diff --git a/doc/modsecurity2-apache-reference.xml b/doc/modsecurity2-apache-reference.xml index eed3fc55..88b8e425 100644 --- a/doc/modsecurity2-apache-reference.xml +++ b/doc/modsecurity2-apache-reference.xml @@ -188,17 +188,17 @@ Overview ModSecurity is a web application firewall engine that provides - very little protection on its own. In order to become useful ModSecurity - must be configured with rules. In order to enable users to take full - advantage of ModSecurity out of the box, Breach Security Inc. is - providing a free certified rule set for ModSecurity 2.0. Unlike + very little protection on its own. In order to become useful, + ModSecurity must be configured with rules. In order to enable users to + take full advantage of ModSecurity out of the box, Breach Security Inc. + is providing a free certified rule set for ModSecurity 2.0. Unlike intrusion detection and prevention systems, which rely on signature specific to known vulnerabilities, the Core Rules provide generic protection from unknown vulnerabilities often found in web applications, which are in most cases custom coded. The Core Rules are heavily commented to allow it to be used as a step-by-step deployment guide for ModSecurity. The latest Core Rules can be found at the ModSecurity - website -http://www.modsecurity.org/projects/rules/index.html. @@ -294,7 +294,7 @@ Make sure you have mod_unique_idinstalled. + moreinfo="none">mod_unique_id installed. @@ -317,7 +317,7 @@ (Optional) Edit Makefile to enable ModSecurity to use libxml2 - (uncomment lineDEFS = + (uncomment line DEFS = -DWITH_LIBXML2) and configure the include path (for example: INCLUDES=-I/usr/include/libxml2) 
@@ -337,13 +337,13 @@ - (Optional) Add one line to your configuration to load - libxml2:LoadFile + (Optional) Add one line to your configuration to load libxml2: + LoadFile /usr/lib/libxml2.so - Add one line to your configuration to load ModSecurity:Add one line to your configuration to load ModSecurity: LoadModule security2_module modules/mod_security2.so @@ -454,9 +454,9 @@ Description: Specifies which character to use as separator for - application/x-www-form-urlencoded content. Defaults to&. Applications are sometimes (very - rarely) written to use a semicolon ( content. Defaults to + &. Applications are sometimes + (very rarely) written to use a semicolon (;). Syntax: - SecAuditLog "|/path/to/modsec-auditlog-collector.pl - /path/to/SecAuditLogDataDir /path/to/SecAuditLog" + SecAuditLog \ + "|/path/modsec-auditlog-collector.pl /path/SecAuditLogDataDir /path/SecAuditLog"
@@ -721,7 +721,7 @@ SecAuditLogStorageDir logs/audit user as new files are generated at runtime. As with all logging mechanisms, ensure that you specify a file - system location that as adequate disk space and is not on the root + system location that has adequate disk space and is not on the root partition.
@@ -749,14 +749,14 @@ SecAuditLogStorageDir logs/audit - Serial - all audit log + Serial - all audit log entries will be stored in the main audit logging file. This is more convenient for casual use but it is slower as only one audit log entry can be written to the file at any one file. - Concurrent - audit log + Concurrent - audit log entries will be stored in separate files, one for each transaction. Concurrent logging is the mode to use if you are going to send the audit log data off to a remote ModSecurity Console host. @@ -965,7 +965,8 @@ SecAuditLogStorageDir logs/audit The default value is: - SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace + SecDefaultAction \ + log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace Note @@ -996,7 +997,7 @@ SecAuditLogStorageDir logs/audit httpd-guardian will defend against clients that send more 120 requests in a minute, or more than 360 requests in five minutes. - Since 1.9 ModSecurity supports a new directive, SecGuardianLog, + Since 1.9, ModSecurity supports a new directive, SecGuardianLog, that is designed to send all access data to another program using the piped logging feature. Since Apache is typically deployed in a multi-process fashion, making information sharing difficult, the idea is 
@@ -1037,11 +1038,12 @@ SecAuditLogStorageDir logs/audit Scope: Any - Dependencies/Notes: Thisdirective - is required if you plan to inspect POST_PAYLOADS of requests. This - directive must be used along with the "phase:2" processing phase action - and REQUEST_BODY variable/location. If any of these 3 parts are not - configured, you will not be able to inspect the request bodies. + Dependencies/Notes: This + directive is required if you plan to inspect POST_PAYLOADS of requests. + This directive must be used along with the "phase:2" processing phase + action and REQUEST_BODY variable/location. If any of these 3 parts are + not configured, you will not be able to inspect the request + bodies. Possible values are: @@ -1233,10 +1235,10 @@ SecResponseBodyLimit 524288 is used to analyse data and perform actions based on the results. Syntax: SecRuleVARIABLES OPERATOR [ACTIONS] + moreinfo="none">SecRule VARIABLES OPERATOR [ACTIONS]
Example Usage: SecRuleREQUEST_URI "attack" + moreinfo="none">SecRule REQUEST_URI "attack" Processing Phase: Any @@ -1314,7 +1316,7 @@ SecResponseBodyLimit 524288
Actions in rules - The third parameter, ACTIONS, + The third parameter, ACTIONS, can be omitted only because there is a helper feature that specifies the default action list. If the parameter isn't omitted the actions specified in the parameter will be merged with the default action list @@ -1346,7 +1348,7 @@ SecResponseBodyLimit 524288 Dependencies/Notes: Resource-specific contexts (e.g. Location, Directory, etc) - cannot overridephase1rules configured in the main + cannot override phase1 rules configured in the main server or in the virtual server. This is because phase 1 is run early in the request processing process, before Apache maps request to resource. Virtual host context can override phase 1 rules configured in the main @@ -1400,7 +1402,7 @@ ServerAlias www.app2.com engine. Syntax: SecRuleEngineOn|Off|DetectionOnly + moreinfo="none">SecRuleEngine On|Off|DetectionOnly Example Usage: SecRuleEngine On @@ -1418,16 +1420,16 @@ ServerAlias www.app2.com - On - process rules. + On - process rules. - Off - do not process + Off - do not process rules. - DetectionOnly - process + DetectionOnly - process rules but never intercept transactions, even when rules are configured to do so. @@ -1583,17 +1585,17 @@ ServerAlias www.app2.com - On - Keep uploaded + On - Keep uploaded files. - Off - Do not keep uploaded + Off - Do not keep uploaded files. - RelevantOnly - This will + RelevantOnly - This will keep only those files that belong to requests that are deemed relevant. @@ -1620,7 +1622,7 @@ ServerAlias www.app2.com Dependencies/Notes: Partitions are used to avoid collisions between session IDs and user IDs. This directive must be used if there are multiple applications deployed on - the same server. If it isn't a collision between session IDs might + the same server. If it isn't used, a collision between session IDs might occur. The default value is default. Example: 
@@ -1726,15 +1728,15 @@ SecRule HTTP_Host "!^$" "deny,phase:1" Phase Request Headers - Rules in this phase immediately after Apache completes reading the - request headers (post-read-request phase). At this point the request - body has not been read yet, meaning not all request arguments are - available. Rules should be placed in this phase if you need to have them - run early (before Apache does something with the request), to do - something before the request body has been read, determine whether or - not the request body should be buffered, or decide how you want the - request body to be processed (e.g. whether to parse it as XML or - not). + Rules in this phase are processed immediately after Apache + completes reading the request headers (post-read-request phase). At this + point the request body has not been read yet, meaning not all request + arguments are available. Rules should be placed in this phase if you + need to have them run early (before Apache does something with the + request), to do something before the request body has been read, + determine whether or not the request body should be buffered, or decide + how you want the request body to be processed (e.g. whether to parse it + as XML or not). Note @@ -1821,13 +1823,13 @@ SecRule HTTP_Host "!^$" "deny,phase:1" ARGS:p will not result in any + expression). Note: ARGS:p will not result in any invocations against the operator if argument p does not exist. Some variables are actually collections, which are expanded into more variables at runtime. The following example will examine all request arguments:SecRule ARGS dirtySometimes, however, you will want to look only at parts of a collection. This can - be achieved with the help of theselection + be achieved with the help of the selection operator(colon). The following example will only look at the arguments named p (do note that, in general, requests can contain multiple arguments with the same name): 
@@ -1989,7 +1991,7 @@ SecRule ENV:tag "suspicious" This variable holds form data passed to the script/handler by appending data after a question mark. Example: - SecRuleQ UERY_STRIN G"attack" + SecRule QUERY_STRING "attack"
@@ -2016,7 +2018,7 @@ SecRule ENV:tag "suspicious"
<literal moreinfo="none">REMOTE_PORT</literal> - This variable hold information on the source port that the client + This variable holds information on the source port that the client used when initiating the connection to our web server. Example: in this example, we are evaluating to see if the REMOTE_PORT is less than 1024, which would indicate that the user is a privileged @@ -2144,7 +2146,8 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" Example: the second example is targeting only the Host header. - SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "deny,log,status:400,msg:'Host header is a numeric IP address'" + SecRule REQUEST_HEADERS:Host "^[\d\.]+$" \ + "deny,log,status:400,msg:'Host header is a numeric IP address'"
@@ -2153,7 +2156,8 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable is a collection of the names of all of the Request Headers. Example: - SecRule REQUEST_HEADERS_NAMES "^x-forwarded-for" "log,deny,status:403,t:lowercase,msg:'Proxy Server Used'" + SecRule REQUEST_HEADERS_NAMES "^x-forwarded-for" \ + "log,deny,status:403,t:lowercase,msg:'Proxy Server Used'"
@@ -2297,13 +2301,13 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
<literal moreinfo="none">RULE</literal> - This variable provides access to theThis variable provides access to the id,rev,severity, andmsgfields of the rule that triggered the + moreinfo="none">severity, and msg fields of the rule that triggered the action. Only available for expansion in action strings (e.g.setvar:tx.varname=%{rule.id}).Example: + moreinfo="none">setvar:tx.varname=%{rule.id}). Example: SecRule &REQUEST_HEADERS:Host "@eq 0" "phase:2,deny,id:1,setvar:tx.varname=%{rule.id}" @@ -2431,14 +2435,14 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable contains the local port that the web server is listening on. Example: - SecRuleS ERVER_PORT "^80$" + SecRule SERVER_PORT "^80$"
<literal moreinfo="none">SESSION</literal> - This variable is a collection, available only after setsid is executed. Example: the following + This variable is a collection, available only after setsid is executed. Example: the following example shows how to initialize a SESSION collection with setsid, how to use setvar to increase the session.score values, how to set the session.blocked variable and finally how to deny the connection based on @@ -2602,11 +2606,13 @@ SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" XPath: SecDefaultAction log,deny,status:403,phase:2 -SecRule REQUEST_HEADERS:Content-Type ^text/xml$ phase:1,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML SecRule REQBODY_PROCESSOR "!^XML$" skip:2 SecRule XML:/employees/employee/name/text() Fred -SecRule XML:/xq:employees/employee/name/text() Fred xmlns:xq=http://www.example.com/employees +SecRule XML:/xq:employees/employee/name/text() Fred \ + xmlns:xq=http://www.example.com/employees
@@ -2628,12 +2634,12 @@ SecRule XML:/xq:employees/employee/name/text() case in order to evade the ModSecurity rule: SecRule ARG:p "xp_cmdshell" "t:lowercase"multipetranformation - actions can be used in the same rule, for example the following rule also - ensures that an attacker does not use URL encodign (%xx encoding) for - evasion. Not the order of the transformation functions, which ensures that - a URL encoded letter is first decoded and than translated to lower - case. + role="bold">"t:lowercase"multiple + tranformation actions can be used in the same rule, for example the + following rule also ensures that an attacker does not use URL encoding + (%xx encoding) for evasion. Note the order of the transformation + functions, which ensures that a URL encoded letter is first decoded and + than translated to lower case. SecRule ARG:p "xp_cmdshell" "t:urlDecode,t:lowercase" @@ -2672,18 +2678,14 @@ SecRule XML:/xq:employees/employee/name/text() <literal>escapeSeqDecode</literal> This function decode ANSI C escape sequences:\a,\b,\f,\n,\r,\t,\v,\\,\?,\',\",\xHH(hexadecimal), \a, \b, + \f, \n, \r, + \t, \v, \\, + \?, \', \", + \xHH(hexadecimal), \0OOO(octal). Invalid encodings are left in the output.
@@ -2708,34 +2710,34 @@ SecRule XML:/xq:employees/employee/name/text() - &#xHHand&#xHH;(where H is any hexadecimal + &#xHH and &#xHH; (where H is any hexadecimal number) - &#DDDand&#DDD;(where D is any decimal + &#DDD and &#DDD; (where D is any decimal number) - &quotand&quot and &quot; - &nbsp and&nbsp and &nbsp; - &ltand&lt and &lt; - &gtand&gt and &gt; @@ -2824,7 +2826,7 @@ SecRule XML:/xq:employees/employee/name/text() <literal>urlDecodeUni</literal> In addition to decoding %xx like urlDecode, urlDecodeUni also decodesurlDecode, urlDecodeUni also decodes %uXXXX encoding (only the lower byte will be used, the higher byte will be discarded). @@ -3106,8 +3108,10 @@ SecRule REQUEST_CONTENT_TYPE ^text/xml nolog,pass,ctl:requ connections. SecAction initcol:ip=%{REMOTE_ADDR},nolog -SecRule ARGS:login "!^$" nolog,phase:1,setvar:ip.auth_attempt=+1,deprecatevar:ip.auth_attempt=20/120 -SecRule IP:AUTH_ATTEMPT "@gt 25" log,drop,phase:1,msg:'Possible Brute Force Attack" +SecRule ARGS:login "!^$" \ + nolog,phase:1,setvar:ip.auth_attempt=+1,deprecatevar:ip.auth_attempt=20/120 +SecRule IP:AUTH_ATTEMPT "@gt 25" \ + log,drop,phase:1,msg:'Possible Brute Force Attack" Note @@ -3129,8 +3133,8 @@ SecRule IP:AUTH_ATTEMPT "@gt 25" log,drop,phase Example: - SecRule REQUEST_URI "^/cgi-bin/script\.pl" "log,exec:/usr/local/apache/bin/test.sh,phase:1" + SecRule REQUEST_URI "^/cgi-bin/script\.pl" \ + "log,exec:/usr/local/apache/bin/test.sh,phase:1" Note @@ -3159,8 +3163,8 @@ SecRule IP:AUTH_ATTEMPT "@gt 25" log,drop,phase SecRule REQUEST_COOKIES:JSESSIONID "!^$" nolog,phase:1,pass,chain SecAction setsid:%{REQUEST_COOKIES:JSESSIONID} -SecRule REQUEST_URI "^/cgi-bin/script\.pl" "log,allow,setvar:session.suspicious=1,expirevar:session.suspicious=3600,phase:1" +SecRule REQUEST_URI "^/cgi-bin/script\.pl" \ + "log,allow,setvar:session.suspicious=1,expirevar:session.suspicious=3600,phase:1" Note 
@@ -3183,8 +3187,8 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" "log,allow,setvar:session.suspicious= Example: - SecRule &REQUEST_HEADERS:Host "@eq 0" "log,id:60008,severity:2,msg:'Request Missing a Host Header'" + SecRule &REQUEST_HEADERS:Host "@eq 0" \ + "log,id:60008,severity:2,msg:'Request Missing a Host Header'" Note @@ -3239,18 +3243,18 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" "log,allow,setvar:session.suspicious= - CREATE_TIME- date/time of + CREATE_TIME - date/time of the creation of the collection. - KEY- the value of the + KEY - the value of the initcol variable (the client's IP address in the example). - LAST_UPDATE_TIME- date/time - of the last update to the collection. + LAST_UPDATE_TIME - + date/time of the last update to the collection. @@ -3260,27 +3264,27 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" "log,allow,setvar:session.suspicious= - UPDATE_COUNTER- how many + UPDATE_COUNTER - how many times the collection has been updated since creation. - UPDATE_RATE- is the average - rate updates per minute since creation. + UPDATE_RATE - is the + average rate updates per minute since creation. Collections are loaded into memory when the initcol action is encountered. The collection in storage will be updated (and the - appropriate counters increased)onlyif it was + appropriate counters increased) only if it was changed during transaction processing. To create a collection to hold session variables (SESSION) use action setsid. To create a collection to hold user - variables (USER)use action setuid. + variables (USER) use action + setuid. @@ -3321,8 +3325,9 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" "log,allow,setvar:session.suspicious= Example: - SecRule &REQUEST_HEADERS:Host "@eq 0" "log,id:60008,severity:2,msg:'Request Missing a Host Header'" + SecRule &REQUEST_HEADERS:Host "@eq 0" \ + "log,id:60008,severity:2,msg:'Request Missing a Host Header'" Note 
@@ -3342,8 +3347,8 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" "log,allow,setvar:session.suspicious= Example: - SecDefaultAction log,deny,phase:1,t:lowercase,t:removeNulls,t:lowercase SecRule ARGS "attack"multiMatch + SecDefaultAction log,deny,phase:1,t:removeNulls,t:lowercase +SecRule ARGS "attack" multiMatch Note @@ -3372,8 +3377,8 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" "log,allow,setvar:session.suspicious= If the SecAuditEngine is set to On, all of the transactions will be logged. If it is set to RelevantOnly, then you can control it with - the noauditlog action. Even it the noauditlog action is applied to a - specific rule, if a rule either before or after triggered an audit + the noauditlog action. Even if the noauditlog action is applied to a + specific rule and a rule either before or after triggered an audit event, then the tranaction will be logged to the audit log. The correct way to disable audit logging for the entire transaction is to use "ctl:auditEngine=Off" @@ -3450,7 +3455,7 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" "log,allow,setvar:session.suspicious= Example: SecDefaultAction log,deny,phase:1,t:lowercase,t:removeNulls,t:lowercase + role="bold">phase:1,t:removeNulls,t:lowercase SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403 Note @@ -3493,12 +3498,12 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403 Example: - SecRule REQUEST_HEADERS:User-Agent "Test" log,redirect:http://www.hostname.com/failed.html + SecRule REQUEST_HEADERS:User-Agent "Test" \ + log,redirect:http://www.hostname.com/failed.html Note - If thestatusaction is present + If the status action is present and its value is acceptable (301, 302, 303, or 307) it will be used for the redirection. Otherwise status code 302 will be used. 
@@ -3518,8 +3523,8 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403 Note - This action is used in combination with theidaction to allow the same rule ID to be used + This action is used in combination with the id action to allow the same rule ID to be used after changes take place but to still provide some indication the rule changed. @@ -3580,8 +3585,8 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403 Action Group: Non-Disruptive - Example: For example, the example below will sanitise the data in - the Authorization header. + Example: This will sanitise the data in the Authorization + header. SecAction log,phase:1,sanitiseRequestHeader:Authorization @@ -3600,8 +3605,8 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403 Action Group: Non-Disruptive - Example: For example, the example below will sanitise the - Set-Cookie data sent to the client. + Example: This will sanitise the Set-Cookie data sent to the + client. SecAction log,phase:3,sanitiseResponseHeader:Set-Cookie @@ -3626,7 +3631,7 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403 Note - The severity numbers follow the Syslog convention - + The severity numbers follow the Syslog convention: @@ -3666,9 +3671,9 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403
<literal>setuid</literal> - Description: - Special-purposeaction that initialises the USER collection. + Description: Special-purpose + action that initialises the USER + collection. Action Group: Non-Disruptive @@ -3698,13 +3703,13 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403 # Initialise session variables using the session cookie value SecRule REQUEST_COOKIES:PHPSESSID !^$ chain,nolog,pass -SecActionsetsid:%{REQUEST_COOKIES.PHPSESSID} +SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} Note On first invocation of this action the collection will be empty - (not taking the pre-defined variables into account - seeinitcolfor more information). On subsequent + (not taking the pre-defined variables into account - see initcol for more information). On subsequent invocations the contents of the collection (session, in this case) will be retrieved from storage. After initialisation takes place the variable SESSIONID will be available @@ -3781,8 +3786,10 @@ SecActionsetsid:%{REQUEST_COOKIES.PHPSESSID}

skip:2" SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain" SecRule REQUEST_HEADERS:User-Agent "^Apache \(internal dummy connection\)$" "t:none" -SecRule &REQUEST_HEADERS:Host "@eq 0" "deny,log,status:400,id:960008,severity:4,msg:'Request Missing a Host Header'" -SecRule &REQUEST_HEADERS:Accept "@eq 0" "log,deny,log,status:400,id:960015,msg:'Request Missing an Accept Header'"
+SecRule &REQUEST_HEADERS:Host "@eq 0" \ + "deny,log,status:400,id:960008,severity:4,msg:'Request Missing a Host Header'" +SecRule &REQUEST_HEADERS:Accept "@eq 0" \ + "log,deny,log,status:400,id:960015,msg:'Request Missing an Accept Header'" Note @@ -3831,9 +3838,9 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" "log,deny,log,status:400,id:960015,m Example: - SecDefaultAction log,deny,phase:1,t:lowercase,t:removeNulls,t:lowercase -SecRule REQUEST_COOKIES:SESSIONID "47414e81cbbef3cf8366e84eeacba091" log,deny,status:403,t:md5 + SecDefaultAction log,deny,phase:1,t:removeNulls,t:lowercase +SecRule REQUEST_COOKIES:SESSIONID "47414e81cbbef3cf8366e84eeacba091" \ + log,deny,status:403,t:md5 Note @@ -3855,7 +3862,8 @@ SecRule REQUEST_COOKIES:SESSIONID "47414e81cbbef3cf8366e84eeacba091" log,deny,st Example: - SecRule REQUEST_HEADERS:Content-Type "text/xml" phase:1,pass,ctl:requestBodyProcessor=XML,ctl:requestBodyAccess=On,SecRule REQUEST_HEADERS:Content-Type "text/xml" \ + phase:1,pass,ctl:requestBodyProcessor=XML,ctl:requestBodyAccess=On,xmlns:xsd="http://www.w3.org/2001/XMLSchema" SecRule XML:/soap:Envelope/soap:Body/q1:getInput/id() "123" phase:2,deny
@@ -4032,7 +4040,7 @@ SecRule XML:/soap:Envelope/soap:Body/q1:getInput/id() "123" phase:2,deny - It is executed in the flow or rules rather than being a build + It is executed in the flow of rules rather than being a built in pre-check.
@@ -4042,12 +4050,13 @@ SecRule XML:/soap:Envelope/soap:Body/q1:getInput/id() "123" phase:2,denyvalidateDTD Description: This operator - requires request body to be processed as XML. + requires the request body to be processed as XML.
Example: SecDefaultAction log,deny,status:403,phase:2 -SecRule REQUEST_HEADERS:Content-Type ^text/xml$ phase:1,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML +SecRule REQUEST_HEADERS:Content-Type ^text/xml$ \ + phase:1,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML SecRule REQBODY_PROCESSOR "!^XML$" nolog,pass,skip:1 SecRule XML "@validateDTD /path/to/apache2/conf/xml.dtd" @@ -4056,12 +4065,13 @@ SecRule XML "@validateDTD /path/to/apache2/conf/xml.dtdvalidateSchema Description: This operator - requires request body to be processed as XML. + requires the request body to be processed as XML.
Example: SecDefaultAction log,deny,status:403,phase:2 -SecRule REQUEST_HEADERS:Content-Type ^text/xml$ phase:1,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML +SecRule REQUEST_HEADERS:Content-Type ^text/xml$ \ + phase:1,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML SecRule REQBODY_PROCESSOR "!^XML$" nolog,pass,skip:1 SecRule XML "@validateSchema /path/to/apache2/conf/xml.xsd"
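Review bot: the rewrapped SecRule IP:AUTH_ATTEMPT "@gt 25" line in the hunk at -3106 still carries the mismatched quoting msg:'Possible Brute Force Attack" (opened with a single quote, closed with a double quote), so the example as printed would not parse; since the line is being touched anyway, close it as msg:'Possible Brute Force Attack'.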
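Review bot: the rewrap of the SecAuditLog piped-logging example in the hunk at -454 changes the placeholder paths, not just the line breaks: "/path/to/modsec-auditlog-collector.pl /path/to/SecAuditLogDataDir /path/to/SecAuditLog" becomes "/path/modsec-auditlog-collector.pl /path/SecAuditLogDataDir /path/SecAuditLog". Either keep the original /path/to/ placeholders or state the path change in the commit message, so a pure reformatting commit is not mistaken for a documentation correction.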
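Review bot: the rewritten paragraph in the hunk at -2628 still contains "tranformation" (should be "transformation") and "first decoded and than translated to lower case" (should be "then"); both sit on the + lines, so they can be fixed in the same change rather than left for a follow-up.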
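Review bot: the + lines in the hunk at -3372 keep "the tranaction will be logged to the audit log" (should be "transaction"); fix it while the sentence is being rewritten.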
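Review bot: the example "SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}" in the hunk at -3698 separates collection and key with a dot, while the setsid example in the hunk at -3159 uses the colon form "SecAction setsid:%{REQUEST_COOKIES:JSESSIONID}", which is also what the hunk at -1821 describes as the selection operator. Since the line is being edited to add the missing space, make the two examples consistent so readers do not copy the dot form.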
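Review bot: in the hunk at -188 the line "website -http://www.modsecurity.org/projects/rules/index.html." appears only as a removed line, with no added line visible in the hunk; confirm the Core Rules URL survives the rewrap of the "ModSecurity website" sentence rather than being dropped, since it is the only pointer in this section to where the rule set is published.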
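Review bot: in the XPath example in the hunk at -2602 the line "SecRule REQUEST_HEADERS:Content-Type ^text/xml$ phase:1,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML" is shown only as removed, with no visible replacement; without it the XML body processor is never enabled and the following "SecRule REQBODY_PROCESSOR "!^XML$" skip:2" would always skip the XML rules. Confirm the line was only rewrapped, as the same line is in the hunks at -4042 and -4056, and not dropped.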
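Review bot: the context line "defend against clients that send more 120 requests in a minute" just above the changed "Since 1.9, ModSecurity supports a new directive" sentence in the hunk at -996 is missing "than"; a one-word fix in the same paragraph while it is being edited.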
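Review bot: the + line in the hunk at -4032 reads "rather than being a built in pre-check"; "built-in" should be hyphenated when used as an adjective, and the earlier typo fix ("flow of rules") is correct as written.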