github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-09-29 19:24:29 +03:00
Code Issues Packages Projects Releases Wiki Activity

Merge 2.5.x (2.5.12) changes into trunk.

Browse Source
This commit is contained in:
b1v1r
2010-02-05 19:05:20 +00:00
parent ed11e27e0f
commit 08edc0c26f
54 changed files with 3170 additions and 330 deletions
Download Patch File Download Diff File Expand all files Collapse all files

200
doc/modsecurity2-apache-reference.xml
View File

@@ -4,9 +4,9 @@
<article>
<title><trademark class="registered">ModSecurity</trademark> Reference Manual</title>
<articleinfo>
<releaseinfo>Version 2.6.0-trunk (Nov 12, 2009)</releaseinfo>
<releaseinfo>Version 2.6.0-trunk (Feb 3, 2009)</releaseinfo>
<copyright>
<year>2004-2009</year>
<year>2004-2010</year>
<holder>Breach Security, Inc. (<ulink url="http://www.breach.com"
>http://www.breach.com</ulink>)</holder>
</copyright>
@@ -218,10 +218,11 @@
central repository, then you will also need the curl library.</para>
<para><ulink type="" url="http://curl.haxx.se/libcurl/"
>http://curl.haxx.se/libcurl/</ulink></para>
<note>
<para>Many have had issues with libcurl linked with the GnuTLS library for SSL/TLS
support. It is recommended that the openssl library be used for SSL/TLS support in
libcurl.</para>
<para>Many have had issues with libcurl linked with the GnuTLS
library for SSL/TLS support. It is recommended that the openssl
library be used for SSL/TLS support in libcurl.</para>
</note>
</listitem>
</orderedlist>
@@ -999,6 +1000,61 @@ SecRule &amp;REQUEST_HEADERS:Accept "@eq 0" \
SecMarker 99</emphasis></programlisting>
</para>
</section>
<section>
<title><literal>SecPcreMatchLimit</literal></title>
<para><emphasis>Description:</emphasis>Sets the the match limit in the
PCRE library. See the pcre_extra field in the pcreapi man page.</para>
<para><emphasis>Syntax:</emphasis> <literal
moreinfo="none">SecPcreMatchLimit value</literal></para>
<para><emphasis>Example Usage:</emphasis> <literal
moreinfo="none">SecPcreMatchLimit 1500</literal></para>
<para><emphasis>Processing Phase:</emphasis> N/A</para>
<para><emphasis>Scope:</emphasis> Global</para>
<para><emphasis>Version:</emphasis> 2.5.12</para>
<para><emphasis>Dependencies/Notes:</emphasis> Default is set at compile
(1500 by default)</para>
<para>The <literal>--enable-pcre-match-limit=val</literal> configure
option will set a custom default and the
<literal>--disable-pcre-match-limit</literal> option will resort to the
compiled PCRE library default.</para>
</section>
<section>
<title><literal>SecPcreMatchLimitRecursion</literal></title>
<para><emphasis>Description:</emphasis>Sets the the match limit
recursion in the PCRE library. See the pcre_extra field in the pcreapi
man page.</para>
<para><emphasis>Syntax:</emphasis> <literal
moreinfo="none">SecPcreMatchLimitRecursion value</literal></para>
<para><emphasis>Example Usage:</emphasis> <literal
moreinfo="none">SecPcreMatchLimitRecursion 1500</literal></para>
<para><emphasis>Processing Phase:</emphasis> N/A</para>
<para><emphasis>Scope:</emphasis> Global</para>
<para><emphasis>Version:</emphasis> 2.5.12</para>
<para><emphasis>Dependencies/Notes:</emphasis> Default is set at compile
(1500 by default)</para>
<para>The <literal>--enable-pcre-match-limit-recursion=val</literal>
configure option will set a custom default and the
<literal>--disable-pcre-match-limit-recursion</literal> option will
resort to the compiled PCRE library default.</para>
</section>
<section>
<title><literal>SecPdfProtect</literal></title>
<para><emphasis>Description:</emphasis> Enables the PDF XSS protection functionality. Once
@@ -1670,6 +1726,42 @@ SecRuleUpdateActionById 12345 "t:compressWhitespace,deny,status:403,msg:'A new m
as the temporary directory defined with <literal moreinfo="none">SecTmpDir</literal>. This
directive is used with <literal>SecUploadKeepFiles</literal>.</para>
</section>
<section>
<title><literal>SecUploadFileLimit</literal></title>
<para><emphasis>Description:</emphasis> Configures the maximum number of
file uploads processed in a multipart POST.</para>
<para><emphasis>Syntax:</emphasis> <literal
moreinfo="none">SecUploadFileLimit number</literal></para>
<para><emphasis>Example Usage:</emphasis> <literal
moreinfo="none">SecUploadFileLimit 10</literal></para>
<para><emphasis>Processing Phase:</emphasis> N/A</para>
<para><emphasis>Scope:</emphasis> Any</para>
<para><emphasis>Version:</emphasis> 2.5.12</para>
<para><emphasis>Dependencies/Notes:</emphasis> The default is set to 100
files, but you are encouraged to reduce this value. Any file over the
limit will not be extracted and the <literal
moreinfo="none">MULTIPART_FILE_LIMIT_EXCEEDED</literal> and <literal
moreinfo="none">MULTIPART_STRICT_ERROR</literal> flags will be set. To
prevent bypassing any file checks, you must check for one of these
flags.</para>
<note>
<para>If the limit is exceeded, the part name and file name will still
be recorded in <literal moreinfo="none">FILES_NAME</literal> and
<literal moreinfo="none">FILES</literal>, the file size will be
recorded in <literal moreinfo="none">FILES_SIZES</literal>, but there
will be no record in <literal moreinfo="none">FILES_TMPNAMES</literal>
as a temporary file was not created.</para>
</note>
</section>
<section>
<title><literal>SecUploadFileMode</literal></title>
<para><emphasis>Description:</emphasis> Configures the mode (permissions) of any uploaded
@@ -2111,19 +2203,30 @@ SecRule ARGS "@pm some key words" id:12345,deny,status:500</programlisting>
</section>
<section>
<title><literal>MULTIPART_STRICT_ERROR</literal></title>
<para><literal>MULTIPART_STRICT_ERROR</literal> will be set to <literal>1</literal> when any
of the following variables is also set to <literal>1</literal>: <literal
>REQBODY_PROCESSOR_ERROR</literal>, <literal>MULTIPART_BOUNDARY_QUOTED</literal>, <literal
>MULTIPART_BOUNDARY_WHITESPACE</literal>, <literal>MULTIPART_DATA_BEFORE</literal>,
<literal>MULTIPART_DATA_AFTER</literal>, <literal>MULTIPART_HEADER_FOLDING</literal>,
<literal>MULTIPART_LF_LINE</literal>, <literal>MULTIPART_SEMICOLON_MISSING</literal>
<literal>MULTIPART_INVALID_QUOTING</literal>. Each of these variables covers one unusual
(although sometimes legal) aspect of the request body in <literal>multipart/form-data
format</literal>. Your policies should <emphasis>always</emphasis> contain a rule to check
either this variable (easier) or one or more individual variables (if you know exactly what
you want to accomplish). Depending on the rate of false positives and your default policy
you should decide whether to block or just warn when the rule is triggered.</para>
<para>The best way to use this variable is as in the example below:</para>
<para><literal>MULTIPART_STRICT_ERROR</literal> will be set to
<literal>1</literal> when any of the following variables is also set to
<literal>1</literal>: <literal>REQBODY_PROCESSOR_ERROR</literal>,
<literal>MULTIPART_BOUNDARY_QUOTED</literal>,
<literal>MULTIPART_BOUNDARY_WHITESPACE</literal>,
<literal>MULTIPART_DATA_BEFORE</literal>,
<literal>MULTIPART_DATA_AFTER</literal>,
<literal>MULTIPART_HEADER_FOLDING</literal>,
<literal>MULTIPART_LF_LINE</literal>,
<literal>MULTIPART_SEMICOLON_MISSING</literal>
<literal>MULTIPART_INVALID_QUOTING</literal>
<literal>MULTIPART_INVALID_HEADER_FOLDING</literal>
<literal>MULTIPART_FILE_LIMIT_EXCEEDED</literal>. Each of these
variables covers one unusual (although sometimes legal) aspect of the
request body in <literal>multipart/form-data format</literal>. Your
policies should <emphasis>always</emphasis> contain a rule to check
either this variable (easier) or one or more individual variables (if
you know exactly what you want to accomplish). Depending on the rate of
false positives and your default policy you should decide whether to
block or just warn when the rule is triggered.</para>
<para>The best way to use this variable is as in the example
below:</para>
<programlisting>SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Multipart request body \
failed strict validation: \
@@ -2135,7 +2238,9 @@ DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_SEMICOLON_MISSING}, \
IQ %{MULTIPART_INVALID_QUOTING}'"</programlisting>
IQ %{MULTIPART_INVALID_QUOTING}, \
IQ %{MULTIPART_INVALID_HEADER_FOLDING}, \
FE %{MULTIPART_FILE_LIMIT_EXCEEDED}'"</programlisting>
<para>The <literal>multipart/form-data</literal> parser was upgraded in ModSecurity v2.1.3 to
actively look for signs of evasion. Many variables (as listed above) were added to expose
various facts discovered during the parsing process. The <literal
@@ -2570,6 +2675,21 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}</programlisting>
using the <literal moreinfo="none">@rx</literal> operator with capturing parens and the
<literal moreinfo="none">capture</literal> action.</para>
</listitem>
<listitem>
<para><literal moreinfo="none">TX:MSC_.*</literal> - ModSecurity
processing flags.</para>
<itemizedlist>
<listitem>
<para><literal
moreinfo="none">MSC_PCRE_LIMITS_EXCEEDED</literal> - Set
non-zero if PCRE match limits are exceeded. See <literal
moreinfo="none">SecPcreMatchLimit</literal> and <literal
moreinfo="none">SecPcreMatchLimitRecursion</literal>.</para>
</listitem>
</itemizedlist>
</listitem>
</itemizedlist>
<programlisting format="linespecific">SecRule WEBSERVER_ERROR_LOG "does not exist" "phase:5,pass,<emphasis>setvar:tx.score=+5</emphasis>"
SecRule<emphasis> TX:SCORE</emphasis> "@gt 20" deny,log</programlisting>
@@ -3256,7 +3376,7 @@ setvar:session.suspicious=1,<emphasis>expirevar:session.suspicious=3600</emphasi
<para>430,000-699,999; unused (available for reservation).</para>
</listitem>
<listitem>
<para>700,000-799,999; reserved for Ivan Ristic.</para>
<para>700,000-799,999; reserved for Ivan Ristic.</para>
</listitem>
<listitem>
@@ -3731,6 +3851,9 @@ SecRule ARGS:route "!<emphasis>@endsWith %{REQUEST_ADDR}</emphasis>" t:none,deny
"equal to."</para>
<para>Example:</para>
<programlisting format="linespecific">SecRule &amp;REQUEST_HEADERS_NAMES "<emphasis>@eq</emphasis> 15"</programlisting>
<para>Macro expansion is performed so you may use variable names such as
<literal>%{TX.1}</literal>, etc.</para>
</section>
<section>
<title><literal>ge</literal></title>
@@ -3738,6 +3861,9 @@ SecRule ARGS:route "!<emphasis>@endsWith %{REQUEST_ADDR}</emphasis>" t:none,deny
"greater than or equal to."</para>
<para>Example:</para>
<programlisting format="linespecific">SecRule &amp;REQUEST_HEADERS_NAMES "<emphasis>@ge</emphasis> 15"</programlisting>
<para>Macro expansion is performed so you may use variable names such as
<literal>%{TX.1}</literal>, etc.</para>
</section>
<section>
<title><literal>geoLookup</literal></title>
@@ -3766,6 +3892,9 @@ SecRule &amp;GEO "@eq 0" "deny,status:403,msg:'Failed to lookup IP'"</programlis
"greater than."</para>
<para>Example:</para>
<programlisting format="linespecific">SecRule &amp;REQUEST_HEADERS_NAMES "<emphasis>@gt</emphasis> 15"</programlisting>
<para>Macro expansion is performed so you may use variable names such as
<literal>%{TX.1}</literal>, etc.</para>
</section>
<section>
<title><literal>inspectFile</literal></title>
@@ -3800,6 +3929,9 @@ end</programlisting>
"less than or equal to."</para>
<para>Example:</para>
<programlisting format="linespecific">SecRule &amp;REQUEST_HEADERS_NAMES "<emphasis>@le</emphasis> 15"</programlisting>
<para>Macro expansion is performed so you may use variable names such as
<literal>%{TX.1}</literal>, etc.</para>
</section>
<section>
<title><literal>lt</literal></title>
@@ -3807,6 +3939,9 @@ end</programlisting>
"less than."</para>
<para>Example:</para>
<programlisting format="linespecific">SecRule &amp;REQUEST_HEADERS_NAMES "<emphasis>@lt</emphasis> 15"</programlisting>
<para>Macro expansion is performed so you may use variable names such as
<literal>%{TX.1}</literal>, etc.</para>
</section>
<section>
<title><literal>pm</literal></title>
@@ -3827,15 +3962,34 @@ end</programlisting>
<para>Notes:</para>
<orderedlist continuation="restarts" inheritnum="ignore">
<listitem>
<para>The contents of the files should be one phrase per line. End of line markers will be
stripped from the phrases, however, whitespace will not be trimmed from phrases in the
file. Empty lines and comment lines (beginning with a '#') are ignored.</para>
<para>The contents of the files should be one phrase per line. End
of line markers will be stripped from the phrases (LF and CRLF), and
whitespace is trimmed from both sides of the phrases. Empty lines
and comment lines (beginning with a '#') are ignored.</para>
</listitem>
<listitem>
<para>To allow easier inclusion of phrase files with rulesets, relative paths may be used
to the phrase files. In this case, the path of the file containing the rule is prepended
to the phrase file path.</para>
</listitem>
<listitem>
<para>To allow easier matching of whole IP addresses, you can add
boundary characters to the phrases. For example, use "/1.2.3.4/"
instead of "1.2.3.4". You can then insert these characters into the
target prior to a match:</para>
<programlisting format="linespecific">SecAction "phase:1,pass,nolog,setvar:tx.remote_addr=/%{REMOTE_ADDR}/"
SecRule TX:REMOTE_ADDR "<emphasis>@pmFromFile ip-blacklist.txt</emphasis>" "deny,status:403
# ip-blacklist.txt contents:
# NOTE: All IPs must be prefixed/suffixed with "/" as the rules
# will add in this character as a boundary to ensure
# the entire IP is matched.
# SecAction "phase:1,pass,nolog,setvar:tx.remote_addr='/%{REMOTE_ADDR}/'"
/1.2.3.4/
/5.6.7.8/</programlisting>
</listitem>
</orderedlist>
<para>Example:</para>
<programlisting format="linespecific">SecRule REQUEST_HEADERS:User-Agent "<emphasis>@pm</emphasis> /path/to/blacklist1 blacklist2" "deny,status:403</programlisting>