The rule below is a chained rule that allows only certain usernames through a particular URI, in this instance /owa for MS Exchange. It is a relatively simple way to let only certain AD users through to /owa using a custom WAF rule.
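# Link 1: the lowercased request URI contains "owa".
SecRule REQUEST_URI "owa" \
"id:1005, \
phase:2, \
t:lowercase, \
deny, \
log, \
msg:'Rule 1005', \
chain"
# Link 2: the username argument does not start with one of the allowed names.
SecRule ARGS:username "@rx ^(?!kevin|steve|paula)" \
"t:lowercase,t:removeWhiteSpace"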
You have to turn on "Inspect HTML POST content" in the advanced settings, or the rule will not see the username in the POST body and will not work.
To test, I did the following through the CLI:
curl --data "username=nick" http://10.1.112.55/owa
- This failed.
While:
curl --data "username=kevin" http://10.1.112.55/owa
- This worked.
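The chain's decision logic can be checked offline before deploying it. The following is an added example, not part of the original post: a Python model of rule 1005 that evaluates constructed requests against the page's pattern and against an end-anchored variant. The variant, the function names and the sample requests are assumptions made for the illustration.

```python
import re

# The page's pattern, and an end-anchored variant (the variant is an
# assumption added for comparison, not from the original post).
PAGE_RX = re.compile(r"^(?!kevin|steve|paula)")
EXACT_RX = re.compile(r"^(?!(?:kevin|steve|paula)$)")


def transform(value):
    """Model of t:lowercase followed by t:removeWhiteSpace."""
    return re.sub(r"\s+", "", value.lower())


def rule_1005(uri, args, user_rx=PAGE_RX):
    """Return 'deny' when both links of the chain match, else 'allow'.

    args is a list of (name, value) pairs standing in for the ARGS collection.
    """
    # Link 1: REQUEST_URI "owa" with t:lowercase (unanchored regex match).
    if not re.search("owa", uri.lower()):
        return "allow"
    # Link 2: evaluated once per ARGS:username value. With no such argument
    # there is nothing to test, so the chain cannot match.
    usernames = [v for n, v in args if n == "username"]
    if any(user_rx.search(transform(v)) for v in usernames):
        return "deny"
    return "allow"


# Constructed test requests (not captured traffic).
CASES = [
    ("/owa", [("username", "nick")]),
    ("/owa", [("username", "kevin")]),
    ("/owa", [("username", "Kevin ")]),
    ("/owa", [("username", "kevin2")]),
    ("/owa", []),
    ("/OWA/auth.owa", [("username", "nick")]),
]


def run(user_rx=PAGE_RX):
    return [rule_1005(uri, args, user_rx) for uri, args in CASES]


if __name__ == "__main__":
    for (uri, args), a, b in zip(CASES, run(PAGE_RX), run(EXACT_RX)):
        print(f"{uri:15} {args!s:28} page={a:5} exact={b}")
```

The two patterns differ only on "kevin2": the page's pattern is a prefix match, so any name beginning with an allowed name passes, and a request with no username argument is not denied by either pattern.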
Ruby Williams
Thanks for sharing this information.