Chained rule not working in ModSecurity/Coraza


ModSecurity rule chaining is not working (I'm using Coraza). For the following rules:

    SecRule REQUEST_HEADERS:X-Forwarded-For "@ipMatch 3.4.5.6" "id:9,phase:1,chain"
    SecRule REQUEST_HEADERS:Host "@eq bar.com" "id:10,phase:1,deny"

When I send the following request:

    curl -v -H 'Host: bar.com' -H 'X-Forwarded-For: 3.4.5.6' localhost

The two rules match, but the action in the second rule is not applied and the request is not denied.

I verified the rules are matching by seeing the following in the log:

    2023/11/06 19:33:20 [DEBUG] Evaluating operator: MATCH tx_id="bqZkxImuTflWlGYCGVG" rule_id=9 operator_function="@ipMatch" operator_data="3.4.5.6" arg="3.4.5.6"
    2023/11/06 19:33:20 [DEBUG] Evaluating operator: MATCH tx_id="bqZkxImuTflWlGYCGVG" rule_id=10 operator_function="@eq" operator_data="bar.com" arg="bar.com"

Solution

  • The action has to be in the first rule that begins the chain:

    # Host is compared as a string with @streq; @eq is a numeric comparison.
    SecRule REQUEST_HEADERS:X-Forwarded-For "@ipMatch 3.4.5.6" "id:9,phase:1,deny,chain"
    SecRule REQUEST_HEADERS:Host "@streq bar.com" "id:10,phase:1"
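
A lint check for the mistake discussed on this page, as an added example (not part of the original question or answer): it scans SecLang text for a disruptive action placed on a chained rule instead of on the chain starter. The function names and the simplified action parsing (no commas inside quoted action values) are assumptions of this example.

```python
import shlex

# SecLang disruptive actions; per the answer above, in a chain the
# disruptive action has to be on the rule that starts the chain.
DISRUPTIVE = {"allow", "block", "deny", "drop", "pass", "proxy", "redirect"}

def parse_rules(text):
    """Return a list of action dicts, one per SecRule directive in text."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():  # fold continuations
        tokens = shlex.split(line, comments=True)
        if len(tokens) < 3 or tokens[0] != "SecRule":
            continue
        actions = {}
        # Simplification (assumption): no commas inside quoted action values.
        for part in (tokens[3] if len(tokens) > 3 else "").split(","):
            name, _, value = part.strip().partition(":")
            if name:
                actions[name.lower()] = value
        rules.append(actions)
    return rules

def misplaced_disruptive(text):
    """Find disruptive actions on chained (non-starter) rules.

    Returns (starter_id, chained_rule_id, [actions]) tuples.
    """
    findings = []
    starter_id, in_chain = None, False
    for actions in parse_rules(text):
        if in_chain:
            bad = sorted(DISRUPTIVE.intersection(actions))
            if bad:
                findings.append((starter_id, actions.get("id"), bad))
        else:
            starter_id = actions.get("id")
        in_chain = "chain" in actions  # the next rule continues this chain
    return findings

# The question's rules, then the same rules with deny moved to the starter.
# Operators are kept as in the question; only the actions are inspected.
BROKEN = '''
SecRule REQUEST_HEADERS:X-Forwarded-For "@ipMatch 3.4.5.6" "id:9,phase:1,chain"
SecRule REQUEST_HEADERS:Host "@eq bar.com" "id:10,phase:1,deny"
'''
FIXED = '''
SecRule REQUEST_HEADERS:X-Forwarded-For "@ipMatch 3.4.5.6" "id:9,phase:1,deny,chain"
SecRule REQUEST_HEADERS:Host "@eq bar.com" "id:10,phase:1"
'''
```

Calling `misplaced_disruptive()` on a rules file before deployment reports each chain whose `deny` (or other disruptive action) sits on a chained rule and would therefore not block the request.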