From 90444d451327ea01b1263e4e509874edd5a38eee Mon Sep 17 00:00:00 2001
From: ivanr
Date: Thu, 31 Jul 2008 11:00:11 +0000
Subject: [PATCH] Update documentation to use correct tfn function in examples. Warn users that REQUEST_BASENAME, _FILENAME, _URI and _URI_RAW variables are not transformed by default.
---
 doc/modsecurity2-apache-reference.xml | 158 ++++++++++++++++----------
 1 file changed, 100 insertions(+), 58 deletions(-)
diff --git a/doc/modsecurity2-apache-reference.xml b/doc/modsecurity2-apache-reference.xml
index ad9f0d33..17d961b6 100644
--- a/doc/modsecurity2-apache-reference.xml
+++ b/doc/modsecurity2-apache-reference.xml
@@ -182,9 +182,9 @@ Security.
- ModSecurity, mod_security, ModSecurity Pro, and
- ModSecurity Core Rules are trademarks or
- registered trademarks of Breach Security, Inc.
+ ModSecurity, mod_security, ModSecurity Pro, and ModSecurity Core
+ Rules are trademarks or registered trademarks of Breach Security,
+ Inc.
@@ -1300,7 +1300,8 @@ SecAuditLogStorageDir logs/audit Dependencies/Notes: None
- SecRule REQUEST_URI "^/$" "chain,skipAfter:99"
+ SecRule REQUEST_URI "^/$" \
+ "chain,t:none,t:urlDecode,t:lowercase,t:normalisePath,skipAfter:99" SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain" SecRule REQUEST_HEADERS:User-Agent \ "^Apache \(internal dummy connection\)$" "t:none"
@@ -1468,10 +1469,11 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \ Version: 2.0.0 Dependencies/Notes: This directive is
- required if you plan to inspect POST_PAYLOADS of requests. This
+ required if you plan to inspect POST_PAYLOAD. This directive must be used along with the "phase:2" processing phase action
- and REQUEST_BODY variable/location. If any of these 3 parts are not
- configured, you will not be able to inspect the request bodies.
+ and REQUEST_BODY variable/location. If any of these 3
+ parts are not configured, you will not be able to inspect the request
+ bodies. Possible values are: 
@@ -1740,7 +1742,10 @@ SecResponseBodyLimit 524288 VARIABLES OPERATOR [ACTIONS] Example Usage: SecRule REQUEST_URI "attack" + moreinfo="none">SecRule REQUEST_URI "attack" \ + + + "phase:1,t:none,t:urlDecode,t:lowercase,t:normalisePath" Processing Phase: Any @@ -1768,11 +1773,11 @@ SecResponseBodyLimit 524288 following rule will reject a transaction that has the word dirty in the URI: - SecRule REQUEST_URI dirty + SecRule ARGS dirty Each rule can specify one or more variables: - SecRule REQUEST_URI|QUERY_STRING dirty + SecRule ARGS|REQUEST_HEADERS:User-Agent dirty There is a third format supported by the selection operator - XPath expression. XPath expressions can only used against the special @@ -1799,7 +1804,7 @@ SecResponseBodyLimit 524288 moreinfo="none">@ as the first character in the second rule parameter: - SecRule REQUEST_URI "@rx dirty" + SecRule ARGS "@rx dirty" Note how we had to use double quotes to delimit the second rule parameter. This is because the second parameter now has a whitespace @@ -2035,7 +2040,7 @@ function main() -- Retrieve one variable, applying one transformation function. -- The second parameter is a string. - local var2 = m.getvar("REQUEST_URI", "normalisePath"); + local var2 = m.getvar("ARGS", "lowercase"); -- Retrieve one variable, applying several transformation functions. -- The second parameter is now a list. You should note that m.getvar() @@ -2553,7 +2558,8 @@ SecRule REQUEST_HEADERS:Host "!^$" "deny,phase:1" - SecRule REQUEST_FILENAME "^/cgi-bin/login\.php$" "chain,log,deny,phase:2" + SecRule REQUEST_FILENAME "^/cgi-bin/login\.php" \ + "chain,log,deny,phase:2,t:none,t:lowercase,t:normalisePath" SecRule ARGS_COMBINED_SIZE "@gt 25" 
@@ -2567,8 +2573,9 @@ SecRule ARGS_COMBINED_SIZE "@gt 25" allow 2 argument names - p and a. If any other argument names are injected, it will be blocked.
- SecRule REQUEST_FILENAME "/index.php" "chain,log,deny,status:403,phase:2"
-SecRule ARGS_NAMES "!^(p|a)$"
+ SecRule REQUEST_FILENAME "/index.php" \
+ "chain,log,deny,status:403,phase:2,t:none,t:lowercase,t:normalisePath"
+SecRule ARGS_NAMES "!^(p|a)$" "t:none,t:lowercase"
@@ -2621,9 +2628,9 @@ SecRule ARGS_NAMES "!^(p|a)$"
<literal moreinfo="none">ENV</literal> - Collection, requires a single parameter (after a colon character). - The ENV variable is set with setenv and does not give access to the CGI - environment variables. Example: + Collection, requires a single parameter (after colon). The + ENV variable is set with setenv and does not give + access to the CGI environment variables. Example: SecRule REQUEST_FILENAME "printenv" pass,setenv:tag=suspicious SecRule ENV:tag "suspicious" @@ -3004,10 +3011,17 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" <literal moreinfo="none">REQUEST_BASENAME</literal> This variable holds just the filename part of - REQUEST_FILENAME (e.g. index.php). Warning: not URL - decoded. Example: + REQUEST_FILENAME (e.g. index.php). - SecRule REQUEST_BASENAME "^login\.php$" + Example: + + SecRule REQUEST_BASENAME "^login\.php$" phase:2,t:none,t:lowercase + + + Please note that anti-evasion transformations are not applied to + this variable by default. REQUEST_BASENAME will + recognise both / and \ as path separators. +
@@ -3023,7 +3037,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" Note This variable is only available if the content type is - application/x-www-form-urlencoded. + application/x-www-form-urlencoded.
@@ -3050,25 +3064,32 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
<literal moreinfo="none">REQUEST_FILENAME</literal> - This variable holds the relative REQUEST_URI minus the - QUERY_STRING part (e.g. /index.php). Example: + This variable holds the relative REQUEST_URI + minus the QUERY_STRING part (e.g. /index.php). + Example: - SecRule REQUEST_FILENAME "^/cgi-bin/login\.php$" + SecRule REQUEST_FILENAME "^/cgi-bin/login\.php$" phase:2,t:none,t:normalisePath + + + Please note that anti-evasion transformations are not used on + REQUEST_FILENAME by default. +
<literal moreinfo="none">REQUEST_HEADERS</literal> This variable can be used as either a collection of all of the - Request Headers or can be used to specify individual headers (by using + request headers or can be used to specify individual headers (by using REQUEST_HEADERS:Header-Name). Example: the first - example uses REQUEST_HEADERS as a collection and is applying the - validateUrlEncoding operator against all headers. + example uses REQUEST_HEADERS as a collection and is + applying the validateUrlEncoding operator against all + headers. SecRule REQUEST_HEADERS "@validateUrlEncoding" - Example: the second example is targeting only the Host - header. + Example: the second example is targeting only the + Host header. SecRule REQUEST_HEADERS:Host "^[\d\.]+$" \ "deny,log,status:400,msg:'Host header is a numeric IP address'" @@ -3077,8 +3098,8 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
<literal moreinfo="none">REQUEST_HEADERS_NAMES</literal> - This variable is a collection of the names of all of the Request - Headers. Example: + This variable is a collection of the names of all of the request + headers. Example: SecRule REQUEST_HEADERS_NAMES "^x-forwarded-for" \ "log,deny,status:403,t:lowercase,msg:'Proxy Server Used'" @@ -3099,9 +3120,10 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
<literal moreinfo="none">REQUEST_METHOD</literal> - This variable holds the Request Method used by the client. - Example: the following example will trigger if the Request Method is - either CONNECT or TRACE. + This variable holds the request method used by the client. + + The following example will trigger if the request method is either + CONNECT or TRACE. SecRule REQUEST_METHOD "^((?:connect|trace))$" t:none,t:lowercase
@@ -3109,7 +3131,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
<literal moreinfo="none">REQUEST_PROTOCOL</literal> - This variable holds the Request Protocol Version information. + This variable holds the request protocol version information. Example: SecRule REQUEST_PROTOCOL "!^http/(0\.9|1\.0|1\.1)$" t:none,t:lowercase @@ -3118,31 +3140,45 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
<literal moreinfo="none">REQUEST_URI</literal> - This variable holds the full URL including the QUERY_STRING data - (e.g. /index.php?p=X), however it will never contain a domain name, even - if it was provided on the request line. Warning: not URL decoded. It - also does not include either the REQUEST_METHOD or the HTTP version - info. Example: + This variable holds the full URL including the + QUERY_STRING data (e.g. /index.php?p=X), however it + will never contain a domain name, even if it was provided on the request + line. It also does not include either the + REQUEST_METHOD or the HTTP version info. - SecRule REQUEST_URI "attack" + Example: + + SecRule REQUEST_URI "attack" phase:1,t:none,t:urlDecode,t:lowercase,t:normalisePath + + + Please note that anti-evasion transformations are not used on + REQUEST_URI by default. +
<literal moreinfo="none">REQUEST_URI_RAW</literal> - Same as REQUEST_URI but will contain the domain name if it was - provided on the request line (e.g. - http://www.example.com/index.php?p=X). Warning: not URL decoded. - Example: + Same as REQUEST_URI but will contain the domain + name if it was provided on the request line (e.g. + http://www.example.com/index.php?p=X). - SecRule REQUEST_URI_RAW "http:/" + Example: + + SecRule REQUEST_URI_RAW "http:/" phase:1,t:none,t:urlDecode,t:lowercase,t:normalisePath + + + Please note that anti-evasion transformations are not used on + REQUEST_URI_RAW by default. +
<literal moreinfo="none">RESPONSE_BODY</literal> - This variable holds the data for the response payload. - Example: + This variable holds the data for the response payload. + + Example: SecRule RESPONSE_BODY "ODBC Error Code"
@@ -3377,7 +3413,8 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" SecRule REQUEST_COOKIES:PHPSESSID !^$ chain,nolog,pass SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
-SecRule REQUEST_URI "^/cgi-bin/finger$" "pass,log,setvar:session.score=+10"
+SecRule REQUEST_URI "^/cgi-bin/finger$" \
+ "phase:2,t:none,t:lowercase,t:normalisePath,pass,log,setvar:session.score=+10" SecRule SESSION:SCORE "@gt 50" "pass,log,setvar:session.blocked=1" SecRule SESSION:BLOCKED "@eq 1" "log,deny,status:403"
@@ -4116,9 +4153,11 @@ SecRule TX:1 "(?:(?:a(dmin|nonymous)))" Example: # Refuse to accept POST requests that do -# not specify request body length -SecRule REQUEST_METHOD ^POST$ chain -SecRule REQUEST_HEADER:Content-Length ^$ +# not specify request body length. Do note that +# this rule should be preceeded by a rule that verifies +# only valid request methods (e.g. GET, HEAD and POST) are used. +SecRule REQUEST_METHOD ^POST$ chain,t:none +SecRule REQUEST_HEADER:Content-Length ^$ t:none Note @@ -4297,7 +4336,7 @@ SecRule IP:AUTH_ATTEMPT "@gt 25" \ # The following is going to execute /usr/local/apache/bin/test.sh # as a shell script on rule match. SecRule REQUEST_URI "^/cgi-bin/script\.pl" \ - "log,exec:/usr/local/apache/bin/test.sh" + "phase:2,t:none,t:lowercase,t:normalisePath,log,exec:/usr/local/apache/bin/test.sh" # The following is going to process /usr/local/apache/conf/exec.lua # internally as a Lua script on rule match. @@ -4331,7 +4370,8 @@ SecRule ARGS:p attack log,exec:/usr/local/apache/conf/exec.luaSecRule REQUEST_COOKIES:JSESSIONID "!^$" nolog,phase:1,pass,chain SecAction setsid:%{REQUEST_COOKIES:JSESSIONID} SecRule REQUEST_URI "^/cgi-bin/script\.pl" \ - "log,allow,setvar:session.suspicious=1,expirevar:session.suspicious=3600,phase:1" + "phase:2,t:none,t:lowercase,t:normalisePath,log,allow,\ +setvar:session.suspicious=1,expirevar:session.suspicious=3600,phase:1" Note @@ -4949,7 +4989,8 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}Example: - SecRule REQUEST_URI "^/$" "chain,skip:2" + SecRule REQUEST_URI "^/$" \ +"phase:2,chain,t:none,skip:2" SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain" SecRule REQUEST_HEADERS:User-Agent "^Apache \(internal dummy connection\)$" "t:none" SecRule &REQUEST_HEADERS:Host "@eq 0" \ 
@@ -4978,7 +5019,7 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \ Example:
- SecRule REQUEST_URI "^/$" "chain,skipAfter:960015"
+ SecRule REQUEST_URI "^/$" "chain,t:none,skipAfter:960015" SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain" SecRule REQUEST_HEADERS:User-Agent "^Apache \(internal dummy connection\)$" "t:none" SecRule &REQUEST_HEADERS:Host "@eq 0" \
@@ -5053,7 +5094,8 @@ SecRule REQUEST_COOKIES:SESSIONID "47414e81cbbef3cf8366e84eeacba091" \ Example: SecRule REQUEST_FILENAME "\b(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe\b" \
- "deny,msg:'System Command Access',id:'950002',tag:'WEB_ATTACK/FILE_INJECTION',tag:'OWASP/A2',severity:'2'"
+ "t:none,t:lowercase,deny,msg:'System Command Access',id:'950002',\
+tag:'WEB_ATTACK/FILE_INJECTION',tag:'OWASP/A2',severity:'2'" Note