diff --git a/doc/modsecurity2-apache-reference.xml b/doc/modsecurity2-apache-reference.xml
index ad9f0d33..17d961b6 100644
--- a/doc/modsecurity2-apache-reference.xml
+++ b/doc/modsecurity2-apache-reference.xml
@@ -182,9 +182,9 @@
Security.
- ModSecurity, mod_security, ModSecurity Pro, and
- ModSecurity Core Rules are trademarks or
- registered trademarks of Breach Security, Inc.
+ ModSecurity, mod_security, ModSecurity Pro, and ModSecurity Core
+ Rules are trademarks or registered trademarks of Breach Security,
+ Inc.
@@ -1300,7 +1300,8 @@ SecAuditLogStorageDir logs/audit
Dependencies/Notes: None
- SecRule REQUEST_URI "^/$" "chain,skipAfter:99"
+ SecRule REQUEST_URI "^/$" \
+ "chain,t:none,t:urlDecode,t:lowercase,t:normalisePath,skipAfter:99"
SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain"
SecRule REQUEST_HEADERS:User-Agent \
"^Apache \(internal dummy connection\)$" "t:none"
@@ -1468,10 +1469,11 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
Version: 2.0.0
Dependencies/Notes: This directive is
- required if you plan to inspect POST_PAYLOADS of requests. This
+ required if you plan to inspect POST_PAYLOAD. This
directive must be used along with the "phase:2" processing phase action
- and REQUEST_BODY variable/location. If any of these 3 parts are not
- configured, you will not be able to inspect the request bodies.
+ and REQUEST_BODY variable/location. If any of these 3
+ parts are not configured, you will not be able to inspect the request
+ bodies.
Possible values are:
@@ -1740,7 +1742,10 @@ SecResponseBodyLimit 524288
VARIABLES OPERATOR [ACTIONS]
Example Usage: SecRule REQUEST_URI "attack"
+ moreinfo="none">SecRule REQUEST_URI "attack" \
+
+
+ "phase:1,t:none,t:urlDecode,t:lowercase,t:normalisePath"
Processing Phase: Any
@@ -1768,11 +1773,11 @@ SecResponseBodyLimit 524288
following rule will reject a transaction that has the word
dirty in the URI:
- SecRule REQUEST_URI dirty
+ SecRule ARGS dirty
Each rule can specify one or more variables:
- SecRule REQUEST_URI|QUERY_STRING dirty
+ SecRule ARGS|REQUEST_HEADERS:User-Agent dirty
There is a third format supported by the selection operator -
XPath expression. XPath expressions can only used against the special
@@ -1799,7 +1804,7 @@ SecResponseBodyLimit 524288
moreinfo="none">@ as the first character in the second rule
parameter:
- SecRule REQUEST_URI "@rx dirty"
+ SecRule ARGS "@rx dirty"
Note how we had to use double quotes to delimit the second rule
parameter. This is because the second parameter now has a whitespace
@@ -2035,7 +2040,7 @@ function main()
-- Retrieve one variable, applying one transformation function.
-- The second parameter is a string.
- local var2 = m.getvar("REQUEST_URI", "normalisePath");
+ local var2 = m.getvar("ARGS", "lowercase");
-- Retrieve one variable, applying several transformation functions.
-- The second parameter is now a list. You should note that m.getvar()
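Review bot: `m.getvar("ARGS", "lowercase")` on the added line sits under a comment that says it retrieves one variable, but `ARGS` names a collection rather than a single variable, so the example presumably yields only one element (or nothing) and no longer illustrates what the comment describes; confirm against the Lua API section of this reference. A target that is unambiguously a single variable, such as `m.getvar("ARGS:p", "lowercase")` or the previous `REQUEST_URI`, would keep the comment accurate. The enclosing `main()` function starts outside the hunk.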
@@ -2553,7 +2558,8 @@ SecRule REQUEST_HEADERS:Host "!^$" "deny,phase:1"
- SecRule REQUEST_FILENAME "^/cgi-bin/login\.php$" "chain,log,deny,phase:2"
+ SecRule REQUEST_FILENAME "^/cgi-bin/login\.php" \
+ "chain,log,deny,phase:2,t:none,t:lowercase,t:normalisePath"
SecRule ARGS_COMBINED_SIZE "@gt 25"
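Review bot: The rewritten pattern on the first added line drops the `$` anchor the old line had (`"^/cgi-bin/login\.php"` replaces `"^/cgi-bin/login\.php$"`), so together with the newly added `t:lowercase,t:normalisePath` the chain now also fires for any filename that merely begins with that path rather than the one script the surrounding text describes. If the intent was only to add the anti-evasion transformations, restore the anchor: `SecRule REQUEST_FILENAME "^/cgi-bin/login\.php$" \`. The `"/index.php"` example in the next hunk is likewise unanchored, but it was already so before this change.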
@@ -2567,8 +2573,9 @@ SecRule ARGS_COMBINED_SIZE "@gt 25"
allow 2 argument names - p and a. If any other argument names are
injected, it will be blocked.
- SecRule REQUEST_FILENAME "/index.php" "chain,log,deny,status:403,phase:2"
-SecRule ARGS_NAMES "!^(p|a)$"
+ SecRule REQUEST_FILENAME "/index.php" \
+ "chain,log,deny,status:403,phase:2,t:none,t:lowercase,t:normalisePath"
+SecRule ARGS_NAMES "!^(p|a)$" "t:none,t:lowercase"
@@ -2621,9 +2628,9 @@ SecRule ARGS_NAMES "!^(p|a)$"
ENV
- Collection, requires a single parameter (after a colon character).
- The ENV variable is set with setenv and does not give access to the CGI
- environment variables. Example:
+ Collection, requires a single parameter (after colon). The
+ ENV variable is set with setenv and does not give
+ access to the CGI environment variables. Example:
SecRule REQUEST_FILENAME "printenv" pass,setenv:tag=suspicious
SecRule ENV:tag "suspicious"
@@ -3004,10 +3011,17 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
REQUEST_BASENAME
This variable holds just the filename part of
- REQUEST_FILENAME (e.g. index.php). Warning: not URL
- decoded. Example:
+ REQUEST_FILENAME (e.g. index.php).
- SecRule REQUEST_BASENAME "^login\.php$"
+ Example:
+
+ SecRule REQUEST_BASENAME "^login\.php$" phase:2,t:none,t:lowercase
+
+
+ Please note that anti-evasion transformations are not applied to
+ this variable by default. REQUEST_BASENAME will
+ recognise both / and \ as path separators.
+
@@ -3023,7 +3037,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
Note
This variable is only available if the content type is
- application/x-www-form-urlencoded.
+ application/x-www-form-urlencoded.
@@ -3050,25 +3064,32 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
REQUEST_FILENAME
- This variable holds the relative REQUEST_URI minus the
- QUERY_STRING part (e.g. /index.php). Example:
+ This variable holds the relative REQUEST_URI
+ minus the QUERY_STRING part (e.g. /index.php).
+ Example:
- SecRule REQUEST_FILENAME "^/cgi-bin/login\.php$"
+ SecRule REQUEST_FILENAME "^/cgi-bin/login\.php$" phase:2,t:none,t:normalisePath
+
+
+ Please note that anti-evasion transformations are not used on
+ REQUEST_FILENAME by default.
+
REQUEST_HEADERS
This variable can be used as either a collection of all of the
- Request Headers or can be used to specify individual headers (by using
+ request headers or can be used to specify individual headers (by using
REQUEST_HEADERS:Header-Name). Example: the first
- example uses REQUEST_HEADERS as a collection and is applying the
- validateUrlEncoding operator against all headers.
+ example uses REQUEST_HEADERS as a collection and is
+ applying the validateUrlEncoding operator against all
+ headers.
SecRule REQUEST_HEADERS "@validateUrlEncoding"
- Example: the second example is targeting only the Host
- header.
+ Example: the second example is targeting only the
+ Host header.
SecRule REQUEST_HEADERS:Host "^[\d\.]+$" \
"deny,log,status:400,msg:'Host header is a numeric IP address'"
@@ -3077,8 +3098,8 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
REQUEST_HEADERS_NAMES
- This variable is a collection of the names of all of the Request
- Headers. Example:
+ This variable is a collection of the names of all of the request
+ headers. Example:
SecRule REQUEST_HEADERS_NAMES "^x-forwarded-for" \
"log,deny,status:403,t:lowercase,msg:'Proxy Server Used'"
@@ -3099,9 +3120,10 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
REQUEST_METHOD
- This variable holds the Request Method used by the client.
- Example: the following example will trigger if the Request Method is
- either CONNECT or TRACE.
+ This variable holds the request method used by the client.
+
+ The following example will trigger if the request method is either
+ CONNECT or TRACE.
SecRule REQUEST_METHOD "^((?:connect|trace))$" t:none,t:lowercase
@@ -3109,7 +3131,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
REQUEST_PROTOCOL
- This variable holds the Request Protocol Version information.
+ This variable holds the request protocol version information.
Example:
SecRule REQUEST_PROTOCOL "!^http/(0\.9|1\.0|1\.1)$" t:none,t:lowercase
@@ -3118,31 +3140,45 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
REQUEST_URI
- This variable holds the full URL including the QUERY_STRING data
- (e.g. /index.php?p=X), however it will never contain a domain name, even
- if it was provided on the request line. Warning: not URL decoded. It
- also does not include either the REQUEST_METHOD or the HTTP version
- info. Example:
+ This variable holds the full URL including the
+ QUERY_STRING data (e.g. /index.php?p=X), however it
+ will never contain a domain name, even if it was provided on the request
+ line. It also does not include either the
+ REQUEST_METHOD or the HTTP version info.
- SecRule REQUEST_URI "attack"
+ Example:
+
+ SecRule REQUEST_URI "attack" phase:1,t:none,t:urlDecode,t:lowercase,t:normalisePath
+
+
+ Please note that anti-evasion transformations are not used on
+ REQUEST_URI by default.
+
REQUEST_URI_RAW
- Same as REQUEST_URI but will contain the domain name if it was
- provided on the request line (e.g.
- http://www.example.com/index.php?p=X). Warning: not URL decoded.
- Example:
+ Same as REQUEST_URI but will contain the domain
+ name if it was provided on the request line (e.g.
+ http://www.example.com/index.php?p=X).
- SecRule REQUEST_URI_RAW "http:/"
+ Example:
+
+ SecRule REQUEST_URI_RAW "http:/" phase:1,t:none,t:urlDecode,t:lowercase,t:normalisePath
+
+
+ Please note that anti-evasion transformations are not used on
+ REQUEST_URI_RAW by default.
+
RESPONSE_BODY
- This variable holds the data for the response payload.
- Example:
+ This variable holds the data for the response payload.
+
+ Example:
SecRule RESPONSE_BODY "ODBC Error Code"
@@ -3377,7 +3413,8 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
SecRule REQUEST_COOKIES:PHPSESSID !^$ chain,nolog,pass
SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
-SecRule REQUEST_URI "^/cgi-bin/finger$" "pass,log,setvar:session.score=+10"
+SecRule REQUEST_URI "^/cgi-bin/finger$" \
+ "phase:2,t:none,t:lowercase,t:normalisePath,pass,log,setvar:session.score=+10"
SecRule SESSION:SCORE "@gt 50" "pass,log,setvar:session.blocked=1"
SecRule SESSION:BLOCKED "@eq 1" "log,deny,status:403"
@@ -4116,9 +4153,11 @@ SecRule TX:1 "(?:(?:a(dmin|nonymous)))"
Example:
# Refuse to accept POST requests that do
-# not specify request body length
-SecRule REQUEST_METHOD ^POST$ chain
-SecRule REQUEST_HEADER:Content-Length ^$
+# not specify request body length. Do note that
+# this rule should be preceeded by a rule that verifies
+# only valid request methods (e.g. GET, HEAD and POST) are used.
+SecRule REQUEST_METHOD ^POST$ chain,t:none
+SecRule REQUEST_HEADER:Content-Length ^$ t:none
Note
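Review bot: `REQUEST_HEADER:Content-Length` on the last added line names a variable that the rest of this reference does not define; every other example uses the plural form `REQUEST_HEADERS:Header-Name` (e.g. `REQUEST_HEADERS:User-Agent` earlier on this page), so this is most likely a typo, and ModSecurity would probably reject the example at configuration time as written. Separately, matching `^$` against the header value only fires when the header is present but empty, whereas the comment describes a request that omits it; the missing-header idiom used elsewhere in this document is the counting operator, `SecRule &REQUEST_HEADERS:Content-Length "@eq 0" t:none`. The comment's `preceeded` should read `preceded`.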
@@ -4297,7 +4336,7 @@ SecRule IP:AUTH_ATTEMPT "@gt 25" \
# The following is going to execute /usr/local/apache/bin/test.sh
# as a shell script on rule match.
SecRule REQUEST_URI "^/cgi-bin/script\.pl" \
- "log,exec:/usr/local/apache/bin/test.sh"
+ "phase:2,t:none,t:lowercase,t:normalisePath,log,exec:/usr/local/apache/bin/test.sh"
# The following is going to process /usr/local/apache/conf/exec.lua
# internally as a Lua script on rule match.
@@ -4331,7 +4370,8 @@ SecRule ARGS:p attack log,exec:/usr/local/apache/conf/exec.luaSecRule REQUEST_COOKIES:JSESSIONID "!^$" nolog,phase:1,pass,chain
SecAction setsid:%{REQUEST_COOKIES:JSESSIONID}
SecRule REQUEST_URI "^/cgi-bin/script\.pl" \
- "log,allow,setvar:session.suspicious=1,expirevar:session.suspicious=3600,phase:1"
+ "phase:2,t:none,t:lowercase,t:normalisePath,log,allow,\
+setvar:session.suspicious=1,expirevar:session.suspicious=3600,phase:1"
Note
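Review bot: The rewritten action list now carries two phase actions: `phase:2` at the start of the first added line and `phase:1` retained at the end of the second. ModSecurity allows a single phase per rule, so one of the two is either ignored or rejected at load time depending on how the parser handles duplicates, and a reader cannot tell which phase the example is meant to demonstrate. Drop the trailing `,phase:1` (or the leading `phase:2`) so the rule states one phase, and since `REQUEST_URI` is already available in phase 1, say in the surrounding text why phase 2 was chosen if that is the intent.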
@@ -4949,7 +4989,8 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}Example:
- SecRule REQUEST_URI "^/$" "chain,skip:2"
+ SecRule REQUEST_URI "^/$" \
+"phase:2,chain,t:none,skip:2"
SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain"
SecRule REQUEST_HEADERS:User-Agent "^Apache \(internal dummy connection\)$" "t:none"
SecRule &REQUEST_HEADERS:Host "@eq 0" \
@@ -4978,7 +5019,7 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
Example:
- SecRule REQUEST_URI "^/$" "chain,skipAfter:960015"
+ SecRule REQUEST_URI "^/$" "chain,t:none,skipAfter:960015"
SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain"
SecRule REQUEST_HEADERS:User-Agent "^Apache \(internal dummy connection\)$" "t:none"
SecRule &REQUEST_HEADERS:Host "@eq 0" \
@@ -5053,7 +5094,8 @@ SecRule REQUEST_COOKIES:SESSIONID "47414e81cbbef3cf8366e84eeacba091" \
Example:
SecRule REQUEST_FILENAME "\b(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe\b" \
- "deny,msg:'System Command Access',id:'950002',tag:'WEB_ATTACK/FILE_INJECTION',tag:'OWASP/A2',severity:'2'"
+ "t:none,t:lowercase,deny,msg:'System Command Access',id:'950002',\
+tag:'WEB_ATTACK/FILE_INJECTION',tag:'OWASP/A2',severity:'2'"
Note