
I'm really new to modsecurity and I'm having some issues in understanding the rule editing.

I need to return 200 to the requests arriving from a specific endpoint that starts with /myendpoint/ but I still want to deny the endpoint from doing anything else.

I've checked on the web but I cannot find a solution that works fine for me.

# ModSec Rule Exclusion: 930100
SecRule REQUEST_URI "@beginsWith \/myendpoint\/" "phase:2,log,block,status:200,id:10000,ctl:ruleRemoveById=930100"

The rule above doesn't look like it's working at all and the requests are still blocked but the status 200 is not returned.

I need this because I have integrated the endpoint to a Telegram bot but if it receives a 403, the bot will keep sending the same message continuously for 24 hours. I think that returning 200 but yet blocking the request to go further would solve the issue.

Maonat

2 Answers


This is a very peculiar need. But anyways, Azurit has already pointed out the problem with the slashes. I think the other problem is the use of block. I'd do a deny combined with status. Much to my surprise, this works.

SecRule REQUEST_URI "@beginsWith /myendpoint/" "id:1000,phase:1,deny,status:200"
dune73
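A deny that answers 200 is invisible to the client, so the only evidence that the request was actually blocked is the ModSecurity entry in the Apache error log. The following script is an added example (not from this answer or from the ModSecurity project) that parses such entries and checks that everything hitting /myendpoint/ was denied with status 200 by the rule id 1000 used above; it assumes the ModSecurity v2 error-log format, and the log lines are constructed.

```python
import re
from collections import Counter

# Constructed ModSecurity v2 lines (Apache error-log format), not from the post: two
# status-200 denies from the endpoint rule, one 403 from CRS rule 930100 that still
# hit the endpoint (the situation in the question), and an unrelated warning.
SAMPLE_LOG = """\
[client 203.0.113.7] ModSecurity: Access denied with code 200 (phase 1). String match "/myendpoint/" at REQUEST_URI. [file "/etc/modsecurity/local.conf"] [line "5"] [id "1000"] [hostname "example.test"] [uri "/myendpoint/webhook"] [unique_id "AAA"]
[client 203.0.113.7] ModSecurity: Access denied with code 200 (phase 1). String match "/myendpoint/" at REQUEST_URI. [file "/etc/modsecurity/local.conf"] [line "5"] [id "1000"] [hostname "example.test"] [uri "/myendpoint/webhook?x=1"] [unique_id "AAB"]
[client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at REQUEST_URI. [file "/etc/modsecurity/crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "40"] [id "930100"] [hostname "example.test"] [uri "/myendpoint/update"] [unique_id "AAC"]
[client 198.51.100.9] ModSecurity: Warning. Pattern match "..." at ARGS:q. [file "/etc/modsecurity/crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "55"] [id "930110"] [hostname "example.test"] [uri "/search"] [unique_id "AAD"]
"""

# "Access denied with code N (phase P)." for blocking rules, "Warning." for log-only ones.
ENTRY_RE = re.compile(
    r'ModSecurity: (?:Access denied with code (?P<status>\d+) \(phase \d\)|Warning)\. '
    r'.*?\[id "(?P<rule_id>\d+)"\].*?\[uri "(?P<uri>[^"]*)"\]'
)


def parse_entries(log_text):
    """Return one dict per ModSecurity event; status is None for warnings."""
    entries = []
    for m in filter(None, map(ENTRY_RE.search, log_text.splitlines())):
        status = int(m["status"]) if m["status"] else None
        entries.append({"status": status, "rule_id": m["rule_id"], "uri": m["uri"]})
    return entries


def deny_status_by_rule(log_text):
    """Count (rule id, HTTP status) pairs for denied requests across the log."""
    return Counter((e["rule_id"], e["status"])
                   for e in parse_entries(log_text) if e["status"] is not None)


def audit_endpoint(log_text, prefix="/myendpoint/", expected_status=200):
    """Return (ok, problems): ok counts denies on the endpoint with the expected
    status; problems lists endpoint events denied with another status (the client
    sees an error and retries) or only warned about (the request went through)."""
    ok, problems = 0, []
    for e in parse_entries(log_text):
        if e["uri"].startswith(prefix):
            if e["status"] == expected_status:
                ok += 1
            else:
                problems.append(e)
    return ok, problems
```

Running `audit_endpoint` over a real error log after deploying the rule shows immediately whether any CRS rule still answers the endpoint with a 403 and needs the exclusion discussed in the comments below.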

Just to be clear: You want to block the request but still return HTTP code 200?

Btw, do NOT escape URI: "@beginsWith /myendpoint/"

azurit
  • Yes, that's what I want to achieve. Why shouldn't I escape it that way? Should I escape the URI completely by providing the equals sign? If yes, what would the correct solution be? – Maonat Jun 29 '21 at 15:17
  • This is correct syntax: SecRule REQUEST_URI "@beginsWith /myendpoint/" "phase:2,log,... – azurit Jun 29 '21 at 15:35
  • Ah, escape the slashes :) BTW that's correct, I want to simply return code 200 but still block the request. It is not working with this `SecRule REQUEST_URI "@beginsWith /myendpoint/" "phase:2,log,block,status:200,id:10000,ctl:ruleRemoveById=930100"` – Maonat Jun 29 '21 at 17:47
  • I don't think this is possible. Why do you want to do this anyway? Are those requests really bad and need to be blocked? Maybe just ignore them at the application level? – azurit Jun 30 '21 at 08:59
  • In this case, can I ignore the rule only for that specific endpoint so I can keep it turned on for other endpoints? – Maonat Jul 01 '21 at 00:02
  • Yes, you can create an exclusion rule, something like: `SecRule REQUEST_FILENAME "@beginsWith /myendpoint/" "id:10000,phase:1,pass,t:none,nolog,ctl:ruleRemoveTargetById=930110"` You can set the ID of the rule you want to 'ignore' at the end. Also, you can use multiple 'ctl:ruleRemoveTargetById'. – azurit Jul 01 '21 at 06:18
  • Why "REQUEST_FILENAME" instead of "REQUEST_URI"? At the end of the story, what I want to intercept is the endpoint, not a specific file. If I want to disable multiple rules, is it enough to add, for instance, `SecRule REQUEST_FILENAME "@beginsWith /myendpoint/" "id:10000,phase:1,pass,t:none,nolog,ctl:ruleRemoveTargetById=930110,ctl:ruleRemoveTargetById=930100"`? – Maonat Jul 02 '21 at 11:40
  • REQUEST_URI also contains the query string (?a=b); you don't need to check for that in this case (but both of them will work). Yes, it looks ok. – azurit Jul 03 '21 at 14:00