Dear Ryan, I just tested the rules and what I can see on Apache is:
xxx.xxx.xxx.xxx - - [05/Sep/2014:02:05:29 +0800] "GET /index.php/appradio/item/23-all-features HTTP/1.1" 200 45429 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" xxx.xxx.xxx.xxx - - [05/Sep/2014:02:05:30 +0800] "POST /index.php/about HTTP/1.1" 404 - http://www.com/index.php/appradio/item/23-all-features "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" Seem its only block for ‘POST’ but still allow access for ‘GET’, correct me if I’m wrong. Please advice. TQ so much for help. From: Ryan Barnett Sent: Friday, September 05, 2014 1:42 AM To: Mesra.net CEO ; owasp-modsecurity-core-rule-set@lists.owasp.org Subject: Re: [Owasp-modsecurity-core-rule-set] Block URL of Joomla Try this (untested) - SecRule REQUEST_FILENAME "@streq /index.php/appradio" "phase:request,t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,block,msg:'Blocking Joomla AppRadio Demo Template Request'" Ryan Barnett Senior Lead Security Researcher, SpiderLabs Trustwave | SMART SECURITY ON DEMAND www.trustwave.com From: "Mesra.net CEO" <ad...@mesra.my> Date: Thursday, September 4, 2014 1:10 PM To: "owasp-modsecurity-core-rule-set@lists.owasp.org" <owasp-modsecurity-core-rule-set@lists.owasp.org> Subject: [Owasp-modsecurity-core-rule-set] Block URL of Joomla Dear All, I’m facing problem with one of my stubborn client who host on my server, I did advice him to remove the demo template for example http://www.xxxx.com/index.php/appradio because the spammer misused it to submit their ads and the client still deny it, that activity very annoying because that make my server overloaded due lot of submission of ads, so how can I block any access to index.php/appradio with modsecurity ? Please help and Thank you so much -------------------------------------------------------------------------------- This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
