Download the form.php script, copy it into the web root, and remove the existing .conf files from /etc/httpd/modsecurity.d/.
$ wget http://zeus.fei.tuke.sk/bps3r/form.php.txt
$ cp form.php.txt /var/www/html/form.php
$ \rm /etc/httpd/modsecurity.d/*.conf
Contents of form.php:
<html>
<body>
<?php
if(isset($_POST['data']))
echo $_POST['data'];
else
{
?>
<form method="post" action="">
Enter something here:<textarea name="data"></textarea>
<input type="submit"/>
</form>
<?php
}
?>
</body>
</html>
Custom rules can be added to any of the configuration files or placed in the ModSecurity directories. We'll place our rules in a new, separate file.
$ mcedit /etc/httpd/modsecurity.d/rules.conf
Enter:
SecRule REQUEST_FILENAME "form.php" "id:'400001',chain,deny,log,msg:'Spam detected'"
SecRule REQUEST_METHOD "POST" chain
SecRule REQUEST_BODY "@rx (?i:(pills|insurance|rolex))"
Save the file and restart Apache.
$ service httpd restart
Open http://192.168.56.XYZ/form.php in the browser and submit text containing any of these words: pills, insurance, rolex. Depending on the SecRuleEngine setting, you'll see either a 403 page and a log entry (On) or only a log entry (DetectionOnly).
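To see which requests the chained rule catches before testing in the browser, here is an added example (not part of the original lab and not ModSecurity's own code) that models the three conditions of rule 400001 and the effect of SecRuleEngine in Python. The Request class, the evaluate function and the sample requests are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Model of the three chained conditions from rules.conf (id 400001).
# ModSecurity's default operator is @rx, an unanchored regex search.
CHAIN = [
    ("filename", re.compile(r"form.php")),   # dot is unescaped, as in the rule
    ("method",   re.compile(r"POST")),
    ("body",     re.compile(r"(?i:(pills|insurance|rolex))")),
]

@dataclass
class Request:            # constructed stand-in for one HTTP transaction
    method: str
    filename: str         # REQUEST_FILENAME: path without the query string
    body: str = ""        # REQUEST_BODY: raw urlencoded form body

def rule_matches(req: Request) -> bool:
    """A chain fires only if every rule in it matches, evaluated in order."""
    return all(rx.search(getattr(req, field)) for field, rx in CHAIN)

def evaluate(req: Request, engine: str = "On"):
    """Return (http_status, logged) for SecRuleEngine On / DetectionOnly / Off."""
    if engine == "Off" or not rule_matches(req):
        return 200, False
    # deny is a disruptive action: enforced only when the engine is On
    return (403 if engine == "On" else 200), True

SAMPLES = {  # constructed requests, bodies as a browser would encode them
    "spam":       Request("POST", "/form.php", "data=Cheap+ROLEX+watches"),
    "clean":      Request("POST", "/form.php", "data=hello+world"),
    "get":        Request("GET",  "/form.php"),
    "other_page": Request("POST", "/contact.php", "data=pills"),
    "substring":  Request("POST", "/form.php", "data=water+spills+on+floor"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:11} On={evaluate(req, 'On')} "
              f"DetectionOnly={evaluate(req, 'DetectionOnly')}")
```

The "substring" sample is blocked because the pattern has no word boundaries, so "spills" matches "pills"; expect such false positives when you read the log.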