I’ve written previously about using mod_security to block referral spam and hosts on a DNS-based RBL. I thought it was working pretty well, until I looked at my referrers today and saw lots of hits from “FreePornVideos.bogus” (domain name & suffix altered). I shouldn’t see this, as my mod_security rules include:
SecRule REQUEST_HEADERS:REFERER "porn" deny,status:500
Lots of mod_security documentation claims that matches are case-insensitive, so I should not be seeing this. What’s going on? I believe the problem is that the referrer matches are actually case-sensitive, but let’s verify that. First, try a simple referrer in lower case.
$ wget http://www.michaelwlucas.com/ --referer=porn
--2011-01-19 10:17:32-- http://www.michaelwlucas.com/
Resolving www.michaelwlucas.com (www.michaelwlucas.com)... 198.22.63.8
Connecting to www.michaelwlucas.com (www.michaelwlucas.com)|198.22.63.8|:80... connected.
HTTP request sent, awaiting response... 500 Internal Server Error
2011-01-19 10:17:32 ERROR 500: Internal Server Error.
That works as expected. Now try with a capital letter:
$ wget http://www.michaelwlucas.com/ --referer=Porn
--2011-01-19 10:17:34-- http://www.michaelwlucas.com/
Resolving www.michaelwlucas.com (www.michaelwlucas.com)... 198.22.63.8
Connecting to www.michaelwlucas.com (www.michaelwlucas.com)|198.22.63.8|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10376 (10K) [text/html]
Saving to: `index.html'
Matches are case sensitive, despite what I read in the documentation. Listing both Porn and porn won’t solve the problem, because that won’t protect me from pORN.
Lesson of the day: verify you’re reading the correct documentation, and that you read what the author actually wrote. mod_security 2 uses PCRE for regular expressions; version 1 used POSIX. The default SecRule operator is @rx, so the quoted pattern is a PCRE regex, and PCRE matches are case-sensitive unless the pattern itself turns case-insensitive matching on. If I want case-insensitive matching, I have to declare that in my regex. I modified the rule to read:
SecRule REQUEST_HEADERS:REFERER "(?i:(porn))" deny,status:500
Reload Apache. Test again with wget. Both porn and Porn are now blocked, as well as pORN. Petulance of the day remediated. Now back to BGP.