diff --git a/doc/modsecurity2-apache-reference.xml b/doc/modsecurity2-apache-reference.xml index bbaaed26..c534eef5 100644 --- a/doc/modsecurity2-apache-reference.xml +++ b/doc/modsecurity2-apache-reference.xml @@ -16,15 +16,15 @@
Introduction - ModSecurityis a web application - firewall (WAF). With over 70% of all attacks now carried out over the web - application level, organisations need every help they can get in making - their systems secure. WAFs are deployed to establish an external security - layer that increases security, detects, and prevents attacks before they - reach web applications. It provides protection from a range of attacks - against web applications and allows for HTTP traffic monitoring and - real-time analysis with little or no changes to existing - infrastructure._err + ModSecurity is a web + application firewall (WAF). With over 70% of all attacks now carried out + over the web application level, organisations need every help they can get + in making their systems secure. WAFs are deployed to establish an external + security layer that increases security, detects, and prevents attacks + before they reach web applications. It provides protection from a range of + attacks against web applications and allows for HTTP traffic monitoring + and real-time analysis with little or no changes to existing + infrastructure.
HTTP Traffic Logging @@ -197,8 +197,8 @@ which are in most cases custom coded. The Core Rules are heavily commented to allow it to be used as a step-by-step deployment guide for ModSecurity. The latest Core Rules can be found at the ModSecurity - website - http://www.modsecurity.org/projects/rules/. + website - http://www.modsecurity.org/projects/rules/.
@@ -297,8 +297,8 @@ - (Optional) Install the latest version of libxml2, if it isn't - already installed on the server. + Install the latest version of libxml2, if it isn't already + installed on the server. @@ -315,10 +315,8 @@ - (Optional) Edit Makefile to enable ModSecurity to use libxml2 - (uncomment line DEFS = - -DWITH_LIBXML2) and configure the include path (for example: - Edit Makefile to configure the correct include path for libxml + (for example: INCLUDES=-I/usr/include/libxml2) @@ -435,11 +433,9 @@ moreinfo="none">SecAction nolog,redirect:http://www.hostname.com - ProcessingPhase: Any + ProcessingPhase: Any - Scope: - Any + Scope: Any Dependencies/Notes: None @@ -453,7 +449,7 @@
<literal>SecArgumentSeparator</literal> - Description: Specifies which + Description: Specifies which character to use as separator for application/x-www-form-urlencoded content. Defaults to &. Applications are sometimes @@ -469,7 +465,7 @@ Processing Phase: Any Scope: - Main + Main Dependencies/Notes: None @@ -492,10 +488,9 @@ Example Usage: SecAuditEngine On - Processing Phase: N/A + Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: Can be set/changed with the "ctl" action for the current transaction. @@ -503,8 +498,8 @@ Example: The following example shows the various audit directives used together. - SecAuditEngine RelevantOnly -SecAuditLog logs/audit/audit.log + SecAuditEngine RelevantOnly +SecAuditLog logs/audit/audit.log SecAuditLogParts ABCFHZ SecAuditLogType concurrent SecAuditLogStorageDir logs/audit @@ -514,7 +509,7 @@ SecAuditLogStorageDir logs/audit - On - log all transactions + On - log all transactions by default. @@ -524,7 +519,7 @@ SecAuditLogStorageDir logs/audit - RelevantOnly - by default + RelevantOnly - by default only log transactions that have triggered a warning or an error, or have a status code that is considered to be relevant (see SecAuditLogRelevantStatus). @@ -547,8 +542,7 @@ SecAuditLogStorageDir logs/audit Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: This file is open on startup when the server typically still runs as @@ -584,8 +578,7 @@ SecAuditLogStorageDir logs/audit Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: A main audit log must be defined via SecAuditLog @@ -607,12 +600,12 @@ SecAuditLogStorageDir logs/audit Example Usage: SecAuditLogParts ABCFHZ - Processing Phase: N/A + Processing Phase: N/A Scope: - Any + Any - Dependencies/Notes: At this time + Dependencies/Notes: At this time ModSecurity does not log response bodies of stock Apache responses (e.g. 404), or the Server and - A – audit log header + A – audit log header (mandatory) - B – request headers + B – request + headers - C – request body (present + C – request body (present only if the request body exists and ModSecurity is configured to intercept it) @@ -644,7 +638,7 @@ SecAuditLogStorageDir logs/audit - E – intermediary response + E – intermediary response body (present only if ModSecurity is configured to intercept response bodies, and if the audit log engine is configured to record it). Intermediary response body is the same as the actual response @@ -655,14 +649,14 @@ SecAuditLogStorageDir logs/audit - F – final response headers - (excluding the Date and Server headers, which are always added by - Apache in the late stage of content delivery). + F – final response + headers (excluding the Date and Server headers, which are always + added by Apache in the late stage of content delivery). - G – RESERVED for the actual - response body, not implemented yet. + G – RESERVED for the + actual response body, not implemented yet. @@ -673,13 +667,12 @@ SecAuditLogStorageDir logs/audit I - This part is a replacement for part C. It will log the same data as C in all cases - except whenmultipart/form-dataencoding in used. In - this case it will log a fake - application/x-www-form-urlencoded body that contains the - information about parameters but not about the files. This is handy - if you don't want to have (often large) files stored in your audit - logs. + except whenmultipart/form-data + encoding in used. In this case it will log a fake application/x-www-form-urlencoded body + that contains the information about parameters but not about the + files. This is handy if you don't want to have (often large) files + stored in your audit logs. @@ -689,7 +682,7 @@ SecAuditLogStorageDir logs/audit - Z – final boundary, + Z – final boundary, signifies the end of the entry (mandatory) @@ -698,7 +691,7 @@ SecAuditLogStorageDir logs/audit
<literal>SecAuditLogRelevantStatus</literal> - Description: Configures which + Description: Configures which response status code is to be considered relevant for the purpose of audit logging. @@ -708,10 +701,9 @@ SecAuditLogStorageDir logs/audit Example Usage: SecAuditLogRelevantStatus ^[45] - Processing Phase: N/A + Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: Must have the SecAuditEngine set to RelevantOnly. The parameter is a regular @@ -740,10 +732,9 @@ SecAuditLogStorageDir logs/audit moreinfo="none">SecAuditLogStorageDir /usr/local/apache/logs/audit - Processing Phase: N/A + Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: SecAuditLogType must be set to Concurrent. The directory must already be @@ -769,8 +760,7 @@ SecAuditLogStorageDir logs/audit Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: Must specify SecAuditLogStorageDir if you use concurrent logging. @@ -806,10 +796,9 @@ SecAuditLogStorageDir logs/audit Example Usage: SecChrootDir /chroot - Processing Phase: N/A + Processing Phase: N/A - Scope: - Main + Scope: Main Dependencies/Notes: The internal chroot functionality provided by ModSecurity works great for simple @@ -839,10 +828,9 @@ SecAuditLogStorageDir logs/audit Example Usage: SecCookieFormat 0 - Processing Phase: N/A + Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: None @@ -856,7 +844,7 @@ SecAuditLogStorageDir logs/audit - 1 - use version 1 + 1 - use version 1 cookies. @@ -878,7 +866,7 @@ SecAuditLogStorageDir logs/audit Processing Phase: N/A Scope: - Main + Main Dependencies/Notes: This directive is needed when initcol, setsid an setuid are used. Must be @@ -900,8 +888,7 @@ SecAuditLogStorageDir logs/audit Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: None
@@ -909,7 +896,7 @@ SecAuditLogStorageDir logs/audit
<literal>SecDebugLogLevel</literal> - Description: Configures the + Description: Configures the verboseness of the debug log data. Syntax: Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: Levels - 1-3 - are always sent to the Apache error log. Therefore you can - always use level 0 as the default - logging level in production. Level 5 - is useful when debugging. It is not advisable to use higher - logging levels in production as excessive logging can slow down server - significantly. + 1 - 3 are always sent to the Apache + error log. Therefore you can always use level 0 as the default logging level in production. + Level 5 is useful when debugging. It + is not advisable to use higher logging levels in production as excessive + logging can slow down server significantly. Possible values are: - 0 - no logging. + 0 - no logging. - 1 - errors (intercepted + 1 - errors (intercepted requests) only. - 2 - warnings. + 2 - warnings. - 3 - notices. + 3 - notices. - 4 - details of how + 4 - details of how transactions are handled. - 5 - as above, but including + 5 - as above, but including information about each piece of information handled. - 9 - log everything, + 9 - log everything, including very detailed debugging information. @@ -983,12 +968,11 @@ SecAuditLogStorageDir logs/audit moreinfo="none">SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase - Processing Phase: Any + Processing Phase: Any - Scope: - Any + Scope: Any - Dependencies/Notes: Rules + Dependencies/Notes: Rules following a SecDefaultAction directive will inherit this setting unless a specific action is specified for an indivdual rule or until another SecDefaultAction is specified. @@ -1017,12 +1001,11 @@ SecAuditLogStorageDir logs/audit moreinfo="none">SecGuardianLog |/usr/local/apache/bin/httpd-guardian - Processing Phase: N/A + Processing Phase: N/A - Scope: - Main + Scope: Main - Dependencies/Notes: By default + Dependencies/Notes: By default httpd-guardian will defend against clients that send more 120 requests in a minute, or more than 360 requests in five minutes. @@ -1035,17 +1018,16 @@ SecAuditLogStorageDir logs/audit Development of a state of the art external protection tool will be a focus of subsequent ModSecurity releases. However, a fully functional - tool is already available as part of the Apache httpd tools project - (http://www.apachesecurity.net/tools/). - The tool is called httpd-guardian and can be used to defend against - Denial of Service attacks. It uses the blacklist tool (from the same - project) to interact with an iptables-based (Linux) or pf-based (*BSD) - firewall, dynamically blacklisting the offending IP addresses. It can - also interact with SnortSam (http://www.snortsam.net). Assuming - httpd-guardian is already configured (look into the source code for the - detailed instructions) you only need to add one line to your Apache - configuration to deploy it: + tool is already available as part of the Apache httpd tools + project. The tool is called httpd-guardian and can be used to + defend against Denial of Service attacks. It uses the blacklist tool + (from the same project) to interact with an iptables-based (Linux) or + pf-based (*BSD) firewall, dynamically blacklisting the offending IP + addresses. It can also interact with SnortSam (http://www.snortsam.net). + Assuming httpd-guardian is already configured (look into the source code + for the detailed instructions) you only need to add one line to your + Apache configuration to deploy it: SecGuardianLog |/path/to/httpd-guardian
@@ -1063,12 +1045,11 @@ SecAuditLogStorageDir logs/audit Example Usage: SecRequestBodyAccess On - Processing Phase: N/A + Processing Phase: N/A - Scope: - Any + Scope: Any - Dependencies/Notes: This + Dependencies/Notes: This directive is required if you plan to inspect POST_PAYLOADS of requests. This directive must be used along with the "phase:2" processing phase action and REQUEST_BODY variable/location. If any of these 3 parts are @@ -1084,7 +1065,7 @@ SecAuditLogStorageDir logs/audit - Off - do not attempt to + Off - do not attempt to access request bodies. @@ -1104,10 +1085,9 @@ SecAuditLogStorageDir logs/audit Processing Phase: N/A - Scope: - Any + Scope: Any - Dependencies/Notes: 131072 KB + Dependencies/Notes: 131072 KB (134217728 bytes) is the default setting. Anything over this limit will be rejected with status code 413 Request Entity Too Large. There is a hard limit of 1 GB. @@ -1116,7 +1096,7 @@ SecAuditLogStorageDir logs/audit
<literal>SecRequestBodyInMemoryLimit</literal> - Description: Configures the + Description: Configures the maximum request body size ModSecurity will store in memory. Syntax: Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: None @@ -1142,7 +1121,7 @@ SecRequestBodyInMemoryLimit 131072
<literal>SecResponseBodyLimit</literal> - Description: Configures the + Description: Configures the maximum response body size that will be accepted for buffering. Syntax: Example Usage: SecResponseBodyLimit 524228 - Processing Phase: N/A + Processing Phase: N/A - Scope: - Any + Scope: Any - Dependencies/Notes: Anything over + Dependencies/Notes: Anything over this limit will be rejected with status code 500 Internal Server Error. This setting will not affect the responses with MIME types that are not marked for buffering. There is a hard limit of 1 GB. @@ -1170,7 +1148,7 @@ SecResponseBodyLimit 524288
<literal>SecResponseBodyMimeType</literal> - Description: Configures + Description: Configures which MIME types are to be considered for response body buffering. @@ -1183,8 +1161,7 @@ SecResponseBodyLimit 524288 Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: Multiple SecResponseBodyMimeType @@ -1201,7 +1178,7 @@ SecResponseBodyLimit 524288 <literal>SecResponseBodyMimeTypesClear</literal> Description: Clears the list of - MIME types considered for response + MIME types considered for response body buffering, allowing you to start populating the list from scratch. @@ -1211,10 +1188,9 @@ SecResponseBodyLimit 524288 Example Usage: SecResponseBodyMimeTypesClear - Processing Phase: N/A + Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: None
@@ -1233,8 +1209,7 @@ SecResponseBodyLimit 524288 Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: This directive is required if you plan to inspect html responses. This @@ -1246,12 +1221,12 @@ SecResponseBodyLimit 524288 - On - access response bodies + On - access response bodies (but only if the MIME type matches, see above). - Off - do not attempt to + Off - do not attempt to access response bodies. @@ -1261,7 +1236,7 @@ SecResponseBodyLimit 524288 <literal>SecRule</literal> Description: SecRuleis the main ModSecurity directive. It + moreinfo="none">SecRule is the main ModSecurity directive. It is used to analyse data and perform actions based on the results. Syntax: Processing Phase: Any - Scope: - Any + Scope: Any Dependencies/Notes: None @@ -1321,10 +1295,10 @@ SecResponseBodyLimit 524288 In the simplest possible case you will use a regular expression pattern as the second rule parameter. This is what we've done in the - examples above. If you do this ModSecurity assumes you want to use - the rx operator. You can explicitly + examples above. If you do this ModSecurity assumes you want to use the + rx operator. You can explicitly specify the operator you want to use by using @ as the first character in the second rule + moreinfo="none">@ as the first character in the second rule parameter: SecRule REQUEST_URI "@rx dirty" @@ -1372,12 +1346,11 @@ SecResponseBodyLimit 524288 Processing Phase: Any - Scope: - Any + Scope: Any Dependencies/Notes: Resource-specific contexts (e.g. - Location, Directory, etc) + Location, Directory, etc) cannot override phase1 rules configured in the main server or in the virtual server. This is because phase 1 is run early in the request processing process, before Apache maps request to resource. @@ -1405,8 +1378,7 @@ SecDefaultAction log,deny,phase:1,redirect:http://www.site2.com <VirtualHost *:80> ServerName app2.com ServerAlias www.app2.com -SecRuleInheritance On -SecRule ARGS "attack" +SecRuleInheritance On SecRule ARGS "attack" ... </VirtualHost> @@ -1414,12 +1386,12 @@ ServerAlias www.app2.com - On - inherit rules from the + On - inherit rules from the parent context. - Off - do not inherit rules + Off - do not inherit rules from the parent context. @@ -1439,8 +1411,7 @@ ServerAlias www.app2.com Processing Phase: Any - Scope: - Any + Scope: Any Dependencies/Notes: Thisdirective can also be controled by the ctl action (ctl:ruleEngine=off) for per @@ -1480,8 +1451,7 @@ ServerAlias www.app2.com Processing Phase: Any - Scope: - Any + Scope: Any Dependencies/Notes: This directive supports multiple parameters, where each parameter can either @@ -1505,19 +1475,18 @@ ServerAlias www.app2.com Processing Phase: Any - Scope: - Any + Scope: Any Dependencies/Notes: This directive supports multiple parameters. Each parameter is a regular expression that will be applied to the message (specified using the - msg action). + msg action).
<literal>SecServerSignature</literal> - Description: Instructs + Description: Instructs ModSecurity to change the data presented in the "Server:" response header token. @@ -1531,8 +1500,7 @@ ServerAlias www.app2.com Processing Phase: N/A - Scope: - Main + Scope: Main Dependencies/Notes: In order for this directive to work, you must set the Apache ServerTokens directive @@ -1556,10 +1524,9 @@ ServerAlias www.app2.com Processing Phase: N/A - Scope: - Any + Scope: Any - Dependencies/Notes: Needs to be + Dependencies/Notes: Needs to be writable by the Apache user process. This is the directory location where Apache will swap data to disk if it runs out of memory (more data than what was specified in the SecRequestBodyInMemoryLimit directive) @@ -1580,8 +1547,7 @@ ServerAlias www.app2.com Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: This directory must be on the same filesystem as the temporary directory @@ -1604,10 +1570,9 @@ ServerAlias www.app2.com Processing Phase: N/A - Scope: - Any + Scope: Any - Dependencies/Notes: This + Dependencies/Notes: This directive requires the storage directory to be defined (using SecUploadDir). @@ -1644,10 +1609,9 @@ ServerAlias www.app2.com Example Usage: SecWebAppId "WebApp1" - Processing Phase:N/A + Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: Partitions are used to avoid collisions between session IDs and user IDs. This @@ -1744,7 +1708,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} SecDefaultAction "log,pass,phase:2" -SecRule HTTP_Host "!^$" "deny,phase:1" +SecRule REQUEST_HEADERS:Host "!^$" "deny,phase:1" Note on Rule and Phases @@ -1794,7 +1758,7 @@ SecRule HTTP_Host "!^$" "deny,phase:1" - multipart/form-data – used for file transfers + multipart/form-data – used for file transfers @@ -1816,8 +1780,8 @@ SecRule HTTP_Host "!^$" "deny,phase:1" + sanitize. This should work appropirately in a proxy setup or within + phase:5 (logging).
@@ -1836,8 +1800,9 @@ SecRule HTTP_Host "!^$" "deny,phase:1"This phase is run just before logging takes place. The rules placed into this phase can only affect how the logging is performed. This phase can be used to inspect the error messages logged by Apache. - You can not deny/block connections in this phase as it is too - late. + You can not deny/block connections in this phase as it is too late. This + phase also allows for inspection of other response headers that weren't + available during phase:3 or phase:4.
@@ -1857,23 +1822,23 @@ SecRule HTTP_Host "!^$" "deny,phase:1"SecRule ARGS dirtySometimes, - however, you will want to look only at parts of a collection. This can - be achieved with the help of the selection + arguments:SecRule ARGS dirty + Sometimes, however, you will want to look only at parts of a collection. + This can be achieved with the help of the selection operator(colon). The following example will only look at the arguments named p (do note that, in general, requests can contain multiple arguments with the same name): - SecRule ARGS:p dirtyIt - is also possible to specify exclusions. The following will examine all - request arguments for the word dirty, except the - ones named z (again, there can be + SecRule ARGS:p dirty + It is also possible to specify exclusions. The following will examine + all request arguments for the word dirty, except + the ones named z (again, there can be zero or more arguments named z): - SecRule ARGS|!ARGS:z dirtyThere - is a special operator that allows you to count how many variables there - are in a collection. The following rule will trigger if there is more - than zero arguments in the request (ignore the second parameter for the - time being): SecRule &ARGS !^0$And - sometimes you need to look at an array of parameters, each with a + SecRule ARGS|!ARGS:z dirty + There is a special operator that allows you to count how many variables + there are in a collection. The following rule will trigger if there is + more than zero arguments in the request (ignore the second parameter for + the time being): SecRule &ARGS !^0$ + And sometimes you need to look at an array of parameters, each with a slightly different name. In this case you can specify a regular expression in the selection operator itself. The following rule will look into all arguments whose names begin with phase:1" SecRule REQUEST_FILENAME "^/cgi-bin/login\.php$" "chain,log,deny,phase:2" -SecRule ARGS_COMBINED_SIZE "@gt 25" +SecRule ARGS_COMBINED_SIZE "@gt 25"
@@ -1920,7 +1885,7 @@ SecRule ARGS_NAMES "!^(p|a)$" This variable holds the authentication method used to validate a user. Example: - SecRule AUTH_TYPE "basic" log,deny,status:403,phase:1,t:lowercase + SecRule AUTH_TYPE "basic" log,deny,status:403,phase:1,t:lowercase Note @@ -1978,7 +1943,7 @@ SecRule ENV:tag "suspicious" a size limitation on individual uploaded files. Note: only available if files were extracted from the request body. Example: - SecRule FILES_SIZES "@gt 100" log,deny,status:403,phase:2 + SecRule FILES_SIZES "@gt 100" log,deny,status:403,phase:2
@@ -1986,7 +1951,7 @@ SecRule ENV:tag "suspicious" Collection. Contains a collection of temporary files' names on the disk. Useful when used together with @inspectFile. Note: only available if files + moreinfo="none">@inspectFile. Note: only available if files were extracted from the request body. Example: SecRule FILES_TMPNAMES "@inspectFile /path/to/inspect_script.pl" @@ -2021,7 +1986,8 @@ SecRule ENV:tag "suspicious" <literal moreinfo="none">QUERY_STRING</literal> This variable holds form data passed to the script/handler by - appending data after a question mark. Example: + appending data after a question mark. Warning: Not URL-decoded. + Example: SecRule QUERY_STRING "attack"
@@ -2032,7 +1998,7 @@ SecRule ENV:tag "suspicious" This variable holds the IP address of the remote client. Example: - SecRule REMOTE_ADDR "^192\.168\.1\.101$" + SecRule REMOTE_ADDR "^192\.168\.1\.101$"
@@ -2044,7 +2010,7 @@ SecRule ENV:tag "suspicious" known bad client hosts or network blocks, or conversely, to allow in authorized hosts. Example: - SecRule REMOTE_HOST "\.evil\.network\org$" + SecRule REMOTE_HOST "\.evil\.network\org$"
@@ -2056,7 +2022,7 @@ SecRule ENV:tag "suspicious" is less than 1024, which would indicate that the user is a privileged user (root). - SecRule REMOTE_PORT "@lt 1024" phase:1,log,pass,setenv:remote_port=privileged + SecRule REMOTE_PORT "@lt 1024" phase:1,log,pass,setenv:remote_port=privileged
@@ -2129,7 +2095,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" REQUEST_FILENAME (e.g. index.php). Warning: not urlDecoded. Example: - SecRule REQUEST_BASENAME "^login\.php$" + SecRule REQUEST_BASENAME "^login\.php$"
@@ -2140,7 +2106,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" the arguements is important (ARGS should be used in all other cases). Example: - SecRule REQUEST_BODY "^username=\w{25,}\&password=\w{25,}\&Submit\=login$" + SecRule REQUEST_BODY "^username=\w{25,}\&password=\w{25,}\&Submit\=login$" Note @@ -2173,8 +2139,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" <literal moreinfo="none">REQUEST_FILENAME</literal> This variable holds the relative REQUEST_URI minus the - QUERY_STRING part (e.g. /index.php). Warning: not urlDecoded. - Example: + QUERY_STRING part (e.g. /index.php). Example: SecRule REQUEST_FILENAME "^/cgi-bin/login\.php$"
@@ -2188,7 +2153,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" example uses REQUEST_HEADERS as a collection and is applying the validateUrlEncoding operator against all headers. - SecRule REQUEST_HEADERS "@validateUrlEncoding" + SecRule REQUEST_HEADERS "@validateUrlEncoding" Example: the second example is targeting only the Host header. @@ -2216,7 +2181,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" GET, HEAD, POST or if the HTTP is something other than HTTP/0.9, 1.0 or 1.1. - SecRule REQUEST_LINE "!(^((?:(?:pos|ge)t|head))|http/(0\.9|1\.0|1\.1)$)" + SecRule REQUEST_LINE "!(^((?:(?:pos|ge)t|head))|http/(0\.9|1\.0|1\.1)$)" Note @@ -2247,7 +2212,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable holds the Request Protocol Version information. Example: - SecRule REQUEST_PROTOCOL "!^http/(0\.9|1\.0|1\.1)$" + SecRule REQUEST_PROTOCOL "!^http/(0\.9|1\.0|1\.1)$" Note @@ -2265,7 +2230,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" does not include either the REQUEST_METHOD or the HTTP version info. Example: - SecRule REQUEST_URI "attack" + SecRule REQUEST_URI "attack"
@@ -2300,10 +2265,10 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" Note This variable may not have access to some headers when running in - embedded-mode. Headers such as Server, Date and Connection are added - during a later Apache hook just prior to sending the data to the client. - This data should be available, however, when running in - proxy-mode. + embedded-mode. Headers such as Server, Date, Connection and Content-Type + are added during a later Apache hook just prior to sending the data to + the client. This data should be available, however, either during + ModSecurity phase:5 (logging) or when running in proxy-mode.
@@ -2312,7 +2277,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable is a collection of the response header names. Example: - SecRule RESPONSE_HEADERS_NAMES "Set-Cookie" + SecRule RESPONSE_HEADERS_NAMES "Set-Cookie" Note @@ -2326,7 +2291,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable holds the HTTP Response Protocol information. Example: - SecRule RESPONSE_PROTOCOL "^HTTP\/0\.9" + SecRule RESPONSE_PROTOCOL "^HTTP\/0\.9"
@@ -2335,7 +2300,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable holds the HTTP Response Status Code generated by Apache. Example: - SecRule RESPONSE_STATUS "^[45]" + SecRule RESPONSE_STATUS "^[45]" Note @@ -2366,7 +2331,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable holds just the local filename part of SCRIPT_FILENAME. Example: - SecRule SCRIPT_BASENAME "^login\.php$" + SecRule SCRIPT_BASENAME "^login\.php$" Note @@ -2392,7 +2357,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable holds the groupid (numerical value) of the group owner of the script. Example: - SecRule SCRIPT_GID "!^46$" + SecRule SCRIPT_GID "!^46$" Note @@ -2419,7 +2384,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" - 1=execute, 2=write, 4=read and 7=read/write/execute). Example: will trigger if the script has the WRITE permissions set. - SecRule SCRIPT_MODE "^(2|3|6|7)$" + SecRule SCRIPT_MODE "^(2|3|6|7)$" Note @@ -2446,7 +2411,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable holds the username of the owner of the script. Example: - SecRule SCRIPT_USERNAME "!^apache$" + SecRule SCRIPT_USERNAME "!^apache$" Note @@ -2468,7 +2433,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable contains the server's hostname or IP address. Example: - SecRule SERVER_NAME "hostname\.com$" + SecRule SERVER_NAME "hostname\.com$" Note @@ -2482,7 +2447,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable contains the local port that the web server is listening on. Example: - SecRule SERVER_PORT "^80$" + SecRule SERVER_PORT "^80$"
@@ -2530,7 +2495,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} would trigger anytime between the 10th and 20th days of the month. - SecRule TIME_DAY "^(([1](0|1|2|3|4|5|6|7|8|9))|20)$" + SecRule TIME_DAY "^(([1](0|1|2|3|4|5|6|7|8|9))|20)$"
@@ -2585,7 +2550,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} This variable holds the current weekday (0-6). Example: this rule would trigger only on week-ends (Saturday and Sunday). - SecRule TIME_WDAY "^(0|6)$" + SecRule TIME_WDAY "^(0|6)$"
@@ -2594,7 +2559,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} This variable holds the current four-digit year data. Example: - SecRule TIME_YEAR "^2006$" + SecRule TIME_YEAR "^2006$"
@@ -2660,6 +2625,72 @@ SecRule REQBODY_PROCESSOR "!^XML$" skip:2 SecRule XML:/employees/employee/name/text() Fred SecRule XML:/xq:employees/employee/name/text() Fred \ xmlns:xq=http://www.example.com/employees + + The first XPath expression does not use namespaces. It would match + against payload such as this one: + + <employees> + <employee> + <name>Fred Jones</name> + <address location="home"> + <street>900 Aurora Ave.</street> + <city>Seattle</city> + <state>WA</state> + <zip>98115</zip> + </address> + <address location="work"> + <street>2011 152nd Avenue NE</street> + <city>Redmond</city> + <state>WA</state> + <zip>98052</zip> + </address> + <phone location="work">(425)555-5665</phone> + <phone location="home">(206)555-5555</phone> + <phone location="mobile">(206)555-4321</phone> + </employee> +</employees> + + The second XPath expression does use namespaces. It would match + the following payload: + + <xq:employees xmlns:xq="http://www.example.com/employees"> + <employee> + <name>Fred Jones</name> + <address location="home"> + <street>900 Aurora Ave.</street> + <city>Seattle</city> + <state>WA</state> + <zip>98115</zip> + </address> + <address location="work"> + <street>2011 152nd Avenue NE</street> + <city>Redmond</city> + <state>WA</state> + <zip>98052</zip> + </address> + <phone location="work">(425)555-5665</phone> + <phone location="home">(206)555-5555</phone> + <phone location="mobile">(206)555-4321</phone> + </employee> +</xq:employees> + + Note the different namespace used in the second example. + + To learn more about XPath we suggest the following + resources: + + + + XPath + Standard + + + + XPath + Tutorial + +
@@ -2681,7 +2712,7 @@ SecRule XML:/xq:employees/employee/name/text() case in order to evade the ModSecurity rule: SecRule ARG:p "xp_cmdshell" "t:lowercase"multiple + role="bold">"t:lowercase" multiple tranformation actions can be used in the same rule, for example the following rule also ensures that an attacker does not use URL encoding (%xx encoding) for evasion. Note the order of the transformation @@ -2732,8 +2763,8 @@ SecRule XML:/xq:employees/employee/name/text() moreinfo="none">\v, \\, \?, \', \", - \xHH(hexadecimal), \0OOO(octal). Invalid encodings are left in + \xHH (hexadecimal), \0OOO (octal). Invalid encodings are left in the output. @@ -2774,7 +2805,7 @@ SecRule XML:/xq:employees/employee/name/text() - &nbsp and &nbsp and &nbsp; @@ -2873,9 +2904,11 @@ SecRule XML:/xq:employees/employee/name/text() <literal>urlDecodeUni</literal> In addition to decoding %xx like urlDecode, urlDecodeUni also decodes %uXXXX encoding (only the - lower byte will be used, the higher byte will be discarded). + moreinfo="none">urlDecode, urlDecodeUni also decodes %uXXXX encoding. If the code is in the range + of FF01-FF5E (the full width ASCII codes), then the higher byte is used + to detect and adjust the lower byte. Otherwise, only the lower byte will + be used and the higher byte zeroed.
@@ -2898,18 +2931,18 @@ SecRule XML:/xq:employees/employee/name/text() - Disruptive actions- are those actions where - ModSecurity will intercept the data. They can only appear in the first - rule in a chain. + Disruptive actions - are those actions + where ModSecurity will intercept the data. They can only appear in the + first rule in a chain. - Non-disruptive actions; can appear + Non-disruptive actions - can appear anywhere. - Flow actions; can appear only in the first + Flow actions - can appear only in the first rule in a chain. @@ -2917,12 +2950,12 @@ SecRule XML:/xq:employees/employee/name/text() Meta-data actions(id, rev, severity, msg); can only appear in the first rule in + moreinfo="none"> msg) - can only appear in the first rule in a chain. - Data actions- can appear anywhere; these + Data actions - can appear anywhere; these actions are completely passive and only serve to carry data used by other actions. @@ -2997,14 +3030,14 @@ SecRule TX:1 "(?:(?:a(dmin|nonymous)))"
<literal>chain</literal> - Description: Chains the rule + Description: Chains the rule where the action is placed with the rule that immediately follows it. The result is called a rule chain. Chained rules allow for more complex rule matches where you want to use a number of different VARIABLES to create a better rule and to help prevent false positives. - Action Group: Flow + Action Group: Flow Example: @@ -3090,7 +3123,7 @@ SecRule REQUEST_CONTENT_TYPE ^text/xml nolog,pass,ctl:requ moreinfo="none">URLENCODED and MULTIPART processors to process an application/x-www-form-urlencoded and a - multipart/form-data body, + multipart/form-data body, respectively. A third processor, XML, is also supported, but it is never used implicitly. Instead you must tell ModSecurity to use it by placing a few rules in the REQUEST_HEADERS @@ -3143,7 +3176,7 @@ SecRule REQUEST_CONTENT_TYPE ^text/xml nolog,pass,ctl:requ
<literal>drop</literal> - Description: Immediately initiate + Description: Immediately initiate a "connection close" action to tear down the TCP connection by sending a FIN packet. @@ -3243,27 +3276,48 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" \ - 1 – 99999; reserved for your internal needs, use as you see - fit but don't publish them to others + 1 – 99,999; reserved for local (internal) use. Use as you + see fit but do not use this range for rules that are distributed to + others. 100,000-199,999; reserved for internal use of the engine, to - assign to rules that do not have explicit IDs + assign to rules that do not have explicit IDs. 200,000-299,999; reserved for rules published at - modsecurity.org + modsecurity.org. 300,000-399,999; reserved for rules published at - gotroot.com + gotroot.com. - 400,000 and above; unreserved range. + 400,000-419,999; unused (available for reservation). + + + + 420,000-429,999; reserved for ScallyWhack. + + + + 430,000-899,999; unused (available for reservation). + + + + 900,000-999,999; reserved for the Core Rules + project. + + + + 1,000,000 and above; unused (available for + reservation).
@@ -3271,7 +3325,7 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" \
<literal>initcol</literal> - Description: Initialises a named + Description: Initialises a named persistent collection, either by loading data from storage or by creating a new collection in memory. @@ -3305,7 +3359,7 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" \ - TIMEOUT- date/time in + TIMEOUT - date/time in seconds when the collection will be updated on disk from memory (if no other updates occur). @@ -3345,7 +3399,7 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" \
<literal>log</literal> - Description: Indicates that a + Description: Indicates that a successful match of the rule needs to be logged. Action Group: @@ -3385,7 +3439,7 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" \
<literal>multiMatch</literal> - Description: If enabled + Description: If enabled ModSecurity will perform multiple operator invocations for every target, before and after every anti-evasion transformation is performed. @@ -3408,7 +3462,7 @@ SecRule ARGS "attack" multiMatch <literal>noauditlog</literal> - Description: Indicates that a + Description: Indicates that a successful match of the rule should not be used as criteria whether the transaction should be logged to the audit log. @@ -3453,7 +3507,7 @@ SecRule ARGS "attack" multiMatch <literal>pass</literal> - Description: Continues processing + Description: Continues processing with the next rule in spite of a successful match. Action Group: Disruptive @@ -3517,7 +3571,7 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403
<literal>proxy</literal> - Description: Intercepts + Description: Intercepts transaction by forwarding request to another web server using the proxy backend. @@ -3538,7 +3592,7 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403
<literal>redirect</literal> - Description: Intercepts + Description: Intercepts transaction by issuing a redirect to the given location. Action Group: Disruptive @@ -3810,10 +3864,9 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}setvar:!tx.score - To increase or decrease variable value use+and-characters in front of a numerical - value: + To increase or decrease variable value use + and - + characters in front of a numerical value: setvar:tx.score=+5
@@ -3821,7 +3874,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} <literal>skip</literal> - Description: Skips one or more + Description: Skips one or more rules (or chains) on successful match. Action Group: @@ -3926,13 +3979,13 @@ SecRule XML:/soap:Envelope/soap:Body/q1:getInput/id() "123" phase:2,deny <literal>eq</literal> - Description: This operator is a + Description: This operator is a numerical comparison and stands for "equal to." Example: SecRule &REQUEST_HEADERS_NAMES "@eq 15" + role="bold">@eq 15"
@@ -3969,19 +4022,19 @@ SecRule XML:/soap:Envelope/soap:Body/q1:getInput/id() "123" phase:2,denyExample: SecRule FILES_TMPNAMES "@inspectFile /opt/apache/bin/inspect_script.pl" + role="bold">@inspectFile /opt/apache/bin/inspect_script.pl"
<literal>le</literal> - Description: This operator is a + Description: This operator is a numerical comparison and stands for "less than or equal to." Example: SecRule &REQUEST_HEADERS_NAMES "@le 15" + role="bold">@le 15"
@@ -4019,7 +4072,7 @@ SecRule XML:/soap:Envelope/soap:Body/q1:getInput/id() "123" phase:2,denyExample: SecRule REQUEST_HEADERS:User-Agent "@rx nikto" + role="bold">@rx nikto" Note @@ -4055,13 +4108,13 @@ SecRule XML:/soap:Envelope/soap:Body/q1:getInput/id() "123" phase:2,deny <literal>validateByteRange</literal> - Description: Validates the byte + Description: Validates the byte range used in the variable falls into the specified range. Example: SecRule ARG:text "@validateByteRange 10, 13, 32-126" + role="bold">@validateByteRange 10, 13, 32-126" Note