ModSecurity
Detect user agent and execute action
Hello!
I would like to know what would be the best way I can do something similar to this (taken from ChatGPT). I would need to detect when there are many WP Rocket requests (User Agent -> “WP Rocket/Preload”) and, if it exceeds more than X requests, execute a request to an external server to have it monitored. Would it be possible?
So far what I have, which does not work, is:
```
SecAction "id:400020,phase:1,nolog,pass,t:none,setvar:tx.wp_rocket_counter=0"
SecRule REQUEST_HEADERS:User-Agent "@contains ?iRocket/Preload"
"id:400021,phase:1,nolog,pass,setvar:tx.wp_rocket_counter=+1"
SecRule TX:wp_rocket_counter "@gt 10"
"id:400022,phase:2,log,deny,status:403,msg:'Too many Rocket/Preload requests detected',
exec:'/usr/bin/curl --user-agent "phmodsec" -X POST https://api.domain.com/alert.php -d "alert=Too many Rocket/Preload requests detected"'"
```
Hopefully someone can lend a hand!
Hi @AngelSamuel,
sorry for the late reply.
I think the problem in your solution is here:
```
SecAction "id:400020,phase:1,nolog,pass,t:none,setvar:tx.wp_rocket_counter=0"
```
Your variable will be initialized with 0 in every transaction, and will never reach the value of 10.
I think you need to use a persistent storage to store this value (I assume you want to count the requests by IP), so you need to use the IP collection.
Please first read the relevant part:
(you didn't mention the used version)
https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v3.x)#persistent-storage
and I'm sure CRS's DOS plugin is a good reference, if you want to understand the behavior:
https://github.com/coreruleset/dos-protection-plugin-modsecurity/blob/main/plugins/dos-protection-before.conf
@AngelSamuel is there anything we can help you with? If not, could you close this issue?
Another remark: "@contains ?iRocket/Preload" is incorrect. "?i" is treated as a literal, not "Rocket/Preload" case-insensitive. Unless some more info comes in, we'll close this issue soon.
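The rule set below combines the two points raised in the replies above, a per-client counter kept in the persistent IP collection and a case-insensitive User-Agent match; it is an added example, not code from this thread or from the ModSecurity project. Assumptions: the 60-second window, the `SecDataDir` path, the `tx.wp_rocket` flag and the wrapper script `/usr/local/bin/modsec-alert.sh` are hypothetical, and the curl call moves into that script because `exec` runs its target without arguments.

```apache
# ModSecurity v2 keeps persistent collections on disk; the path is an assumption.
SecDataDir /var/cache/modsecurity

# Open the per-client IP collection once per transaction (key = client address).
SecAction "id:400020,phase:1,pass,nolog,t:none,initcol:ip=%{REMOTE_ADDR}"

# Count preload requests. t:lowercase makes the @contains match case-insensitive.
# expirevar (your build must support it) drops the counter 60 s after the
# last matching request, so only a sustained burst reaches the threshold.
SecRule REQUEST_HEADERS:User-Agent "@contains rocket/preload" \
    "id:400021,phase:1,pass,nolog,t:none,t:lowercase,\
    setvar:tx.wp_rocket=1,\
    setvar:ip.wp_rocket_counter=+1,\
    expirevar:ip.wp_rocket_counter=60"

# Requests from any other user agent skip the threshold rules. The & count
# is always evaluated, even when tx.wp_rocket was never set.
SecRule &TX:wp_rocket "@eq 0" \
    "id:400022,phase:1,pass,nolog,t:none,skipAfter:END_WP_ROCKET"

# First request over the limit of 10: log and send the alert once, instead
# of on every blocked request. The hypothetical wrapper script contains:
#   /usr/bin/curl --user-agent "phmodsec" -X POST https://api.domain.com/alert.php -d "alert=Too many Rocket/Preload requests detected"
SecRule IP:wp_rocket_counter "@eq 11" \
    "id:400023,phase:1,pass,log,t:none,\
    msg:'Rocket/Preload threshold crossed, alert script started',\
    exec:/usr/local/bin/modsec-alert.sh"

# Every preload request over the limit is rejected.
SecRule IP:wp_rocket_counter "@gt 10" \
    "id:400024,phase:1,deny,status:403,log,t:none,\
    msg:'Too many Rocket/Preload requests detected'"

SecMarker END_WP_ROCKET
```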