Hi.
Lately I have seen a lot of forms filled in with the domain “bit.ly”, which points to malicious code or to a spammer page.
So, I added “bit.ly” to my userdata_bl_domains file, but some of my customers complained that they use it a lot, so I had to delete it from my blacklist.
So, is it possible to add a line like “bit.ly/someword” to this rule, or is this rule for domains only?
Do you have a reference guide where I can read how to properly use each of the userdata_bl_[filename] files?
I am interested in one where I could add phrases or email addresses to a blacklist to be checked when users post comments on forms.
Actually, what I was looking for is a file like, for example, “user_bl_phrases” (just an example), where I could add any text that I would like to block in any web form on my server.
I would like to be able to add texts to a file like “user_bl_phrases” so that mod_security could check the list and proceed accordingly if the phrase is matched.
For now I really don’t know if the Comodo rules already have a file for this.
You can add your custom rule to track suspicious data:
SecRule REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_BODY|XML:/* "@pmFromFile userdata_bl_words" \
"id:110491,\
msg:'COMODO WAF: Bad data is not allowed by policy||%{tx.domain}|%{tx.mode}|5',\
phase:1,\
deny,\
status:403,\
log,\
rev:1,\
severity:5"
You should fully understand which parameters to track. Also, the rule is provided as an example, without any warranties, and could produce a lot of false positives.
I have tried the rule that you kindly wrote and modified it a bit, but it is not working.
Here is the rule:
SecRule REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_BODY|XML:/* "@pmFromFile /mymodsec/userdata_bl_emails" \
"id:110491,msg:'SECMAS: Blocked email not allowed by policy||%{tx.domain}|%{tx.mode}|5',phase:1,deny,status:403,log,rev:1,severity:5"
and the file userdata_bl_emails, located in my directory /mymodesec/, contains for example:
2conv.ch@gmail.com
aidenmorgan77+cax@gmail.com
alvinellis2528@gmail.com
I have escaped the @ and dots (.) and it seems not to work. It didn’t work even with the @ and dots not escaped.
What I intend is that when someone writes those emails in a form, the IP is blocked.
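To make the thread's two questions concrete (whether a path like bit.ly/someword can go in a phrase file, and why the escaped email entries never fire), here is an added Python model of the @pmFromFile rule posted above. It is example code written for this page, not ModSecurity's code and not part of the Comodo rule set; the request object, the blacklist contents and the phase handling are constructed here to mirror how the real operator behaves. It shows three things: @pmFromFile is a literal, case-insensitive substring match with no regex syntax, so bit.ly/someword is a valid entry and email addresses must be written exactly as they appear, with no backslash before @ or a dot (an escaped entry can never match); and a rule in phase:1 only sees the request line, headers and query string, so POST form fields (ARGS from the body and REQUEST_BODY) are only inspected from phase:2 onward, which also needs SecRequestBodyAccess On.

```python
"""Model of ModSecurity's @pmFromFile matching over a web-form request.

Constructed example for this page: not ModSecurity code and not the rule from
the thread, just a model of how that rule's operator and phase behave.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed blacklist file contents (what a userdata_bl_* phrase file might hold).
# The third entry is deliberately regex-escaped to show that @pm treats it literally.
BLACKLIST_FILE = """\
# one phrase per line; @pm matches case-insensitive substrings, so paths work too
bit.ly/someword
alvinellis2528@gmail.com
2conv\\.ch\\@gmail\\.com
"""


def load_phrase_file(text: str) -> List[str]:
    """Parse a phrase file the way @pmFromFile reads it: one literal phrase per
    line; blank lines and lines starting with '#' are skipped here as comments.
    Phrases are lower-cased because @pm matching is case-insensitive."""
    phrases = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            phrases.append(line.lower())
    return phrases


@dataclass
class Request:
    """Minimal request model: URI, query-string args, POST-body args, raw body."""
    uri: str
    query_args: Dict[str, str] = field(default_factory=dict)
    body_args: Dict[str, str] = field(default_factory=dict)
    raw_body: str = ""


def rule_targets(req: Request, phase: int) -> List[Tuple[str, str]]:
    """Expand REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_BODY for the given phase.
    In phase 1 only the request line and headers have been read, so only the
    URI and query-string arguments exist; body arguments and REQUEST_BODY are
    populated in phase 2 (XML:/* is not modelled here)."""
    targets = [("REQUEST_URI", req.uri)]
    for name, value in req.query_args.items():
        targets.append((f"ARGS:{name}", value))
        targets.append(("ARGS_NAMES", name))
    if phase >= 2:
        for name, value in req.body_args.items():
            targets.append((f"ARGS:{name}", value))
            targets.append(("ARGS_NAMES", name))
        targets.append(("REQUEST_BODY", req.raw_body))
    return targets


def pm_match(phrases: List[str], value: str) -> List[str]:
    """@pm semantics: literal, case-insensitive substring match; no regex."""
    haystack = value.lower()
    return [p for p in phrases if p in haystack]


def evaluate(phrases: List[str], req: Request, phase: int) -> dict:
    """Run the blacklist rule in one phase; deny on the first matching target,
    as 'deny,status:403' would. Returns which target and phrases fired."""
    for target, value in rule_targets(req, phase):
        hits = pm_match(phrases, value)
        if hits:
            return {"action": "deny", "status": 403, "target": target, "phrases": hits}
    return {"action": "pass", "status": None, "target": None, "phrases": []}


# Constructed form submission: a spam comment plus an address from the blacklist.
SAMPLE_POST = Request(
    uri="/contact.php",
    body_args={"email": "2conv.ch@gmail.com",
               "comment": "Great site, see Bit.LY/SomeWord for more"},
    raw_body="email=2conv.ch%40gmail.com&comment=Great+site%2C+see+Bit.LY%2FSomeWord+for+more",
)

if __name__ == "__main__":
    phrases = load_phrase_file(BLACKLIST_FILE)
    print("phase 1:", evaluate(phrases, SAMPLE_POST, phase=1))  # pass: body not read yet
    print("phase 2:", evaluate(phrases, SAMPLE_POST, phase=2))  # deny via ARGS:comment
    # The escaped entry never fires; the same address written literally does.
    print("escaped:", pm_match(phrases, SAMPLE_POST.body_args["email"]))
    print("literal:", pm_match(["2conv.ch@gmail.com"], SAMPLE_POST.body_args["email"]))
```

Two checks before blaming the phrase list: the path given to @pmFromFile must exist and be readable by the web server user (a relative path is resolved against the configuration file that contains the rule), and deny only rejects the matching request. Turning a match into a block of the client IP is a separate step, for example a persistent ip collection set up with initcol and updated with setvar that a second rule checks, which this model does not cover.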