github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-14 13:56:01 +03:00
Code Issues Packages Projects Releases Wiki Activity

Fix some spelling, grammer and formatting issues.

Browse Source
This commit is contained in:
brectanus 2007-02-13 20:42:07 +00:00
parent c482774094
commit 08c231a6b3
1 changed files with 150 additions and 140 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

198
doc/modsecurity2-apache-reference.xml
View File

@ -188,10 +188,10 @@
<title>Overview</title>
<para>ModSecurity is a web application firewall engine that provides
very little protection on its own. In order to become useful ModSecurity
must be configured with rules. In order to enable users to take full
advantage of ModSecurity out of the box, Breach Security Inc. is
providing a free certified rule set for ModSecurity 2.0. Unlike
very little protection on its own. In order to become useful,
ModSecurity must be configured with rules. In order to enable users to
take full advantage of ModSecurity out of the box, Breach Security Inc.
is providing a free certified rule set for ModSecurity 2.0. Unlike
intrusion detection and prevention systems, which rely on signature
specific to known vulnerabilities, the Core Rules provide generic
protection from unknown vulnerabilities often found in web applications,
@ -337,8 +337,8 @@
</listitem>
<listitem>
<para>(Optional) Add one line to your configuration to load
libxml2:<filename moreinfo="none">LoadFile
<para>(Optional) Add one line to your configuration to load libxml2:
<filename moreinfo="none">LoadFile
/usr/lib/libxml2.so</filename></para>
</listitem>
@ -454,9 +454,9 @@
<para><emphasis role="bold">Description: </emphasis>Specifies which
character to use as separator for<literal moreinfo="none">
application/x-www-form-urlencoded</literal> content. Defaults to<literal
moreinfo="none">&amp;</literal>. Applications are sometimes (very
rarely) written to use a semicolon (<literal
application/x-www-form-urlencoded</literal> content. Defaults to
<literal moreinfo="none">&amp;</literal>. Applications are sometimes
(very rarely) written to use a semicolon (<literal
moreinfo="none">;</literal>).</para>
<para><emphasis role="bold">Syntax:</emphasis> <literal
@ -562,8 +562,8 @@ SecAuditLogStorageDir logs/audit
will need to use the modsec-auditlog-collector.pl script and use the
following format:</para>
<para><literal>SecAuditLog "|/path/to/modsec-auditlog-collector.pl
/path/to/SecAuditLogDataDir /path/to/SecAuditLog"</literal></para>
<para><programlisting format="linespecific">SecAuditLog \
"|/path/modsec-auditlog-collector.pl /path/SecAuditLogDataDir /path/SecAuditLog"</programlisting></para>
</section>
<section>
@ -721,7 +721,7 @@ SecAuditLogStorageDir logs/audit
user as new files are generated at runtime.</para>
<para>As with all logging mechanisms, ensure that you specify a file
system location that as adequate disk space and is not on the root
system location that has adequate disk space and is not on the root
partition.</para>
</section>
@ -965,7 +965,8 @@ SecAuditLogStorageDir logs/audit
<para>The default value is:</para>
<programlisting format="linespecific">SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace</programlisting>
<programlisting format="linespecific">SecDefaultAction \
log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace</programlisting>
<para><emphasis role="bold">Note</emphasis></para>
@ -996,7 +997,7 @@ SecAuditLogStorageDir logs/audit
httpd-guardian will defend against clients that send more 120 requests
in a minute, or more than 360 requests in five minutes.</para>
<para>Since 1.9 ModSecurity supports a new directive, SecGuardianLog,
<para>Since 1.9, ModSecurity supports a new directive, SecGuardianLog,
that is designed to send all access data to another program using the
piped logging feature. Since Apache is typically deployed in a
multi-process fashion, making information sharing difficult, the idea is
@ -1037,11 +1038,12 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Dependencies/Notes: </emphasis>Thisdirective
is required if you plan to inspect POST_PAYLOADS of requests. This
directive must be used along with the "phase:2" processing phase action
and REQUEST_BODY variable/location. If any of these 3 parts are not
configured, you will not be able to inspect the request bodies.</para>
<para><emphasis role="bold">Dependencies/Notes: </emphasis>This
directive is required if you plan to inspect POST_PAYLOADS of requests.
This directive must be used along with the "phase:2" processing phase
action and REQUEST_BODY variable/location. If any of these 3 parts are
not configured, you will not be able to inspect the request
bodies.</para>
<para>Possible values are:</para>
@ -1620,7 +1622,7 @@ ServerAlias www.app2.com
<para><emphasis role="bold">Dependencies/Notes:</emphasis> Partitions
are used to avoid collisions between session IDs and user IDs. This
directive must be used if there are multiple applications deployed on
the same server. If it isn't a collision between session IDs might
the same server. If it isn't used, a collision between session IDs might
occur. The default value is<literal moreinfo="none"> default</literal>.
Example:</para>
@ -1726,15 +1728,15 @@ SecRule HTTP_Host "!^$" "deny,<emphasis role="bold">phase:1</emphasis>"</program
<section>
<title>Phase Request Headers</title>
<para>Rules in this phase immediately after Apache completes reading the
request headers (post-read-request phase). At this point the request
body has not been read yet, meaning not all request arguments are
available. Rules should be placed in this phase if you need to have them
run early (before Apache does something with the request), to do
something before the request body has been read, determine whether or
not the request body should be buffered, or decide how you want the
request body to be processed (e.g. whether to parse it as XML or
not).</para>
<para>Rules in this phase are processed immediately after Apache
completes reading the request headers (post-read-request phase). At this
point the request body has not been read yet, meaning not all request
arguments are available. Rules should be placed in this phase if you
need to have them run early (before Apache does something with the
request), to do something before the request body has been read,
determine whether or not the request body should be buffered, or decide
how you want the request body to be processed (e.g. whether to parse it
as XML or not).</para>
<para><emphasis role="bold">Note</emphasis></para>
@ -2016,7 +2018,7 @@ SecRule <emphasis role="bold">ENV:tag</emphasis> "suspicious"</programlisting>
<section>
<title><literal moreinfo="none">REMOTE_PORT</literal></title>
<para>This variable hold information on the source port that the client
<para>This variable holds information on the source port that the client
used when initiating the connection to our web server. Example: in this
example, we are evaluating to see if the <literal>REMOTE_PORT</literal>
is less than 1024, which would indicate that the user is a privileged
@ -2144,7 +2146,8 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
<para>Example: the second example is targeting only the Host
header.</para>
<programlisting format="linespecific">SecRule <emphasis role="bold">REQUEST_HEADERS:Host</emphasis> "^[\d\.]+$" "deny,log,status:400,msg:'Host header is a numeric IP address'"</programlisting>
<programlisting format="linespecific">SecRule <emphasis role="bold">REQUEST_HEADERS:Host</emphasis> "^[\d\.]+$" \
"deny,log,status:400,msg:'Host header is a numeric IP address'"</programlisting>
</section>
<section>
@ -2153,7 +2156,8 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
<para>This variable is a collection of the names of all of the Request
Headers. Example:</para>
<programlisting format="linespecific">SecRule <emphasis role="bold">REQUEST_HEADERS_NAMES</emphasis> "^x-forwarded-for" "log,deny,status:403,t:lowercase,msg:'Proxy Server Used'"</programlisting>
<programlisting format="linespecific">SecRule <emphasis role="bold">REQUEST_HEADERS_NAMES</emphasis> "^x-forwarded-for" \
"log,deny,status:403,t:lowercase,msg:'Proxy Server Used'"</programlisting>
</section>
<section>
@ -2602,11 +2606,13 @@ SecRule REQUEST_HEADERS:Transfer-Encoding "!^$"</programlisting>
XPath:</para>
<programlisting format="linespecific">SecDefaultAction log,deny,status:403,phase:2
SecRule REQUEST_HEADERS:Content-Type ^text/xml$ phase:1,t:lowercase,nolog,pass,ctl:requestBodyProcessor=<emphasis
SecRule REQUEST_HEADERS:Content-Type ^text/xml$ \
phase:1,t:lowercase,nolog,pass,ctl:requestBodyProcessor=<emphasis
role="bold">XML</emphasis>
SecRule REQBODY_PROCESSOR "<emphasis role="bold">!^XML$</emphasis>" skip:2
SecRule <emphasis role="bold">XML:/employees/employee/name/text()</emphasis> Fred
SecRule <emphasis role="bold">XML:/xq:employees/employee/name/text()</emphasis> Fred xmlns:xq=http://www.example.com/employees</programlisting>
SecRule <emphasis role="bold">XML:/xq:employees/employee/name/text()</emphasis> Fred \
xmlns:xq=http://www.example.com/employees</programlisting>
</section>
</section>
@ -2628,12 +2634,12 @@ SecRule <emphasis role="bold">XML:/xq:employees/employee/name/text()</emphasis>
case in order to evade the ModSecurity rule:</para>
<para><programlisting format="linespecific">SecRule ARG:p "xp_cmdshell" <emphasis
role="bold">"t:lowercase"</emphasis></programlisting>multipetranformation
actions can be used in the same rule, for example the following rule also
ensures that an attacker does not use URL encodign (%xx encoding) for
evasion. Not the order of the transformation functions, which ensures that
a URL encoded letter is first decoded and than translated to lower
case.</para>
role="bold">"t:lowercase"</emphasis></programlisting>multiple
tranformation actions can be used in the same rule, for example the
following rule also ensures that an attacker does not use URL encoding
(%xx encoding) for evasion. Note the order of the transformation
functions, which ensures that a URL encoded letter is first decoded and
than translated to lower case.</para>
<para><programlisting format="linespecific">SecRule ARG:p "xp_cmdshell" <emphasis
role="bold">"t:urlDecode,t:lowercase"</emphasis></programlisting></para>
@ -2672,18 +2678,14 @@ SecRule <emphasis role="bold">XML:/xq:employees/employee/name/text()</emphasis>
<title><literal>escapeSeqDecode</literal></title>
<para>This function decode ANSI C escape sequences:<literal
moreinfo="none">\a</literal>,<literal
moreinfo="none">\b</literal>,<literal
moreinfo="none">\f</literal>,<literal
moreinfo="none">\n</literal>,<literal
moreinfo="none">\r</literal>,<literal
moreinfo="none">\t</literal>,<literal
moreinfo="none">\v</literal>,<literal
moreinfo="none">\\</literal>,<literal
moreinfo="none">\?</literal>,<literal
moreinfo="none">\'</literal>,<literal
moreinfo="none">\"</literal>,<literal
moreinfo="none">\xHH</literal>(hexadecimal),<literal
moreinfo="none"> \a</literal>,<literal moreinfo="none"> \b</literal>,
<literal moreinfo="none">\f</literal>, <literal
moreinfo="none">\n</literal>, <literal moreinfo="none">\r</literal>,
<literal moreinfo="none">\t</literal>, <literal
moreinfo="none">\v</literal>, <literal moreinfo="none">\\</literal>,
<literal moreinfo="none">\?</literal>, <literal
moreinfo="none">\'</literal>, <literal moreinfo="none">\"</literal>,
<literal moreinfo="none">\xHH</literal>(hexadecimal), <literal
moreinfo="none">\0OOO</literal>(octal). Invalid encodings are left in
the output.</para>
</section>
@ -3106,8 +3108,10 @@ SecRule REQUEST_CONTENT_TYPE ^text/xml nolog,pass,<emphasis role="bold">ctl:requ
connections.</para>
<programlisting format="linespecific">SecAction initcol:ip=%{REMOTE_ADDR},nolog
SecRule ARGS:login "!^$" nolog,phase:1,setvar:ip.auth_attempt=+1,deprecatevar:ip.auth_attempt=20/120
SecRule IP:AUTH_ATTEMPT "@gt 25" log,<emphasis role="bold">drop</emphasis>,phase:1,msg:'Possible Brute Force Attack"</programlisting>
SecRule ARGS:login "!^$" \
nolog,phase:1,setvar:ip.auth_attempt=+1,deprecatevar:ip.auth_attempt=20/120
SecRule IP:AUTH_ATTEMPT "@gt 25" \
log,<emphasis role="bold">drop</emphasis>,phase:1,msg:'Possible Brute Force Attack"</programlisting>
<para><emphasis role="bold">Note</emphasis></para>
@ -3129,8 +3133,8 @@ SecRule IP:AUTH_ATTEMPT "@gt 25" log,<emphasis role="bold">drop</emphasis>,phase
<para>Example:</para>
<programlisting format="linespecific">SecRule REQUEST_URI "^/cgi-bin/script\.pl" "log,<emphasis
role="bold">exec:/usr/local/apache/bin/test.sh</emphasis>,phase:1"</programlisting>
<programlisting format="linespecific">SecRule REQUEST_URI "^/cgi-bin/script\.pl" \
"log,<emphasis role="bold">exec:/usr/local/apache/bin/test.sh</emphasis>,phase:1"</programlisting>
<para><emphasis role="bold">Note</emphasis></para>
@ -3159,8 +3163,8 @@ SecRule IP:AUTH_ATTEMPT "@gt 25" log,<emphasis role="bold">drop</emphasis>,phase
<programlisting format="linespecific">SecRule REQUEST_COOKIES:JSESSIONID "!^$" nolog,phase:1,pass,chain
SecAction setsid:%{REQUEST_COOKIES:JSESSIONID}
SecRule REQUEST_URI "^/cgi-bin/script\.pl" "log,allow,setvar:session.suspicious=1,<emphasis
role="bold">expirevar:session.suspicious=3600</emphasis>,phase:1"</programlisting>
SecRule REQUEST_URI "^/cgi-bin/script\.pl" \
"log,allow,setvar:session.suspicious=1,<emphasis role="bold">expirevar:session.suspicious=3600</emphasis>,phase:1"</programlisting>
<para><emphasis role="bold">Note</emphasis></para>
@ -3183,8 +3187,8 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" "log,allow,setvar:session.suspicious=
<para>Example:</para>
<programlisting format="linespecific">SecRule &amp;REQUEST_HEADERS:Host "@eq 0" "log,<emphasis
role="bold">id:60008</emphasis>,severity:2,msg:'Request Missing a Host Header'"</programlisting>
<programlisting format="linespecific">SecRule &amp;REQUEST_HEADERS:Host "@eq 0" \
"log,<emphasis role="bold">id:60008</emphasis>,severity:2,msg:'Request Missing a Host Header'"</programlisting>
<para><emphasis role="bold">Note</emphasis></para>
@ -3249,8 +3253,8 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" "log,allow,setvar:session.suspicious=
</listitem>
<listitem>
<para><literal moreinfo="none">LAST_UPDATE_TIME</literal>- date/time
of the last update to the collection.</para>
<para><literal moreinfo="none">LAST_UPDATE_TIME</literal> -
date/time of the last update to the collection.</para>
</listitem>
<listitem>
@ -3265,8 +3269,8 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" "log,allow,setvar:session.suspicious=
</listitem>
<listitem>
<para><literal moreinfo="none">UPDATE_RATE</literal>- is the average
rate updates per minute since creation.</para>
<para><literal moreinfo="none">UPDATE_RATE</literal> - is the
average rate updates per minute since creation.</para>
</listitem>
</orderedlist>
@ -3279,8 +3283,8 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" "log,allow,setvar:session.suspicious=
<para>To create a collection to hold session variables (<literal
moreinfo="none">SESSION</literal>) use action <literal
moreinfo="none">setsid</literal>. To create a collection to hold user
variables (<literal moreinfo="none">USER</literal>)use action <literal
moreinfo="none">setuid</literal>.</para>
variables (<literal moreinfo="none">USER</literal>) use action
<literal moreinfo="none">setuid</literal>.</para>
</note>
<note>
@ -3321,8 +3325,9 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" "log,allow,setvar:session.suspicious=
<para>Example:</para>
<programlisting format="linespecific">SecRule &amp;REQUEST_HEADERS:Host "@eq 0" "log,id:60008<emphasis
role="bold">,</emphasis>severity:2,<emphasis role="bold">msg:'Request Missing a Host Header'"</emphasis></programlisting>
<programlisting format="linespecific">SecRule &amp;REQUEST_HEADERS:Host "@eq 0" \
"log,id:60008<emphasis role="bold">,</emphasis>severity:2,<emphasis
role="bold">msg:'Request Missing a Host Header'"</emphasis></programlisting>
<para><emphasis role="bold">Note</emphasis></para>
@ -3342,8 +3347,8 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" "log,allow,setvar:session.suspicious=
<para>Example:</para>
<programlisting format="linespecific">SecDefaultAction log,deny,phase:1,t:lowercase,t:removeNulls,t:lowercase SecRule ARGS "attack"<emphasis
role="bold">multiMatch</emphasis></programlisting>
<programlisting format="linespecific">SecDefaultAction log,deny,phase:1,t:removeNulls,t:lowercase
SecRule ARGS "attack" <emphasis role="bold">multiMatch</emphasis></programlisting>
<para><emphasis role="bold">Note</emphasis></para>
@ -3372,8 +3377,8 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" "log,allow,setvar:session.suspicious=
<para>If the SecAuditEngine is set to On, all of the transactions will
be logged. If it is set to RelevantOnly, then you can control it with
the noauditlog action. Even it the noauditlog action is applied to a
specific rule, if a rule either before or after triggered an audit
the noauditlog action. Even if the noauditlog action is applied to a
specific rule and a rule either before or after triggered an audit
event, then the tranaction will be logged to the audit log. The correct
way to disable audit logging for the entire transaction is to use
"<literal moreinfo="none">ctl:auditEngine=Off</literal>"</para>
@ -3450,7 +3455,7 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" "log,allow,setvar:session.suspicious=
<para>Example:</para>
<programlisting format="linespecific">SecDefaultAction log,deny,<emphasis
role="bold">phase:1</emphasis>,t:lowercase,t:removeNulls,t:lowercase
role="bold">phase:1</emphasis>,t:removeNulls,t:lowercase
SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403</programlisting>
<para><emphasis role="bold">Note</emphasis></para>
@ -3493,8 +3498,8 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403</programlisting>
<para>Example:</para>
<programlisting format="linespecific">SecRule REQUEST_HEADERS:User-Agent "Test" log,<emphasis
role="bold">redirect:http://www.hostname.com/failed.html</emphasis></programlisting>
<programlisting format="linespecific">SecRule REQUEST_HEADERS:User-Agent "Test" \
log,<emphasis role="bold">redirect:http://www.hostname.com/failed.html</emphasis></programlisting>
<para><emphasis role="bold">Note</emphasis></para>
@ -3580,8 +3585,8 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403</programlisting>
<para><emphasis role="bold">Action Group:</emphasis>
Non-Disruptive</para>
<para>Example: For example, the example below will sanitise the data in
the Authorization header.</para>
<para>Example: This will sanitise the data in the Authorization
header.</para>
<programlisting format="linespecific">SecAction log,phase:1,<emphasis
role="bold">sanitiseRequestHeader:Authorization</emphasis></programlisting>
@ -3600,8 +3605,8 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403</programlisting>
<para><emphasis role="bold">Action Group:</emphasis>
Non-Disruptive</para>
<para>Example: For example, the example below will sanitise the
Set-Cookie data sent to the client.</para>
<para>Example: This will sanitise the Set-Cookie data sent to the
client.</para>
<programlisting format="linespecific">SecAction log,phase:3,<emphasis
role="bold">sanitiseResponseHeader:Set-Cookie</emphasis></programlisting>
@ -3626,7 +3631,7 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403</programlisting>
<para><emphasis role="bold">Note</emphasis></para>
<para>The severity numbers follow the Syslog convention -</para>
<para>The severity numbers follow the Syslog convention:</para>
<itemizedlist>
<listitem>
@ -3666,9 +3671,9 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403</programlisting>
<section>
<title><literal>setuid</literal></title>
<para><emphasis role="bold">Description:</emphasis>
Special-purposeaction that initialises the <literal
moreinfo="none">USER</literal> collection.</para>
<para><emphasis role="bold">Description:</emphasis> Special-purpose
action that initialises the <literal moreinfo="none">USER</literal>
collection.</para>
<para><emphasis role="bold">Action Group:</emphasis>
Non-Disruptive</para>
@ -3781,8 +3786,10 @@ SecAction<emphasis role="bold">setsid:%{REQUEST_COOKIES.PHPSESSID}</emphasis></p
role="bold">skip:2</emphasis>"
SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain"
SecRule REQUEST_HEADERS:User-Agent "^Apache \(internal dummy connection\)$" "t:none"
SecRule &amp;REQUEST_HEADERS:Host "@eq 0" "deny,log,status:400,id:960008,severity:4,msg:'Request Missing a Host Header'"
SecRule &amp;REQUEST_HEADERS:Accept "@eq 0" "log,deny,log,status:400,id:960015,msg:'Request Missing an Accept Header'"</programlisting></para>
SecRule &amp;REQUEST_HEADERS:Host "@eq 0" \
"deny,log,status:400,id:960008,severity:4,msg:'Request Missing a Host Header'"
SecRule &amp;REQUEST_HEADERS:Accept "@eq 0" \
"log,deny,log,status:400,id:960015,msg:'Request Missing an Accept Header'"</programlisting></para>
<para><emphasis role="bold">Note</emphasis></para>
@ -3831,9 +3838,9 @@ SecRule &amp;REQUEST_HEADERS:Accept "@eq 0" "log,deny,log,status:400,id:960015,m
<para>Example:</para>
<programlisting format="linespecific">SecDefaultAction log,deny,phase:1,t:lowercase,t:removeNulls,t:lowercase
SecRule REQUEST_COOKIES:SESSIONID "47414e81cbbef3cf8366e84eeacba091" log,deny,status:403,<emphasis
role="bold">t:md5</emphasis></programlisting>
<programlisting format="linespecific">SecDefaultAction log,deny,phase:1,t:removeNulls,t:lowercase
SecRule REQUEST_COOKIES:SESSIONID "47414e81cbbef3cf8366e84eeacba091" \
log,deny,status:403,<emphasis role="bold">t:md5</emphasis></programlisting>
<para><emphasis role="bold">Note</emphasis></para>
@ -3855,7 +3862,8 @@ SecRule REQUEST_COOKIES:SESSIONID "47414e81cbbef3cf8366e84eeacba091" log,deny,st
<para>Example:</para>
<programlisting format="linespecific">SecRule REQUEST_HEADERS:Content-Type "text/xml" phase:1,pass,ctl:requestBodyProcessor=XML,ctl:requestBodyAccess=On,<emphasis
<programlisting format="linespecific">SecRule REQUEST_HEADERS:Content-Type "text/xml" \
phase:1,pass,ctl:requestBodyProcessor=XML,ctl:requestBodyAccess=On,<emphasis
role="bold">xmlns:xsd="http://www.w3.org/2001/XMLSchema"</emphasis>
SecRule XML:/soap:Envelope/soap:Body/q1:getInput/id() "123" phase:2,deny</programlisting>
</section>
@ -4032,7 +4040,7 @@ SecRule XML:/soap:Envelope/soap:Body/q1:getInput/id() "123" phase:2,deny</progra
</listitem>
<listitem>
<para>It is executed in the flow or rules rather than being a build
<para>It is executed in the flow of rules rather than being a built
in pre-check.</para>
</listitem>
</itemizedlist>
@ -4042,12 +4050,13 @@ SecRule XML:/soap:Envelope/soap:Body/q1:getInput/id() "123" phase:2,deny</progra
<title><literal>validateDTD</literal></title>
<para><emphasis role="bold">Description:</emphasis> This operator
requires request body to be processed as XML.</para>
requires the request body to be processed as XML.</para>
<para>Example:</para>
<programlisting format="linespecific">SecDefaultAction log,deny,status:403,phase:2
SecRule REQUEST_HEADERS:Content-Type ^text/xml$ phase:1,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML
SecRule REQUEST_HEADERS:Content-Type ^text/xml$ \
phase:1,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML
SecRule REQBODY_PROCESSOR "!^XML$" nolog,pass,skip:1
SecRule XML "<emphasis role="bold">@validateDTD /path/to/apache2/conf/xml.dtd</emphasis>"</programlisting>
</section>
@ -4056,12 +4065,13 @@ SecRule XML "<emphasis role="bold">@validateDTD /path/to/apache2/conf/xml.dtd</e
<title><literal>validateSchema</literal></title>
<para><emphasis role="bold">Description:</emphasis> This operator
requires request body to be processed as XML.</para>
requires the request body to be processed as XML.</para>
<para>Example:</para>
<programlisting format="linespecific">SecDefaultAction log,deny,status:403,phase:2
SecRule REQUEST_HEADERS:Content-Type ^text/xml$ phase:1,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML
SecRule REQUEST_HEADERS:Content-Type ^text/xml$ \
phase:1,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML
SecRule REQBODY_PROCESSOR "!^XML$" nolog,pass,skip:1
SecRule XML "<emphasis role="bold">@validateSchema /path/to/apache2/conf/xml.xsd</emphasis>"</programlisting>