Description: Establishes a per-IP address limit of how many +connections are allowed to be in SERVER_BUSY_WRITE state. +
Syntax: SecWriteStateLimit LIMIT
+
Example Usage: SecWriteStateLimit 50
+
Scope: Main +
Version: 2.6.0 +
Default: 0 (no limit) +
This measure is effective against Slow DoS request body attacks. +
Description: Configures whether request bodies will be @@ -2415,39 +2432,37 @@ insert.
Description: Configures the ability to use stream inspection -for inbound request data. +for inbound request data in a re-allocable buffer. For security reasons +we are still buffering the stream.
Syntax: SecStreamInBodyInspection On|Off
Example Usage: SecStreamInBodyInspection On
Scope: Any
Version: 2.6.0
Default: Off
This feature enables the creation of the STREAM_INPUT_BODY -variable and is useful in a prequalification ruleset scenario against a -large list of strings. +variable and is useful for data modification or to match data in raw +data for any content-types.
-Description: Configures the ability to use stream inspection -for outbound request data. +for outbound request data in a re-allocable buffer. For security +reasons we are still buffering the stream.
Syntax: SecStreamOutBodyInspection On|Off
Example Usage: SecStreamOutBodyInspection On
Scope: Any
Version: 2.6.0
Default: Off
This feature enables the creation of the STREAM_OUTPUT_BODY -variable and is useful in two main scenarios: +variable and is useful when you need to do data modification into +response body.
-Description: Defines the path to the file that will be used by + the urlDecodeUni transformation function to map Unicode code points +during normalization. +
Syntax: SecUnicodeMapFile /path/to/unicode.mapping
+
Example Usage: SecUnicodeMapFile
+/usr/local/apache/conf/crs/unicode.mapping
+
Scope: Any +
Version: 2.6.1 +
+Description: Defines which Unicode code point will be used by +the urlDecodeUni transformation function during normalization. +
Syntax: SecUnicodeCodePage XXXXX
+
Example Usage: SecUnicodeCodePage 20127
+
Scope: Any +
Version: 2.6.1 +
Description: Configures the directory where intercepted files @@ -3416,9 +3451,9 @@ class="mw-headline"> STREAM_INPUT_BODY
This variable give access to the raw response body content. This -variable is best used for two use-cases: +variable is best used for case:
-# Detect credit card numbers in parameters and
# prevent them from being logged to audit log
-SecRule ARGS "@verifyCC \d{13,16}" "phase:2,nolog,pass,msg:'Potential credit card number in request',sanitiseMatchedBytes"
-SecRule RESPONSE_BODY "@verifyCC \d{13,16}" "phase:4,t:none,log,block,msg:'Potential credit card number is response body',sanitiseMatchedBytes:0/4"
+SecRule ARGS "@verifyCC \d{13,16}" "phase:2,nolog,capture,pass,msg:'Potential credit card number in request',sanitiseMatchedBytes"
+SecRule RESPONSE_BODY "@verifyCC \d{13,16}" "phase:4,t:none,log,capture,block,msg:'Potential credit card number is response body',sanitiseMatchedBytes:0/4"
# Detect suspicious client by looking at the user agent identification SecRule REQUEST_HEADERS:User-Agent "@pm WebZIP WebCopier Webster WebStripper ... SiteSnagger ProWebWalker CheeseBot"+
Short alias for pmFromFile.
@@ -5074,6 +5109,11 @@ easier inclusion of phrase files with rulesets, relative paths may be used to the phrase files. In this case, the path of the file containing the rule is prepended to the phrase file path.
+
Description: Looks up the input value in the RBL (real-time block list) given as parameter. The parameter can be an IPv4 address or a @@ -5178,6 +5218,12 @@ expression.
# Detect suspicious client by looking at the user agent identification SecRule REQUEST_HEADERS:User-Agent "@strmatch WebZIP"+
+
Description: Validates that the byte values used in input fall @@ -5701,13 +5747,13 @@ SecCookieFormat 0 - +
@@ -5817,7 +5863,7 @@ pages href="http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual&printable=yes&printable=yes" rel="alternate" title="Printable version of this page [alt-shift-p]" accesskey="p">Printable version