OK so the audit log shows this in your header:
   Authorization: Basic Z3JtYXdjYWRtaW46dGVzdA==
The value of the Authorization header is therefore "Basic 
Z3JtYXdjYWRtaW46dGVzdA==" which cannot be base64 decoded due to that initial 
"Basic " part which is not Base 64 encoded. This is what you are supposed to 
send so nothing wrong with your header, but it explains why your rule is not 
working as ModSecurity does not know you only want to base64 decode part of the 
header.
So you need to write a chained rule to capture the actual base64 encoded part 
using brackets and "capture" and then base 64 decode the TX:1 variable which is 
captured:
SecRule "REQUEST_HEADERS:Authorization" "^Basic (.*)$" \
    "phase:1,id:1003,log,capture,chain,deny,status:403"
    SecRule TX:1 "@contains admin" "t:base64Decode"
I've tested this and it seems to work.
Thanks,
Barry

> From: gary.mans...@ricardo.com
> To: barry_poll...@hotmail.com; csand...@trustwave.com; 
> owasp-modsecurity-core-rule-set@lists.owasp.org
> Subject: RE: [Owasp-modsecurity-core-rule-set] Is it possible to use 
> modsecurity rules to prevent logins by specific user accounts?
> Date: Fri, 15 Apr 2016 10:37:16 +0000
> 
> I added the rule, cleared the logs and logged in again with the grmawcadmin 
> user
> 
> Here are the updated logs as requested.
> 


                                          
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
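
The capture-then-decode logic from the message above, as an added Python example that is not part of the original thread and is not ModSecurity's own code. The strict decoder, the make_header helper and the username-only comparison are assumptions added for illustration; "bob" and "admin1" are constructed values.

```python
import base64
import binascii
import re

# Header value taken from the audit log quoted in the message above.
HEADER = "Basic Z3JtYXdjYWRtaW46dGVzdA=="


def make_header(user, password):
    """Build a Basic header for constructed test credentials (helper, assumed)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def strict_b64(value):
    """Decode base64 strictly; None if any character is outside the alphabet.

    Strictness is an assumption made here so the failure on the full header
    value is visible; it is not a statement about ModSecurity's decoder.
    """
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def captured_credentials(header):
    """Mirror 'capture' on "^Basic (.*)$" followed by decoding TX:1."""
    m = re.match(r"^Basic (.*)$", header)
    return strict_b64(m.group(1)) if m else None


def chained_rule_matches(header, needle="admin"):
    """Second rule of the chain: '@contains admin' on the decoded capture."""
    decoded = captured_credentials(header)
    return decoded is not None and needle in decoded


def username_matches(header, blocked_user):
    """Assumed stricter variant: compare only the part before the first ':'."""
    decoded = captured_credentials(header)
    if decoded is None or ":" not in decoded:
        return False
    return decoded.split(":", 1)[0] == blocked_user
```

Since "@contains" runs over the whole decoded "user:password" string, it also fires when only the password contains the word; comparing the username field alone avoids that.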
