diff --git a/CHANGES b/CHANGES index 46b66c40..1d0c74f4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -02 Nov 2007 - 2.5.0-dev3 + +26 Nov 2007 - 2.5.0-dev3 ------------------------ + * Implement SecComponentSignature. + * Fix warnings on Solaris and/or 64bit builds. * Added skipAfter: action to allow skipping all rules until a rule diff --git a/doc/modsecurity2-apache-reference.xml b/doc/modsecurity2-apache-reference.xml index 5b3ba93f..ab0096db 100644 --- a/doc/modsecurity2-apache-reference.xml +++ b/doc/modsecurity2-apache-reference.xml @@ -149,8 +149,7 @@ ModSecurity is known to work well on a wide range of operating systems. Our customers are successfully running it on Linux, Windows, - Solaris, FreeBSD, OpenBSD, NetBSD, AIX, Mac OS X, and HP-UX. + Solaris, FreeBSD, OpenBSD, NetBSD, AIX, Mac OS X, and HP-UX.
@@ -410,7 +409,7 @@ "allow" rules or to correct any false positives in the Core rules as they are applied to your site. - Note + Note It is highly encouraged that you do not edit the Core rules files themselves but rather place all changes (such as @@ -421,23 +420,23 @@
<literal>SecAction</literal> - Description: Unconditionally - processes the action list it receives as the first and only parameter. - It accepts one parameter, the syntax of which is identical to the third - parameter of SecRule. + Description: Unconditionally processes the + action list it receives as the first and only parameter. It accepts one + parameter, the syntax of which is identical to the third parameter + of SecRule. - Syntax: SecAction action1,action2,action2 + Syntax: SecAction + action1,action2,action2 - Example Usage: Example Usage: SecAction nolog,redirect:http://www.hostname.com - ProcessingPhase: Any + ProcessingPhase: Any - Scope: Any + Scope: Any - Dependencies/Notes: None + Dependencies/Notes: None SecAction is best used when you uncondiationally execute an action. This is explicit triggering whereas the normal Actions are @@ -449,25 +448,24 @@
<literal>SecArgumentSeparator</literal> - Description: Specifies which - character to use as separator for + Description: Specifies which character to use + as separator for application/x-www-form-urlencoded content. Defaults to &. Applications are sometimes (very rarely) written to use a semicolon (;). - Syntax: Syntax: SecArgumentSeparator character - Example Usage: Example Usage: SecArgumentSeparator ; - Processing Phase: Any + Processing Phase: Any - Scope: - Main + Scope: Main - Dependencies/Notes: None + Dependencies/Notes: None This directive is needed if a backend web appliaction is using a non-standard argument separator. If this directive is not set properly @@ -479,31 +477,31 @@
<literal>SecAuditEngine</literal> - Description: Configures the audit - logging engine. + Description: Configures the audit logging + engine. - Syntax: Syntax: SecAuditEngine On|Off|RelevantOnly - Example Usage: Example Usage: SecAuditEngine On - Processing Phase: N/A + Processing Phase: N/A - Scope: Any + Scope: Any - Dependencies/Notes: Can be - set/changed with the "ctl" action for the current transaction. + Dependencies/Notes: Can be set/changed with + the "ctl" action for the current transaction. Example: The following example shows the various audit directives used together. - SecAuditEngine RelevantOnly + SecAuditEngine RelevantOnly SecAuditLog logs/audit/audit.log SecAuditLogParts ABCFHZ SecAuditLogType concurrent SecAuditLogStorageDir logs/audit -SecAuditLogRelevantStatus ^[45] +SecAuditLogRelevantStatus ^[45] Possible values are: @@ -530,22 +528,22 @@ SecAuditLogStorageDir logs/audit
<literal>SecAuditLog</literal> - Description: Defines the path to - the main audit log file. + Description: Defines the path to the main + audit log file. - Syntax: SecAuditLog /path/to/auditlog + Syntax: SecAuditLog + /path/to/auditlog - Example Usage: Example Usage: SecAuditLog /usr/local/apache/logs/audit.log - Processing Phase: N/A + Processing Phase: N/A - Scope: Any + Scope: Any - Dependencies/Notes: This file is - open on startup when the server typically still runs as + Dependencies/Notes: This file is open on + startup when the server typically still runs as root. You should not allow non-root users to have write privileges for this file or for the directory it is stored in.. @@ -564,50 +562,48 @@ SecAuditLogStorageDir logs/audit
<literal>SecAuditLog2</literal> - Description: Defines the path to - the secondary audit log index file when concurrent logging is enabled. - See SecAuditLog2 for more - details. + Description: Defines the path to the + secondary audit log index file when concurrent logging is enabled. See + SecAuditLog2 for more details. - Syntax: SecAuditLog2 /path/to/auditlog2 + Syntax: SecAuditLog2 + /path/to/auditlog2 - Example Usage: Example Usage: SecAuditLog2 /usr/local/apache/logs/audit2.log - Processing Phase: N/A + Processing Phase: N/A - Scope: Any + Scope: Any - Dependencies/Notes: A main audit - log must be defined via SecAuditLog - before this directive may be used. Additionally, this log is only used - for replicating the main audit log index file when concurrent audit - logging is used. It will not be used - for non-concurrent audit logging. + Dependencies/Notes: A main audit log must be + defined via SecAuditLog before this + directive may be used. Additionally, this log is only used for + replicating the main audit log index file when concurrent audit logging + is used. It will not be used for non-concurrent + audit logging.
<literal>SecAuditLogParts</literal> - Description: Defines the path to - the main audit log file. + Description: Defines the path to the main + audit log file. - Syntax: Syntax: SecAuditLogParts PARTS - Example Usage: Example Usage: SecAuditLogParts ABCFHZ - Processing Phase: N/A + Processing Phase: N/A - Scope: - Any + Scope: Any - Dependencies/Notes: At this time - ModSecurity does not log response bodies of stock Apache responses (e.g. - 404), or the Dependencies/Notes: At this time ModSecurity + does not log response bodies of stock Apache responses (e.g. 404), or the Server and Date response headers. @@ -690,22 +686,23 @@ SecAuditLogStorageDir logs/audit
<literal>SecAuditLogRelevantStatus</literal> - Description: Configures which - response status code is to be considered relevant for the purpose of - audit logging. + Description: Configures which response status + code is to be considered relevant for the purpose of audit + logging. - Syntax: Syntax: SecAuditLogRelevantStatus REGEX - Example Usage: Example Usage: SecAuditLogRelevantStatus ^[45] - Processing Phase: N/A + Processing Phase: N/A - Scope: Any + Scope: Any - Dependencies/Notes: Must have the - SecAuditEngine set to RelevantOnly. The parameter is a regular + Dependencies/Notes: Must have the + SecAuditEngine set to + RelevantOnly. The parameter is a regular expression. The main purpose of this directive is to allow you to configure @@ -719,26 +716,25 @@ SecAuditLogStorageDir logs/audit
<literal>SecAuditLogStorageDir</literal> - Description: Configures the - storage directory where concurrent audit log entries are to be - stored. + Description: Configures the storage directory + where concurrent audit log entries are to be stored. - Syntax: Syntax: SecAuditLogStorageDir /path/to/storage/dir - Example Usage: Example Usage: SecAuditLogStorageDir /usr/local/apache/logs/audit - Processing Phase: N/A + Processing Phase: N/A - Scope: Any + Scope: Any - Dependencies/Notes: - SecAuditLogType must be set to Concurrent. The directory must already be - created before starting Apache and it must be writable by the web server - user as new files are generated at runtime. + Dependencies/Notes: SecAuditLogType must be + set to Concurrent. The directory must already be created before starting + Apache and it must be writable by the web server user as new files are + generated at runtime. As with all logging mechanisms, ensure that you specify a file system location that has adequate disk space and is not on the root @@ -748,21 +744,22 @@ SecAuditLogStorageDir logs/audit
<literal>SecAuditLogType</literal> - Description: Configures the type - of audit logging mechanism to be used. + Description: Configures the type of audit + logging mechanism to be used. - Syntax: Syntax: SecAuditLogType Serial|Concurrent - Example Usage: Example Usage: SecAuditLogType Serial - Processing Phase: N/A + Processing Phase: N/A - Scope: Any + Scope: Any - Dependencies/Notes: Must specify - SecAuditLogStorageDir if you use concurrent logging. + Dependencies/Notes: Must specify + SecAuditLogStorageDir if you use concurrent + logging. Possible values are: @@ -786,22 +783,24 @@ SecAuditLogStorageDir logs/audit
<literal>SecCacheTransformations</literal> - Description: Controls caching of + Description: Controls caching of transformations. - Syntax: Syntax: SecCacheTransformations On|Off [options] - Example Usage: Example Usage: SecCacheTransformations On "minlen:64,maxlen:0" - Processing Phase: N/A + Processing Phase: N/A - Scope: Any + Scope: Any - Dependencies/Notes: N/A + Version: 2.5.0 + + Dependencies/Notes: N/A First parameter: @@ -839,24 +838,24 @@ SecAuditLogStorageDir logs/audit
<literal>SecChrootDir</literal> - Description: Configures the - directory path that will be used to jail the web server process. + Description: Configures the directory path + that will be used to jail the web server process. - Syntax: SecChrootDir /path/to/chroot/dir + Syntax: SecChrootDir + /path/to/chroot/dir - Example Usage: Example Usage: SecChrootDir /chroot - Processing Phase: N/A + Processing Phase: N/A - Scope: Main + Scope: Main - Dependencies/Notes: The internal - chroot functionality provided by ModSecurity works great for simple - setups. One example of a simple setup is Apache serving static files - only, or running scripts using modules. Some problems you might - encounter with more complex setups: + Dependencies/Notes: The internal chroot + functionality provided by ModSecurity works great for simple setups. One + example of a simple setup is Apache serving static files only, or + running scripts using modules. Some problems you might encounter with + more complex setups: @@ -889,37 +888,61 @@ SecAuditLogStorageDir logs/audit decision.
+
+ <literal>SecComponentSignature</literal> + + Description: Appends component signature to + the ModSecurity signature. + + Syntax: SecComponentSignature + "COMPONENT_NAME/X.Y.Z (COMMENT)" + + Example usage: SecComponentSignature + "Core Rules/1.2.3" + + Scope: Main + + Version: 2.5.0 + + Notes: This directive should be used to make + the presence of significant ModSecurity components known. The entire + signature will be recorded in transaction audit log. It should be used + by ModSecurity module and rule set writers to make debugging + easier. +
+
<literal>SecContentInjection (Experimental)</literal> - Description: Enables content - injection using actions append and - prepend. + Description: Enables content injection using + actions append and prepend. - Syntax: - SecContentInjection (On|Off) + Syntax: SecContentInjection + (On|Off) - Example Usage: - SecContentInjection On + Example Usage: SecContentInjection + On + + Version: 2.5.0
<literal>SecCookieFormat</literal> - Description: Selects the cookie - format that will be used in the current configuration context. + Description: Selects the cookie format that + will be used in the current configuration context. - Syntax: Syntax: SecCookieFormat 0|1 - Example Usage: Example Usage: SecCookieFormat 0 - Processing Phase: N/A + Processing Phase: N/A - Scope: Any + Scope: Any - Dependencies/Notes: None + Dependencies/Notes: None Possible values are: @@ -940,68 +963,67 @@ SecAuditLogStorageDir logs/audit
<literal>SecDataDir</literal> - Description: Path where - persistent data (e.g. IP address data, session data, etc) is to be - stored. + Description: Path where persistent data (e.g. + IP address data, session data, etc) is to be stored. - Syntax: SecDataDir /path/to/dir + Syntax: SecDataDir + /path/to/dir - Example Usage: Example Usage: SecDataDir /usr/local/apache/logs/data - Processing Phase: N/A + Processing Phase: N/A - Scope: + Scope: Main - Dependencies/Notes: This - directive is needed when initcol, setsid an setuid are used. Must be - writable by the web server user. + Dependencies/Notes: This directive is needed + when initcol, setsid an setuid are used. Must be writable by the web + server user.
<literal>SecDebugLog</literal> - Description: Path to the - ModSecurity debug log file. + Description: Path to the ModSecurity debug + log file. - Syntax: SecDebugLog /path/to/modsec-debug.log + Syntax: SecDebugLog + /path/to/modsec-debug.log - Example Usage: Example Usage: SecDebugLog /usr/local/apache/logs/modsec-debug.log - Processing Phase: N/A + Processing Phase: N/A - Scope: Any + Scope: Any - Dependencies/Notes: None + Dependencies/Notes: None
<literal>SecDebugLogLevel</literal> - Description: Configures the - verboseness of the debug log data. + Description: Configures the verboseness of + the debug log data. - Syntax: Syntax: SecDebugLogLevel 0|1|2|3|4|5|6|7|8|9 - Example Usage: Example Usage: SecDebugLogLevel 4 - Processing Phase: N/A + Processing Phase: N/A - Scope: Any + Scope: Any - Dependencies/Notes: Levels - 1 - 3 are always sent to the Apache - error log. Therefore you can always use level 0 as the default logging level in production. - Level 5 is useful when debugging. It - is not advisable to use higher logging levels in production as excessive + Dependencies/Notes: Levels 1 - 3 are always sent to the Apache error log. + Therefore you can always use level 0 + as the default logging level in production. Level 5 is useful when debugging. It is not + advisable to use higher logging levels in production as excessive logging can slow down server significantly. Possible values are: @@ -1044,31 +1066,31 @@ SecAuditLogStorageDir logs/audit
<literal>SecDefaultAction</literal> - Description: Defines the default - action to take on a rule match. + Description: Defines the default action to + take on a rule match. - Syntax: Syntax: SecDefaultAction action1,action2,action3 - Example Usage: Example Usage: SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase - Processing Phase: Any + Processing Phase: Any - Scope: Any + Scope: Any - Dependencies/Notes: Rules - following a SecDefaultAction directive will inherit this setting unless - a specific action is specified for an indivdual rule or until another + Dependencies/Notes: Rules following a + SecDefaultAction directive will inherit this setting unless a specific + action is specified for an indivdual rule or until another SecDefaultAction is specified. The default value is: SecDefaultAction log,auditlog,deny,status:403,phase:2,t:none - Note + Note SecDefaultAction must specify a disruptive action and a processing phase. @@ -1077,45 +1099,45 @@ SecAuditLogStorageDir logs/audit
<literal>SecGeoLookupsDb</literal> - Description: Defines the path to - the geograpical database file. + Description: Defines the path to the + geograpical database file. - Syntax: Syntax: SecGeoLookupsDb /path/to/db - Example Usage: Example Usage: SecGeoLookupsDb /usr/local/geo/data/GeoLiteCity.dat - Processing Phase: N/A + Processing Phase: N/A - Scope: Any + Scope: Any - Dependencies/Notes: Check out - www.maxmind.com for free database files. + Dependencies/Notes: Check out www.maxmind.com + for free database files.
<literal>SecGuardianLog</literal> - Description: Configuration - directive to use the httpd-guardian script to monitor for Denial of - Service (DoS) attacks. + Description: Configuration directive to use + the httpd-guardian script to monitor for Denial of Service (DoS) + attacks. - Syntax: Syntax: SecGuardianLog |/path/to/httpd-guardian - Example Usage: Example Usage: SecGuardianLog |/usr/local/apache/bin/httpd-guardian - Processing Phase: N/A + Processing Phase: N/A - Scope: Main + Scope: Main - Dependencies/Notes: By default - httpd-guardian will defend against clients that send more 120 requests - in a minute, or more than 360 requests in five minutes. + Dependencies/Notes: By default httpd-guardian + will defend against clients that send more 120 requests in a minute, or + more than 360 requests in five minutes. Since 1.9, ModSecurity supports a new directive, SecGuardianLog, that is designed to send all access data to another program using the @@ -1143,23 +1165,22 @@ SecAuditLogStorageDir logs/audit
<literal>SecPdfProtect</literal> (Experimental) - Description: Enables the PDF XSS - protection functionality. Once enabled access to PDF files is tracked. - Direct access attempts are redirected to links that contain one-time - tokens. Requests with valid tokens are allowed through unmodified. - Requests with invalid tokens are also allowed through but with forced - download of the PDF files. This implementation uses response headers to - detect PDF files and thus can be used with dynamically generated PDF - files that do not have the .pdf extension in the - request URI. + Description: Enables the PDF XSS protection + functionality. Once enabled access to PDF files is tracked. Direct + access attempts are redirected to links that contain one-time tokens. + Requests with valid tokens are allowed through unmodified. Requests with + invalid tokens are also allowed through but with forced download of the + PDF files. This implementation uses response headers to detect PDF files + and thus can be used with dynamically generated PDF files that do not + have the .pdf extension in the request URI.
<literal>SecPdfProtectMethod</literal> (Experimental) - Description: Configure desired - protection method to be used when requests for PDF files are detected. - Possible values are TokenRedirection and + Description: Configure desired protection + method to be used when requests for PDF files are detected. Possible + values are TokenRedirection and ForcedDownload. The token redirection approach will attempt to redirect with tokens where possible. This allows PDF files to continue to be opened inline but only works for GET requests. Forced @@ -1168,71 +1189,67 @@ SecAuditLogStorageDir logs/audit download is considered to be more secure but may cause usability problems for users ("This PDF won't open anymore!"). - Default: + Default: TokenRedirection
<literal>SecPdfProtectSecret</literal> (Experimental) - Description: Defines the secret - that will be used to construct one-time tokens. You should use a - reasonably long value for the secret (e.g. 16 characters is good). Once - selected the secret should not be changed as as it will break the the - tokens that were sent prior to change. But it's not a big deal even if - you change it. It will just force dowload of PDF files with tokens that - were issued in the last few seconds. + Description: Defines the secret that will be + used to construct one-time tokens. You should use a reasonably long + value for the secret (e.g. 16 characters is good). Once selected the + secret should not be changed as as it will break the the tokens that + were sent prior to change. But it's not a big deal even if you change + it. It will just force dowload of PDF files with tokens that were issued + in the last few seconds.
<literal>SecPdfProtectTimeout</literal> (Experimental) - Description: Defines the token - timeout. After token expires it can no longer be used to allow access to - PDF file. Request will be allowed through but the PDF will be delivered - as attachment. + Description: Defines the token timeout. After + token expires it can no longer be used to allow access to PDF file. + Request will be allowed through but the PDF will be delivered as + attachment. - Default: - 10 + Default: 10
<literal>SecPdfProtectTokenName</literal> (Experimental) - Description: Defines the name of - the token. The only reason you would want to change the name of the - token is if you wanted to hide the fact you are running ModSecurity. - It's a good reason but it won't really help as the adversary can look - into the algorithm used for PDF protection and figure it out anyway. It - does raise the bar slightly so go ahead if you want to. + Description: Defines the name of the token. + The only reason you would want to change the name of the token is if you + wanted to hide the fact you are running ModSecurity. It's a good reason + but it won't really help as the adversary can look into the algorithm + used for PDF protection and figure it out anyway. It does raise the bar + slightly so go ahead if you want to. - Default: - PDFTOKEN + Default: PDFTOKEN
<literal>SecRequestBodyAccess</literal> - Description: Configures whether - request bodies will be buffered and processed by ModSecurity by - default. + Description: Configures whether request + bodies will be buffered and processed by ModSecurity by default. - Syntax: Syntax: SecRequestBodyAccess On|Off - Example Usage: Example Usage: SecRequestBodyAccess On - Processing Phase: N/A + Processing Phase: N/A - Scope: Any + Scope: Any - Dependencies/Notes: This - directive is required if you plan to inspect POST_PAYLOADS of requests. - This directive must be used along with the "phase:2" processing phase - action and REQUEST_BODY variable/location. If any of these 3 parts are - not configured, you will not be able to inspect the request - bodies. + Dependencies/Notes: This directive is + required if you plan to inspect POST_PAYLOADS of requests. This + directive must be used along with the "phase:2" processing phase action + and REQUEST_BODY variable/location. If any of these 3 parts are not + configured, you will not be able to inspect the request bodies. Possible values are: @@ -1252,43 +1269,43 @@ SecAuditLogStorageDir logs/audit
<literal>SecRequestBodyLimit</literal> - Description: Configures the - maximum request body size ModSecurity will accept for buffering. + Description: Configures the maximum request + body size ModSecurity will accept for buffering. - Syntax: Syntax: SecRequestBodyLimit NUMBER_IN_BYTES - Example Usage: Example Usage: SecRequestBodyLimit 134217728 - Processing Phase: N/A + Processing Phase: N/A - Scope: Any + Scope: Any - Dependencies/Notes: 131072 KB - (134217728 bytes) is the default setting. Anything over this limit will - be rejected with status code 413 Request Entity Too Large. There is a - hard limit of 1 GB. + Dependencies/Notes: 131072 KB (134217728 + bytes) is the default setting. Anything over this limit will be rejected + with status code 413 Request Entity Too Large. There is a hard limit of + 1 GB.
<literal>SecRequestBodyInMemoryLimit</literal> - Description: Configures the - maximum request body size ModSecurity will store in memory. + Description: Configures the maximum request + body size ModSecurity will store in memory. - Syntax: Syntax: SecRequestBodyInMemoryLimit NUMBER_IN_BYTES - Example Usage: Example Usage: SecRequestBodyInMemoryLimit 131072 - Processing Phase: N/A + Processing Phase: N/A - Scope: Any + Scope: Any - Dependencies/Notes: None + Dependencies/Notes: None By default the limit is 128 KB: @@ -1299,22 +1316,22 @@ SecRequestBodyInMemoryLimit 131072
<literal>SecResponseBodyLimit</literal> - Description: Configures the - maximum response body size that will be accepted for buffering. + Description: Configures the maximum response + body size that will be accepted for buffering. - Syntax: Syntax: SecResponseBodyLimit NUMBER_IN_BYTES - Example Usage: Example Usage: SecResponseBodyLimit 524228 - Processing Phase: N/A + Processing Phase: N/A - Scope: Any + Scope: Any - Dependencies/Notes: Anything over - this limit will be rejected with status code 500 Internal Server Error. - This setting will not affect the responses with MIME types that are not + Dependencies/Notes: Anything over this limit + will be rejected with status code 500 Internal Server Error. This + setting will not affect the responses with MIME types that are not marked for buffering. There is a hard limit of 1 GB. By default this limit is configured to 512 KB: @@ -1326,8 +1343,8 @@ SecResponseBodyLimit 524288
<literal>SecResponseBodyLimitAction</literal> - Description: Controls what - happens once a response body limit, configured with + Description: Controls what happens once a + response body limit, configured with SecResponseBodyLimit, is encountered. By default ModSecurity wil reject a response body that is longer than specified. Some web sites, however, will produce very long responses making it @@ -1345,40 +1362,38 @@ SecResponseBodyLimit 524288 before it is sent back, and therefore bypass any monitoring device. - Syntax: - SecResponseBodyLimitAction + Syntax: SecResponseBodyLimitAction Reject|ProcessPartial - Example Usage: + Example Usage: SecResponseBodyLimitAction ProcessPartial - Processing Phase: N/A + Processing Phase: N/A - Scope: Any + Scope: Any
<literal>SecResponseBodyMimeType</literal> - Description: Configures - which MIME types are to be considered - for response body buffering. + Description: Configures which MIME types are to be considered for response + body buffering. - Syntax: Syntax: SecResponseBodyMimeType mime/type - Example Usage: Example Usage: SecResponseBodyMimeType text/plain text/html - Processing Phase: N/A + Processing Phase: N/A - Scope: Any + Scope: Any - Dependencies/Notes: - Multiple SecResponseBodyMimeType - directives can be used to add MIME - types. + Dependencies/Notes: Multiple SecResponseBodyMimeType directives can be + used to add MIME types. The default value is text/plaintext/html: @@ -1389,45 +1404,45 @@ SecResponseBodyLimit 524288
<literal>SecResponseBodyMimeTypesClear</literal> - Description: Clears the list of - MIME types considered for response - body buffering, allowing you to start populating the list from + Description: Clears the list of MIME types considered for response body + buffering, allowing you to start populating the list from scratch. - Syntax: Syntax: SecResponseBodyMimeTypesClear - Example Usage: Example Usage: SecResponseBodyMimeTypesClear - Processing Phase: N/A + Processing Phase: N/A - Scope: Any + Scope: Any - Dependencies/Notes: None + Dependencies/Notes: None
<literal>SecResponseBodyAccess</literal> - Description: Configures whether - response bodies are to be buffer and analysed or not. + Description: Configures whether response + bodies are to be buffer and analysed or not. - Syntax: Syntax: SecResponseBodyAccess On|Off - Example Usage: Example Usage: SecResponseBodyAccess On - Processing Phase: N/A + Processing Phase: N/A - Scope: Any + Scope: Any - Dependencies/Notes: This - directive is required if you plan to inspect html responses. This - directive must be used along with the "phase:4" processing phase action - and RESPONSE_BODY variable/location. If any of these 3 parts are not - configured, you will not be able to inspect the response bodies. + Dependencies/Notes: This directive is + required if you plan to inspect html responses. This directive must be + used along with the "phase:4" processing phase action and RESPONSE_BODY + variable/location. If any of these 3 parts are not configured, you will + not be able to inspect the response bodies. Possible values are: @@ -1447,21 +1462,21 @@ SecResponseBodyLimit 524288
<literal>SecRule</literal> - Description: Description: SecRule is the main ModSecurity directive. It is used to analyse data and perform actions based on the results. - Syntax: SecRule VARIABLES OPERATOR [ACTIONS] + Syntax: SecRule + VARIABLES OPERATOR [ACTIONS] - Example Usage: Example Usage: SecRule REQUEST_URI "attack" - Processing Phase: Any + Processing Phase: Any - Scope: Any + Scope: Any - Dependencies/Notes: None + Dependencies/Notes: None In general, the format of this rule is as follows: @@ -1544,30 +1559,29 @@ SecResponseBodyLimit 524288
<literal>SecRuleInheritance</literal> - Description: Configures whether - the current context will inherit rules from the parent context - (configuration options are inherited in most cases - you should look up - the documentation for every directive to determine if it is inherited or + Description: Configures whether the current + context will inherit rules from the parent context (configuration + options are inherited in most cases - you should look up the + documentation for every directive to determine if it is inherited or not). - Syntax: Syntax: SecRuleInheritance On|Off - Example Usage: Example Usage: SecRuleInheritance Off - Processing Phase: Any + Processing Phase: Any - Scope: Any + Scope: Any - Dependencies/Notes: - Resource-specific contexts (e.g. - Location, Directory, etc) - cannot override phase1 rules configured in the main - server or in the virtual server. This is because phase 1 is run early in - the request processing process, before Apache maps request to resource. - Virtual host context can override phase 1 rules configured in the main - server. + Dependencies/Notes: Resource-specific + contexts (e.g. Location, Directory, etc) cannot override + phase1 rules configured in the main server or in + the virtual server. This is because phase 1 is run early in the request + processing process, before Apache maps request to resource. Virtual host + context can override phase 1 rules configured in the main server. Example: The following example shows where ModSecurity may be enabled in the main Apache configuration scope, however you might want @@ -1581,7 +1595,7 @@ SecDefaultAction log,pass,phase:2 <VirtualHost *:80> ServerName app1.com -ServerAlias www.app1.com +ServerAlias www.app1.com SecRuleInheritance Off SecDefaultAction log,deny,phase:1,redirect:http://www.site2.com ... 
@@ -1590,7 +1604,7 @@ SecDefaultAction log,deny,phase:1,redirect:http://www.site2.com <VirtualHost *:80> ServerName app2.com ServerAlias www.app2.com -SecRuleInheritance On SecRule ARGS "attack" +SecRuleInheritance On SecRule ARGS "attack" ... </VirtualHost> @@ -1612,22 +1626,22 @@ ServerAlias www.app2.com
<literal>SecRuleEngine</literal> - Description: Configures the rules + Description: Configures the rules engine. - Syntax: Syntax: SecRuleEngine On|Off|DetectionOnly - Example Usage: Example Usage: SecRuleEngine On - Processing Phase: Any + Processing Phase: Any - Scope: Any + Scope: Any - Dependencies/Notes: Thisdirective - can also be controled by the ctl action (ctl:ruleEngine=off) for per - rule processing. + Dependencies/Notes: Thisdirective can also be + controled by the ctl action (ctl:ruleEngine=off) for per rule + processing. Possible values are: @@ -1652,23 +1666,23 @@ ServerAlias www.app2.com
<literal>SecRuleRemoveById</literal> - Description: Removes matching - rules from the parent contexts. + Description: Removes matching rules from the + parent contexts. - Syntax: Syntax: SecRuleRemoveById RULEID - Example Usage: Example Usage: SecRuleRemoveByID 1 2 "9000-9010" - Processing Phase: Any + Processing Phase: Any - Scope: Any + Scope: Any - Dependencies/Notes: This - directive supports multiple parameters, where each parameter can either - be a rule ID, or a range. Parameters that contain spaces must be - delimited using double quotes. + Dependencies/Notes: This directive supports + multiple parameters, where each parameter can either be a rule ID, or a + range. Parameters that contain spaces must be delimited using double + quotes. SecRuleRemoveById 1 2 5 10-20 "400-556" 673
@@ -1676,116 +1690,114 @@ ServerAlias www.app2.com
<literal>SecRuleRemoveByMsg</literal> - Description: Removes matching - rules from the parent contexts. + Description: Removes matching rules from the + parent contexts. - Syntax: Syntax: SecRuleRemoveByMsg REGEX - Example Usage: Example Usage: SecRuleRemoveByMsg "FAIL" - Processing Phase: Any + Processing Phase: Any - Scope: Any + Scope: Any - Dependencies/Notes: This - directive supports multiple parameters. Each parameter is a regular - expression that will be applied to the message (specified using the - msg action). + Dependencies/Notes: This directive supports + multiple parameters. Each parameter is a regular expression that will be + applied to the message (specified using the msg action).
<literal>SecServerSignature</literal> - Description: Instructs - ModSecurity to change the data presented in the "Server:" response - header token. + Description: Instructs ModSecurity to change + the data presented in the "Server:" response header token. - Syntax: Syntax: SecServerSignature "WEB SERVER SOFTWARE" - Example Usage: Example Usage: SecServerSignature "Netscape-Enterprise/6.0" - Processing Phase: N/A + Processing Phase: N/A - Scope: Main + Scope: Main - Dependencies/Notes: In order for - this directive to work, you must set the Apache ServerTokens directive - to Full. ModSecurity will overwrite the server signature data held in - this memory space with the data set in this directive. If ServerTokens - is not set to Full, then the memory space is most likely not large - enough to hold the new data we are looking to insert. + Dependencies/Notes: In order for this + directive to work, you must set the Apache ServerTokens directive to + Full. ModSecurity will overwrite the server signature data held in this + memory space with the data set in this directive. If ServerTokens is not + set to Full, then the memory space is most likely not large enough to + hold the new data we are looking to insert.
<literal>SecTmpDir</literal> - Description: Configures the - directory where temporary files will be created. + Description: Configures the directory where + temporary files will be created. - Syntax: SecTmpDir /path/to/dir + Syntax: SecTmpDir + /path/to/dir - Example Usage: Example Usage: SecTmpDir /tmp - Processing Phase: N/A + Processing Phase: N/A - Scope: Any + Scope: Any - Dependencies/Notes: Needs to be - writable by the Apache user process. This is the directory location - where Apache will swap data to disk if it runs out of memory (more data - than what was specified in the SecRequestBodyInMemoryLimit directive) - during inspection. + Dependencies/Notes: Needs to be writable by + the Apache user process. This is the directory location where Apache + will swap data to disk if it runs out of memory (more data than what was + specified in the SecRequestBodyInMemoryLimit directive) during + inspection.
<literal>SecUploadDir</literal> - Description: Configures the - directory where intercepted files will be stored. + Description: Configures the directory where + intercepted files will be stored. - Syntax: SecUploadDir /path/to/dir + Syntax: SecUploadDir + /path/to/dir - Example Usage: Example Usage: SecUploadDir /tmp - Processing Phase: N/A + Processing Phase: N/A - Scope: Any + Scope: Any - Dependencies/Notes: This - directory must be on the same filesystem as the temporary directory - defined with SecTmpDir. This - directive is used with SecUploadKeepFiles. + Dependencies/Notes: This directory must be on + the same filesystem as the temporary directory defined with SecTmpDir. This directive is used with + SecUploadKeepFiles.
<literal>SecUploadKeepFiles</literal> - Description: Configures whether - or not the intercepted files will be kept after transaction is - processed. + Description: Configures whether or not the + intercepted files will be kept after transaction is processed. - Syntax: Syntax: SecUploadKeepFiles On|Off|RelevantOnly - Example Usage: Example Usage: SecUploadKeepFiles On - Processing Phase: N/A + Processing Phase: N/A - Scope: Any + Scope: Any - Dependencies/Notes: This - directive requires the storage directory to be defined (using Dependencies/Notes: This directive requires + the storage directory to be defined (using SecUploadDir). Possible values are: @@ -1812,30 +1824,30 @@ ServerAlias www.app2.com
<literal>SecWebAppId</literal> - Description: Creates a partition - on the server that belongs to one web application. + Description: Creates a partition on the + server that belongs to one web application. - Syntax: SecWebAppId "NAME" + Syntax: SecWebAppId + "NAME" - Example Usage: Example Usage: SecWebAppId "WebApp1" - Processing Phase: N/A + Processing Phase: N/A - Scope: Any + Scope: Any - Dependencies/Notes: Partitions - are used to avoid collisions between session IDs and user IDs. This - directive must be used if there are multiple applications deployed on - the same server. If it isn't used, a collision between session IDs might - occur. The default value is default. + Dependencies/Notes: Partitions are used to + avoid collisions between session IDs and user IDs. This directive must + be used if there are multiple applications deployed on the same server. + If it isn't used, a collision between session IDs might occur. The + default value is default. Example: <VirtualHost *:80> ServerName app1.com ServerAlias www.app1.com -SecWebAppId "App1" +SecWebAppId "App1" SecRule REQUEST_COOKIES:PHPSESSID !^$ chain,nolog,pass SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} ... @@ -1843,7 +1855,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} <VirtualHost *:80> ServerName app2.com -ServerAlias www.app2.com +ServerAlias www.app2.com SecWebAppId "App2" SecRule REQUEST_COOKIES:PHPSESSID !^$ chain,nolog,pass SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} @@ -1904,8 +1916,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} - ModSecurity Processing Phases - Diagram + ModSecurity Processing Phases Diagram Below is a diagram of the standard Apache Request Cycle. In the diagram, the 5 ModSecurity processing phases are 
@@ -1918,11 +1929,10 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} action either directly in the rule or in using the SecDefaultAction directive: - SecDefaultAction "log,pass,phase:2" -SecRule REQUEST_HEADERS:Host "!^$" "deny,phase:1" + SecDefaultAction "log,pass,phase:2" +SecRule REQUEST_HEADERS:Host "!^$" "deny,phase:1" - Note on Rule and Phases + Note on Rule and Phases Keep in mind that rules are executed according to phases, so even if two rules are adjacent in a configuration file, but are set to execute in @@ -1944,7 +1954,7 @@ SecRule REQUEST_HEADERS:Host "!^$" "deny,phase:1 - Note + Note Rules in this phase can not leverage Apache scope directives (Directory, Location, LocationMatch, etc...) as the post-read-request @@ -2080,7 +2090,7 @@ SecRule REQUEST_HEADERS:Host "!^$" "deny,phase:1 SecRule REQUEST_FILENAME "^/cgi-bin/login\.php$" "chain,log,deny,phase:2" -SecRule ARGS_COMBINED_SIZE "@gt 25" +SecRule ARGS_COMBINED_SIZE "@gt 25"
@@ -2094,7 +2104,7 @@ SecRule ARGS_COMBINED_SIZE "@gt 25" SecRule REQUEST_FILENAME "/index.php" "chain,log,deny,status:403,phase:2" -SecRule ARGS_NAMES "!^(p|a)$" +SecRule ARGS_NAMES "!^(p|a)$"
@@ -2134,9 +2144,9 @@ SecRule ARGS_NAMES "!^(p|a)$" This variable holds the authentication method used to validate a user. Example: - SecRule AUTH_TYPE "basic" log,deny,status:403,phase:1,t:lowercase + SecRule AUTH_TYPE "basic" log,deny,status:403,phase:1,t:lowercase - Note + Note This data will not be available in a proxy-mode deployment as the authentication is not local. In a proxy-mode deployment, you would need @@ -2151,9 +2161,8 @@ SecRule ARGS_NAMES "!^(p|a)$" The ENV variable is set with setenv and does not give access to the CGI environment variables. Example: - SecRule REQUEST_FILENAME "printenv" pass,setenv:tag=suspicious -SecRule ENV:tag "suspicious" + SecRule REQUEST_FILENAME "printenv" pass,setenv:tag=suspicious +SecRule ENV:tag "suspicious"
@@ -2163,7 +2172,7 @@ SecRule ENV:tag "suspicious" were called on the remote user's file system). Note: only available if files were extracted from the request body. Example: - SecRule FILES "\.conf$" log,deny,status:403,phase:2 + SecRule FILES "\.conf$" log,deny,status:403,phase:2
@@ -2172,7 +2181,7 @@ SecRule ENV:tag "suspicious" Single value. Total size of the uploaded files. Note: only available if files were extracted from the request body. Example: - SecRule FILES_COMBINED_SIZE "@gt 1000" log,deny,status:403,phase:2 + SecRule FILES_COMBINED_SIZE "@gt 1000" log,deny,status:403,phase:2
@@ -2182,7 +2191,7 @@ SecRule ENV:tag "suspicious" used for file upload. Note: only available if files were extracted from the request body. Example: - SecRule FILES_NAMES "^upfile$" log,deny,status:403,phase:2 + SecRule FILES_NAMES "^upfile$" log,deny,status:403,phase:2
@@ -2192,7 +2201,7 @@ SecRule ENV:tag "suspicious" a size limitation on individual uploaded files. Note: only available if files were extracted from the request body. Example: - SecRule FILES_SIZES "@gt 100" log,deny,status:403,phase:2 + SecRule FILES_SIZES "@gt 100" log,deny,status:403,phase:2
@@ -2203,7 +2212,7 @@ SecRule ENV:tag "suspicious" moreinfo="none">@inspectFile. Note: only available if files were extracted from the request body. Example: - SecRule FILES_TMPNAMES "@inspectFile /path/to/inspect_script.pl" + SecRule FILES_TMPNAMES "@inspectFile /path/to/inspect_script.pl"
@@ -2219,64 +2228,60 @@ SecRule ENV:tag "suspicious" - COUNTRY_CODE: Two character - country code. EX: US, UK, etc. + COUNTRY_CODE: Two character country code. + EX: US, UK, etc. - COUNTRY_CODE3: Up to three - character country code. + COUNTRY_CODE3: Up to three character + country code. - COUNTRY_NAME: The full - country name. + COUNTRY_NAME: The full country + name. - COUNTRY_CONTINENT: The teo - character continent that the country is located. EX: EU + COUNTRY_CONTINENT: The teo character + continent that the country is located. EX: EU - REGION: The two character - region. For US, this is state. For Canada, providence, etc. + REGION: The two character region. For US, + this is state. For Canada, providence, etc. - CITY: The city name. + CITY: The city name. - POSTAL_CODE: The postal - code. + POSTAL_CODE: The postal code. - LATITUDE: The - latitude. + LATITUDE: The latitude. - LONGITUDE: The - longitude. + LONGITUDE: The longitude. - DMA_CODE: The metropoliton - area code. (US only) + DMA_CODE: The metropoliton area code. (US + only) - AREA_CODE: The phone system - area code. (US only) + AREA_CODE: The phone system area code. + (US only) Example: - SecRule REMOTE_ADDR "@geoLookup" chain,drop,msg:'Non-UK IP address' + SecRule REMOTE_ADDR "@geoLookup" chain,drop,msg:'Non-UK IP address' SecRule GEO:COUNTRY_CODE "!@streq UK"
@@ -2307,7 +2312,7 @@ SecRule GEO:COUNTRY_CODE "!@streq UK" SecRule ARGS pattern chain,deny ... -SecRule MATCHED_VAR "further scrutiny" +SecRule MATCHED_VAR "further scrutiny"
@@ -2318,7 +2323,7 @@ SecRule MATCHED_VAR "further scrutiny"SecRule ARGS pattern setvar:tx.mymatch=%{MATCHED_VAR_NAME} ... -SecRule TX:MYMATCH "@eq ARGS:param" deny +SecRule TX:MYMATCH "@eq ARGS:param" deny
@@ -2328,7 +2333,7 @@ SecRule TX:MYMATCH "@eq ARGS:param" deny - SecRule MODSEC_BUILD "!@ge 02050102" skip:1 + SecRule MODSEC_BUILD "!@ge 02050102" skip:1 SecRule ARGS "@pm some key words" deny,status:500
@@ -2347,7 +2352,7 @@ SecRule ARGS "@pm some key words" deny,status:500 However, mixing CRLF and LF line terminators is dangerous as it can allow for evasion. Therefore, in such cases, you will have to add a check for - MULTIPART_CRLF_LF_LINES.
+ MULTIPART_CRLF_LF_LINES.
@@ -2422,7 +2427,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'" also pass additional data, known as extra path information, as part of the URL. Example: - SecRule PATH_INFO "^/(bin|etc|sbin|opt|usr)" + SecRule PATH_INFO "^/(bin|etc|sbin|opt|usr)"
@@ -2432,7 +2437,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'" appending data after a question mark. Warning: Not URL-decoded. Example: - SecRule QUERY_STRING "attack" + SecRule QUERY_STRING "attack"
@@ -2441,7 +2446,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'" This variable holds the IP address of the remote client. Example: - SecRule REMOTE_ADDR "^192\.168\.1\.101$" + SecRule REMOTE_ADDR "^192\.168\.1\.101$"
@@ -2453,7 +2458,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'" known bad client hosts or network blocks, or conversely, to allow in authorized hosts. Example: - SecRule REMOTE_HOST "\.evil\.network\org$" + SecRule REMOTE_HOST "\.evil\.network\org$"
@@ -2465,7 +2470,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'" is less than 1024, which would indicate that the user is a privileged user (root). - SecRule REMOTE_PORT "@lt 1024" phase:1,log,pass,setenv:remote_port=privileged + SecRule REMOTE_PORT "@lt 1024" phase:1,log,pass,setenv:remote_port=privileged
@@ -2475,9 +2480,9 @@ SM %{MULTIPART_SEMICOLON_MISSING}'" there are no password (basic|digest) access controls in place, then this variable will be empty. Example: - SecRule REMOTE_USER "admin" + SecRule REMOTE_USER "admin" - Note + Note This data will not be available in a proxy-mode deployment as the authentication is not local. @@ -2491,7 +2496,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'" MULTIPART, and XML. Example: - SecRule REQBODY_PROCESSOR "^XML$ chain + SecRule REQBODY_PROCESSOR "^XML$ chain SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
@@ -2506,7 +2511,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" Example: - SecRule REQBODY_PROCESSOR_ERROR "@eq 1" deny,phase:2 + SecRule REQBODY_PROCESSOR_ERROR "@eq 1" deny,phase:2 Your policies must have a rule to check @@ -2528,7 +2533,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" Empty, or contains the error message from the processor. Example: - SecRule REQBODY_PROCESSOR_ERROR_MSG "failed to parse" t:lowercase + SecRule REQBODY_PROCESSOR_ERROR_MSG "failed to parse" t:lowercase
@@ -2538,7 +2543,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" REQUEST_FILENAME (e.g. index.php). Warning: not urlDecoded. Example: - SecRule REQUEST_BASENAME "^login\.php$" + SecRule REQUEST_BASENAME "^login\.php$"
@@ -2549,9 +2554,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" the arguements is important (ARGS should be used in all other cases). Example: - SecRule REQUEST_BODY "^username=\w{25,}\&password=\w{25,}\&Submit\=login$" + SecRule REQUEST_BODY "^username=\w{25,}\&password=\w{25,}\&Submit\=login$" - Note + Note This variable is only available if the content type is application/x-www-form-urlencoded. @@ -2565,7 +2570,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" how many variables are in the collection. In this rule, it would trigger if the request does not include any Cookie headers. - SecRule &REQUEST_COOKIES "@eq 0" + SecRule &REQUEST_COOKIES "@eq 0"
@@ -2575,7 +2580,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" headers. Example: the following rule will trigger if the JSESSIONID cookie is not present. - SecRule &REQUEST_COOKIES_NAMES:JSESSIONID "@eq 0" + SecRule &REQUEST_COOKIES_NAMES:JSESSIONID "@eq 0"
@@ -2584,7 +2589,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable holds the relative REQUEST_URI minus the QUERY_STRING part (e.g. /index.php). Example: - SecRule REQUEST_FILENAME "^/cgi-bin/login\.php$" + SecRule REQUEST_FILENAME "^/cgi-bin/login\.php$"
@@ -2596,12 +2601,12 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" example uses REQUEST_HEADERS as a collection and is applying the validateUrlEncoding operator against all headers. - SecRule REQUEST_HEADERS "@validateUrlEncoding" + SecRule REQUEST_HEADERS "@validateUrlEncoding" Example: the second example is targeting only the Host header. - SecRule REQUEST_HEADERS:Host "^[\d\.]+$" \ + SecRule REQUEST_HEADERS:Host "^[\d\.]+$" \ "deny,log,status:400,msg:'Host header is a numeric IP address'"
@@ -2611,7 +2616,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable is a collection of the names of all of the Request Headers. Example: - SecRule REQUEST_HEADERS_NAMES "^x-forwarded-for" \ + SecRule REQUEST_HEADERS_NAMES "^x-forwarded-for" \ "log,deny,status:403,t:lowercase,msg:'Proxy Server Used'"
@@ -2624,9 +2629,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" GET, HEAD, POST or if the HTTP is something other than HTTP/0.9, 1.0 or 1.1. - SecRule REQUEST_LINE "!(^((?:(?:pos|ge)t|head))|http/(0\.9|1\.0|1\.1)$)" + SecRule REQUEST_LINE "!(^((?:(?:pos|ge)t|head))|http/(0\.9|1\.0|1\.1)$)" - Note + Note Due to the default action transformation function lowercase, the regex strings should be in lowercase as well unless the t:none @@ -2640,9 +2645,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" Example: the following example will trigger if the Request Method is either CONNECT or TRACE. - SecRule REQUEST_METHOD "^((?:connect|trace))$" + SecRule REQUEST_METHOD "^((?:connect|trace))$" - Note + Note Due to the default action transformation function lowercase, the regex strings should be in lowercase as well unless the t:none @@ -2655,9 +2660,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable holds the Request Protocol Version information. Example: - SecRule REQUEST_PROTOCOL "!^http/(0\.9|1\.0|1\.1)$" + SecRule REQUEST_PROTOCOL "!^http/(0\.9|1\.0|1\.1)$" - Note + Note Due to the default action transformation function lowercase, the regex strings should be in lowercase as well unless the t:none @@ -2673,7 +2678,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" does not include either the REQUEST_METHOD or the HTTP version info. Example: - SecRule REQUEST_URI "attack" + SecRule REQUEST_URI "attack"
@@ -2684,7 +2689,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" http://www.example.com/index.php?p=X). Warning: not urlDecoded. Example: - SecRule REQUEST_URI_RAW "http:/" + SecRule REQUEST_URI_RAW "http:/"
@@ -2693,7 +2698,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable holds the data for the response payload. Example: - SecRule RESPONSE_BODY "ODBC Error Code" + SecRule RESPONSE_BODY "ODBC Error Code"
@@ -2725,10 +2730,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable is similar to the REQUEST_HEADERS variable and can be used in the same manner. Example: - SecRule RESPONSE_HEADERS:X-Cache "MISS" + SecRule RESPONSE_HEADERS:X-Cache "MISS" - Note + Note This variable may not have access to some headers when running in embedded-mode. Headers such as Server, Date, Connection and Content-Type @@ -2743,9 +2747,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable is a collection of the response header names. Example: - SecRule RESPONSE_HEADERS_NAMES "Set-Cookie" + SecRule RESPONSE_HEADERS_NAMES "Set-Cookie" - Note + Note Same limitations as RESPONSE_HEADERS with regards to access to some headers in embedded-mode. @@ -2757,7 +2761,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable holds the HTTP Response Protocol information. Example: - SecRule RESPONSE_PROTOCOL "^HTTP\/0\.9" + SecRule RESPONSE_PROTOCOL "^HTTP\/0\.9"
@@ -2766,9 +2770,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable holds the HTTP Response Status Code generated by Apache. Example: - SecRule RESPONSE_STATUS "^[45]" + SecRule RESPONSE_STATUS "^[45]" - Note + Note This directive may not work as expected in embedded-mode as Apache handles many of the stock response codes (404, 401, etc...) earlier in @@ -2787,8 +2791,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" action. Only available for expansion in action strings (e.g.setvar:tx.varname=%{rule.id}). Example: - SecRule &REQUEST_HEADERS:Host "@eq 0" "log,deny,setvar:tx.varname=%{rule.id}" + SecRule &REQUEST_HEADERS:Host "@eq 0" "log,deny,setvar:tx.varname=%{rule.id}"
@@ -2797,9 +2800,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable holds just the local filename part of SCRIPT_FILENAME. Example: - SecRule SCRIPT_BASENAME "^login\.php$" + SecRule SCRIPT_BASENAME "^login\.php$" - Note + Note This variable is not available in proxy mode.
@@ -2810,9 +2813,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable holds the full path on the server to the requested script. (e.g. SCRIPT_NAME plus the server path). Example: - SecRule SCRIPT_FILENAME "^/usr/local/apache/cgi-bin/login\.php$" + SecRule SCRIPT_FILENAME "^/usr/local/apache/cgi-bin/login\.php$" - Note + Note This variable is not available in proxy mode.
@@ -2823,9 +2826,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable holds the groupid (numerical value) of the group owner of the script. Example: - SecRule SCRIPT_GID "!^46$" + SecRule SCRIPT_GID "!^46$" - Note + Note This variable is not available in proxy mode.
@@ -2836,9 +2839,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable holds the group name of the group owner of the script. Example: - SecRule SCRIPT_GROUPNAME "!^apache$" + SecRule SCRIPT_GROUPNAME "!^apache$" - Note + Note This variable is not available in proxy mode.
@@ -2850,9 +2853,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" - 1=execute, 2=write, 4=read and 7=read/write/execute). Example: will trigger if the script has the WRITE permissions set. - SecRule SCRIPT_MODE "^(2|3|6|7)$" + SecRule SCRIPT_MODE "^(2|3|6|7)$" - Note + Note This variable is not available in proxy mode.
@@ -2864,9 +2867,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" the script. Example: the example rule below will trigger if the UID is not 46 (the Apache user).
- SecRule SCRIPT_UID "!^46$" + SecRule SCRIPT_UID "!^46$" - Note + Note This variable is not available in proxy mode.
@@ -2877,9 +2880,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable holds the username of the owner of the script. Example: - SecRule SCRIPT_USERNAME "!^apache$" + SecRule SCRIPT_USERNAME "!^apache$" - Note + Note This variable is not available in proxy mode.
@@ -2890,7 +2893,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable contains the IP address of the server. Example: - SecRule SERVER_ADDR "^192\.168\.1\.100$" + SecRule SERVER_ADDR "^192\.168\.1\.100$"
@@ -2899,9 +2902,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable contains the server's hostname or IP address. Example: - SecRule SERVER_NAME "hostname\.com$" + SecRule SERVER_NAME "hostname\.com$" - Note + Note This data is taken from the Host header submitted in the client request. @@ -2913,7 +2916,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable contains the local port that the web server is listening on. Example: - SecRule SERVER_PORT "^80$" + SecRule SERVER_PORT "^80$"
@@ -2928,10 +2931,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" SecRule REQUEST_COOKIES:PHPSESSID !^$ chain,nolog,pass SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} -SecRule REQUEST_URI "^/cgi-bin/finger$" "pass,log,setvar:session.score=+10" -SecRule SESSION:SCORE "@gt 50" "pass,log,setvar:session.blocked=1" -SecRule SESSION:BLOCKED "@eq 1" "log,deny,status:403" +SecRule REQUEST_URI "^/cgi-bin/finger$" "pass,log,setvar:session.score=+10" +SecRule SESSION:SCORE "@gt 50" "pass,log,setvar:session.blocked=1" +SecRule SESSION:BLOCKED "@eq 1" "log,deny,status:403"
@@ -2940,7 +2942,7 @@ SecRule SESSION:BLOCKED "@eq 1" "log,deny,statu This variable is the value set with setsid. Example: - SecRule SESSIONID !^$ chain,nolog,pass + SecRule SESSIONID !^$ chain,nolog,pass SecRule REQUEST_COOKIES:PHPSESSID !^$ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
@@ -2951,7 +2953,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} This variable holds a formatted string representing the time (hour:minute:second). Example: - SecRule TIME "^(([1](8|9))|([2](0|1|2|3))):\d{2}:\d{2}$" + SecRule TIME "^(([1](8|9))|([2](0|1|2|3))):\d{2}:\d{2}$"
@@ -2961,7 +2963,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} would trigger anytime between the 10th and 20th days of the month. - SecRule TIME_DAY "^(([1](0|1|2|3|4|5|6|7|8|9))|20)$" + SecRule TIME_DAY "^(([1](0|1|2|3|4|5|6|7|8|9))|20)$"
@@ -2970,7 +2972,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} This variable holds the time in seconds since 1970. Example: - SecRule TIME_EPOCH "@gt 1000" + SecRule TIME_EPOCH "@gt 1000"
@@ -2979,7 +2981,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} This variable holds the current hour (0-23). Example: this rule would trigger during "off hours". - SecRule TIME_HOUR "^(0|1|2|3|4|5|6|[1](8|9)|[2](0|1|2|3))$" + SecRule TIME_HOUR "^(0|1|2|3|4|5|6|[1](8|9)|[2](0|1|2|3))$"
@@ -2988,7 +2990,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} This variable holds the current minute (0-59). Example: this rule would trigger during the last half hour of every hour. - SecRule TIME_MIN "^(3|4|5)" + SecRule TIME_MIN "^(3|4|5)"
@@ -2998,7 +3000,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} would match if the month was either November (10) or December (11). - SecRule TIME_MON "^1" + SecRule TIME_MON "^1"
@@ -3007,7 +3009,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} This variable holds the current second count (0-59). Example: - SecRule TIME_SEC "@gt 30" + SecRule TIME_SEC "@gt 30"
@@ -3016,7 +3018,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} This variable holds the current weekday (0-6). Example: this rule would trigger only on week-ends (Saturday and Sunday). - SecRule TIME_WDAY "^(0|6)$" + SecRule TIME_WDAY "^(0|6)$"
@@ -3025,7 +3027,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} This variable holds the current four-digit year data. Example: - SecRule TIME_YEAR "^2006$" + SecRule TIME_YEAR "^2006$"
@@ -3059,9 +3061,8 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} - SecRule WEBSERVER_ERROR_LOG "does not exist" "phase:5,pass,setvar:tx.score=+5" -SecRule TX:SCORE "@gt 20" deny,log + SecRule WEBSERVER_ERROR_LOG "does not exist" "phase:5,pass,setvar:tx.score=+5" +SecRule TX:SCORE "@gt 20" deny,log
@@ -3071,7 +3072,7 @@ SecRule TX:SCORE "@gt 20" deny,logsetuid. Example: SecAction setuid:%{REMOTE_USER},nolog -SecRule USERID "Admin" +SecRule USERID "Admin"
@@ -3081,7 +3082,7 @@ SecRule USERID "Admin" moreinfo="none">SecWebAppId. Example: SecWebAppId "WebApp1" -SecRule WEBAPPID "WebApp1" "chain,log,deny,status:403" +SecRule WEBAPPID "WebApp1" "chain,log,deny,status:403" SecRule REQUEST_HEADERS:Transfer-Encoding "!^$"
@@ -3091,7 +3092,7 @@ SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" Contains zero or more error messages produced by the web server. Access to this variable is in phase:5 (logging). Example: - SecRule WEBSERVER_ERROR_LOG "File does not exist" "phase:5,setvar:tx.score=+5" + SecRule WEBSERVER_ERROR_LOG "File does not exist" "phase:5,setvar:tx.score=+5"
@@ -3104,11 +3105,10 @@ SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" SecDefaultAction log,deny,status:403,phase:2 SecRule REQUEST_HEADERS:Content-Type ^text/xml$ \ - phase:1,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML -SecRule REQBODY_PROCESSOR "!^XML$" skip:2 -SecRule XML:/employees/employee/name/text() Fred -SecRule XML:/xq:employees/employee/name/text() Fred \ + phase:1,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML +SecRule REQBODY_PROCESSOR "!^XML$" skip:2 +SecRule XML:/employees/employee/name/text() Fred +SecRule XML:/xq:employees/employee/name/text() Fred \ xmlns:xq=http://www.example.com/employees The first XPath expression does not use namespaces. It would match @@ -3188,7 +3188,7 @@ SecRule XML:/xq:employees/employee/name/text() data is never altered. Transformation functions are used to transform a variable before testing it in a rule. - Note + Note The default transformation function setting is - lowercase, replaceNulls and compressWhitespace (in this order). 
@@ -3196,24 +3196,21 @@ SecRule XML:/xq:employees/employee/name/text() The following rule will ensure that an attacker does not use mixed case in order to evade the ModSecurity rule: - SecRule ARG:p "xp_cmdshell" "t:lowercase" multiple - tranformation actions can be used in the same rule, for example the - following rule also ensures that an attacker does not use URL encoding + SecRule ARG:p "xp_cmdshell" "t:lowercase" + multiple tranformation actions can be used in the same rule, for example + the following rule also ensures that an attacker does not use URL encoding (%xx encoding) for evasion. Note the order of the transformation functions, which ensures that a URL encoded letter is first decoded and than translated to lower case. - SecRule ARG:p "xp_cmdshell" "t:urlDecode,t:lowercase" + SecRule ARG:p "xp_cmdshell" "t:urlDecode,t:lowercase" One can use the SetDefaultAction command to ensure the translation occurs for every rule until the next. Note that translation actions are additive, so if a rule explicitly list actions, the translation actions set by SetDefaultAction are still performed. - SecDefaultAction t:urlDecode,t:lowercase + SecDefaultAction t:urlDecode,t:lowercase The following transformation functions are supported: @@ -3477,17 +3474,16 @@ SecRule XML:/xq:employees/employee/name/text()
<literal>allow</literal> - Description: Stops processing on - a successful match and allows transaction to proceed. + Description: Stops processing on a successful + match and allows transaction to proceed. - Action Group: Disruptive + Action Group: Disruptive Example: - SecRule REMOTE_ADDR "^192\.168\.1\.100$" nolog,phase:1,allow + SecRule REMOTE_ADDR "^192\.168\.1\.100$" nolog,phase:1,allow - Note + Note The allow action only applies to the current processing phase. If your intent is to explicitly allow a request, then you should use the @@ -3498,40 +3494,35 @@ SecRule XML:/xq:employees/employee/name/text()
append (Experimental) - Description: Appends text given - as parameter to the end of response body. For this action to work - content injection must be enabled by setting - SecContentInjection to On. Also - make sure you check the content type of the response before you make - changes to it (e.g. you don't want to inject stuff into images). + Description: Appends text given as parameter + to the end of response body. For this action to work content injection + must be enabled by setting SecContentInjection to + On. Also make sure you check the content type of the + response before you make changes to it (e.g. you don't want to inject + stuff into images). - Action Group: - Non-Disruptive + Action Group: Non-Disruptive - Processing Phases: 3 and - 4. + Processing Phases: 3 and 4. Example: - SecRule RESPONSE_CONTENT_TYPE "^text/html" "nolog,pass,append:'<hr>Footer'" + SecRule RESPONSE_CONTENT_TYPE "^text/html" "nolog,pass,append:'<hr>Footer'"
<literal>auditlog</literal> - Description: Marks the - transaction for logging in the audit log. + Description: Marks the transaction for + logging in the audit log. - Action Group: - Non-Disruptive + Action Group: Non-Disruptive Example: - SecRule REMOTE_ADDR "^192\.168\.1\.100$" auditlog,phase:1,allow + SecRule REMOTE_ADDR "^192\.168\.1\.100$" auditlog,phase:1,allow - Note + Note The auditlog action is now explicit if log is already specified. @@ -3540,23 +3531,20 @@ SecRule XML:/xq:employees/employee/name/text()
<literal>capture</literal> - Description: When used together - with the regular expression operator, capture action will create copies - of regular expression captures and place them into the transaction - variable collection. Up to ten captures will be copied on a successful - pattern match, each with a name consisting of a digit from 0 to - 9. + Description: When used together with the + regular expression operator, capture action will create copies of + regular expression captures and place them into the transaction variable + collection. Up to ten captures will be copied on a successful pattern + match, each with a name consisting of a digit from 0 to 9. - Action Group: - Non-Disruptive + Action Group: Non-Disruptive Example: - SecRule REQUEST_BODY "^username=(\w{25,})" phase:2,capture,t:none,chain + SecRule REQUEST_BODY "^username=(\w{25,})" phase:2,capture,t:none,chain SecRule TX:1 "(?:(?:a(dmin|nonymous)))" - Note + Note The 0 data captures the entire REGEX match and 1 captures the data in the first parantheses, etc... @@ -3565,23 +3553,23 @@ SecRule TX:1 "(?:(?:a(dmin|nonymous)))"
<literal>chain</literal> - Description: Chains the rule - where the action is placed with the rule that immediately follows it. - The result is called a rule chain. Chained rules - allow for more complex rule matches where you want to use a number of - different VARIABLES to create a better rule and to help prevent false + Description: Chains the rule where the action + is placed with the rule that immediately follows it. The result is + called a rule chain. Chained rules allow for more + complex rule matches where you want to use a number of different + VARIABLES to create a better rule and to help prevent false positives. - Action Group: Flow + Action Group: Flow Example: # Refuse to accept POST requests that do # not specify request body length -SecRule REQUEST_METHOD ^POST$ chain +SecRule REQUEST_METHOD ^POST$ chain SecRule REQUEST_HEADER:Content-Length ^$ - Note + Note In programming language concepts, think of chained rules somewhat similar to AND conditional statements. The actions specified in the @@ -3596,18 +3584,17 @@ SecRule REQUEST_HEADER:Content-Length ^$
<literal>ctl</literal> - Description: The ctl action - allows configuration options to be updated for the transaction. + Description: The ctl action allows + configuration options to be updated for the transaction. - Action Group: - Non-Disruptive + Action Group: Non-Disruptive Example: # Parse requests with Content-Type "text/xml" as XML -SecRule REQUEST_CONTENT_TYPE ^text/xml nolog,pass,ctl:requestBodyProcessor=XML +SecRule REQUEST_CONTENT_TYPE ^text/xml nolog,pass,ctl:requestBodyProcessor=XML - Note + Note The following configuration options are supported: @@ -3681,32 +3668,30 @@ SecRule REQUEST_CONTENT_TYPE ^text/xml nolog,pass,ctl:requ
<literal>deny</literal> - Description: Stops rule - processing and intercepts transaction. + Description: Stops rule processing and + intercepts transaction. - Action Group: Disruptive + Action Group: Disruptive Example: - SecRule REQUEST_HEADERS:User-Agent "nikto" "log,deny,msg:'Nikto Scanners Identified'" + SecRule REQUEST_HEADERS:User-Agent "nikto" "log,deny,msg:'Nikto Scanners Identified'"
<literal>deprecatevar</literal> - Description: Decrement counter - based on its age. + Description: Decrement counter based on its + age. - Action Group: - Non-Disruptive + Action Group: Non-Disruptive Example: The following example will decrement the counter by 60 every 300 seconds. SecAction deprecatevar:session.score=60/300 - Note + Note Counter values are always positive, meaning the value will never go below zero. @@ -3715,11 +3700,11 @@ SecRule REQUEST_CONTENT_TYPE ^text/xml nolog,pass,ctl:requ
<literal>drop</literal> - Description: Immediately initiate - a "connection close" action to tear down the TCP connection by sending a + Description: Immediately initiate a + "connection close" action to tear down the TCP connection by sending a FIN packet. - Action Group: Disruptive + Action Group: Disruptive Example: The following example initiates an IP collection for tracking Basic Authentication attempts. If the client goes over the @@ -3730,9 +3715,9 @@ SecRule REQUEST_CONTENT_TYPE ^text/xml nolog,pass,ctl:requ SecRule ARGS:login "!^$" \ nolog,phase:1,setvar:ip.auth_attempt=+1,deprecatevar:ip.auth_attempt=20/120 SecRule IP:AUTH_ATTEMPT "@gt 25" \ - log,drop,phase:1,msg:'Possible Brute Force Attack" + log,drop,phase:1,msg:'Possible Brute Force Attack" - Note + Note This action is extremely useful when responding to both Brute Force and Denial of Service attacks in that, in both cases, you want to @@ -3744,18 +3729,17 @@ SecRule IP:AUTH_ATTEMPT "@gt 25" \
<literal>exec</literal> - Description: Executes an external + Description: Executes an external script/binary supplied as parameter. - Action Group: - Non-Disruptive + Action Group: Non-Disruptive Example: SecRule REQUEST_URI "^/cgi-bin/script\.pl" \ - "log,exec:/usr/local/apache/bin/test.sh,phase:1" + "log,exec:/usr/local/apache/bin/test.sh,phase:1" - Note + Note This directive does not effect a primary action if it exists. This action will always call script with no parameters, but providing all @@ -3772,20 +3756,19 @@ SecRule IP:AUTH_ATTEMPT "@gt 25" \
<literal>expirevar</literal> - Description: Configurescollection - variable to expire after the given time in seconds. + Description: Configurescollection variable to + expire after the given time in seconds. - Action Group: - Non-Disruptive + Action Group: Non-Disruptive Example: SecRule REQUEST_COOKIES:JSESSIONID "!^$" nolog,phase:1,pass,chain SecAction setsid:%{REQUEST_COOKIES:JSESSIONID} SecRule REQUEST_URI "^/cgi-bin/script\.pl" \ - "log,allow,setvar:session.suspicious=1,expirevar:session.suspicious=3600,phase:1" + "log,allow,setvar:session.suspicious=1,expirevar:session.suspicious=3600,phase:1" - Note + Note You should use expirevar actions at the same time that you use setvar actions in order to keep the indended expiration time. If they @@ -3799,17 +3782,17 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" \
<literal>id</literal> - Description: Assigns a unique ID - to the rule or chain. + Description: Assigns a unique ID to the rule + or chain. - Action Group: Metadata + Action Group: Metadata Example: SecRule &REQUEST_HEADERS:Host "@eq 0" \ - "log,id:60008,severity:2,msg:'Request Missing a Host Header'" + "log,id:60008,severity:2,msg:'Request Missing a Host Header'" - Note + Note These are the reserved ranges: @@ -3864,19 +3847,18 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" \
<literal>initcol</literal> - Description: Initialises a named - persistent collection, either by loading data from storage or by - creating a new collection in memory. + Description: Initialises a named persistent + collection, either by loading data from storage or by creating a new + collection in memory. - Action Group: - Non-Disruptive + Action Group: Non-Disruptive Example: The following example initiates IP address tracking. - SecAction initcol:ip=%{REMOTE_ADDR},nolog + SecAction initcol:ip=%{REMOTE_ADDR},nolog - Note + Note Every collection contains several built-in variables that are read-only: @@ -3949,18 +3931,16 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" \
<literal>log</literal> - Description: Indicates that a - successful match of the rule needs to be logged. + Description: Indicates that a successful + match of the rule needs to be logged. - Action Group: - Non-Disruptive + Action Group: Non-Disruptive Example: - SecAction initcol:ip=%{REMOTE_ADDR},log + SecAction initcol:ip=%{REMOTE_ADDR},log - Note + Note This action will log matches to the Apache error log file and the ModSecurity audit log. @@ -3969,17 +3949,16 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" \
<literal>logdata</literal> - Description: Allows logging a - data fragment. + Description: Allows logging a data + fragment. - Action Group: Metadata + Action Group: Metadata Example: - SecRule &ARGS:p "@eq 0" "log,logdata:'%{TX.0}'" + SecRule &ARGS:p "@eq 0" "log,logdata:'%{TX.0}'" - Note + Note The logdata information appears in the error and/or audit log files and is not sent back to the client in response headers. Macro @@ -3991,18 +3970,17 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" \
<literal>msg</literal> - Description: Assigns a custom - message to the rule or chain. + Description: Assigns a custom message to the + rule or chain. - Action Group: Metadata + Action Group: Metadata Example: SecRule &REQUEST_HEADERS:Host "@eq 0" \ - "log,id:60008,severity:2,msg:'Request Missing a Host Header'" + "log,id:60008,severity:2,msg:'Request Missing a Host Header'" - Note + Note The msg information appears in the error and/or audit log files and is not sent back to the client in response headers. @@ -4011,19 +3989,18 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" \
<literal>multiMatch</literal> - Description: If enabled - ModSecurity will perform multiple operator invocations for every target, - before and after every anti-evasion transformation is performed. + Description: If enabled ModSecurity will + perform multiple operator invocations for every target, before and after + every anti-evasion transformation is performed. - Action Group: - Non-Disruptive + Action Group: Non-Disruptive Example: SecDefaultAction log,deny,phase:1,t:removeNulls,t:lowercase -SecRule ARGS "attack" multiMatch +SecRule ARGS "attack" multiMatch - Note + Note Normally, variables are evaluated once, only after all transformation functions have completed. With multiMatch, variables are @@ -4034,19 +4011,17 @@ SecRule ARGS "attack" multiMatch <literal>noauditlog</literal> - Description: Indicates that a - successful match of the rule should not be used as criteria whether the - transaction should be logged to the audit log. + Description: Indicates that a successful + match of the rule should not be used as criteria whether the transaction + should be logged to the audit log. - Action Group: - Non-Disruptive + Action Group: Non-Disruptive Example: - SecRule REQUEST_HEADERS:User-Agent "Test" allow,noauditlog + SecRule REQUEST_HEADERS:User-Agent "Test" allow,noauditlog - Note + Note If the SecAuditEngine is set to On, all of the transactions will be logged. If it is set to RelevantOnly, then you can control it with @@ -4060,18 +4035,16 @@ SecRule ARGS "attack" multiMatch <literal>nolog</literal> - Description: Prevents rule - matches from appearing in both the error and audit logs. + Description: Prevents rule matches from + appearing in both the error and audit logs. - Action Group: - Non-Disruptive + Action Group: Non-Disruptive Example: - SecRule REQUEST_HEADERS:User-Agent "Test" allow,nolog + SecRule REQUEST_HEADERS:User-Agent "Test" allow,nolog - Note + Note The nolog action also implies noauditlog.
@@ -4079,17 +4052,16 @@ SecRule ARGS "attack" multiMatch <literal>pass</literal> - Description: Continues processing - with the next rule in spite of a successful match. + Description: Continues processing with the + next rule in spite of a successful match. - Action Group: Disruptive + Action Group: Disruptive Example: - SecRule REQUEST_HEADERS:User-Agent "Test" log,pass + SecRule REQUEST_HEADERS:User-Agent "Test" log,pass - Note + Note Transaction will not be interrupted but it will be logged (unless logging has been suppressed). @@ -4098,17 +4070,16 @@ SecRule ARGS "attack" multiMatch <literal>pause</literal> - Description: Pauses transaction - processing for the specified number of milliseconds. + Description: Pauses transaction processing + for the specified number of milliseconds. - Action Group: Disruptive + Action Group: Disruptive Example: - SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403,pause:5000 + SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403,pause:5000 - Note + Note This feature can be of limited benefit for slowing down Brute Force Scanners, however use with care. If you are under a Denial of @@ -4120,18 +4091,17 @@ SecRule ARGS "attack" multiMatch <literal>phase</literal> - Description: Places the rule (or - the rule chain) into one of five available processing phases. + Description: Places the rule (or the rule + chain) into one of five available processing phases. - Action Group: Disruptive + Action Group: Disruptive Example: - SecDefaultAction log,deny,phase:1,t:removeNulls,t:lowercase + SecDefaultAction log,deny,phase:1,t:removeNulls,t:lowercase SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403 - Note + Note Keep in mind that is you specify the incorrect phase, the target variable that you specify may be empty. This could lead to a false @@ -4143,40 +4113,35 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403
prepend (Experimental) - Description: Prepends text given - as parameter to the response body. For this action to work content - injection must be enabled by setting - SecContentInjection to On. Also - make sure you check the content type of the response before you make - changes to it (e.g. you don't want to inject stuff into images). + Description: Prepends text given as parameter + to the response body. For this action to work content injection must be + enabled by setting SecContentInjection to + On. Also make sure you check the content type of the + response before you make changes to it (e.g. you don't want to inject + stuff into images). - Action Group: - Non-Disruptive + Action Group: Non-Disruptive - Processing Phases: 3 and - 4. + Processing Phases: 3 and 4. Example: - SecRule RESPONSE_CONTENT_TYPE ^text/html "phase:3,nolog,pass,prepend:'Header<br>'" + SecRule RESPONSE_CONTENT_TYPE ^text/html "phase:3,nolog,pass,prepend:'Header<br>'"
<literal>proxy</literal> - Description: Intercepts - transaction by forwarding request to another web server using the proxy - backend. + Description: Intercepts transaction by + forwarding request to another web server using the proxy backend. - Action Group: Disruptive + Action Group: Disruptive Example: - SecRule REQUEST_HEADERS:User-Agent "Test" log,proxy:http://www.honeypothost.com/ + SecRule REQUEST_HEADERS:User-Agent "Test" log,proxy:http://www.honeypothost.com/ - Note + Note For this action to work, mod_proxy must also be installed. This action is useful if you would like to proxy matching requests onto a @@ -4186,17 +4151,17 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403
<literal>redirect</literal> - Description: Intercepts - transaction by issuing a redirect to the given location. + Description: Intercepts transaction by + issuing a redirect to the given location. - Action Group: Disruptive + Action Group: Disruptive Example: SecRule REQUEST_HEADERS:User-Agent "Test" \ - log,redirect:http://www.hostname.com/failed.html + log,redirect:http://www.hostname.com/failed.html - Note + Note If the status action is present and its value is acceptable (301, 302, 303, or 307) it will be used for @@ -4206,17 +4171,15 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403
<literal>rev</literal> - Description: Specifies rule - revision. + Description: Specifies rule revision. - Action Group: Metadata + Action Group: Metadata Example: - SecRule REQUEST_METHOD "^PUT$" "id:340002,rev:1,severity:2,msg:'Restricted HTTP function'" + SecRule REQUEST_METHOD "^PUT$" "id:340002,rev:1,severity:2,msg:'Restricted HTTP function'" - Note + Note This action is used in combination with the id action to allow the same rule ID to be used @@ -4227,19 +4190,17 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403
<literal>sanitiseArg</literal> - Description: Sanitises (replaces - each byte with an asterisk) a named request argument prior to audit + Description: Sanitises (replaces each byte + with an asterisk) a named request argument prior to audit logging. - Action Group: - Non-Disruptive + Action Group: Non-Disruptive Example: - SecAction nolog,phase:2,sanitiseArg:password + SecAction nolog,phase:2,sanitiseArg:password - Note + Note The sanitize actions do not sanitize any data within the actual raw requests but only on the copy of data within memory that is set to @@ -4251,22 +4212,20 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403
<literal>sanitiseMatched</literal> - Description: Sanitises the - variable (request argument, request header, or response header) that - caused a rule match. + Description: Sanitises the variable (request + argument, request header, or response header) that caused a rule + match. - Action Group: - Non-Disruptive + Action Group: Non-Disruptive Example: This action can be used to sanitise arbitrary transaction elements when they match a condition. For example, the example below will sanitise any argument that contains the word password in the name. - SecRule ARGS_NAMES password nolog,pass,sanitiseMatched + SecRule ARGS_NAMES password nolog,pass,sanitiseMatched - Note + Note Same note as sanitiseArg.
@@ -4274,19 +4233,17 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403
<literal>sanitiseRequestHeader</literal> - Description: Sanitises a named - request header. + Description: Sanitises a named request + header. - Action Group: - Non-Disruptive + Action Group: Non-Disruptive Example: This will sanitise the data in the Authorization header. - SecAction log,phase:1,sanitiseRequestHeader:Authorization + SecAction log,phase:1,sanitiseRequestHeader:Authorization - Note + Note Same note as sanitiseArg.
@@ -4294,19 +4251,17 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403
<literal>sanitiseResponseHeader</literal> - Description: Sanitises a named - response header. + Description: Sanitises a named response + header. - Action Group: - Non-Disruptive + Action Group: Non-Disruptive Example: This will sanitise the Set-Cookie data sent to the client. - SecAction log,phase:3,sanitiseResponseHeader:Set-Cookie + SecAction log,phase:3,sanitiseResponseHeader:Set-Cookie - Note + Note Same note as sanitiseArg.
@@ -4314,17 +4269,16 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403
<literal>severity</literal> - Description: Assigns severity to - the rule it is placed with. + Description: Assigns severity to the rule it + is placed with. - Action Group: Metadata + Action Group: Metadata Example: - SecRule REQUEST_METHOD "^PUT$" "id:340002,rev:1,severity:2,msg:'Restricted HTTP function'" + SecRule REQUEST_METHOD "^PUT$" "id:340002,rev:1,severity:2,msg:'Restricted HTTP function'" - Note + Note The severity numbers follow the Syslog convention: @@ -4366,18 +4320,17 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403
<literal>setuid</literal> - Description: Special-purpose - action that initialises the USER + Description: Special-purpose action that + initialises the USER collection. - Action Group: - Non-Disruptive + Action Group: Non-Disruptive Example: - SecAction setuid:%{REMOTE_USER},nolog + SecAction setuid:%{REMOTE_USER},nolog - Note + Note After initialisation takes place the variable USERID will be available for use in the @@ -4387,20 +4340,19 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403
<literal>setsid</literal> - Description: - Special-purposeaction that initialises the SESSION collection. + Description: Special-purposeaction that + initialises the SESSION + collection. - Action Group: - Non-Disruptive + Action Group: Non-Disruptive Example: # Initialise session variables using the session cookie value SecRule REQUEST_COOKIES:PHPSESSID !^$ chain,nolog,pass -SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} +SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} - Note + Note On first invocation of this action the collection will be empty (not taking the pre-defined variables into account - see setsid:%{REQUEST_COOKIES.PHPSESSID} <literal>setenv</literal> - Description: Creates, removes, or - updates an environment variable. + Description: Creates, removes, or updates an + environment variable. - Action Group: - Non-Disruptive + Action Group: Non-Disruptive Examples: @@ -4433,7 +4384,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}setenv:!name - Note + Note This action can be used to establish communication with other Apache modules. @@ -4442,11 +4393,10 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} <literal>setvar</literal> - Description: Creates, removes, or - updates a variable in the specified collection. + Description: Creates, removes, or updates a + variable in the specified collection. - Action Group: - Non-Disruptive + Action Group: Non-Disruptive Examples: @@ -4468,16 +4418,14 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} <literal>skip</literal> - Description: Skips one or more - rules (or chains) on successful match. + Description: Skips one or more rules (or + chains) on successful match. - Action Group: - Non-Disruptive + Action Group: Non-Disruptive Example: - SecRule REQUEST_URI "^/$" "chain,skip:2" + SecRule REQUEST_URI "^/$" "chain,skip:2" SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain" SecRule REQUEST_HEADERS:User-Agent "^Apache \(internal dummy connection\)$" "t:none" SecRule &REQUEST_HEADERS:Host "@eq 0" \ 
@@ -4485,7 +4433,7 @@ SecRule &REQUEST_HEADERS:Host "@eq 0" \ SecRule &REQUEST_HEADERS:Accept "@eq 0" \ "log,deny,log,status:400,id:960015,msg:'Request Missing an Accept Header'" - Note + Note Skip only applies to the current processing phase and not necessarily the order in which the rules appear in the configuration @@ -4498,18 +4446,17 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
<literal>status</literal> - Description: Specifies the - response status code to use with actions - deny and redirect. + Description: Specifies the response status + code to use with actions deny + and redirect. - Action Group: Disruptive + Action Group: Disruptive Example: - SecDefaultAction log,deny,status:403,phase:1 + SecDefaultAction log,deny,status:403,phase:1 - Note + Note Staus actions defined in Apache scope locations (such as Directory, Location, etc...) may be superceded by phase:1 action @@ -4522,21 +4469,20 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
<literal>t</literal> - Description: This action can be - used which transformation function should be used against the specified - variables before they (or the results, rather) are run against the - operator specified in the rule. + Description: This action can be used which + transformation function should be used against the specified variables + before they (or the results, rather) are run against the operator + specified in the rule. - Action Group: - Non-Disruptive + Action Group: Non-Disruptive Example: SecDefaultAction log,deny,phase:1,t:removeNulls,t:lowercase SecRule REQUEST_COOKIES:SESSIONID "47414e81cbbef3cf8366e84eeacba091" \ - log,deny,status:403,t:md5 + log,deny,status:403,t:md5 - Note + Note Any transformation functions that you specify in a SecRule will be in addtion to previous ones specified in SecDefaultAction. Use of @@ -4547,17 +4493,17 @@ SecRule REQUEST_COOKIES:SESSIONID "47414e81cbbef3cf8366e84eeacba091" \
<literal>tag</literal> - Description: Assigns custom text - to a rule or chain. + Description: Assigns custom text to a rule or + chain. - Action Group: Metadata + Action Group: Metadata Example: SecRule REQUEST_FILENAME "\b(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe\b" \ - "deny,msg:'System Command Access',id:'950002',tag:'WEB_ATTACK/FILE_INJECTION',tag:'OWASP/A2',severity:'2'" + "deny,msg:'System Command Access',id:'950002',tag:'WEB_ATTACK/FILE_INJECTION',tag:'OWASP/A2',severity:'2'" - Note + Note The tag information appears in the error and/or audit log files. Its intent is to be used to automate classification of rules and the @@ -4568,18 +4514,15 @@ SecRule REQUEST_COOKIES:SESSIONID "47414e81cbbef3cf8366e84eeacba091" \
<literal>xmlns</literal> - Description: This action should - be used together with an XPath expression to register a - namespace. + Description: This action should be used + together with an XPath expression to register a namespace. - Action Group: - Non-Disruptive + Action Group: Non-Disruptive Example: SecRule REQUEST_HEADERS:Content-Type "text/xml" \ - phase:1,pass,ctl:requestBodyProcessor=XML,ctl:requestBodyAccess=On,xmlns:xsd="http://www.w3.org/2001/XMLSchema" + phase:1,pass,ctl:requestBodyProcessor=XML,ctl:requestBodyAccess=On,xmlns:xsd="http://www.w3.org/2001/XMLSchema" SecRule XML:/soap:Envelope/soap:Body/q1:getInput/id() "123" phase:2,deny
@@ -4594,81 +4537,75 @@ SecRule XML:/soap:Envelope/soap:Body/q1:getInput/id() "123" phase:2,deny <literal>beginsWith</literal> - Description: This operator is a - string comparison and returns true if the parameter value is found at - the beginning of the input. Macro expansion is performed so you may use + Description: This operator is a string + comparison and returns true if the parameter value is found at the + beginning of the input. Macro expansion is performed so you may use variable names such as %{TX.1}, etc. Example: - SecRule REQUEST_LINE "!@beginsWith GET" t:none,deny,status:403 + SecRule REQUEST_LINE "!@beginsWith GET" t:none,deny,status:403 SecRule REQUEST_ADDR "^(.*)\.\d+$" deny,status:403,capture,chain -SecRule ARGS:gw "!@beginsWith %{TX.1}" +SecRule ARGS:gw "!@beginsWith %{TX.1}"
<literal>contains</literal> - Description: This operator is a - string comparison and returns true if the parameter value is found - anywhere in the input. Macro expansion is performed so you may use - variable names such as %{TX.1}, etc. + Description: This operator is a string + comparison and returns true if the parameter value is found anywhere in + the input. Macro expansion is performed so you may use variable names + such as %{TX.1}, etc. Example: - SecRule REQUEST_LINE "!@contains .php" t:none,deny,status:403 + SecRule REQUEST_LINE "!@contains .php" t:none,deny,status:403 SecRule REQUEST_ADDR "^(.*)$" deny,status:403,capture,chain -SecRule ARGS:ip "!@contains %{TX.1}" +SecRule ARGS:ip "!@contains %{TX.1}"
<literal>endsWith</literal> - Description: This operator is a - string comparison and returns true if the parameter value is found at - the end of the input. Macro expansion is performed so you may use - variable names such as %{TX.1}, etc. + Description: This operator is a string + comparison and returns true if the parameter value is found at the end + of the input. Macro expansion is performed so you may use variable names + such as %{TX.1}, etc. Example: - SecRule REQUEST_LINE "!@endsWith HTTP/1.1" t:none,deny,status:403 -SecRule ARGS:route "!@endsWith %{REQUEST_ADDR}" t:none,deny,status:403 + SecRule REQUEST_LINE "!@endsWith HTTP/1.1" t:none,deny,status:403 +SecRule ARGS:route "!@endsWith %{REQUEST_ADDR}" t:none,deny,status:403
<literal>eq</literal> - Description: This operator is a - numerical comparison and stands for "equal to." + Description: This operator is a numerical + comparison and stands for "equal to." Example: - SecRule &REQUEST_HEADERS_NAMES "@eq 15" + SecRule &REQUEST_HEADERS_NAMES "@eq 15"
<literal>ge</literal> - Description: This operator is a - numerical comparison and stands for "greater than or equal to." + Description: This operator is a numerical + comparison and stands for "greater than or equal to." Example: - SecRule &REQUEST_HEADERS_NAMES "@ge 15" + SecRule &REQUEST_HEADERS_NAMES "@ge 15"
<literal>geoLookup</literal> - Description: This operator looks - up various data fields from an IP address or hostname. The results will - be captured in the GEO - collection. + Description: This operator looks up various + data fields from an IP address or hostname. The results will be captured + in the GEO collection. You must provide a database via SecGeoLookupsDb before this operator can be @@ -4681,64 +4618,59 @@ SecRule ARGS:route "!@endsWith %{REQUEST_ADDR}"
<literal>gt</literal> - Description: This operator is a - numerical comparison and stands for "greater than." + Description: This operator is a numerical + comparison and stands for "greater than." Example: - SecRule &REQUEST_HEADERS_NAMES "@gt 15" + SecRule &REQUEST_HEADERS_NAMES "@gt 15"
<literal>inspectFile</literal> - Description: Executes the - external script/binary given as parameter to the operator against every - file extracted from the request. + Description: Executes the external + script/binary given as parameter to the operator against every file + extracted from the request. Example: - SecRule FILES_TMPNAMES "@inspectFile /opt/apache/bin/inspect_script.pl" + SecRule FILES_TMPNAMES "@inspectFile /opt/apache/bin/inspect_script.pl"
<literal>le</literal> - Description: This operator is a - numerical comparison and stands for "less than or equal to." + Description: This operator is a numerical + comparison and stands for "less than or equal to." Example: - SecRule &REQUEST_HEADERS_NAMES "@le 15" + SecRule &REQUEST_HEADERS_NAMES "@le 15"
<literal>lt</literal> - Description: This operator is a - numerical comparison and stands for "less than." + Description: This operator is a numerical + comparison and stands for "less than." Example: - SecRule &REQUEST_HEADERS_NAMES "@lt 15" + SecRule &REQUEST_HEADERS_NAMES "@lt 15"
<literal>pm</literal> - Description: Phrase Match - operator. This operator uses a set based matching engine (Aho-Corasick) - for faster matches of keyword lists. It will match any one of its - arguments anywhere in the target value. + Description: Phrase Match operator. This + operator uses a set based matching engine (Aho-Corasick) for faster + matches of keyword lists. It will match any one of its arguments + anywhere in the target value. Example: - SecRule REQUEST_HEADERS:User-Agent "@pm WebZIP WebCopier Webster WebStripper SiteSnagger ProWebWalker CheeseBot" "deny,status:403 + SecRule REQUEST_HEADERS:User-Agent "@pm WebZIP WebCopier Webster WebStripper SiteSnagger ProWebWalker CheeseBot" "deny,status:403 The above would deny access with 403 if any of the words matched within the User-Agent HTTP header value. @@ -4747,9 +4679,9 @@ SecRule ARGS:route "!@endsWith %{REQUEST_ADDR}"
<literal>pmFromFile</literal> - Description: Phrase Match - operator. This operator uses a set based matching engine (Aho-Corasick) - for faster matches of keyword lists. This operator is the same as + Description: Phrase Match operator. This + operator uses a set based matching engine (Aho-Corasick) for faster + matches of keyword lists. This operator is the same as @pm except that it takes a list of files as arguments. It will match any one of the phrases listed in the file(s) anywhere in the target value. @@ -4774,8 +4706,7 @@ SecRule ARGS:route "!@endsWith %{REQUEST_ADDR}" Example: - SecRule REQUEST_HEADERS:User-Agent "@pm /path/to/blacklist1 blacklist2" "deny,status:403 + SecRule REQUEST_HEADERS:User-Agent "@pm /path/to/blacklist1 blacklist2" "deny,status:403 The above would deny access with 403 if any of the patterns in the two files matched within the User-Agent HTTP header value. The @@ -4786,29 +4717,27 @@ SecRule ARGS:route "!@endsWith %{REQUEST_ADDR}"
<literal>rbl</literal> - Description: Look up the - parameter in the RBL given as parameter. Parameter can be an IPv4 - address, or a hostname. + Description: Look up the parameter in the RBL + given as parameter. Parameter can be an IPv4 address, or a + hostname. Example: - SecRule REMOTE_ADDR "@rbl sc.surbl.org" + SecRule REMOTE_ADDR "@rbl sc.surbl.org"
<literal>rx</literal> - Description: Regular expression - operator. This is the default operator, so if the "@" operator is not - defined, it is assumed to be rx. + Description: Regular expression operator. + This is the default operator, so if the "@" operator is not defined, it + is assumed to be rx. Example: - SecRule REQUEST_HEADERS:User-Agent "@rx nikto" + SecRule REQUEST_HEADERS:User-Agent "@rx nikto" - Note + Note Regular expressions are handled by the PCRE library (http://www.pcre.org). ModSecurity @@ -4842,31 +4771,29 @@ SecRule ARGS:route "!@endsWith %{REQUEST_ADDR}"
<literal>streq</literal> - Description: This operator is a - string comparison and returns true if the parameter value matches the - input exactly. Macro expansion is performed so you may use variable - names such as %{TX.1}, etc. + Description: This operator is a string + comparison and returns true if the parameter value matches the input + exactly. Macro expansion is performed so you may use variable names such + as %{TX.1}, etc. Example: - SecRule ARGS:foo "!@streq bar" t:none,deny,status:403 + SecRule ARGS:foo "!@streq bar" t:none,deny,status:403 SecRule REQUEST_ADDR "^(.*)$" deny,status:403,capture,chain -SecRule REQUEST_HEADERS:Ip-Address "!@streq %{TX.1}" +SecRule REQUEST_HEADERS:Ip-Address "!@streq %{TX.1}"
<literal>validateByteRange</literal> - Description: Validates the byte - range used in the variable falls into the specified range. + Description: Validates the byte range used in + the variable falls into the specified range. Example: - SecRule ARG:text "@validateByteRange 10, 13, 32-126" + SecRule ARG:text "@validateByteRange 10, 13, 32-126" - Note + Note You can force requests to consist only of bytes from a certain byte range. This can be useful to avoid stack overflow attacks (since @@ -4902,8 +4829,8 @@ SecRule REQUEST_HEADERS:Ip-Address "!@streq %{TX.1} <literal>validateDTD</literal> - Description: This operator - requires the request body to be processed as XML. + Description: This operator requires the + request body to be processed as XML. Example: @@ -4911,14 +4838,14 @@ SecRule REQUEST_HEADERS:Ip-Address "!@streq %{TX.1}@validateDTD /path/to/apache2/conf/xml.dtd" +SecRule XML "@validateDTD /path/to/apache2/conf/xml.dtd"
<literal>validateSchema</literal> - Description: This operator - requires the request body to be processed as XML. + Description: This operator requires the + request body to be processed as XML. Example: @@ -4926,7 +4853,7 @@ SecRule XML "@validateDTD /path/to/apache2/conf/xml.dtd@validateSchema /path/to/apache2/conf/xml.xsd" +SecRule XML "@validateSchema /path/to/apache2/conf/xml.xsd" This operator requires request body to be processed as XML.
@@ -4934,15 +4861,14 @@ SecRule XML "@validateSchema /path/to/apache2/conf/xml.xsd
<literal>validateUrlEncoding</literal> - Description: Verifies the - encodings used in the variable (if any) are valid. + Description: Verifies the encodings used in + the variable (if any) are valid. Example: - SecRule ARGS "@validateUrlEncoding" + SecRule ARGS "@validateUrlEncoding" - Note + Note URL encoding is an HTTP standard for encoding byte values within a URL. The byte is escaped with a % followed by two hexadecimal values @@ -4955,15 +4881,14 @@ SecRule XML "@validateSchema /path/to/apache2/conf/xml.xsd
<literal>validateUtf8Encoding</literal> - Description: Verifies the - variable is a valid UTF-8 encoded string. + Description: Verifies the variable is a valid + UTF-8 encoded string. Example: - SecRule ARGS "@validateUtf8Encoding" + SecRule ARGS "@validateUtf8Encoding" - Note + Note UTF-8 encoding is valid on most web servers. Integer values between 0-65535 are encoded in a UTF-8 byte sequence that is escaped by @@ -4998,20 +4923,19 @@ SecRule XML "@validateSchema /path/to/apache2/conf/xml.xsd
<literal>within</literal> - Description: This operator is a - string comparison and returns true if the input value is found anywhere - within the parameter value. Note that this is similar to + Description: This operator is a string + comparison and returns true if the input value is found anywhere within + the parameter value. Note that this is similar to @contains, except that the target and match values are reversed. Macro expansion is performed so you may use variable names such as %{TX.1}, etc. Example: - SecRule REQUEST_METHOD "!@within get,post,head" t:lowercase,deny,status:403 + SecRule REQUEST_METHOD "!@within get,post,head" t:lowercase,deny,status:403 SecAction "pass,setvar:'tx.allowed_methods=get,post,head'" -SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" t:lowercase,deny,status:403 +SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" t:lowercase,deny,status:403
@@ -5114,4 +5038,4 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}
- + \ No newline at end of file
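Review bot: the capture hunk (`@@ -3553`) reflows the Note but leaves the context line "1 captures the data in the first parantheses" untouched; since the paragraph is being re-wrapped anyway, correct it to "parentheses" in the same pass.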
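Review bot: the chain hunk (`@@ -3565`) keeps the context line `SecRule REQUEST_HEADER:Content-Length ^$`, but every other example in this patch (deny, id, proxy, redirect) uses the `REQUEST_HEADERS` collection; the example as written does not match the variable name used elsewhere in the document, so change it to `SecRule REQUEST_HEADERS:Content-Length ^$`.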
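Review bot: the drop hunk (`@@ -3730`) re-wraps the example but carries over the mismatched quoting in `log,drop,phase:1,msg:'Possible Brute Force Attack"`, which opens the msg value with a single quote and closes it with a double quote; close it as `msg:'Possible Brute Force Attack'` so the example parses as shown.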
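Review bot: the exec hunk (`@@ -3744`) leaves the Note context "This directive does not effect a primary action" unchanged; the intended word is "affect". Worth fixing while the block is being reflowed.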
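Review bot: the expirevar hunk (`@@ -3772`) moves the typo "Configurescollection" verbatim onto the new `+` line instead of fixing it; split it into "Configures collection". The Note context in the same hunk also has "indended" for "intended".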
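Review bot: the skip hunk (`@@ -4485`) retains the context line `"log,deny,log,status:400,id:960015,msg:'Request Missing an Accept Header'"`, which lists the `log` action twice; drop the duplicate so the example reads `"log,deny,status:400,id:960015,msg:'Request Missing an Accept Header'"`.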
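Review bot: the status hunk (`@@ -4498`) reflows the Description but leaves the Note context with "Staus actions" and "superceded"; correct to "Status actions" and "superseded" in the same hunk.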
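Review bot: the t hunk (`@@ -4522`) rewrites the Description onto new `+` lines but keeps the ungrammatical sentence "This action can be used which transformation function should be used against the specified variables", which is missing its verb; suggest "This action can be used to specify which transformation function should be used against the specified variables". The Note context in the same hunk also has "addtion" for "addition".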
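Review bot: the setsid hunk (`@@ -4387`) carries the typo "Special-purposeaction" onto the new `+` line; correct it to "Special-purpose action" since the line is being rewritten anyway.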
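Review bot: the beginsWith hunk (`@@ -4594`) keeps the example `SecRule REQUEST_ADDR "^(.*)\.\d+$" deny,status:403,capture,chain`, while the initcol and rbl hunks in this same patch use `REMOTE_ADDR` (`initcol:ip=%{REMOTE_ADDR}`, `SecRule REMOTE_ADDR "@rbl sc.surbl.org"`); please confirm which variable name is intended and make the examples consistent. The same `REQUEST_ADDR` spelling appears in the contains, endsWith and streq hunks.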
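Review bot: the pm hunk (`@@ -4681`) re-wraps the example line but does not close the action string: `"@pm WebZIP WebCopier Webster WebStripper SiteSnagger ProWebWalker CheeseBot" "deny,status:403` is missing its final double quote; add it so the example is a complete directive.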
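Review bot: the pmFromFile hunk (`@@ -4774`) keeps an example that invokes `@pm` with file paths, `"@pm /path/to/blacklist1 blacklist2"`, although the Description in the same hunk states that this operator "takes a list of files as arguments" and is distinct from `@pm`; the example should use `@pmFromFile`, and its action string `"deny,status:403` is also missing the closing double quote. Suggested line: `SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /path/to/blacklist1 blacklist2" "deny,status:403"`.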
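Review bot: the validateByteRange hunk (`@@ -4842`) reflows the example but keeps `SecRule ARG:text "@validateByteRange 10, 13, 32-126"`; every other example in the patch addresses request arguments through `ARGS` (`ARGS:foo`, `ARGS:gw`, `ARGS:ip`), so this should read `SecRule ARGS:text "@validateByteRange 10, 13, 32-126"`.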
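Review bot: the validateSchema hunk (`@@ -4926`) keeps a trailing context sentence "This operator requires request body to be processed as XML." that duplicates the Description two lines above; drop the duplicate, or replace it with the dependency note (request body processor set to XML via ctl) that the xmlns example already illustrates.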
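Review bot: the final hunk (`@@ -5114,4 +5038,4 @@`) replaces the closing line with one marked "\ No newline at end of file", so the reflowed document now ends without a trailing newline; restore the newline so the XML source ends cleanly and later diffs do not keep touching this line.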