Retag 2.1.2 with some doc changes.

brectanus
2007-08-02 21:01:46 +00:00
2 changed files with 321 additions and 266 deletions


@@ -1,6 +1,8 @@
27 July 2007 - 2.1.2
--------------------
* Cleaned up and clarified some documentation.
* Update included core rules to latest version (1.4.3).
* Enhanced ability to alert/audit failed requests.

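Review bot: the CHANGES entry keeps the "27 July 2007 - 2.1.2" date and version while this commit (2 August 2007, "Retag 2.1.2") changes what the tag points at; a re-cut tag ships different bytes under an identical version, so mirrors and checksums of the earlier 2.1.2 tarball will no longer agree. Consider bumping the version, or at least adding a line under this entry saying the tag was re-cut and why. The new "Cleaned up and clarified some documentation." line also does not cover the fact that the install instructions in the same commit stop treating libxml2 as optional.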

@@ -16,15 +16,15 @@
<section id="01-introduction">
<title>Introduction</title>
<para><trademark class="trade">ModSecurity</trademark>is a web application
firewall (WAF). With over 70% of all attacks now carried out over the web
application level, organisations need every help they can get in making
their systems secure. WAFs are deployed to establish an external security
layer that increases security, detects, and prevents attacks before they
reach web applications. It provides protection from a range of attacks
against web applications and allows for HTTP traffic monitoring and
real-time analysis with little or no changes to existing
infrastructure._err</para>
<para><trademark class="trade">ModSecurity</trademark> is a web
application firewall (WAF). With over 70% of all attacks now carried out
over the web application level, organisations need every help they can get
in making their systems secure. WAFs are deployed to establish an external
security layer that increases security, detects, and prevents attacks
before they reach web applications. It provides protection from a range of
attacks against web applications and allows for HTTP traffic monitoring
and real-time analysis with little or no changes to existing
infrastructure.</para>
<section>
<title>HTTP Traffic Logging</title>
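Review bot: the "over 70% of all attacks" figure in the rewritten introduction has no source; either cite one or soften it to "a large share of attacks". The rewrite otherwise correctly restores the missing space after the `<trademark>` element and drops the stray "_err" fragment that ended the old paragraph.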
@@ -197,8 +197,8 @@
which are in most cases custom coded. The Core Rules are heavily
commented to allow it to be used as a step-by-step deployment guide for
ModSecurity. The latest Core Rules can be found at the ModSecurity
website - <link
linkend="http://www.modsecurity.org/projects/rules/">http://www.modsecurity.org/projects/rules/</link>.</para>
website - <ulink
url="http://www.modsecurity.org/projects/rules/">http://www.modsecurity.org/projects/rules/</ulink>.</para>
</section>
<section>
@@ -297,8 +297,8 @@
</listitem>
<listitem>
<para>(Optional) Install the latest version of libxml2, if it isn't
already installed on the server.</para>
<para>Install the latest version of libxml2, if it isn't already
installed on the server.</para>
</listitem>
<listitem>
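Review bot: dropping "(Optional)" makes libxml2 a hard prerequisite, which is a dependency change and should be recorded in CHANGES (the 2.1.2 entry in this commit only mentions documentation cleanup). "The latest version" is also not a testable requirement; state the minimum libxml2 version the build is known to work with.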
@@ -315,10 +315,8 @@
</listitem>
<listitem>
<para>(Optional) Edit Makefile to enable ModSecurity to use libxml2
(uncomment line<literal moreinfo="none"> DEFS =
-DWITH_LIBXML2</literal>) and configure the include path (for example:
<filename
<para>Edit Makefile to configure the correct include path for libxml
(for example: <filename
moreinfo="none">INCLUDES=-I/usr/include/libxml2</filename>)</para>
</listitem>
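Review bot: with the `DEFS = -DWITH_LIBXML2` step removed, the text should say whether that define is now set unconditionally in the shipped Makefile or no longer exists, since a reader following the old instructions may still have it commented out. The `INCLUDES=-I/usr/include/libxml2` example is Linux-specific; mention `xml2-config --cflags` as the portable way to obtain the include path.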
@@ -435,11 +433,9 @@
moreinfo="none">SecAction
nolog,redirect:http://www.hostname.com</literal></para>
<para><emphasis role="bold"> <emphasis
role="bold">ProcessingPhase:</emphasis> </emphasis>Any</para>
<para><emphasis role="bold">ProcessingPhase:</emphasis> Any</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> None</para>
@@ -494,8 +490,7 @@
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> Can be
set/changed with the "ctl" action for the current transaction.</para>
@@ -503,8 +498,8 @@
<para>Example: The following example shows the various audit directives
used together.</para>
<programlisting format="linespecific"><emphasis role="bold">SecAuditEngine RelevantOnly
</emphasis>SecAuditLog logs/audit/audit.log
<programlisting format="linespecific"><emphasis role="bold">SecAuditEngine RelevantOnly</emphasis>
SecAuditLog logs/audit/audit.log
SecAuditLogParts ABCFHZ
SecAuditLogType concurrent
SecAuditLogStorageDir logs/audit
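Review bot: the example sets `SecAuditLog logs/audit/audit.log` and `SecAuditLogStorageDir logs/audit`, so the index file lives inside the concurrent storage directory. The notes further down in this file say the main log is opened on startup while the server still runs as root, whereas the per-transaction files in the storage directory are written during request processing by the unprivileged child processes, so the two locations need different ownership. Keep them in separate paths in the example, or add a sentence about permissions next to it.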
@@ -547,8 +542,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> This file is
open on startup when the server typically still runs as<emphasis>
@@ -584,8 +578,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> A main audit
log must be defined via <literal moreinfo="none">SecAuditLog</literal>
@@ -624,16 +617,17 @@ SecAuditLogStorageDir logs/audit
<itemizedlist>
<listitem>
<para><literal moreinfo="none">A</literal> audit log header
<para><literal moreinfo="none">A</literal> – audit log header
(mandatory)</para>
</listitem>
<listitem>
<para><literal moreinfo="none">B</literal> request headers</para>
<para><literal moreinfo="none">B</literal> – request
headers</para>
</listitem>
<listitem>
<para><literal moreinfo="none">C</literal> request body (present
<para><literal moreinfo="none">C</literal> – request body (present
only if the request body exists and ModSecurity is configured to
intercept it)</para>
</listitem>
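Review bot: the reworded list items use a literal U+2013 en dash in the DocBook source. Unless the file's XML declaration specifies a UTF-8 encoding, the toolchain may reject or mis-render it; use `&#8211;` or the plain hyphen that the `I` item in this same list already uses ("I</literal> - This part").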
@@ -644,7 +638,7 @@ SecAuditLogStorageDir logs/audit
</listitem>
<listitem>
<para><literal moreinfo="none">E</literal> intermediary response
<para><literal moreinfo="none">E</literal> – intermediary response
body (present only if ModSecurity is configured to intercept
response bodies, and if the audit log engine is configured to record
it). Intermediary response body is the same as the actual response
@@ -655,14 +649,14 @@ SecAuditLogStorageDir logs/audit
</listitem>
<listitem>
<para><literal moreinfo="none">F</literal> final response headers
(excluding the Date and Server headers, which are always added by
Apache in the late stage of content delivery).</para>
<para><literal moreinfo="none">F</literal> – final response
headers (excluding the Date and Server headers, which are always
added by Apache in the late stage of content delivery).</para>
</listitem>
<listitem>
<para><literal moreinfo="none">G</literal> RESERVED for the actual
response body, not implemented yet.</para>
<para><literal moreinfo="none">G</literal> – RESERVED for the
actual response body, not implemented yet.</para>
</listitem>
<listitem>
@@ -673,13 +667,12 @@ SecAuditLogStorageDir logs/audit
<listitem>
<para><literal moreinfo="none">I</literal> - This part is a
replacement for part C. It will log the same data as C in all cases
except when<literal
moreinfo="none">multipart/form-data</literal>encoding in used. In
this case it will log a fake<literal moreinfo="none">
application/x-www-form-urlencoded</literal> body that contains the
information about parameters but not about the files. This is handy
if you don't want to have (often large) files stored in your audit
logs.</para>
except when<literal moreinfo="none">multipart/form-data</literal>
encoding in used. In this case it will log a fake <literal
moreinfo="none"> application/x-www-form-urlencoded</literal> body
that contains the information about parameters but not about the
files. This is handy if you don't want to have (often large) files
stored in your audit logs.</para>
</listitem>
<listitem>
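Review bot: the reflowed paragraph keeps the typo "encoding in used" (should be "encoding is used"), still lacks a space before `<literal` in "when<literal", and introduces a leading space inside `<literal moreinfo="none"> application/x-www-form-urlencoded</literal>` that will render as part of the literal. Fix all three while this paragraph is being touched.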
@@ -689,7 +682,7 @@ SecAuditLogStorageDir logs/audit
</listitem>
<listitem>
<para><literal moreinfo="none">Z</literal> final boundary,
<para><literal moreinfo="none">Z</literal> – final boundary,
signifies the end of the entry (mandatory)</para>
</listitem>
</itemizedlist>
@@ -710,8 +703,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> Must have the
SecAuditEngine set to RelevantOnly. The parameter is a regular
@@ -742,8 +734,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis>
SecAuditLogType must be set to Concurrent. The directory must already be
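Review bot: this note says SecAuditLogType must be set to `Concurrent`, while the worked example earlier in this file uses `SecAuditLogType concurrent`; pick one spelling, and if the value is case-sensitive say so explicitly.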
@@ -769,8 +760,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> Must specify
SecAuditLogStorageDir if you use concurrent logging.</para>
@@ -808,8 +798,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Main</para>
<para><emphasis role="bold">Scope:</emphasis> Main</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> The internal
chroot functionality provided by ModSecurity works great for simple
@@ -841,8 +830,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> None</para>
@@ -900,8 +888,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> None</para>
</section>
@@ -920,17 +907,15 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> Levels
<literal moreinfo="none">1</literal>-<literal moreinfo="none">3
</literal>are always sent to the Apache error log. Therefore you can
always use level<literal moreinfo="none"> 0 </literal>as the default
logging level in production. Level<literal moreinfo="none"> 5
</literal>is useful when debugging. It is not advisable to use higher
logging levels in production as excessive logging can slow down server
significantly.</para>
<literal moreinfo="none">1 - 3</literal> are always sent to the Apache
error log. Therefore you can always use level <literal
moreinfo="none">0</literal> as the default logging level in production.
Level <literal moreinfo="none">5</literal> is useful when debugging. It
is not advisable to use higher logging levels in production as excessive
logging can slow down server significantly.</para>
<para>Possible values are:</para>
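Review bot: "slow down server significantly" is missing the article ("slow down the server"), and `1 - 3` with spaces reads like an expression; `1-3` or "1 to 3" is clearer. It is also worth spelling out what level 0 means: since levels 1-3 always reach the Apache error log, level 0 is not "no logging", which is the reason it is safe as the production default.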
@@ -985,8 +970,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> Any</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> Rules
following a SecDefaultAction directive will inherit this setting unless
@@ -1019,8 +1003,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Main</para>
<para><emphasis role="bold">Scope:</emphasis> Main</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> By default
httpd-guardian will defend against clients that send more 120 requests
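Review bot: the context line "clients that send more 120 requests" is missing "than"; since this paragraph is already part of the diff, fix it here.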
@@ -1035,17 +1018,16 @@ SecAuditLogStorageDir logs/audit
<para>Development of a state of the art external protection tool will be
a focus of subsequent ModSecurity releases. However, a fully functional
tool is already available as part of the Apache httpd tools project
(<link
linkend="http://www.apachesecurity.net/tools/">http://www.apachesecurity.net/tools/</link>).
The tool is called httpd-guardian and can be used to defend against
Denial of Service attacks. It uses the blacklist tool (from the same
project) to interact with an iptables-based (Linux) or pf-based (*BSD)
firewall, dynamically blacklisting the offending IP addresses. It can
also interact with SnortSam (http://www.snortsam.net). Assuming
httpd-guardian is already configured (look into the source code for the
detailed instructions) you only need to add one line to your Apache
configuration to deploy it:</para>
tool is already available as part of the <ulink type=""
url="http://www.apachesecurity.net/tools/">Apache httpd tools
project</ulink>. The tool is called httpd-guardian and can be used to
defend against Denial of Service attacks. It uses the blacklist tool
(from the same project) to interact with an iptables-based (Linux) or
pf-based (*BSD) firewall, dynamically blacklisting the offending IP
addresses. It can also interact with SnortSam (http://www.snortsam.net).
Assuming httpd-guardian is already configured (look into the source code
for the detailed instructions) you only need to add one line to your
Apache configuration to deploy it:</para>
<programlisting format="linespecific">SecGuardianLog |/path/to/httpd-guardian</programlisting>
</section>
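Review bot: the new `<ulink type="" url=...>` carries an empty `type` attribute that adds nothing; drop it. The SnortSam reference in the same paragraph is still a bare URL in parentheses while the apachesecurity.net link became a ulink; convert it as well for consistency.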
@@ -1065,8 +1047,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> This
directive is required if you plan to inspect POST_PAYLOADS of requests.
@@ -1104,8 +1085,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> 131072 KB
(134217728 bytes) is the default setting. Anything over this limit will
@@ -1128,8 +1108,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> None</para>
@@ -1153,8 +1132,7 @@ SecRequestBodyInMemoryLimit 131072</programlisting>
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> Anything over
this limit will be rejected with status code 500 Internal Server Error.
@@ -1183,8 +1161,7 @@ SecResponseBodyLimit 524288</programlisting>
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis>
Multiple<literal moreinfo="none"> SecResponseBodyMimeType</literal>
@@ -1213,8 +1190,7 @@ SecResponseBodyLimit 524288</programlisting>
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> None</para>
</section>
@@ -1233,8 +1209,7 @@ SecResponseBodyLimit 524288</programlisting>
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> This
directive is required if you plan to inspect html responses. This
@@ -1272,8 +1247,7 @@ SecResponseBodyLimit 524288</programlisting>
<para><emphasis role="bold">Processing Phase:</emphasis> Any</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> None</para>
@@ -1321,8 +1295,8 @@ SecResponseBodyLimit 524288</programlisting>
<para>In the simplest possible case you will use a regular expression
pattern as the second rule parameter. This is what we've done in the
examples above. If you do this ModSecurity assumes you want to use
the<literal moreinfo="none"> rx </literal>operator. You can explicitly
examples above. If you do this ModSecurity assumes you want to use the
<literal moreinfo="none">rx</literal> operator. You can explicitly
specify the operator you want to use by using <literal
moreinfo="none">@</literal> as the first character in the second rule
parameter:</para>
@@ -1372,8 +1346,7 @@ SecResponseBodyLimit 524288</programlisting>
<para><emphasis role="bold">Processing Phase:</emphasis> Any</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis>
Resource-specific contexts (e.g.<literal moreinfo="none">
@@ -1405,8 +1378,7 @@ SecDefaultAction log,deny,phase:1,redirect:http://www.site2.com
&lt;VirtualHost *:80&gt;
ServerName app2.com
ServerAlias www.app2.com
<emphasis role="bold">SecRuleInheritance On
</emphasis>SecRule ARGS "attack"
<emphasis role="bold">SecRuleInheritance On</emphasis> SecRule ARGS "attack"
...
&lt;/VirtualHost&gt;</programlisting>
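Review bot: the new version of the VirtualHost example folds `SecRuleInheritance On` and `SecRule ARGS "attack"` onto a single line inside the `<programlisting>`, which is not valid Apache configuration (one directive per line) and will be copied verbatim by readers. Keep the line break: close the `<emphasis>` after `On` and put `SecRule ARGS "attack"` on the following line.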
@@ -1439,8 +1411,7 @@ ServerAlias www.app2.com
<para><emphasis role="bold">Processing Phase:</emphasis> Any</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> Thisdirective
can also be controled by the ctl action (ctl:ruleEngine=off) for per
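Review bot: the context lines carry "Thisdirective" (missing space) and "controled" (should be "controlled"); fix them while this block is being edited.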
@@ -1480,8 +1451,7 @@ ServerAlias www.app2.com
<para><emphasis role="bold">Processing Phase:</emphasis> Any</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> This
directive supports multiple parameters, where each parameter can either
@@ -1505,8 +1475,7 @@ ServerAlias www.app2.com
<para><emphasis role="bold">Processing Phase:</emphasis> Any</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> This
directive supports multiple parameters. Each parameter is a regular
@@ -1531,8 +1500,7 @@ ServerAlias www.app2.com
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Main</para>
<para><emphasis role="bold">Scope:</emphasis> Main</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> In order for
this directive to work, you must set the Apache ServerTokens directive
@@ -1556,8 +1524,7 @@ ServerAlias www.app2.com
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> Needs to be
writable by the Apache user process. This is the directory location
@@ -1580,8 +1547,7 @@ ServerAlias www.app2.com
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> This
directory must be on the same filesystem as the temporary directory
@@ -1604,8 +1570,7 @@ ServerAlias www.app2.com
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> This
directive requires the storage directory to be defined (using <literal
@@ -1646,8 +1611,7 @@ ServerAlias www.app2.com
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> Partitions
are used to avoid collisions between session IDs and user IDs. This
@@ -1744,7 +1708,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
<programlisting format="linespecific">SecDefaultAction "log,pass,<emphasis
role="bold">phase:2</emphasis>"
SecRule HTTP_Host "!^$" "deny,<emphasis role="bold">phase:1</emphasis>"</programlisting>
SecRule REQUEST_HEADERS:Host "!^$" "deny,<emphasis role="bold">phase:1</emphasis>"</programlisting>
<para><emphasis role="bold">Note on Rule and Phases</emphasis></para>
@@ -1794,7 +1758,7 @@ SecRule HTTP_Host "!^$" "deny,<emphasis role="bold">phase:1</emphasis>"</program
</listitem>
<listitem>
<para>multipart/form-data used for file transfers</para>
<para>multipart/form-data – used for file transfers</para>
</listitem>
<listitem>
@@ -1816,8 +1780,8 @@ SecRule HTTP_Host "!^$" "deny,<emphasis role="bold">phase:1</emphasis>"</program
not be able to be triggered as expected. Additionally, there are some
response headers that are added by Apache at a later hook (such as Date,
Server and Connection) that we would not be able to trigger on or
sanitize. This should work appropirately in a proxy setup
however.</para>
sanitize. This should work appropirately in a proxy setup or within
phase:5 (logging).</para>
</section>
<section>
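Review bot: the typo "appropirately" survives in the new line; it should be "appropriately". The added "or within phase:5 (logging)" also needs a qualifier: the phase:5 section of this manual says you cannot deny or block there, so say that phase:5 lets you inspect and log these late headers, not act on them.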
@@ -1836,8 +1800,9 @@ SecRule HTTP_Host "!^$" "deny,<emphasis role="bold">phase:1</emphasis>"</program
<para>This phase is run just before logging takes place. The rules
placed into this phase can only affect how the logging is performed.
This phase can be used to inspect the error messages logged by Apache.
You can not deny/block connections in this phase as it is too
late.</para>
You can not deny/block connections in this phase as it is too late. This
phase also allows for inspection of other response headers that weren't
available during phase:3 or phase:4.</para>
</section>
</section>
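Review bot: "can not" should be "cannot", and "other response headers that weren't available during phase:3 or phase:4" is vague; name them (Date, Server, Connection and Content-Type, as listed in the RESPONSE_HEADERS note changed in this same commit) so the reader knows which headers to expect only in phase:5.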
@@ -1857,23 +1822,23 @@ SecRule HTTP_Host "!^$" "deny,<emphasis role="bold">phase:1</emphasis>"</program
invocations against the operator if argument p does not exist. Some
variables are actually collections, which are expanded into more
variables at runtime. The following example will examine all request
arguments:<programlisting format="linespecific">SecRule ARGS dirty</programlisting>Sometimes,
however, you will want to look only at parts of a collection. This can
be achieved with the help of the <emphasis>selection
arguments:<programlisting format="linespecific">SecRule ARGS dirty</programlisting>
Sometimes, however, you will want to look only at parts of a collection.
This can be achieved with the help of the <emphasis>selection
operator</emphasis>(colon). The following example will only look at the
arguments named<literal moreinfo="none"> p</literal> (do note that, in
general, requests can contain multiple arguments with the same name):
<programlisting format="linespecific">SecRule ARGS:p dirty</programlisting>It
is also possible to specify exclusions. The following will examine all
request arguments for the word<emphasis> dirty</emphasis>, except the
ones named<literal moreinfo="none"> z </literal>(again, there can be
<programlisting format="linespecific">SecRule ARGS:p dirty</programlisting>
It is also possible to specify exclusions. The following will examine
all request arguments for the word<emphasis> dirty</emphasis>, except
the ones named <literal moreinfo="none">z</literal> (again, there can be
zero or more arguments named<literal moreinfo="none"> z</literal>):
<programlisting format="linespecific">SecRule ARGS|!ARGS:z dirty</programlisting>There
is a special operator that allows you to count how many variables there
are in a collection. The following rule will trigger if there is more
than zero arguments in the request (ignore the second parameter for the
time being): <programlisting format="linespecific">SecRule &amp;ARGS !^0$</programlisting>And
sometimes you need to look at an array of parameters, each with a
<programlisting format="linespecific">SecRule ARGS|!ARGS:z dirty</programlisting>
There is a special operator that allows you to count how many variables
there are in a collection. The following rule will trigger if there is
more than zero arguments in the request (ignore the second parameter for
the time being): <programlisting format="linespecific">SecRule &amp;ARGS !^0$</programlisting>
And sometimes you need to look at an array of parameters, each with a
slightly different name. In this case you can specify a regular
expression in the selection operator itself. The following rule will
look into all arguments whose names begin with <literal
@@ -2021,7 +1986,8 @@ SecRule <emphasis role="bold">ENV:tag</emphasis> "suspicious"</programlisting>
<title><literal moreinfo="none">QUERY_STRING</literal></title>
<para>This variable holds form data passed to the script/handler by
appending data after a question mark. Example:</para>
appending data after a question mark. Warning: Not URL-decoded.
Example:</para>
<programlisting format="linespecific">SecRule <emphasis role="bold">QUERY_STRING</emphasis> "attack"</programlisting>
</section>
@@ -2173,8 +2139,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
<title><literal moreinfo="none">REQUEST_FILENAME</literal></title>
<para>This variable holds the relative REQUEST_URI minus the
QUERY_STRING part (e.g. /index.php). Warning: not urlDecoded.
Example:</para>
QUERY_STRING part (e.g. /index.php). Example:</para>
<programlisting format="linespecific">SecRule <emphasis role="bold">REQUEST_FILENAME</emphasis> "^/cgi-bin/login\.php$"</programlisting>
</section>
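Review bot: the "not URL-decoded" warning moves from REQUEST_FILENAME to QUERY_STRING, which reads as a statement that REQUEST_FILENAME is now decoded. If that is a documentation correction rather than a behaviour change, say so explicitly in the REQUEST_FILENAME text, because the example rule `"^/cgi-bin/login\.php$"` either does or does not match a request for `/cgi-bin/login%2Ephp` depending on it, and rule authors need to know whether to add the urlDecode transformation. If it is a behaviour change, it belongs in CHANGES.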
@@ -2300,10 +2265,10 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
<para><emphasis role="bold">Note</emphasis></para>
<para>This variable may not have access to some headers when running in
embedded-mode. Headers such as Server, Date and Connection are added
during a later Apache hook just prior to sending the data to the client.
This data should be available, however, when running in
proxy-mode.</para>
embedded-mode. Headers such as Server, Date, Connection and Content-Type
are added during a later Apache hook just prior to sending the data to
the client. This data should be available, however, either during
ModSecurity phase:5 (logging) or when running in proxy-mode.</para>
</section>
<section>
@@ -2660,6 +2625,72 @@ SecRule REQBODY_PROCESSOR "<emphasis role="bold">!^XML$</emphasis>" skip:2
SecRule <emphasis role="bold">XML:/employees/employee/name/text()</emphasis> Fred
SecRule <emphasis role="bold">XML:/xq:employees/employee/name/text()</emphasis> Fred \
xmlns:xq=http://www.example.com/employees</programlisting>
<para>The first XPath expression does not use namespaces. It would match
against payload such as this one:</para>
<programlisting>&lt;employees&gt;
&lt;employee&gt;
&lt;name&gt;Fred Jones&lt;/name&gt;
&lt;address location="home"&gt;
&lt;street&gt;900 Aurora Ave.&lt;/street&gt;
&lt;city&gt;Seattle&lt;/city&gt;
&lt;state&gt;WA&lt;/state&gt;
&lt;zip&gt;98115&lt;/zip&gt;
&lt;/address&gt;
&lt;address location="work"&gt;
&lt;street&gt;2011 152nd Avenue NE&lt;/street&gt;
&lt;city&gt;Redmond&lt;/city&gt;
&lt;state&gt;WA&lt;/state&gt;
&lt;zip&gt;98052&lt;/zip&gt;
&lt;/address&gt;
&lt;phone location="work"&gt;(425)555-5665&lt;/phone&gt;
&lt;phone location="home"&gt;(206)555-5555&lt;/phone&gt;
&lt;phone location="mobile"&gt;(206)555-4321&lt;/phone&gt;
&lt;/employee&gt;
&lt;/employees&gt;</programlisting>
<para>The second XPath expression does use namespaces. It would match
the following payload:</para>
<programlisting>&lt;xq:employees xmlns:xq="http://www.example.com/employees"&gt;
&lt;employee&gt;
&lt;name&gt;Fred Jones&lt;/name&gt;
&lt;address location="home"&gt;
&lt;street&gt;900 Aurora Ave.&lt;/street&gt;
&lt;city&gt;Seattle&lt;/city&gt;
&lt;state&gt;WA&lt;/state&gt;
&lt;zip&gt;98115&lt;/zip&gt;
&lt;/address&gt;
&lt;address location="work"&gt;
&lt;street&gt;2011 152nd Avenue NE&lt;/street&gt;
&lt;city&gt;Redmond&lt;/city&gt;
&lt;state&gt;WA&lt;/state&gt;
&lt;zip&gt;98052&lt;/zip&gt;
&lt;/address&gt;
&lt;phone location="work"&gt;(425)555-5665&lt;/phone&gt;
&lt;phone location="home"&gt;(206)555-5555&lt;/phone&gt;
&lt;phone location="mobile"&gt;(206)555-4321&lt;/phone&gt;
&lt;/employee&gt;
&lt;/xq:employees&gt;</programlisting>
<para>Note the different namespace used in the second example.</para>
<para>To learn more about XPath we suggest the following
resources:</para>
<orderedlist>
<listitem>
<para><ulink url="http://www.w3.org/TR/xpath">XPath
Standard</ulink></para>
</listitem>
<listitem>
<para><ulink
url="http://www.zvon.org/xxl/XPathTutorial/General/examples.html">XPath
Tutorial</ulink></para>
</listitem>
</orderedlist>
</section>
</section>
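Review bot: the two new `<programlisting>` blocks omit the `format="linespecific"` attribute used on every other listing in this file; add it for consistent rendering. It is also worth stating the consequence of the namespace difference rather than just "Note the different namespace used in the second example": the first XPath (`/employees/...`) does not match the namespaced payload and the second (`/xq:employees/...`) does not match the plain one, so a rule that checks only the un-prefixed path is silent on a namespaced document of the same shape. Readers writing XML inspection rules should cover both forms.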
@@ -2774,7 +2805,7 @@ SecRule <emphasis role="bold">XML:/xq:employees/employee/name/text()</emphasis>
</listitem>
<listitem>
<para><literal moreinfo="none">&amp;nbs</literal>p and <literal
<para><literal moreinfo="none">&amp;nbsp</literal> and <literal
moreinfo="none">&amp;nbsp;</literal></para>
</listitem>
@@ -2873,9 +2904,11 @@ SecRule <emphasis role="bold">XML:/xq:employees/employee/name/text()</emphasis>
<title><literal>urlDecodeUni</literal></title>
<para>In addition to decoding %xx like <literal
moreinfo="none">urlDecode, urlDecodeUni also </literal>decodes<literal
moreinfo="none"> <literal>%uXXXX</literal> </literal>encoding (only the
lower byte will be used, the higher byte will be discarded).</para>
moreinfo="none">urlDecode, urlDecodeUni</literal> also decodes <literal
moreinfo="none">%uXXXX</literal> encoding. If the code is in the range
of FF01-FF5E (the full width ASCII codes), then the higher byte is used
to detect and adjust the lower byte. Otherwise, only the lower byte will
be used and the higher byte zeroed.</para>
</section>
<section>
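Review bot: "the higher byte is used to detect and adjust the lower byte" is too vague for a decoding rule that affects evasion handling; state the mapping, i.e. that `%uFF01`-`%uFF5E` (the full-width ASCII forms) are converted to the corresponding ASCII characters 0x21-0x7E and that for every other code point the high byte is discarded. If this full-width handling is new in 2.1.2 rather than previously undocumented, it also belongs in CHANGES. Separately, `<literal moreinfo="none">urlDecode, urlDecodeUni</literal>` wraps two names and the comma between them in one literal; use one `<literal>` per transformation name.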
@@ -2898,18 +2931,18 @@ SecRule <emphasis role="bold">XML:/xq:employees/employee/name/text()</emphasis>
<orderedlist continuation="restarts" inheritnum="ignore">
<listitem>
<para><emphasis>Disruptive actions</emphasis>- are those actions where
ModSecurity will intercept the data. They can only appear in the first
rule in a chain.</para>
<para><emphasis>Disruptive actions</emphasis> - are those actions
where ModSecurity will intercept the data. They can only appear in the
first rule in a chain.</para>
</listitem>
<listitem>
<para><emphasis>Non-disruptive actions</emphasis>; can appear
<para><emphasis>Non-disruptive actions</emphasis> - can appear
anywhere.</para>
</listitem>
<listitem>
<para><emphasis>Flow actions</emphasis>; can appear only in the first
<para><emphasis>Flow actions</emphasis> - can appear only in the first
rule in a chain.</para>
</listitem>
@@ -2917,7 +2950,7 @@ SecRule <emphasis role="bold">XML:/xq:employees/employee/name/text()</emphasis>
<para><emphasis>Meta-data actions</emphasis>(<literal
moreinfo="none">id</literal>,<literal moreinfo="none">
rev</literal>,<literal moreinfo="none"> severity</literal>,<literal
moreinfo="none"> msg</literal>); can only appear in the first rule in
moreinfo="none"> msg</literal>) - can only appear in the first rule in
a chain.</para>
</listitem>
@@ -3243,27 +3276,48 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" \
<itemizedlist>
<listitem>
<para>1 99999; reserved for your internal needs, use as you see
fit but don't publish them to others</para>
<para>1 – 99,999; reserved for local (internal) use. Use as you
see fit but do not use this range for rules that are distributed to
others.</para>
</listitem>
<listitem>
<para>100,000-199,999; reserved for internal use of the engine, to
assign to rules that do not have explicit IDs</para>
assign to rules that do not have explicit IDs.</para>
</listitem>
<listitem>
<para>200,000-299,999; reserved for rules published at
modsecurity.org</para>
modsecurity.org.</para>
</listitem>
<listitem>
<para>300,000-399,999; reserved for rules published at
gotroot.com</para>
gotroot.com.</para>
</listitem>
<listitem>
<para>400,000 and above; unreserved range.</para>
<para>400,000-419,999; unused (available for reservation).</para>
</listitem>
<listitem>
<para>420,000-429,999; reserved for <ulink type=""
url="http://projects.otaku42.de/wiki/ScallyWhack">ScallyWhack</ulink>.</para>
</listitem>
<listitem>
<para>430,000-899,999; unused (available for reservation).</para>
</listitem>
<listitem>
<para>900,000-999,999; reserved for the <ulink
url="http://www.modsecurity.org/projects/rules/">Core Rules</ulink>
project.</para>
</listitem>
<listitem>
<para>1,000,000 and above; unused (available for
reservation).</para>
</listitem>
</itemizedlist>
</section>
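Review bot: "200,000-299,999; reserved for rules published at modsecurity.org" and "900,000-999,999; reserved for the Core Rules project" overlap in meaning, since the Core Rules are the rules published at modsecurity.org (this commit's CHANGES entry bundles Core Rules 1.4.3). Say which range the Core Rules IDs actually use and what, if anything, the 200,000 range is now for. The "1 – 99,999" bullet also mixes an en dash with the hyphenated ranges used in every other bullet.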
@@ -3811,9 +3865,8 @@ SecAction <emphasis role="bold">setsid:%{REQUEST_COOKIES.PHPSESSID}</emphasis></
<programlisting format="linespecific">setvar:!tx.score</programlisting>
<para>To increase or decrease variable value use <literal
moreinfo="none">+</literal>and<literal
moreinfo="none">-</literal>characters in front of a numerical
value:</para>
moreinfo="none">+</literal> and <literal moreinfo="none">-</literal>
characters in front of a numerical value:</para>
<programlisting format="linespecific">setvar:tx.score=+5</programlisting>
</section>