mod_security2 case sensitive?

I’ve written previously about using mod_security to block referral spam and hosts on a DNS-based RBL.  I thought it was working pretty well, until I looked at my referrers today and saw lots of hits from “FreePornVideos.bogus” (domain name & suffix altered).  I shouldn’t see this, as my mod_security rules include:

SecRule REQUEST_HEADERS:REFERER "porn" deny,status:500

Lots of mod_security documentation claims that matches are case-insensitive.  I should not be seeing this.  What’s going on?  I believe that the problem is that the referral matches are case-sensitive, but let’s verify that.  First, let’s try a simple referral in lower case.

$ wget http://www.michaelwlucas.com/ --referer=porn
--2011-01-19 10:17:32--  http://www.michaelwlucas.com/
Resolving www.michaelwlucas.com (www.michaelwlucas.com)... 198.22.63.8
Connecting to www.michaelwlucas.com (www.michaelwlucas.com)|198.22.63.8|:80... connected.
HTTP request sent, awaiting response... 500 Internal Server Error
2011-01-19 10:17:32 ERROR 500: Internal Server Error.

That works as expected.  Now try with a capital letter:

$ wget http://www.michaelwlucas.com/ --referer=Porn
--2011-01-19 10:17:34--  http://www.michaelwlucas.com/
Resolving www.michaelwlucas.com (www.michaelwlucas.com)... 198.22.63.8
Connecting to www.michaelwlucas.com (www.michaelwlucas.com)|198.22.63.8|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10376 (10K) [text/html]
Saving to: `index.html'

Matches are case sensitive, despite what I read in the documentation.  Listing both Porn and porn won’t solve the problem, because that won’t protect me from pORN.

Lesson of the day: verify you’re reading the correct documentation, and that you read what the author actually wrote.  mod_security2 uses PCRE for regular expressions. Version 1 used POSIX.  If I want case-insensitive matching, I have to declare that in my regex.  I modified the rule to read:

SecRule REQUEST_HEADERS:REFERER "(?i:(porn))" deny,status:500

Reload Apache. Test again with wget.  Both porn and Porn are now blocked, as well as pORN.  Petulance of the day remediated. Now back to BGP.
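To check a keyword rule against every capitalisation rather than the three tried by hand, here is an added example (not part of the original post) that runs the two patterns above over all 16 case permutations of the keyword. It assumes Python's `re` as a stand-in for PCRE, since both accept the scoped `(?i:...)` syntax; the helper names `case_variants` and `missed_referers` and the Referer values are constructed for illustration.

```python
import itertools
import re

# Patterns copied from the two SecRule lines in the post.
ORIGINAL_RULE = r"porn"
FIXED_RULE = r"(?i:(porn))"


def case_variants(word):
    """Return every upper/lower-case permutation of word (2**n for n letters)."""
    pairs = [sorted({ch.lower(), ch.upper()}) for ch in word]
    return ["".join(combo) for combo in itertools.product(*pairs)]


def missed_referers(pattern, keyword, template="http://Free{}Videos.bogus/"):
    """List constructed Referer values containing keyword that pattern misses.

    ModSecurity's default @rx operator is an unanchored regex search, so
    re.search is the closest stand-in here (assumption: Python re, not PCRE).
    """
    rx = re.compile(pattern)
    return [
        template.format(variant)
        for variant in case_variants(keyword)
        if rx.search(template.format(variant)) is None
    ]


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL_RULE), ("fixed", FIXED_RULE)):
        missed = missed_referers(pattern, "porn")
        print(f"{name:8} {pattern!r}: {len(missed)} of 16 variants not matched")
        for referer in missed[:3]:
            print("   e.g.", referer)
```

The same list of variants can be fed to wget's `--referer` option against a test vhost to confirm the live rule behaves the way the regex does.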
