From 793b57670105682a894e1d55fdcfdfcbeec03447 Mon Sep 17 00:00:00 2001 From: brectanus Date: Mon, 15 Oct 2007 16:50:36 +0000 Subject: [PATCH] Added support for MATCHED_VAR and MATCHED_VAR_NAME. See #123. --- apache2/modsecurity.c | 3 + apache2/modsecurity.h | 2 +- apache2/re.c | 6 +- apache2/re_actions.c | 29 +- apache2/re_variables.c | 30 +- doc/modsecurity2-apache-reference.xml | 400 ++++++++------------------ 6 files changed, 166 insertions(+), 304 deletions(-) diff --git a/apache2/modsecurity.c b/apache2/modsecurity.c index bd927be9..3e718cd1 100644 --- a/apache2/modsecurity.c +++ b/apache2/modsecurity.c @@ -304,6 +304,9 @@ apr_status_t modsecurity_tx_init(modsec_rec *msr) { msr->tcache = apr_hash_make(msr->mp); if (msr->tcache == NULL) return -1; + msr->matched_var = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); + if (msr->matched_var == NULL) return -1; + msr->highest_severity = 255; /* high, invalid value */ return 1; diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h index a7470676..17662b12 100644 --- a/apache2/modsecurity.h +++ b/apache2/modsecurity.h @@ -324,7 +324,7 @@ struct modsec_rec { apr_time_t time_checkpoint_2; apr_time_t time_checkpoint_3; - const char *matched_var; + msc_string *matched_var; int highest_severity; /* upload */ diff --git a/apache2/re.c b/apache2/re.c index e043a002..6b60e406 100644 --- a/apache2/re.c +++ b/apache2/re.c 
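Review bot: The new allocation in modsecurity_tx_init casts apr_pcalloc's return and sizes it by the type name rather than the variable; in C the cast is unnecessary and `msr->matched_var = apr_pcalloc(msr->mp, sizeof *msr->matched_var);` keeps the size tied to the pointer. Because apr_pcalloc zero-fills, name/name_len/value/value_len start as NULL/0, and the re_actions.c hunk of this same commit relies on name_len == 0 meaning "nothing matched yet", so that contract deserves a comment here, e.g. `/* zero-filled: name_len == 0 until the first operator match (see execute_operator) */`. The NULL check mirrors the tcache check above it, which is consistent with the rest of this function.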
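Review bot: The retyped field in struct modsec_rec carries no comment, although its zero-filled state now has meaning elsewhere in this commit (sanitiseMatched tests name_len == 0 and execute_operator overwrites it on every match). A one-line comment would document that: `msc_string *matched_var; /* name/value of the last variable that matched; name_len == 0 until the first match */`. The struct definition starts and ends outside the hunk.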
@@ -1342,7 +1342,11 @@ static int execute_operator(msre_var *var, msre_rule *rule, modsec_rec *msr, log_escape(msr->mp, full_varname)); } - msr->matched_var = apr_pstrdup(msr->mp, var->name); + /* Save the last matched var data */ + msr->matched_var->name = apr_pstrdup(msr->mp, var->name); + msr->matched_var->name_len = strlen(msr->matched_var->name); + msr->matched_var->value = apr_pmemdup(msr->mp, var->value, var->value_len); + msr->matched_var->value_len = var->value_len; /* Keep track of the highest severity matched so far */ if ((acting_actionset->severity > 0) && (acting_actionset->severity < msr->highest_severity)) diff --git a/apache2/re_actions.c b/apache2/re_actions.c index fb9220ba..8bd034c9 100644 --- a/apache2/re_actions.c +++ b/apache2/re_actions.c 
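Review bot: Every operator match now copies var->value into the transaction pool msr->mp, and pool memory is only released when the transaction ends, so a request whose body or response body matches many rules keeps one full copy of that value per match for the rest of the transaction; the previous code only duplicated the name. If large values are common here, consider reusing the previous buffer when value_len fits or bounding what is retained, and at minimum note the cost: `/* NOTE: copied into the transaction pool on every match; large values accumulate until the request completes */`. apr_pmemdup also appends no NUL, so matched_var->value must be treated as a length-delimited buffer by every consumer, which is worth stating in the same comment. execute_operator continues outside the hunk.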
@@ -769,39 +769,40 @@ static apr_status_t msre_action_sanitiseMatched_execute(modsec_rec *msr, apr_poo const apr_array_header_t *tarr; const apr_table_entry_t *telts; int i, type = 0; + msc_string *mvar = msr->matched_var; - if (msr->matched_var == NULL) return 0; + if (mvar->name_len == 0) return 0; /* IMP1 We need to extract the variable name properly here, * taking into account it may have been escaped. */ - if (strncmp(msr->matched_var, "ARGS:", 5) == 0) { - sargname = apr_pstrdup(msr->mp, msr->matched_var + 5); + if ((mvar->name_len > 5) && (strncmp(mvar->name, "ARGS:", 5) == 0)) { + sargname = apr_pstrdup(msr->mp, mvar->name + 5); type = SANITISE_ARG; } else - if (strncmp(msr->matched_var, "ARGS_NAMES:", 11) == 0) { - sargname = apr_pstrdup(msr->mp, msr->matched_var + 11); + if ((mvar->name_len > 11) && (strncmp(mvar->name, "ARGS_NAMES:", 11) == 0)) { + sargname = apr_pstrdup(msr->mp, mvar->name + 11); type = SANITISE_ARG; } else - if (strncmp(msr->matched_var, "REQUEST_HEADERS:", 16) == 0) { - sargname = apr_pstrdup(msr->mp, msr->matched_var + 16); + if ((mvar->name_len > 16) && (strncmp(mvar->name, "REQUEST_HEADERS:", 16) == 0)) { + sargname = apr_pstrdup(msr->mp, mvar->name + 16); type = SANITISE_REQUEST_HEADER; } else - if (strncmp(msr->matched_var, "REQUEST_HEADERS_NAMES:", 22) == 0) { - sargname = apr_pstrdup(msr->mp, msr->matched_var + 22); + if ((mvar->name_len > 22) && (strncmp(mvar->name, "REQUEST_HEADERS_NAMES:", 22) == 0)) { + sargname = apr_pstrdup(msr->mp, mvar->name + 22); type = SANITISE_REQUEST_HEADER; } else - if (strncmp(msr->matched_var, "RESPONSE_HEADERS:", 17) == 0) { - sargname = apr_pstrdup(msr->mp, msr->matched_var + 17); + if ((mvar->name_len > 17) && (strncmp(mvar->name, "RESPONSE_HEADERS:", 17) == 0)) { + sargname = apr_pstrdup(msr->mp, mvar->name + 17); type = SANITISE_RESPONSE_HEADER; } else - if (strncmp(msr->matched_var, "RESPONSE_HEADERS_NAMES:", 23) == 0) { - sargname = apr_pstrdup(msr->mp, msr->matched_var + 23); + if 
((mvar->name_len > 23) && (strncmp(mvar->name, "RESPONSE_HEADERS_NAMES:", 23) == 0)) { + sargname = apr_pstrdup(msr->mp, mvar->name + 23); type = SANITISE_RESPONSE_HEADER; } else { msr_log(msr, 3, "sanitiseMatched: Don't know how to handle variable: %s", - msr->matched_var); + mvar->name); return 0; } diff --git a/apache2/re_variables.c b/apache2/re_variables.c index 2b41c57b..d75afafa 100644 --- a/apache2/re_variables.c +++ b/apache2/re_variables.c @@ -843,8 +843,23 @@ static int var_ip_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, static int var_matched_var_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, apr_table_t *vartab, apr_pool_t *mptmp) { - return var_simple_generate(var, vartab, mptmp, - apr_pstrdup(mptmp, msr->matched_var)); + return var_simple_generate_ex(var, vartab, mptmp, + apr_pmemdup(mptmp, + msr->matched_var->value, + msr->matched_var->value_len), + msr->matched_var->value_len); +} + +/* MATCHED_VAR_NAME */ + +static int var_matched_var_name_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, + apr_table_t *vartab, apr_pool_t *mptmp) +{ + return var_simple_generate_ex(var, vartab, mptmp, + apr_pmemdup(mptmp, + msr->matched_var->name, + msr->matched_var->name_len), + msr->matched_var->name_len); } /* SESSION */ @@ -2312,6 +2327,17 @@ void msre_engine_register_default_variables(msre_engine *engine) { PHASE_REQUEST_HEADERS ); + /* MATCHED_VAR_NAME */ + msre_engine_variable_register(engine, + "MATCHED_VAR_NAME", + VAR_SIMPLE, + 0, 0, + NULL, + var_matched_var_name_generate, + VAR_DONT_CACHE, + PHASE_REQUEST_HEADERS + ); + /* MODSEC_BUILD */ msre_engine_variable_register(engine, "MODSEC_BUILD", diff --git a/doc/modsecurity2-apache-reference.xml b/doc/modsecurity2-apache-reference.xml index 4302ee2a..40c19d5d 100644 --- a/doc/modsecurity2-apache-reference.xml +++ b/doc/modsecurity2-apache-reference.xml 
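Review bot: The six prefix branches in msre_action_sanitiseMatched_execute now each repeat the same three-part test (length guard, strncmp, apr_pstrdup past the prefix) with a hand-counted prefix length, which is easy to get wrong when a prefix is added; a small static table with a loop expresses the same decision once. The rewrite below keeps the behaviour of the new code, including the requirement that something follows the prefix and the log-and-return for unknown names, and assumes the SANITISE_* constants are compile-time constants usable in a static initializer. The function's signature is in the hunk header and its body continues past the hunk, so the declarations of sargname and the sanitisation that uses type are not shown.
```c
    /* … unchanged: declarations of tarr, telts, i, type … */
    msc_string *mvar = msr->matched_var;
    /* Variable-name prefix, its length, and how the remainder is sanitised. */
    static const struct {
        const char *prefix;
        size_t len;
        int type;
    } prefixes[] = {
        { "ARGS:",                    5, SANITISE_ARG },
        { "ARGS_NAMES:",             11, SANITISE_ARG },
        { "REQUEST_HEADERS:",        16, SANITISE_REQUEST_HEADER },
        { "REQUEST_HEADERS_NAMES:",  22, SANITISE_REQUEST_HEADER },
        { "RESPONSE_HEADERS:",       17, SANITISE_RESPONSE_HEADER },
        { "RESPONSE_HEADERS_NAMES:", 23, SANITISE_RESPONSE_HEADER },
    };
    size_t k;
    int found = 0;

    if (mvar->name_len == 0) return 0;

    /* IMP1 We need to extract the variable name properly here,
     *      taking into account it may have been escaped.
     */
    for (k = 0; k < sizeof(prefixes) / sizeof(prefixes[0]); k++) {
        if ((mvar->name_len > prefixes[k].len)
            && (strncmp(mvar->name, prefixes[k].prefix, prefixes[k].len) == 0))
        {
            sargname = apr_pstrdup(msr->mp, mvar->name + prefixes[k].len);
            type = prefixes[k].type;
            found = 1;
            break;
        }
    }
    if (!found) {
        msr_log(msr, 3, "sanitiseMatched: Don't know how to handle variable: %s",
            mvar->name);
        return 0;
    }
    /* … unchanged: sanitisation of sargname according to type … */
```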
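Review bot: Before any rule has matched, matched_var->value is still the NULL left by apr_pcalloc, so var_matched_var_generate hands var_simple_generate_ex a NULL value (apr_pmemdup returns NULL for a NULL source) with length 0; whether that helper tolerates a NULL value is not visible here, so either confirm it or substitute an empty string, e.g. `const char *v = msr->matched_var->value_len ? apr_pmemdup(mptmp, msr->matched_var->value, msr->matched_var->value_len) : "";` followed by `return var_simple_generate_ex(var, vartab, mptmp, v, msr->matched_var->value_len);`. The same applies to var_matched_var_name_generate and matched_var->name. Neither copy is NUL-terminated, so any consumer that treats these variables as C strings (macro expansion into setvar, as the reference manual's example suggests) needs to be checked to honour the length. The later registration hunk for MATCHED_VAR_NAME mirrors the existing entries and raises nothing on its own.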
@@ -2025,9 +2025,7 @@ SecRule REQUEST_HEADERS:Host "!^$" "deny,phase:1The following variables are supported in ModSecurity 2.x:
- - <literal moreinfo="none">ARGS</literal> - + <literal moreinfo="none">ARGS</literal> ARGS is a collection and can be used on its own (means all arguments including the POST Payload), with a static @@ -2072,9 +2070,7 @@ SecRule REQUEST_HEADERS:Host "!^$" "deny,phase:1
- - <literal moreinfo="none">ARGS_COMBINED_SIZE</literal> - + <literal moreinfo="none">ARGS_COMBINED_SIZE</literal> This variable allows you to set more targeted evaluations on the total size of the Arguments as compared with normal Apache LimitRequest @@ -2088,9 +2084,7 @@ SecRule ARGS_COMBINED_SIZE "@gt 25"
- - <literal moreinfo="none">ARGS_NAMES</literal> - + <literal moreinfo="none">ARGS_NAMES</literal> Is a collection of the argument names. You can search for specific argument names that you want to block. In a positive policy scenario, @@ -2104,18 +2098,14 @@ SecRule ARGS_NAMES "!^(p|a)$"
- - <literal moreinfo="none">ARGS_GET</literal> - + <literal moreinfo="none">ARGS_GET</literal> ARGS_GET is similar to ARGS, but only contains arguments from the query string.
- - <literal moreinfo="none">ARGS_GET_NAMES</literal> - + <literal moreinfo="none">ARGS_GET_NAMES</literal> ARGS_GET_NAMES is similar to ARGS_NAMES, but only contains argument names from the @@ -2123,9 +2113,7 @@ SecRule ARGS_NAMES "!^(p|a)$"
- - <literal moreinfo="none">ARGS_POST</literal> - + <literal moreinfo="none">ARGS_POST</literal> ARGS_POST is similar to ARGS, but only contains arguments from the POST @@ -2133,9 +2121,7 @@ SecRule ARGS_NAMES "!^(p|a)$"
- - <literal moreinfo="none">ARGS_POST_NAMES</literal> - + <literal moreinfo="none">ARGS_POST_NAMES</literal> ARGS_POST_NAMES is similar to ARGS_NAMES, but only contains argument names from the @@ -2143,18 +2129,14 @@ SecRule ARGS_NAMES "!^(p|a)$"
- - <literal moreinfo="none">AUTH_TYPE</literal> - + <literal moreinfo="none">AUTH_TYPE</literal> This variable holds the authentication method used to validate a user. Example: SecRule AUTH_TYPE "basic" log,deny,status:403,phase:1,t:lowercase - - Note - + Note This data will not be available in a proxy-mode deployment as the authentication is not local. In a proxy-mode deployment, you would need @@ -2163,9 +2145,7 @@ SecRule ARGS_NAMES "!^(p|a)$"
- - <literal moreinfo="none">ENV</literal> - + <literal moreinfo="none">ENV</literal> Collection, requires a single parameter (after a colon character). The ENV variable is set with setenv and does not give access to the CGI @@ -2177,9 +2157,7 @@ SecRule ENV:tag "suspicious"
- - <literal moreinfo="none">FILES</literal> - + <literal moreinfo="none">FILES</literal> Collection. Contains a collection of original file names (as they were called on the remote user's file system). Note: only available if @@ -2189,9 +2167,7 @@ SecRule ENV:tag "suspicious"
- - <literal moreinfo="none">FILES_COMBINED_SIZE</literal> - + <literal moreinfo="none">FILES_COMBINED_SIZE</literal> Single value. Total size of the uploaded files. Note: only available if files were extracted from the request body. Example: @@ -2200,9 +2176,7 @@ SecRule ENV:tag "suspicious"
- - <literal moreinfo="none">FILES_NAMES</literal> - + <literal moreinfo="none">FILES_NAMES</literal> Collection w/o parameter. Contains a list of form fields that were used for file upload. Note: only available if files were extracted from @@ -2212,9 +2186,7 @@ SecRule ENV:tag "suspicious"
- - <literal moreinfo="none">FILES_SIZES</literal> - + <literal moreinfo="none">FILES_SIZES</literal> Collection. Contains a list of file sizes. Useful for implementing a size limitation on individual uploaded files. Note: only available if @@ -2224,9 +2196,7 @@ SecRule ENV:tag "suspicious"
- - <literal moreinfo="none">FILES_TMPNAMES</literal> - + <literal moreinfo="none">FILES_TMPNAMES</literal> Collection. Contains a collection of temporary files' names on the disk. Useful when used together with ENV:tag "suspicious"
- - <literal moreinfo="none">GEO</literal> - + <literal moreinfo="none">GEO</literal> GEO is a collection populated by the @geoLookups operator. It can be used to match @@ -2313,9 +2281,7 @@ SecRule GEO:COUNTRY_CODE "!@streq UK"
- - <literal moreinfo="none">HIGHEST_SEVERITY</literal> - + <literal moreinfo="none">HIGHEST_SEVERITY</literal> This variable holds the highest severity of any rules that have matched so far. Severities are numeric values and thus can be used with @@ -2332,22 +2298,31 @@ SecRule GEO:COUNTRY_CODE "!@streq UK"
- - <literal moreinfo="none">MATCHED_VAR</literal> - + <literal moreinfo="none">MATCHED_VAR</literal> + + This variable holds the value of the variable that was matched + against. It is similar to the TX:0, except it can be used for all + operators and does not require that the capture action be specified. + + SecRule ARGS pattern chain,deny +... +SecRule MATCHED_VAR "further scrutiny" +
+ +
+ <literal moreinfo="none">MATCHED_VAR_NAME</literal> This variable holds the full name of the variable that was matched against. - SecRule ARGS pattern setvar:tx.mymatch=%{MATCHED_VAR} + SecRule ARGS pattern setvar:tx.mymatch=%{MATCHED_VAR_NAME} ... SecRule TX:MYMATCH "@eq ARGS:param" deny
- - <literal moreinfo="none">MODSEC_BUILD</literal> - + <literal moreinfo="none">MODSEC_BUILD</literal> This variable holds the ModSecurity build number. This variable is intended to be used to check the build number prior to using a feature @@ -2358,9 +2333,7 @@ SecRule ARGS "@pm some key words" deny,status:500
- - <literal>MULTIPART_STRICT_ERROR</literal> - + <literal>MULTIPART_STRICT_ERROR</literal> MULTIPART_STRICT_ERROR will be set to 1 when any of the following variables is also set to @@ -2407,9 +2380,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"
- - <literal>MULTIPART_UNMATCHED_BOUNDARY</literal> - + <literal>MULTIPART_UNMATCHED_BOUNDARY</literal> Set to 1 when, during the parsing phase of a multipart/request-body, ModSecurity encounters what @@ -2427,9 +2398,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"
- - <literal moreinfo="none">PATH_INFO</literal> - + <literal moreinfo="none">PATH_INFO</literal> Besides passing query information to a script/handler, you can also pass additional data, known as extra path information, as part of @@ -2439,9 +2408,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"
- - <literal moreinfo="none">QUERY_STRING</literal> - + <literal moreinfo="none">QUERY_STRING</literal> This variable holds form data passed to the script/handler by appending data after a question mark. Warning: Not URL-decoded. @@ -2451,9 +2418,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"
- - <literal moreinfo="none">REMOTE_ADDR</literal> - + <literal moreinfo="none">REMOTE_ADDR</literal> This variable holds the IP address of the remote client. Example: @@ -2462,9 +2427,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"
- - <literal moreinfo="none">REMOTE_HOST</literal> - + <literal moreinfo="none">REMOTE_HOST</literal> If HostnameLookUps are set to On, then this variable will hold the DNS resolved remote host name. If it is set to Off, then it will hold @@ -2476,9 +2439,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"
- - <literal moreinfo="none">REMOTE_PORT</literal> - + <literal moreinfo="none">REMOTE_PORT</literal> This variable holds information on the source port that the client used when initiating the connection to our web server. Example: in this @@ -2490,9 +2451,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"
- - <literal moreinfo="none">REMOTE_USER</literal> - + <literal moreinfo="none">REMOTE_USER</literal> This variable holds the username of the authenticated user. If there are no password (basic|digest) access controls in place, then this @@ -2500,18 +2459,14 @@ SM %{MULTIPART_SEMICOLON_MISSING}'" SecRule REMOTE_USER "admin" - - Note - + Note This data will not be available in a proxy-mode deployment as the authentication is not local.
- - <literal moreinfo="none">REQBODY_PROCESSOR</literal> - + <literal moreinfo="none">REQBODY_PROCESSOR</literal> Built-in processors are URLENCODED, @@ -2523,9 +2478,8 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- - <literal moreinfo="none">REQBODY_PROCESSOR_ERROR</literal> - + <literal + moreinfo="none">REQBODY_PROCESSOR_ERROR</literal> Possible values are 0 (no error) or 1 (error). This variable will be set by request body processors (typically the @@ -2550,9 +2504,8 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- - <literal moreinfo="none">REQBODY_PROCESSOR_ERROR_MSG</literal> - + <literal + moreinfo="none">REQBODY_PROCESSOR_ERROR_MSG</literal> Empty, or contains the error message from the processor. Example: @@ -2561,9 +2514,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- - <literal moreinfo="none">REQUEST_BASENAME</literal> - + <literal moreinfo="none">REQUEST_BASENAME</literal> This variable holds just the filename part of REQUEST_FILENAME (e.g. index.php). Warning: not @@ -2573,9 +2524,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- - <literal moreinfo="none">REQUEST_BODY</literal> - + <literal moreinfo="none">REQUEST_BODY</literal> This variable holds the data in the request body (including POST_PAYLOAD data). REQUEST_BODY should be used if the original order of @@ -2584,18 +2533,14 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" SecRule REQUEST_BODY "^username=\w{25,}\&password=\w{25,}\&Submit\=login$" - - Note - + Note This variable is only available if the content type is application/x-www-form-urlencoded.
- - <literal moreinfo="none">REQUEST_COOKIES</literal> - + <literal moreinfo="none">REQUEST_COOKIES</literal> This variable is a collection of all of the cookie data. Example: the following example is using the Ampersand special operator to count @@ -2606,9 +2551,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- - <literal moreinfo="none">REQUEST_COOKIES_NAMES</literal> - + <literal moreinfo="none">REQUEST_COOKIES_NAMES</literal> This variable is a collection of the cookie names in the request headers. Example: the following rule will trigger if the JSESSIONID @@ -2618,9 +2561,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- - <literal moreinfo="none">REQUEST_FILENAME</literal> - + <literal moreinfo="none">REQUEST_FILENAME</literal> This variable holds the relative REQUEST_URI minus the QUERY_STRING part (e.g. /index.php). Example: @@ -2629,9 +2570,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- - <literal moreinfo="none">REQUEST_HEADERS</literal> - + <literal moreinfo="none">REQUEST_HEADERS</literal> This variable can be used as either a collection of all of the Request Headers or can be used to specify indivudual headers (by using @@ -2649,9 +2588,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- - <literal moreinfo="none">REQUEST_HEADERS_NAMES</literal> - + <literal moreinfo="none">REQUEST_HEADERS_NAMES</literal> This variable is a collection of the names of all of the Request Headers. Example: @@ -2661,9 +2598,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- - <literal moreinfo="none">REQUEST_LINE</literal> - + <literal moreinfo="none">REQUEST_LINE</literal> This variable holds the complete request line sent to the server (including the REQUEST_METHOD and HTTP version data). Example: this @@ -2673,9 +2608,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" SecRule REQUEST_LINE "!(^((?:(?:pos|ge)t|head))|http/(0\.9|1\.0|1\.1)$)" - - Note - + Note Due to the default action transformation function lowercase, the regex strings should be in lowercase as well unless the t:none @@ -2683,9 +2616,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- - <literal moreinfo="none">REQUEST_METHOD</literal> - + <literal moreinfo="none">REQUEST_METHOD</literal> This variable holds the Request Method used by the client. Example: the following example will trigger if the Request Method is @@ -2693,9 +2624,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" SecRule REQUEST_METHOD "^((?:connect|trace))$" - - Note - + Note Due to the default action transformation function lowercase, the regex strings should be in lowercase as well unless the t:none @@ -2703,18 +2632,14 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- - <literal moreinfo="none">REQUEST_PROTOCOL</literal> - + <literal moreinfo="none">REQUEST_PROTOCOL</literal> This variable holds the Request Protocol Version information. Example: SecRule REQUEST_PROTOCOL "!^http/(0\.9|1\.0|1\.1)$" - - Note - + Note Due to the default action transformation function lowercase, the regex strings should be in lowercase as well unless the t:none @@ -2722,9 +2647,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- - <literal moreinfo="none">REQUEST_URI</literal> - + <literal moreinfo="none">REQUEST_URI</literal> This variable holds the full URL including the QUERY_STRING data (e.g. /index.php?p=X), however it will never contain a domain name, even @@ -2736,9 +2659,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- - <literal moreinfo="none">REQUEST_URI_RAW</literal> - + <literal moreinfo="none">REQUEST_URI_RAW</literal> Same as REQUEST_URI but will contain the domain name if it was provided on the request line (e.g. @@ -2749,9 +2670,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- - <literal moreinfo="none">RESPONSE_BODY</literal> - + <literal moreinfo="none">RESPONSE_BODY</literal> This variable holds the data for the response payload. Example: @@ -2760,9 +2679,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- - <literal>RESPONSE_CONTENT_LENGTH</literal> - + <literal>RESPONSE_CONTENT_LENGTH</literal> Response body length in bytes. Can be available starting with phase 3 but it does not have to be (as the length of response body is @@ -2778,18 +2695,14 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- - <literal>RESPONSE_CONTENT_TYPE</literal> - + <literal>RESPONSE_CONTENT_TYPE</literal> Response content type. Only available starting with phase 3.
- - <literal moreinfo="none">RESPONSE_HEADERS</literal> - + <literal moreinfo="none">RESPONSE_HEADERS</literal> This variable is similar to the REQUEST_HEADERS variable and can be used in the same manner. Example: @@ -2797,9 +2710,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" SecRule RESPONSE_HEADERS:X-Cache "MISS" - - Note - + Note This variable may not have access to some headers when running in embedded-mode. Headers such as Server, Date, Connection and Content-Type @@ -2809,27 +2720,21 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- - <literal moreinfo="none">RESPONSE_HEADERS_NAMES</literal> - + <literal moreinfo="none">RESPONSE_HEADERS_NAMES</literal> This variable is a collection of the response header names. Example: SecRule RESPONSE_HEADERS_NAMES "Set-Cookie" - - Note - + Note Same limitations as RESPONSE_HEADERS with regards to access to some headers in embedded-mode.
- - <literal moreinfo="none">RESPONSE_PROTOCOL</literal> - + <literal moreinfo="none">RESPONSE_PROTOCOL</literal> This variable holds the HTTP Response Protocol information. Example: @@ -2838,18 +2743,14 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- - <literal moreinfo="none">RESPONSE_STATUS</literal> - + <literal moreinfo="none">RESPONSE_STATUS</literal> This variable holds the HTTP Response Status Code generated by Apache. Example: SecRule RESPONSE_STATUS "^[45]" - - Note - + Note This directive may not work as expected in embedded-mode as Apache handles many of the stock response codes (404, 401, etc...) earlier in @@ -2858,9 +2759,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- - <literal moreinfo="none">RULE</literal> - + <literal moreinfo="none">RULE</literal> This variable provides access to the id, rev, @@ -2875,77 +2774,59 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- - <literal moreinfo="none">SCRIPT_BASENAME</literal> - + <literal moreinfo="none">SCRIPT_BASENAME</literal> This variable holds just the local filename part of SCRIPT_FILENAME. Example: SecRule SCRIPT_BASENAME "^login\.php$" - - Note - + Note This variable is not available in proxy mode.
- - <literal moreinfo="none">SCRIPT_FILENAME</literal> - + <literal moreinfo="none">SCRIPT_FILENAME</literal> This variable holds the full path on the server to the requested script. (e.g. SCRIPT_NAME plus the server path). Example: SecRule SCRIPT_FILENAME "^/usr/local/apache/cgi-bin/login\.php$" - - Note - + Note This variable is not available in proxy mode.
- - <literal moreinfo="none">SCRIPT_GID</literal> - + <literal moreinfo="none">SCRIPT_GID</literal> This variable holds the groupid (numerical value) of the group owner of the script. Example: SecRule SCRIPT_GID "!^46$" - - Note - + Note This variable is not available in proxy mode.
- - <literal moreinfo="none">SCRIPT_GROUPNAME</literal> - + <literal moreinfo="none">SCRIPT_GROUPNAME</literal> This variable holds the group name of the group owner of the script. Example: SecRule SCRIPT_GROUPNAME "!^apache$" - - Note - + Note This variable is not available in proxy mode.
- - <literal moreinfo="none">SCRIPT_MODE</literal> - + <literal moreinfo="none">SCRIPT_MODE</literal> This variable holds the script's permissions mode data (numerical - 1=execute, 2=write, 4=read and 7=read/write/execute). Example: will @@ -2953,17 +2834,13 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" SecRule SCRIPT_MODE "^(2|3|6|7)$" - - Note - + Note This variable is not available in proxy mode.
- - <literal moreinfo="none">SCRIPT_UID</literal> - + <literal moreinfo="none">SCRIPT_UID</literal> This variable holds the userid (numerical value) of the owner of the script. Example: the example rule below will trigger if the UID is @@ -2971,34 +2848,26 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" SecRule SCRIPT_UID "!^46$" - - Note - + Note This variable is not available in proxy mode.
- - <literal moreinfo="none">SCRIPT_USERNAME</literal> - + <literal moreinfo="none">SCRIPT_USERNAME</literal> This variable holds the username of the owner of the script. Example: SecRule SCRIPT_USERNAME "!^apache$" - - Note - + Note This variable is not available in proxy mode.
- - <literal moreinfo="none">SERVER_ADDR</literal> - + <literal moreinfo="none">SERVER_ADDR</literal> This variable contains the IP address of the server. Example: @@ -3007,27 +2876,21 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- - <literal moreinfo="none">SERVER_NAME</literal> - + <literal moreinfo="none">SERVER_NAME</literal> This variable contains the server's hostname or IP address. Example: SecRule SERVER_NAME "hostname\.com$" - - Note - + Note This data is taken from the Host header submitted in the client request.
- - <literal moreinfo="none">SERVER_PORT</literal> - + <literal moreinfo="none">SERVER_PORT</literal> This variable contains the local port that the web server is listening on. Example: @@ -3036,9 +2899,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- - <literal moreinfo="none">SESSION</literal> - + <literal moreinfo="none">SESSION</literal> This variable is a collection, available only after setsid is executed. Example: the following @@ -3056,9 +2917,7 @@ SecRule SESSION:BLOCKED "@eq 1" "log,deny,statu
- - <literal moreinfo="none">SESSIONID</literal> - + <literal moreinfo="none">SESSIONID</literal> This variable is the value set with setsid. Example: @@ -3069,9 +2928,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
- - <literal moreinfo="none">TIME</literal> - + <literal moreinfo="none">TIME</literal> This variable holds a formatted string representing the time (hour:minute:second). Example: @@ -3080,9 +2937,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
- - <literal moreinfo="none">TIME_DAY</literal> - + <literal moreinfo="none">TIME_DAY</literal> This variable holds the current date (1-31). Example: this rule would trigger anytime between the 10th and 20th days of the @@ -3092,9 +2947,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
- - <literal moreinfo="none">TIME_EPOCH</literal> - + <literal moreinfo="none">TIME_EPOCH</literal> This variable holds the time in seconds since 1970. Example: @@ -3103,9 +2956,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
- - <literal moreinfo="none">TIME_HOUR</literal> - + <literal moreinfo="none">TIME_HOUR</literal> This variable holds the current hour (0-23). Example: this rule would trigger during "off hours". @@ -3114,9 +2965,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
- - <literal moreinfo="none">TIME_MIN</literal> - + <literal moreinfo="none">TIME_MIN</literal> This variable holds the current minute (0-59). Example: this rule would trigger during the last half hour of every hour. @@ -3125,9 +2974,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
- - <literal moreinfo="none">TIME_MON</literal> - + <literal moreinfo="none">TIME_MON</literal> This variable holds the current month (0-11). Example: this rule would match if the month was either November (10) or December @@ -3137,9 +2984,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
- - <literal moreinfo="none">TIME_SEC</literal> - + <literal moreinfo="none">TIME_SEC</literal> This variable holds the current second count (0-59). Example: @@ -3148,9 +2993,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
- - <literal moreinfo="none">TIME_WDAY</literal> - + <literal moreinfo="none">TIME_WDAY</literal> This variable holds the current weekday (0-6). Example: this rule would trigger only on week-ends (Saturday and Sunday). @@ -3159,9 +3002,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
- - <literal moreinfo="none">TIME_YEAR</literal> - + <literal moreinfo="none">TIME_YEAR</literal> This variable holds the current four-digit year data. Example: @@ -3170,9 +3011,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
- - <literal moreinfo="none">TX</literal> - + <literal moreinfo="none">TX</literal> Transaction Collection. This is used to store pieces of data, create a transaction anomaly score, and so on. Transaction variables are @@ -3208,9 +3047,7 @@ SecRule TX:SCORE "@gt 20" deny,log
- - <literal moreinfo="none">USERID</literal> - + <literal moreinfo="none">USERID</literal> This variable is the value set with setuid. Example: @@ -3220,9 +3057,7 @@ SecRule USERID "Admin"
- - <literal moreinfo="none">WEBAPPID</literal> - + <literal moreinfo="none">WEBAPPID</literal> This variable is the value set with SecWebAppId. Example: @@ -3233,9 +3068,7 @@ SecRule REQUEST_HEADERS:Transfer-Encoding "!^$"
- - <literal moreinfo="none">WEBSERVER_ERROR_LOG</literal> - + <literal moreinfo="none">WEBSERVER_ERROR_LOG</literal> Contains zero or more error messages produced by the web server. Access to this variable is in phase:5 (logging). Example: @@ -3244,9 +3077,7 @@ SecRule REQUEST_HEADERS:Transfer-Encoding "!^$"
- - <literal moreinfo="none">XML</literal> - + <literal moreinfo="none">XML</literal> Can be used standalone (as a target for validateDTD and validateSchema) or with an XPath expression parameter (which makes it a @@ -3317,17 +3148,14 @@ SecRule XML:/xq:employees/employee/name/text() - - XPath Standard - + XPath + Standard - - XPath - Tutorial - + XPath + Tutorial
@@ -5264,4 +5092,4 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}
- + \ No newline at end of file