
I am using ModSecurity v3 on a CentOS machine with OpenLiteSpeed.

My PHP file access.php creates a cookie, honey_bot_trap, with a dynamic 16-character value [0-9a-zA-z], for example: au4abbgjk190Bl

In ModSecurity I created this rule:

SecRule REQUEST_HEADERS:Cookie "@contains honey_bot_trap" "chain,id:'990014',phase:1,t:none,block,msg:'fake cookie'"

I want to create rules so that:

  1. All requests to my domain are redirected to access.php (the file creates the cookie honey_bot_trap: au4abbgjk190Bl).
  2. ModSecurity checks the cookie; if there is no honey_bot_trap: au4abbgjk190Bl cookie, the request is blocked.
  3. If the request has honey_bot_trap: au4abbgjk190Bl, it is added to a rate check.
  4. If the rate for an IP is over 2 clicks/s, it is blocked (or redirected to https://mydomain.com/verify.php).

Please help me. Thanks to all.

2 Answers

1

OpenLiteSpeed is not a creator of rules, but a consumer of them. We generally recommend the use of pre-created rules like OWASP or Comodo. If you wish to create rules you should check out the rules guide: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v3.x)

1

The rule you are attempting to create is very, very complicated. It may sound simple, but I've written the 2nd edition of the ModSecurity Handbook and trust me, it would take me 2-3 hours to get this working.

With that being said, ModSec is probably not the best tool for what you have in mind. If you want to push through, try to put your hands on a copy of the ModSecurity Handbook (instead of the reference linked above) and use mod_qos or something along those lines for rate limiting and not ModSec.

#CRSDevOnDuty

P.S. Hat tip to Robert Perper.

dune73
  • Can you add an example like the one I mentioned above to your book? I will buy the book, because it's really important to me. Above all, I sincerely thank you. – WilliamVine Aug 28 '22 at 03:59
  • https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#SESSION has an example of how you can persist the number of requests to calculate the rate afterwards. You will also need to look into the action deprecatevar and I am not sure if this is supported on ModSec v3 (and OLS). Even if it works, this will result in a brittle and overly complicated setup. My advice is to look for a different solution. – dune73 Aug 29 '22 at 04:56
  • If there is no other solution and you are willing to pay, please contact via netnea.com. – dune73 Aug 29 '22 at 04:56
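
The persisted request counter mentioned in the comments, sketched together with the cookie check from the question. This is an added example, not code from either answerer or from the ModSecurity project. Assumptions: ModSecurity v2 rule syntax, rule ids 990020-990026 are placeholders, access.php is served from the same host as verify.php, and a fixed one-second window built with expirevar stands in for deprecatevar. Whether persistent collections behave this way under ModSecurity v3 on OpenLiteSpeed is not confirmed anywhere on this page.

```apache
# Added example (constructed). Ids 990020-990026 are placeholders.

# Open the per-client persistent collection keyed on the source address.
SecAction "id:990020,phase:1,pass,nolog,t:none,initcol:ip=%{REMOTE_ADDR}"

# The cookie-issuing page and the verification page must stay reachable
# without the cookie, otherwise the redirects below would loop.
SecRule REQUEST_FILENAME "@rx ^/(?:access|verify)\.php$" \
    "id:990021,phase:1,pass,nolog,t:none,skipAfter:END_HONEY_COOKIE"

# Step 1/2: no cookie at all, send the client to access.php to obtain one.
SecRule &REQUEST_COOKIES:honey_bot_trap "@eq 0" \
    "id:990022,phase:1,t:none,log,msg:'honey_bot_trap cookie missing',\
    redirect:https://mydomain.com/access.php"

# Step 2: cookie present but not 16 characters of [0-9a-zA-Z].
# Only the shape can be checked here: the value is generated per client by
# access.php, so ModSecurity cannot tell a genuine value from a forged one.
SecRule REQUEST_COOKIES:honey_bot_trap "!@rx ^[0-9a-zA-Z]{16}$" \
    "id:990023,phase:1,t:none,deny,status:403,log,\
    msg:'honey_bot_trap cookie malformed'"

# Step 3: start a counter that expires one second after it is created.
# expirevar is set only on creation, so a slow but steady client does not
# keep extending the window and accumulate hits.
SecRule &IP:HONEY_HITS "@eq 0" \
    "id:990024,phase:1,pass,nolog,t:none,\
    setvar:ip.honey_hits=0,expirevar:ip.honey_hits=1"
SecAction "id:990025,phase:1,pass,nolog,t:none,setvar:ip.honey_hits=+1"

# Step 4: more than 2 requests inside the window, send to verify.php.
SecRule IP:HONEY_HITS "@gt 2" \
    "id:990026,phase:1,t:none,log,\
    msg:'honey_bot_trap rate limit exceeded for %{REMOTE_ADDR}',\
    redirect:https://mydomain.com/verify.php"

SecMarker END_HONEY_COOKIE
```

Collection expiry has one-second resolution, so the window is approximate, and every image, script and stylesheet request counts as a hit unless static paths are added to the skip rule.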