From b3243374f5e560f49b11faa4b353a02dc4bc4f92 Mon Sep 17 00:00:00 2001 From: brenosilva Date: Wed, 30 Mar 2011 14:17:41 +0000 Subject: [PATCH] New doc --- doc/Makefile | 45 - doc/Reference_Manual.html | 5791 ++++++++++++++++++++ doc/apache_request_cycle-modsecurity.jpg | Bin 92271 -> 0 bytes doc/breach-logo-small.gif | Bin 2389 -> 0 bytes doc/hijack-detect.lua | 231 - doc/html-chunked.xsl | 293 - doc/html.xsl | 21 - doc/main-index.html | 35 - doc/migration-matrix.html | 74 - doc/migration-matrix.xml | 808 --- doc/modsecurity-logo.png | Bin 100823 -> 0 bytes doc/modsecurity-reference.css | 102 - doc/modsecurity.gif | Bin 2585 -> 0 bytes doc/modsecurity2-apache-reference.xml | 6364 ---------------------- doc/modsecurity2-data-formats.xml | 1274 ----- doc/pdf.xsl | 166 - 16 files changed, 5791 insertions(+), 9413 deletions(-) delete mode 100644 doc/Makefile create mode 100644 doc/Reference_Manual.html delete mode 100644 doc/apache_request_cycle-modsecurity.jpg delete mode 100644 doc/breach-logo-small.gif delete mode 100644 doc/hijack-detect.lua delete mode 100644 doc/html-chunked.xsl delete mode 100644 doc/html.xsl delete mode 100644 doc/main-index.html delete mode 100644 doc/migration-matrix.html delete mode 100644 doc/migration-matrix.xml delete mode 100644 doc/modsecurity-logo.png delete mode 100644 doc/modsecurity-reference.css delete mode 100644 doc/modsecurity.gif delete mode 100644 doc/modsecurity2-apache-reference.xml delete mode 100644 doc/modsecurity2-data-formats.xml delete mode 100644 doc/pdf.xsl diff --git a/doc/Makefile b/doc/Makefile deleted file mode 100644 index 43d82b8e..00000000 --- a/doc/Makefile +++ /dev/null @@ -1,45 +0,0 @@ -FOP = /opt/fop/fop.sh -XALAN = /opt/fop/xalan.sh -JAVA_HOME = /usr/lib/jvm/java-6-sun - -ALLDOCS = modsecurity2-apache-reference.pdf modsecurity2-data-formats.pdf modsecurity2-apache-reference.html modsecurity2-data-formats.html html-multipage/index.html index.html - -all: $(ALLDOCS) - -modsecurity2-apache-reference.pdf: modsecurity2-apache-reference.xml - JAVA_HOME=$(JAVA_HOME); export JAVA_HOME; \ - $(FOP) -q -xsl pdf.xsl -xml modsecurity2-apache-reference.xml -pdf modsecurity2-apache-reference.pdf; - -modsecurity2-data-formats.pdf: modsecurity2-data-formats.xml - JAVA_HOME=$(JAVA_HOME); export JAVA_HOME; \ - $(FOP) -q -xsl pdf.xsl -xml modsecurity2-data-formats.xml -pdf modsecurity2-data-formats.pdf; - -modsecurity2-apache-reference.html: modsecurity2-apache-reference.xml - JAVA_HOME=$(JAVA_HOME); export JAVA_HOME; \ - $(XALAN) -q -xsl html.xsl -in modsecurity2-apache-reference.xml -param base.dir ./; \ - mv index.html modsecurity2-apache-reference.html; - -modsecurity2-data-formats.html: modsecurity2-data-formats.xml - JAVA_HOME=$(JAVA_HOME); export JAVA_HOME; \ - $(XALAN) -q -xsl html.xsl -in modsecurity2-data-formats.xml -param base.dir ./; \ - mv index.html modsecurity2-data-formats.html; - -html-multipage/index.html: modsecurity2-apache-reference.xml - JAVA_HOME=$(JAVA_HOME); export JAVA_HOME; \ - mkdir html-multipage/; \ - $(XALAN) -q -xsl html-chunked.xsl -in modsecurity2-apache-reference.xml -param base.dir html-multipage/; \ - cp modsecurity-reference.css html-multipage/; \ - cp modsecurity.gif html-multipage/; \ - cp breach-logo-small.gif html-multipage/; \ - cp apache_request_cycle-modsecurity.jpg html-multipage/ - -index.html: main-index.html - (cp main-index.html index.html && \ - VERSION=`grep ".*" modsecurity2-apache-reference.xml | sed 's/[ \t]*<\/\?releaseinfo>[ \t]*//g'` && \ - perl -pi -e "s/\\\$$version/$$VERSION/" index.html) - -clean: - rm -rf docindex.html $(ALLDOCS) html-multipage - -.PHONY: setup cleanup - diff --git a/doc/Reference_Manual.html b/doc/Reference_Manual.html new file mode 100644 index 00000000..e2cecfc1 --- /dev/null +++ b/doc/Reference_Manual.html @@ -0,0 +1,5791 @@ + + + + + + + + + + + + + + + SourceForge.net: Reference Manual - mod-security + + + + + + + + + + + + + + + + + + + +
+
+
+ +

Reference Manual

+
+

From mod-security

+
+
Jump to: navigation, + search
+

Contents

[hide]
+ +
+

ModSecurity® Reference Manual

+

+Current as of v2.5.13 and v2.6

+

Copyright © 2004-2011 Trustwave Holdings, +Inc.

+

Table of Contents

+

Introduction

+

ModSecurity is a web application firewall (WAF). With over 70% of +attacks now carried out over the web application level, organisations +need all the help they can get in making their systems secure. WAFs are +deployed to establish an increased external security layer to detect +and/or prevent attacks before they reach web applications. ModSecurity +provides protection from a range of attacks against web applications and + allows for HTTP traffic monitoring and real-time analysis with little +or no changes to existing infrastructure. +

+

HTTP Traffic Logging

+

Web servers are typically well-equipped to log traffic in a form +useful for marketing analyses, but fall short logging traffic to web +applications. In particular, most are not capable of logging the request + bodies. Your adversaries know this, and that is why most attacks are +now carried out via POST requests, rendering your systems blind. +ModSecurity makes full HTTP transaction logging possible, allowing +complete requests and responses to be logged. Its logging facilities +also allow fine-grained decisions to be made about exactly what is +logged and when, ensuring only the relevant data is recorded. As some of + the request and/or response may contain sensitive data in certain +fields, ModSecurity can be configured to mask these fields before they +are written to the audit log. +

+

Real-Time Monitoring and Attack Detection

+

In addition to providing logging facilities, ModSecurity can monitor +the HTTP traffic in real time in order to detect attacks. In this case, +ModSecurity operates as a web intrusion detection tool, allowing you to +react to suspicious events that take place at your web systems. +

+

Attack Prevention and Virtual Patching

+

ModSecurity can also act immediately to prevent attacks from reaching + your web applications. There are three commonly used approaches: +

+
  1. Negative security model. A negative security model monitors +requests for anomalies, unusual behaviour, and common web application +attacks. It keeps anomaly scores for each request, IP addresses, +application sessions, and user accounts. Requests with high anomaly +scores are either logged or rejected altogether. +
  2. Positive security model. When a positive security model is +deployed, only requests that are known to be valid are accepted, with +everything else rejected. This model requires knownledge of the web +applications you are protecting. Therefore a positive security model +works best with applications that are heavily used but rarely updated so + that maintenance of the model is minimized. +
  3. Known weaknesses and vulnerabilities. Its rule language makes +ModSecurity an ideal external patching tool. External patching +(sometimes referred to as Virtual Patching) is about reducing the window + of opportunity. Time needed to patch application vulnerabilities often +runs to weeks in many organisations. With ModSecurity, applications can +be patched from the outside, without touching the application source +code (and even without any access to it), making your systems secure +until a proper patch is applied to the application. +
+

Flexible Rule Engine

+

A flexible rule engine sits in the heart of ModSecurity. It +implements the ModSecurity Rule Language, which is a specialised +programming language designed to work with HTTP transaction data. The +ModSecurity Rule Language is designed to be easy to use, yet flexible: +common operations are simple while complex operations are possible. +Certified ModSecurity Rules, included with ModSecurity, contain a +comprehensive set of rules that implement general-purpose hardening, +protocol validation and detection of common web application security +issues. Heavily commented, these rules can be used as a learning tool. +

+

+ Embedded-mode Deployment

+

ModSecurity is an embeddable web application firewall, which means it + can be deployed as part of your existing web server infrastructure +provided your web servers are Apache-based. This deployment method has +certain advantages: +

+
  1. No changes to existing network. It only takes a few minutes to +add ModSecurity to your existing web servers. And because it was +designed to be completely passive by default, you are free to deploy it +incrementally and only use the features you need. It is equally easy to +remove or deactivate it if required. +
  2. No single point of failure. Unlike with network-based +deployments, you will not be introducing a new point of failure to your +system. +
  3. Implicit load balancing and scaling. Because it works embedded +in web servers, ModSecurity will automatically take advantage of the +additional load balancing and scalability features. You will not need to + think of load balancing and scaling unless your existing system needs +them. +
  4. Minimal overhead. Because it works from inside the web server +process there is no overhead for network communication and minimal +overhead in parsing and data exchange. +
  5. No problem with encrypted or compressed content. Many IDS +systems have difficulties analysing SSL traffic. This is not a problem +for ModSecurity because it is positioned to work when the traffic is +decrypted and decompressed. +
+

+ Network-based Deployment

+

ModSecurity works equally well when deployed as part of an +Apache-based reverse proxy server, and many of our customers choose to +do so. In this scenario, one installation of ModSecurity can protect any + number of web servers (even the non-Apache ones). +

+

Portability

+

ModSecurity is known to work well on a wide range of operating +systems. Our customers are successfully running it on Linux, Windows, +Solaris, FreeBSD, OpenBSD, NetBSD, AIX, Mac OS X, and HP-UX. +

+

+Licensing

+

ModSecurity is available under two licenses. Users can choose to use +the software under the terms of the GNU General Public License version 2 + (licence text is included with the distribution), as an Open Source / +Free Software product. A range of commercial licenses is also available, + together with a range of commercial support contracts. For more +information on commercial licensing please contact Trustwave. +

+
Note 
ModSecurity, mod_security, ModSecurity Pro, + and ModSecurity Core Rules are trademarks or registered trademarks of +Trustwave Holdings, Inc. +
+

OWASP ModSecurity Core Rule Set (CRS) Project

+

+Overview

+

ModSecurity is a web application firewall engine that provides very +little protection on its own. In order to become useful, ModSecurity +must be configured with rules. In order to enable users to take full +advantage of ModSecurity out of the box, Trustwave's SpiderLabs created +the OWASP ModSecurity Core Rule Set (CRS) Project. Unlike intrusion +detection and prevention systems, which rely on signatures specific to +known vulnerabilities, the CRS provide generic protection from unknown +vulnerabilities often found in web applications, which are in most cases + custom coded. The CRS is heavily commented to allow it to be used as a +step-by-step deployment guide for ModSecurity. The latest rules packages + can be found at the OWASP ModSecurity CRS Project Site. +

+

Core Rules Content

+

In order to provide generic web applications protection, the CRS use +some of the following example techniques: +

+
  • HTTP protection - detecting violations of the HTTP protocol and a + locally defined usage policy. +
  • Common Web Attacks Protection - detecting common web +application security attack. +
  • Automation detection - Detecting bots, crawlers, scanners and +other surface malicious activity. +
  • Trojan Protection - Detecting access to Trojans horses. +
  • Error Hiding - Disguising error messages sent by the server. +
+

Installation

+

Prerequisites

+

ModSecurity 2.x works only with Apache 2.0.x or +higher

+

Version 2.2.x is highly recommended. +

+

mod_uniqueid

+

Make sure you have mod_unique_id installed. +mod_unique_id is packaged with Apache httpd. +

+

libapr and libapr-util

+

libapr and libapr-util - http://apr.apache.org/ +

+

+libpcre

+

http://www.pcre.org/ +

+

+libxml2

+

http://xmlsoft.org/downloads.html +

+

liblua v5.1.x

+

This library is optional and only needed if you will be using the new + Lua engine - http://www.lua.org/download.html +

+
Note 
that ModSecurity requires the dynamic +libraries. These are not built by default in the source distribution, so + the binary distribution is recommended. +
+

+ libcurl v7.15.1 or higher

+

If you will be using the ModSecurity Log Collector (mlogc) to send +audit logs to a central repository, then you will also need the curl +library. +

http://curl.haxx.se/libcurl/ +

+
Note 
Many have had issues with libcurl linked +with the GnuTLS library for SSL/TLS support. It is recommended that the +openssl library be used for SSL/TLS support in libcurl. +
+

Installation Methods

+

Before you begin with installation you will need to choose your +preferred installation method. First you need to choose whether to +install the latest version of ModSecurity directly from CVS (best +features, but possibly unstable) or use the latest stable release +(recommended). If you choose a stable release, it might be possible to +install ModSecurity from binary. It is always possible to compile it +from source code. +

The following few pages will give you more information on +benefits of choosing one method over another. +

+

+ SVN Access

+

If you want to access the latest version of the module you need to +get it from the svn repository. The list of changes made since the last +stable release is normally available on the web site (and in the file +CHANGES). The SVN repository for ModSecurity is hosted by SourceForge (http://www.sf.net). You can + access it directly or view if through web using this address: http://mod-security.svn.sourceforge.net/viewvc/mod-security/ + +

To download the lastest TRUNK source code to your computer you +need to execute the following command: +

git +

+
$git svn clone --prefix=svn/ https://mod-security.svn.sourceforge.net/svnroot/mod-security/m2/trunk
+
+

svn +

+
svn co https://mod-security.svn.sourceforge.net/svnroot/mod-security/m2/trunk modisecurity
+
+

Stable Release Download

+

To download the stable release go to http://www.modsecurity.org/download/. + Binary distributions are sometimes available. If they are, they are +listed on the download page. If not download the source code +distribution. +

+

Installation Steps

+
  • Stop Apache httpd +
  • Unpack the ModSecurity archive +
  • Build +
+

Building differs for UNIX (or UNIX-like) operating systems and +Windows. +

+

UNIX

+

Run the configure script to generate a Makefile. Typically no options + are needed. +

+
./configure
+

Options are available for more customization (use ./configure --help +for a full list), but typically you will only need to specify the +location of the apxs command installed by Apache httpd with the +--with-apxs option. +

+
./configure --with-apxs=/path/to/httpd-2.x.y/bin/apxs
+
Note 
There are certain configure options that +are meant for debugging an other development use. If enabled, these +options can substantially impact performance. These options include all +--debug-* options as well as the --enable-performance-measurements +options. +
+

Compile with: +

+
make
+

Optionally test with: +

+
make test
+
Note 
This is step is still a bit experimental. +If you have problems, please send the full output and error from the +build to the support list. Most common issues are related to not finding + the required headers and/or libraries. +
+

Optionally build the ModSecurity Log Collector with: +

+
make mlogc
+

Optionally install mlogc: Review the INSTALL file included in the +apache2/mlogc-src directory in the distribution. +Install the ModSecurity module with: +

+
make install
+

+ Windows (MS VC++ 8)

+

Edit Makefile.win to configure the Apache base and library paths. +Compile with: nmake -f Makefile.win +Install the ModSecurity module with: nmake -f Makefile.win install +Copy the libxml2.dll and lua5.1.dll to the Apache bin directory. +Alternatively you can follow the step below for using LoadFile to load +these libraries. +

+

+ Edit the main Apache httpd config file +(usually httpd.conf)

+

On UNIX (and Windows if you did not copy the DLLs as stated above) +you must load libxml2 and lua5.1 before ModSecurity with something like +this: +

+
LoadFile /usr/lib/libxml2.so
+LoadFile /usr/lib/liblua5.1.so
+
+

Load the ModSecurity module with: +

+
LoadModule security2_module modules/mod_security2.so
+
+

Configure ModSecurity

+

Start Apache httpd

+

You should now have ModSecurity 2.x up and running. +

+
Note 
If you have compiled Apache yourself you +might experience problems compiling ModSecurity against PCRE. This is +because Apache bundles PCRE but this library is also typically provided +by the operating system. I would expect most (all) vendor-packaged +Apache distributions to be configured to use an external PCRE library +(so this should not be a problem). +
+
You want to avoid Apache using the bundled PCRE library and +ModSecurity linking against the one provided by the operating system. +The easiest way to do this is to compile Apache against the PCRE library + provided by the operating system (or you can compile it against the +latest PCRE version you downloaded from the main PCRE distribution +site). You can do this at configure time using the --with-pcre switch. +If you are not in a position to recompile Apache, then, to compile +ModSecurity successfully, you'd still need to have access to the bundled + PCRE headers (they are available only in the Apache source code) and +change the include path for ModSecurity (as you did in step 7 above) to +point to them (via the --with-pcre ModSecurity configure option). +
+
Do note that if your Apache is using an external PCRE library +you can compile ModSecurity with WITH_PCRE_STUDY defined,which would +possibly give you a slight performance edge in regular expression +processing. +
+
Non-gcc compilers may have problems running out-of-the-box as +the current build system was designed around the gcc compiler and some +compiler/linker flags may differ. To use a non-gcc compiler you may need + some manual Makefile tweaks if issues cannot be solved by exporting +custom CFLAGS and CPPFLAGS environment variables. +
+
If you are upgrading from ModSecurity 1.x, please refer to the +migration matrix at http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf +
+

+ Configuration Directives

+

The following section outlines all of the ModSecurity directives. +Most of the ModSecurity directives can be used inside the various Apache + Scope Directives such as VirtualHost, Location, LocationMatch, +Directory, etc... There are others, however, that can only be used once +in the main configuration file. This information is specified in the +Scope sections below. The first version to use a given directive is +given in the Version sections below. +

These rules, along with the Core rules files, should be contained + is files outside of the httpd.conf file and called up with Apache +"Include" directives. This allows for easier updating/migration of the +rules. If you create your own custom rules that you would like to use +with the Core rules, you should create a file called - +modsecurity_crs_15_customrules.conf and place it in the same directory +as the Core rules files. By using this file name, your custom rules will + be called up after the standard ModSecurity Core rules configuration +file but before the other Core rules. This allows your rules to be +evaluated first which can be useful if you need to implement specific +"allow" rules or to correct any false positives in the Core rules as +they are applied to your site. +

+
Note 
It is highly encouraged that you do not +edit the Core rules files themselves but rather place all changes (such +as SecRuleRemoveByID, etc...) in your custom rules file. This will allow + for easier upgrading as newer Core rules are released by Breach +Security on the ModSecurity website. +
+

+SecAction

+

Description: Unconditionally processes the action list it +receives as the first and only parameter. The syntax of the parameter is + identical to that of the third parameter of SecRule. +

Syntax: SecAction "action1,action2,action3,...“ +

Scope: Any +

Version: 2.0.0 +

This directive is commonly used to set variables and initialize +persistent collections using the initcol action. For example: +

+
SecAction nolog,phase:1,initcol:RESOURCE=%{REQUEST_FILENAME}
+

SecArgumentSeparator

+

Description: Specifies which character to use as the separator + for application/x-www-form- urlencoded content. +

Syntax: SecArgumentSeparator character +

Default: & +

Scope: Main +

Version: 2.0.0 +

This directive is needed if a backend web application is using a +nonstandard argument separator. Applications are sometimes (very rarely) + written to use a semicolon separator. You should not change the default + setting unless you establish that the application you are working with +requires a different separator. If this directive is not set properly +for each web application, then ModSecurity will not be able to parse the + arguments appropriately and the effectiveness of the rule matching will + be significantly decreased. +

+

SecAuditEngine

+

Description: Configures the audit logging engine. +

Syntax: SecAuditEngine RelevantOnly +

Default: Off +

Scope: Any +

Version: 2.0.0 +

The SecAuditEngine directive is used to configure the audit +engine, which logs complete transactions. ModSecurity is currently able +to log most, but not all transactions. Transactions involving errors +(e.g., 400 and 404 transactions) use a different execution path, which +ModSecurity does not support. +

The possible values for the audit log engine are as follows: +

+
  • On: log all transactions +
  • Off: do not log any transactions +
  • RelevantOnly: only the log transactions that have +triggered a warning or an error, or have a status code that is +considered to be relevant (as determined by the +SecAuditLogRelevantStatus directive) +
+
Note 
If you need to change the audit log engine +configuration on a per-transaction basis (e.g., in response to some +transaction data), use the ctl action. +
+

The following example demonstrates how SecAuditEngine is used: +

+
SecAuditEngine RelevantOnly
+SecAuditLog logs/audit/audit.log
+SecAuditLogParts ABCFHZ 
+SecAuditLogType concurrent 
+SecAuditLogStorageDir logs/audit 
+SecAuditLogRelevantStatus ^(?:5|4(?!04))
+
+

SecAuditLog

+

Description: Defines the path to the main audit log file +(serial logging format) or the concurrent logging index file (concurrent + logging format). When used in combination with mlogc (only possible +with concurrent logging), this directive defines the mlogc location and +command line. +

Syntax: SecAuditLog /path/to/audit.log +

Scope: Any Version: 2.0.0 +

This file will be used to store the audit log entries if serial +audit logging format is used. If concurrent audit logging format is used + this file will be used as an index, and contain a record of all audit +log files created. If you are planning to use concurrent audit logging +to send your audit log data off to a remote server you will need to +deploy the ModSecurity Log Collector (mlogc), like this: +

+
SecAuditLog "|/path/to/mlogc /path/to/mlogc.conf"
+
+
Note 
This audit log file is opened on startup +when the server typically still runs as root. You should not allow +non-root users to have write privileges for this file or for the +
+

SecAuditLog2

+

Description: Defines the path to the secondary audit log index + file when concurrent logging is enabled. See SecAuditLog for more +details. +

Syntax: SecAuditLog2 /path/to/audit.log +

Scope: Any +

Version: 2.1.2 +

The purpose of SecAuditLog2 is to make logging to two remote +servers possible, which is typically achieved by running two instances +of the mlogc tool, each with a different configuration (in addition, one + of the instances will need to be instructed not to delete the files it +submits). This directive can be used only if SecAuditLog was previously +configured and only if concurrent logging format is used. +

+

SecAuditLogDirMode

+

Description: Configures the mode (permissions) of any +directories created for the concurrent audit logs, using an octal mode +value as parameter (as used in chmod). +

Syntax: SecAuditLogDirMode octal_mode|"default" + +

Default: 0600 +

Scope: Any +

Version: 2.5.10 +

The default mode for new audit log directories (0600) only grants + read/write access to the owner (typically the account under which +Apache is running, for example apache). If access from other accounts is + needed (e.g., for use with mpm-itk), then you may use this directive to + grant additional read and/or write privileges. You should use this +directive with caution to avoid exposing potentially sensitive data to +unauthorized users. Using the value default as parameter reverts the +configuration back to the default setting. This feature is not available + on operating systems not supporting octal file modes. +

Example: +

+
SecAuditLogDirMode 02750
+
Note 
The process umask may still limit the mode +if it is being more restrictive than the mode set using this directive. +
+

SecAuditLogFileMode

+

Description: Configures the mode (permissions) of any files +created for concurrent audit logs using an octal mode (as used in +chmod). See SecAuditLogDirMode for controlling the mode of created audit + log directories. +

Syntax: SecAuditLogFileMode octal_mode|"default" + +

Scope: Any +

Version: 2.5.10 +

Example Usage: SecAuditLogFileMode 00640 +

This feature is not available on operating systems not supporting + octal file modes. The default mode (0600) only grants read/write access + to the account writing the file. If access from another account is +needed (using mpm-itk is a good example), then this directive may be +required. However, use this directive with caution to avoid exposing +potentially sensitive data to unauthorized users. Using the value +“default” will revert back to the default setting. +

+
Note 
The process umask may still limit the mode +if it is being more restrictive than the mode set using this directive. +
+

SecAuditLogParts

+

Description: Defines which parts of each transaction are going + to be recorded in the audit log. Each part is assigned a single letter; + when a letter appears in the list then the equivalent part will be +recorded. See below for the list of all parts. +

Syntax: SecAuditLogParts PARTLETTERS +

Example Usage: SecAuditLogParts ABCFHZ +

Scope: Any Version: 2.0.0 +

Default: ABCFHZ Note +

The format of the audit log format is documented in detail in the + Audit Log Data Format Documentation. +

Available audit log parts: +

+
  • A: Audit log header (mandatory). +
  • B: Request headers. +
  • C: Request body (present only if the request body exists and +ModSecurity is configured to intercept it). +
  • D: Reserved for intermediary response headers; not implemented +yet. +
  • E: Intermediary response body (present only if ModSecurity is +configured to intercept response bodies, and if the audit log engine is +configured to record it). Intermediary response body is the same as the +actual response body unless ModSecurity intercepts the intermediary +response body, in which case the actual response body will contain the +error message (either the Apache default error message, or the +ErrorDocument page). +
  • F: Final response headers (excluding the Date and Server +headers, which are always added by Apache in the late stage of content +delivery). +
  • G: Reserved for the actual response body; not implemented yet. +
  • H: Audit log trailer. +
  • I: This part is a replacement for part C. It will log the same +data as C in all cases except when multipart/form-data encoding in used. + In this case, it will log a fake application/x-www-form-urlencoded body + that contains the information about parameters but not about the files. + This is handy if you don’t want to have (often large) files stored in +your audit logs. +
  • J: This part contains information about the files uploaded +using multipart/form-data encoding. +
  • K: This part contains a full list of every rule that matched +(one per line) in the order they were matched. The rules are fully +qualified and will thus show inherited actions and default operators. +Supported as of v2.5.0. +
  • Z: Final boundary, signifies the end of the entry (mandatory). +
+

+ SecAuditLogRelevantStatus

+

Description: Configures which response status code is to be +considered relevant for the purpose of audit logging. +

Syntax: SecAuditLogRelevantStatus REGEX +

Example Usage: SecAuditLogRelevantStatus +"^(?:5|4(?!04))" +

Scope: Any +

Version: 2.0.0 +

Dependencies/Notes: Must have SecAuditEngine set to +RelevantOnly. +

The main purpose of this directive is to allow you to configure +audit logging for only the transactions that have the status code that +matches the supplied regular expression. The example provided would log +all 5xx and 4xx level status codes, except for 404s. Although you could +achieve the same effect with a rule in phase 5, +SecAuditLogRelevantStatus is sometimes better, because it continues to +work even when SecRuleEngine is disabled. +

+

SecAuditLogStorageDir

+

Description: Configures the directory where concurrent audit +log entries are to be stored. +

Syntax: SecAuditLogStorageDir /path/to/storage/dir +

Example Usage: SecAuditLogStorageDir +/usr/local/apache/logs/audit +

Scope: Any +

Version: 2.0.0 +

This directive is only needed when concurrent audit logging is +used. The directory must already exist and must be writable by the web +server user. Audit log entries are created at runtime, after Apache +switches to a non-root account. +As with all logging mechanisms, ensure that you specify a file system +location that has adequate disk space and is not on the main system +partition. +

+

SecAuditLogType

+

Description: Configures the type of audit logging mechanism to + be used. +

Syntax: SecAuditLogType Serial|Concurrent +

Example Usage: SecAuditLogType Serial +

Scope: Any +

Version: 2.0.0 +

The possible values are: +

+
Serial 
Audit log entries will be stored in a +single file, specified by SecAuditLog. This is conve- nient for casual +use, but it can slow down the server, because only one audit log entry +can be written to the file at any one time. +
Concurrent 
One file per transaction is used for + audit logging. This approach is more scalable when heavy logging is +required (multiple transactions can be recorded in parallel). It is also + the only choice if you need to use remote logging. +
+

SecCacheTransformations

+

Description: Controls the caching of transformations, which +may speed up the processing of complex rule sets. Caching is off by +default starting with 2.5.6, when it was deprecated and downgraded back +to experimental. +

Syntax: SecCacheTransformations On|Off [options] +

Example Usage: SecCacheTransformations On +"minlen:64,maxlen:0" +

Scope: Any +

Version: 2.5.0; deprecated in 2.5.6. +

The first directive parameter can be one of the following: +

+
  • On: Cache transformations (per transaction, per phase) +allowing identical transforma- tions to be performed only once. +
  • Off: Do not cache any transformations, leaving all +transformations to be performed every time they are needed. +
+

The following options are allowed (multiple options must be +comma-separated): +

+
  • incremental:on|off: Enabling this option will cache every + transformation instead of just the final transformation. The default is + off. +
  • maxitems:N: Do not allow more than N transformations to +be cached. Cache will be disabled once this number is reached. A zero +value is interpreted as unlimited. This option may be useful to limit +caching for a form with a large number of variables. The default value +is 512. +
  • minlen:N: Do not cache the transformation if the +variable’s length is less than N bytes. The default setting is 32. +
  • maxlen:N: Do not cache the transformation if the +variable’s length is more than N bytes. A zero value is interpreted as +unlimited. The default setting is 1024. +
+

SecChrootDir

+

Description: Configures the directory path that will be used +to jail the web server process. +

Syntax: SecChrootDir /path/to/chroot/dir +

Example Usage: SecChrootDir /chroot +

Scope: Main +

Version: 2.0.0 +

This feature is not available on Windows builds. The internal +chroot functionality provided by ModSecurity works great for simple +setups. One example of a simple setup is Apache serving only static +files, or running applications using built-in modules. Some problems you + might encounter with more complex setups: +

+
  1. DNS lookups do not work (this is because this feature requires a + shared library that is loaded on demand, after chroot takes place). +
  2. You cannot send email from PHP, because it wants to use +sendmail and sendmail re- sides outside the jail. +
  3. In some cases, when you separate Apache from its configuration, + restarts and graceful reloads no longer work. +
+

The best way to use SecChrootDir is the following: +

+
  1. Create /chroot to be your main jail directory. +
  2. Create /chroot/opt/apache inside jail. +
  3. Create a symlink from /opt/apache to /chroot/opt/apache. +
  4. Now install Apache into /chroot/opt/apache. +
+

You should be aware that the internal chroot feature might not be +100% reliable. Due to the large number of default and third-party +modules available for the Apache web server, it is not possible to +verify the internal chroot works reliably with all of them. A module, +working from within Apache, can do things that make it easy to break out + of the jail. In particular, if you are using any of the modules that +fork in the module initialisation phase (e.g., mod_fastcgi, mod_fcgid, +mod_cgid), you are advised to examine each Apache process and observe +its current working directory, process root, and the list of open files. + Consider what your options are and make your own decision. +

+

SecComponentSignature

+

Description: Appends component signature to the ModSecurity +signature. +

Syntax: SecComponentSignature "COMPONENT_NAME/X.Y.Z +(COMMENT)" +

Example usage: SecComponentSignature "core +ruleset/2.1.3" +

Scope: Main +

Version: 2.5.0 +

This directive should be used to make the presence of significant + rule sets known. The entire signature will be recorded in the +transaction audit log. +

+

SecContentInjection

+

Description: Enables content injection using actions append +and prepend. +

Syntax: SecContentInjection On|Off +

Example Usage: SecContentInjection On +

Scope: Any +

Version: 2.5.0 +

This directive provides an easy way to control content injection, + no matter what the rules want to do. It is not necessary to have +response body buffering enabled in order to use content injection. +

+

SecCookieFormat

+

Description: Selects the cookie format that will be used in +the current configuration context. +

Syntax: SecCookieFormat 0|1 +

Example Usage: SecCookieFormat 0 +

Scope: Any +

Version: 2.0.0 +

The possible values are: +

+
  • 0: Use version 0 (Netscape) cookies. This is what most +applications use. It is the default value. +
  • 1: Use version 1 cookies. +
+

+ SecDataDir

+

Description: Path where persistent data (e.g., IP address +data, session data, and so on) is to be stored. +

Syntax: SecDataDir /path/to/dir +

Example Usage: SecDataDir +/usr/local/apache/logs/data +

Scope: Main +

Version: 2.0.0 +

This directive must be provided before initcol, setsid, and +setuid can be used. The directory to which the directive points must be +writable by the web server user. +

+

SecDebugLog

+

Description: Path to the ModSecurity debug log file. +

Syntax: SecDebugLog /path/to/modsec-debug.log +

Example Usage: SecDebugLog +/usr/local/apache/logs/modsec-debug.log +

Scope: Any +

Version: 2.0.0 +

+

SecDebugLogLevel

+

Description: Configures the verboseness of the debug log data. + +

Syntax: SecDebugLogLevel 0|1|2|3|4|5|6|7|8|9 +

Example Usage: SecDebugLogLevel 4 +

Scope: Any +

Version: 2.0.0 +

Messages at levels 1–3 are always copied to the Apache error log. + Therefore you can always use level 0 as the default logging level in +production if you are very concerned with performance. Having said that, + the best value to use is 3. Higher logging levels are not recommended +in production, because the heavy logging affects performance adversely. +

The possible values for the debug log level are: +

+
  • 0: no logging +
  • 1: errors (intercepted requests) only +
  • 2: warnings +
  • 3: notices +
  • 4: details of how transactions are handled +
  • 5: as above, but including information about each piece of +information handled +
  • 9: log everything, including very detailed debugging +information +
+

SecDefaultAction

+

Description: Defines the default list of actions, which will +be inherited by the rules in the same configuration context. +

Syntax: SecDefaultAction "action1,action2,action3“ +

Example Usage: SecDefaultAction +"phase:2,log,auditlog,deny,status:403“ +

Scope: Any +

Version: 2.0.0 +

Default: phase:2,log,auditlog,pass +

Every rule following a previous SecDefaultAction +directive in the same configuration context will inherit its settings +unless more specific actions are used. Every SecDefaultAction + directive must specify a disruptive action and a processing phase and +cannot contain metadata actions. +

+
Warning 
SecDefaultAction is not +inherited across configuration contexts. (For an example of why this may + be a problem, read the following ModSecurity Blog entry http://blog.spiderlabs.com/2008/07/three-modsecurity-rule-language-annoyances.html.) +
+

+ SecDisableBackendCompression

+

Description: Disables backend compression while leaving the +frontend compression enabled. +

Syntax: SecDisableBackendCompression On|Off +

Scope: Any +

Version: Development trunk +

Default: Off +

This directive is necessary in reverse proxy mode when the +backend servers support response compression, but you wish to inspect +response bodies. Unless you disable backend compression, ModSecurity +will only see compressed content, which is not very useful. This +directive is not necessary in embedded mode, because ModSecurity +performs inspection before response compression takes place. +

+

SecGeoLookupDb

+

Description: Defines the path to the database that will be +used for geolocation lookups. +

Syntax: SecGeoLookupDb /path/to/db +

Example Usage: SecGeoLookupDb +/path/to/GeoLiteCity.dat +

Scope: Any +

Version: 2.5.0 +

ModSecurity relies on the free geolocation databases (GeoLite +City and GeoLite Country) that can be obtained from MaxMind [1]. +

+

SecGsbLookupDb

+

Description: Defines the path to the database that will be +used for Google Safe Browsing (GSB) lookups. +

Syntax: SecGsbLookupDb /path/to/db +

Example Usage: SecGsbLookupDb +/path/to/GsbMalware.dat +

Scope: Any +

Version: 2.6.0 +

ModSecurity relies on the free Google Safe Browsing database that + can be obtained from the Google GSB API [2]. +

+
Note 
After registering and obtaining a Safe +Browsing API key, you can automatically download the GSB using a tool +like wget (where KEY is your own API key): +
+

wget http://sb.google.com/safebrowsing/update?client=api&apikey=KEY&version=goog-malware-hash:1:-1 +

+

SecGuardianLog

+

Description: Configures an external program that will receive +the information about every transaction via piped logging. +

Syntax: SecGuardianLog |/path/to/httpd-guardian +

Example Usage: SecGuardianLog +|/usr/local/apache/bin/httpd-guardian +

Scope: Main +

Version: 2.0.0 +

Guardian logging is designed to send the information about every +request to an external program. Because Apache is typically deployed in a + multiprocess fashion, which makes information sharing between processes + difficult, the idea is to deploy a single external process to observe +all requests in a stateful manner, providing additional protection. +

Currently the only tool known to work with guardian logging is +httpd-guardian, which is part of the Apache httpd tools project [3]. The httpd-guardian tool is designed to defend +against denial of service attacks. It uses the blacklist tool (from the +same project) to interact with an iptables-based (on a Linux system) or +pf-based (on a BSD system) firewall, dynamically blacklisting the +offending IP addresses. It can also interact with SnortSam [4]. Assuming +httpd-guardian is already configured (look into the source code for the +detailed instructions), you only need to add one line to your Apache +configuration to deploy it: +

+
SecGuardianLog |/path/to/httpd-guardian
+

SecInterceptOnError

+

Description: Configures how to respond when rule processing +fails. +

Syntax: SecInterceptOnError On|Off +

Example Usage: SecInterceptOnError On +

Scope: Main +

Version: 2.6 +

When an operator execution fails (ie returns <0), this +directive configures how to react. When set to "Off", the rule is just +ignored and the engine will continue executing the rules in phase. When + set to "On", the rule will be just dropped and no more rules will be +executed in the same phase, also no interception is made. +

+

+SecMarker

+

Description: Adds a fixed rule marker that can be used as a +target in a skipAfter action. A SecMarker directive essentially creates a + rule that does nothing and whose only purpose is to carry the given ID. +

Syntax: SecMarker ID|TEXT +

Example Usage: SecMarker 9999 +

Scope: Any +

Version: 2.5.0 +

The value can be either a number or a text string. The SecMarker + directive is available to allow you to choose the best way to implement + a skip-over. Here is an example used from the Core Rule Set: +

+
SecMarker BEGIN_HOST_CHECK
+
+        SecRule &REQUEST_HEADERS:Host "@eq 0" \
+                "skipAfter:END_HOST_CHECK,phase:2,rev:'2.1.1',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+        SecRule REQUEST_HEADERS:Host "^$" \
+                "phase:2,rev:'2.1.1',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+
+SecMarker END_HOST_CHECK
+
+

SecPcreMatchLimit

+

Description: Sets the match limit in the PCRE library. +

Syntax: SecPcreMatchLimit value +

Example Usage: SecPcreMatchLimit 1500 +

Scope: Main +

Version: 2.5.12 +

Default: 1500 +

The default can be changed when ModSecurity is prepared for +compilation: the --enable-pcre-match-limit=val configure option will set + a custom default and the --disable-pcre-match-limit option will revert +back to the default of the PCRE library. +For more information, refer to the pcre_extra field in the pcreapi man +page. +

+

+ SecPcreMatchLimitRecursion

+

Description: Sets the match limit recursion in the PCRE +library. +

Syntax: SecPcreMatchLimitRecursion value +

Example Usage: SecPcreMatchLimitRecursion 1500 +

Scope: Main +

Version: 2.5.12 +

Default: 1500 +

The default can be changed when ModSecurity is prepared for +compilation: the --enable-pcre-match-limit-recursion=val configure +option will set a custom default and the +--disable-pcre-match-limit-recursion option will revert back to the +default of the PCRE library. +For more information, refer to the pcre_extra field in the pcreapi man +page. +

+

SecPdfProtect

+

Description: Enables the PDF XSS protection functionality. +

Syntax: SecPdfProtect On|Off +

Example Usage: SecPdfProtect On +

Scope: Any +

Version: 2.5.0; removed from trunk +

Once enabled access to PDF files is tracked. Direct access +attempts are redirected to links that contain one-time tokens. Requests +with valid tokens are allowed through, unmodified. Requests with invalid + tokens are also allowed through, but with forced download of the PDF +files. This implementation uses response headers to detect PDF files and + thus can be used with dynamically generated PDF files that do not have +the .pdf extension in the request URI. +

+

SecPdfProtectMethod

+

Description: Configure desired protection method to be used +when requests for PDF files are detected. +

Syntax: SecPdfProtectMethod method +

Example Usage: SecPdfProtectMethod TokenRedirection +

Scope: Any +

Version: 2.5.0; removed from trunk +

Default: TokenRedirection +

Possible values are TokenRedirection and ForcedDownload. The +token redirection approach will attempt to redirect with tokens where +possible. This allows PDF files to continue to be opened inline but +works only for GET requests. Forced download always causes PDF files to +be delivered as opaque binaries and attachments. The latter will always +be used for non-GET requests. Forced download is considered to be more +secure but may cause usability problems for users (“This PDF won’t open +anymore!”). +

+

SecPdfProtectSecret

+

Description: Defines the secret that will be used to construct + one-time tokens. +

Syntax: SecPdfProtectSecret secret +

Example Usage: SecPdfProtectSecret +MyRandomSecretString +

Scope: Any +

Version: 2.5.0; removed from trunk +

You should use a reasonably long value for the secret (e.g., 16 +characters is good). Once selected, the secret should not be changed, as + it will break the tokens that were sent prior to change. But it’s not a + big deal even if you change it. It will just force download of PDF +files with tokens that were issued in the last few seconds. +

+

SecPdfProtectTimeout

+

Description: Defines the token timeout. +

Syntax: SecPdfProtectTimeout timeout +

Example Usage: SecPdfProtectTimeout 10 +

Scope: Any +

Version: 2.5.0; removed from trunk +

Default: 10 +

After token expires, it can no longer be used to allow access to a + PDF file. Request will be allowed through but the PDF will be delivered + as an attachment. +

+

SecPdfProtectTokenName

+

Description: Defines the name of the token. +

Syntax: SecPdfProtectTokenName name +

Example Usage: SecPdfProtectTokenName PDFTOKEN +

Scope: Any +

Version: 2.5.0; removed from trunk +

Default: PDFTOKEN +

The only reason you would want to change the name of the token is + if you wanted to hide the fact that you are running ModSecurity. It’s a + good reason, but it won’t really help, as the adversary can look into +the algorithm used for PDF protection and figure it out anyway. It does +raise the bar slightly, so go ahead if you want to. +

+

SecReadStateLimit

+

Description: Establishes a per-IP address limit of how many +connections are allowed to be in SERVER_BUSY_READ state. +

Syntax: SecReadStateLimit LIMIT +

Example Usage: SecReadStateLimit 50 +

Scope: Main +

Version: 2.5.13 +

Default: 0 (no limit) +

This measure is effective against Slowloris-style attacks from a +single IP address, but it may not be as good against modified attacks +that work by slowly sending request body content. This is because Apache + to switches state to SERVER_BUSY_WRITE once request headers have been +read. As an alternative, consider mod_reqtimeout (part of Apache as of +2.2.15), which is expected be effective against both attack types. See +Blog post on mitigating slow DoS attacks - http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html +

+

SecRequestBodyAccess

+

Description: Configures whether request bodies will be +buffered and processed by ModSecurity. +

Syntax: SecRequestBodyAccess On|Off +

Example Usage: SecRequestBodyAccess On +

Scope: Any +

Version: 2.0.0 +

This directive is required if you want to inspect the data +transported request bodies (e.g., POST parameters). Request buffering is + also required in order to make reliable blocking possible. The +possible values are: +

+
  • On: buffer request bodies +
  • Off: do not buffer request bodies +
+

+ SecRequestBodyInMemoryLimit

+

Description: Configures the maximum request body size that +ModSecurity will store in mem- ory. +

Syntax: SecRequestBodyInMemoryLimit LIMIT_IN_BYTES +

Example Usage: SecRequestBodyInMemoryLimit 131072 +

Scope: Any +

Version: 2.0.0 +

Default: 131072 (128 KB) +

When a multipart/form-data request is being processed, once the +in-memory limit is reached, the request body will start to be streamed +into a temporary file on disk. +

+

SecRequestBodyLimit

+

Description: Configures the maximum request body size +ModSecurity will accept for buffering. +

Syntax: SecRequestBodyLimit LIMIT_IN_BYTES +

Example Usage: SecRequestBodyLimit 134217728 +

Scope: Any +

Version: 2.0.0 +

Default: 134217728 (131072 KB) +

Anything over the limit will be rejected with status code 413 +(Request Entity Too Large). There is a hard limit of 1 GB. +

+
Note 
In ModSecurity 2.5.x and earlier, +SecRequestBodyLimit works only when used in the main server +configuration, or a VirtualHost container. In these versions, request +body limit is enforced immediately after phase 1, but before phase 2 +configuration (i.e. whatever is placed in a Location container) is +resolved. You can work around this limitation by using a phase 1 rule +that changes the request body limit dynamically, using the +ctl:requestBodyLimit action. ModSecurity 2.6.x (currently in the trunk +only) and better do not have this limitation. +
+

+ SecRequestBodyNoFilesLimit

+

Description: Configures the maximum request body size +ModSecurity will accept for buffering, excluding the size of any files +being transported in the request. This directive is useful to reduce +susceptibility to DoS attacks when someone is sending request bodies of +very large sizes. Web applications that require file uploads must +configure SecRequestBodyLimit to a high value, but because large files +are streamed to disk, file uploads will not increase memory consumption. + However, it’s still possible for someone to take advantage of a large +request body limit and send non-upload requests with large body sizes. +This directive eliminates that loophole. +

Syntax: SecRequestBodyNoFilesLimit NUMBER_IN_BYTES +

Example Usage: SecRequestBodyLimit 131072 +

Scope: Any +

Version: 2.5.0 +

Default: 1048576 (1 MB) +

Generally speaking, the default value is not small enough. For +most applications, you should be able to reduce it down to 128 KB or +lower. Anything over the limit will be rejected with status code 413 +(Request Entity Too Large). There is a hard limit of 1 GB. +

+

+ SecRequestBodyLimitAction

+

Description: Controls what happens once a request body limit, +configured with SecRequestBodyLimit, is encountered +

Syntax: SecRequestBodyLimitAction +Reject|ProcessPartial +

Example Usage: SecRequestBodyLimitAction +ProcessPartial +

Scope: Any +

Version: 2.6.0 +

By default, ModSecurity will reject a request body that is longer + than specified. This is problematic especially when ModSecurity is +being run in DetectionOnly mode and the intent is to be totally passive +and not take any disruptive actions against the transaction. With the +ability to choose what happens once a limit is reached, site +administrators can choose to inspect only the first part of the request, + the part that can fit into the desired limit, and let the rest through. + This is not ideal from a possible evasion issue perspective, however +it may be acceptable under certain circumstances. +

+
Note 
When the SecRuleEngine is set to +DetectionOnly, SecRequestBodyLimitAction is automatically set to +ProcessPartial in order to not cause any disruptions. If you want to +know if/when a request body size is over your limit, you can create a +rule to check for the existence of the INBOUND_ERROR_DATA variable. +
+

SecResponseBodyLimit

+

Description: Configures the maximum response body size that +will be accepted for buffering. +

Syntax: SecResponseBodyLimit LIMIT_IN_BYTES +

Example Usage: SecResponseBodyLimit 524228 +

Scope: Any +

Version: 2.0.0 +

Default: 524288 (512 KB) +

Anything over this limit will be rejected with status code 500 +(Internal Server Error). This setting will not affect the responses with + MIME types that are not selected for buffering. There is a hard limit +of 1 GB. +

+

+ SecResponseBodyLimitAction

+

Description: Controls what happens once a response body limit, + configured with SecResponseBodyLimit, is encountered. +

Syntax: SecResponseBodyLimitAction +Reject|ProcessPartial +

Example Usage: SecResponseBodyLimitAction +ProcessPartial +

Scope: Any +

Version: 2.5.0 +

By default, ModSecurity will reject a response body that is +longer than specified. Some web sites, however, will produce very long +responses, making it difficult to come up with a reasonable limit. Such +sites would have to raise the limit significantly to function properly, +defying the purpose of having the limit in the first place (to control +memory consumption). With the ability to choose what happens once a +limit is reached, site administrators can choose to inspect only the +first part of the response, the part that can fit into the desired +limit, and let the rest through. Some could argue that allowing parts of + responses to go uninspected is a weakness. This is true in theory, but +applies only to cases in which the attacker controls the output (e.g., +can make it arbitrary long). In such cases, however, it is not possible +to prevent leakage anyway. The attacker could compress, obfuscate, or +even encrypt data before it is sent back, and therefore bypass any +monitoring device. +

+

SecResponseBodyMimeType

+

Description: Configures which MIME types are to be considered +for response body buffering. +

Syntax: SecResponseBodyMimeType MIMETYPE MIMETYPE +... +

Example Usage: SecResponseBodyMimeType text/plain +text/html text/xml +

Scope: Any +

Version: 2.0.0 +

Default: text/plain text/html +

Multiple SecResponseBodyMimeType directives can be used to add +MIME types. Use SecResponseBodyMimeTypesClear to clear previously +configured MIME types and start over. +

+

+SecResponseBodyMimeTypesClear

+

Description: Clears the list of MIME types considered for +response body buffering, allowing you to start populating the list from +scratch. +

Syntax: SecResponseBodyMimeTypesClear +

Example Usage: SecResponseBodyMimeTypesClear +

Scope: Any +

Version: 2.0.0 +

+

SecResponseBodyAccess

+

Description: Configures whether response bodies are to be +buffered. +

Syntax: SecResponseBodyAccess On|Off +

Example Usage: SecResponseBodyAccess On +

Scope: Any +

Version: 2.0.0 +

Default: Off +

This directive is required if you plan to inspect HTML responses +and implement response blocking. Possible values are: +

+
  • On: buffer response bodies (but only if the response MIME type +matches the list configured with SecResponseBodyMimeType). +
  • Off: do not buffer response bodies. +
+

+SecRule

+

Description: Creates a rule that will analyze the selected +variables using the selected operator. +

Syntax: SecRule VARIABLES OPERATOR [ACTIONS] +

Example Usage: SecRule ARGS "@rx attack" +"phase:1,log,deny" +

Scope: Any +

Version: 2.0.0 +

Every rule must provide one or more variables along with the +operator that should be used to inspect them. If no actions are +provided, the default list will be used. (There is always a default +list, even if one was not explicitly set with SecDefaultAction.) If +there are actions specified in a rule, they will be merged with the +default list to form the final actions that will be used. (The actions +in the rule will overwrite those in the default list.) Refer to +SecDefaultAction for more information. +

+

SecRuleInheritance

+

Description: Configures whether the current context will +inherit the rules from the parent context. +

Syntax: SecRuleInheritance On|Off +

Example Usage: SecRuleInheritance Off +

Scope: Any +

Version: 2.0.0 +

Default: On +

Sometimes when you create a more specific configuration context +(for example using the <Location> container), you may wish to use a + different set of rules than those used in the parent context. By +setting SecRuleInheritance to Off, you prevent the parent rules to be +inherited, which allows you to start from scratch. In ModSecurity 2.5.x +it is not possible to override phase 1 rules from a <Location> +configuration context. There are no limitations in that respect in the +current development version (and there won’t be in the next major +version). +

The possible values are: +

+
  • On: inherit rules from the parent context +
  • Off: do not inherit rules from the parent context +
+
Note 
Configuration contexts are an Apache +concept. Directives <Directory>, <Files>, <Location>, +and <VirtualHost> are all used to create configuration contexts. +For more information, please go to the Apache documentation, under +Configuration Sections [5]. This directive does not affect how configuration + options are inherited. +
+

SecRuleEngine

+

Description: Configures the rules engine. +

Syntax: SecRuleEngine On|Off|DetectionOnly +

Example Usage: SecRuleEngine On +

Scope: Any +

Version: 2.0.0 +

Default: Off +

The possible values are: +

+
  • On: process rules +
  • Off: do not process rules +
  • DetectionOnly: process rules but never intercept +transactions, even when rules are configured to block +
+

SecRuleRemoveById

+

Description: Removes the matching rules from the current +configuration context. +

Syntax: SecRuleRemoveById ID ID RANGE ... +

Example Usage: SecRuleRemoveByID 1 2 "9000-9010" +

Scope: Any +

Version: 2.0.0 +

This directive supports multiple parameters, each of which can be + a rule ID or a range. Parameters that contain spaces must be delimited +using double quotes. +

+
Note 
This directive must be specified after +the rule in which it is disabling. This should be used within local + custom rule files that are processed after third party rule sets. +Example file - modsecurity_crs_60_customrules.conf. +
+

SecRuleRemoveByMsg

+

Description: Removes the matching rules from the current +configuration context. +

Syntax: SecRuleRemoveByMsg REGEX +

Example Usage: SecRuleRemoveByMsg "FAIL" +

Scope: Any +

Version: 2.0.0 +

Normally, you would use SecRuleRemoveById to remove rules, but +that requires the rules to have IDs defined. If they don’t, then you can + remove them with SecRuleRemoveByMsg, which matches a regular expression + against rule messages. +

+
Note 
This directive must be specified after the +rule in which it is disabling. This should be used within local custom +rule files that are processed after third party rule sets. Example file - + modsecurity_crs_60_customrules.conf. +
+

SecRuleRemoveByTag

+

Description: Removes the matching rules from the current +configuration context. +

Syntax: SecRuleRemoveByTab REGEX +

Example Usage: SecRuleRemoveByTag "WEB_ATTACK/XSS" +

Scope: Any +

Version: 2.6 +

Normally, you would use SecRuleRemoveById to remove rules, but +that requires the rules to have IDs defined. If they don’t, then you can + remove them with SecRuleRemoveByTag, which matches a regular expression + against rule tag data. This is useful if you want to disable entire +groups of rules based on tag data. Example tags used in the OWASP +ModSecurity CRS include: +

+
  • AUTOMATION/MALICIOUS +
  • AUTOMATION/MISC +
  • AUTOMATION/SECURITY_SCANNER +
  • LEAKAGE/SOURCE_CODE_ASP_JSP +
  • LEAKAGE/SOURCE_CODE_CF +
  • LEAKAGE/SOURCE_CODE_PHP +
  • WEB_ATTACK/CF_INJECTION +
  • WEB_ATTACK/COMMAND_INJECTION +
  • WEB_ATTACK/FILE_INJECTION +
  • WEB_ATTACK/HTTP_RESPONSE_SPLITTING +
  • WEB_ATTACK/LDAP_INJECTION +
  • WEB_ATTACK/PHP_INJECTION +
  • WEB_ATTACK/REQUEST_SMUGGLING +
  • WEB_ATTACK/SESSION_FIXATION +
  • WEB_ATTACK/SQL_INJECTION +
  • WEB_ATTACK/SSI_INJECTION +
  • WEB_ATTACK/XSS +
+
Note 
This directive must be specified after the +rule in which it is disabling. This should be used within local custom +rule files that are processed after third party rule sets. Example file - + modsecurity_crs_60_customrules.conf. +
+

SecRuleScript

+

Description: This directive creates a special rule that executes a +Lua script to decide whether to match or not. The main difference from +SecRule is that there are no targets nor operators. The script can fetch + any variable from the ModSecurity context and use any (Lua) operator to + test them. The second optional parameter is the list of actions whose +meaning is identical to that of SecRule. +

Syntax: SecRuleScript /path/to/script.lua [ACTIONS] +

Example Usage: SecRuleScript "/path/to/file.lua" +"block" +

Scope: Any +

Version: 2.5.0 +

+
Note 
All Lua scripts are compiled at +configuration time and cached in memory. To reload scripts you must +reload the entire ModSecurity configuration by restarting Apache. +
+

Example script: +

+
-- Your script must define the main entry
+-- point, as below.
+function main()
+    -- Log something at level 1. Normally you shouldn't be
+    -- logging anything, especially not at level 1, but this is
+    -- just to show you can. Useful for debugging.
+    m.log(1, "Hello world!");
+
+    -- Retrieve one variable.
+    local var1 = m.getvar("REMOTE_ADDR");
+
+    -- Retrieve one variable, applying one transformation function.
+    -- The second parameter is a string.
+    local var2 = m.getvar("ARGS", "lowercase");
+
+    -- Retrieve one variable, applying several transformation functions.
+    -- The second parameter is now a list. You should note that m.getvar()
+    -- requires the use of comma to separate collection names from
+    -- variable names. This is because only one variable is returned.
+    local var3 = m.getvar("ARGS.p", { "lowercase", "compressWhitespace" } );
+
+    -- If you want this rule to match return a string
+    -- containing the error message. The message must contain the name
+    -- of the variable where the problem is located.
+    -- return "Variable ARGS:p looks suspicious!"
+
+    -- Otherwise, simply return nil.
+    return nil;
+end
+
+

In this first example we were only retrieving one variable at the +time. In this case the name of the variable is known to you. In many +cases, however, you will want to examine variables whose names you won't + know in advance, for example script parameters. +

Example showing use of m.getvars() to retrieve many variables at +once: +

+
function main()
+    -- Retrieve script parameters.
+    local d = m.getvars("ARGS", { "lowercase", "htmlEntityDecode" } );
+
+    -- Loop through the paramters.
+    for i = 1, #d do
+        -- Examine parameter value.
+        if (string.find(d[i].value, "<script")) then
+            -- Always specify the name of the variable where the
+            -- problem is located in the error message.
+            return ("Suspected XSS in variable " .. d[i].name .. ".");
+        end
+    end
+
+    -- Nothing wrong found.
+    return nil;
+end
+
+
Note 
Go to http://www.lua.org/ + to find more about the Lua programming language. The reference manual +too is available online, at http://www.lua.org/manual/5.1/. +
+
Note 
Lua support is marked as experimental as +the way the progamming interface may continue to evolve while we are +working for the best implementation style. Any user input into the +programming interface is appreciated. +
+

SecRuleUpdateActionById

+

Description: Updates the action list of the specified rule. +

Syntax: SecRuleUpdateActionById RULEID ACTIONLIST +

Example Usage: SecRuleUpdateActionById 12345 +"deny,status:403" +

Scope: Any +

Version: 2.5.0 +

This directive will overwrite the action list of the specified +rule with the actions provided in the second parameter. It has two +limitations: it cannot be used to change the ID or phase of a rule. Only + the actions that can appear only once are overwritten. The actions that + are allowed to appear multiple times in a list, will be appended to the + end of the list. +

+
SecRule ARGS attack "phase:2,id:12345,t:lowercase,log,pass,msg:'Message text'"
+SecRuleUpdateActionById 12345 "t:none,t:compressWhitespace,deny,status:403,msg:'New message text'"
+
+

The effective resulting rule in the previous example will be as +follows: +

+
SecRule ARGS attack "phase:2,id:12345,t:lowercase,t:none,t:compressWhitespace,deny,status:403,msg:'New Message text'"
+
+

The addition of t:none will neutralize any previous transformation +functions specified (t:lowercase, in the example). +

+
Note 
If the target rule is a chained rule, you +must currently specify chain in the SecRuleUpdateActionById action list +as well. This will be fixed in a future version. +
+

SecRuleUpdateTargetById

+

Description: Updates the target (variable) list of the +specified rule. +

Syntax: SecRuleUpdateTargetById RULEID +TARGET1[,TARGET2,TARGET3] REPLACED_TARGET +

Example Usage: SecRuleUpdateTargetById 12345 +"!ARGS:foo" +

Scope: Any +

Version: 2.6 +

This directive will append (or replace) variables to the current +target list of the specified rule with the targets provided in the +second parameter. +

Explicitly Appending Targets +

This is useful for implementing exceptions where you want to +externally update a target list to exclude inspection of specific +variable(s). +

+
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bmail\b" \
+     "phase:2,rev:'2.1.1',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'958895',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%
+{tx.0}"
+
+SecRuleUpdateTargetById 958895 !ARGS:email
+
+

The effective resulting rule in the previous example will append the +target to the end of the variable list as follows: +

+
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/*|!ARGS:email "[\;\|\`]\W*?\bmail\b" \
+     "phase:2,rev:'2.1.1',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'958895',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%
+{tx.0}""
+
+

Explicitly Replacing Targets +

You can also entirely replace the target list to something more +appropriate for your environment. For example, lets say you want to +inspect REQUEST_URI instead of REQUEST_FILENAME, you could do this: +

+
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bmail\b" \
+     "phase:2,rev:'2.1.1',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'958895',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%
+{tx.0}"
+
+SecRuleUpdateTargetById 958895 REQUEST_URI REQUEST_FILENAME
+
+

The effective resulting rule in the previous example will append the +target to the end of the variable list as follows: +

+
SecRule REQUEST_URI|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bmail\b" \
+     "phase:2,rev:'2.1.1',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'958895',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%
+{tx.0}""
+
+

Conditionally Appending Targets +

You could also do the same by using the ctl action. This is +useful if you want to only update the targets for a particular URL +

+
SecRule REQUEST_FILENAME "@streq /path/to/file.php" "phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=958895;!ARGS:email"
+
+

Conditionally Replacing Targets +

You could also replace targets using the ctl action. For +example, lets say you want to only inspect ARGS for a particular URL: +

+
SecRule REQUEST_FILENAME "@streq /path/to/file.php" "phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=958895;REQUEST_URI;REQUEST_FILENAME"
+
+

SecServerSignature

+

Description: Instructs ModSecurity to change the data +presented in the "Server:" response header token. +

Syntax: SecServerSignature "WEB SERVER SOFTWARE" +

Example Usage: SecServerSignature +"Microsoft-IIS/6.0" +

Scope: Main +

Version: 2.0.0 +

In order for this directive to work, you must set the Apache +ServerTokens directive to Full. ModSecurity will overwrite the server +signature data held in this memory space with the data set in this +directive. If ServerTokens is not set to Full, then the memory space is +most likely not large enough to hold the new data we are looking to +insert. +

+

+ SecStreamInBodyInspection

+

Description: Configures the ability to use stream inspection +(Apache connection level filter) for inbound request data. +

Syntax: SecStreamInBodyInspection On|Off +

Example Usage: SecStreamInBodyInspection On +

Scope: Any +

Version: 2.6.0 +

Default: Off +

This feature enables the creation of the STREAM_INPUT_BODY +variable and is useful in a prequalification ruleset scenario against a +large list of strings. +

+
Note 
This directive provides stream access to +REQUEST_BODY payload data. It does not include REQUEST_URI or +REQUEST_HEADER data. +
+

+ SecStreamOutBodyInspection

+

Description: Configures the ability to use stream inspection +(Apache connection level filter) for outbound request data. +

Syntax: SecStreamOutBodyInspection On|Off +

Example Usage: SecStreamOutBodyInspection On +

Scope: Any +

Version: 2.6.0 +

Default: Off +

This feature enables the creation of the STREAM_OUTPUT_BODY +variable and is useful in two main scenarios: +

+
  1. A prequalification ruleset scenario against a large list of +strings. This helps with performance as buffering the RESPONSE_BODY +data is slow. +
  2. In situations where the response body must be streamed to the +client (buffering breaks the app). +
+
Note 
This directive provides stream access to +RESPONSE_BODY payload data. It does not include RESPONSE_HEADER data. +
+

+SecTmpDir

+

Description: Configures the directory where temporary files +will be created. +

Syntax: SecTmpDir /path/to/dir +

Example Usage: SecTmpDir /tmp +

Scope: Any +

Version: 2.0.0 +

The location specified needs to be writable by the Apache user +process. This is the directory location where ModSecurity will swap data + to disk if it runs out of memory (more data than what was specified in +the SecRequestBodyInMemoryLimit directive) during inspection. +

+

SecUploadDir

+

Description: Configures the directory where intercepted files +will be stored. +

Syntax: SecUploadDir /path/to/dir +

Example Usage: SecUploadDir /tmp +

Scope: Any +

Version: 2.0.0 +

This directory must be on the same filesystem as the temporary +directory defined with SecTmpDir. This directive is used with +SecUploadKeepFiles. +

+

SecUploadFileLimit

+

Description: Configures the maximum number of file uploads +processed in a multipart POST. +

Syntax: SecUploadFileLimit number +

Example Usage: SecUploadFileLimit 10 +

Scope: Any +

Version: 2.5.12 +

The default is set to 100 files, but you are encouraged to reduce + this value. Any file over the limit will not be extracted and the +MULTIPART_FILE_LIMIT_EXCEEDED and MULTIPART_STRICT_ERROR flags will be +set. To prevent bypassing any file checks, you must check for one of +these flags. +

+
Note 
If the limit is exceeded, the part name and + file name will still be recorded in FILES_NAME and FILES, the file size + will be recorded in FILES_SIZES, but there will be no record in +FILES_TMPNAMES as a temporary file was not created. +
+

SecUploadFileMode

+

Description: Configures the mode (permissions) of any uploaded + files using an octal mode (as used in chmod). +

Syntax: SecUploadFileMode octal_mode|"default" +

Example Usage: SecUploadFileMode 0640 +

Scope: Any +

Version: 2.1.6 +

This feature is not available on operating systems not supporting + octal file modes. The default mode (0600) only grants read/write access + to the account writing the file. If access from another account is +needed (using clamd is a good example), then this directive may be +required. However, use this directive with caution to avoid exposing +potentially sensitive data to unauthorized users. Using the value +"default" will revert back to the default setting. +

+
Note 
The process umask may still limit the mode +if it is being more restrictive than the mode set using this directive. +
+

SecUploadKeepFiles

+

Description: Configures whether or not the intercepted files +will be kept after transaction is processed. +

Syntax: SecUploadKeepFiles On|Off|RelevantOnly +

Example Usage: SecUploadKeepFiles On +

Scope: Any +

Version: 2.0.0 +

This directive requires the storage directory to be defined +(using SecUploadDir). +

Possible values are: +

+
  • On - Keep uploaded files. +
  • Off - Do not keep uploaded files. +
  • RelevantOnly - This will keep only those files that +belong to requests that are deemed relevant. +
+

SecWebAppId

+

Description: Creates an application namespace, allowing for +separate persistent session and user storage. +

Syntax: SecWebAppId "NAME" +

Example Usage: SecWebAppId "WebApp1" +

Scope: Any +

Version: 2.0.0 +

Default: default +

Application namespaces are used to avoid collisions between +session IDs and user IDs when multiple applications are deployed on the +same server. If it isn’t used, a collision between session IDs might +occur. +

+
<VirtualHost *:80> 
+ServerName app1.example.com 
+SecWebAppId "App1" ...
+</VirtualHost>
+
+<VirtualHost *:80> 
+ServerName app2.example.com 
+SecWebAppId "App2" ...
+</VirtualHost>
+
+

In the two examples configurations shown, SecWebAppId is being used +in conjunction with the Apache VirtualHost directives. Applications +namespace information is also recorded in the audit logs (using the +WebApp-Info header of the H part). +

+

Processing Phases

+

ModSecurity 2.x allows rules to be placed in one of the following +five phases of the Apache request cycle: +

+
  • Request headers (REQUEST_HEADERS) +
  • Request body (REQUEST_BODY) +
  • Response headers (RESPONSE_HEADERS) +
  • Response body (RESPONSE_BODY) +
  • Logging (LOGGING) +
+

Below is a diagram of the standard Apache Request Cycle. In the +diagram, the 5 ModSecurity processing phases are shown. +

+

In order to select the phase a rule executes during, use the +phase action either directly in the rule or in using the +SecDefaultAction directive: +

+
SecDefaultAction "log,pass,phase:2"
+SecRule REQUEST_HEADERS:Host "!^$" "deny,phase:1"
+
+
Note 
The data available in each phase is +cumulative. This means that as you move onto later phases, you have +access to more and more data from the transaction. +
Note 
Keep in mind that rules are executed +according to phases, so even if two rules are adjacent in a +configuration file, but are set to execute in different phases, they +would not happen one after the other. The order of rules in the +configuration file is important only within the rules of each phase. +This is especially important when using the skip and skipAfter actions. +
+
Note 
The LOGGING phase is special. It is +executed at the end of each transaction no matter what happened in the +previous phases. This means it will be processed even if the request was + intercepted or the allow action was used to pass the transaction +through. +
+

Phase Request Headers

+

Rules in this phase are processed immediately after Apache completes +reading the request headers (post-read-request phase). At this point the + request body has not been read yet, meaning not all request arguments +are available. Rules should be placed in this phase if you need to have +them run early (before Apache does something with the request), to do +something before the request body has been read, determine whether or +not the request body should be buffered, or decide how you want the +request body to be processed (e.g. whether to parse it as XML or not). +

+
Note 
Rules in this phase can not leverage Apache + scope directives (Directory, Location, LocationMatch, etc...) as the +post-read-request hook does not have this information yet. The exception + here is the VirtualHost directive. If you want to use ModSecurity rules + inside Apache locations, then they should run in Phase 2. Refer to the +Apache Request Cycle/ModSecurity Processing Phases diagram. +
+

Phase Request Body

+

This is the general-purpose input analysis phase. Most of the +application-oriented rules should go here. In this phase you are +guaranteed to have received the request arguments (provided the request +body has been read). ModSecurity supports three encoding types for the +request body phase: +

+
  • application/x-www-form-urlencoded - used to transfer form + data +
  • multipart/form-data - used for file transfers +
  • text/xml - used for passing XML data +
+

Other encodings are not used by most web applications. +

+
Note 
In order to access the Request Body phase +data, you must have SecRequestBodyAccess set to On. +
+

Phase Response Headers

+

This phase takes place just before response headers are sent back to +the client. Run here if you want to observe the response before that +happens, and if you want to use the response headers to determine if you + want to buffer the response body. Note that some response status codes +(such as 404) are handled earlier in the request cycle by Apache and my +not be able to be triggered as expected. Additionally, there are some +response headers that are added by Apache at a later hook (such as Date, + Server and Connection) that we would not be able to trigger on or +sanitize. This should work appropriately in a proxy setup or within +phase:5 (logging). +

+

Phase Response Body

+

This is the general-purpose output analysis phase. At this point you +can run rules against the response body (provided it was buffered, of +course). This is the phase where you would want to inspect the outbound +HTML for information disclosure, error messages or failed authentication + text. +

+
Note 
In order to access the Response Body phase +data, you must have SecResponseBodyAccess set to On +
+

Phase Logging

+

This phase is run just before logging takes place. The rules placed +into this phase can only affect how the logging is performed. This phase + can be used to inspect the error messages logged by Apache. You cannot +deny/block connections in this phase as it is too late. This phase also +allows for inspection of other response headers that weren't available +during phase:3 or phase:4. Note that you must be careful not to inherit a + disruptive action into a rule in this phase as this is a configuration +error in ModSecurity 2.5.0 and later versions +

+

+Variables

+

The following variables are supported in ModSecurity 2.x: +

+

ARGS

+

ARGS is a collection and can be used on its own (means all arguments +including the POST Payload), with a static parameter (matches arguments +with that name), or with a regular expression (matches all arguments +with name that matches the regular expression). To look at only the +query string or body arguments, see the ARGS_GET and ARGS_POST +collections. +

Some variables are actually collections, which are expanded into +more variables at runtime. The following example will examine all +request arguments: +

SecRule ARGS dirty +

Sometimes, however, you will want to look only at parts of a +collection. This can be achieved with the help of the selection +operator(colon). The following example will only look at the arguments +named p (do note that, in general, requests can contain multiple +arguments with the same name): +

SecRule ARGS:p dirty +

It is also possible to specify exclusions. The following will +examine all request arguments for the word dirty, except the ones named z + (again, there can be zero or more arguments named z): +

SecRule ARGS|!ARGS:z dirty +

There is a special operator that allows you to count how many +variables there are in a collection. The following rule will trigger if +there is more than zero arguments in the request (ignore the second +parameter for the time being): +

SecRule &ARGS !^0$ +

And sometimes you need to look at an array of parameters, each +with a slightly different name. In this case you can specify a regular +expression in the selection operator itself. The following rule will +look into all arguments whose names begin with id_: +

SecRule ARGS:/^id_/ dirty +

+
Note 
Using ARGS:p will not result in any +invocations against the operator if argument p does not exist. +
+

In ModSecurity 1.X, the ARGS variable stood for QUERY_STRING + +POST_PAYLOAD, whereas now it expands to individual variables. +

+

ARGS_COMBINED_SIZE

+

Contains the combined size of all request parameters. Files are +excluded from the calculation. This variable can be useful, for example, + to create a rule to ensure that the total size of the argument data is +below a certain threshold. The following rule detects a request whose +para- meters are more than 2500 bytes long: +

SecRule ARGS_COMBINED_SIZE "@gt 2500" +

+

+ARGS_GET

+

ARGS_GET is similar to ARGS, but contains only query string +parameters. +

+

ARGS_GET_NAMES

+

ARGS_GET_NAMES is similar to ARGS_NAMES, but contains only the names +of query string parameters. +

+

+ ARGS_NAMES

+

Contains all request parameter names. You can search for specific +parameter names that you want to inspect. In a positive policy scenario, + you can also whitelist (using an inverted rule with the exclamation +mark) only the authorized argument names. +This example rule allows only two argument names: p and a: +

SecRule ARGS_NAMES "!^(p|a)$" +

+

+ARGS_POST

+

ARGS_POST is similar to ARGS, but only contains arguments from the +POST body. +

+

ARGS_POST_NAMES

+

ARGS_POST_NAMES is similar to ARGS_NAMES, but contains only the names + of request body parameters. +

+

+AUTH_TYPE

+

This variable holds the authentication method used to validate a +user, if any of the methods built into HTTP are used. In a reverse-proxy + deployment, this information will not be available if the +authentication is handled in the backend web server. +

SecRule AUTH_TYPE "Basic" +

+

+DURATION

+

Contains the number of milliseconds elapsed since the beginning of +the current transaction. Available starting with 2.6.0. +

+

ENV

+

Collection that provides access to environment variables set by +ModSecurity. Requires a single parameter to specify the name of the +desired variable. +

+
# Set environment variable 
+SecRule REQUEST_FILENAME "printenv" \
+"phase:2,pass,setenv:tag=suspicious" 
+
+# Inspect environment variable
+SecRule ENV:tag "suspicious" 
+
+
Note 
Use setenv to set environment variables to +be accessed by Apache. +
+

FILES

+

Contains a collection of original file names (as they were called on +the remote user’s filesys- tem). Available only on inspected +multipart/form-data requests. +

SecRule FILES "@rx \.conf$" +

+
Note 
Only available if files were extracted from + the request body. +
+

FILES_COMBINED_SIZE

+

Contains the total size of the files transported in request body. +Available only on inspected multipart/form-data requests. +

SecRule FILES_COMBINED_SIZE "@gt 100000" +

+

FILES_NAMES

+

Contains a list of form fields that were used for file upload. +Available only on inspected multipart/form-data requests. +

SecRule FILES_NAMES "^upfile$" +

+

FILES_SIZES

+

Contains a list of individual file sizes. Useful for implementing a +size limitation on individual uploaded files. Available only on +inspected multipart/form-data requests. +

SecRule FILES_SIZES "@gt 100" +

+

FILES_TMPNAMES

+

Contains a list of temporary files’ names on the disk. Useful when +used together with @inspectFile. Available only on inspected +multipart/form-data requests. +

SecRule FILES_TMPNAMES "@inspectFile +/path/to/inspect_script.pl" +

+

GEO

+

GEO is a collection populated by the results of the last @geoLookup +operator. The collection can be used to match geographical fields looked + from an IP address or hostname. +

Available since ModSecurity 2.5.0. +

Fields: +

+
  • COUNTRY_CODE: Two character country code. EX: US, GB, etc. +
  • COUNTRY_CODE3: Up to three character country code. +
  • COUNTRY_NAME: The full country name. +
  • COUNTRY_CONTINENT: The two character continent that the country + is located. EX: EU +
  • REGION: The two character region. For US, this is state. For +Canada, providence, etc. +
  • CITY: The city name if supported by the database. +
  • POSTAL_CODE: The postal code if supported by the database. +
  • LATITUDE: The latitude if supported by the database. +
  • LONGITUDE: The longitude if supported by the database. +
  • DMA_CODE: The metropolitan area code if supported by the +database. (US only) +
  • AREA_CODE: The phone system area code. (US only) +
+

Example: +

+
SecGeoLookupDb /usr/local/geo/data/GeoLiteCity.dat
+...
+SecRule REMOTE_ADDR "@geoLookup" "chain,drop,msg:'Non-GB IP address'"
+SecRule GEO:COUNTRY_CODE "!@streq GB"
+
+

HIGHEST_SEVERITY

+

This variable holds the highest severity of any rules that have +matched so far. Severities are numeric values and thus can be used with +comparison operators such as @lt, and so on. A value of 255 indicates +that no severity has been set. +

SecRule HIGHEST_SEVERITY "@le 2" \ +"phase:2,deny,status:500,msg:'severity %{HIGHEST_SEVERITY}'" +

+
Note 
Higher severities have a lower numeric +value. +
+

MATCHED_VAR

+

This variable holds the value of the most-recently matched variable. +It is similar to the TX:0, but it is automatically supported by all +operators and there is no need to specify the capture action. +

+
SecRule ARGS pattern chain,deny
+  SecRule MATCHED_VAR "further scrutiny"
+
+
Note 
Be aware that this variable holds data for +the last operator match. This means that if there are +more than one matches, only the last one will be populated. Use +MATCHED_VARS variable if you want all matches. +
+

MATCHED_VARS

+

Similar to MATCHED_VAR except that it is a collection of all +matches for the current operator check. +

+
SecRule ARGS pattern "chain,deny"
+  SecRule MATCHED_VARS "@eq ARGS:param"
+
+

MATCHED_VAR_NAME

+

This variable holds the full name of the variable that was matched +against. +

+
SecRule ARGS pattern "chain,deny"
+  SecRule MATCHED_VAR_NAME "@eq ARGS:param"
+
+
Note 
Be aware that this variable holds data for +the last operator match. This means that if there are +more than one matches, only the last one will be populated. Use +MATCHED_VARS_NAMES variable if you want all matches. +
+

MATCHED_VARS_NAMES

+

Similar to MATCHED_VAR_NAME except that it is a collection of all + matches for the current operator check. +

+
SecRule ARGS pattern "chain,deny"
+  SecRule MATCHED_VARS_NAMES "@eq ARGS:param"
+
+

MODSEC_BUILD

+

This variable holds the ModSecurity build number. This variable is +intended to be used to check the build number prior to using a feature +that is available only in a certain build. Example: +

+
SecRule MODSEC_BUILD "!@ge 02050102" "skipAfter:12345"
+SecRule ARGS "@pm some key words" "id:12345,deny,status:500"
+
+

MULTIPART_CRLF_LF_LINES

+

This flag variable will be set to 1 whenever a multi-part request +uses mixed line terminators. The multipart/form-data RFC requires CRLF +sequence to be used to terminate lines. Since some client +implementations use only LF to terminate lines you might want to allow +them to proceed under certain circumstances (if you want to do this you +will need to stop using MULTIPART_STRICT_ERROR and check each multi-part + flag variable individually, avoiding MULTIPART_LF_LINE). However, +mixing CRLF and LF line terminators is dangerous as it can allow for +evasion. Therefore, in such cases, you will have to add a check for +MULTIPART_CRLF_LF_LINES. +

+

MULTIPART_STRICT_ERROR

+

MULTIPART_STRICT_ERROR will be set to 1 when any of the following +variables is also set to 1: REQBODY_PROCESSOR_ERROR, +MULTIPART_BOUNDARY_QUOTED, MULTIPART_BOUNDARY_WHITESPACE, +MULTIPART_DATA_BEFORE, MULTIPART_DATA_AFTER, MULTIPART_HEADER_FOLDING, +MULTIPART_LF_LINE, MULTIPART_SEMICOLON_MISSING MULTIPART_INVALID_QUOTING + MULTIPART_INVALID_HEADER_FOLDING MULTIPART_FILE_LIMIT_EXCEEDED. Each of + these variables covers one unusual (although sometimes legal) aspect of + the request body in multipart/form-data format. Your policies should +always contain a rule to check either this variable (easier) or one or +more individual variables (if you know exactly what you want to +accomplish). Depending on the rate of false positives and your default +policy you should decide whether to block or just warn when the rule is +triggered. +

The best way to use this variable is as in the example below: +

+
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+"phase:2,t:none,log,deny,msg:'Multipart request body \
+failed strict validation: \
+PE %{REQBODY_PROCESSOR_ERROR}, \
+BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+DB %{MULTIPART_DATA_BEFORE}, \
+DA %{MULTIPART_DATA_AFTER}, \
+HF %{MULTIPART_HEADER_FOLDING}, \
+LF %{MULTIPART_LF_LINE}, \
+SM %{MULTIPART_SEMICOLON_MISSING}, \
+IQ %{MULTIPART_INVALID_QUOTING}, \
+IQ %{MULTIPART_INVALID_HEADER_FOLDING}, \
+FE %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+
+

The multipart/form-data parser was upgraded in ModSecurity v2.1.3 to +actively look for signs of evasion. Many variables (as listed above) +were added to expose various facts discovered during the parsing +process. The MULTIPART_STRICT_ERROR variable is handy to check on all +abnormalities at once. The individual variables allow detection to be +fine-tuned according to your circumstances in order to reduce the number + of false positives. +

+

+ MULTIPART_UNMATCHED_BOUNDARY

+

Set to 1 when, during the parsing phase of a multipart/request-body, +ModSecurity encounters what feels like a boundary but it is not. Such an + event may occur when evasion of ModSecurity is attempted. +

The best way to use this variable is as in the example below: +

+
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+

Change the rule from blocking to logging-only if many false positives + are encountered. +

+

+PATH_INFO

+

Contains the extra request URI information, also known as path info. +(For example, in the URI /index.php/123, /123 is the path info.) +Available only in embedded deployments. +

SecRule PATH_INFO "^/(bin|etc|sbin|opt|usr)" +

+

PERF_COMBINED

+

Contains the time, in microseconds, spent in ModSecurity during the +current transaction. The value in this variable is arrived to by adding +all the performance variables except PERF_SREAD (the time spent reading +from persistent storage is already included in the phase measurements). +Available starting with 2.6. +

+

+PERF_GC

+

Contains the time, in microseconds, spent performing garbage +collection. Available starting with 2.6. +

+

PERF_LOGGING

+

Contains the time, in microseconds, spent in audit logging. This +value is known only after the handling of a transaction is finalized, +which means that it can only be logged using mod_log_config and +the %{VARNAME}M syntax. Available starting with 2.6. +

+

PERF_PHASE1

+

Contains the time, in microseconds, spent processing phase 1. +Available starting with 2.6. +

+

PERF_PHASE2

+

Contains the time, in microseconds, spent processing phase 2. +Available starting with 2.6. +

+

PERF_PHASE3

+

Contains the time, in microseconds, spent processing phase 3. +Available starting with 2.6. +

+

PERF_PHASE4

+

Contains the time, in microseconds, spent processing phase 4. +Available starting with 2.6. +

+

PERF_PHASE5

+

Contains the time, in microseconds, spent processing phase 5. +Available starting with 2.6. +

+

+ PERF_SREAD

+

Contains the time, in microseconds, spent reading from persistent +storage. Available starting with 2.6. +

+

PERF_SWRITE

+

Contains the time, in microseconds, spent writing to persistent +storage. Available starting with 2.6. +

+

QUERY_STRING

+

Contains the query string part of a request URI. The value in +QUERY_STRING is always provided raw, without URL decoding taking place. +

SecRule QUERY_STRING "attack" +

+

REMOTE_ADDR

+

This variable holds the IP address of the remote client. +

SecRule REMOTE_ADDR "@ipMatch 192.168.1.101" +

+

REMOTE_HOST

+

If the Apache directive HostnameLookups is set to On, then this +variable will hold the remote hostname resolved through DNS. If the +directive is set to Off, this variable it will hold the remote IP +address (same as REMOTE_ADDR). Possible uses for this variable would be +to deny known bad client hosts or network blocks, or conversely, to +allow in authorized hosts. +

SecRule REMOTE_HOST "\.evil\.network\org$" +

+

REMOTE_PORT

+

This variable holds information on the source port that the client +used when initiating the connection to our web server. +

In the following example, we are evaluating to see whether the +REMOTE_PORT is less than 1024, which would indicate that the user is a +privileged user: +

SecRule REMOTE_PORT "@lt 1024" +

+

REMOTE_USER

+

This variable holds the username of the authenticated user. If there +are no password access controls in place (Basic or Digest +authentication), then this variable will be empty. +

SecRule REMOTE_USER "^admin$" +

+
Note 
In a reverse-proxy deployment, this +information will not be available if the authentication is +
+

handled in the backend web server. +

+

REQBODY_PROCESSOR

+

Contains the name of the currently used request body processor. The +possible values are URLENCODED, MULTIPART, and XML. +

+
SecRule REQBODY_PROCESSOR "^XML$ chain 
+  SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
+
+

REQBODY_PROCESSOR_ERROR

+

Contains the status of the request body processor used for request +body parsing. The values can be 0 (no error) or 1 (error). This variable + will be set by request body processors (typically the +multipart/request-data parser or the XML parser) when they fail to do +their work. +

SecRule REQBODY_PROCESSOR_ERROR "@eq 1" deny,phase:2 +

+
Note 
Your policies must have a rule to check for + request body processor errors at the very beginning of phase 2. Failure + to do so will leave the door open for impedance mismatch attacks. It is + possible, for example, that a payload that cannot be parsed by +ModSecurity can be successfully parsed by more tolerant parser operating + in the application. If your policy dictates blocking, then you should +reject the request if error is detected. When operating in +detection-only mode, your rule should alert with high severity when +request body processing fails. +
+

+ REQBODY_PROCESSOR_ERROR_MSG

+

If there’s been an error during request body parsing, the variable +will contain the following error message: +

SecRule REQBODY_PROCESSOR_ERROR_MSG "failed to parse" +

+

REQUEST_BASENAME

+

This variable holds just the filename part of REQUEST_FILENAME (e.g., + index.php). +

SecRule REQUEST_BASENAME "^login\.php$" +phase:2,t:none,t:lowercase +

+
Note 
Please note that anti-evasion +transformations are not applied to this variable by default. +REQUEST_BASENAME will recognise both / and \ as path separators. You +should understand that the value of this variable depends on what was +provided in request, and that it does not have to correspond to the +resource (on disk) that will be used by the web server. +
+

REQUEST_BODY

+

Holds the raw request body. This variable is available only if the +URLENCODED request body processor was used, which will occur by default +when the application/x-www-form-urlencoded content type is detected, or +if the use of the URLENCODED request body parser was forced. +

SecRule REQUEST_BODY +"^username=\w{25,}\&password=\w{25,}\&Submit\=login$" +

As of 2.5.7, it is possible to force the presence of the +REQUEST_BODY variable, but only when there is no request body processor +defined using the ctl:forceRequestBodyVariable option in the +REQUEST_HEADERS phase. +

+

REQUEST_BODY_LENGTH

+

Contains the number of bytes read from a request body. Available +starting with v2.6 +

+

REQUEST_COOKIES

+

This variable is a collection of all of request cookies (values +only). Example: the following example is using the Ampersand special +operator to count how many variables are in the collection. In this +rule, it would trigger if the request does not include any Cookie +headers. +

SecRule &REQUEST_COOKIES "@eq 0" +

+

REQUEST_COOKIES_NAMES

+

This variable is a collection of the names of all request cookies. +For example, the following rule will trigger if the JSESSIONID cookie is + not present: +

SecRule &REQUEST_COOKIES_NAMES:JSESSIONID "@eq 0" +

+

REQUEST_FILENAME

+

This variable holds the relative request URL without the query string + part (e.g., /index.php). +

SecRule REQUEST_FILENAME "^/cgi-bin/login\.php$" +phase:2,t:none,t:normalizePath +

+
Note 
Please note that anti-evasion +transformations are not used on REQUEST_FILENAME, which means that you +will have to specify them in the rules that use this variable. +
+

REQUEST_HEADERS

+

This variable can be used as either a collection of all of the +request headers or can be used to inspect selected headers (by using the + REQUEST_HEADERS:Header-Name syntax). +

SecRule REQUEST_HEADERS:Host "^[\d\.]+$" +"deny,log,status:400,msg:'Host header is a numeric IP address'" +

+

REQUEST_HEADERS_NAMES

+

This variable is a collection of the names of all of the request +headers. +

SecRule REQUEST_HEADERS_NAMES "^x-forwarded-for" +"log,deny,status:403,t:lowercase,msg:'Proxy Server Used'" +

+

REQUEST_LINE

+

This variable holds the complete request line sent to the server +(including the request method and HTTP version information). +

+
# Allow only POST, GET and HEAD request methods, as well as only
+# the valid protocol versions 
+SecRule REQUEST_LINE "!(^((?:(?:POS|GE)T|HEAD))|HTTP/(0\.9|1\.0|1\.1)$)" "phase:1,log,block,t:none"
+
+

REQUEST_METHOD

+

This variable holds the request method used in the transaction. +

SecRule REQUEST_METHOD "^(?:CONNECT|TRACE)$" "t:none" +

+

REQUEST_PROTOCOL

+

This variable holds the request protocol version information. +

SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" +

+

REQUEST_URI

+

This variable holds the full request URL including the query string +data (e.g., /index.php? p=X). However, it will never contain a domain +name, even if it was provided on the request line. +

SecRule REQUEST_URI "attack" +"phase:1,t:none,t:urlDecode,t:lowercase,t:normalizePath" +

+
Note 
Please note that anti-evasion +transformations are not used on REQUEST_URI, which means that you will +have to specify them in the rules that use this variable. +
+

REQUEST_URI_RAW

+

Same as REQUEST_URI but will contain the domain name if it was +provided on the request line (e.g., http://www.example.com/index.php?p=X). +

SecRule REQUEST_URI_RAW "http:/" +"phase:1,t:none,t:urlDecode,t:lowercase,t:normalizePath" +

+
Note 
Please note that anti-evasion +transformations are not used on REQUEST_URI_RAW, which means that you +will have to specify them in the rules that use this variable. +
+

RESPONSE_BODY

+

This variable holds the data for the response body, but only when +response body buffering is enabled. +

SecRule RESPONSE_BODY "ODBC Error Code" "phase:4,t:none" +

+

RESPONSE_CONTENT_LENGTH

+

Response body length in bytes. Can be available starting with phase +3, but it does not have to be (as the length of response body is not +always known in advance). If the size is not known, this variable will +contain a zero. If RESPONSE_CONTENT_LENGTH contains a zero in phase 5 +that means the actual size of the response body was 0. The value of this + variable can change between phases if the body is modified. For +example, in embedded mode, mod_deflate can compress the response body +between phases 4 and 5. +

+

RESPONSE_CONTENT_TYPE

+

Response content type. Available only starting with phase 3. The +value available in this variable is taken directly from the internal +structures of Apache, which means that it may contain the information +that is not yet available in response headers. In embedded deployments, +you should always refer to this variable, rather than to +RESPONSE_HEADERS:Content-Type. +

+

RESPONSE_HEADERS

+

This variable refers to response headers, in the same way as +REQUEST_HEADERS does to request headers. +

SecRule RESPONSE_HEADERS:X-Cache "MISS" +

This variable may not have access to some headers when running in + embedded mode. Headers such as Server, Date, Connection, and +Content-Type could be added just prior to sending the data to the +client. This data should be available in phase 5 or when deployed in +proxy mode. +

+

RESPONSE_HEADERS_NAMES

+

This variable is a collection of the response header names. +

SecRule RESPONSE_HEADERS_NAMES "Set-Cookie" +"phase:3,t:none" +

The same limitations apply as the ones discussed in +RESPONSE_HEADERS. +

+

RESPONSE_PROTOCOL

+

This variable holds the HTTP response protocol information. +

SecRule RESPONSE_PROTOCOL "^HTTP\/0\.9" "phase:3,t:none" +

+

RESPONSE_STATUS

+

This variable holds the HTTP response status code: +

SecRule RESPONSE_STATUS "^[45]" "phase:3,t:none" +

This variable may not work as expected in embedded mode, as +Apache sometimes handles certain requests differently, and without +invoking ModSecurity (all other modules). +

+

RULE

+

This is a special collection that provides access to the id, rev, +severity, logdata, and msg fields of the rule that triggered the action. + It can be used to refer to only the same rule in which it resides. +

SecRule &REQUEST_HEADERS:Host "@eq 0" +"log,deny,setvar:tx.varname=%{RULE.id}" +

+

SCRIPT_BASENAME

+

This variable holds just the local filename part of SCRIPT_FILENAME. +

SecRule SCRIPT_BASENAME "^login\.php$" +

+
Note 
Not available in proxy mode. +
+

SCRIPT_FILENAME

+

This variable holds the full internal path to the script that will be + used to serve the request. +

SecRule SCRIPT_FILENAME +"^/usr/local/apache/cgi-bin/login\.php$" +

+
Note 
Not available in proxy mode. +
+

+ SCRIPT_GID

+

This variable holds the numerical identifier of the group owner of +the script. +

SecRule SCRIPT_GID "!^46$" +

+
Note 
Not available in proxy mode. +
+

SCRIPT_GROUPNAME

+

This variable holds the name of the group owner of the script. +

SecRule SCRIPT_GROUPNAME "!^apache$" +

+
Note 
Not available in proxy mode. +
+

SCRIPT_MODE

+

This variable holds the script’s permissions mode data (e.g., 644). +

+
# Do not allow scripts that can be written to
+SecRule SCRIPT_MODE "^(2|3|6|7)$"
+
+
Note 
Not available in proxy mode. +
+

+ SCRIPT_UID

+

This variable holds the numerical identifier of the owner of the +script. +

+
# Do not run any scripts that are owned 
+# by Apache (Apache's user id is 46) 
+SecRule SCRIPT_UID "!^46$"
+
+
Note 
Not available in proxy mode. +
+

SCRIPT_USERNAME

+

This variable holds the username of the owner of the script. +

+
# Do not run any scripts owned by Apache SecRule 
+SCRIPT_USERNAME "^apache$"
+
+
Note 
Not available in proxy mode. +
+

SERVER_ADDR

+

This variable contains the IP address of the server. +

SecRule SERVER_ADDR "@ipMatch 192.168.1.100" +

+

SERVER_NAME

+

This variable contains the transaction’s hostname or IP address, +taken from the request itself (which means that, in principle, it should + not be trusted). +

SecRule SERVER_NAME "hostname\.com$" +

+

SERVER_PORT

+

This variable contains the local port that the web server (or reverse + proxy) is listening on. +

SecRule SERVER_PORT "^80$" +

+

+SESSION

+

This variable is a collection that contains session information. It +becomes available only after setsid is executed. +

The following example shows how to initialize SESSION using +setsid, how to use setvar to increase the SESSION.score values, how to +set the SESSION.blocked variable, and finally, how to deny the +connection based on the SESSION:blocked value: +

+
# Initialize session storage 
+SecRule REQUEST_COOKIES:PHPSESSID !^$ "phase:2,nolog,pass,setsid:%{REQUEST_COOKIES.PHPSESSID}"
+
+# Increment session score on attack 
+SecRule REQUEST_URI "^/cgi-bin/finger$" "phase:2,t:none,t:lowercase,t:normalizePath,pass,setvar:SESSION.score=+10" 
+
+# Detect too many attacks in a session
+SecRule SESSION:score "@gt 50" "phase:2,pass,setvar:SESSION.blocked=1"
+
+# Enforce session block 
+SecRule SESSION:blocked "@eq 1" "phase:2,deny,status:403"
+
+

+SESSIONID

+

This variable contains the value set with setsid. See SESSION (above) + for a complete example. +

+

STREAM_INPUT_BODY

+

This variable is created by a Connection-Level Filter hook in Apache +and give access to the raw request body content. This variable is best +used for two use-cases: +

+
  1. For fast pattern matching - using @pm/@pmf to prequalify large +text strings against the data. This is more performant vs. using +REQUEST_BODY/ARGS_POST/ARGS_POST_NAMES as it happens before ModSecurity +parsing/buffering in phase:2 variable population. +
  2. For data substitution - using @rsub against this variable +allows you to manipulate live request body data. Example - to remove +offending payloads or to substitute benign data. +
+
Note 
You must enable the +SecStreamInBodyInspection directive +
+

STREAM_OUTPUT_BODY

+

This variable is created by a Connection-Level Filter hook in Apache +and give access to the raw response body content. This variable is best + used for two use-cases: +

+
  1. For fast pattern matching - using @pm/@pmf to prequalify large +text strings against the data. This is more performant vs. using +RESPONSE_BODY as it happens before ModSecurity parsing/buffering in +phase:2 variable population. +
  2. For data substitution - using @rsub against this variable +allows you to manipulate live request body data. Example - to remove +offending payloads or to substitute benign data. +
+
Note 
You must enable the +SecStreamOutBodyInspection directive +
+

TIME

+

This variable holds a formatted string representing the time +(hour:minute:second). +

SecRule TIME "^(([1](8|9))|([2](0|1|2|3))):\d{2}:\d{2}$" +

+

+TIME_DAY

+

This variable holds the current date (1–31). The following rule +triggers on a transaction that’s happening anytime between the 10th and +20th in a month: +

SecRule TIME_DAY "^(([1](0|1|2|3|4|5|6|7|8|9))|20)$" +

+

+ TIME_EPOCH

+

This variable holds the time in seconds since 1970. +

+

+TIME_HOUR

+

This variable holds the current hour value (0–23). The following rule + triggers when a request is made “off hours”: +

SecRule TIME_HOUR "^(0|1|2|3|4|5|6|[1](8|9)|[2](0|1|2|3))$" +

+

+TIME_MIN

+

This variable holds the current minute value (0–59). The following +rule triggers during the last half hour of every hour: +

SecRule TIME_MIN "^(3|4|5)" +

+

+TIME_MON

+

This variable holds the current month value (0–11). The following +rule matches if the month is either November (value 10) or December +(value 11): +

SecRule TIME_MON "^1" +

+

+TIME_SEC

+

This variable holds the current second value (0–59). +

SecRule TIME_SEC "@gt 30" +

+

+TIME_WDAY

+

This variable holds the current weekday value (0–6). The following +rule triggers only on Satur- day and Sunday: +

SecRule TIME_WDAY "^(0|6)$" +

+

+TIME_YEAR

+

This variable holds the current four-digit year value. +

SecRule TIME_YEAR "^2006$" +

+

TX

+

This is the transient transaction collection, which is used to store +pieces of data, create a transaction anomaly score, and so on. The +variables placed into this collection are available only until the +transaction is complete. +

+
# Increment transaction attack score on attack 
+SecRule ARGS attack "phase:2,nolog,pass,setvar:TX.score=+5"
+
+# Block the transactions whose scores are too high 
+SecRule TX:SCORE "@gt 20" "phase:2,log,deny"
+
+

Some variable names in the TX collection are reserved and cannot be +used: +

+
  • TX:0: the matching value when using the @rx or @pm operator with + the capture action +
  • TX:1-TX:9: the captured subexpression value when using the @rx +operator with capturing parens and the capture action +
  • TX:MSC_.*: ModSecurity processing flags +
  • MSC_PCRE_LIMITS_EXCEEDED: Set to nonzero if PCRE match limits +are exceeded. See SecPcreMatchLimit and SecPcreMatchLimitRecursion for +more information. +
+

+UNIQUE_ID

+

This variable holds the data created by mod_unique_id [6]. This module provides a magic token for each +request which is guaranteed to be unique across "all" requests under +very specific conditions. The unique identifier is even unique across +multiple machines in a properly configured cluster of machines. The +environment variable UNIQUE_ID is set to the identifier for each +request. The UNIQUE_ID environment variable is constructed by encoding +the 112-bit (32-bit IP address, 32 bit pid, 32 bit time stamp, 16 bit +counter) quadruple using the alphabet [A-Za-z0-9@-] in a manner similar +to MIME base64 encoding, producing 19 characters. +

+

URLENCODED_ERROR

+

This variable is created when an invalid URL encoding is encountered +during the parsing of a query string (on every request) or during the +parsing of an application/x-www-form-urlencoded request body (only on +the requests that use the URLENCODED request body processor). +

+

USERID

+

This variable contains the value set with setuid. +

+
# Initialize user tracking
+SecAction "nolog,pass,setuid:%{REMOTE_USER}" 
+
+# Is the current user the administrator?
+SecRule USERID "admin"
+
+

+WEBAPPID

+

This variable contains the current application name, which is set in +configuration using SecWebAppId. +

+

WEBSERVER_ERROR_LOG

+

Contains zero or more error messages produced by the web server. This + variable is best accessed from phase 5 (logging). +

SecRule WEBSERVER_ERROR_LOG "File does not exist" +"phase:5,t:none,nolog,pass,setvar:TX.score=+5" +

+

XML

+

Special collection used to interact with the XML parser. It can be +used standalone as a target for the validateDTD and validateSchema +operator. Otherwise, it must contain a valid XPath expression, which +will then be evaluated against a previously parsed XML DOM tree. +

+
SecDefaultAction log,deny,status:403,phase:2
+SecRule REQUEST_HEADERS:Content-Type ^text/xml$ "phase:1,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML"
+SecRule REQBODY_PROCESSOR "!^XML$" skipAfter:12345
+
+SecRule XML:/employees/employee/name/text() Fred
+SecRule XML:/xq:employees/employee/name/text() Fred "id:12345,xmlns:xq=http://www.example.com/employees"
+
+

The first XPath expression does not use namespaces. It would match +against payload such as this one: +

+
<employees>
+    <employee>
+        <name>Fred Jones</name>
+        <address location="home">
+            <street>900 Aurora Ave.</street>
+            <city>Seattle</city>
+            <state>WA</state>
+            <zip>98115</zip>
+        </address>
+        <address location="work">
+            <street>2011 152nd Avenue NE</street>
+            <city>Redmond</city>
+            <state>WA</state>
+            <zip>98052</zip>
+        </address>
+        <phone location="work">(425)555-5665</phone>
+        <phone location="home">(206)555-5555</phone>
+        <phone location="mobile">(206)555-4321</phone>
+    </employee>
+</employees>
+
+

The second XPath expression does use namespaces. It would match the +following payload: +

+
<xq:employees xmlns:xq="http://www.example.com/employees">
+    <employee>
+        <name>Fred Jones</name>
+        <address location="home">
+            <street>900 Aurora Ave.</street>
+            <city>Seattle</city>
+            <state>WA</state>
+            <zip>98115</zip>
+        </address>
+        <address location="work">
+            <street>2011 152nd Avenue NE</street>
+            <city>Redmond</city>
+            <state>WA</state>
+            <zip>98052</zip>
+        </address>
+        <phone location="work">(425)555-5665</phone>
+        <phone location="home">(206)555-5555</phone>
+        <phone location="mobile">(206)555-4321</phone>
+    </employee>
+</xq:employees>
+
+

Note the different namespace used in the second example. +

+

+ Transformation functions

+

Transformation functions are used to alter input data before it is +used in matching (i.e., operator execution). The input data is never +modified, actually—whenever you request a transformation function to be +used, ModSecurity will create a copy of the data, transform it, and then + run the operator against the result. +

+
Note 
There are no default transformation +functions, as there were in the first generation of ModSecurity (1.x). +
+

In the following example, the request parameter values are converted +to lowercase before matching: +

SecRule ARGS "xp_cmdshell" "t:lowercase" +

Multiple transformation actions can be used in the same rule, +forming a transformation pipeline. The transformations will be performed + in the order in which they appear in the rule. +

In most cases, the order in which transformations are performed +is very important. In the following example, a series of transformation +functions is performed to counter evasion. Performing the +transformations in any other order would allow a skillful attacker to +evade detection: +

SecRule ARGS +"(asfunction|javascript|vbscript|data|mocha|livescript):" +"t:none,t:htmlEntityDecode,t:lowercase,t:removeNulls,t:removeWhitespace" +

+
Warning 
It is currently possible to use +SecDefaultAction to specify a default list of transformation functions, +which will be applied to all rules that follow the SecDefaultAction +directive. However, this practice is not recommended, because it means +that mistakes are very easy to make. It is recommended that you always +specify the transformation functions that are needed by a particular +rule, starting the list with t:none (which clears the possibly inherited + transformation functions). +
+

The remainder of this section documents the transformation functions +currently available in ModSecurity. +

+

base64Decode

+

Decodes a Base64-encoded string. +

+
SecRule REQUEST_HEADERS:Authorization "^Basic ([a-zA-Z0-9]+=*)$" "phase:1,capture,chain,logdata:%{TX.1}"
+  SecRule TX:1 ^(\w+): t:base64Decode,capture,chain
+    SecRule TX:1 ^(admin|root|backup)$ 
+
+

base64DecodeExt

+

Decodes a Base64-encoded string. Unlike base64Decode, this version +uses a forgiving implementation, which ignores invalid characters. +Available as of 2.5.13. +

See blog post on Base64Decoding evasion issues on PHP sites - http://blog.spiderlabs.com/2010/04/impedance-mismatch-and-base64.html +

+

base64Encode

+

Encodes input string using Base64 encoding. +

+

+cmdLine

+
Note 
This is a community contribution developed +by Marc Stern [7] +
+

In Windows and Unix, commands may be escaped by different means, such + as: +

+
  • c^ommand /c ... +
  • "command" /c ... +
  • command,/c ... +
  • backslash in the middle of a Unix command +
+

The cmdLine transformation function avoids this problem by +manipulating the variable contend in the following ways: +

+
  • deleting all backslashes [\] +
  • deleting all double quotes ["] +
  • deleting all sigle quotes ['] +
  • deleting all carets [^] +
  • deleting spaces before a slash [/] +
  • deleting spaces before an open parentesis [(] +
  • replacing all commas [,] and semicolon [;] into a space +
  • replacing all multiple spaces (including tab, newline, etc.) +into one space +
  • transform all characters to lowercase +
+

Example Usage: +

+
SecRule ARGS "(?:command(?:.com)?|cmd(?:.exe)?)(?:/.*)?/[ck]" "phase:2,t:none, t:cmdLine"
+
+

compressWhitespace

+

Converts any of the whitespace characters (0x20, \f, \t, \n, \r, \v, +0xa0) to spaces (ASCII 0x20), compressing multiple consecutive space +characters into one. +

+

+cssDecode

+

Decodes characters encoded using the CSS 2.x escape rules syndata.html#characters. + This function uses only up to two bytes in the decoding process, +meaning that it is useful to uncover ASCII characters encoded using CSS +encoding (that wouldn’t normally be encoded), or to counter evasion, +which is a combination of a backslash and non-hexadecimal characters +(e.g., ja\vascript is equivalent to javascript). +

+

escapeSeqDecode

+

Decodes ANSI C escape sequences: \a, \b, \f, \n, \r, \t, \v, \\, \?, +\', \", \xHH (hexadecimal), \0OOO (octal). Invalid encodings are left in + the output. +

+

+hexDecode

+

Decodes a string that has been encoded using the same algorithm as +the one used in hexEncode (see following entry). +

+

+hexEncode

+

Encodes string (possibly containing binary characters) by replacing +each input byte with two hexadecimal characters. For example, xyz is +encoded as 78797a. +

+

htmlEntityDecode

+

Decodes the characters encoded as HTML entities. The following +variants are supported: +

+
  • &#xHH and &#xHH; (where H is any hexadecimal number) +
  • &#DDD and &#DDD; (where D is any decimal number) +
  • &quotand" +
  • &nbspand  +
  • &ltand< +
  • &gtand> +
+

This function always converts one HTML entity into one byte, possibly + resulting in a loss of information (if the entity refers to a character + that cannot be represented with the single byte). It is thus useful to +uncover bytes that would otherwise not need to be encoded, but it cannot + do anything meaningful with the characters from the range above 0xff. +

+

+jsDecode

+

Decodes JavaScript escape sequences. If a \uHHHH code is in the range + of FF01-FF5E (the full width ASCII codes), then the higher byte is used + to detect and adjust the lower byte. Otherwise, only the lower byte +will be used and the higher byte zeroed (leading to possible loss of +information). +

+

length

+

Looks up the length of the input string in bytes, placing it (as +string) in output. For example, if it gets ABCDE on input, this +transformation function will return 5 on output. +

+

+lowercase

+

Converts all characters to lowercase using the current C locale. +

+

md5

+

Calculates an MD5 hash from the data in input. The computed hash is +in a raw binary form and may need encoded into text to be printed (or +logged). Hash functions are commonly used in combination with hexEncode +(for example: t:md5,t:hexEncode). +

+

none

+

Not an actual transformation function, but an instruction to +ModSecurity to remove all transformation functions associated with the +current rule. +

+

normalisePath

+

Removes multiple slashes, directory self-references, and directory +back-references (except when at the beginning of the input) from input +string. +

+

normalisePathWin

+

Same as normalisePath, but first converts backslash characters to +forward slashes. +

+

parityEven7bit

+

Calculates even parity of 7-bit data replacing the 8th bit of each +target byte with the calculated parity bit. +

+

parityOdd7bit

+

Calculates odd parity of 7-bit data replacing the 8th bit of each +target byte with the calculated parity bit. +

+

parityZero7bit

+

Calculates zero parity of 7-bit data replacing the 8th bit of each +target byte with a zero-parity bit, which allows inspection of even/odd +parity 7-bit data as ASCII7 data. +

+

removeNulls

+

Removes all NUL bytes from input. +

+

removeWhitespace

+

Removes all whitespace characters from input. +

+

replaceComments

+

Replaces each occurrence of a C-style comment (/* ... */) with a +single space (multiple consecutive occurrences of which will not be +compressed). Unterminated comments will also be replaced with a space +(ASCII 0x20). However, a standalone termination of a comment (*/) will +not be acted upon. +

+

replaceNulls

+

Replaces NUL bytes in input with space characters (ASCII 0x20). +

+

+urlDecode

+

Decodes a URL-encoded input string. Invalid encodings (i.e., the ones + that use non-hexadecimal characters, or the ones that are at the end of + string and have one or two bytes missing) are not converted, but no +error is raised. To detect invalid encodings, use the +@validateUrlEncoding operator on the input data first. The +transformation function should not be used against variables that have +already been URL-decoded (such as request parameters) unless it is your +intention to perform URL decoding twice! +

+

urlDecodeUni

+

Like urlDecode, but with support for the Microsoft-specific %u +encoding. If the code is in the range of FF01-FF5E (the full-width ASCII + codes), then the higher byte is used to detect and adjust the lower +byte. Otherwise, only the lower byte will be used and the higher byte +zeroed. +

+

+urlEncode

+

Encodes input string using URL encoding. +

+

sha1

+

Calculates a SHA1 hash from the input string. The computed hash is in + a raw binary form and may need encoded into text to be printed (or +logged). Hash functions are commonly used in combination with hexEncode +(for example, t:sha1,t:hexEncode). +

+

+trimLeft

+

Removes whitespace from the left side of the input string. +

+

+trimRight

+

Removes whitespace from the right side of the input string. +

+

trim

+

Removes whitespace from both the left and right sides of the input +string. +

+

+Actions

+

Each action belongs to one of five groups: +

+
  • Disruptive actions - Cause ModSecurity to do something. +In many cases something means block transaction, but not in all. For +example, the allow action is classified as a disruptive action, but it +does the opposite of blocking. There can only be one disruptive action +per rule (if there are multiple disruptive actions present, or +inherited, only the last one will take effect), or rule chain (in a +chain, a disruptive action can only appear in the first rule). +
  • Non-disruptive actions - Do something, but that +something does not and cannot affect the rule processing flow. Setting a + variable, or changing its value is an example of a non-disruptive +action. Non-disruptive action can appear in any rule, including each +rule belonging to a chain. +
  • Flow actions - These actions affect the rule flow (for +example skip or skipAfter). +
  • Meta-data actions - Meta-data actions are used to +provide more information about rules. Examples include id, rev, severity + and msg. +
  • Data actions - Not really actions, these are mere +containers that hold data used by other actions. For example, the status + action holds the status that will be used for blocking (if it takes +place). +
+

allow

+

Description: Stops rule processing on a successful match and +allows the transaction to proceed. +

Action Group: Disruptive +

Example: +

+
# Allow unrestricted access from 192.168.1.100 
+SecRule REMOTE_ADDR "^192\.168\.1\.100$" phase:1,nolog,allow
+
+


+Prior to ModSecurity 2.5 the allow action would only affect the current +phase. An allow in phase 1 would skip processing the remaining rules in +phase 1 but the rules from phase 2 would execute. Starting with v2.5.0 +allow was enhanced to allow for fine-grained control of what is done. +The following rules now apply: +

+
  1. If used one its own, like in the example above, allow will +affect the entire transaction, stopping processing of the current phase +but also skipping over all other phases apart from the logging phase. +(The logging phase is special; it is designed to always execute.) +
  2. If used with parameter "phase", allow will cause the engine to +stop processing the current phase. Other phases will continue as normal. +
  3. If used with parameter "request", allow will cause the engine +to stop processing the current phase. The next phase to be processed +will be phase RESPONSE_HEADERS. +
+

Examples: +

+
# Do not process request but process response.
+SecAction phase:1,allow:request
+
+# Do not process transaction (request and response).
+SecAction phase:1,allow
+
+

If you want to allow a response through, put a rule in phase +RESPONSE_HEADERS and simply use allow on its own: +

+
# Allow response through.
+SecAction phase:3,allow
+
+

append

+

Description: Appends text given as parameter to the end of +response body. Content injection must be en- abled (using the +SecContentInjection directive). No content type checks are made, which +means that before using any of the content injection actions, you must +check whether the content type of the response is adequate for +injection. +

Action Group: Non-disruptive +

Processing Phases: 3 and 4. +

Example: +

+
SecRule RESPONSE_CONTENT_TYPE "^text/html" "nolog,pass,append:'<hr>Footer'"
+
Warning 
Although macro expansion is allowed in +the additional content, you are strongly cau- tioned against inserting +user-defined data fields into output. Doing so would create a cross-site + scripting vulnerability. +
+

+auditlog

+

Description: Marks the transaction for logging in the audit +log. +

Action Group: Non-disruptive +

Example: +

SecRule REMOTE_ADDR "^192\.168\.1\.100$" +auditlog,phase:1,allow +

+
Note 
The auditlog action is now explicit if log +is already specified. +
+

block

+

Description: Performs the disruptive action defined by the +previous SecDefaultAction. +

Action Group: Disruptive +

This action is essentially a placeholder that is intended to be +used by rule writers to request a blocking action, but without +specifying how the blocking is to be done. The idea is that such +decisions are best left to rule users, as well as to allow users, to +override blocking if they so desire. +In future versions of ModSecurity, more control and functionality will +be added to define "how" to block. +

Examples: +

+
# Specify how blocking is to be done 
+SecDefaultAction phase:2,deny,status:403,log,auditlog
+
+# Detect attacks where we want to block 
+SecRule ARGS attack1 phase:2,block
+
+# Detect attacks where we want only to warn 
+SecRule ARGS attack2 phase:2,pass
+
+

It is possible to use the SecRuleUpdateActionById directive to +override how a rule handles blocking. This is useful in three cases: +

+
  1. If a rule has blocking hard-coded, and you want it to use the +policy you determine +
  2. If a rule was written to block, but you want it to only warn +
  3. If a rule was written to only warn, but you want it to block +
+

The following example demonstrates the first case, in which the +hard-coded block is removed in favor of the user-controllable block: +

+
# Specify how blocking is to be done 
+SecDefaultAction phase:2,deny,status:403,log,auditlog
+
+# Detect attacks and block 
+SecRule ARGS attack1 phase:2,id:1,deny
+
+# Change how rule ID 1 blocks 
+SecRuleUpdateActionById 1 block
+
+

+capture

+

Description: When used together with the regular expression +operator (@rx), the capture action will create copies of the regular +expression captures and place them into the transaction variable +collection. +

Action Group: Non-disruptive +

Example: +

+
SecRule REQUEST_BODY "^username=(\w{25,})" phase:2,capture,t:none,chain
+  SecRule TX:1 "(?:(?:a(dmin|nonymous)))"
+
+

Up to 10 captures will be copied on a successful pattern match, each +with a name consisting of a digit from 0 to 9. The TX.0 variable always +contains the entire area that the regular expression matched. All the +other variables contain the captured values, in the order in which the +capturing parentheses appear in the regular expression. +

+

chain

+

Description: Chains the current rule with the rule that +immediately follows it, creating a rule chain. Chained rules allow for +more complex processing logic. +

Action Group: Flow +

Example: +

+
# Refuse to accept POST requests that do not contain Content-Length header. 
+# (Do note that this rule should be preceded by a rule 
+# that verifies only valid request methods are used.) 
+SecRule REQUEST_METHOD "^POST$" phase:1,chain,t:none
+  SecRule &REQUEST_HEADERS:Content-Length "@eq 0" t:none
+
+
Note 
Rule chains allow you to simulate logical +AND. The disruptive actions specified in the first portion of the +chained rule will be triggered only if all of the variable checks return + positive hits. If any one aspect of a chained rule comes back negative, + then the entire rule chain will fail to match. Also note that +disruptive actions, execution phases, metadata actions (id, rev, msg), +skip, and skipAfter actions can be specified only by the chain starter +rule. +
+

The following directives can be used in rule chains: +

+
  • SecAction +
  • SecRule +
  • SecRuleScript +
+

Special rules control the usage of actions in chained rules: +

+
  • Any actions that affect the rule flow (i.e., the disruptive +actions, skip and skipAfter) can be used only in the chain starter. They + will be executed only if the entire chain matches. +
  • Non-disruptive rules can be used in any rule; they will be +executed if the rule that contains them matches and not only when the +entire chain matches. +
  • The metadata actions (e.g., id, rev, msg) can be used only in +the chain starter. +
+

ctl

+

Description: Changes ModSecurity configuration on transient, +per-transaction basis. Any changes made using this action will affect +only the transaction in which the action is executed. The default +configuration, as well as the other transactions running in parallel, +will be unaffected. +

Action Group: Non-disruptive +

Example: +

+
# Parse requests with Content-Type "text/xml" as XML 
+SecRule REQUEST_CONTENT_TYPE ^text/xml "nolog,pass,ctl:requestBodyProcessor=XML"
+
+

The following configuration options are supported: +

+
  1. auditEngine +
  2. auditLogParts +
  3. debugLogLevel +
  4. forceRequestBodyVariable +
  5. requestBodyAccess +
  6. requestBodyLimit +
  7. requestBodyProcessor +
  8. responseBodyAccess +
  9. responseBodyLimit +
  10. ruleEngine +
  11. ruleRemoveById - since this action us triggered at run +time, it should be specified before the rule in which it is +disabling. +
  12. ruleUpdateTargetById +
+

With the exception of the requestBodyProcessor and +forceRequestBodyVariable settings, each configuration option corresponds + to one configuration directive and the usage is identical. +

The requestBodyProcessor option allows you to configure the +request body processor. By default, ModSecurity will use the URLENCODED +and MULTIPART processors to process an application/x-www-form-urlencoded + and a multipart/form-data body, respectively. A third processor, XML, +is also supported, but it is never used implicitly. Instead, you must +tell ModSecurity to use it by placing a few rules in the REQUEST_HEADERS + processing phase. After the request body is processed as XML, you will +be able to use the XML-related features to inspect it. +

Request body processors will not interrupt a transaction if an +error occurs during parsing. Instead, they will set the variables +REQBODY_PROCESSOR_ERROR and REQBODY_PROCESSOR_ERROR_MSG. These variables + should be inspected in the REQUEST_BODY phase and an appropriate action + taken. +The forceRequestBodyVariable option allows you to configure the +REQUEST_BODY variable to be set when there is no request body processor +configured. This allows for inspection of request bodies of unknown +types. +

+

deny

+

Description: Stops rule processing and intercepts transaction. +

Action Group: Disruptive +

Example: +SecRule REQUEST_HEADERS:User-Agent "nikto" "log,deny,msg:'Nikto +Scanners Identified'" +

+

deprecatevar

+

Description: Decrements numerical value over time, which makes + sense only applied to the variables stored in persistent storage. +

Action Group: Non-Disruptive +

Example: The following example will decrement the counter by 60 +every 300 seconds. +

+
SecAction phase:5,nolog,pass,deprecatevar:SESSION.score=60/300
+
+

Counter values are always positive, meaning that the value will never + go below zero. Unlike expirevar, the deprecate action must be executed +on every request. +

+

drop

+

Description: Initiates an immediate close of the TCP +connection by sending a FIN packet. +

Action Group: Disruptive +

Example: The following example initiates an IP collection +for tracking Basic Authentication attempts. If the client goes over the +threshold of more than 25 attempts in 2 minutes, it will DROP subsequent + connections. +

+
SecAction phase:1,initcol:ip=%{REMOTE_ADDR},nolog
+SecRule ARGS:login "!^$" "nolog,phase:1,setvar:ip.auth_attempt=+1,deprecatevar:ip.auth_attempt=20/120"
+SecRule IP:AUTH_ATTEMPT "@gt 25" "log,drop,phase:1,msg:'Possible Brute Force Attack'"
+
+
Note 
This action is currently not available on +Windows based builds. +
+

This action is extremely useful when responding to both Brute Force +and Denial of Service attacks in that, in both cases, you want to +minimize both the network bandwidth and the data returned to the client. + This action causes error message to appear in the log "(9)Bad file +descriptor: core_output_filter: writing data to the network" +

+

exec

+

Description: Executes an external script/binary supplied as +parameter. As of v2.5.0, if the parameter supplied to exec is a Lua +script (detected by the .lua extension) the script will be processed +internally. This means you will get direct access to the internal +request context from the script. Please read the SecRuleScript +documentation for more details on how to write Lua scripts. +

Action Group: Non-disruptive +

Example: +

+
# Run external program on rule match 
+SecRule REQUEST_URI "^/cgi-bin/script\.pl" "phase:2,t:none,t:lowercase,t:normalizePath,block,\ exec:/usr/local/apache/bin/test.sh"
+
+# Run Lua script on rule match 
+SecRule ARGS:p attack "phase:2,block,exec:/usr/local/apache/conf/exec.lua"
+
+

The exec action is executed independently from any disruptive actions + specified. External scripts will always be called with no parameters. +Some transaction information will be placed in environment variables. +All the usual CGI environment variables will be there. You should be +aware that forking a threaded process results in all threads being +replicated in the new process. Forking can therefore incur larger +overhead in a multithreaded deployment. The script you execute must +write something (anything) to stdout; if it doesn’t, ModSecurity will +assume that the script failed, and will record the failure. +

+

+expirevar

+

Description: Configures a collection variable to expire after +the given time period (in seconds). +

Action Group: Non-disruptive +

Example: +

+
SecRule REQUEST_COOKIES:JSESSIONID "!^$" "nolog,phase:1,pass,setsid:%{REQUEST_COOKIES:JSESSIONID}"
+SecRule REQUEST_URI "^/cgi-bin/script\.pl" "phase:2,t:none,t:lowercase,t:normalisePath,log,allow,setvar:session.suspicious=1,expirevar:session.suspicious=3600,phase:1"
+
+

You should use the expirevar actions at the same time that you use +setvar actions in order to keep the indented expiration time. If they +are used on their own (perhaps in a SecAction directive), the expire +time will be reset. +

+

id

+

Description: Assigns a unique ID to the rule or chain in which + it appears. +

Action Group: Meta-data +

Example: +

+
SecRule &REQUEST_HEADERS:Host "@eq 0" "log,id:60008,severity:2,msg:'Request Missing a Host Header'"
+
+

These are the reserved ranges: +

+
  • 1–99,999: reserved for local (internal) use. Use as you see fit, + but do not use this range for rules that are distributed to others +
  • 100,000–199,999: reserved for internal use of the engine, to +assign to rules that do not have explicit IDs +
  • 200,000–299,999: reserved for rules published at +modsecurity.org +
  • 300,000–399,999: reserved for rules published at gotroot.com +
  • 400,000–419,999: unused (available for reservation) +
  • 420,000–429,999: reserved for ScallyWhack [8] +
  • 430,000–699,999: unused (available for reservation) +
  • 700,000–799,999: reserved for Ivan Ristic +
  • 900,000–999,999: reserved for the OWASP ModSecurity Core Rule +Set [9] project +
  • 1,000,000-1,999,999: unused (available for reservation) +
  • 2,000,000-2,999,999: reserved for rules from Trustwave's +SpiderLabs Research team +
  • 3,000,000 and above: unused (available for reservation) +
+

+initcol

+

Description: Initializes a named persistent collection, either + by loading data from storage or by creating a new collection in memory. +

Action Group: Non-disruptive +

Example: The following example initiates IP address +tracking, which is best done in phase 1: +

+
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}
+
+

Collections are loaded into memory on-demand, when the initcol action + is executed. A collection will be persisted only if a change was made +to it in the course of transaction processing. +

See the "Persistant Storage" section for further details. +

+

log

+

Description: Indicates that a successful match of the rule +needs to be logged. +

Action Group: Non-disruptive +

Example: +

+
SecAction phase:1,pass,initcol:ip=%{REMOTE_ADDR},log
+
+

This action will log matches to the Apache error log file and the +ModSecurity audit log. +

+

+logdata

+

Description: Logs a data fragment as part of the alert +message. +

Action Group: Non-disruptive +

Example: +

+
SecRule ARGS:p "@rx <script>" "phase:2,log,pass,logdata:%{MATCHED_VAR}"
+
+

The logdata information appears in the error and/or audit log files. +Macro expansion is performed, so you may use variable names such +as %{TX.0} or %{MATCHED_VAR}. The information is properly +escaped for use with logging of binary data. +

+

msg

+

Description: Assigns a custom message to the rule or chain in +which it appears. The message will be logged along with every alert. +

Action Group: Meta-data +

Example: +

+
SecRule &REQUEST_HEADERS:Host "@eq 0" "log,id:60008,severity:2,msg:'Request Missing a Host Header'"
+
+
Note 
The msg information appears in the error +and/or audit log files and is not sent back to the client in response +headers. +
+

+ multiMatch

+

Description: If enabled, ModSecurity will perform multiple +operator invocations for every target, before and after every +anti-evasion transformation is performed. +

Action Group: Non-disruptive +

Example: +

+
SecRule ARGS "attack" "phase1,log,deny,t:removeNulls,t:lowercase,multiMatch"
+
+

Normally, variables are inspected only once per rule, and only after +all transformation functions have been completed. With multiMatch, +variables are checked against the operator before and after every +transformation function that changes the input. +

+

+ noauditlog

+

Description: Indicates that a successful match of the rule +should not be used as criteria to determine whether the transaction +should be logged to the audit log. +

Action Group: Non-disruptive +

Example: +

+
SecRule REQUEST_HEADERS:User-Agent "Test" allow,noauditlog
+
+

If the SecAuditEngine is set to On, all of the transactions will be +logged. If it is set to RelevantOnly, then you can control the logging +with the noauditlog action. +

The noauditlog action affects only the current rule. If you +prevent audit logging in one rule only, a match in another rule will +still cause audit logging to take place. If you want to prevent audit +logging from taking place, regardless of whether any rule matches, use +ctl:auditEngine=Off. +

+

nolog

+

Description: Prevents rule matches from appearing in both the +error and audit logs. +

Action Group: Non-disruptive +

Example: +

+
SecRule REQUEST_HEADERS:User-Agent "Test" allow,nolog
+
+

Although nolog implies noauditlog, you can override the former by +using nolog,auditlog. +

+

pass

+

Description: Continues processing with the next rule in spite +of a successful match. +

Action Group: Disruptive +

Example: +

+
SecRule REQUEST_HEADERS:User-Agent "Test" "log,pass"
+
+

When using pass with a SecRule with multiple targets, all variables +will be inspected and all non-disruptive actions trigger for every +match. In the following example, the TX.test variable will be +incremented once for every request parameter: +

+
# Set TX.test to zero 
+SecAction "phase:2,nolog,pass,setvar:TX.test=0"
+
+# Increment TX.test for every request parameter 
+SecRule ARGS "test" "phase:2,log,pass,setvar:TX.test=+1"
+
+

pause

+

Description: Pauses transaction processing for the specified +number of milliseconds. +

Action Group: Non-disruptive +

Example: +

+
SecRule REQUEST_HEADERS:User-Agent "Test" "log,deny,status:403,pause:5000"
+
+
Warning 
This feature can be of limited benefit +for slowing down brute force authentication attacks, but use with care. +If you are under a denial of service attack, the pause feature may make +matters worse, as it will cause an entire Apache worker (process or +thread, depending on the deployment mode) to sit idle until the pause is + completed. +
+

phase

+

Description: Places the rule or chain into one of five +available processing phases. It can also be used in SecDefaultAction to +establish the rule defaults. +

Action Group: Meta-data +

Example: +

+
# Initialize IP address tracking in phase 1
+SecAction phase:1,nolog,pass,initcol:IP=%{REMOTE_ADDR}
+
+
Warning 
Keep in mind that if you specify the +incorrect phase, the variable used in the rule may not yet be available. + This could lead to a false negative situation where your variable and +operator may be correct, but it misses malicious data because you +specified the wrong phase. +
+

+prepend

+

Description: Prepends the text given as parameter to response +body. Content injection must be enabled (using the SecContentInjection +directive). No content type checks are made, which means that before +using any of the content injection actions, you must check whether the +content type of the response is adequate for injection. +

Action Group: Non-disruptive +

Processing Phases: 3 and 4. +

Example: +

+
SecRule RESPONSE_CONTENT_TYPE ^text/html \ "phase:3,nolog,pass,prepend:'Header<br>'"
+
+
Warning 
Although macro expansion is allowed in +the injected content, you are strongly cautioned against inserting user +defined data fields int output. Doing so would create a cross-site +scripting vulnerability. +
+

proxy

+

Description: Intercepts the current transaction by forwarding +the request to another web server using the proxy backend. The +forwarding is carried out transparently to the HTTP client (i.e., +there’s no external redirection taking place). +

Action Group: Disruptive +

Example: +

+
SecRule REQUEST_HEADERS:User-Agent "Test" log,proxy:http://honeypothost/
+
+

For this action to work, mod_proxy must also be installed. This +action is useful if you would like to proxy matching requests onto a +honeypot web server, and especially in combination with IP address or +session tracking. +

+

+redirect

+

Description: Intercepts transaction by issuing an external +(client-visible) redirection to the given location.. +

Action Group: Disruptive +

Example: +

+
SecRule REQUEST_HEADERS:User-Agent "Test" "phase:1,log,redirect:http://www.example.com/failed.html"
+
+

If the status action is present on the same rule, and its value can +be used for a redirection (i.e., is one of the following: 301, 302, 303, + or 307), the value will be used for the redirection status code. +Otherwise, status code 302 will be used. +

+

rev

+

Description: Specifies rule revision. It is useful in +combination with the id action to provide an indication that a rule has +been changed. +

Action Group: Meta-data +

Example: +

+
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
+	                "phase:2,rev:'2.1.3',capture,t:none,t:normalisePath,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'950907',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_COMMAND_INJECTION1"
+
+
Note 
This action is used in combination with the + id action to allow the same rule ID to be used after changes take place + but to still provide some indication the rule changed. +
+

sanitiseArg

+

Description: Prevents sensitive request parameter data from +being logged to audit log. Each byte of the named parameter(s) is +replaced with an asterisk. +

Action Group: Non-disruptive +

Example: +

+
# Never log passwords 
+SecAction "nolog,phase:2,sanitiseArg:password,sanitiseArg:newPassword,sanitiseArg:oldPassword"
+
+
Note 
The sanitize actions affect only the data +as it is logged to audit log. High-level debug logs may contain +sensitive data. Apache access log may contain sensitive data placed in +the request URI. +
+

sanitiseMatched

+

Description: Prevents the matched variable (request argument, +request header, or response header) from being logged to audit log. Each + byte of the named parameter(s) is replaced with an asterisk. +

Action Group: Non-disruptive +

Example: This action can be used to sanitise arbitrary +transaction elements when they match a condition. For example, the +example below will sanitise any argument that contains the word password + in the name. +

+
SecRule ARGS_NAMES password nolog,pass,sanitiseMatched
+
+
Note 
The sanitize actions affect only the data +as it is logged to audit log. High-level debug logs may contain +sensitive data. Apache access log may contain sensitive data placed in +the request URI. +
+

sanitiseMatchedBytes

+

Description: Prevents the matched string in a variable from +being logged to audit log. Each or a range of bytes of the named +parameter(s) is replaced with an asterisk. +

Action Group: Non-disruptive +

Example: This action can be used to sanitise arbitrary +transaction elements when they match a condition. For example, the +example below will sanitise the credit card number. +

+
  • sanitiseMatchedBytes -- This would x out only the bytes that +matched. +
  • sanitiseMatchedBytes:1/4 -- This would x out the bytes that +matched, but keep the first byte and last 4 bytes +
+
# Detect credit card numbers in parameters and 
+# prevent them from being logged to audit log 
+SecRule ARGS "@verifyCC \d{13,16}" "phase:2,nolog,pass,msg:'Potential credit card number in request',sanitiseMatchedBytes"
+SecRule RESPONSE_BODY "@verifyCC \d{13,16}" "phase:4,t:none,log,block,msg:'Potential credit card number is response body',sanitiseMatchedBytes:0/4"
+
+
Note 
The sanitize actions affect only the data +as it is logged to audit log. High-level debug logs may contain +sensitive data. Apache access log may contain sensitive data placed in +the request URI. +
+

sanitiseRequestHeader

+

Description: Prevents a named request header from being logged + to audit log. Each byte of the named request header is replaced with an + asterisk.. +

Action Group: Non-disruptive +

Example: This will sanitise the data in the Authorization +header. +

+
SecAction "phase:1,nolog,pass,sanitiseRequestHeader:Authorization"
+
+
Note 
The sanitize actions affect only the data +as it is logged to audit log. High-level debug logs may contain +sensitive data. Apache access log may contain sensitive data placed in +the request URI. +
+

sanitiseResponseHeader

+

Description: Prevents a named response header from being +logged to audit log. Each byte of the named response header is replaced +with an asterisk. +

Action Group: Non-disruptive +

Example: This will sanitise the Set-Cookie data sent to +the client. +

+
SecAction "phase:3,nolog,pass,sanitiseResponseHeader:Set-Cookie"
+
+
Note 
The sanitize actions affect only the data +as it is logged to audit log. High-level debug logs may contain +sensitive data. Apache access log may contain sensitive data placed in +the request URI. +
+

+severity

+

Description: Assigns severity to the rule in which it is used. +

Action Group: Meta-data +

Example: +

+
SecRule REQUEST_METHOD "^PUT$" "id:340002,rev:1,severity:CRITICAL,msg:'Restricted HTTP function'"
+
+

Severity values in ModSecurity follows the numeric scale of syslog +(where 0 is the most severe). The data below is used by the OWASP +ModSecurity Core Rule Set (CRS): +

+
  • 0 - EMERGENCY: is generated from correlation of anomaly +scoring data where there is an inbound attack and an outbound leakage. +
  • 1 - ALERT: is generated from correlation where there is +an inbound attack and an outbound application level error. +
  • 2 - CRITICAL: Anomaly Score of 5. Is the highest +severity level possible without correlation. It is normally generated +by the web attack rules (40 level files). +
  • 3 - ERROR: Error - Anomaly Score of 4. Is generated +mostly from outbound leakage rules (50 level files). +
  • 4 - WARNING: Anomaly Score of 3. Is generated by +malicious client rules (35 level files). +
  • 5 - NOTICE: Anomaly Score of 2. Is generated by the +Protocol policy and anomaly files. +
  • 6 - INFO +
  • 7 - DEBUG +
+

It is possible to specify severity levels using either the numerical +values or the text values, but you should always specify severity levels + using the text values, because it is difficult to remember what a +number stands for. The use of the numerical values is deprecated as of +version 2.5.0 and may be removed in one of the subsequent major updates. +

+

setuid

+

Description: Special-purpose action that initializes the USER +collection using the username provided as parameter. +

Action Group: Non-disruptive +

Example: +

+
SecRule ARGS:username ".*" "phase:2,t:none,pass,nolog,noauditlog,capture,setvar:session.username=%{TX.0},setuid:%{TX.0}"
+
+

After initialization takes place, the variable USERID will be +available for use in the subsequent rules. This action understands +application namespaces (configured using SecWebAppId), and will use one +if it is configured. +

+

setsid

+

Description: Special-purpose action that initializes the +SESSION collection using the session token provided as parameter. +

Action Group: Non-disruptive +

Example: +

+
# Initialise session variables using the session cookie value 
+SecRule REQUEST_COOKIES:PHPSESSID !^$ "chain,nolog,pass,setsid:%{REQUEST_COOKIES.PHPSESSID}"
+
+

Note +

After the initialization takes place, the variable SESSIONID will + be available for use in the subsequent rules. This action understands +application namespaces (configured using SecWebAppId), and will use one +if it is configured. +

+

setenv

+

Description: Creates, removes, and updates environment +variables that can be accessed by Apache. +

Action Group: Non-disruptive +

Examples: +

+
SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))" "phase:3,t:none,pass,nolog,setvar:tx.sessionid=%{matched_var}"
+SecRule TX:SESSIONID "!(?i:\;? ?httponly;?)" "phase:3,t:none,setenv:httponly_cookie=%{matched_var},pass,log,auditlog,msg:'AppDefect: Missing HttpOnly Cookie Flag.'"
+
+Header set Set-Cookie "%{httponly_cookie}e; HTTPOnly" env=httponly_cookie
+
+

setvar

+

Description: Creates, removes, or updates a variable. Variable + names are case-insensitive. +

Action Group: Non-disruptive +

Examples: +To create a variable and set its value to 1 (usually used for setting +flags), use: setvar:TX.score +

To create a variable and initialize it at the same time, use: setvar:TX.score=10 +

To remove a variable prefix the name with exclamation mark, use: setvar:!TX.score +

To increase or decrease variable value, use + and - characters in + front of a numerical value: setvar:TX.score=+5 +

Example from OWASP CRS: +

+
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsys\.user_catalog\b" \
+		"phase:2,rev:'2.1.3',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E, \
+block,msg:'Blind SQL Injection Attack',id:'959517',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1', \
+tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score}, \
+setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
+
+

skip

+

Description: Skips one or more rules (or chains) on successful + match. +

Action Group: Flow +

Example: +

+
# Require Accept header, but not from access from the localhost 
+SecRule REMOTE_ADDR "^127\.0\.0\.1$" "phase:1,skip:1" 
+
+# This rule will be skipped over when REMOTE_ADDR is 127.0.0.1 
+SecRule &REQUEST_HEADERS:Accept "@eq 0" "phase:1,deny,msg:'Request Missing an Accept Header'"
+
+

The skip action works only within the current processing phase and +not necessarily in the order in which the rules appear in the +configuration file. If you place a phase 2 rule after a phase 1 rule +that uses skip, it will not skip over the phase 2 rule. It will skip +over the next phase 1 rule that follows it in the phase. +

+

+skipAfter

+

Description: Skips one or more rules (or chains) on a successful +match, resuming rule execution with the first rule that follows the rule + (or marker created by SecMarker) with the provided ID. +

Action Group: Flow +

Example: The following rules implement the same logic as +the skip example, but using skipAfter: +

+
# Require Accept header, but not from access from the localhost 
+SecRule REMOTE_ADDR "^127\.0\.0\.1$" "phase:1,skipAfter:IGNORE_LOCALHOST" 
+
+# This rule will be skipped over when REMOTE_ADDR is 127.0.0.1 
+SecRule &REQUEST_HEADERS:Accept "@eq 0" "phase:1,deny,msg:'Request Missing an Accept Header'" 
+SecMarker IGNORE_LOCALHOST
+
+

Example from the OWASP ModSecurity CRS: +

+
SecMarker BEGIN_HOST_CHECK
+
+	SecRule &REQUEST_HEADERS:Host "@eq 0" \
+    		"skipAfter:END_HOST_CHECK,phase:2,rev:'2.1.3',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21', \
+tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score}, \
+setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+
+	SecRule REQUEST_HEADERS:Host "^$" \
+    		"phase:2,rev:'2.1.3',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7', \
+tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score}, \
+setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+
+SecMarker END_HOST_CHECK
+
+

The skipAfter action works only within the current processing phase +and not necessarily the order in which the rules appear in the +configuration file. If you place a phase 2 rule after a phase 1 rule +that uses skip, it will not skip over the phase 2 rule. It will skip +over the next phase 1 rule that follows it in the phase. +

+

status

+

Description: Specifies the response status code to use with +actions deny and redirect. +

Action Group: Data +

Example: +

+
# Deny with status 403
+SecDefaultAction "phase:1,log,deny,status:403"
+
+

Status actions defined in Apache scope locations (such as Directory, +Location, etc...) may be superseded by phase:1 action settings. The +Apache ErrorDocument directive will be triggered if present in the +configuration. Therefore if you have previously defined a custom error +page for a given status then it will be executed and its output +presented to the user. +

+

t

+

Description: This action is used to specify the transformation + pipeline to use to transform the value of each variable used in the +rule before matching. +

Action Group: Non-disruptive +

Example: +

+
SecRule ARGS "(asfunction|javascript|vbscript|data|mocha|livescript):" "t:none,t:htmlEntityDecode,t:lowercase,t:removeNulls,t:removeWhitespace"
+
+

Any transformation functions that you specify in a SecRule will be +added to the previous ones specified in SecDefaultAction. It is +recommended that you always use t:none in your rules, which prevents +them depending on the default configuration. +

+

tag

+

Description: Assigns a tag (category) to a rule or a chain. +

Action Group: Meta-data +

Example: +

+
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bgetparentfolder\b" \
+	"phase:2,rev:'2.1.3',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958016',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'% \
+{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+
+

The tag information appears along with other rule metadata. The +purpose of the tagging mechanism to allow easy automated categorization +of events. Multiple tags can be specified on the same rule. Use forward +slashes to create a hierarchy of categories (as in the example). Since +ModSecurity 2.6.0 tag supports macro expansion. +

+

xmlns

+

Description: Configures an XML namespace, which will be used +in the execution of XPath expressions. +

Action Group: Data +

Example: +

+
SecRule REQUEST_HEADERS:Content-Type "text/xml" "phase:1,pass,ctl:requestBodyProcessor=XML,ctl:requestBodyAccess=On, \
+    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+SecRule XML:/soap:Envelope/soap:Body/q1:getInput/id() "123" phase:2,deny
+
+

+Operators

+

This section documents the operators currently available in +ModSecurity. +

+

+ beginsWith

+

Description: Returns true if the parameter string is found at +the beginning of the input. Macro expansion is performed on the +parameter string before comparison. +

Example: +

+
# Detect request line that does not begin with "GET" 
+SecRule REQUEST_LINE "!@beginsWith GET"
+
+

+contains

+

Description: Returns true if the parameter string is found +anywhere in the input. Macro expansion is performed on the parameter +string before comparison. +

Example: +

+
# Detect ".php" anywhere in the request line 
+SecRule REQUEST_LINE "@contains .php" 
+
+

+endsWith

+

Description: Returns true if the parameter string is found at +the end of the input. Macro expansion is performed on the parameter +string before comparison. +

Example: +

+
# Detect request line that does not end with "HTTP/1.1" 
+SecRule REQUEST_LINE "!@endsWith HTTP/1.1"
+
+

eq

+

Description: Performs numerical comparison and returns true if + the input value is equal to the provided parameter. Macro expansion is +performed on the parameter string before comparison. +

Example: +

+
# Detect exactly 15 request headers 
+SecRule &REQUEST_HEADERS_NAMES "@eq 15"
+
+

ge

+

Description: Performs numerical comparison and returns true if + the input value is greater than or equal to the provided parameter. +Macro expansion is performed on the parameter string before comparison. +

Example: +

+
# Detect 15 or more request headers 
+SecRule &REQUEST_HEADERS_NAMES "@ge 15"
+
+

+geoLookup

+

Description: Performs a geolocation lookup using the IP +address in input against the geolocation database previously configured +using SecGeoLookupDb. If the lookup is successful, the obtained +information is captured in the GEO collection. +

Example: +The geoLookup operator matches on success and is thus best used in +combination with nolog,pass. If you wish to block on a failed lookup +(which may be over the top, depending on how accurate the geolocation +database is), the following example demonstrates how best to do it: +

+
# Configure geolocation database 
+SecGeoLookupDb /path/to/GeoLiteCity.dat 
+... 
+# Lookup IP address 
+SecRule REMOTE_ADDR "@geoLookup" "phase:1,nolog,pass"
+
+# Block IP address for which geolocation failed
+ SecRule &GEO "@eq 0" "phase:1,deny,msg:'Failed to lookup IP'"
+
+

See the GEO variable for an example and more information on various +fields available. +

+

+gsbLookup

+

Description: Performs a local lookup of Google's Safe Browsing + using URLs in input against the GSB database previously configured +using SecGsbLookupDb. When combined with capture operator it will save +the matched url into tx.0 variable. +

Syntax: SecRule TARGET "@gsbLookup REGEX" ACTIONS +

Version: 2.6 +

Example: +The gsbLookup operator matches on success and is thus best used in +combination with a block or redirect action. If you wish to block on +successful lookups, the following example demonstrates how best to do +it: +

+
# Configure Google Safe Browsing database 
+SecGsbLookupDb /path/to/GsbMalware.dat 
+... 
+# Check response bodies for malicious links
+SecRule RESPONSE_BODY "@gsbLookup =\"https?\:\/\/(.*?)\"" "phase:4,capture,log,block,msg:'Bad url detected in RESPONSE_BODY (Google Safe Browsing Check)',logdata:'http://www.google.com/safebrowsing/diagnostic?site=%{tx.0}'"
+
+

gt

+

Description: Performs numerical comparison and returns true if + the input value is greater than the operator parameter. Macro expansion + is performed on the parameter string before comparison. +

Example: +

+
# Detect more than 15 headers in a request 
+SecRule &REQUEST_HEADERS_NAMES "@gt 15"
+
+

inspectFile

+

Description: Executes an external program for every variable +in the target list. The contents of the variable is provided to the +script as the first parameter on the command line. The program must be +specified as the first parameter to the operator. As of version 2.5.0, +if the supplied program filename is not absolute, it is treated as +relative to the directory in which the configuration file resides. Also +as of version 2.5.0, if the filename is determined to be a Lua script +(based on its .lua extension), the script will be processed by the +internal Lua engine. Internally processed scripts will often run faster +(there is no process creation overhead) and have full access to the +transaction context of ModSecurity. +

The @inspectFile operator was initially designed for file +inspection (hence the name), but it can also be used in any situation +that requires decision making using external logic. +

The OWASP ModSecurity Core Rule Set (CRS) includes a utility +script in the /util directory called runav.pl [10] that allows the file approval mechanism to +integrate with the ClamAV virus scanner. This is especially handy to +prevent viruses and exploits from entering the web server through file +upload. +

+
#!/usr/bin/perl
+#
+# runav.pl
+# Copyright (c) 2004-2011 Trustwave
+#
+# This script is an interface between ModSecurity and its
+# ability to intercept files being uploaded through the
+# web server, and ClamAV
+
+
+$CLAMSCAN = "clamscan";
+
+if ($#ARGV != 0) {
+    print "Usage: modsec-clamscan.pl <filename>\n";
+    exit;
+}
+
+my ($FILE) = shift @ARGV;
+
+$cmd = "$CLAMSCAN --stdout --disable-summary $FILE";
+$input = `$cmd`;
+$input =~ m/^(.+)/;
+$error_message = $1;
+
+$output = "0 Unable to parse clamscan output [$1]";
+
+if ($error_message =~ m/: Empty file\.?$/) {
+    $output = "1 empty file";
+}
+elsif ($error_message =~ m/: (.+) ERROR$/) {
+    $output = "0 clamscan: $1";
+}
+elsif ($error_message =~ m/: (.+) FOUND$/) {
+    $output = "0 clamscan: $1";
+}
+elsif ($error_message =~ m/: OK$/) {
+    $output = "1 clamscan: OK";
+}
+
+print "$output\n";
+
+
+

Example: Using the runav.pl script: +

+
# Execute external program to validate uploaded files 
+SecRule FILES_TMPNAMES "@inspectFile /path/to/util/runav.pl"
+
+

Example of using Lua script (placed in the same directory as the +configuration file): +

+
SecRule FILES_TMPNANMES "@inspectFile inspect.lua"
+
+

The contents of inspect.lua: +

+
function main(filename)
+    -- Do something to the file to verify it. In this example, we
+    -- read up to 10 characters from the beginning of the file.
+    local f = io.open(filename, "rb");
+    local d = f:read(10);
+    f:close();
+   
+    -- Return null if there is no reason to believe there is ansything
+    -- wrong with the file (no match). Returning any text will be taken
+    -- to mean a match should be trigerred.
+    return null;
+end
+
+

Reference: http://blog.spiderlabs.com/2010/10/advanced-topic-of-the-week-preventing-malicious-pdf-file-uploads.html +

+

+ipMatch

+

Description: Performs a fast ipv4 or ipv6 match of REMOTE_ADDR + variable data. Can handle the following formats: +

+
  • Full IPv4 Address - 192.168.1.100 +
  • Network Block/CIDR Address - 192.168.1.0/24 +
  • Full IPv6 Address - 2001:db8:85a3:8d3:1319:8a2e:370:7348 +
  • Network Block/CIDR Address - +2001:db8:85a3:8d3:1319:8a2e:370:0/24 +
+

Examples: +

Individual Address: +

+
SecRule REMOTE_ADDR "@ipMatch 192.168.1.100"
+
+

Multiple Addresses w/network block: +

+
SecRule REMOTE_ADDR "@ipMatch 192.168.1.100,192.168.1.50,10.10.50.0/24"
+
+
Note 
Does not work under Windows OS +
+

le

+

Description: Performs numerical comparison and returns true if + the input value is less than or equal to the operator parameter. Macro +expansion is performed on the parameter string before comparison. +

Example: +

+
# Detect 15 or fewer headers in a request 
+SecRule &REQUEST_HEADERS_NAMES "@le 15"
+
+

lt

+

Description: Performs numerical comparison and returns true if + the input value is less than to the operator parameter. Macro expansion + is performed on the parameter string before comparison. +

Example: +

+
# Detect fewer than 15 headers in a request 
+SecRule &REQUEST_HEADERS_NAMES "@lt 15"
+
+

+strmatch

+

Description: Performs a string match of the provided word +against the desired input value. The operator uses the pattern matching + Boyer-Moore-Horspool algorithm, which means that it is a single pattern + matching operator. This operator performs much better than a regular +expression. +

Example: +

+
# Detect suspicious client by looking at the user agent identification 
+SecRule REQUEST_HEADERS:User-Agent "@strmatch WebZIP"
+
+

pm

+

Description: Performs a case-insensitive match of the provided + phrases against the desired input value. The operator uses a set-based +matching algorithm (Aho-Corasick), which means that it will match any +number of keywords in parallel. When matching of a large number of +keywords is needed, this operator performs much better than a regular +expression. +

Example: +

+
# Detect suspicious client by looking at the user agent identification 
+SecRule REQUEST_HEADERS:User-Agent "@pm WebZIP WebCopier Webster WebStripper ... SiteSnagger ProWebWalker CheeseBot"
+
+

pmf

+

Short alias for pmFromFile. +

+

+ pmFromFile

+

Description: Performs a case-insensitive match of the provided + phrases against the desired input value. The operator uses a set-based +matching algorithm (Aho-Corasick), which means that it will match any +number of keywords in parallel. When matching of a large number of +keywords is needed, this operator performs much better than a regular +expression. +

This operator is the same as @pm, except that it takes a list of +files as arguments. It will match any one of the phrases listed in the +file(s) anywhere in the target value. +

Example: +

+
# Detect suspicious user agents using the keywords in 
+# the files /path/to/blacklist1 and blacklist2 (the latter 
+# must be placed in the same folder as the configuration file) 
+SecRule REQUEST_HEADERS:User-Agent "@pm /path/to/blacklist1 blacklist2"
+
+

Notes: +

+
  1. Files must contain exactly one phrase per line. End of line +markers (both LF and CRLF) will be stripped from each phrase and any +whitespace trimmed from both the beginning and the end. Empty lines and +comment lines (those beginning with the # character) will be ignored. +
  2. To allow easier inclusion of phrase files with rule sets, +relative paths may be used to the phrase files. In this case, the path +of the file containing the rule is prepended to the phrase file path. +
  3. The @pm operator phrases do not support metacharacters. +
  4. Because this operator does not check for boundaries when +matching, false positives are possible in some cases. For example, if +you want to use @pm for IP address matching, the phrase 1.2.3.4 will +potentially match more than one IP address (e.g., it will also match +1.2.3.40 or 1.2.3.41). To avoid the false positives, you can use your +own boundaries in phrases. For example, use /1.2.3.4/ instead of just +1.2.3.4. Then, in your rules, also add the boundaries where appropriate. + You will find a complete example in the example. +
+
# Prepare custom REMOTE_ADDR variable 
+SecAction "phase:1,nolog,pass,setvar:tx.REMOTE_ADDR=/%{REMOTE_ADDR}/"
+
+# Check if REMOTE_ADDR is blacklisted 
+SecRule TX:REMOTE_ADDR "@pmFromFile blacklist.txt" "phase:1,deny,msg:'Blacklisted IP address'" 
+
+

The file blacklist.txt may contain: +

+
# ip-blacklist.txt contents:
+# NOTE: All IPs must be prefixed/suffixed with "/" as the rules
+#   will add in this character as a boundary to ensure
+#   the entire IP is matched.
+# SecAction "phase:1,pass,nolog,setvar:tx.remote_addr='/%{REMOTE_ADDR}/'"
+/1.2.3.4/ 
+/5.6.7.8/
+
+
Warning 
Before ModSecurity 2.5.12, the +@pmFromFile operator understood only the LF line endings and did not +trim the whitespace from phrases. If you are using an older version of +ModSecurity, you should take care when editing the phrase files to avoid + using the undesired characters in patterns.e files should be one phrase + per line. End of line markers will be stripped from the phrases (LF and + CRLF), and whitespace is trimmed from both sides of the phrases. Empty +lines and comment lines (beginning with a '#') are ignored. To allow +easier inclusion of phrase files with rulesets, relative paths may be +used to the phrase files. In this case, the path of the file containing +the rule is prepended to the phrase file path. +
+

rbl

+

Description: Looks up the input value in the RBL (real-time +block list) given as parameter. The parameter can be an IPv4 address or a + hostname. +

Example: +

+
SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" "phase:1,t:none,pass,nolog,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score}, \
+setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},setvar:ip.spammer=1,expirevar:ip.spammer=86400,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400,skipAfter:END_RBL_CHECK"
+
+

rsub

+

Description: Performs regular expression data substitution +when applied to either the STREAM_INPUT_BODY or STREAM_OUTPUT_BODY +variables. This operator also supports macro expasion. +

Syntax: @rsub s/regex/str/[i] +

Examples: +Removing HTML Comments from response bodies: +

+
SecStreamOutBodyInspection On
+SecRule STREAM_OUTPUT_BODY "@rsub s/<!--.*?-->//" "phase:4,t:none,nolog,pass"
+
+

Regular expressions are handled by the PCRE library [11]. ModSecurity +compiles its regular expressions with the following settings: +

+
  1. The entire input is treated as a single line, even when there +are newline characters present. +
  2. All matches are case-sensitive. If you wish to perform +case-insensitive matching, you can either use the lowercase +transformation function or force case-insensitive matching by prefixing +the regular expression pattern with the (?i) modifier (a PCRE feature; +you will find many similar features in the PCRE documentation). +
  3. The PCRE_DOTALL and PCRE_DOLLAR_ENDONLY flags are set during +compilation, meaning that a single dot will match any character, +including the newlines, and a $ end anchor will not match a trailing +newline character. +
+

Regular expressions are a very powerful tool. You are strongly +advised to read the PCRE documentation to get acquainted with its +features. +

+

rx

+

Description: Performs a regular expression match of the +pattern provided as parameter. This is the default operator; the +rules that do not explicitly specify an operator default to @rx. +

Examples: +

+
# Detect Nikto 
+SecRule REQUEST_HEADERS:User-Agent "@rx nikto" phase:1,t:lowercase
+
+# Detect Nikto with a case-insensitive pattern 
+SecRule REQUEST_HEADERS:User-Agent "@rx (?i)nikto" phase:1,t:none
+
+# Detect Nikto with a case-insensitive pattern 
+SecRule REQUEST_HEADERS:User-Agent "(?i)nikto"
+
+

Regular expressions are handled by the PCRE library [12]. ModSecurity +compiles its regular expressions with the following settings: +

+
  1. The entire input is treated as a single line, even when there +are newline characters present. +
  2. All matches are case-sensitive. If you wish to perform +case-insensitive matching, you can either use the lowercase +transformation function or force case-insensitive matching by prefixing +the regular expression pattern with the (?i) modifier (a PCRE feature; +you will find many similar features in the PCRE documentation). +
  3. The PCRE_DOTALL and PCRE_DOLLAR_ENDONLY flags are set during +compilation, meaning that a single dot will match any character, +including the newlines, and a $ end anchor will not match a trailing +newline character. +
+

Regular expressions are a very powerful tool. You are strongly +advised to read the PCRE documentation to get acquainted with its +features. +

+

streq

+

Description: Performs a string comparison and returns true if +the parameter string is identical to the input string. Macro expansion +is performed on the parameter string before comparison. +

Example: +

+
# Detect request parameters "foo" that do not # contain "bar", exactly. 
+SecRule ARGS:foo "!@streq bar"
+
+

validateByteRange

+

Description: Validates that the byte values used in input fall + into the range specified by the operator parameter. This operator +matches on an input value that contains bytes that are not in the +specified range. +

Example: +

+
# Enforce very strict byte range for request parameters (only 
+# works for the applications that do not use the languages other 
+# than English). 
+SecRule ARGS "@validateByteRange 10, 13, 32-126"
+
+

The validateByteRange is most useful when used to detect the presence + of NUL bytes, which don’t have a legitimate use, but which are often +used as an evasion technique. +

+
# Do not allow NUL bytes 
+SecRule ARGS "@validateByteRange 1-255"
+
+
Note 
You can force requests to consist only of +bytes from a certain byte range. This can be useful to avoid stack +overflow attacks (since they usually contain "random" binary content). +Default range values are 0 and 255, i.e. all byte values are allowed. +This directive does not check byte range in a POST payload when +multipart/form-data encoding (file upload) is used. Doing so would +prevent binary files from being uploaded. However, after the parameters +are extracted from such request they are checked for a valid range. +
+

validateByteRange is similar to the ModSecurity 1.X +SecFilterForceByteRange Directive however since it works in a rule +context, it has the following differences: +

+
  • You can specify a different range for different variables. +
  • It has an "event" context (id, msg....) +
  • It is executed in the flow of rules rather than being a built +in pre-check. +
+

validateDTD

+

Description: Validates the XML DOM tree against the supplied +DTD. The DOM tree must have been built previously using the XML request +body processor. This operator matches when the validation fails. +

Example: +

+
# Parse the request bodies that contain XML 
+SecRule REQUEST_HEADERS:Content-Type ^text/xml$ "phase:1,nolog,pass,t:lowercase,ctl:requestBodyProcessor=XML"
+
+# Validate XML payload against DTD 
+SecRule XML "@validateDTD /path/to/xml.dtd" "phase:2,deny,msg:'Failed DTD validation'"
+
+

validateSchema

+

Description: Validates the XML DOM tree against the supplied +XML Schema. The DOM tree must have been built previously using the XML +request body processor. This operator matches when the validation fails. +

Example: +

+
# Parse the request bodies that contain XML 
+SecRule REQUEST_HEADERS:Content-Type ^text/xml$ "phase:1,nolog,pass,t:lowercase,ctl:requestBodyProcessor=XML"
+
+# Validate XML payload against DTD 
+SecRule XML "@validateSchema /path/to/xml.xsd" "phase:2,deny,msg:'Failed DTD validation'"
+
+

validateUrlEncoding

+

Description: Validates the URL-encoded characters in the +provided input string. +

Example: +

+
# Validate URL-encoded characters in the request URI 
+SecRule REQUEST_URI_RAW "@validateUrlEncoding"
+
+

ModSecurity will automatically decode the URL-encoded characters in +request parameters, which means that there is little sense in applying +the @validateUrlEncoding operator to them —that is, unless you know that + some of the request parameters were URL-encoded more than once. Use +this operator against raw input, or against the input that you know is +URL-encoded. For example, some applications will URL-encode cookies, +although that’s not in the standard. Because it is not in the standard, +ModSecurity will neither validate nor decode such encodings. +

+

validateUtf8Encoding

+

Description: Check whether the input is a valid UTF-8 string. +

Example: +

+
# Make sure all request parameters contain only valid UTF-8 
+SecRule ARGS "@validateUtf8Encoding"
+
+

The @validateUtf8Encoding operator detects the following problems: +

+
Not enough bytes 
UTF-8 supports two-, three-, +four-, five-, and six-byte encodings. ModSecurity will locate cases when + one or more bytes is/are missing from a character. +
Invalid characters 
The two most significant +bits in most characters should be fixed to 0x80. Some attack techniques +use different values as an evasion technique. +
Overlong characters 
ASCII characters are mapped + directly into UTF-8, which means that an ASCII character is one UTF-8 +character at the same time. However, in UTF-8 many ASCII characters can +also be encoded with two, three, four, five, and six bytes. This is no +longer legal in the newer versions of Unicode, but many older +implementations still support it. The use of overlong UTF-8 characters +is common for evasion. +
+
Notes 
+
+
  • Most, but not all applications use UTF-8. If you are dealing +with an application that does, validating that all request parameters +are valid UTF-8 strings is a great way to prevent a number of evasion +techniques that use the assorted UTF-8 weaknesses. False positives are +likely if you use this operator in an application that does not use +UTF-8. +
  • Many web servers will also allow UTF-8 in request URIs. If +yours does, you can verify the request URI using @validateUtf8Encoding. +
+

+verifyCC

+

Description: Detects credit card numbers in input. This +operator will first use the supplied regular expression to perform an +initial match, following up with the Luhn algorithm calculation to +minimize false positives. +

Example: +

+
# Detect credit card numbers in parameters and 
+# prevent them from being logged to audit log 
+SecRule ARGS "@verifyCC \d{13,16}" "phase:2,nolog,pass,msg:'Potential credit card number',sanitiseMatched"
+
+

+verifyCPF

+

Description: Detects CPF numbers (Brazilian social number) in +input. This operator will first use the supplied regular expression to +perform an initial match, following up with an algorithm calculation to +minimize false positives. +

Example: +

+
# Detect CPF numbers in parameters and 
+# prevent them from being logged to audit log 
+SecRule ARGS "@verifyCPF /^([0-9]{3}\.){2}[0-9]{3}-[0-9]{2}$/" "phase:2,nolog,pass,msg:'Potential CPF number',sanitiseMatched"
+
+

+verifySSN

+

Description: Detects US social security numbers (SSN) in +input. This operator will first use the supplied regular expression to +perform an initial match, following up with an SSN algorithm calculation + to minimize false positives. +

Example: +

+
# Detect social security numbers in parameters and 
+# prevent them from being logged to audit log 
+SecRule ARGS "@verifySSN \d{3}-?\d{2}-?\d{4}" "phase:2,nolog,pass,msg:'Potential social security number',sanitiseMatched"
+
+

Version: 2.6 +

SSN Format: +

A Social Security number is broken up into 3 sections: +

+
  • Area (3 digits) +
  • Group (2 digits) +
  • Serial (4 digits) +
+

verifySSN checks: +

+
  • Must have 9 digits +
  • Cannot be a sequence number (ie,, 123456789, 012345678) +
  • Cannot be a repetition sequence number ( ie 11111111 , +222222222) +
  • Cannot have area and/or group and/or serial zeroed sequences +
  • Area code must be less than 740 +
  • Area code must be different then 666 +
+

within

+

Description: Returns true if the input value is found anywhere + within the parameter value (the opposite of @contains). Macro expansion + is performed on the parameter string before comparison. +

Example: +

+
# Detect request methods other than GET, POST and HEAD SecRule REQUEST_METHOD "!@within GET,POST,HEAD"
+
+

Macro Expansion

+

Macros allow for using place holders in rules that will be expanded +out to their values at runtime. Currently only variable expansion is +supported, however more options may be added in future versions of +ModSecurity. +

Format: +

+
%{VARIABLE}
+%{COLLECTION.VARIABLE}
+
+

Macro expansion can be used in actions such as initcol, setsid, +setuid, setvar, setenv, logdata. Operators that are evaluated at runtime + support expansion and are noted above. Such operators include +@beginsWith, @endsWith, @contains, @within and @streq. You cannot use +macro expansion for operators that are "compiled" such as @pm, @rx, etc. + as these operators have their values fixed at configure time for +efficiency. +

Some values you may want to expand include: TX, REMOTE_ADDR, +USERID, HIGHEST_SEVERITY, MATCHED_VAR, MATCHED_VAR_NAME, +MULTIPART_STRICT_ERROR, RULE, SESSION, USERID, among others. +

+

Persistant Storage

+

At this time it is only possible to have three collections in which +data is stored persistantly (i.e. data available to multiple requests). +These are: IP, SESSION and USER. +

Every collection contains several built-in variables that are +available and are read-only unless otherwise specified: +

+
  1. CREATE_TIME - date/time of the creation of the +collection. +
  2. IS_NEW - set to 1 if the collection is new (not yet +persisted) otherwise set to 0. +
  3. KEY - the value of the initcol variable (the client's IP + address in the example). +
  4. LAST_UPDATE_TIME - date/time of the last update to the +collection. +
  5. TIMEOUT - date/time in seconds when the collection will +be updated on disk from memory (if no other updates occur). This +variable may be set if you wish to specifiy an explicit expiration time +(default is 3600 seconds). +
  6. UPDATE_COUNTER - how many times the collection has been +updated since creation. +
  7. UPDATE_RATE - is the average rate updates per minute +since creation. +
+

To create a collection to hold session variables (SESSION) use action + setsid. To create a collection to hold user variables (USER) use action + setuid. To create a collection to hold client address variables (IP) +use action initcol. +

+
Note 
ModSecurity implements atomic updates of +persistent variables only for integer variables (counters) at this time. + Variables are read from storage whenever initcol is encountered in the +rules and persisted at the end of request processing. Counters are +adjusted by applying a delta generated by re-reading the persisted data +just before being persisted. This keeps counter data consistent even if +the counter was modified and persisted by another thread/process during +the transaction. +
+
Note 
ModSecurity uses a Berkley Database (SDBM) +for persistant storage. This type of database is generally limited to +storing a maximum of 1008 bytes per key. This may be a limitation if you + are attempting to store a considerable amount of data in variables for a + single key. Some of this limitation is planned to be reduced in a +future version of ModSecurity. +
+

Miscellaneous Topics

+

Impedance Mismatch

+

Web application firewalls have a difficult job trying to make sense +of data that passes by, without any knowledge of the application and its + business logic. The protection they provide comes from having an +independent layer of security on the outside. Because data validation is + done twice, security can be increased without having to touch the +application. In some cases, however, the fact that everything is done +twice brings problems. Problems can arise in the areas where the +communication protocols are not well specified, or where either the +device or the application do things that are not in the specification. +In such cases it may be possible to design payload that will be +interpreted in one way by one device and in another by the other device. + This problem is better known as Impedance Mismatch. It can be exploited + to evade the security devices. +

While we will continue to enhance ModSecurity to deal with +various evasion techniques the problem can only be minimized, but never +solved. With so many different application backend chances are some will + always do something completely unexpected. The only solution is to be +aware of the technologies in the backend when writing rules, adapting +the rules to remove the mismatch. See the next section for some +examples. +

+

+ Impedance Mismatch with PHP Apps

+
  1. When writing rules to protect PHP applications you need to pay +attention to the following facts: +
  2. When "register_globals" is set to "On" request parameters are +automatically converted to script variables. In some PHP versions it is +even possible to override the $GLOBALS array. +
  3. Whitespace at the beginning of parameter names is ignored. +(This is very dangerous if you are writing rules to target specific +named variables.) +
  4. The remaining whitespace (in parameter names) is converted to +underscores. The same applies to dots and to a "[" if the variable name +does not contain a matching closing bracket. (Meaning that if you want +to exploit a script through a variable that contains an underscore in +the name you can send a parameter with a whitespace or a dot instead.) +
  5. Cookies can be treated as request parameters. +
  6. The discussion about variable names applies equally to the +cookie names. +
  7. The order in which parameters are taken from the request and +the environment is EGPCS (environment, GET, POST, Cookies, built-in +variables). This means that a POST parameter will overwrite the +parameters transported on the request line (in QUERY_STRING). +
  8. When "magic_quotes_gpc" is set to "On" PHP will use backslash +to escape the following characters: single quote, double quote, +backslash, and the nul byte. +
  9. If "magic_quotes_sybase" is set to "On" only the single quote +will be escaped using another single quote. In this case the +"magic_quotes_gpc" setting becomes irrelevant. The "magic_quotes_sybase" + setting completely overrides the "magic_quotes_gpc" behaviour but +"magic_quotes_gpc" still must be set to "On" for the Sybase-specific +quoting to be work. +
  10. PHP will also automatically create nested arrays for you. For +example "p[x][y]=1" results in a total of three variables. +
+

+ A Recommended Base Configuration

+

The following is a recommended configuration file which handles the +main ModSecurity directives/setting. These are the items that the Admin + should handle and configure for their own site. These settings should +not be including within 3rd party rules files. +

+
# -- Rule engine initialization ----------------------------------------------
+
+# Enable ModSecurity, attaching it to every transaction. Use detection
+# only to start with, because that minimises the chances of post-installation
+# disruption.
+#
+SecRuleEngine DetectionOnly
+
+
+# -- Request body handling ---------------------------------------------------
+
+# Allow ModSecurity to access request bodies. If you don't, ModSecurity
+# won't be able to see any POST parameters, which opens a large security
+# hole for attackers to exploit.
+#
+SecRequestBodyAccess On
+
+# Maximum request body size we will accept for buffering. If you support
+# file uploads then the value given on the first line has to be as large
+# as the largest file you are willing to accept. The second value refers
+# to the size of data, with files excluded. You want to keep that value as
+# low as practical.
+#
+SecRequestBodyLimit 13107200
+SecRequestBodyNoFilesLimit 131072
+
+# Store up to 128 KB of request body data in memory. When the multipart
+# parser reachers this limit, it will start using your hard disk for
+# storage. That is slow, but unavoidable.
+#
+SecRequestBodyInMemoryLimit 131072
+
+# Verify that we've correctly processed the request body.
+# As a rule of thumb, when failing to process a request body
+# you should reject the request (when deployed in blocking mode)
+# or log a high-severity alert (when deployed in detection-only mode).
+#
+SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
+"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
+
+# By default be strict with what we accept in the multipart/form-data
+# request body. If the rule below proves to be too strict for your
+# environment consider changing it to detection-only. You are encouraged
+# _not_ to remove it altogether.
+#
+SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+"phase:2,t:none,log,deny,msg:'Multipart request body \
+failed strict validation: \
+PE %{REQBODY_PROCESSOR_ERROR}, \
+BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+DB %{MULTIPART_DATA_BEFORE}, \
+DA %{MULTIPART_DATA_AFTER}, \
+HF %{MULTIPART_HEADER_FOLDING}, \
+LF %{MULTIPART_LF_LINE}, \
+SM %{MULTIPART_SEMICOLON_MISSING}, \
+IQ %{MULTIPART_INVALID_QUOTING}, \
+IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+
+# Did we see anything that might be a boundary?
+#
+SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+# PCRE Tuning
+# We want to avoid a potential RegEx DoS condition
+#
+SecPcreMatchLimit 1000
+SecPcreMatchLimitRecursion 1000
+
+# Some internal errors will set flags in TX and we will need to look for these.
+# All of these are prefixed with "MSC_".  The following flags currently exist:
+#
+# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
+#
+SecRule TX:/^MSC_/ "!@streq 0" \
+        "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+
+
+# -- Response body handling --------------------------------------------------
+
+# Allow ModSecurity to access response bodies. We leave this disabled
+# because most deployments want to focus on the incoming threats, and
+# leaving this off reduces memory consumption.
+#
+SecResponseBodyAccess Off
+
+# Which response MIME types do you want to inspect? You should adjust the
+# configuration below to catch documents but avoid static files
+# (e.g., images and archives).
+#
+SecResponseBodyMimeType text/plain text/html
+
+# Buffer response bodies of up to 512 KB in length.
+SecResponseBodyLimit 524288
+
+# What happens when we encounter a response body larger than the configured
+# limit? By default, we process what we have and let the rest through.
+# That's somewhat less secure, but does not break any legitimate pages.
+#
+SecResponseBodyLimitAction ProcessPartial
+
+
+# -- Filesystem configuration ------------------------------------------------
+
+# The location where ModSecurity stores temporary files (for example, when
+# it needs to handle a file upload that is larger than the configured limit).
+# If you don't specify a location here your system's default will be used
+# (normally /tmp), but that's less than ideal. It is recommended that you
+# specify a location that's private.
+#
+SecTmpDir /opt/modsecurity/var/tmp/
+
+# The location where ModSecurity will keep its persistent data. This,
+# too, needs to be a place that other users can't access.
+#
+SecDataDir /opt/modsecurity/var/data/
+
+
+# -- File uploads handling configuration -------------------------------------
+
+# The location where ModSecurity stores intercepted uploaded files. This
+# location must be private to ModSecurity. You don't want other users on
+# the server to access the files, do you?
+#
+SecUploadDir /opt/modsecurity/var/upload/
+
+# By default, only keep the files that were determined to be unusual
+# in some way (by an external inspection script). For this to work you
+# will also need at least one file inspection rule.
+#
+SecUploadKeepFiles RelevantOnly
+
+# Uploaded files are by default created with permissions that do not allow
+# any other user to access them. You may need to relax that if you want to
+# interface ModSecurity to an external program (e.g., an anti-virus).
+#
+SecUploadFileMode 0600
+
+
+# -- Debug log configuration -------------------------------------------------
+
+# The default debug log configuration is to duplicate the error, warning
+# and notice messages from the error log.
+#
+SecDebugLog /opt/modsecurity/var/log/debug.log
+SecDebugLogLevel 3
+
+
+# -- Audit log configuration -------------------------------------------------
+
+# Log the transactions that are marked by a rule, as well as those that
+# trigger a server error (determined by a 5xx response status code).
+#
+SecAuditEngine RelevantOnly
+SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+
+# Log everything we know about a transaction.
+SecAuditLogParts ABCDEFHKZ
+
+# Use a single file for logging. This is much easier to look at, but
+# assumes that you will use the audit log only ocassionally.
+#
+SecAuditLogType Serial
+SecAuditLog /opt/modsecurity/var/log/audit.log
+
+# Specify the path for concurrent audit logging.
+SecAuditLogStorageDir /opt/modsecurity/var/audit/
+
+
+# -- Miscellaneous -----------------------------------------------------------
+
+# Use the most commonly used application/x-www-form-urlencded parameter
+# separator. There's probably only one application somewhere that uses
+# something else so don't expect to change this value.
+#
+SecArgumentSeparator &
+
+# Settle on version 0 (zero) cookies, as that is what most applications
+# use. Using an incorrect cookie version may open your installation to
+# evasion attacks (against the rules that examine named cookies).
+#
+SecCookieFormat 0
+
+ + + + +
+Retrieved from "http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual"
+ +
+
+
+
+
+
+
Views
+
+ +
+
+
+
Personal tools
+
+
+
    +
+
+
+ + + + + +
+
+ +
+ + + + + + + \ No newline at end of file diff --git a/doc/apache_request_cycle-modsecurity.jpg b/doc/apache_request_cycle-modsecurity.jpg deleted file mode 100644 index 390c649350e15d4a359ca2be8ca15b4a963cc96b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 92271 zcmeFZ2UrwK);Hcb1j&NrG$0@-Ac7#70TED90ZEdxBmqg183X~zf&z*HgOU^h$r&Vr zh~yjxkQ`=+0}M0&_TIhsdiTHK?tc63x8M6LJpFX{bamCK>Z()c{LZfmKZ2hDPTf$s zt^yDc5CC4_KY$+xlz@}O#3aN-CrL<1NJ&qUQP5FRkdsp|)1IcLV`qVKu(PnSaq?W? z<2)nC&Bn$raZd1}h?tldlut@dQdIWBB{9+OnGleYl2VXUFi}!6iE^=ViT=ZX_)h@M zNeGJQEQH_;aDs*aLPLOW2A}{yKmnd|K0-^`Yu9gRY3u0f-PJd+w6eZuV{2#c=I-&()63f@_;E;R*pu*x z_-D@(5|duMOn&n=BQq;I=iU3F;*!#`@`}o;#-`?$*0%PJ&wc#^gG0k3qhrX~x%qDk zi%ZKZ=&kLY-MxLx!QuCM5de^%tMzNm{;Xa!V7*Qd5<&<`zSoQ3geQ1FXb6e8M2Kk> zHA&1}PM;Bdbdv5$TzX*xDfgv2D0&OmUNQzAF(fbgd)0ob*&nM|&_7kPUn}-oy~Y3v z2m$!ho6hE2hW&3Tz~enCKGegz_}O zPPR4rOxHH%{Woc->0_q?JYY(RT|$um&afP&LDl1wE8(lv@Jq(E0G+1te~+zs+(91-Hjin- z!AoFR$SXV$)BC%-VMXQtX7GQZ4F;w-20X||#T|^*)>`M(YZ#8!;}Y1IES|H8@Ia^L z3hc-7;Z4(9Y-pR~5KBDJCtv_9{n9Vb#p8i@@cmozFNF`2@PK;{3CRyb@GY|baMBc4 z$9mAKz#z|v2inVpk3F3i9Ln>#k#KCJD;^krh`U$q^Kb3rzsUaQ=kw81nKnSYloJgT zq(L%wa3+nzz3WPI)BDkhFYma`2Ppwvl+JnyoUv5O#F{4lK{MLqz}er?{aTRK)0pbp z4#<<6`E#$k*qb8-Jj}escc~lX81{yn@W7a7lIV?L?!d)Nz^9Z>Q-SE;c(CDtsQP&l zM?7F|EP)5q%=3dP@xYJ6_70}LS*bCAzJ8cxWFk^o_hQ&+wIE|YmGq$o@g#ktm*K2+ z!4oWfu2+N_agnsm%SA)k@mD7wwMjC4b?GmKQr7VlG>Z+qbWiMWiF;z6y)Cgx0k0C- zhZ_JJOIhLEqD)Qi9*FA6#x{nQO?BM}|Aq zbWK^TQ#`1c0}fLYI)z)hPj$VK2p7VVy6}Z5u^F)r(mp3)Epz-TD%V!;1MI#(9~%2% zbTyebzu?~DTDb_RcEy;sC*_i2JM2bPOcB48*=L_quKWZ8TCyX}K`;@&Cal!rR_6BU zFI)ThSQ{trw!T1i<%_qNr^8RrA5C982&hZY(jMUGyir|M5@<4^1i8gtbd9d_(I=8J zpL>DAnnodQv3VuqFlxBN-7cFP2R9y(F=y)e_)oO!pFWYuOg$NW-fpy+spntRpAG`hyu4SCB(weLd--=Nd3`o*i^u3Vh?lJhiQ{Z(%O>p2Bd zeF5i;uFoEsQh7x-?kCd^&cN<@-=ocly40$`@uIz3a<|J7W7*n^iM)&ENZqsOu`N%t z7Ad?4?^@Wh{5+*faJR>LV8H*oY3Pwb~TB z0FyTrv0?QzTxjfAr=dQpuOV|BS6rIV`LZ<;rh|aZo2jMaJp@L0Agq2~YPS1`tPKxj z=$7{A!H}B=R9?ln#zH)>OrHn1|7rpKFPO=7d^^V-PEzdO`Jfr|VNxK~`N`C270y-N zQH~vgfnK8mtY9oDyvJ#J`z?+^^>O`@g!4fUiH^~9jM%l^Zt^LGcIIZQELESdU!V3# zG&`S^PH?mz32tCUP(Q=MkmHfv%ng~cRtc|YDIRwDr)1a_+DRKRXi)Ij6AN_g*!fXs zdCeXf<3`KRN$`gu#3wlamjZ7c-U`-pFFq?MN%F8CoH zNP(h?WO?y`Vm170p!ClL#eFYm{C`V9iBOsvo;HX<8Fm#>SYJAjmpI#Joyf4%+0#Rm z%>O2k?C%^>zgOvZ@cJUW=bfW6FwjqhmYvp0;lg02UWw~4}MB-C+rNK zs~E}zGF+w7etMESu6>>iILN-6ysDtqO=)oDA*T3tKTmm^4VO~fE?3x`;n>Z66S`iU zU<&h?)CZeTCiZ|Wew$lOJs}<4_w|a5yiPZj8^lDz#Y0z9IK*N)u*0nM@=LPVkyh_6 z{r(!hw|1UBEnTIE=@0TpNNz@b^)9T?Q<5(e?hApk>c*(-Ff0rOzlDxT@)hLZ8g+h< z95hiZ+gHijpD)?@5J%-Zls8y`9&VMBxQ;fuaNnYrc17UyIc@Kk+LfO;7kR@9+GWVr z*XpRf&NpcrE|p|ivL3`W2yURcZKO`#hRH?@qSXVja&wI3NqWWiD#~ZiA)mH!nr>{c zs}?Rli@FymTi!@xdq~|3ebUp;Th+UMzwt(}`-d|SiWJu?Q3WQE8eI+}qlrnm=oc zcIDa#|E)!Y>}z=GPM$Nxr~?NbnmU5@cE4HQhoo!1kNZ@zl5WvA@}EB<5QO;491HY& z#1eV=8uhI2I80vVw!Tj?+9#VH27#Ef#hgoJMyZ4#&sIEBD|2ykiU|`;dTQ043=W9 zOA)*t$htoNT_6QAi- z^=!~@uy>lDL@LMvCvxVdhic{9ko%z}L9&ei&-)_$qaBNH5c99s#m86DsQkopy`0(5+j>O(oiO7qP+H_7WqyF3pU0>y9? zBe!uJ1G4HqCu`6|Yf1M-qEwhdm<|(RR|FVm`|R&vuc6M^omQkmn79xok=+pRd;O6; zcW6xz(eJ+Mz-lc(RH8;__WJ4ji!eoPabb#OgR;^r`~9+Y-i;SuhVpr=PZ~0}laL@* z71-p{Q2Wh?Y0>V}G+y1t#WlFjP6I>zMja)N`KKaZsa+pPuXJgb<`WA=ImX=xjTPX1^ixzG(ZG06CFs<>i2$a=R z8`?Q42&@tct?-a}>yjg$!7$|ZWNbc+S93Cqv>h6RW5jZqO>tm`DUTLi46#jNx6QL#L{d4=`lH)@iYld`pEG)KtX`H^2G>g+ zSfxVWo+yfZd4b3C*#pj`j)NHLfRr3a<6@6>uh`L~nm%fWgR>tu&{zJXBt`F%@E0mq z(%sgR>^?i<{g|>9b$UM~)YlhPj;*B`@=@ha?Y1Y6Uw{3=y7-WfC=kGrOjR#~dPCHq zr1V4$mSA^_SvB?&fh1ysdQLTmT+#oFt4otvF$GOTnkwq{BgB%Yk4l>Lw{a5z@d(MNqzMr zY9ZP=V>yoL!+HZvx@)s_B!@a*ye;I5JXww@t)GGpz(4o^Sl{k6slQtV4H1J=8L#L` z8y72G$dpKPy%{w=%`?_zXS$)t&04I)}h@n8~U+0^jF)#Hj zHC!ehm=q&uz=BSMVJ_&mHNmC%e?VR|h+;$Vz?M)a9xxt1NM2ukf-%JdXC~@*C+lD4 zPyO8)?AH?i&P?~uq?0U&Fx}!cPE&?`t|>smnR`{@%0tINzFeAIwhhj0BscbvP4*hpS?z9C;oh|$ztCMB#Q&VM}n^+OK z>7zjcI<{n&no`s9ps2U9Qp<f@nTSzl6QW%#b|4EDly zR1e8(&{B&+EoQH(V)?tNd;&_BJ4-*E{}kL4(d^8yd_9*^Xqu5{1~L^W+5IOWzT(be z<@##QxmfZhDn4XhoT_`)O6fJ+X1bf~dDH~jmN{NZIOSV1xJt6|59%l3?eDVT!(4{$ zfTl9tPlw)DQwI0;Qh229PG50W>2{?e;6&N)L$^^`}iLxtjZm9UAIl zn|~^{4>Tp`K2z@#$p^}|;pl9_7hY|8BwUH-F)`w<|6R93WWmXYJz8kDwO$ z|21sRAN>)5wu#nilAcP-PUxtXq#wG9vpUDO9}12GJn*wLZ~r9R&I&)|3;bXB+lI_* zO$8_ndjn(m*2}GF)!X*uvxm~dSy*0HKXQ8#OMN&CNG8xw-_O-UN?@N1O@r>Q?Oz1% z-Wjd37^emdzSD1rsk^^Yf$ai}-+W|k#WCpe*Kze*yEI&L(p4epC%fLohdt{f1AoU7 z-IhJNQ~gpAt1AlQcuvrx3A$NWUP17)Z6c3dosT?d;7hFruyXNA*r3;q1K8@q#wdJ; zlmi^d0%=D!kyb~^XX8%pCTTxSJNjnUwyK&mM+*P8s#FHjAndZ+a93~k5d6+Wv^QnM zJn>R*EI*txWR0_Z-+Jmu!a8WTq0RJ0Bbqm+mLttZ2v_PTEAW1KJUyuGGv%vx-z1BR z58zZge&%=}ULAzOhxtKeVxd7SR!`@rP8?D7rJl+eR&2lpOXEPq9u-MAjWJ5LiBH?I z>?S?I%Gu@VUm{m~fo<6)CYyPxcz8+`X+k}FX)cc%ITbFx`6LxiZZf7w*&n9Xm+~??~K=FW3_|euV?h zQS=g9i*i~sn^#y-Ynccmec3G=>$uTU{Usw}uV^xAmNPG8BstPI=KN$++4R@&Wb?45-S7(flaH|o^ycJ$>TYn3~2RzA8>PzRT0?bPuJ;DUI6Rf7* z53ot9_1qm#g`d~wiQ%2(eorwc=wd2t$0EK_KO=>`Ql$XCnE2Ey!rz+fV#fl-g(36U z+wj^Q`XNl`)gh1WQ?|*$hRgD2ljY99N|p-za?tJCmp(^)5T#N%+1<}1MzB^jRBDY_ zN;0Tjjk9xRj*Fmdjy0c1z6H?_Zf2oO%yY^-QypThZ9&d&{+i8mp+;H+u>vQlG0keq zw7)FDBHQX&SX&`VZWp64;x%I)dUAg;&&RVdn)P;H0Q)lSh~bmuy)l7TK};!I&w+Bj zm=q$wFtXKwulZdK`yMTejBuHMZr4oIqjD$EAdANXtwC+GDoIG{kBky~d2V|JGOU-w zB}dECDu=lX%H=%^>{t@Zj}#}zmVM^O#6R`XcYP5dCDqUq2vRkQ{rtAL*W(uTUJz=s zEU%zD@8+RjpWyaYZvJX()(50>oN29rat)c$M%>b2P7&&7Uw_TXObNXK!?gt&x>^Nx*x>w$a>`V zqRwh?Oy%-ejZIULy*%T9JomU=S)|!sm07X?t3$E0q5M>OeGMYsAM@c@y)gh9wg-=G z?%;|1FmYZi31;hRV|jt)GIIk{$8zgL4@ob}y^Q40aO-zPPZ(CFr1pw!?(LE=&&j#y z?q?^}yRNl*+C=#bcUSdP4Po_XYKi^N?fT2ZsFfZh+f^Tl-r~AK&LH=I&Sib~-OR@U z_cRd95j(I59lv>%+QA|@$XGm`XCrEzr$BL-UA}~1Qw@Z&bOvK2%-GPYS8lOYZq2K< z8GoP>XfCNgF`|gFIl4Wr5z%BYC{{7&a8zB);%E`Y-65%2dIha7&r%-Tn0gU4>kx42 zl}cr*a_G2b-{yXk`&~e`rGr9hkpvUV&JS6#|8cTk#LD3Tu5JeSh%W5-OzBTJB{jU= zttD-bJ{AvL%d>?b-bC;N-;ZDHk;7kNa?mFDZdLuUpTzc?*ibyM>H$B*I4>##cYkMv zRQ%pXS^6ojU-JC-obBRNeE<)7##gB?u(veohVGYaCU1SS)ZA2H5fZZ>*B_8b7n}7j zHih}=qcc_oJ$;A~H_fnLN?VrTG+5tv#+julUy=kLTz=FS2sYR3tGNbGg_soNRpWPJfA2g53MXPX!03Ug4^efsGnPS3#^4T*@)i+=3cuqK|s< zBu^N7-900Jq0?6nf!UKtYN!fSxK6`1TLI3}PxJO0Usa0)Z5UrW>>;sF73s6?XVlP7 z`uuQAYEyYQN~}}-QRV{%%Rslj8i?L@p8NEgfJG+{Eu)it*M}qyPSoU@(-*6v*a!D_ zS^(es^{3pKoH<4}H10DCr3whNLPuCO_jJ0x^`GoqV2J)mS|HdjMlP@!Ql6aIeyYM^cro)5shjF*Fxt{CAVm5YsvnAc_alAA|aRVrA^T z9gFYO&Bt#%PE@Y5&YFgmhVftMVIL~JIZm^8C{xC-Vmb%TLYJP@k}-&gi3h!x}- zsN**8!&f)C2=(RV0aDx@fT@Mlj_kGkkU! zdyamx;Y;(DgR{=inwYX`eF~SJBvG{YVwiYtJ-MG;(W{$%X&Tp%4RT6rj`%`gJqea-m0*UaQ zN7-_i>S%=G>)@dpL&aXfU0-1ulc~`72icUVp_S7qV&k{ucwC&h%|m^*71&jqg-_k} z3Tv(7h;M0n|FHw>FzHBgNMX7Wfr2sEGO%1IM_O9FV%|%X`s&a#-6lPl^_Kmy30v}A z0MgCe0=WBxMY{W6P(Q!2BKAyjOkJGg-5fi&YH6r%`0#!cf8~6{mekIwqwnl}@*M6p z%Zj$tPy|}(9VU!2z0kLvla>21XhN?0n1;L8nlx+*ZD@UtvOZYWe~P`@!~1ehfH3O8tA~J)VH1vJAm6+^{_B*tcT{R%A11PC%nwRca(r9d+(RJu67gym;G5YUQ8I3< zLeA*2@U{9`>YEhDS%3LWEona|S!726`=IO8Wz^TZi))e7V~Jy)CFqv5C(RPiCy#R= z1I{?kC4+zrL8}TC|8X_QCvo^4v~EJ?7;kgZ$%fV|!Cjzdf;`e2+?mv1KciNO>$x$p zxUp>*kI}kY-fua$fr$ThW|i1S2=IW?$aB@!hYA&lx$2B*Fs0qtsNs5lxfogP&~~&I z>^W2u)|TWW{|>d#>MsxFecWIIQ!=TXso*Y0WhS>)5c8f5lroKmZ}IaT4ZcIAC&-dI zeQnToy)Jp82qzAPEfHy(nyCIJ1BPs*fMKnYO8>@&3XnKE%3~gT<EeKqZn_)xxg_Q1z3nYUuiP$N+b^N0+mkNs2HVoaS$Rcg4COi2H?=QzSI^{Fs2 zSRq!C?{Jf@J#Ba0k`}(?yZUp!7!@Z|oV=`hJ~)Xuaz)|+<>nH2BReSAYKjHiPTUt1 zERGYJ`BM-d9I~)b*5ilaHZCCL<=mnT?x@SS47Ctu6I--2=FYVI&EU=47JardaOVA+ z5M?ri8E}zEh)#n*`R9WK_B(ImZvfI?(Mj0A_4+k|EHHReN4Ig9gFo`PaVau@t1~NjrJU{>;KY?w4GN>f$w{YOiOgj){Rh&?n}Sy_Crp zk=C5+)THAJFBY4!G;4e6QZBhB)xz5rDwbP7H|7;@%Ur5wllMu*@H03ace z3p47q{EjpGc!qAev-(n&>5U%gT3hlo@7sLc9IEo+hwxw=t~pa=hw&8ayJtRfY^izt zairqYSGTxF;BnVLxN(|n$snaJ-PumIe+&<_m5=3f=#=9Dm%B6Yn|e0CCvDMpV|;N+ zsh|h`@dNx&*}<5|4ab28o-Rhh)&!uqID;M%#Xt3Rf~?+*cLqwrelSp>lz3oh z1&q_6roTo2g+DUITz-lBu{Li1cI6cHqtG!-lMvz{I9d}oJ`md z`I6yg>`zC~>~}{U^CmxhEwoUc2;Tm9dUs%GvqkuT)(J!~VV^(N5kWxxb^1HT$MGn4 z+`m|Ebe%yRJ>WWA{A7WDpi25ADpHSg~`#y;;BU$mHerTrHuHQ|HfPDXJYUuBO&xf#AQlglkY7CwhqLt%qMJFx&zM921#FmAT=8u@;02f7 zbIeN(t+AQQk-zsEJ_h|7C@0f+5{5k8-wONoG_OF&UjW(&-8yeKz1yxk30&$ly&+q= zlijOu%1FP#gEYdcsnzFQ&RR*eklc+iL)BAq4y1!T4E?_dL#Zy zOD#cxqmDUC7WHS5+Xv{WKv_JX(OViz?WN=1MJ6oUUg5HwS{jr_?E%H8+`ZT`UsL3x zmmfWc5c50e79;5P;#Nz$iW<=M_8)&+0SikRbQ=ge{spRyy4-1~ehW z2%0hV4Pngz&=QStXTctCxaM7XHq>T>b3S*Z;qw*;Mpk%@z~IHvuT-`&-9|km;r1p( z=(B0>R_ro@hCFNh&$nbZ3CtmFLd_%R7cOm@e36JXP*0NrqfeY(j4eK)c^REKT()cN z^TSn!3o=$JE4dNRgg0-EO@#)^_IN32f^OI2NOhn@#VY+C$LsdM5x!(VP+ z6YuisZ`8yz-BOd9Owb8-QD8e;J~OGL(_bP7zkaY`QKoSkm77YA62jD_-5F-Q-%&<>*a%YGu00mi?r|*RtNNxa4WP*`=Y=~zhyksVGveh#finL@G~AfT z98)#5uy{q&&XM;^p{f3aw@6%NqRfko`%auT_Nlv2EYGm%j=*Z#elryN@F&m|EI4@; z7vk@R!vudPD&hfB@!?~#!^LAX2_9faPz6OSg0|_|D$utxHNpdRoFG6B8cer9$MQ;D zB_8lo1P8%)!~(p=T+gpx(i?_tK7nD@LCek<-cyhdpFRagkAY0Od^nEQq2Q2yxBF<8 z8YiRrUt#{0Edw_H??I$L|FX!(RSqdWdkd|z9nKy^$xQi|H~EDSu{;8& z)?nk?y(`}0pF3tLEln#fE)A{Uk8F|+4$Wn84yM?O%yYU|_3C}p@z|PKX$(^W4ZV(! z8K|}`QMjh{D|-j?$!o7a@(Cob=B**h6h1b_JvwfPD59f!UIIK)$owG)GB3|F*6ocX zf8jW5XJyTKez$-Y6W>Nie)|3=Ka9 zF4S)Zt73%;z+hX?iB%j%d{bTL`7?|J1^o|BKRR&n`x)8WYdMKi$$(kFLT#J0Q*c(hq+iEWWv= z$V_soH2@@<4c2fu%SL--Wjq|N^;`#Ix;C@ZkA`_S4S84i?h(+u!~h5--3Ry}DZh1p0Hn`p0Ya~PNlHTA?I1{GtG(Egn}%hT zY~EaDSy1Sgm{6V{x?Mfn?DUPtY-OM8TRpIOOQRVsO66uplxI(i>sv85hHl^#w)b@Zm>s9;Ej5J)*wp9+|a{e z(gLsBce8PWJtHmNQ2A@fyE@apt%zt@sZqW(FMk8j>yztn)Gy#8;c(Em!; z7d71##w};}^WuR!cwi$Ln8C4vr0+p6-h`}Aq4WEZ8grtp5f2)5V`yUl*W zpjqo=dblzDW!U+DPJY6fd%>UHmot*m2@A&1(lOtY3jqZ8$>K_48n`tREypT^ESo)( zzxDKs(aUQ}#=G$Tl~pMx8yd8ph{@PJ8+Z-_ zZ(gYV9(2IgxK1a8$ZozuTGiM zZXAs)r2XO6p{X(3k{%YBr6yN=FENHV?%HzwPy;bG7Vo*ZkD!M2)Tn!8Ps6QN@qpmV zW;c$6DOG+>w*;6+tpjzlJX`tD`i*Pp_e?a~NW{CAlGhi*Ht;}^N6i7`$p$Nej$mm( zPsm{|k7Kp@+*`v5!T68uW)AOuph5pahyEWv|7m4S|1uaa|Gv})cmV$qG?M?Z3ldoV zZduLj@7CP>4~c%BG?R?#Hl2t3bD;Cp3uO4WgrMeNL5FVVQngKH`zuZA6v_6Nd7d5Z zUMS7&p1q}ETcvx`7Vgh^l%Z$&c9~&JC)seEQ-kD7Qze4L&OoQ^rETI+;bR4m&>#WAL)gI1GT?9sjg$D*>A4OUoA z2^W|I-QS4CnD~Sp6I_68P6EEq_|3b#3tDnYz1>M-Z+|=;<;KYt0cr=N_X>1}5RA6g zyT_ti4+e6VJc-mbzk%_p)4ip)R29&I5=DaVM6W>@2t5mmb|`h_^i;|!RVFJ5EI@7v zj0RKG*_`9IN!10}vx+1UcWZ>7E~Tchb2LlVnRr6|S)UT{7f|-PY$Es?t5fq*5*#8LqT2std~z%;t@ezXB?M=<4A1bK&TipWX zzDA(Bf2$xARkKTdc)|!iT?On*3pBxgsMo)vz{c)2!(GC%$OpiNW&R>^Gqx?-JfWsG z8sttOs5X9Gx$rL-s{hHu@m&76ZXhf7+&6ZI5VT6E+td4IFw9^|hwS1xnuoDI z9{<#WWqP7c`K}zQxv7jqMLO$l`)gL)8uB8^0N0&3e#>pocRzAJ{?;{0IQ&K)TKyVT zdML7iO|NeF5%xMrF?*K*ui=M`t*?EE{-C<13))g#sRSV0uOExP{r$P|^YWsDA9Hl?ye zpJ}Na6ZcO8k)05?p|sNr6&M$nStaMNCv(<-k9lDc^w%=vTP*Q_{AE0_zXlKSGEQo9 z)Z}LDU)tD{YLa9l+iAzTIpkn2-wJ4UI+^jDJsR*h+u9EA{9Yaud3{en_+SeRGSpjQ z1;R0IbCt4o6q`KqritSYHLl#c_at?g`Njgdj_6~t2Zmq>u@Fb+AJK;M%fkbkBOtr- zon^tY!Rt+;gfX@AY@)$^B_I9yPf!=$#RJ_5Kb4?5@&Ug1c^Y>di+YE?9sz`{>B6?Z zeQ%yNjOLyI^q11l-v>ebA0OU{B!G+aB!}7!1Sbi9qMdX#7Ag9t+N|PeThpHcjj{g8IR~ z(w+HFB`(R5eI0O)|J-Nzk_m`RAgRoauYfRr+HeRQ&WAQ9ulcZ1G&033#Q8w&0d>le z&Vp6i)!|AJNGX?7@Ko&yp3U)(?}skCjE%Pu+R|&7&DEML|6wEUSM&O(Rk7N7Wb4e@ zE4Bn*BZal%mTv?6pP1;`XkN?`#HjoH1J)*}HF%&A$tu)nvi+Ck&(Fwb)sW0moP|b6 zt1R$FQuL727=Xh*1Ey#~|9!c7em@?VqTeX1M=w+N=!N2XdZjLlhRD!|s%HYun10+f zHt22xEbl?G86Jp)_~Ouc(+uEpol49l;#c&a#XG|F%;Z`f7}cX^Fhmcn?xeqp+DA|b zNwg%(!pJjwQXng|C`8Ocbv?1|ezHWvx`GLp*2Q}Y{*>O=QD``+;_S(1PwqN#j|^9i zdxb(zVL9zIazvC$1HqL!aVTn>oG^Sfy+9kS^Q|Q;EPtUa@(WxjR8F$sJmy40p6~;= zqb8HK_kr$_>z`=m%T3b})Gu)K4pj+BQ3V`KH^)aKgU6p4x8|X%wTsc@b{cl}Yqxt8 z7R9^$7--6)JfhyGy(~OPHl@rs?f2m2*{g9^!@k)A6GH)__EmDFHPkk^SKR(z+#(FA zW2Ez1>xo}oPAoilK^WKNW_sE$T4s(tp=H4Qe$zQ_Hj8&&ksAHG)RC99ma{~N2cdj7 zdq`YnVbNouk@=n3s@Vb|H$x%GeHeeV#bOJ24(qB%%goWDDNU*d#3t3|Zl}p7 zpE69+xV+N^Xrnnw-x*>}3}4KhwVfxj+$~T<$3}6L54tDT^}I=3m}Bjv(yes#0`WES zm988468XvwSgUi;n4MB4%}0+ESULDHZf|TeDV6yQTvZ4 zh4UI34~L&)ZeMe+kH|fn8xnJK%}!cpoitz&ZKzvO!nNKc@g;>Hl0Hx;w~|<%R2H6f zVTmcnOrS@e$!i79Zs#^(bmdGu!x!GMU%hwK!F4KOH}(`asE$?j9+Vmh?Np<5#DLWz8AHH zkhic@^ozAhc6M)FkU6b`<$BYRx!kgGGTu7|b^J;EMRkqRY|8Yi*hoF6Lq*WV_W<-f ziU_z7S?Y582i*J5cN+NX_c70b4l5d!yL(v;+&5lz1ACcYT+zdHs1s2Hj}*xNSff7< z6tyL=&)B@wPAl?gqAxrn(eZtS=JZgW21J8if!Y9N8V=ji5sTdq@%`q-*j%QK$;`O) zl<~oQ4@spVyzMneMC(NJg^F#`EqB}Gs8-N4?BpgMhCD5aJU$Dnf<4hr8@p_}y$wCy z;fHkO)e$U*=QyX@_-eRvcX=L$1?^N%lfxV33)f3pFA6vusdVB3KntlZ1p3=sFUm2V znTD7<>ePf?#k*Nccz|kWo$+eg^}zDcg|9RItM72VMc_t^FF-RVU3D)y35#vR1O8+{ zBPu&+O_rPOoz+R&%eUOMTKUQo8IFq1X<-ITf6e}fcNN&`L+jX=Q<(;woE-^hZ(nzA zjT8>^v5pN-Gme6m6n2OYz->q2-CyAQJ#T*#6>zH)#K7NT>Mf_*js|gDLmxi`P%N=L zOlP0xip=Ir-UMUt_v;rIU`I=u$8W9i089il&aMPXG1oCKU$Wn_7tHR8dzk!80ppyp z#K>6m>Ew|?0z5rG_qQT`XpJw=Wz1x~~qet*>ubwmp@=%(WNCZ4k zb86LS?EuaP0sYK`0raqNS)y#OS32bb7aF$BTc;bVVC$^H2M4jZL%LrZ2tg�wdc= zqiLY({ic4Zu?l5B{J4(IE|tC{;goZ-W~f_7e!*X?VPq^)Hfn zz(0tA{>AtH^Y$m;W}_H}&eghqC~GWz78X21#sS?WK5+kwl_W32B*z26lpf+aCK z--ww~P4N8qNsgbONBNryNx(wpA5wWQdEU`}iv|QLqRAx`HI*dN;u+`HZ?iga69xy5 zW$0)d@qa=9KrQh(Td=@w7!-R!{^9_#E@nABUjDIOmZky+hdjB1f|*z79CVY#6m#cr z`j|ojy5C#i37oa?@D4K8TQpD6qZ22+Pt7do=KiQMin_1odC|S9{P?uOsuCF zsa%$g>k=II9HoaS%-WbJcM+6?Oa>mm@nZilw@*=$Sxk%P%91wQy+9f(eWsjwvZnws zkuu>Ky7AX(27k;?V)^=B!GhTSoKT`Z1SYwB)9{Xs=(X`M^JU!}a5L*if56x{adATA zuKbxk%YmI``sXF+sFs-4@)apY=tZ^&;F~PhJF&!U^-8~~#sKqa`k}W@2HTT9eU2o} zr&fk;+%>vD<@Fzk-XSXdBMgh82j%YB@4JjG z?~C4eKw(9l&kuQA9CqY9%QX0OK~kkpMlVxE^!k2*9LCZ?@S()kS5cEY8fiCnt}Pk_itc^w?IHpo!fulP8$kAqG_VCuc=BQy$7YlYcsG|%Vhi8BhIg_w2ZxUb|JUp2&M1RGf~ z=m2gvnQpIof|2_klH6Vs%^!d1{qg4i`ePl&wtDgo>8lo%Di6s->q=KHZwqymxMfeo zDS;7T(!cJu{P9f+|I;>%Q;{SbrbJ&@&Xc{EAC~wW60yN^RJvFvY3}V!oIEX>NLdyr z?Myk=MjUd_l4+Zp!okb^J&TcvPDqKF*%^X}`hOhe5^voVNG*}#B8BkL6BT{_V)ZP@ zSA+0lap4vH=}m4%cbS|9L3`QH^!YZ zKyPw{Q{0E`cGSn^{&0<;PQlUJN;?(I*4{NW{7{in7`JKib?O9aY7X~^@pwz%a{vXr zeKZ$7?1o*P;+3IQ#VvIKZfU4TUd}kbGvMG-hW>D^*Nb&#D41n-4+(Qn#cC&-NQLgV z#$)a)g>y4cD=@&3Cs5N^j50VNB49sUFQ05^;r)HC{3zoBA^c@&e$~R>P&-CVON<6K#xQ$FF{g3#vgeT zd>aWp-a7YVc}q(ODmUCIVG!-@eryV|X@0oQkBI;le@y)2_1}CkieiX&I8rQE&PnKu zexZl(q>%;@9HUSp0Y(XE;L~Sff4Hu?B63}UZ4t|90)j7TC+j!kZpacLYhri4UmDY& zKSqLaz|;T{FZj(q@mpde;~%bmsr=ODv%k)YQz(Ohh~(1(I?OT%+}x7DRSWr=MB@QY zHR$0?TDu0(%HImA{LyFs5&M5gr7?O9tE2pAI{j`#vjk#5MZS*Uc=|;($KVTQE0V{+ zwStg=J)m?5qt#GFh@&rzH@`vkP9 zeupX;he3F;Hf5l*K(4W$1_?W;kHZP7Xc$CFPQt?AOY9`aXjLpH4wMJs z4&847T&7XACC~#TSP(b`{zK{SD55)?wkO)CMrkt4-acsYc>4**-VQFIxesRS4Q*wI z-0aKWDJv?CIdhMBtYTAv0x0vbkZeGOV>0EK2Kl+hDO4+^8SEjzy~=S;ox{b zT{d-qfX(e7p5C-dW?+y_tk~y+ixDoYb{S#BYy$uOXz;Jyd? zg~r|61)d;5I2PnWPKtvoWQoApnp8J8wa%q`(FE;=2RQnF+G6;VJDhGgl@Sx^E&qmR z%$2yM>(qB| zlf5?N;IJ3GeLecv&V5}-Y?{qrY=u^^kc7$Rn=NF(-88)FUamLqhnF#TliY$t9vQ)7 zaJ*yoJ}T+i<5#<>8VLhklADL(Cj&TF>n*j(_q1Y#mv5owbs@-m8T;gnV*$?f`#F$2 z6f8mz%ZDoZ?3?u^zHqC@gJ)>#y-FU9>ll2 zp^d%{`hLpqWX4U%w; z)R44!eNSw|q03KzDs>8q=6n5gV=<9!nDcs)e$QLiTL>pS;F$;b>PDgs)dxLf{H3qj zZrCsbQ97ZRw9FLyxob~kCa*jIw`n5EYqLnB7ZWc0pm2Y&^H8TgOn0vjtA-|5J8^Bw zoY}lDP`XxW*8S8(X6bVw!OG@9irL(*eA|5!vHrfRI{sqa7z_^cW|j5xcBDM zj(diexFZ%V2F-_X=j=Rt`AtPnJdklwV6V$Wd#aaLR+X2j#H-niVb}#MsGqPnV03mz zq4(_?ICkf8(4fh0XeC+xu0;tRUE>k+8Rk#zVe8!TDd2Y%47j-5SH(Nv%$!ij%$-wk ztt`PN=-lu|JA@3C#@vvVAB*h2|MVc_G_R`o`j`av(S6t|$P79Upy4rTTXg;K)uQ3j zrRgm~P{-wyVne*L+td%p?CN(%9maN?4^Duw;bB7D6>vM#Kg5CgdDo!7mR5`RPgFSn zpSf`eD(c_1{8jyJPliCj-_hTURDVZ~+xc~OqQ6$o-}s$i7F>@}xA6*x!g(y=s6mpQ z5~xY@Eo$cG$|w8bQ_!!qP*AsT@q>eW_lpMcpquF_@#X+QgC5HQSZ#tO6Vk!OVZTcb{;qC3;m?eTylq0U z#?DA*V8lt2w@G!YZPhT91rukN7iQSr^5K1E5a`a1_nLrS2jdLmv&SVuHsot|)%QxB z>Ufv;hDbdFb#P0&2&%D&?Mc?zczc%Key4T$uPqYku;%mYNzK=s4N!ti45L!JEx^MP zJ^E~{N@)#hU~C|6E#@4VMG*p1?|Aktov6X{(uAN7ZCSREzTr(Wv}p_sy`2dkHpi}x zS(x*X-mJxf{-vrE_J(-Z_mzrR9gDxMmCxn3Xg?LTudR4FQWFOGh#<7(N%kwY z5E;uO2n5#E{vJ?t?JiYTAj8vBZo!&23(l-7mCG%gMSi|{`q@Mep~=ne3&uG08y-uo zDXy^PXK-%a^R@ff;0^dHc&)%egR;b_bQ$8R(?FHZKNSz|7bVbuBag-8iaV(uZiDvh z3+vb~Flk_R2L`zuJL_HQ#&6Dt>KF1m!G+G7suqku8*!<`jto1;?j>!%g{})PDsbq# zpi+_Ij)(r+O4(ws#!iiNId~-@Ygk%RiuA9US3C}~;(KPi0ULv+FyR3^xHPaWM1r&$ zb1J=@?(2S*HmjAnn_g85Bje)X;wt3qmwWwDv-h$|dF)=;qRRKTfCmDozELc*^P8`q zCJfnoZ^*C&H{k)wjSsSW1Dnan33K`Tv$c%hh50$Xt2`~r(#uAps>)6&yqapTy5O}f zqs{R%1IeGtkC>gj;5bD}_S`(^k^)o~qtvJuz*jrSSz5hic2C~6+r**YS)OU63z_4- z>c>04{VlP|pS3BGg|4XM-uq}_p)QBH<4kbN*w60HkINr&a25|bIr|NjGc`zcxtp+} zqF7kp8O` zq`@#H_v-&+?>)n!ShsEAYJwpW+F-@QNjp{u*9dR9^O)_lhtV@yBW5iZm)a=q_N z5i~DL+nC2o?%sSdgtc8}u#sF?fROF$LSZ(&9)GET8=X4;iEjf$G{N&(3eDHwOo+7g ze#XE)p^!n4ba;)`ljD&(-aVt|OXfB%)jFfo67+JF823+XdtAIdy2SA|roIBUQ6Ck9 z=czdJlOYb=5JU07Zcm?s&wZ2ey_a^iy{r`(^7oLFhT=GSWM z_#QHS?v7kID5as6vq;C{vRnC#{c_sBX3Dd!vo?)wGu<&zB)tY&?d z5XkN&Mu<))ayN!VdTqG(*R#-NiwZ_ z&OszOu9-%T@a7#DwGki?Nx55K79&CJlP?2OF!1=KIP*x&US2UNdT?>U%bg^xo+vF+?K2)Y>v5vo|%%4LY5M6NK35E`>}v3RT}`h2Kq z+|7JjxRST%PJs4)&(-8Afy>?W^wX7x>5u2F#`XQgVA)X`XB}zPkgkpU0-eH@NO2qS z!TjAv{Di(-qtuYg_4|qOB2#KhAV}b;0&Cou>|6FYd3#urei6xItL;|RAsVY~M@VK1?Kw7GmK8tJ=Xa`*uh?RwJ5Uk@j1zeEuN_~=CVI)O=PDl4jq z032%?VDl${9{AM0jx1JxjT8oRTO9GzW$}2MU;Gq)7dKX7%dNFczpL?z(yicnNO!0L z!N7C?qx>XS2-%-01W53@7l{YCeKaf@bwALOn{8+SRFe03b|eUAnxj&33@vk&{wi^J z<(8LpnSZoP?8Vz`YuQix8}7y zPUcrbgeQapCuKwJG=#3~Hb*;(fl>pkw*)tNdTdk07dHg=68Fpfz$y>UnegHca?fNi z`t#1Sw*9wIq2p<0^!B!@Rt|77e*?LW8bpAYpU8i6_2=N!np6Tzam0m=H)RL$nbB9b z<LIiEUgJ*aQg-@ZpNWF_3R!^+EmQ80X50Ei5h%6cdWs} zY0wJ&jriXjTVOuY20x$u zvMJ;q(P^w6%FFA>-<+jgS4!C6;l=8{Oj_a;Di!lkGyhv3Chx`>LZ3 z+Dd865xM6ZV5fxRjK>sU?q;LCbe9R`L$C(k?*I7e-MBCL(#~ZYe!If#W;J=T)o-?6 zKPGT$BinORck6;AL+=3LEq@G0QZeU|YrNlkdlGE}gfMz>IJRx}=;al$;4=68$&@;J zNSd+T+1le0M9W@=o7FYqORw&62G&JYF{I0%qm^oW-L|w+^IRF1$b%v(+jDgEE~u_1 z@rt=aZW}L6rp1)lhL90Mu&2vYR=I98Y5iWY=662Bjr8t2lT)a#>h@T?0EGbDbiGxL45}CRE(MWdq+%JdyV%Wxcz$AD%f(a4p9|A z)Me7Rb#C*H*UH#++dF8ehhX0V(EhAYTBP4xdLi12#qll9Eo1@OR0<99KxHtRU;Jb} z{dl-MNkot-3i;5><2(tvQsR6|IAyL;1tHnW4Dt=M#m~M3h|Uj0qr90wmef9o>ZOH! zBQU|CKdce`!}|cyrT@XT+f-|-#!GT)8n~*}ac?o`yoC}q<1vN$%A7sVn}mT7N?pc) z_f0rw&y}wLmpn+iYRoS1WkZA%vy`qJ5ZSHk1%m#4SOIjQV;$bE51!MoStf5Ze*in_ zWa$-@wkV0IFVmuM~R-WVb<};LMT+G&qRx zy~to}1NzzYTa-Jqc~C2PIX(;+VyYgYK;obw$G z`k3(x7jjSJbkq>T5HJof+IxDYF;v+x23BiWd>uWzLgXUg7;zC4^JG>j1SmA*G>LH)_H_dMdH}zx5xRv~EM6oFCZq~tA|rdym3lB;zG||&1Y&`Pi6`K2 z{49M>%nAesXF-hSc*X&7@Z`J)rNu4-)^ezye+BB>-sS!kD)z_U|ND_muHs&3dI@$A9RaEHH+ttI?=i zp>f~vc`kQRXrc)7_kd%rT$%eh5vQtXirja&djnsaV?+dRDe>*a?ENJ4l*zcEb4VVX=A-L=u%e`SJa8UCxVKUDYExB|#nw3ya?b z`UdDq|GPuSuXdY*UpgEtfunbNj11reRouZKjvnj9L81B_*E>$tR%#4if#u`~LJ(U`jy`v{IWn@C{j{Dqxz(?5jhPs- zhl+PuOuuTA+;bR}$t`D3_KG^F)}PvQOl_<>)!6pzqou3%rIxB--A1rE{etbbt%{wH z7tu0zP_d3LI?Q(4L}v1;qBXrU`HNdy5)^5`Fj9IkQl?qaui$;{^LHlpp0w@-Za$xU z7MZ%qd0Y7RbnPCTD35I@Bixp#RHR-Y^pAQ~PBy?)Z#Vm&cu0cF!jdhC0^TexFQ7e;XVhaoV z5eH@EFq!yeal%7E#+sPRRS#Y|jgMD+oQsZhRywj4DV>K>s$Q^+;uN_v$6YgWa4zfS zLMDaolsvzShbmn#fplfJ%*NUX*r6)YWNi|k+HtD%Uek-6mL{X;z#zASU3sb1L{z*TKGlEwIZ_Wl?tNzy2q;KSJ_DMtmBuN* zPS9XT7~!c?*HoYRs6S0)2fH(5h-=Y6gD^9ceVHQa>RM3SI@8bgb~rBJHb0-P z+}FddE&SREqm#Vun^F_O53I(>BQCAdEcWreg?9cD`afd>+$ycXu*vBHNru!hY3^6= zH-pyWBJ(?D$;)lOe*}{i)n1PWu*tD@&61Nw7$W-USg(`OMof`|(f<<3kLL_Bs_zNC zThUmMIXtul7tuxmLwq5&j*tVV;RkG}nKIT}(C zVge*c?Ae{(qj@UEH0rCcPeT=EmgTIH!1Tp;V?FbroyqVzHX~|f=2^HYu3(&fH}{CKPj}Y^&1=Qo7sTOvoF|w+?@3{|A-T#lja;%kbR>7^15?hIsdkrwnTe- zrc1SDDf_RV> zbGFOz7G;V39cdhn1S@cn4rGBv+?zd5@gF`1%Eu@4QFYda_V%C+xJ$*3^%(Q z-k}Jn*ht)~0L?j)Ls@S{w|r>w9>z!{pev)NOgre;UAvc*?(R)+w@L=|_AQT(g> z_@CcHU{Dg&b;AuQKOzHJoSW}jn7YKnj)h7mq8=yMtz>j5e9+GC6UX5%&c;)|0g}Je zG{w+7t)_LA3JjTsuD@FbO9FqZvBUQ)=x;T6Xt-u{Ys>p9@N{}heS+S=;2?->dnYH1 zP^=$)$>zD(e&tY$F$kZ^PN9O5*HCztU_+RKe^}1mv4gJPEQ2mgLQyQyh#!}}``i9% ztN*tbmVdYN5;?`|@Yz67aZ5=+3(ikQeeIGt0VWGbIr%S?@k0+Nn0+KgCSDr%9 zdRl4zEH6N$Np82T+vM`J=$90mQhTxp(D-kAC_H_Cxh)=)XrqBo*2h>GUjcpF(N<7H z55RZ6e@ioyP9nbc7Rqu=lX#XD4ZZ?IgwI?S^N}Z)Xp1rHBi2Zd*u$Xy4T5*Vz7$Ui)HA(MBCn6mjV6Wzi%A9-S%@NKGFT> zBXZzNf*QSG)>mnQ&Ah7qwZ@f0vTT*~MeRgus+zL2r(x~w<^CtoM&@rX^scr#F&5}h zEJ_n<@2d&sEjN(GvyN?_h!+EJKNCY>>EGiQ|Hpb-U&J|&WoW<`;OX(t5dLv8eh7i; zd-&Pk57&65!b}*Gk@P=t4z!G$@c_>G_X86Cv(D>J0Dj8+aUXwj^5J;&gOZf`qR!m9$Qfnn~_#K$nZQcahSK4>( zEdH*ZCS-nh2bB4kfn2{4QxJl<_bng!&FLdCUeuA*j4-c*-c3-r%9X%dpw)g~Xc!0x zfkY_@{i8?Qw;Mn2O^+(b`xFj~P}t*G{e1KOoLT=NXa{wh{zZe=wRM((Uuj>#(k;1J zIN-)BAF(2hCTC+?m>?csnRf7jeUdP(#5)-gC&O zSaTOZNBiBK{`QCdIWFX%=sZ%sU>k_Y_rmey-X@NnQ35P{aX>a5IKiLNFpeLeN=ANL zL`O|0Zy}9JIf7yR#m%s8OKY&XRa3>8TE!Zr&bwNF{@u4VO%p`c4Al$^>9Df2wZ7zO zU;b!yQZ^2Sl>+p2(I?XlJ0zZseVtrjD`v8nFx#FT5onnVOqBYwVMT&9;IgIZ&-u2{ zXgyhLV&-ZjTu1BxGL1Cf#p{5FBxL8kH`9|}rt#iJQ5dTDEZ_dNkA@~l3(Pbeo#3^{zNu6*+@p)uz!`XbfARU!ZM+y=$s zTu2U0mo6w)udU12Qpnj%jPyLF4`mXz0z(Zgo||P4$(~h+Ea0|XEw$~NtMx5;qx;5HJ7{1p140X9}1E-XkLsU1> zu56eHS?do)inuMNqzrIx%2#iByjAt=;ps;4?TTeD7PzJo!McYz7-Ud%U@O8&^&;H^ zbiQ}_(XLZdDYAxsIrtZB-!(&)90+ZU1>@u=Zrs=A*OuNg`TtK-e<%Z6BZ$|RbL|lAKGjm(^FfLX!NA< zgFW1RrCiJLXGN&*+MA}XqpwTlP^y3CTS&Wz2rR0JM@1G4j+z)`p2N0!oIId}B9`ng zhH$@B^jv=*JWK(c)<;lMtf1(iZ<4@?gkhvQLaWTk^GOGn@m!@>RZwpk@(y^tai5_Y zD1a3d*aM}I>D-lXb7Dmtt!-H|4%J9;X!AR_&Tp^s-`-x~z~3q0{L7Y)wi%#AudlIm zHEco2Ok-??&}haWiOxB*!ddvTWEoC-I^m&DG$tZzt2>cPv0#G>C&z(ZmDgFOkt+nf zkje=u)kG5x-BUzLe+7&qkv*Os&pvZ*mx~BL%nx2cR7sC*-*|)K<%$x=RB2BJ4rqeK z_;)$OcHHWl6};nc7wP8GEcj7^ zJzhsKIkQ7$NWD>4-#)>bC>%HA{EG|Br-9MEujhNjDB>0#`4fbHn(1aM2F60Fyt0gOZ@42oQUFxGxUUW5iIwdp&W*lAl#(2`w zRik*HYMPxeE#jrjEw5F@c41BB-v!H}aUJQGMX-ty8Er>?wGj!ATVtEPnJ_FwHo5YmR{(bbmLxyqUkx#k*d>ibnq?`LTBiw* znNE0cJ(Ik;8?lfc$37_EOF*BeV(4A4D}F>1Y-lwqTT`|CveGXSxfY&0*e~8 zG_Gyb*Hez6ziIb?u{LE?g?&XgHA{BzmN`z{?jUQ(aQ3rqlz7uP?-0rC=IINed(W>G zxQ^Ea3#( za#v2RY9FuqRMIMGiP`9mE-qvZi=6sH2L7QKi>HA>Z9~n7Tlv9~8DF=(ojDzCc%KVe z{StY{R$r;}bbe1#v-koO{~jNin~|J)d~<)7%}9AHgB!g$)E_&FO$a`hZns%_ zJq+g~QpultOTX|i%ACqSfS|KJRsMtqB7*5dOE)*8O>}p`(&i-2C8`>-ovae=D_pvH zbZQj8RP(8)d>W=e>pD+Uzy=H%3&H(ZzN9ZkGHFfKP+c8#PdHYdIm#uh(0#iuV1{wH zK;1XmytXKMUV;ZR37h8e%bR|;AR`hJgqtuZFDiF0f%4ezgBhoFIsG?r-NpiN z%Wgb$`KiMccAGxE7wuWBuA%aS3+NAIy(MT%+S>K2fPT4TE3^{5H zG9}meFr^4GogSko;79ez@1b@rZ4v&P23yg*z24@If~RX#1?cIOh^%ClsAeOxMI#OS zbTeM358Vl8uPmJ&Ju>PeqfCqcB(vmzuLN^IC?sk<1|PVN?Gcnq)`s?<(zqg~@Zc!s z`6YsGIjf163fMui%J`q7Gux5HA@DDCVo%`os*TT-s#^yecLk;w_Ok=;a_(R+y`seT zvqJyaEV|3oIma|1UgbIF<|bIKFqgh^ZgfOQ|QHM z4HL-dWBTaF)v`SMC3mkTxfED?2MuAC`498IZq_9~c^(l3*&Zaw^}>oM(^QNB{u;DASG-H9#DnL|qP2HFFykp;Z5LL(A4)HBRLbsP2ye}Y$JZEe;)~^j|MXi4uLJ#uBFmgV z7&?-fFHP~i>2rY%T}FbE;x+1d<>C^Zy`f9+vcM1!d8Ne+p;+V2-wA5cxcueht ztw&i5vy-c@>W!5I?M7iAn0N~bd9`$)uMYxrK&qzJ-yH{W{8Noc=D?XOg6GoV0 zDzOp~?!^zKaWCTmk`9iR7~AdJcM_hlWqypN0!dYrz)dR<%8g)d&;2VusO;S9w78(k zH>>E`1drDPva|8AOSqQrXazvNRm_&^fa7z&&nV)4&xaa~+WnfJ!~57E85blS>n=4w z`dTDe3>6rKm}(5LiSGkqV6T~RL&mWICmLc{m@kRD6z;ajl#8JXIJN#q_|N(+5KP%nj0THE7_2wE}06p%qa}G z?6#tj6Z4(CdzsFXZ^_F29MC+y^1PH@_@tNj>ue*1^9-zq9#G;Od63bA?2l~QtEYLv z*;ch94b9h+YC zr1@m1N#rRmo4{=9Nt`3@XqF3jGDRO)mvS7~_J=&zZ^aQJXk>Meu7;=172_VcC^@-5 z>#%pUoj%0FQl8)i=Zl}(%P*3VQ?Ux%fpdhw_O>6|3kayo0KO-{D_bFynNzHfjw0O4 z+~g7>n)#jMhd1RG)R#vl70fSlZ1{s!QyV++E^muOjA4DLtAecv^isg{E70CSx0yV- z{1D4S&5%;);b7rXsr@8#x{L5-CleLxH0rTxkC@L{7f1a*V~0<5PAes39mCtRU?*na z(+CE|X|}drNIImtq8Tm|t8h^xD(`iQn!`n;vY-9xoV1-|?(@Jc<6}SYEOkvs6*ay% zDn1Gkd_%SQB@?D}O>?hx!X|PBm$P4j8Uo)$Y|fKej1w`*ug-QkmR{^`gEuqSMMlp1 zkZezi5sp;%cX(La7c!G!;A#eU3F(eUWiLlpr+JtLh|u?_DKhnhNM57bidd|wo*6>u zd<8Dsm$}_Gd6!0CQ`zH3z!}QhaERF!d)b~e+ca~k`C1ktfzL?llWw^b7B6IfDtLQk zobTL0Ka}*0_vwmm_&b>t)a7jnFO~O^y{wyfJe{Y?F?m#Cqo1^|l8Lye5@4H8daXP!mV# zRXs-$cKhylh=U>hP?z%MqH(lp3J8Of9@hZ2K7O;Du(vau)fTSK^G<0nlQaYwz#DHr2Bv~hyL6Z z#|s#_7ZyZ$CiAia=+dTfaxOXHy3h&-y$K8uYaT<^AM-pitnZ?9I|Yj*7fP%uPi(@k zc~h|Cl(f%6jC*ZD#fOg_){la2(?*&`V!?|dASc-1;n~VYy?Y=2zPXV8_Nhkk&_VhYn<*JqPAG_yT_q!Gk(geU7AsfcDF7xroPCcrG4%!@#aM3E{KMO z3@n&1yyFXHZ8QA}WZ%Wvk0@Y$bDV*{shgd~7_K`h|KUMQuO#*2)6DRT3C!8@OKKr^ zQ~~PFhMP6TA&63kY&>VaIy;d;*S6QG@147#DN(OnhinSI0%S-$N;K`si_{My3hJJ} zURYwlT(FEtYbii)xT8DH!mLFFkdaWe2_-4D z*KI@Qbw3-ONCq;uH<^TLj@f7dw8`UxUjbp?w0I%9-at)9@MisF4C80~CMEZY^b+e^w)_Ov zj$*Q4YkN7kPp=rw2$J;3NLoGW5_0sexc*KX%*<076@1IzZLke22;j?q{+!RS7Vdy# z9>N2SFbdFfz^gkFMsSMTaq^9-bFGu+fIN7=%mGDg3HAkU9EWyBz~_(k1B6r%x^tI7 zYSMd}R2q0?^L3El^HN+0BsjukJsr+U<^J|Pswu#wyVQz#95X-$%mmHTRzjM6is1bp z0-lQV6o+ZY6x#~D;wjvF@JQBWvPlL(4r_J>g{oAXNH&Ly&|wRL!RUX6?gE8piwK-g zW`93E$SAb47yjh@!hPiWKTpM!0LYWz>4JW;5&!w{B&eAFmv^_7wmTGsb3ncoRs-I~tbnNhA9ht*&}SIf^W6D3OBEds`KBBM?V4f$es8qXU}- z!G!OQ<>cexi*}0v#rk%JTnqtNtpsg09~#EDeF=8g)F*tEcc{{`?}u4>-)GAV%AjAt zh;HnPR@*Y}rz&mcQQ&poWq9p(tO-fk^qHbsgkD0V9UD`$J!#gt5yo6JsiWpKj3yqb z3D3`W&`1MCxd&&8(S)83i;Y&bvE7zUL7v+Y28O*19;|hh(*#sL8X~qJEtO!a?NYNq z?naFKR4unb$<~o`)`udJ`vzqF)B#ss5qayBT8ZQ5jk+p%-*h|6n{;cyouY_uJYkD| zs~$iNFr+oFQEKz1;~*7Fa?4T{O-R{~BJCXOsMYl`6Pz2)c3v$9IeTqMU=AT)^`xH% z451z$_9N&nw!x%47gcVG^d-Z2?8t@9)Vcj$I~|t$d`Po6FK#3I6y>xbU(s9erZPi& zGgB51@Lh6btb-GDegz1P?;KNzB|5Ic*&ft#CiBM%!yo&jPd460O6DL^jzZz9nb}Wb zXFgw%JBqs$p)7URxha4FH}I7khI_gEE;O_T&qJj)T6W5w*EYo(r|`+k6%4;A2?_e! z=bo#T&7uob`ZQN(5b52gpS=?@t?ef#D`#ddnuRHQEtTVbYC2QB@D+$?TgCz<6c3ER z+gkBKSrACRBZt1hpFwptI-nA|j4*#GDg7;#Yb~E_#^K82O&f(=T@8l)>8FNo$t=it zfl9fRUQ&j0>w|BS!EdZqr&p?I6MAOJI@8Kmrehh?^b|yB*I7ORe59tBgTGj|-+V1k zuRbuE>67sqLyOH%=I$E?wR%#9H6ZpwpC+-teB{5UU@{brD*f35@=}Oh@Q?U*MC(YD!~h(rKvwXuYCm_*{JtorK`-;SMu8G7 zaxK{5ZEg}^2ftr;;rNSX7ynx={M6)4jac!esmdq3pTuk%h+p?M(CS1ZQWo7~%6c2k z?N%6`5ZQ||qu0TyGAI~45M73QwpD5&B!h^%K9_ift=KrSlT0Z;i?U{aPfh;bzkjd# z1|Qlrzel-ic^(2vmPT3iK|ts?)0iK!pC2=!KYzc5d$R|S1<3>RJhIzv3MaB63tYRXVCPfY1T}%NCG3AJTduu6<8~>tGbC^sojki z!u$H^c--5AJW1AjIj`*su|s=d${P~6x+9lZgvQptGdP&g`82jumOm1GIn2N@58(FJ zv=(vZ(z-97lR(e=z{Bn^i`5f$Ry8_cye(eezPQpIzFLAidP5e?N)5HWXu2kvu`Psd7gt^dsF`vG*{# zy*oxhO!zk6)pxm<=)S5L(gmKvc`K70{=C`zgotvhDc{PcmL zx$1?GpSlSB#rXAS>-^14J}Ezr@|}sAXf=*;R!;=0)*A#R@{bDBUo?9fQ5+!mC2(Ud zXV3Qm*g;~N1_c=aIs3L5SpkAy0j6G>{qsz)-c31=bdUbkQX}XopZ@EOtbV=tfBime z1ebP;+P57%G8CA}HGTA6a2*W2bUM)idE3sQ$Z0WBUV&oHYS>6RP_$%HJ&cYiPvS)o zK0X-{fvL?`Aa04^1U38>fa5!$g!L)XV(_!flFWTt7(1#@E&V4~W3j|E-!cP97s;8iln=*$ z;IjQUQz?uE^I;5^yL9)Cw-xO7M0|3{cr$YPW8RS50FyN(wreaU0;=fxt~xlc(k11G z>BUybPsdDab!XprnQ07z)APp*76DhY(j1r_FEQobxsj|_5o{CHu%j)HRgiHJW=-xw zi$0ozO`7ow#b!e*c^4yv_^Q|h!<*5bklTy_)Km)X_f=|i8f;Tx574Owgytq_$uVNR zS4&heoLDcyk!c4jk(XCA337$LkHr7@TadiSV3*tLck^tYdSx|$N?snFAy9K_+ku%j zAhn}dy}OEWa!|AYa@E|u^VKgNAa%tNWP1aPVi&EFwY~zu z7705lLDm?3Y#VXLiJ%I)?Frbhfxs5*%-7=xg+Q0()4^6uTgI6ZvQUWKV<6ww03bwkLf?)KjSQ@D&sz z;@wi`98J_$K*`N-EtE2R8ctmYwuHHETLhBSN)tlp5E;HayFaMXP8hxMAq=q?L6YMZZg#e50D9s+eTfn-Vnc6i3pb zem^GtTzTFXkbn6v(fsq@qMb_&S(>MGRbuJt)E?E>mBbBo+NZmJRJIT6Lx$Cwd?8pd zjP4scxl$^=Rga3F@&yO@82iQ%S@Kg945o_eii&yWEN9gW@JQ6#69v=;!*je%mb}zL(C=@~ zuOua?Qcf1rn4d~(e6K_l&)`>6hX1;{{fgrt&w!i|Z&;18s4b~}lczme?*~4P#KO0N zghH`$yQ&we)!1&V#(i^F^j4S+Xom9xp6EW_>D&i>}_@qY_RV$!iW&5UzEgC&HF z>ZaANPCD9e^j+Vv;~)QWi(2Dgk~0Qe4L5xk<(SX=wk#_k@H)NNIE0UcQiH9(!CUi+ zl5_df#aU4+v`@ru`ney5;%V{3G3q!&Ldu0vJU)y~O-ZC`l zerDH-*L)+alLA;np@G%i7;(@{WU_@uy*2vYm}T>e$ja-Fyr*9If|cJGIw+{SEp;`y za;LAOPE6M0kzfy~;(}H)K&|WXa=F6U7NQWPUjc++1+??VdCU2$8JB2IzUAa=>*?@- zc{Z5XeBAiHI=(+4{{`8l2vw{?h264?&7#)DRD89wVgpGVhKar6q_Z}Sn8A|737fk7 z3*J*CE>1YUqNAod7bI`J3m(${?9VDgf#e;Yx0n)kR?!CrcBxzVtKdcN=B&uEA!ofi zI=&>kP!!=Obfpoczz0nZN$QAR=4=F4Ub7X+Q*ycn;Ta!KBok~ShQ!?Zg27~f=vGe~ z5gU>x(_r4q_)#4;wye-Rud&~`o{?Qn;n0>DKxMxwa$V&Dg{q;ldgF-i$ z)tu;va%vqp*#|51rd@)*+XqViYw}9$xv`AXl+<~zeVrCdiL9!dT70B=`kjI@qMHn( zQtU|PduyW(F@inc@QtE|ReLaxLStxUFdW6IArm%jS9Ch{ZvCw~U>+YVbSQgYFy(RaZh#jk zZBNMDU1eqWU+mx=V^HN%UutDhjDDuLsB*zZhkugbnshv97WoPxa}X~yy_tzOX<+}Q zCL4Ze8YelW37GbSy#MH6v6~I)dQD^Yv|d@MdP!k}BO69okDFy+cXlUE4K~mwS3jlj zoGwh51iHh?YYIhbI5I2zSO;~69Efb&ESLuNuYt2w0`-YjVFiccyS0sG3g7H|frY7u zg}(QyD&ZpjH$n+SuR*f0GRv>QcaA&}TE)*|)9vRz%z97_Gi z@Y%!QZNMB8z;IOlaLhqRZR~!NGRD(uBzt!zYYSmYVheeCG@!jMx3(@A(_Mp+t#VSS^NV&pGX#<@Kj$JFfs7~vn0^} z-))x^6}SV+s)w;!)r_$~=J8aw$thObHy3^;6GG_sEmJq+Y@GtX0&G7St2n1uZO+mh zuANK~Fh#b~^W)Y z0RqsE=JD1d=Q;X3>Li2Ue&d)$YunsAZLTf-gh?j@T1~ZdeRvx}xs?ud8WRQ0x{}3V zLWpNzI`-4X=rcRp51S+@o|Cr7*=5gk1j#P#7~lLMaHYh)HbT0P6-pv*w6F?P?TMmJ-_Fu#kFa?_Z*slH~sSERy|WWxo=;Nr7*!>E8^Om-r@&X>#T z#I6H&T8aiAEW!*}a*hgDiHOffx>PZeit0%H)jkv{roE^gx%aqwAl9aLSlN*o60_sk z=GDPFUK2@H%k8HGqAx#*F|@49CaL)o#Dem0jcMEO$IJ!LD0vVTnvE9a=omlXzRmhU zD^Fsprco7x%UF&#g_v^0=_ttQDwhTe3qia@K3J_^-=L;k9(_q~G5hAyaUpXC1^@}* z`fDX2U(TJg_gIqwR5E-TIdTz`6!8+#>XCn7tBmNY4oAPUTb0b@XF+Uc_AMhH1ep_)L z#3j;-LBHm3>ozo^d95geX9>2tIdg?+tj)W10d^uLIn&mkdzrT@>l~<9EB3(}N?O-` z&M%u06eDlfO!(3}WK>7cKgPXP(jOgsBtRh(5*S}Qed{6LhQF)H{sdG=WW8;z2(%&U z^-PBirZ1`xbmYHrSG4E47F9Ed5MEdoVysAxJnwqHOYm8YG8oJ&SMn`5 z2x;e;e6u}@fk@!xK$C+_)6&qB$vJ_Bsst}`v4JtFt=IcmKOM)&8aP82)dAJF0w4|Z zsjq^qrGsc!k$wd8g=lOfb99%-*6r2=-GIIqec=buLYya?ZK>2hM+oet8Z6ky7i{sE z+;|^z>17qmWZe`0t9l3@<)*4|i-+lgj4kMc&rsgwYjQtF7jS#$f+yNc$11#irFHDp z+FVt&N(hC2{31?^(yO;eu?pJjJjNmah$#E#O(m##ijg>qkq=g@np~@sj+^iA8l`2! zmsA?z`ku~=H!pXviP~2G<}@cNz)d?23fO#CXRe^(d5gu}Z!}K9OQtNbA*QHV0|z9`GtG`cM^&k4VACQu7>yu#aAU%gru)c zlh>u4#0(Fg*y^t-^%J64|r6XFMRsn1Y_O+H%heI`WBP!c-xVDG1Rz_YL8twxOQ z0mf1$R!rh|fl3)}1q|!PtWa34%O1?n3ay6(v;Td#$ctI4I_~H9vM&TMWfjfpH}|o! zf|g>TJj4$auZrab5SE$BcHO>^-b_3zNJ3Z>mhOX_{E```8efzdt-cA5v4^}c*IoV@ z%NMa17h{yA0;~@p+Lu=2TRp?EV?CE+oUU#2@qxiNtM`g~F`nv`CRkt=*?xekK)oi!3?A2WddFEZ-xd#- zt$X`I$ycDWZuj^cYkt4n9n_36p-9@I+t$Ut0w5)%6bXudB#)6>p9(SvE`fXmhozlU zg0?j|BrB8#It+d(bZonAkI+1J11iXu&L-cl-bb9RI|2!uHO+3dD$R#H&3)a z0LR(E^IRM~V%4qbi=Ty6_;1^mca_r!Ap6quOTDo|*eQ;V{Ok>1yh;uC(RmaQvKk=5 z`QM5Kq`qL!_st*BKnGim3175d*k5|W6&N=1$S1)dN*4w&FrxP*#yWH@Ri)vZY!T- z4CkNL7f_og3CTC8%>-M_*M?Ml-VXNjjK!W!izZK9Q@wH6 zMImy}ZXcA0hq00NwqCz& z1BVWe=XfSWwAS$M0B_`Pm&;9h4)3&W#py&KF|X$~JB{Qp=v3L7>|wNlQ#r6vFDu;j zy@*=j$?d__LE8xq*O?7-i|1=;@vGvPZOgV3Vx`7wY?a-)Irp(z0CTGmC3NmL_`=$K z2`P1U;L{;z_7PLxJvZu#^OP60^VVqktJiil?l2Jg^ zNwz#EV7aBOCyh%OBXL>UJx*)_Yd2qo>!~BRjf{**V}?crfttkS_C2AMUKT;r#HuOV zqhd`EpvNMFosJXSFJ}Zzg!^g?vH~cGF=oa!v@eb?Gk+T#uLBW;5~@O=Jm9|oApOZe z`V#;JvM(3|xI~PKYNKJrGoantWR7|MWUGHAqTi#ir6r+^ziaiun=h=BV(iAv)T9Zw zPrP&>avH{R@U4aOxdvX3|HIyQhc&gO{RR=RP?X+LigXa93j{@)h!iQ(RgfwmAP{Om zq<0XIA|Sm5r1v7dNN-9{=pc|#1B7@tXO3siIdjg;eD|AsXYO;qKX|gU**jTlXYaM% z^}fGyTq-2;sqAAYnGDlCh?n*420j`deBQwG+Ir2!LJ{bSjubwr>3Dd1 zqEs~8<8~?<(7ORF<3T6J_z~LUG*CEBt&@c zTZ#yBwB+4lLr~;Cp5L=00B-3ubP&PZ+t=^%#2ow{WoqKtLtg(LsrBJOANZ zLSQNd4TpS6 zHv;|eEX@x_0f~gW-YlvF7H*uiqk9{8`mHqG4EmFe?&HD(B=2R_4V7ix-OH-^dqL;=!KNe676ZHFbcT1}Jymm=5BmLW`or3O+E!sdkiMv_yI-v7qF0mWmc? z3Py|NFh#RgmD4CA6Xbo1Wt4Od>x)a#ZH`88dncPKryG|*pNFX5&GN~bz%1IWxujR( zokV&Nv#xYqGE(cCAVI}At;q%E1d2knLreLW4%y9p>`8wpkw{(GlzkA77wm^d`|x?yN1&VZ9xM?!$ad8Ak+5q zmhcy73&Br^K+p1Tzii?F);sQ}Tpr+;*(eD#X+mx;iP4&x}Z99kao$70v(%$&OiB9nd((%b+iDlD5OlK z;7hLxRiLfGQLs8@{3m3Je;}#;!RxaDQ%-)f{ zv~qdUstLovL=5Db_E%N_X^diBU`3OJB_|1ht{m^~0`kjeivohyrrlFlU?|_;7`I3x z0b&V1T)+ScTMs<_$9vEgALKT$W#k1tb=yzm!0pOHUxY6PO&iaI<*TxP2NfHH2hD@= ztrE*8H4`gZ3|XF>o3UQC{*a{9G!5=)yonOV92X1%4Byl^0paJy|1 zV12*8Hit~}xDAZj6RD}dw^TGzp%JR&YZn>X2xH`LK0Yj#{YOnAVfL1c$C6V85MY{S zp>xKkZkFiF@Z=}!RF9=Xp!*wx`_%kYykyU%@SX*kTaJpq@a;;wP|uC*RYZm;@g?wN zO*=duJL%)vlInk4JHG#R*7T`Ir2+B&)1|P76HfpaZo>D(yn$_b1hd5t;)$+*k)JI6 zAd$=DC*e&){gj&MFu#m$PSm@OYl$3iiRoFOTQ4^|?4xV>wyndFc43K+Od#BfgEb+X z)j%teDykovh2;~49$i!m?HleoEp_5tE313t&O z^7wADO|G_+OCO79L~+_VwWKt?G|O?c>=rC9**tL!{@739!uXaNxQ-Vvd5Y(s?4@1E zs8Q0l=(kdE3Vj}qCv-RXD=vQA*}O5s0aDUXt#y28t_37vM@Q}TGZnZKm0%gkPj}I3 z=Rd?Yt`V#$n#zgs5R8souTsP(1BVG(i{;o1B%jcNlCQ|$>B?|hq4N_F8|P@@zoRCc zy(YRPgku#Np=UeHGD#w=%e$;AOVtIWB3@}a1YNpH)2exsZMbUN;HnH|Zmzj*0`yfg ztxc@~pT`Oja1gncyYEewp0(Ljl7zCu_ZH{$xH8LnBK+>k>B_SSDhPqrxl*Sh-aYEJ zZLsQX{Bmf+J_(=?HG`48HwHN4r^kX!cSf9V0TFnb|Kfv_yHTof&jX(WIqSEY_C2Mc zFcL|NFV46dGNkH?MMZUQUrSl~BiL-Rxh^)*@wu9VTW| z2V0}_SP_>!%K=O}qYppG*YrK91uaRR2P!_Wqluj9`;`aVx01QeskjC-ryfx>No?1v zVU7KZro@gE`#@%B)s8qL?wUsbDgSaCSPH;RjQGY^ul7pp(=A+IBUNNAs+@#$u6$s} zz_xim--xC<5gh)Ib;&F;_JAB`Q`Aeeyd3pbn*NE$ksB?aq@#)5f?~Z;=i$yPse;!N zGE9sw9*SQ!mS8?<@xCRf0@rYswqY!sJYxP!Nxx6|68v;3FsZl5tV|rzJk43D% zZ0Wp?B}*rjphWs{Ng)%_h6K^RU!jC&Utvt(TZ&MkW<7GS&qgj)N@Fm5_)AXsfiG3>)F1xn38#{MxZO_dfg0V>nG}9? zadm92msu9~;kWZvbwLMd=VVK%>_-VFQX#iGY2yPWZSpM+)zhaYSDrGch^U5W>(Fjk z97w#HklYkZ>j6wZN!nRjn65bWc9zDi(KyUL20VRN9mj*0UZpZwCRX`pjW_Q^-&6{# z9Vd=K`FB1VdsY^sk~k}#^uiH5V+Goa6twP_R9R?HRX{B#r0aM1PcC^oxCJ*LQiCPz z{OwH2f@ijKpzwfbZXXmcaumw~aZ!uD^@8Qbh@E=YRz;v89{m>3(d%y{Ob#^O`ggrS$sofdw|d z{yZCVz62p|`$M*;pJ1xw9uGz^qAqy(`cjL-p?)DTG7J^0O{h)qNx+c~J3KW|gpob< z8?t%mf%J~3x}j++LhX%4$Y|nO2ca87p3^b86EfyL<8?9Hl{@Zz)AGwu( zcfRIFJAS;r2x$~i-9E?NRk7_mPIeh~2gSOWKr-Cmm6jsa)8n-fmhCMD^&hs}S<|?z zcwW`kS(LiZrN;rMn6HWi9>M4tE&Me{b@!HYpPQ*5H(_2+%AK@}xj+JyD`O2=-lCQ! z3@pDv0&2b1okNlx3jI{bxCjpy0)Fu2k?EiaYNR_~V#%(Cwe^18Y{ z<@(iMKfKVftp|z=4z~!+D;F@fSD$J|M$`0?xBdG7ZC z*v7+Rs=|FNn*6Sk)FK2khaR6)aztM1G0iG%9MdmA?sL=t`RdPl>08f--k(kBg=zXgKgUAsj`^h z&**9>BJz>X;mI&WwS~4ZAh(luJcs9CweH>v2yB}g;_9KA>G`JSPMtUqw$)a~95ngI zi4Jn;+Dt395w|4GciK@xN>#M_PawRQdL}jQ>aiD_7*6D|J55)la3Eu5AUBg)MEg?CwoVZ`#|^@w z_T?em>ZQVP^$afD^w>GA%*d*AfZV3$YQ(t)W{62mxwS67iPNM)1;|zPlNir{|5i4a z|6ZLfZ|DRV?x&4X2x;Z2+M3Gkb8-eE&YTesMJJ-$n$dJ-FUq+f!Wmf@Nfq#;vEuV> zNqdtDSs>SYX7`ZqhuaiGW9pdnriU@yA_eJdWYfm10v|rh(32Trqmawv1M+nvIi4HR zUM7>JLQQWDDc!Q_OV@WQUrBMs$0PTB`&qtm5ljGLm?QTF z!yC*mj%JpQW<*@l@wPZea-P)^#jde~1iLwgzqg*`1COd=;b(QSOPiBSR5K9*IRK7R zD5t?4z^<$Vy?l8Fdqt`S%=buBh{euKX zl>bsYFFDR(Pbi1SYI3y)H|y!Ka*VfqgEzUTRKH|0RG6g>}KHh2=LMBW}%K5u;k zdDD_TDAPFVqs2KZuFJ0y@Y!CDe%<=aUw-eilpIJmJtNpyK-7duPhH4#UaSw0SNsQk z|Fi$s@CP;Rs8$#sFB#f6&WZvmEST%LkDG7tl)x=;1JI;7*sBi~LQ|~AM5?kp7Sb%5 zNb7G|9vJdg%B{*-pB4kIuZK*rAos@cy$owNoj0C8?_sh&^Lv%*1l%FED;hW^XJg^N z>{6J-@&T((d%$a}Zqx3*NCV`TJ?aNdfPL(=mnP2EiNR1s19yw`1j+^L9?|p8u8|Kn zLed;i0vjkodrh@zTUxtD(N@BPE3C8IpFiP&Ke$I_j=EjP zT8NJUB5Vfehv1f79xsq%T|Y4tl(L#32X(VOj(4QL^g>7Ap(20=c4w|`1t~O$h?xXN z2U1DD#bKk+b2p2v;_>tJQ@&K1Jucqq28s^OJ+vXuGL$yfD=nhIC4LK9=ln3b_w;Ba z_kZ(e>>J-#6nf9)o;S^$PfxZH465G_$G=#l+J@yZZgAV_5Rl(Z{WQx|c_mCwNp1#!FNj4ZZyu!KAqV_YXrL9s&)Az{md{7j zZ5rlZ!;J)UT@~ow_?Z{^X9Ly0djEgm{Pc4dFDyRTk(i)Cz|LtuEwJ>pSv0=2P+c^e z9xb^;0GFYk@b^%)gXzCv@2QPgf=uNJk7W2W?zfur(M%qc(=BwL=rgsxw|L7S?xkK^eR9DpjyksXiYLgsU~E8_4mEy(FtYm=Y2(10>o zjE}M|Bm4W!dQndybK(+GB9O&t(KNIdD9&tuP?+2V3{dN#fE8?_2Y&{-wc}9K&b-j` zJ+sMJ!$ua6w|ulPcT7EjJx(LBKQU~=9G+FiJd5VA?ww~PFXT2_OIqqX=tCHEJ0A?! zL?2@Pg#q+uF7C9~gdH%KEdX!)n5?S+;LuMsr25-f3e^bcs)_N*dc?2J1syU~Oab%T zPp!IBU&&w&d=UkF4w>)a{v9Ms3#8gLnfw?fSyHbSpYF>rjvtN}%1{YJbkr9hW|o#= zmmpA;mk)B-J|Ri~7SAKdHrAi*tQ|lPlonn)IIZ?VA%Io_dkY|O-d4yu!5^i$`^M_f zj>y8wBhi)>>|Yc!A6^X2vz$=!6o^7N)UXTT zY`p#55B>Mbq3Ywpk6#&z7n=oJYATT{({o*}>t^ooHudSfNuLP71KuQVVEsHDv1s2j z^4#x4cG8HUSW@faV~YKO69mbbyA$h#@gDa^>R}rb#`z}-a^>UoSAISKBGs68h{s}+Y^z$nYdDKcIcjyG>#^%e(qR8dhBk}9dh{?KO6Zwl> z^MeF*@Cb^qJ7NB5jq)Fu@aRHMCZ0q)+x6GHhqlBW7kFlq9k`DzD%MjLTJw_`uZnV- z6yIy1ylwK1xJeJRcb_Y(VOW{AUV|sF^;%w^9wD`<+PNVh@$$Py{L}9>u8^n$nHk|I zL+6i(58-MOg7e3s^WAIiU%iSz%EYPXK&zBdv;&#QF>c`tbg7`C4bwgm7st4dre5#TYp=U~WKkslm-FWdap$e}hMFnIEZLxuG zZ~A10?2Be@UX9S36=wi2(Z~pYTENx~vS8R)51Cx2A&J(l>37%3glJFbl#f+hbkZ+( zcQ#q_n0uv0U>vg{uL=|W9ALXGE!9}(&nemE07{fh@qM}M&GeW5dEA@7|K`{>J7IGa zUi6e;usZFcpr=Lmes*~j^Omc+&Pn@6PEy4znqbXHw+u6HL5!vHMJEQBTk z41sC^4^iPYBQBsQZFY#Q5q2$ZwnOg&KEQxDy2alKF@GO#;r?E#R0sUq!BJIb?At3| zK2Oz0)szP>LC@dj*`!4hfXGIJL3MJ^)}(m`_h(2w%~eK8J*B6s<2*w@h=lb;%1E9g zxo_@|d7cKTHh6zoP5+ZkRX;PkN?ln*J-*l4nhag}+2F3NRTcEgy$_&KE4<#<`wmi7 zJ5(osx^xcbdv?4FH45072#7mYHiZWel(_c7QHOnpZ?9yeonKb9~jSGd#4h#0b!cqsRF${r$zG#zAk7V;KRU8kpc&ls`yI>@~<2r-7v%Nf|Q~KT4 zIqBa6}^rmu@XZkFaVDC1#w?lV$ zjR5??4XoC3Do)eFggSsD>hP9g!IGt3ifBL(i4!>N=KJik`>2L=G?FI-wyPw|O=I0* zz#0;0Aa)GJjKtCeMHK1u&ri()f zHUb+463ph(`&HKzFl?m7#{)zgL2D<0bKt|?)NyZ;Uu%&)21G%ji!mDj`lAPYO8piR z(77>GB4n5AT|ZQ_<+}LA0xx*ry1Q`k+O?^TJj0blYeh37xi(H-2WGHRQnX9XZ`_ftOa$acG zp?-nsJxXcVbK+u(sUXuXD4udc0)?!3ek!*BpD z((i5Ho8}#=F7PC?yK!q)q~>y9u3IZ<7&l@uiZX<1KvldnYblD!uflJrLfQSP1$>^g zos}hR(mkRxZ7p<=fCf%SR}c{h0L)))I;sJ-p6xcv^;%b77y8_L*N-!Kr^9XBLwlAN zY3|E5B&>SLvXK>;NZ?#k`WD|}=W(M>in#bxC(PxTsRjPD01~{dHI}NW;yilCf$>V{ z6($-f*t`5ZW-DdHIM0XL={q(0#RwaY@Q zeyWrvtCrwPEdZ#T_Y-g3)@^x%ua;xaN~++M?5>9lXyaZLhPkLVj7_!CI>jX)`!#$A zeU`b+;-z03(Naz91K&^~dlc8IhCJeb4nYNpQi|JbOjEAxBFZsfxSwwCCIC3wQ6r%(0HKts{vXulYCwxT=n^v47 z;SkrLLF!8~H9PfL%OPxDVw_b;RGg_EN<2x}RO7sJV>+5T*JNO1P4hZh1;K42RWEM0 zplgC`N@RVESG_xEJM&RYk}z}y?Dqm40AK!Kk7&5v=0!I?q0&@YL1}joD2YT7hVHo9 zy6-nHd*6h47#B-|DQGIF*yYV>psz-{UrIH z=2$D)Xl6-${1DWv&Q5a#qtT_>RerskPP#=o+_UXq(-+na-!e zCvAs>yiW}3n;gBlN9u2-%fg!o*Cr)#oF`>Uq8n&x%e;7$FxKpCUWA^2AS~TP+|g4* zhDEbC?bW??48-yhZnU7?DNlZVRD8S2WrK)MyJ&~r2W(q>>}nBU4g8z8*5g8}+phoG0Hz*XTcwU3zKCB{|k3eOUH_Svw=-O}EgsCj|74-79mI9OnXB=P0a=*h*1+;m3(ahF`)eY4a*?25F7G zzQrdHsgScW=Y-*>IDGw$7Xx*o{2-Egy*6cD(IhBA`O0IWH18a077A%!ILz_kP{reY zCNhJ$^;&O-D#GgEvB2vdnFAoQl&{Te!EGq^)){D93hqbb(m-%fqBvoEyq&F5&0_3% zd}>^laIe)gLe+~n3(yeN1qQy(Z*G)HR^u-RmR_7#zi*EEb_@MfVdRVT0OtC96D7pq zxSe0}Nqntbp_#ywxQka@B>l61 z%zt1dLNYTsNG&7JvDvPOOP3;iHo50?N3_PVdeIU*1R zkaMM~H!QTE^@CN$3&_7ECV;u)L3BEbk7$LO@(1z6SkW2wHuS5*6!wv>ISYvR!c>^M zS!n0UrMAPJ_#>^kTTHGkrxv)MN>IwCh|KHk$_Uh{1peG?Dc^HY)WhH~CA~KD{T0XNNM~mE%vCu3Z@a z<-@1`^3@CdkA^kDVH}PrAJCBMhKqt8r8uEj;MIR8-Zy=_c?wIYVO+4P5|&cxw%F!eR=&Dv-1qs51b!{lq;HzSYQT2`bm_7K+(p;-@LBvGp)PJdiuEw>F(&Ga}}|tsdP! z1uLo?9&*#V(@)?b<`|`xeO-woOedVbWeQcV>C>9Gc3rc-k>SdA;L3Tu3ub)9QpB0@ z$|z~i*mXu-F?AV6CnR~9XT!UvL97uS4avKa)+@$-Sjiy|HmPH)j>liWY+m==7;1t$ zqeZdqKswq(jUX-as=QM8&8*sar)JbF^hiT_^^k*grmeOPKD-@q>c{RDRrD5H3Y4h6f3o z3s@M#&jR7QhTMQB2OFaeX90k9$}V({oGA=TEM*ReOs0{@L{n$UM9UXuq_s=pXvt9oOC7H&>N; zeo<5%q=|*~?zvIAX4Q zJ@TzKT{P9+s>`>65=nB-ZxiUR4^0{v+UdhoyLaDQpmThoA-;qZTWu(7Ca6$1x-$>> zvQVL{-IkMF3#tNNok)onZ*DhsAGp}~^3zb`HW5tid=Ah@ozAsdZ!?jQ$M`9@!sEmYAmkcpHa-+$7WwdmtrJU{Vo!u0%lg@03aZC!= z=w_qPI_-lh+exX)U|a0xt6pd>B?6lMTL5^SIrwNunjIayEtlFBg)S8-g?9$f9hllhg(2*af}HtUO4_d`bg9 zhV8&D=j*$;>Wa!QJ9i1L_GA(jIuOfj&cU4LE`BR6#4=i{xaL)?tJ;x&Ba?=&lW4y-sF( z+PcG6A!jwcO^YHW0-l|74)&4ww@Dt#NVTM&2;nap99=zvJ0I2Ie{(Z0;_iNBsNa!# zb!#7{dJjcvQTsf$SO4ps1EHAy=QN-FYCubF=6Q&+B5B?Y7ck+glLDvLBv%aAp!3LOnlCegnmqB~wn1mguQb@;NbxUrZ zTTAE^dy6s(QPc#2aYc-E{;GKo3h!-<(#R{>;B}!UiZ!=nX1Q8LY9JpkPE2IeXHM87 z+e+tqy42@T8_~MSxMT7%kJW|Y&LbZg27_BiX@XZa*16lHg(^MNvq|LjHX{5z44-m{ z(58nx$DVU7=0k_L=Jg`#E>uwW?>o^o0N`#{}W``Hq!S;w8C z?;!c_ph${{QwO~rfIn%x!zb?^kVbq7dN&P5{R>(>zQ->(w94%uX`3X12*W0FyR4Qc2CYVrgw|N;^y03gqSPT; z;9nh4dO!j`B+KT5~Gr;OKtZvW`XDFECi&siushRFx!E^?xEkIAM-*{6w48 zw^S7()Xp!FUnZXs={ATz*D7_n{g|?hd1Iu!vY2s+btMsjQ7?w1s-ykvGcBp`6vfmN zHydd%YS_8J)#F-M9c0l=XM?Lt&_3NMJ0kN?&y-iVSzOC#4`&J@iomZ+M^{7a+B$h& zQshbBz{rg*O+0GVqiKu2a+$=f3wij)Lk zp`oH;3{&Rixbt^%!)i7St3HK^J57PFuE8rq{J^5)-h!{bdf1`x54JUji)L7S%0ANW zLn*A>vV)M7oJ$V1ue0e-CSulfj)BQ%j#OIF}c)-Eyt(EXHW+<+AQ&zL!6zfb?Ikv8ZP#G)T6J$67IdP|=HkXM5A%@4lrp zx12^`>~VLb@JQd)mf-XjO+N2JL70lOWgMBp^;J{7^+J!^Icw{bmz}ObJW9x|1{DjCb$?$UA-PmBZbd1M}u8G)rg z9_}F3K?m>Z*|%K18xgDUbT|tjv2rlv-%f&T!DcVYt9M+;vq&SBF!qK8P? zoB#lZ%UZsJcIQ(MyNZT`K?ndLpbas`dXQm{$e}HT$R-S${d9-BJl$KY39Xev1*m`n zU~@q15m_L~4_LYbN*x}-n*byL5YRC910W=yz}ry@7_I@JnmO%ghp92>t9Qf(N zp+`v7lSLps{pVjv(UgvMR~@`A@VJdd_KP;`zf{x3`K{EvODINimKz!V;X_terFFR$ z8Tl*~Azik-o7;%T^WSLHljC%+&*GI$NHctbD<6p-QI^Otv=m)ZqQ%n%9fzm93I3D{ zkIQj{&*0NY-ovj;Q&b60ul$N9)*=z@I7qmXwl?0t6%1OGlmc>QG{5A`(t(_rg-J!2 zfbW|DjoT=I4xIu?f@2%t#sPYpp2N+!E%^G^5e(?$e zxe75}s6iRGHk~tGt4&-x&W^DmJQ$X|dyh5$Wh?falsl@=X0?fge^b(qKWP8Glatcc zt6g(Rvr+lXXz5h~92t-ajb!q!AreQE%Ns-ua?VO4;VDC#AZ!?iRY>GenUzM2mY;J& z?65Hxc&pR9NFMA!ECV+)~pwhgC@XK(EVMoy!?^W(cAUE4kWj`lNMd*U59^Elm| z(jjsnS0A(`f=JbPP+^<6i-l|sQ z`@*?;27K#LA-f~c7og0=mNRQPE)o2qu_F8x11^x7?@eJr?!{s0MkH0v2_CsSfR-DK zJUu;BkRCH!m5U)J_WkxoF*hQzmCbk-OM_qmiovLR67mUl7B<&QgLoqzHv@2#J|<#m zW<9iK5?z?s=iy%OrCXti2mGWSY88WpLt8eN6}U`^8XF4o8A*}zFBcRl35oA~osHK- z_D2-Te4P0z-_zv6k_GZOnSW=7GH=t}x2BVS{e?c6@KPBa1$tbk*Q9(tx?X3H)+i`@ z_2ZEV)K@7wsBf+G)49K9r`q~64`Q4e=XbU zqNhE!%D1A`PA!mm+Efwl1fHd72YE~^G%*dJc)tm~2lU?vMd_V{>rgCm(oATbtS^%0 z{d6u*bjmDKhz5lcJf>`G9wL``r4(%91GW)wt3we1I&pA{0ad9hru?%3&ou1x$mIs zuv@1~#YTWGM@Ssgew!LTaWS&9Rj)M8{k)Q@!nq2-q3KJ#)Ds)#m)%q0u{Clag~ecX z(qPXs3fFCoc>t{WH%Y!93CaJ)>)+y8#1~vmd|OLYgo5bR*WDcJ>Yi%JEwVApb~hNB6{qI%h#tPcIEXE*?@;Q#h1YLcFC03z6RpX6k{#tyCS#el`k9S#9zipBxZ zCehP93*1n29fE;hXS{s7#ITcZ++b6@*x||*Sc3$mF|8xA`y*|qH>MeE8!qna1@_5pJl`{NKqr(57#Q*tg!R(ygT4jWjtAy+& z6TX$2d7O16U;!e8^Q?qVIANR5v}7o6JS!5FhMU`i`8FjAf~wor)?u8@%`B&If~?gjaJl!-X&9OMw_T&c!8U+{uxQ zCt{7)84gu(ktPh6!WYwGh?T(|VND$Vokl4q&1+7RK?h6A3xpR~t_>0p0rG>5R28L- zA5%57s&{(6Z71#&`$-E7zT!1jPf~AqtZ~szE-A|Yt!U7N^MD}A zIuW@VKCVT)gfdON6py_^a^rgeusQVbLN|cIslBw{v$zafn_OzZY+CX-=&oO=OX;5n z%|l)7TZ>QbEAD?nRB)waWa(NB^5{ece3@E!dB0xebn)qH*wzIh90vf?HB?|BX~a`o zlnh>4X6^edds?o3@(DXkH1{n<<;B<8DJ#l6Cv$sxq@rM{{3jm_Af)~4x$8e|`~R&d zfU{_g-i9?aH~6BNi8p9VYw%hIQKL^;B#xc> zc-;8ncpqgL1pH~>BJ>5MCIx;$U$!o4T4y9)B0Ry#hLyyH@hf@W za)}2xbCr>)I!<3d@J%#8I4T5jc}w5~>&ZQLBFwzvc2)V0Jt|F%ELb*Gp;-nD(x?5V z&kctjLe~mC@B#h2D|4GB!C%w81#Fxa7)G6G`>H=SL~aJg&ES0ka=i{uOuvIln?;Q- zELY~!73jNf=<*iLheKHDjKs+WKOW+jcy;El8jB~FZ{WTj4{5wKd#h|(jJpilyH9aiiH*Bt-oZ9}sXbnkFkvA(u z-%$F~8P)BlE5kJ9B&EI3KOuRmP^wns*$Djc0~P}R$ON3Ix_R%6!AROFFr4j-A*T;u zlYe5!{i`l$Qiiqq2B%Bq`0}{E5+>+FjTSMigq7)4R9GqJ#%y`PKk#4ORSn!xjOOcL zS+(}2B3n2$@p78;P|!HM5OSF0V-Sd3&emjN`zY_GhDTDa3LtRkcGCypZ?M+-@I6V;buY>^l044D6AbKOqaOT<@k82$#8*bm9cu@h7)$hqF=~>Bw3;@*@ zpf(Ukbfg*g(aMbhL)ebcmXa{@mKqQ4HoVtr@?xM@j3STDPG+_owEnxv@TNIRMn(Rh zXF`6AU$0*-*phcx%ICB74Qcc9n4+8OfOd==5Q$#s_YJhZ-MR3w~_cbJWoL|c}>%hTuSmV}Ps|2#r9 zKT|#box@9iQ;1|hz@{5xf=J!{8nti@#ru{!Jf%(|{^K8+Ik7CM(PR0$&aRFeX<;N``r^ z>vxbzP4N63PX9-AwwLD5X+}-sQF!M=&7z2C>DJtCg>rSUfUQ9b%IU)O3<%HMF(N*TdtzJ z*Pvin<-a3{+gUO7R4PbK2K=ZUc%>=w7H2yA1o zqocP#USru7GPBxv15;TpqHA_N%{O?#lqk#ZCZtU8<(kBriM(D4&RuMKJSDZ z?b^?4)uD=tiv}RHa~i`B6AxM>Db9yhe%l2A?+cq=1gG)vneQNf9bH*RSGRaxmje^; zT+qcTmy=HMZ5b*LSp@ism6zCX{Z)8_ycAE;RVP=E!Hb4E^j!W6BiQ4OP65kV(FqU! zB0xlBmbE@aGe&ttU!%PK%8?2emv2cdWZmtAvEBsQh6UA*?!O1O(NcbV)!^JQ_if|W zUDj}mBlz1>RmuIe;RN_V0Pl1A!gV9&F(#d{ia?@@(Vi3y9@Z!69Ba+=C&W@Rl2dx| z9f<()1}F`YuS>J|TkDSz9$S=Y-3z@>Ze!o|L`HHYLT_r!L!iL;E1IfJnxT4RWn5_U z2A-kFemogxD1ENfku7BPf~3|QT2tZ(IWypw)L{n@_6~1M&V36upx?ro66c~zCT^VJ zHr7Kwb#$Q$C@v4P-`jM*SEj7E7025xnD5uh2O(JAhX-C8#Aot%TDA4!)N4l!5I{}P z`HvZFwx1@{*Noy1^bnKK)v(nPzoY2yMTzQ-%U2alp=+hC!^~cd?D^!-yy@{}ao-f< z9Vs@xW8?!!6_3TYA7D9A#)09m+{uoiDLL|U9O>sx#2ApOPbV5Q0T>BTo@ZXrs6bYQ zfJ^sm?wchlJK8iVJKHusGBpXmZ33v$(o_L7E#bKA4!H@Urwm_faHKHNl*u3qg>i3UbTF zh=_Fi;rJG>((P4Bg;^0*kip%PuZ~%+bL|g)R4Nt;^$tC=4BRh&DWDA&PRS0Cq z@lp@6j@qoN<; zY|I63=r>0*F+iYgCTfO>Dn4a5T@89;pU)(t4r>9;Vqz=zF!zUO7~Gh|V1wI> zx}!YwR(H_Hc@q};m&C;4>(+^A>kLS=G5X=d1ccJFTK_G?wI;KOQ|5*DrKFBkQ6o{^ z#Tug?w1;z~FJky-HD3q$#~5U;z=SDj-z_ zr346_P=g@72|R$(LI;r|NRg^Yuc3!t5?ZJUH9+8*^M2pVvqs-ZjaVnba2KXoW}RYkSj%QU7F#-Gy2|9el8jh90`zOsf1DEJlIv9o--*; zxa=yk0sGOwwOoS?frzh~@((J!C>X2#G%%x;7Yd9aQ|_L3WQq9-mI{=V50HyN~53D<~4E9_5A~9 z66P~mkpLs{G?n30v$RubBRa(`HT#`B;q1;*DN)s5fJj#{XSDOpfGW^=sf@MCV>08r?1Asn zH^UZqP*O`tNX1d4U~{N-E^Nc1KD3CkJA0#D1iEtagWOPuKpewq0WxCqbEybMwE8e&$xCzQ=Eft;t zEU!ruO&!w7>}~My_ZT-E>pSkZ`}_FuTJ29tb#i)d&Ql9_&zT->=Pnq}7tp-f+{Fzyu$fGlkY)PrS2RCn zwapAO6K=9~2)Hr2tfC4|gF&02XT60Bt@R1x)_QK9ft{6IjTc@%A1mZ1-y2w`K(WaPp7P`P2Nnn>XMWn(J%Avr`RjJQkQeA2+wAc9`zL8L zE^dWzo~0wr39Bx9R;mgHo9Rbp%L$}$aivQhp@6CT`hm`(Ao)*F)q;+>9#E&0_Z0tx zM5oq+)c^To z7+&^GkwTu^hyHY;gz+uStxO|on?1YtJD-n~qt~{FG#u`E58_ z_+#Rg+QiZ_7>AJ0R7BW-7|$J6U&&R&#d@q31NjlEF^y-Kzd!wRIg7M=+MOQ$gmES9 zN%KWBpj7)19WWbOMe_8PNa{vf`KZCOYmUSl&(+?sn>t*oE{<-VJ~bpl)=s-dXstSq zDSYo8?oSAP`Bih`j~#wWO!~5l6=hNdDY%$qjA&CO(tKW#3ktNYl1jWI=I`p0;a)(H zb-}Or+%~R?FegTCHp17B&6=%!?D9jdCUmWZ_%m731R6hI+VB^jnUKVL@-&@?!MG5s z<8NzH^t^kNSFZrKiy z1qDhI(E_^NJk360zl%IaN^H7hU1ivS%4=gA6y@@DnMmzC%QK_cD$|%v$O{pEO^UB- zKB4ou)Dml0o71gZ8a2nrHFHfy;ri0zQN7a{7j8Zh%o&+)EjJxlEEQjjuk5lFWC&Ip zqIr=BS;7PihAGGswjT$#e8Qrb5PmC%DGucfs+_>?t4pmwSAClJW(WunmNEa|qTMSR0cHCBF#>^9xAn-f*`7(-%lZ3zreN^QJx=8kbLG6+8kuL|$B zii2GYE1FrbZf5&PWgn=A0X9(o>_h@FL}lpQ=D0$O4zdy=fYa9YzJ2 zJ)`AExNOu(l_qSTI4(v}%x+i76jz#2DWDj6iO~~(2)I$9*BbN%=2IuWYz{K2&$h*3 z-$KNXoZd!#A3IL$oKK0Xb@MrV>8Fr4=bMa00x5G>8v1t+_~Wmn+O0E>(OH@acfX19 zcz$lZRkmmX6(ZO0Z4P?caM?YV7H;(Q!er+g*36dXLVYkBR9gAFEMH(z%0#k$6iiZ5=IB451I5=B*sC^}ge6n7AL?ox600-F|d{uZ`E@e2O2~ z_xR{gB!JM8IV4%6)vQl2owgYX>NQvwetSXS-iy!jrQhdIDvUHp&e(d$beD=5M-TTK z%WH^%arzqz?=E_OxvVG)`KI|Ev}$ilRtBJo+dAb#*ytv_{g1_t#HEBg95BkNN_}9f zHfu(o@5)2y8$j6m>?};Qy1x!@WIGMypO%`ZnMBn&$gmb;Hy;e=5(9%i(v=hN4tF{r zDVO*xc|T8lX}u+nq;>SnYobN2d)7AuU@@ir6(86(gpveF0`}a@9oWJ;?UrOBn;m`kT`?X8tp9S#0yn=(4e=QfG zM|OLpo05!^(u$mf3$Zu2bqhxYW*ySgvh{DESWkFr3+OL2pXa3QdkDrpeEt*~h1yc9 z&^p9}Pa+Ms{{%53KIsgRF(e;Deq;T*Mfe-1Lc%TrBKk8+%H@q2u5g&!4yN>8z(9 zghMl!2!@rv7YPorFF(5Lnrj+<_w3gLU))uy2LcXYLC6rr8l%1+=`oh-lh;RlxI3<& z_Ne=lSMJKV4Uk^8VD8GvNw}qdsITV!5z%BwYAZ%qJ|v#Q*SOYaKem_Z5K{dkdV_NE zi@O3%AGkQ-aE%`|sBpT8q_BlLZX_GeR> z%iL{XE|2^QMI$Wz+qx@xr17I>2OBZ<1vU4aiX=WhwTLs0y(&tFKwz$78Y^#Q$o_lWZ z@(bA`N3wHOuGN3RHd|`W(A3zXfZ$kl*>xSjGHID+Pw0rpCt1bT>W;Ws5sP@;BlTgI zVZV!>g_;3uXi5P$T*b4Ilgl=SiBXbMa!}^Hpu(Mmt;@>K?b#P~Qof|-oqy-)#vhgI zr`S*(iNvx5dW+^qLJfyw2bNo}TzGE*|09;7^CMTJ9_bY}8O?$ap}ngUqUysLd3r%R z-_7`ipW-cQs4<2T$F>^|j~*$rGJL|Gy16HIYTDzTjlT2zJh27jsUJ-CnS(Q#)aQm5 z-gR{duWPA@sXX)pe9MYs>qOP7>$Rc`HTJ`I5IY=WcHBU~rgjNa*Eyd+bJAd8!JA|aXgb~ zACJ`#Y@MO!!?^B@T-cQq;;l3=m7d|A+af$6Mv(zyZXMI70KB8#ly;Tanurx@a!PUm z>kLMOeX8N^h^JI26U9glk|j_^bp+v{4D9);>V|qMoJd&mg$Ar22xm`^Q(~$6rONzk zg%)U)o%*W|8krZ$WBwqc{_MwVl+i@Xz)i{OSfgi8&!t3+XcN$(KLStsjVYq*P1c8W zA0_Kljv)7drEhx(NFxVu{U5in$U|ztO;wf54-o{)%VB_2^63cjRS(ce)LK&AGoJao zOSQXZd)&6Lg0&5*2E7g%Zf0Z7Nc7`_{^LYx@-C27_;`q)!D#He!EF(W78ho~I{y;> znX0OrtED$C2X-%q|D2aL)YT<1C2j z8~*n5yG2(8t(NXU1B4WYdqh}WEknM($31n`pi^YDck?~xPAgcU51fzi`pdMA0GQTo z0H$?Pib~JV@;qFIHIdH*=;9rWzf4hR!oIbEh_ucOqKn2p8Nf#w{g)S?CW*DtaV{t^*ncm zY!k2>ha=sZ#C8?$Iw*)vu~*CZ$sR;}Xr5$-jeLk{sZ46#Q>z)-;DFyiyumMKfo`{P zdTu#>2bc7layS=x-yQVj#7`^2FWi+AaOi-%-wU~beaYhJ*kS%oQyc>**FTb~Oo{H1 zg>~X{KKHB{kd{|7+z}(ILVhcS1sPwLyYNHXz~fcHw7_l|uAr7@!!1TAE=6*!@5SXR zuBT;j@=3iKrJl@+i0ni{D!RG=)fWR<@C&h@_z1}#$o#T{I{s0vLM^V?3q%Dj0(l)X z;d~*)-U@TCxq~?E+WwvMt7obc4tqN+;gUgaTx1XxeTm|V5j@0w-15h|vxynQC?X8@ zj9Fd{S0&b-JbL4x|DBkM^JaSokP7fkdur;gxuxP%*MWmFhdTdkYC#s@gV?7Zygb7o znat(hltX?7$Q4c-rgYFAe;D*el_j>GlhJv1wr%dfb3Yt8{|JLz<8k~GlsWEqb+E!m zv{~+=jo#xcBgt}=Tv?ap{GT@Hv8~YCgg1Hag=2*UOqN+Lpv^hnD@RF1KJ`28N6np8 z0g$Q3FzlJCCOgQ?143&2VnXRd{_5BRo%e8`Hfvc{S)M=(((RV220GGN$-ShHdlQi_ zieAJj$A^?%pH%fe1KjXFT=x-eK-=OYAg@sy;AsIj*SKXC#fgFTF3UClr0MUCCRuZ{m(*(5WB}dsm zH7yl2w019nolN&pyk;WeN!X&7Y0cNt+>trzp+V0!ZpfCtCG}9SY$}?&NH$aPdIko$@O>wwTc$6)SxwsE31)9;{W2FI zi3z#s+F|}7Zr!c){fVg<7d5N>F<1xl5wx2B&uhXzIHD~7r=S^shkN{2`p*0+A^Lxu zR{z${{W-XT4%XJd1ZPLw*}SV>YBgAHdsTds5*CDy!9T4tniYaFlWr)UTDkwM2&W8p z|8iB9(cJBJUlcXka}`KkmmPv|u3+4f&X6H|3?$V3kS6Y|J@2AsAE}y4_?R?Ll&Pcy zih4CP&!(%0RCc&>q+@)uGW$n@x8s6{CcUN?ZZ)kl478Q}EzonLevgCaA}NXXu0~nB z#WUu1;h_vqp$BUG{!UIXb{|oFK!{>Re~Ih-GdUA7ySGT0#2thAGkj-Ev~=2K*OW@& zxgmWIET}WkXZ+>?;^Mp2%=w}svUG{{;V?NVaIx;h?zpogahp!xYCTBcXhe&ABh^c{ zysTeA8N2N>*Ttd|HZHFn`|#8L(-}n&uHLgAU_7Dz;ocfmM5pP37CO|PxE0^Np!}D? zwD*NQ(sSh_awXxL`o?L@M9SbO^{3(;Hg|8I;!rrA!>9Sc`mO=oWa6A#ZPBE4DFOvJ zbdAWld=!9ly)*i-w?ltjU}rUAX|=~}$d_l;ElqH!qJ)|hDv?!yTd&+U^2j%!-wj98 zc0hGK)=fk2gIbIcxK$OHk)X{uwP3wJy4>Ny`F{wdEcERu#6^$PUkw9oe}pjL?FjP-4N-fh z=08EUM{W>j$3YJ^e3W=v>UPin?Y1at>GesPF_6m5Ch;uR5{^ab_pW7Ml;IZ{H7?yL z(FQUv&toIx^rKF$SQ&DMyGkU5c--98y3R_SsegK-_jYv3K9}OB>5L$G1iwGySw@=+ zj4s+#pxibXoMu3s^MXK`(?&i8{Ntu>ANU`+#{NsmG@>(0;LWZ?tW1=Y+j4rGnIa;u z6>^!VAF(t*mgT?c)~P;ws7*;$En2CmYGt)u+vFCq8hyn`fGtx;we!<8@hZtehPS~@ z9=XZbGwX{5s>#-DH?^E@jFjMbSP(TQTR3&Mpx(ZictuAgo=3acH`8ZhP(_HU0N?8! zVE+xl;bdusQ;cczddva&h>4b16GY@It2JJMK=kQzphFJ+A>DcIpgKw*4zEJk5NG5y z_OQ*4gPPzKhJ0J+RSXT5G&*X%qVEur1lq4}8q%p&>Q#YMYz59Vi?VUCPL)R_tTlss zg!iMpEowy4w%a=>KabCD4N>g+s@zVyPATMa`Ir__TutO#?D|n-5}6XPzHh@cg`O&g z-yx<|&uK9>T6%c`ro|pj79xO8!&4@LDY{JeR*-HX#pA})uIcm_`yiY! z->U?=H!mEqd1f?dIBj<&-lavVa9L=Ku`8#0J^e^mZ+|2e9~xs*R?+QHobJC|g9W zg(LrPb2gk*v8ecZuGXD(dkck5CtKlB)a#F%OfL`a!idi9#Wfv{l6B{49LiEV7Sizn z2S@rj0DXa)4kjVb&xU($C|fjO5@#u&>&1FpySz700} z-v;!}6z#oJo%%AHBgOqnoSOk;v1t~91}Zph*;um9i8tkH-^7PxnU0hF5}SF6&471} zgmJU8rZ%l=w3`zz>cY5k1;0}QHX9k6)AcHV-GB@Ic|;klCzpCNM8s>kC`-J>62=n8 z_yLW+3|>^&X?xM*EauHSQY4{a*5uZ3Jxci0q3Q?oBi7sYm!IFZ-0;tmS&bSiF$R{Q zReci7!z&wMqt0dfj1~H!dZ= zwpqJLx*Ow1kBJ&RInDYEkb>k_p-rD&_KtF1Xq>-5(%1Muj}=n|NHf`m8Pxe?i@LGc4SovYhF#bY7{uLzP6KX-+e?8ri+5>7 z4Tkvw$sOvPZ$^hr=v$d&?eC6cm@>8&^u=^LsFm~z1%o7A}(dkX`D=&4%wdi#|$u7TZTtD;T2ga?^N z;iKB%o;3c-vxLDr6=AnTt~h=RlN?RDM>u(R>B=)Fq2+2af9B*}8r`u^0#FA}U1&hL zbZyu|;ZPULB>W-hpti;E;TWPzvvRnrDX;R@v6xVvhI}I}bB1eHqpM;|(knryhl}-} zObNcB*eCagZ;qItTz2>pH3>nXIo7e(dq9r%7LANT9H|f7dqVr}TcCn^{$%T;4f+H} zBhyoAKm_IZ)Hb=Sn}f2t#I}my7Hns+=lJYKqu{ieVT||ntlSh^=KlMoE2;UET}aDh zwU+~~=RfHD(S6Xd+2i#}XHX(sn0uzZ^v%oYzNagH$@YG!I05QAT2Z3`7xV>0F~_lP z=YZZ2&LM76z*c|Ftw}~OSDF0D?B}KBH*Wtw$%sJzC*`4JpFRiR*0r2C{wk*;tu${^ z^RPIz@|wNQSgFTZ8PGi8Y;ouRhHeoovptaO?)4Q`3wBpV3bQq4;qhNkjTy=7s5H7^vhg#vJn3wCG(+Kldl-FUUOW_w|2c@P8T~YUbWy z)>}q*3T01UKK$X-{!_4n zZYDwciQp5&IC4gUV!Gd$WgG%5vS<#iqs8d*zh(5LNul<8K6Mx`OI{*Lx diff --git a/doc/breach-logo-small.gif b/doc/breach-logo-small.gif deleted file mode 100644 index d732ac5018a0110c7a1bc11349528f3e1bb966c3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2389 zcmV-b399x-Nk%w1VPpU#0Qdg@ML|McT3h=4{`dU;_51$D>Gx8+=R7z$h0yK^pxxE) z`E_%1e|&wEl9R^8#i-u%N4VyvrKPT{tSl)i%gV}?*6;+oF*4iR+tSg|>gwuDy5^?c^DVC8a>?wW+wu~m-oCxPP)$x* zR#t4s>uJU6`27CW)z#ke`WU9)U|wG6=;+Su_~hi|go1+I-Q9c4?XTeUGO**y>-cze zcH{K>jEahg(eL2%``PgNZEI_u+VZ;O_O|2o&d$y~wdISknQA*$huh=@S85%O zJw7U};+oj;fPH=pqTVPZC4+&1Nx9}FtKk5h+&DBf{r&y>`}$VAR*S));~Nw{QUem zHaG9@@9p^glaZ0Qw^LA2W@BWBg@)AA(+8m4@A>`N*x0J6sjI1~_4M>? zX=*}0Kr${bV#DcM!048gm4D9d6{X)-zUYtC@RQZ>*w@#jqNCUF`mnFBdUtrh=k|z( zhjVaopq`#PI5+{F+<43EZ^-LTOH6urdC14dt*fla$H;+yfNN-JURzw9o18tG(x>HY3FR$a`;^M%+zbhvwJGA6EH8%D2^_bW3cFOGL_55JM>71IIT31-l z?f4=dAOHXVA^8LW00930EC2ui0Av6p000R80RIUbNU)&6g9sBUT*$DY!-o(fN}Ncs zqC*h*pgarpEENb47DI|W__5?i0R#wKxUlNU5CkW%%#g_i0+k>6R$fYJvgF9021^P6 zu}Z-dDkg%UV1@<)mo!Z*sF_N&s+vJ*xbP@pz(uYiCNlL9HDG{GpcFq6xFl*v5Erq& zq)}nDuHCzJEntC%M&GkB1s3fYigsa1Pog@7GH_x>0=wQKCrD5R%b-Cs1`V^DAajCY z2`og$>rDlhFW^kr_%ZZj;eQ~?+DP%u3tg)!u!#8rAzCvRE)Z0xFy>aLPT4v=qsK*s zieB)nq)L8o+C3=1H$^i*Z%LXNx2;Km;5IY2tpX4#R+AU zw$(R9^w5tCt9;_&YleaF$tt3}(nAWlaFB#8k9ord8u#>bphGBu@q#TXG*JQqDfBbI zCom8OV@M|vAb=2=K!L)02|yFeJwFhj5CJmeB83?0ykOLI~#uF|YYN=raECR*@kY4KPr=W%^ zDq89N)P^d;#Gq;nBD5n%P=BQVs;V&5#B&EpbI7`C48o{l&q0(FL(QuQu|WbHntY%^ z4DGlHLJlL`;2{Y1s4_wviWJjMLG3Iv!31W^W5xk|;84ShYye}%1mc>pOgL|hKuJNf zw6Jct^WUB8%z`w zPr@CXQi}&6Bn&_d1hHXC!g-wHK_dyzL&}Sar#k64S-NgzXW~k&o+$o!H6Y5B<#bl0;%jzBO-_`$2A@J z%YI zjJVkc9a3Ko+XrU&;|!nwc#TcP#T?*|8_KJFK<@(GfsNp@52OeH{){rbLiR-Ak22fH z&HX@egyGK{w>>2%{i&!$SwYHGxR5paurvM#9{Y1Nm*^5Cn3&SbUdM#4Ox3WF%Zi)P>%CpZBBCJc=rlwg5BSn!WF zkij1Z7(o_O$i;%R5D&`OBPWzmkA&IKj0xMu4gTL_(Y2L%;Ez9y zSO^#an+PNf2o4ip?SQcmHdFy&u)~AyXdo?tpm2)|X`v~U2LfLZ@si3k8$nPhHE61> z8&HhiB>VyYfIlFSe4|*%9FVt+7VyChEvRG%#_^vx?2`!|LPQQI_>cQpu3{e$XENuR zum#*;7KexjAdbcav_;b&YshCGfaVXU)y<0m_`@t_ItxV{;y)m;=KR`mgP!^#VdfBJ zANYVcd0-I{zBmOFG$6|sP7R~YgC{}$kg#RYpam_E-`YmtAvREM8QX#l1&$Vua}5L$ z)-wYQ_`p^^n1Tj``$rs@;ExGtfFL#4CjfFF5K3GlVP;^04~RfSf28ASYh(dC|LPA+ zK#v6B@BkgcLD_Kp!Us7(*BkN>fI18W6+j4sDJb9}5+uU|m94A?Ofe3D{Gk;9h=K=a zp#%Ujct9QlIm9jkkqAN*VjhWj2RTgo4@P7G01N0t#We5>07L+Kql&I{r%T=HTKBpU H2?zi?XVITh diff --git a/doc/hijack-detect.lua b/doc/hijack-detect.lua deleted file mode 100644 index dbaf53cc..00000000 --- a/doc/hijack-detect.lua +++ /dev/null @@ -1,231 +0,0 @@ ---[[ - This is an example ModSecurity 2.5 Lua script to perform Session Hijacking - Detection by storing session information into a SQL database. - - This script simply keeps track of the IP address and User Agent - string for a session. If these change, but keep the same session, - then it is considered hijacking. - - Requires luasqlite3: http://luasqlite.luaforge.net/ - - Author: Brian Rectanus -]]-- - -local t0 = os.clock(); -m.log(9, "HijackDetect: Begin loading script."); - --- Requires luasqlite3: http://luasqlite.luaforge.net/ -require "lsqlite3"; - - ----------------------------------------- ---[[ Edit these to your environment ]]-- ----------------------------------------- - --- Name of the database file -HIJACK_DB = "/tmp/modsec-hijack.db"; - --- Expire session in N seconds (stop tracking session if idle longer than this) -HIJACK_EXPIRE = 300; - --- Always alert even if only one of IP or UserAgent is a mismatch if set true -HIJACK_ALWAYS_ALERT = true; - --- Do not issue warnings at all if set true -HIJACK_NO_WARN = false; - --- What session IDs to look for -HIJACK_SESSID = { - ["REQUEST_COOKIES:sessionid"] = 1, - ["REQUEST_COOKIES:jsessionid"] = 1, - ["REQUEST_COOKIES:sessid"] = 1, - ["REQUEST_COOKIES:phpsessid"] = 1, --- ["REQUEST_COOKIES:aspsession"] = 1, --- ["REQUEST_COOKIES:jservsession"] = 1, --- ["REQUEST_COOKIES:jwsession"] = 1, --- ["REQUEST_COOKIES:aspsession-id"] = 1, --- ["REQUEST_COOKIES:jservsession-id"] = 1, --- ["REQUEST_COOKIES:jwsession-id"] = 1, --- ["REQUEST_COOKIES:aspsession_id"] = 1, --- ["REQUEST_COOKIES:jservsession_id"] = 1, --- ["REQUEST_COOKIES:jwsession_id"] = 1, --- ["REQUEST_COOKIES:cfid"] = 1, --- ["REQUEST_COOKIES:token"] = 1, --- ["REQUEST_COOKIES:sid"] = 1, - ["ARGS:sessionid"] = 1, - ["ARGS:jsessionid"] = 1, - ["ARGS:sessid"] = 1, - ["ARGS:phpsessid"] = 1, --- ["ARGS:aspsession"] = 1, --- ["ARGS:jservsession"] = 1, --- ["ARGS:jwsession"] = 1, --- ["ARGS:aspsession-id"] = 1, --- ["ARGS:jservsession-id"] = 1, --- ["ARGS:jwsession-id"] = 1, --- ["ARGS:aspsession_id"] = 1, --- ["ARGS:jservsession_id"] = 1, --- ["ARGS:jwsession_id"] = 1, --- ["ARGS:cfid"] = 1, --- ["ARGS:token"] = 1, --- ["ARGS:sid"] = 1, -}; - ----------------------------------------- - --- // All the SQL that is used. Probably do not want to touch this. // -- - -HIJACK_CREATE_SQL = [[ - CREATE TABLE sess ( - ip varchar(256) - , ua varchar(256) - , id varchar(256) - , val varchar(256) - , ts INTEGER - , PRIMARY KEY ( ip, ua, id ) - ) -]]; -HIJACK_INDEX_SQL = [[ - CREATE INDEX IF NOT EXISTS session ON sess ( id, val ) -]]; -HIJACK_GET_SQL = [[ - SELECT ua, ip, id, val - FROM sess - WHERE id = :id AND val = :val AND (ip <> :ip OR ua <> :ua) -]]; -HIJACK_ADD_SQL = [[ - INSERT OR REPLACE INTO sess - VALUES (:ip, :ua, :id, :val, :ts) -]] -HIJACK_CLEANUP_SQL = [[ - DELETE FROM sess - WHERE ts <= :ts -]] - --- // The code executed by ModSecurity. // -- - -function main() - m.log(9, "HijackDetect: Begin execution."); - local now = os.time(); - - local db = sqlite3.open(HIJACK_DB); - if db == nil then - return "HijackDetect: Failed to open database, \"" .. HIJACK_DB .. "\""; - end - - -- Retrieve the User Agent String - local ua = m.getvar("REQUEST_HEADERS.User-Agent"); - local ip = m.getvar("REMOTE_ADDR"); - local sess = {}; - local sessn = 0; - - -- Loop through the targets for well-known session IDs - local cookies = m.getvars("REQUEST_COOKIES", "lowercase" ); - for k,v in pairs(cookies) do - name = v["name"]; - if HIJACK_SESSID[name] == 1 then - m.log(9, "HijackDetect: Using sessid " .. name); - sess[name] = v["value"]; - sessn = sessn + 1; - end - end - - local args = m.getvars("ARGS"); - for k,v in pairs(args) do - name = v["name"]; - if HIJACK_SESSID[name] == 1 then - m.log(9, "HijackDetect: Using sessid " .. name); - sess[name] = v["value"]; - sessn = sessn + 1; - end - end - - local n = 0; - local s; - local rc; - - -- Now attempt to create the table (fails if exists, but that is fine) - db:exec(HIJACK_CREATE_SQL); - db:exec(HIJACK_INDEX_SQL); - - -- Cleanup old sessions - m.log(9, "HijackDetect: Cleanup"); - s = db:prepare(HIJACK_CLEANUP_SQL); - if s == nil then - m.log(4, "HijackDetect: Error preparing SQL \"" .. HIJACK_CLEANUP_SQL .."\"" .. rc); - return nil; - end - rc = s:bind_names{ ts=(now - HIJACK_EXPIRE) }; - if rc ~= sqlite3.OK then - m.log(4, "HijackDetect: Error binding data - " .. rc); - return nil; - end - rc = s:step(); - if rc ~= sqlite3.DONE then - m.log(4, "HijackDetect: Error executing - " .. rc); - return nil; - end - s:finalize(); - - -- Make sure the session IDs are the same - m.log(9, "HijackDetect: Fetching"); - s = db:prepare(HIJACK_GET_SQL); - if s == nil then - m.log(4, "HijackDetect: Error preparing SQL \"" .. HIJACK_GET_SQL .."\"" .. rc); - return nil; - end - for sessid, sessval in pairs(sess) do - rc = s:bind_names{ ua=ua, ip=ip, id=sessid, val=sessval}; - if rc ~= sqlite3.OK then - m.log(4, "HijackDetect: Error binding data - " .. rc); - return nil; - end - - -- Alert if another ip/ua has this session - if s:step() == sqlite3.ROW then - local row = s:get_named_values(); - - -- Only alert of both ip/ua change and warn otherwise - if HIJACK_ALWAYS_ALERT or (row["ip"] ~= ip and row["ua"] ~= ua) then - m.log(9, "HijackDetect: End execution (match)."); - return string.format("HijackDetect: Detected session hijacking [ip \"%s\"] [ua \"%s\"] [sessid \"%s\"] [sessval \"%s\"]", ip, ua, sessid, sessval); - elseif HIJACK_NO_WARN == false then - m.log(9, "HijackDetect: End execution (no match)."); - m.log(3, string.format("Warning. Detected possible session hijacking [ip \"%s\"] [ua \"%s\"] [sessid \"%s\"] [sessval \"%s\"]", ip, ua, sessid, sessval)); - return nil; - end - - end - - s:reset(); - end - s:finalize(); - - -- Insert/Update sessions - m.log(9, "HijackDetect: Inserting"); - s = db:prepare(HIJACK_ADD_SQL); - if s == nil then - m.log(4, "HijackDetect: Error preparing SQL \"" .. HIJACK_ADD_SQL .."\"" .. rc); - return nil; - end - for k,v in pairs(sess) do - m.log(9, "HijackDetect: Storing sessid \"" .. k .. "\"."); - rc = s:bind_names{ ua=ua, ip=ip, id=k, val=v, ts=now }; - if rc ~= sqlite3.OK then - m.log(4, "HijackDetect: Error binding data - " .. rc); - return nil; - end - rc = s:step(); - if rc ~= sqlite3.DONE then - m.log(4, "HijackDetect: Error executing - " .. rc); - return nil; - end - s:reset(); - end - s:finalize(); - - m.log(9, "HijackDetect: End execution (no match)."); - return nil; -end - -local t1 = os.clock(); -m.log(9, "HijackDetect: End loading script (" .. os.difftime(t2,t1) .. ")."); diff --git a/doc/html-chunked.xsl b/doc/html-chunked.xsl deleted file mode 100644 index 8b250969..00000000 --- a/doc/html-chunked.xsl +++ /dev/null @@ -1,293 +0,0 @@ - - - - - - - - -modsecurity-reference.css - - -
ModSecurity
- - - -
Copyright (C) 2004-2010 Breach Security
- - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/doc/html.xsl b/doc/html.xsl deleted file mode 100644 index 4d389ee6..00000000 --- a/doc/html.xsl +++ /dev/null @@ -1,21 +0,0 @@ - - - - - - - -
ModSecurity
- - - -
Copyright (C) 2004-2010 Breach Security
- - - -
- - -modsecurity-reference.css - - diff --git a/doc/main-index.html b/doc/main-index.html deleted file mode 100644 index 321caa01..00000000 --- a/doc/main-index.html +++ /dev/null @@ -1,35 +0,0 @@ - - - - ModSecurity for Apache Reference - - - - -
-
ModSecurity
-
- -
- -
- -

ModSecurity for Apache Documentation

- -

$version

- - - -
- -
Copyright (C) 2004-2006 Breach Security
- - - diff --git a/doc/migration-matrix.html b/doc/migration-matrix.html deleted file mode 100644 index 70d908a5..00000000 --- a/doc/migration-matrix.html +++ /dev/null @@ -1,74 +0,0 @@ - - - ModSecurity Migration Matrix

ModSecurity Migration Matrix

Version 1.0 / (April 10, 2007)

Copyright © 2004-2007 Breach Security, Inc. (http://www.breach.com)

Migration from 1.x to 2.x

If you are already using an older version of ModSecurity and want to upgrade/migrate your existing custom rules, you will need to ensure that you properly translate all of your Directives to their corresponding 2.0 counterparts. Some directives have simply changed names, however some directives actually behave differently so it is important that you also review the entire 2.0 Reference Manual. -The migration matrix show below should help you to translate ModSecurity 1.X directives to the 2.0 values. There are also some notes that provide additional information is a directive significantly changed how it operates. -

Feature/CapabilityModSecurity 1.xModSecurity 2.xNotesHow To Upgrade
Apache Version SupportedApache 1.x/2.xApache 2.x OnlyModSecurity 2.0 will only work with Apache 2.x and not the older 1.3 version.If you are mainly an Apache 1.3 shop and/or you have other web servers that you want to protect (such as IIS) an alternative solution is to deploy an Apache 2.x reverse proxy server and implement ModSecurity 2.x on it.
InstallationCan be installed as either a DSO module or as a statically compiled module.Can currently only be installed as a DSO module.In 1.x, you could use apxs directly, while in 2.x you must use the provided Makefile.If you can not use DSOs in your current Apache configs, you may look at implementing a front-end Apache reverse proxy server.
Configuration - IfModuleApache 1.x - <IfModule mod_security.c> - -Apache 2.x - <IfModule security_module><IfModule security2_module>The syntax of using IfModule has changed between Apache 1.x and 2.xMake sure that any existing <IfModule> directives uses the correct syntax.
Processing Phases Supported25ModSecurity 1.x supports:

  • Inbound - which corresponds to current Mod 2.x Request Body phase and the Apache “fixups” phase.

  • Outbound - which corresponds to current Mod 2.x Response Body phase and just after the Apache “response” processing phase.

ModSecurity 2.x supports:

  • Request Headers – which corresponds with the Apache “post-read-request” phase.

  • Request Body – which corresponds with the Apache “fixups” phase.

  • Response Headers – which corresponds to the Apache “response” phase.

  • Response Body – which corresponds to just after the Apache “response” phase.

  • Logging - which is the Apache logging phase.

If you are translating existing 1.x rules (SecFilter/SecFilterSelective) then you should use phase:2 in the new rule syntax. Translate existing OUTPUT rules to run in phase:4.
Directive to turn On/Off the Rule EngineSecFilterEngineSecRuleEngine -ctl:ruleEngine=

  • 1.x – values were On, Off and DynamicOnly and was a Global directive.

  • 2.x - values are On, Off or DetectionOnly.

  • 2.x – the “ctl” action can control the RuleEngine dynamically for individual requests.

Replace SecFilterEngine with SecRuleEngine. The DynamicOnly mode is not supported in ModSecurity 2.x because it was sometimes difficult for ModSecurity to determine if a particular request was dynamic in nature or not. Use of AddType vs. AddHandler would cause problems. Since this logic relies on the internal (and not entirely documented) workings of Apache and on the chosen configuration it also makes it somewhat unpredictable.
Directive to handle the Audit EngineSecAuditEngine On, Off, RelevantOnly, DynamicOrRelevantSecAuditEngine On, Off, RelevantOnlyIn 2.x, the DynamicOrRelevant option was discontinued.If you are using DynamicOrRelevant then switch it to RelevantOnly.
Default Rule ActionSecFilterDefaultActionSecDefaultAction

  • 1.x – SecFilterDefaultAction could be used anywhere in the config and it would be picked up by all rules.

  • 2.x – SecDefaultAction must come before rules and be specified in each context. The default setting for this directive (if it is not specified otherwise) is – -SecDefaultAction phase:2,log,deny,status:403,\

    t:lowercase,t:replaceNulls,\

    t:compressWhitespace

Replace SecFilterDefaultAction with SecDefaultAction. Optionally, you can group rules together where you would like to use the same action and then specify a SecDefaultAction line before each group. - -Also keep in mind that while most actions specified on individual rules will supersede those specified in SecDefaultAction, transformation functions are additive. So, if you specify a “t:base64Decode” transformation function to a rule, it will be added after the lowercase, replaceNulls and compressWhitespace transformation functions.
Debug LoggingSecFilterDebugLog -SecFilterDebugLogLevelSecDebugLog -SecDebugLogLevelName change only.Change the names of these directives to their 2.x counterparts.
Rule Directive(s)SecFilter -SecFilterSelectiveSecRule

  • In Mod 1.x, SecFilter and SecFilterSelective were case insensitive.

  • In Mod 2.x, the case of data is not altered unless the lowercase transformation funce is used. -SecRule has essentially the same rule syntax as SecFilterSelective.

Replace SecFilterSelective with SecRule and make sure to translate the variable tested according to this list. -Replace any SecFilter with a new SecRule directive. You will need to specify a new Variable location and a phase. You can optionally specify a disruptive action, otherwise it will be inherited from a previous SecDefaultAction. -
Rule ExceptionsWhitelist approach – use pass, allow actions -False Positive Approach – use SecFilterRemoveWhitelist approach – use pass, allow and ctl actions. -False Positive Approach – use SecRuleRemoveById and Apache Scope contextIn Mod 2.x, using the “allow” action may not be enough to truly let a request through as “allow” only applies to the current processing phase. This means that rules in subsequent phases may act on the request. This is why you need to also use the “ctl:ruleEngine=Off” action if you really want to let a request through.See Blog post on handling false positives and creating custom rules - http://www.modsecurity.org/blog/archives/2007/02/handling_false.html
Directive to control rule inheritance to Apache Scope locations (Virtual Hosts, Location, Directory)SecFilterInheritanceSecRuleInheritanceThe best use of this directive is when you want to start with a “clean slate” so you can use SecRuleInheritance Off and then specify your new rule sets. -Note – Rule Inheritance does not work across Apache Scope directives (such as Vhosts, Location and Directory directives). This means that you can not use SecRuleInheritance On to inherit a SecDefaultAction directive within these new contexts. This is an issue with the way that Apache inherits contexts. It is for this reason that we recommend that you specify new SecDefaultAction directives within each Apache scope location that you create.Translate any existing “SecFilterInheritance Off” rules directly to “SecRuleInheritance Off”. -Then replace any “SecFilterInheritance On” directives inside Apache Scope context locations with a new SecDefaultAction directive and then import the rules that you want with standard Apache Include directives.
Ability to manage rules in Apache Scope locationsSecFilterImport -SecFilterRemoveSecRuleRemoveById -SecRuleRemoveByMsgSecFilterRemove is now SecRuleRemoveById or SecRuleRemoveByMsg. SecFilterImport is no longer supported.Change all of your existing SecFilterRemove rules to SecRuleRemoveById. For any existing SecFilterImport rules, you will need to either copy the rule into the context or use an Apache Include Directive to include entire files (such as including the Core Rules files).
Ability to verify URL/UTF8 EncodingsSecFilterCheckURLEncoding -SecFilterCheckUnicodeEncoding @validateUrlEncoding -@validateUtf8Encoding In Mod 1.x, these were Global Directives and in Mod 2.x they are Operators that can be applied selectively to each rule.Add the rules that will do exactly the same as the directives
Ability to enforce a Byte Range (allowed character set)SecFilterForceByteRange@validateByteRangeIn Mod 1.x, this was a Global Directive and in Mod 2.x it is an Operator that can be applied selectively to each rule. -In Mod 1.x, this directive did not check POST payloads when multipart/form-data encoding was used.You can now add @validateByteRange operators to individual rules. This helps if you have differences in allowed character sets for different portions of the web application.
Ability to Normalize/Transform Request DataModSecurity 1.x automatically applied the following transformations:

  • On Windows only, convert \ to /

  • Reduce /./ to /

  • Reduce // to /

  • Decode URL-encoded characters

  • Converts Null Bytes to Space character

  • base64Decode

  • base64Encode

  • compressWhitespace

  • escapeSeqDecode

  • hexDecode

  • hexEncode

  • htmlEntityDecode

  • lowercase

  • md5

  • none

  • normalisePath

  • normalisePathWin

  • removeNulls

  • removeWhitespace

  • replaceComments

  • replaceNulls

  • urlDecode

  • urlDecodeUni

  • urlEncode

  • sha1

In Mod 1.x, the normalization functions were implicit and you could not control them. In Mod 2.x, not normalization is done by default. There are now “Transformation Functions” that allow you to selectively apply normalizations and other features.You should add the appropriate transformation functions to either SecDefaultAction directive or each individual rule. See the Core Rules files for examples. -Keep in mind that transformation functions are inherited from parent SecDefaultAction directives. Care should be taken to ensure that RegEx patterns match the data after transformation functions are applied. In order to avoid possible unwanted inherited transformation functions, use “t:none” to either not apply any transformation functions or you can then specify specific transformation functions after “t:none”.
Ability to specify an arbitrary Request Header in a ruleHEADER_headername -HTTP_headernameREQUEST_HEADERS REQUEST_HEADERS:headername -REQUEST_HEADERS:/RegEx/The HTTP_headername syntax has been superseded by the new REQUEST_HEADERS:headername syntax and will not be supported in future releases. The advantage to using the new syntax is that you can also use RegEx in the headername portion.Translate any existing HTTP_headername directives to REQUEST_HEADERS:headername. Also consider consolidating header checks by using Regular Expressions in the header name portion of the Variable.
Variable/Location for the entire URL Request LineTHE_REQUESTREQUEST_LINEFunctions the same. The variable includes the Request Method, URI and HTTP version data.Translate any existing THE_REQUEST directives to REQUEST_LINE directives.
Variable/Location for ArgumentsARG_nameARGS:name -ARGS:/RegEx/Similar to the HTTP_headername situation, the advantage of the new syntax is the ability to use RegEx in the argument name.Translate any existing ARG_name directives to ARGS:name directives.
Accessing Request BodiesSecFilterScanPOST -POST_PAYLOADSecRequestBodyAccess -Phase:2 -REQUEST_BODYIn 2.x, the directive is now called SecRequestBodyAccess and it is more flexible than SecFilterScanPOST as it is able to inspect all request bodies (such as PUT and XML, etc…) and not just POST payloads.Replace the existing SecFilterScanPOST directive with SecRequestBodyAccess. -For individual rules where you want to inspect the request bodies, you must specify REQUEST_BODY as the variable and you also must ensure that it is running in phase:2 (by either an inherited SecDefaultAction setting or by explicitly specifying the phase within the rule action).
Ability to disable POST/Request buffering dynamicallyMODSEC_NOPOSTBUFFERINGctl:requestBodyAccess=OffIn 2.x, you can use the ctl action to turn on/off request body access on a per rule basis.Take any existing entries in the httpd.conf file that set the MODSEC_NOPOSTBUFFERING Env variable and translate them to Mod 2.x rules.
Accessing CookiesCOOKIES -COOKIES_COUNT -COOKIES_NAMES -COOKIES_VALUES -COOKIE_nameREQUEST_HEADERS:Cookie -REQUEST_COOKIES_NAMES REQUEST_COOKIES_NAMES:name -REQUEST_COOKIES_NAMES:/RegEx/ -REQUEST_COOKIES -REQUEST_COOKIES:name REQUEST_COOKIES:/RegEx/ In 2.x, you can use the “&” character to “count” the number of variables. -While there are different ways to access request cookies, the main difference between them are that REQUEST_HEADERS:Cookie will include all of the “raw” Cookie data while any of the REQUEST_COOKIES variable values are parsed.Translate rules as follows – -Mod 1.x -> Mod 2.x -COOKIES -> REQUEST_COOKIES -COOKIES_COUNT -> &REQUEST_COOKIES -COOKIES_NAMES -> REQUEST_COOKIES_NAMES COOKIES_VALUES -> REQUEST_COOKIES -COOKIE_name -> REQUEST_COOKIES:name
Counting VariablesARGS_COUNT -COOKIES_COUNT -HEADERS_COUNT -FILES_COUNT&ARGS -&REQUEST_COOKIES &REQUEST_HEADERS -&FILESIn 2.x, prepending the “&” character will count the number of variables. Example – -1.x – HEADERS_COUNT -2.x - &REQUEST_HEADERSTranslate existing 1.x rules as listed.
Accessing HTTP Status CodeOUTPUT_STATUSRESPONSE_STATUS -Phase:3In 2.x, you need to specify both the RESPONSE_STATUS variable and phase:3 with the rule.Translate any existing 1.x OUTPUT STATUS rules to use RESPONSE_STATUS and phase:3.
Accessing Response Bodies/Post PayloadsSecFilterScanOutput -SecFilterOutputMimeTypes -OUTPUTSecResponseBodyAccess -SecResponseBodyMimeTypes -RESPONSE_BODY -Phase:4In 1.x, neither skipnext nor chain could be used on the OUTPUT location. -In 2.x, both actions can be used on RESPONSE_BODYTranslate directives/rules as follows – -Mod 1.x -> Mod 2.x -SecFilterScanOutput -> SecResponseBodyAccess -SecFilterOutputMimeTypes -> SecResponseBodyMimeTypes -OUTPUT -> RESPONSE_BODY/Phase:4
Cookie NormalizationSecFilterCookieFormat -SecFilterNormalizeCookiesSecCookieFormatSecFilterNormalizeCookies is no longer supported as Mod 2.x transformation functions can now be used to normalize all Variables including Cookie data.Change SecFilterCookieFormat to SecCookieFormat. -When specifying Cookie variables, then apply the applicable transformation functions in the action field of the rule.
Ability to skip rulesskipnextskipIn Mod 2.x – skip takes into account chained rulesets and treats them as 1 rule. -In Mod 1.x – skipnext treated each rule directive as an individual rule regardless of whether or not they were tied together as a chained ruleset.Translate all skipnext rules to skip, however make sure to factor in any chained rulesets that may follow and adjust the skip number accordingly.
Adding/Removing Audit Log Data on a per rule basislogpartsclt:auditLogParts=The rules function the same.Translate any existing logparts actions to the ctl:auditLogParts equivalent.
Inspecting uploaded filesSecUploadApproveScript@inspectFile -FILES_TMPNAMESThe main difference here is that now @inspectFile is an Operator vs. a global Directive. This means that you can apply @inspectFile to individual rules and use different scripts as appropriate. -Also, the return codes are now reversed – -In 1.x, a return code of “1” means that the file would be allowed. -In 2.x, a return code of “1” means that the file would be denied. In order to scan/inspect uploaded files in 2.x, you need to create specific rules that use the FILES_TMPNAMES variable (as these are the names of the files that are temporarily stored on disk) and then use the @inspectFile Operator on each rule. -Also, make sure to swap your return codes in existing scripts as mentioned in the notes column.
Memory limits for uploaded filesSecUploadInMemoryLimitSecRequestBodyInMemoryLimitThese two directives function the same.Change the SecUploadInMemoryLimit directive to SecRequestBodyInMemoryLimit.
diff --git a/doc/migration-matrix.xml b/doc/migration-matrix.xml deleted file mode 100644 index 6bd5f049..00000000 --- a/doc/migration-matrix.xml +++ /dev/null @@ -1,808 +0,0 @@ - -
- ModSecurity Migration Matrix - - - Version 1.0 / (April 10, 2007) - - - 2004-2010 - - Breach Security, Inc. (http://www.breach.com) - - - -
- Migration from 1.x to 2.x - -
- If you are already using an older version of ModSecurity and want - to upgrade/migrate your existing custom rules, you will need to ensure - that you properly translate all of your Directives to their - corresponding 2.0 counterparts. Some directives have simply changed - names, however some directives actually behave differently so it is - important that you also review the entire 2.0 Reference Manual. The - migration matrix show below should help you to translate ModSecurity 1.X - directives to the 2.0 values. There are also some notes that provide - additional information is a directive significantly changed how it - operates. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Feature/Capability - - ModSecurity 1.x - - ModSecurity 2.x - - Notes - - How To Upgrade -
- Apache Version Supported - Apache 1.x/2.xApache 2.x OnlyModSecurity 2.0 will only work with Apache 2.x and not the older - 1.3 version.If you are mainly an Apache 1.3 shop and/or you have other web - servers that you want to protect (such as IIS) an alternative - solution is to deploy an Apache 2.x reverse proxy server and - implement ModSecurity 2.x on it.
- Installation - Can be installed as either a DSO module or as a statically - compiled module.Can currently only be installed as a DSO module.In 1.x, you could use apxs directly, while in 2.x you must use - the provided Makefile.If you can not use DSOs in your current Apache configs, you may - look at implementing a front-end Apache reverse proxy server.
- Configuration - IfModule - Apache 1.x - <IfModule mod_security.c> Apache 2.x - - <IfModule security_module><IfModule security2_module>The syntax of using IfModule has changed between Apache 1.x and - 2.xMake sure that any existing <IfModule> directives uses the - correct syntax.
- Processing Phases Supported - 25ModSecurity 1.x supports: - - Inbound - which corresponds to current Mod 2.x Request - Body phase and the Apache “fixups” phase. - - - - Outbound - which corresponds to current Mod 2.x Response - Body phase and just after the Apache “response” processing - phase. - - ModSecurity 2.x supports: - - Request Headers – which corresponds with the Apache - “post-read-request” phase. - - - - Request Body – which corresponds with the Apache - “fixups” phase. - - - - Response Headers – which corresponds to the Apache - “response” phase. - - - - Response Body – which corresponds to just after the - Apache “response” phase. - - - - Logging - which is the Apache logging phase. - - If you are translating existing 1.x rules - (SecFilter/SecFilterSelective) then you should use phase:2 in the - new rule syntax. Translate existing OUTPUT rules to run in - phase:4.
- Directive to turn On/Off the Rule - Engine - SecFilterEngineSecRuleEngine ctl:ruleEngine= - - - 1.x – values were On, Off and DynamicOnly and was a - Global directive. - - - - 2.x - values are On, Off or DetectionOnly. - - - - 2.x – the “ctl” action can control the RuleEngine - dynamically for individual requests. - - - Replace SecFilterEngine with SecRuleEngine. The DynamicOnly mode - is not supported in ModSecurity 2.x because it was sometimes - difficult for ModSecurity to determine if a particular request was - dynamic in nature or not. Use of AddType vs. AddHandler would cause - problems. Since this logic relies on the internal (and not entirely - documented) workings of Apache and on the chosen configuration it - also makes it somewhat unpredictable.
- Directive to handle the Audit - Engine - SecAuditEngine On, Off, RelevantOnly, DynamicOrRelevantSecAuditEngine On, Off, RelevantOnlyIn 2.x, the DynamicOrRelevant option was discontinued.If you are using DynamicOrRelevant then switch it to - RelevantOnly.
- Default Rule Action - SecFilterDefaultActionSecDefaultAction - - - 1.x – SecFilterDefaultAction could be used anywhere in - the config and it would be picked up by all rules. - - - - 2.x – SecDefaultAction must come before rules and be - specified in each context. The default setting for this - directive (if it is not specified otherwise) is – - SecDefaultAction - phase:2,log,deny,status:403,\ - - - t:lowercase,t:replaceNulls,\ - - - - t:compressWhitespace - - - - Replace SecFilterDefaultAction with SecDefaultAction. - Optionally, you can group rules together where you would like to use - the same action and then specify a SecDefaultAction line before each - group. Also keep in mind that while most actions specified on - individual rules will supersede those specified in SecDefaultAction, - transformation functions are additive. So, if you specify a - “t:base64Decode” transformation function to a rule, it will be added - after the lowercase, replaceNulls and compressWhitespace - transformation functions.
- Debug Logging - SecFilterDebugLog SecFilterDebugLogLevelSecDebugLog SecDebugLogLevelName change only.Change the names of these directives to their 2.x - counterparts.
- Rule Directive(s) - SecFilter SecFilterSelectiveSecRule - - - In Mod 1.x, SecFilter and SecFilterSelective were case - insensitive. - - - - In Mod 2.x, the case of data is not altered unless the - lowercase transformation funce is used. SecRule has - essentially the same rule syntax as SecFilterSelective. - - - Replace SecFilterSelective with SecRule and make sure to - translate the variable tested according to this list. Replace any - SecFilter with a new SecRule directive. You will need to specify a - new Variable location and a phase. You can optionally specify a - disruptive action, otherwise it will be inherited from a previous - SecDefaultAction.
- Rule Exceptions - Whitelist approach – use pass, allow actions False Positive - Approach – use SecFilterRemoveWhitelist approach – use pass, allow and ctl actions. False - Positive Approach – use SecRuleRemoveById and Apache Scope - contextIn Mod 2.x, using the “allow” action may not be enough to truly - let a request through as “allow” only applies to the current - processing phase. This means that rules in subsequent phases may act - on the request. This is why you need to also use the - “ctl:ruleEngine=Off” action if you really want to let a request - through.See Blog post on handling false positives and creating custom - rules - - http://www.modsecurity.org/blog/archives/2007/02/handling_false.html
- Directive to control rule inheritance to - Apache Scope locations (Virtual Hosts, Location, - Directory) - SecFilterInheritanceSecRuleInheritanceThe best use of this directive is when you want to start with a - “clean slate” so you can use SecRuleInheritance Off and then specify - your new rule sets. Note – Rule Inheritance does not work across - Apache Scope directives (such as Vhosts, Location and Directory - directives). This means that you can not use SecRuleInheritance On - to inherit a SecDefaultAction directive within these new contexts. - This is an issue with the way that Apache inherits contexts. It is - for this reason that we recommend that you specify new - SecDefaultAction directives within each Apache scope location that - you create.Translate any existing “SecFilterInheritance Off” rules directly - to “SecRuleInheritance Off”. Then replace any “SecFilterInheritance - On” directives inside Apache Scope context locations with a new - SecDefaultAction directive and then import the rules that you want - with standard Apache Include directives.
- Ability to manage rules in Apache Scope - locations - SecFilterImport SecFilterRemoveSecRuleRemoveById SecRuleRemoveByMsgSecFilterRemove is now SecRuleRemoveById or SecRuleRemoveByMsg. - SecFilterImport is no longer supported.Change all of your existing SecFilterRemove rules to - SecRuleRemoveById. For any existing SecFilterImport rules, you will - need to either copy the rule into the context or use an Apache - Include Directive to include entire files (such as including the - Core Rules files).
- Ability to verify URL/UTF8 - Encodings - SecFilterCheckURLEncoding SecFilterCheckUnicodeEncoding @validateUrlEncoding @validateUtf8Encoding In Mod 1.x, these were Global Directives and in Mod 2.x they are - Operators that can be applied selectively to each rule.Add the rules that will do exactly the same as the - directives
- Ability to enforce a Byte Range (allowed - character set) - SecFilterForceByteRange@validateByteRangeIn Mod 1.x, this was a Global Directive and in Mod 2.x it is an - Operator that can be applied selectively to each rule. In Mod 1.x, - this directive did not check POST payloads when multipart/form-data - encoding was used.You can now add @validateByteRange operators to individual - rules. This helps if you have differences in allowed character sets - for different portions of the web application.
- Ability to Normalize/Transform Request - Data - ModSecurity 1.x automatically applied the following - transformations: - - On Windows only, convert \ to / - - - - Reduce /./ to / - - - - Reduce // to / - - - - Decode URL-encoded characters - - - - Converts Null Bytes to Space character - - - - - base64Decode - - - - base64Encode - - - - compressWhitespace - - - - escapeSeqDecode - - - - hexDecode - - - - hexEncode - - - - htmlEntityDecode - - - - lowercase - - - - md5 - - - - none - - - - normalisePath - - - - normalisePathWin - - - - removeNulls - - - - removeWhitespace - - - - replaceComments - - - - replaceNulls - - - - urlDecode - - - - urlDecodeUni - - - - urlEncode - - - - sha1 - - - In Mod 1.x, the normalization functions were implicit and you - could not control them. In Mod 2.x, not normalization is done by - default. There are now “Transformation Functions” that allow you to - selectively apply normalizations and other features.You should add the appropriate transformation functions to - either SecDefaultAction directive or each individual rule. See the - Core Rules files for examples. Keep in mind that transformation - functions are inherited from parent SecDefaultAction directives. - Care should be taken to ensure that RegEx patterns match the data - after transformation functions are applied. In order to avoid - possible unwanted inherited transformation functions, use “t:none” - to either not apply any transformation functions or you can then - specify specific transformation functions after “t:none”.
- Ability to specify an arbitrary Request - Header in a rule - HEADER_headername HTTP_headernameREQUEST_HEADERS REQUEST_HEADERS:headername - REQUEST_HEADERS:/RegEx/The HTTP_headername syntax has been superseded by the new - REQUEST_HEADERS:headername syntax and will not be supported in - future releases. The advantage to using the new syntax is that you - can also use RegEx in the headername portion.Translate any existing HTTP_headername directives to - REQUEST_HEADERS:headername. Also consider consolidating header - checks by using Regular Expressions in the header name portion of - the Variable.
- Variable/Location for the entire URL Request - Line - THE_REQUESTREQUEST_LINEFunctions the same. The variable includes the Request Method, - URI and HTTP version data.Translate any existing THE_REQUEST directives to REQUEST_LINE - directives.
- Variable/Location for Arguments - ARG_nameARGS:name ARGS:/RegEx/Similar to the HTTP_headername situation, the advantage of the - new syntax is the ability to use RegEx in the argument name.Translate any existing ARG_name directives to ARGS:name - directives.
- Accessing Request Bodies - SecFilterScanPOST POST_PAYLOADSecRequestBodyAccess Phase:2 REQUEST_BODYIn 2.x, the directive is now called SecRequestBodyAccess and it - is more flexible than SecFilterScanPOST as it is able to inspect all - request bodies (such as PUT and XML, etc…) and not just POST - payloads.Replace the existing SecFilterScanPOST directive with - SecRequestBodyAccess. For individual rules where you want to inspect - the request bodies, you must specify REQUEST_BODY as the variable - and you also must ensure that it is running in phase:2 (by either an - inherited SecDefaultAction setting or by explicitly specifying the - phase within the rule action).
- Ability to disable POST/Request buffering - dynamically - MODSEC_NOPOSTBUFFERINGctl:requestBodyAccess=OffIn 2.x, you can use the ctl action to turn on/off request body - access on a per rule basis.Take any existing entries in the httpd.conf file that set the - MODSEC_NOPOSTBUFFERING Env variable and translate them to Mod 2.x - rules.
- Accessing Cookies - COOKIES COOKIES_COUNT COOKIES_NAMES COOKIES_VALUES - COOKIE_nameREQUEST_HEADERS:Cookie REQUEST_COOKIES_NAMES - REQUEST_COOKIES_NAMES:name REQUEST_COOKIES_NAMES:/RegEx/ - REQUEST_COOKIES REQUEST_COOKIES:name REQUEST_COOKIES:/RegEx/ In 2.x, you can use the “&” character to “count” the number - of variables. While there are different ways to access request - cookies, the main difference between them are that - REQUEST_HEADERS:Cookie will include all of the “raw” Cookie data - while any of the REQUEST_COOKIES variable values are parsed.Translate rules as follows – Mod 1.x -> Mod 2.x COOKIES -> - REQUEST_COOKIES COOKIES_COUNT -> &REQUEST_COOKIES - COOKIES_NAMES -> REQUEST_COOKIES_NAMES COOKIES_VALUES -> - REQUEST_COOKIES COOKIE_name -> REQUEST_COOKIES:name
- Counting Variables - ARGS_COUNT COOKIES_COUNT HEADERS_COUNT FILES_COUNT&ARGS &REQUEST_COOKIES &REQUEST_HEADERS - &FILESIn 2.x, prepending the “&” character will count the number - of variables. Example – 1.x – HEADERS_COUNT 2.x - - &REQUEST_HEADERSTranslate existing 1.x rules as listed.
- Accessing HTTP Status Code - OUTPUT_STATUSRESPONSE_STATUS Phase:3In 2.x, you need to specify both the RESPONSE_STATUS variable - and phase:3 with the rule.Translate any existing 1.x OUTPUT STATUS rules to use - RESPONSE_STATUS and phase:3.
- Accessing Response Bodies/Post - Payloads - SecFilterScanOutput SecFilterOutputMimeTypes OUTPUTSecResponseBodyAccess SecResponseBodyMimeTypes RESPONSE_BODY - Phase:4In 1.x, neither skipnext nor chain could be used on the OUTPUT - location. In 2.x, both actions can be used on RESPONSE_BODYTranslate directives/rules as follows – Mod 1.x -> Mod 2.x - SecFilterScanOutput -> SecResponseBodyAccess - SecFilterOutputMimeTypes -> SecResponseBodyMimeTypes OUTPUT -> - RESPONSE_BODY/Phase:4
- Cookie Normalization - SecFilterCookieFormat SecFilterNormalizeCookiesSecCookieFormatSecFilterNormalizeCookies is no longer supported as Mod 2.x - transformation functions can now be used to normalize all Variables - including Cookie data.Change SecFilterCookieFormat to SecCookieFormat. When specifying - Cookie variables, then apply the applicable transformation functions - in the action field of the rule.
- Ability to skip rules - skipnextskipIn Mod 2.x – skip takes into account chained rulesets and treats - them as 1 rule. In Mod 1.x – skipnext treated each rule directive as - an individual rule regardless of whether or not they were tied - together as a chained ruleset.Translate all skipnext rules to skip, however make sure to - factor in any chained rulesets that may follow and adjust the skip - number accordingly.
- Adding/Removing Audit Log Data on a per rule - basis - logpartsclt:auditLogParts=The rules function the same.Translate any existing logparts actions to the ctl:auditLogParts - equivalent.
- Inspecting uploaded files - SecUploadApproveScript@inspectFile FILES_TMPNAMESThe main difference here is that now @inspectFile is an Operator - vs. a global Directive. This means that you can apply @inspectFile - to individual rules and use different scripts as appropriate. Also, - the return codes are now reversed – In 1.x, a return code of “1” - means that the file would be allowed. In 2.x, a return code of “1” - means that the file would be denied. In order to scan/inspect uploaded files in 2.x, you need to - create specific rules that use the FILES_TMPNAMES variable (as these - are the names of the files that are temporarily stored on disk) and - then use the @inspectFile Operator on each rule. Also, make sure to - swap your return codes in existing scripts as mentioned in the notes - column.
- Memory limits for uploaded files - SecUploadInMemoryLimitSecRequestBodyInMemoryLimitThese two directives function the same.Change the SecUploadInMemoryLimit directive to - SecRequestBodyInMemoryLimit.
-
-
-
diff --git a/doc/modsecurity-logo.png b/doc/modsecurity-logo.png deleted file mode 100644 index 7fa98c5a3723a4363e1f258c516232f0bac7331b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 100823 zcmV)KK)Sz)P)3BB%Xs|4HkQSf#o&Ud zo7Yy;)mpnpyeY@C-sN!H(k{bOAhCb0`gOkms8$MQ4a^1xFadu5^L+CH_zyhmGzi>V zpwXl(nC1xIXd`qdkgy2=fA1rmJ}J#*htrGlM#^N`DkfXZ1-(+aX*N zXn~SbdCo2YsY^Q|+aA823QW#=- zwxqE3hT5;p6BzIbMy$aQKvP2>7ZD19xmU%2t24*`Rw~u22P4d->oEKZKzEfSIS_*| znE(G-Q*9Or?BtZ{ve_gA{xjj7f8MqL@%H(x4*EV1j45+21dL-^k?_?Xu*w^FO~YvrwuWD)LQk&$8)7fWI_#cQwkOSr zDr$8qKPL@D<^rjTa9gQk!9k_6%F=U8R;)gJ9q2s2yJ}Q(BZCKS;(5m6%TXFc@HYE5aE$ zuwW0cxH{zG70t+W6rk7Q8_D@QHj^b}l1)jq&Ub6HAl?RlQL)cY*?F*C2LtPXA>!_b zK>BwMifA#+{p=D+ThsSOmKN`aO~2G^0WnI68fuS+#W;qPRAPkLr|2tDv1Hm?o)Zb~9g&6bTBME|Y*CJVriW^}NB&>70nyFeOHCWMQ zRoQXV8MQbqLBAOVw~v^_Jz1%Zn%+#(1Dzzm86x2GlMxFO9TK0h43}g+hB^N88E;zI ziYkist%zp!K!Z>hjA570_txuRmUL=q_c5z@=se?`x0*fzTMuEc_uDkkjA9ZWKJHu4 zF(=slIkQ=BL;wT=w_xEcFP!Nv&c&v;9%F%g%lX3 zD22bYzu3nf4U|`N*3`<`;#Ej2xvoYL#v<2b-qN|y4?;}q&_fe&NXQ3ZTVdxzp^QAaVs-x%TEy6Q#nUx;*glyqL2T^GhjGru|j!w%-Fp;^6+?AT6 z(lE5Su;~Jp1ecV=;5Ndt0ywFC!+x;AXe;9@09$61!!QiOP%Q2KSN1lw0o&noQ`@wG zfc^N0Wj;@b){aVwC9P<%8_cLtBxfiBm42@P+2YrT?0-9vRldIpm%V1e36|5&9fps! zJ@mDkR>W}OZ;&oaG|&@HW&5B6WL;eZ>x^Aai(=x? zXVpgBf|&3m>tGr3rmQMvlVz0xN+h3Wwss5j+w2*`1=FoeNcdZ&P4HXjPgn=9iMUxC zkJ6;7a#`YU0&`Sr%`!QqgmOdTc8ItazA*iEaK@PFPiq2$*LbPJQa&TTe`AB4JVEK^ zm57d=qM&JEgmG@qD>&lqR1CiL)>9_Zf76)fC}ApCbK0H}RN+oA1sic{beH-hwx=X% z_3(~br?-9)Moy+1xyEM~0I(hy2yKCgItt-3%E>lO5m?<0d^j~pat4EnaAEE(m{weg zF8jAw3}}bYQXLdBW~}y)xrmB|u$9ezrk-WVVINYQ{rn2Rrx|Qn41zE;%>Vy$-eOvW zBzE2QXcZy3_;=I$NA}(uu27G%6GS3Ke5tl9v12{|yz5FU?*DUpG&|Q2@=uKj+-mGJ z*PH~=Uy`Q`3NwUCS79@ZE^2Z=N5X4C>W~fTb*b7-+p3LT)ra-z`qtu26&Sd8 z0XZx$OHs7mjxwXvIdX4VNhPS@o^cXRlxh*{cG0|L^-FYniiLI_p-`)~#Plr$+$}*( zZ;z+oG%}R7!W@O&UIYAEhBk4zAd0hhDJqiH=2?y>qVu6_?(0^W;-@T2WF{0bQb9vR ze%1!F95N&|K7j`&{wYwdT-+ufj8_Hmj`B+Aa>-qHP_^KHAf(lg~plrp{x(lC8zGs zjUpzHsTBF|TBjDiyslrC=2>E_L0~08>gmT(IkpU;VLgtqY&`O`y7@BkZO?iJoGEFB z&J>8%_WXm#_{8N zuKnN+K^gr}t?;_4xgB!e0%Z1jZJy-$X-bZuq6{CsCy`x5N5{O2%DDRd()`t(&JMkd zh$x&C2?Bs^eV<}m>X5h<(V2mnlwAjNAlzY(c~biLFoE?uBr&7iZoS3v{!+uNJh72* z9fAvYSma4exzS`3_nmv;tJc5L7a#m`3C~QJFo^eyI+5Sas??%j7pyJxeE7n=Y};yu zHgO5I+g!@$`DfYHYH(|^`8JRH_zFO%xokNQgdnuY|Nk>tbeAHSnQaz*QZGfgAJYXz z4|Q+vNtkOXy!wtFEy(*!jw2O%s1H=G`}8BBy%veY0qo(A3O?cidSbWoVrThet$~fn z(39rp&!jeAsTOtDp_@jk&X(G@^-h*62TVHV?)kl-@Id0OGysY+&@!+m`_5oSJ8?#k zLN=tsRjT`WL0zCQ5*M!o9{ym7Hfs-I>|P508EUG@iF1%4xQE8U{9w?d=gO~ng zOs&$hAh;Jk2$qCxnTm#>^(`*;a!6j@LhRvGYX7iUZB+w;Q-dcK$RSwKQEIgpVCWAW zDqi=C`#}F+Q-RMre&U;@uq0K&~I2Z0!dp)vQrbC6gXJ9a@r^9iHQka~H2lvny7a>OQpz?rBt z0YYsi3dNyQySpQKzzjj5V?dkij%aFCyPP)$Yp(0%XE~~_;L~ydCnWbSc?suHv3Iq7;*oB`sb&T-r?if06A;NMYr!x3OW|4&A z9;+#VbO?SZq3`%04M#DIvVNQXlwi5IX6Cw!9=a&APRCZ5B|NB%v&6oCB!?ux$dRhp zl~MUsrx^o=56q%@c%+r#*3o!yb4B#l$ya;OV=`G?&@1`^ez@sq0Rip}5Wztnpb zx^F+Bk;a@PydsA*U193nb7^maFGbu7_(@#LTSo~`SJ&YFDF7X3umd3w!cdy*|NnCL zV1%~dZQVqTGYli;)!)3Uz9HUNil{ag^gS(GA;ChcD7dBy4CFr7{8+_huR4U)47HKJ zmN1xh6yB<)5`m`tJQW_@Jz3U=4vk%*mgn5uJGU>*`S`wFr1%{%4S)<<^;XU9{%qWY z!w`z`&RYAxASzXhJ0q`1d=A?#o7*+ozy+*=qOb*Y*Ccl#pN)fNbD$xEn#XPTv*Q<%7yg66h>$rKPZ)9 zkv|a%w%&RcEDu+D*kOZLlEbQt`P$smck|k6&~(;HNtA#wgAKzhTXDvhL)5dDVe5KX zmzd0yJ_u7=qJu?;JpR5bI2r0`bXYUXnQi078ZP^-Z5L+hQ|d?`jox;pgZ=mCDC%}0 z+huz%W2xadoZ>yQ;`+;M{3Xj_s%JDN9CH-lXZa@wnhf|0z{nY7Aq>PIRJ{M4abazN zka@0L)%NKmlYvj)fQMA?{)jp~?nEP>D1tedV{#~?4XeM4P$pG@JecH9De~Zan(kYfU_RZq0O=MeDa3t5g>Td74^W5GNNx#vGuHXCqZ+ zl(=3H6YMWN(Ak#9d>U-cXl(zSG}X~<#t9T+%3Ke-J$83Ygwr ze1Kwqs_VxFS|{+JG)GxM!70u+CK%Q1X^m{x?vXvZf;6I!0Cb!|7Q`?JLS^oMXJ*lt z2x!)`X$!^o2!5KR#)lvL}~#_2JwsAh|ii_)$@0>F!1@Hw+;B>q~3b zFSrPCK}f+k8ZOlt;BIzD(2KSCj!If}QK7S;;6n_lWGpkqD?6N;4K`NU$b~Y~C*_8r zOvrBE2M|rga!X)q*YhiwC2$KZ;pD9hy-f5;!zGT$DcA07j8UJJQ>o3KD|Q?BYwBRb z4kwU&D22V9X4mH(1h@}B$`Y1OnG~r%x}#D%Ph;M9-2qh$YrbI`uAHjYI*$kXaE~80 zRMt)5oN;oD4Y8IigjoyXGihvUUJfv>*S^A~`RbID;Ch(YLB>iw@w7fEcu zB*J9!2Ai65;D@)cUCE?+@7)4`JJpUN_;q&rtFsgJTpcmQRN6oqHgc#Pz$&V}=J!URgh=#E zRSH9sSWSF2={<#af`P?xy7ZgikK&>E7l4l|If595L1O#wS^2CZKsXg-obkb_-$rK& zsSbdJTK!nMsN@gR{H(x(SItq}xNzgPVq~&o2h|Q>(fF}^3qkb8rK`5HpuOzZnR5SgWn;^-$q#4JtvMM zvY?8V=21JpzNV3^u=*iV5)6d@Sf==0DUrz8d!lRH&%RE(2AA;qdIhxme^K~h3%dOw zG@+n<3CSLMkA(~pS^Qob3PNZG7QB1|bsrVLw{wNKnSeQT&{wu%Zp`Cvv2jD;b0}L@ z;>Dr!DA;LjoJpS?#(tUR$Zxu5TlY5Bz$^|uSZUhNDJ5nTmzbd;%-&*Nip%VLOpL?C z%RFx|Z1hfq@ko-dMJ8GQrn?udi3Y2lRydTn&{I@ms6jbCH5{o)c1r0#s0l2 ztkmFaB?fWzez5X)<~Tt0swI1q#JxZSKJywI2b%xRNQbcqI(`+O;jg3jLk9!~yPx?f zem@nKCJ?+6b}P@;8z1NV~q8X1J>vEh-w2G)j#OHiLeOdlcznela2dygvVvfSA=fHrsm*Wwz za-q+NlZZ=`xdLULX;J)oO<5FGlNZJTj=oX)5^B_{YS z!&Z_K%1H5l-95%FeIOvP%hYKci2Pn4SpO+cTZzOyvF8m zmQu$!t>nQ|1{Itt1Z^_Mv=pJ#yaVyTj|D%Qf4&_kjEU+6xCk}LvCDjd-mttC*c+HE z+2eoYVklPVB7ZnlcF_)qJ*W(!48qiG4=&_+R*W*Wm)G0;+nSdkYwvuYC-*_-IpFlqQzy{toz>OUnuk6LDe6(nFtc*;e}d#R||&>G}Ed zlp@IozSOG&XYP-jovG2{J~d^#g$JdkYd}JebB%w?L}2)HBzvTP3j-i?pJ~ ztZ!^p&T*8I6>+SI7St#BVL3$M9NqGIqv5%}<#dmFYGWq$F&&}Oto*nIjIDzgqb_JG zM%0!|QgcsXAeAo5&1y`0Re1fgTYLHAiODq8U?4xEXWB1IA{*V9(N!f&ybVu^0Ro{d z5s*c-?vE71K^hW>WQF{$XlEOy2T!~#NLS;nPC>9I)VUp*=ctb3O~whdnz2q#0M@5i z#!ro+>GO%#S8GJ;fgj5${nm~9%h1Qr7!*tCr1`9BiPNL|o|El78m!4jlj5TC$C3DI zFj1nX1LJdpC|Oz}&NIxk;*4J_Pn7fLXD7)e*~(iRqY`mxs(N;{f9Ngr&Eu#W7M5jZ z`aj{A)h=mRwHDtOQ*;~Cbu2ae(jnyO%rN!kxQE{hWqai{RPnTMVx`ml3&7VIr6CN% zAQ-&=o$i+n=6O9&I4N;N10(1vxc4c&Eqx%inQS#i!jY@N!hHmG2CNBRY8mh6nsH!Q9evl7Pp&s~%D(dkrd4syl} z;9UW9@Rl!7XDZ3aqAV<}((#urJole5RyLawr?^m)X(nuV;q1h=YPKBOu4tq%b}{CJ zhr#F^L{t$LvkEk~z_i~6Hs+UV`w;GvbjKe=kx)nl$a|*k8;xt|4{aEqsvKc8=T#5b z*a8gZ^HybNNWiCSP7QC`0JVw9TVUy8qao93v z$)E6d9^(HSX&ox!i^=7dJ%-qet6g2S5HT@WiOTOY#;#}G^ZONmuQNtMAckR}J;VRM zEE^+o88#p&yqFk9{1PD2qfGI9>og&7P*i07>3-V||->JZJeWu5PJ z+^L2fzn7+I0k93wffY2jHqsC{M;d+9q3gZ^5Oy6$41+-MaQ{88KQ`I~QURJ#fZ;ZN z_#AOyl^-7ER843LHCiB$zcPE$Ndi@@>+e&`DT5|Lf|denC1GQWbl}QWMEW-K`fl1& z7l0$2A@B7((px&bH)W#9J?>X6BZ9d7!nwrn72aM&0D#y?KsuUARVWuYjD_w9z1ltS z=b~V&(jWF$Ro`=ZfCH8ALHx2&M*ko5T0Oc8Y5vJ0Yl|l?^mYP~!jpbKP8TPeNgI z>*#_3TGBi|_d`zd-bHM)t~ozl)T+pUve^jd_DZs4Jb%abQvkpAoP#+COa`*m7Pu7m zeu^uZv18c-^oMgkLb>0`=~DP@3OCEmzTVm{&d{nNv~qT&RB7o;gP)p@LI<1`3X^trF4t7aVt(UcQAIp}w?V!!Us*U(@gJ%|H3_>+`#{LPH=UffLPhAF6nz6sRF`3SUsnCloK3o_Pp zA%4$GRhi=@wP0w&JUuQvEv^yBT*#9xOh++wiT>VJO&Ru{9(u)*jC?Mueon+8tP>h) zBZx@s3{P<1`A4Gs3sT54VOfgiI6E>>e}e8*(?8 zy|hq3j)6Y3I%Nv-sfWK zSlZ`BsC$G*A&>mZ3s{$VOL7Awqeek@2BB4F4)AHXJ60{D!(+W~YC&T_xMKKED+5Z+ zyIKN>v!oFf@_)|6leFXpQZ-J0c+ltdu5swtv#* z2FY)<;W|nfqnBYArVO#MBB(|lKx&2CPfic8fgt>MX}u-xI&sc}`*QL#zzXLY1avvm zRPB|4AN2%JCp@oqT1W4t4}RyZymT&*xY1QrS2+M7|VuN zcaa6PO=4pLm_y1NpZ5{N2}a(KqLih8p7jZCjLaT_+E(OzCns!9N;*yrVj0qFylr3v z-H5WL)_&a@75(1ZDD)hqf{lLT*EBd?kjeuf5z6M-TPtdz=#nLQ%umdnoLOH z{)^m4RI~-=WWr?bdFCSkV`s4AFbssy(EtBu_E0H?fpPcNLscb}?Sz4O^JzxLKcaiF zr(O?f+kx;tMUt#^&{&|#;MKCe|Hu8UJayg+pup3|%z2gvDVM7#KLSF)M%czL_JEH7 zeYSQao$I%Jv%=)M4VITQjShdd(UX8#?&hj{=HPUC0U5Vr8l!KAT%igx`UkCLtMNY2 zwT4pSYFMo(B`@M1)QNR3yn@qIJCr}XsNVk zS^U}>*T?Mr@(L9f4@K7frPjAbCQ{&L943>%svw1QRfpP#?ev5A=|BGD!Uv?rOJp6CICx&F)PtQX)hK!+H1p!hgmn zRa(i-&#u5TV=G{c{)O-7KLPkUmmG$H5Qf@P?|)^|O$Hk?SyxqmlLoMP{<%ogB4v*c zM?AF*>63Jt%vIOcIL*L_0#n&21zd0qsvaE8Ox3kGDE=sE>-G|=j4g-qED%rouFJ`x zYhuut;i*JpvqJkD7Dx10#X;|GSRDBdJSk#9EZ>yicYPTWfKxEPx>m1}kZ7}Lez+V5 z?7~{&Znmn;*tHMPR_!w)5PB+SdqQD00p?;G6?WS`oq}Wyxk@@i;x-|We|6!7OUoyvK;7y~y|=$)V5&?w_B0MVdbPW=)a$zZh|R-MjBpKov_8tC ziK^gILyx|y(byDXa1f`B+Q-M5?_FSnyTR7cT zI<=T!u;@<}qHP~xGX^~d?UFmz3i0H6TTETSMzC?9#X)>(MksQEov97CPGRMa(3cp2 zg|lmcR|hVwMHsIh)zY`|f2l_Ry3Q@ff*=H;lFa_M%>9{CKzjq7N~a!*NBKM6>b4Eb z@wSmr!)Po|Zd?-x0j>vcRXJ_RZM}Tg3T`?k9F4RFiE!HDQtG~j$gFVHBlr?;=w*zpqDm^=7PYsMF1c^&jN3)a8fP*WQ2xO)xKZ&46DT z_^dW_z+t}H+i}^3PE|2%J?0dJ&7~umX0Z4+|Ho>r=&Lb=-O_J-otQ-Qt*ho4p6AF0 zn@5dVYjZ7Hho3>F7D7T0#+3W^iTMe@*OlNf41+M(|NrbsYXi0+llFnOSweh%80ZUP z<+%9p`~>=21Q)<`CHhVT>Hg#A-!i*@MvGiHTJ{k!f4Z>WSeWp|05Dij8>Tpk)Z;#= ztfUf3HCtl{H?)@NhDWvdt5fS)?x!If4||VXU9A+&6EuUrqn1a|0c%ID=c@ThcWg^a zKQFi(ygQkV5T$=1lVY&*Ax%x96sdU+?ADkL=uy=uT6x5Y?*u^U2B%%xN6^$#1FTYy zg@ugx{X4mNd_X?K*3iN8j;i2uy}r7d!X0q2zg;KUv;W)Jm*q2n5}?F zXK)!MS9s%R83SRWdgSD$?yaMK;!aa{@7>~z{K=`&?LBw6fDoH%r?ThNC&X=&rgS@` z2~jrw48oD~VAYoug{pVzzy2p?M-H~GwHX|6mHem(*W`Pn=L|}5tpJk(9Ex!JmV2^0 z7Bb(5_{;=kgP|YO_zRsBnX=U&ntqYUdSq1PZ7V=?{RnZYGgG~NfA--~_!DJeNmlJB z5qwOT5I25}<8SUW>>8}kL`JFg22+|un-FaAQ=^;mcM#S4|ER=BYU4*L+c+U z>PCLl*^KO0GJ^FVTxdRTDP&xjZ!TeX8>}Ez#a@9}Y&V$euni6m$L+?PFvhBgckqn# z6@afZ$zd3VVW0@~|6f*4jm4pyTTcZV)Q%Po`J2kL?mcu5xmTy#M$*;19GmW@7&lpa zZJ8C)SUImo5ET_Sq)A9cuDS~`#$tf;WY_3o{Uf09oUiUVyt?xS!Nzed0b2mn)N`(Y zn+^H!{+(wDI(hk7wu9LOFPqz-*%_QrBe98mBVLm6w_m5Z{URbYy;jCj@PxM;abyJE z;`o}HaPzDPrx7abX6}exOr-aZDp;TX)eP$D4;tb2Z^v=Q#-VR=<+6>%spQ_r z?m_6isdkq`=bd7{30%u*?pK#!&;}h#rmhnZ5bT%j5oLCQC{sY&9H&&8XQ2$Davhm0 z`_*q<610?JwKF!rlN9ddta|C-u~-gwk~l6j)57v*Q7B^+bD+X@Rz41I-hlcPf9EmD zVYqx^3Q<@cDVD8JD;ZZ;E8Rl^8>tnK0DPTU62l-2Lt&=(zq0z1*xK3yq?x1;zURM)s*Ul@F|3LMx2mKPl5K698O1H+mM*Tp%_l&T%A7xD0NLiU0=ls~m^CwsaKj)fcHLf}AA8%B- zWMh29!A-q))V()yojPyz93L}oJklhGUX?Ku{Tp3Ag)dx zZH0_R`%P)vWy->7aA@xEP)P>v{E~F!2`QOIyP-Dn_L!WxMF>MC zZm5=sl_IKSd!YXK3c%NuyZnxaUpj5sI+z!Q<&nA(AvyktD?l{Q@n}JIC?A_rnwp7(ns+o1y z$6q=%f0hD5v{G<9y8Sfnq8{_Y$V|s1QN^XZ7Wr%&Y4MmCFq#E88n%Wj z;Y@Aq1Z<|zLbxf)seZVkhLray2<(j<&nl%NqZ;c1B_{)MxvM-D5~A24WQeLQ(!;i3 zD;u&V?1ueTRo3m{H&|+n5yVP&w+vBoi=g@!e9!wyq{YIK#KI>NgQ={EFdrYwv+SdY zsr;jz_f1tQ%#l`~3}?PA*33YY7PPQu2XbjITCHT4aVKhiCoqgi&B+Y5wNG#V1ys1V~|id1pt^Gc_B5hZg|LLf^yFZ##G@U13c z6s*t7vaL|LbFmpi`GwFami={`Qz-?ox+`T>mft^|hF~>U;)l#U8k3cJHULsg^qoQb zIied6kE0H16lskFU!}JX4=oWyf8rQ$G2G-uY%*8u)i<0I(q8kW|HVED;Qg5NA!Nr3 z&wmHV>e?JId`VxMtshd`rJ*tVom4c@@mgYTdQ=a?quY}{RH(0MCc}h(-6eBmKW0L`-0fl@5Z!URzK{F!N z8=Kmn&XmO5XhP;0SuUibkV%&vQ*UtGoxpk`xMJ5DIhuJI94J-9Ts$V7d6;n2;CvL$^ec>lYsy0&E+g z0tI`2(4W1dXa=P6rW;*~Or5M zPUo>EnTxg{`@1|+DgyF!)=wVyR7oQq^!8b6CjRN^h#AMtdEV7b4NQ|am!s$>F(k~1 z0bW>%1rSW3-ttQ4jaXY``tMF1OO8sx@XTty+1(Qr;p{?;uV1u$$1KWBoV22c(U!oO z+%E)nG!asH;!8F4%yo&uDl9eV>3po*!>n0l)ccRVDL-*C>f-ZnAob%u4NiKxGCKV& zN}&rcGp{t{f(!MuNm0Wh{Rg{>gBb_ex-%;FzGxef&0aQqa@SnTZ(4?Z1R(6(ksO9$ z7)s3S{jZD^*;x2cN$JLJOo=2O!M_j%X}i=N{YRm#bh9UJP;QYUeUWJ4V$yG)eIJJ% zk&dKrB|{rFbr#l<^JdO$4&9h_DMj;{Fb1b99;@C6R#L*|%~Q{3%ofMXQTC*cpXiA9 zw5%VSPa>qB@tD5Fqp5Or_tSUQXosFA%7AR{9oiEcmHvqkziJ!`YR*)F98VN@9MHR&82;tbYvBwI;-*SN>L$eT82#3FgG&JaC~* zYb=`#kF?82T@-T;*^drMv$|qR4U8K~9c>h>0G|fJsiioBi(u4I0=c0j(uqVyxT{)u zE;%>Tgc_b3Duo}4mnYiHPLUdH&{rD1quXEX9CbJl_Bv$$BB28}T1 zNI?RPbD-(Aw*==i>19d*1JCqh0l%9^Zkqc(ZfKP*as~|C=Xqn9QQ-t#%?duq);Z|9ma*B%R8yJ*DE_ue6E>| z+Ir<&y*?Bsjw%Sq1ACjOdv(tmxWqO)rGhU3wtdO0gu-Nr3xfU^0TSvDvnpB&lm%L= z2*Wd&kBa|w9eL61iyO@EmtO(sI)fyJVGstwO#lC7_23vJfp0x#k~#q)R=-{o+Pr_} zosuVaI*A0s0jk%6q4)KAcP;B-Sk#kt}L#IwGv3G_pUl(S?Mw$b3S!L=z7Il8m{ zf6j1dvZe!a{ZiPSH%@LQ{At~0a3ccm&B37pB8xQ9$+G3V9j+sK|M1|6IpYhUzlN7R zM5I@lWP}GEVt6V&Ol4tH*P2S>q}ev9$cmjudY7Y;QR)kQC@k_*{PqcQ=lTjNMy_?m z`Os&o*l48WwB4OfPRIZfFWDemJ{cK6Uoo6qL2~PtBJm0d{2cSY0Cb&e4#F@DgX;-# z{{th!57zmS^Z-K>v?Xz!&#zt2)DZnPr(q8-YX0()T3N+~5LJ-J3WKON@y8BkXT{xZ z30OMOn1Ew?27~}bZWA!Q!$6v?M>p448{yDMQ?D+d_-W z(MFjB6HaW6?l65&FubNiG@`{)oSu|x!zcd_o%eMa1JET_9i-&O0Y3Hp7Dk>4T1F&7 zt!=CNOtTAvjJ3#Pr^Ofv$@pT5<#ShOkavBYqN1_Z8~acTY8n48Mu?U{))igOUqOxceYZ+Wz6tnitUrR#)RaU;Weqs)&0DUx%foiC z6zuq;LUA?=8cfq*VMPhV!K_~8-Ah{kxH9b$KumVh#d$ut6ab}-P|5=eUR|0PUBo-aQDb$? z{u-a#1PnKE+($nF=sIJZhM^#c{v{MhP#P%$iA!)0Zo#QIN3M|zP@*7GQKX<7k|KX+ zXUA<~Ik6>w@85YlbIT8wY@s9vDM!UobuyM+>n~0x&892lP48|d!mmfM94ZL@0P-z} zN_?o~sqY(JR-&TaLaU}b;OqfY$h_YU8QsV%LrSTF%`}?eI_*u+E0d}_W2gm0>)=HR zJedVrT{yrJ6yPJx8NM@)0V4UF4|%-5dw+Y~E)Q;(VF{?qho{ru$8P_5_}y%7HC9Ig)Z3 zM?((C_|rUhF&rV-o6S&P2zA}b!AEEVNw89**EYaxq!S27EDae!jOKLAt-d*S!ai}* zKdUVngkgq44AEOqBbU)Dfi4DnULWA0E1X9x+vVxy*$l<6YR#9wbo~1MIUK1_ELBKa z2w<>7NaIPPJ-6h<=@QQ><->*4H8h7qGN>Xip&jO(0?7+EmV8EfXks>OBO4t%sQ2Lt zIm~8t7wJP0qw_ca0#J6wI1L3c5Z#d?r3uiaq==M?Q&4kTF2NyC>a?LD6ciYNl&ohw z{)imlM^SeF+TNKrt5ipWZ4;g$Wwf|pg9Eh^#SRqHl3#UCjnX}nk4tMM$sOqK?d?NF zKZ+0xNZmzusrwiRba!Ngx7?$Sa zhv~HlB07$sx}8d;>l0ik{$oX_Ny>V(%gf5uWo*v1h!3 zbR$#~FENgx?f$UBBilpxK!5q<`%w3nleoE=mepSD`LsP1ngyz>i>yLgXocn~eXV_E zx)^1{X`)GNa+lZ<3zc8Vz9qCjSuu8VF#(qjU=b=oK5(KzOvEuMM!y@uqmKx#(MG?| zmPzY%OTw96)4lf>PXQ=9!(D}97zCHZ_kU$fG-m_aCVKyyt7dLH6h2-dn?yh!H5C~> zgGr-?t~qVqGq~f~ajj(Iw{p1|J$=`yWdXlO0xx`R+y-Qo4 zwa;~v)QnrH?u8t*bJJCDv-R+z)X@J=u(wx4i!pP~Oe?J=+>BKSjODWq2Jl`bl~6Ix zSUh&~UOb3iT(F%;;9op@+{#FL8rbtWg4g)e>6pGk9Ye}F%5hY7G~VVWq=o~A*G`gR zaOlqF*K67l)`ap9O_zD7=fp4kXH1wH2%A)$T+<8`XfyRGg9NX>hM296NAg?AwQPHD z0VunY90Xz*mPq{n%jVL>ONs<%4lwOxvE%qN5E9Wdms#35}xR>oCIi)q00@!D>nEeeg<{7lW$|Lr`Z7uc7NR0FCo6D zT?|5%lv8%&4tWv)4;7t>~cf6za%xO<@cS#y-7u5!lmYTIn zLW9vT@RR;Lvi5%P7~I%S7TN!!Fm z`7w-tnWy!h#|6%b%Nv+(qx$gZ@2cJF#?48;7WWMIC_W{m8d7?_83Mr8 zaCJ_TeT|0267e$;nU(5Ix@!E;0aKR2wqV^dvRVl7q>TmKa)EoAV_m-wthE;YTLP&v zDYPk`J8@UU2k0AqtKy94e3SaAopfR0X797P8sFvjjzAHTHeuQvLRH2^0n62UEQPHD$xsXnPjRPrcc+w3P)hGk@;5^m z`}2oko$TsN6|mQ9C&$Z(9Sy#@&-DaUsox;F{`wyByxB?$T~UDTj=P;@W)*n~sJ29N z9E{G9Nq-hAf% zD@f8iIqvg(^CD!_ya@e)dqc!_41Ox{#p2flCPY*v0IL?XK z%`=X~SST)*vdlSEq>xZwaqRdwCmu4%Jnp_qaC=nsNi_{HH>@!&l3x-;Jj0(pV{Mjc z&KG;N`{I?vOV{>{Bfp3N(s5B~l!?rrT~-SosMc=zJUaGy1!L=fBY441zhTNyEuU!ZDe46LOQ@iu&iPeJF*1#qzzU7NgF?Ry`^qqtdr79S{2;5GD9br zYCAmJ7_^QRwQ9z3b-Opqi7f#836Ks#%<>d?j87a-SN7_8xhWCGU6dlj%j^-^_qBVropRO&IfGr;#UJ|sZL*fCPZ_@J=qmtJ- zb9JC>jwP?E%g__#QE4q!pq^g5Bs*H03vlez=_i4WIO>I3!MHmP+@!mLdYxfn36LEZ zFKa*U;Bfz;;;G(3{B1N z&>5*m^Ty;CO&z!oKmX1^u!MIm2xr-rivZ4&>Rc zX+`!As=+#is>q6CToK?MWk)w66f|~eC^XY8%Q$6E7M*w}nx65KQ6T60i3x^X2x`WN zSCm&BB`xZ+VDY$`T9bH;w5%ledR!CYk)9!t%P3TfPJ~)``H6VX5ph~$?}DY-Z~zNv zJvRx4PEZqc1hE5T2ptXmY)6!1@ZW5e@HWow&>!V=g{xdU7~D*X&P~;@JA1qSdv5_a zyMiQyfe;2>TF3vtHy+wul0ZH90$W+O5JK{@aDs&tOjIxhCIWlQa373qG8!X~(XKGg zO!G6_O*X7{ApBOumLpBygD;jef@ivxZ&w8oZjRhsEVh=z<{t*QqJzgrPsCLBzyoP3*H4qpfczAM^%Z+*p{h~7;dja<(r&XL!$#J<7#kdd zM-wz}SVBmg{{< ztlkC;`2b%5C_97Qgkd0vuAxUb2Z{gxr%IK2s?-A?F)boEGqV#UxF@m`o2++d-+bsr zYuMh+OdMh<*M%gKjiR?Rt_Ey~8713YR@alvCV+u$J&WF!rQZu@?@CC?@B)yHL6#LdDTTXta@ zEw@jX50%#p7a%B~RGnCW9sOo}aku}WLC#AYb0@Ew_g7L`xAh&vq@1X27+)GxEVy;K7^V3pKL(z4y~)C>qpQ7 z2zd}Y=}y&Grz*|dn2IvHqm|bhKh)MsDwRJ7?r}-Qr{kqLy*EGob84z>c@51D8j?I*|O0Ysh@LHfC4nP6SnFt zwWGA=P!ADE3k;Kw)8+X=&dJgVEfH;tt}?-hs8;oWgBaFQFYv+m32`XZ@(y~-1m$6K znHY(I^Pl`WdN0?@@q0V|Za?SqYi*DJd&NY;BuZ^R8L^C!>hsyJjVR83fHTn|mn{$0 zBwm_f%=T1K@MK?PXQMAh*8CKJw6obwAc$dbB2k3sX^YweTzLP7#FeV<#C8G~USW18 zlRtkx@YZ7Dg_Y*NvTOaLMCmlEIDxi1hK62TD)PF8Nsan3EfVvl2D{aoSCS$Fh2t+2 z5qfp%=%Ex9wv=7KcY&bnMSoUK6NDk1a}lD!dt($VsFSI>xmVcN7U|+=P zd4sX%FuuBg&z7{Z;DAjHk=BtD=vD@t8~<@UY?tkNzkU6DpFYpKdgH;vv=>OMDZ5qj zN5kF)w;@XvlI)K*KGkzNA4BE=g9^mcPNyUdkf17^v$WQYM5A8;7(16F24NV6+6!RY zMd?fyz5g-Q6~wX>rWars^1)H$r^$lmd;U~gcFx5dttcWvMym#Ni;$9sEr7J;Ua@jT zf{8j)Bqhx(xza(;AV=HcruA` zbN849C`6=w!?x3901fTw?#NUAl(QdNhQ_27VFiE-n-&_4WhfD-bs|+6iA1uyvjpTP z=BxyogrVqP5w=NaVf^)RZ0Gol?|7Z>ZQlzT;`YioZ!oBck*mqhZ1?On)Slqt8iU0z z!*)!@0_tGtB07S0%cFxUvW7J9r>7_U1fcBNaTADw*c+BAND)c{N+j-o9}2o$fFy7N zoCt-t_IMtMmSPKbc0Truy>w!r(6^EqPO~iJP$8OWN+;vk3P1OJca!s&@p;Io7^QK7 z*u7C@n=k#7LA`JF>b)#FgO(1}69^m@XI$AVH70nK8roV`e{sN}>R4j`jCo3mH# znoubOF-r8QM~=vi;eFTDXNO>r9T1({x0oB`TOy{;Pp?+4;nAhzxKl)N8_+#cIbVlC z--?ThhK|aEv-F_Qz-XrIK@o-+?Y5>R+hzuWO$kx@(+YvonzHRl1af&fsyBkzyNNIK z_!aFTAWS~BTGDJgDXFy#dq;X-VZx#`0?OVT7e$!zNjbR|(pOSdtcgmbwGy1HW_SKN zeeMrsq8PQZe^2;6{z!o@kzu9@E{H{}Rxg{6&35{75{0aeNUZ^!QhVnML`BWJ-0X2#e?ZasH@H8hI7F<*AH6+*`EhATVN{x@=?N9BD} zjTtt^__b8no8C)xPX#XZeWg5Y6nXH_&{7slgMt#Jr69ytOe>+?k{m%>)!NrOTa*!& zx&@xP@A!wD5gPf{4~St_76WQ6)(%tjs=|aBh@tLqp)gbaPjTp+q)72B6+7OEyiy5= z`63*}*xZ`rhAzeEnt@{UedJi|@@zKQdgl`4T8(z6zV;T|Y}$3`Jh4+kmqnO}6F_+O ze+I!^m@1D3$WMA;UsM@|P*#6bta>7gRvi3s&UriFJ8xdLR^g&Rz^5jn%CBuoIJJ?; z5@tiDHju@AYd$xR*SlRF*UP;f7bak`+q`B~=PmrPxVCLO9QUW6^Xd2eec0!2H|>uW zzki1KwI<@6dcCSpE)CT7DMQb~1e<~n)aY8=l9%m~vzF7Sx15H%=x>^SxWrD1JYAXsCP9&SZS zj3@Oh?FW;7C!Ud~>NTLE$rrP#>_8Mlc4%^u3~h9rvj||NGz2Q8Ns`mZVK*o+A7Hs_ z+={0`4O+?Tn7O=(bBQLXQFYZ!M9`5R?1>2UlzZPf{8@O{)&P`DF8})=HQ=rYYL(V4 zMR#oLK#gi+TwCs4#E3XgD=w0?+PQFZO7o1IU0+sGG7nK?R|FSOzm_oNAz5FAhK$%~ z+LBb>Raf|JpqCYSmD&l8AS1v!B6MmBjYUJ4V4vB^SG)9~TwbN)H^Uv`ei(F0H5ffQ zCTG9|*;c4pG{}$G8fbpo3_pHS*mRt3_v`$gAFt=>ayCCKbs75$4UVjzjfF=B1w`fG z01RnQGG++6vlmBly+&KYq_c0-tBy-K`TMe}G^dwV_JeE&YVfmt1R(9&brT4J*p3th z+K@z)NEG@1FT~K?j_om3bU(0%#O$1(A6~wJSoY+Bg%wi8OOoz;LH4i4q5^;{hk+KY za|#TN(I8XAiYc{8i`$ga)GZiGI(O<}M^|jEMQSeX5$VcyzAvTSsYA)+20T-e{e$wW zSD7-9w+%{tuK6M*c!|vVwNmw|HY&RNtE8~<@p}Gs9ium&I_zE=v}A=*JcAs1Wt+9rkU?ER{a`S)#V@EFQ1uP4Gb^Fc4FZ_;0DQ>ADR4cE#L0PruAv=kp5F;9 zsKtv;OJ;p2r$hK&!q^5(O$zfCwE_FHX2qm_6AhG$`E5!@Kms9Q*>S%n<`4`j2k=l< z-R;B*Dr%%91dy_ySk12g#Oi($Yg-z>$S$&+rt0wR6c~ z7=(c+j#T9csZ#a+$DFPV9?y_f_f3NW7~{{IgKY<_hZUs(6`OC`z{b{&WrJyFv2HgQ zpY)od4%M~b$oblnQp`WQ&cS`U{tChl)Z`M(eWJCS)jDG^8&Z62o1(hG`5^Eyv}8=k{TR)DJqdYs{*u9y~SvQ~95 zF8rz^Mp(9BM!fO|(MdIw4O#dqv_qlwKA1o0R81Kq1U5I~Cje<@u){D6!ce^b|7Uh- zh;7_c?~|rhDFiUjKSLTZroYsa60zS4VvfTbSzO^UPM!Iyx0lG~xin^Do*dt2p9b^b z;@ZCrIFYB^SOW5ak!xqC(x0WciFbXTcQD9rKX~i*Gzm4Ofpapx3aLiw*sBXYZ=6Ht z7VVIi`-O54^=V*X$ae+bZi*U0F7&@HAc;nOFn;$ftuBTAuhSLk8Xj=1!>Dr!!QQy^ z$>NZ5gTC*jak3erRJ1pNP8=jOfNtpcENY|50VY1dL}30Aa&AS;XT=Bs2yrrQ3D{wB zKUN_K4p6PBXvsUU9X^E1IMu>M3X?nGo}fQD%QitR3-YxB;lPV;!BU@WpMwg=RpOAh z$5JG*!ypP)VCfIsrR`+7G*7&bg_C+S`GXKXdGO?Vw=zG(>C*NL3}?M6E-Bsb2!r<{ zk(ZzbIgSZ?5~(Q#L(P$+0~Ae27r3^i;UuK3ok8Z%{skcIjCB|WVi0Oe{r_L4OX~o} zT{=dJlp)dO&OG4d!sjBm$dbRSrwzC@Aro8%2Lx-%SW&Hst+%w43QWf2XU8up;{+R@ zMCa4$VslT42U^W}9{T!#VED*p=nJ~LUeYEy1WEgOf;3^+tOvWL&O~J&Fr0Ztr3awy zvP{c`HPxDz0{{Gk4MF#<3=jN|w&u#UJX)G*rDl6T0OdF!{ewQ8(*<|50}nk&m;5Dk z8h)OEcC0FVHwSY?=T5O^fff=v{yH`rkID;yvN zi8?>?R@HtaHt1mgoyEVE<`dEivNkSJLpE(G;9(($wfa3be@Bmy3TmgR4oqLaQVg^Y|3d+q6g2OBNGqQ03@7c&bpcy1{5( zRGu`Vv?$pG3lUvbt0e{zj=d=-&ophwu1S$tW4^y&2SSOAcxM_`85!b5P0DVo$B%?L zCE~RL5_tk|Pxii?+YJ-w^aW3~K-s@ww>17s;y}py;a)CcG!a1YXz$d4LTe4#S~{a1 zJKvc50~zE?b|syBn>Kn_j{2aRh#8A)#Fa4u>5tP(^K(Smw%9)CUXMIyhHGfNF2IQ- zLsyXN61&OX2M{8v+ZLtXeshMd*accvlt}qRajlhz#k(74W#cj~W{m~8iM_tXrA%uo zBJ(9+zY$Cdig+CX+?u*ZDTO5?rE+RY-4w*&rY;vJ@V_%;i|ldC;e51R?WE;?c22c} zVAjxCEPtet4wv&4fUz@LaTthUpbh>1Pp%8;Wi!%hxxO~E6v8I9ERA0keYtAZKq-B6 z8y2BUZ7B1wq{$|=X0??PLy==)!8qpZU)#d^Iu)Tt0&-6}VZ17Nq?;2In&a`VpnH^y zNr9aUqA3<#Y|+(4Nn#x{55+(E4aPV}?Jcb)lo6A;HLM9^NoB)8T1)(ywQq!wzuMie z*R}V_TKv-l`1#!{!3$EDZ{kX{@H!{5$I{Y&_1egWrHQAU!0^=A}iJ*VjsAOvIiXI5j*p1RqaVKldq=wRIGf5=a z!-{@DY$V4_(V@%fvS{8j1=#J`Pbn6Rcqdq+%H{1beMzaOT$UG~I-1d7s~w2+N*h|j zT5@E)Hdh+7sK}2j;2DCs32YL3FOW*Tcis2VtExaH!?j+nMt@U(}2$!J&RmSkFw4y#xp|mHETg5$ixff?>2;78j#d)c(wBx!4RP z1=5*eY$f}HZ1T-%SB>zB7^VVaF;u{^+tgS z4cADCv%JE}Kp%QDGeG*H$+vb5{Bsu$Kqp(7o#!wT~g zrO!Sm1igPZaQSOi^quHiVEP?N?S=TTcJ5y2eQV6f;`b^CtCZw1oAJUnCqWC>3_z?p z)p8UEcpUd@XjZ9;mZr7AA7NP>osd_MV?n*ry7-l79Mj5cMM6u5Mpu+b359aZfTAt7 z8{b?XD%{LIK)(WTb_O{N12G6RQvd&DdWgCKOjNbEo}x%ev&M$;D-SVatlTYl0L4L$ z=@5K+jd>Z;Ju+x;55JDG@lXJz)pK;F2!^*P0To^MG;2%# zjvWj^+_3EuNsi?xsaSMxU|TK|q+peC6+$_l%nl1l zQ^RH8@`OTLx8b)WRIjA;j2$mdlbG3wBR%-p_+q~u&lIka{NwI7M8w$&!)V>NCBZEy z=(jDp)F<4IX@3UySKVBaqP9IZ?Yqg|kD`Z|$X{_8Mz9XtoxV*naZx%?cC5Rhh{9Nm zHK5z$X#$ebljlS%o5cxH7(rsigLjbi(eqPTTB`%I;p&^Wb^Uk?K-#q}I}CzA*82Zn zd?MB3g$1>J=u>BGCry-$fP2a8wLolGrS9X2)Tk~y_^PKEH=$6HJF1_5w>`rW-n^%N zTSk{ma%$ejrRdX3`$VBki@GN}>H$PtP}Pq|O1)BkjqT*GOzz$yt(-i0F8B*<-sqvO zm1tn_e-A~BF_D3k#t}pve@ctaWHpn1tq<5#z$>y&yjPVIaF_j{wzJu0(7w9M$$3S2 zb?`b08^(1x!wn=DbAHvah;NWP0-M?B&7ULquJf%?IIfng@o3nu2c`rqylROjBc3Ey^KBH7(U$1^w1|5D5>$09%LDim8lPC1k{Gnsp=xNQ0*nqDv-2w@rclg zb50{{kuJOBHs+4hU}G5~`5h*ig`~X7#M9hjTf6kvN7t0RKISjaW%amz$k}tw;o)zg z{m%?L&T|uRPcGo1d>GKabj)feim#heWDzfS!FUt)6Cd_lyij^4|L6BCe!$~UL zAHPmb(;e&c=eIa1J>!_zT55-Wjxh<(*c#G8LoS=R*Wyu(UVh}SPsMgyR%^a3AU;Uw z9)jPT#D3rIkL|8LtNt?AVT4?ni2u7>-$P_u63kn$HhOQdv>7FgG0G`r6jPewlx1{` zmDatK+6=wwq>{4hgp_Kkh)dFAT$nL>yeAZ^oy}&9Zw})~{lZ6zF=d2vC>$l6p%g9* zcjIq{-Uz8+R?|vqsgzU#?yq%i+4s6xuj_x{1EdiSY-0N~m;iq?76t$TFzYJ4B57o zR+M_?g5VD&L!LG8IMxG!Ob-f*PUub^WD&rZW8BYm?Rsr9?{d$u^ z-rhGXz@B%gDP#$RWI$(Zyd~j@xwi@6I2OfV`kS7Ixtk~1JGN6NbFH`Bfpz+LFE7fiGZL|sRC*nVmpc7dDzS*v9sQ6Bz%h^S>v6xzi)QF znUM$@&gi6HELT3fj3Z`HWMrQyvf8gK;lUQ8iunAgiQsEOEoZ^yN%dzQkOH)P9XR7K zDg3xh)0!-uK5o5!arCP9q-$wyQ*Skqu!_J6@4IezKbqbQr*Gf?eD`H=b3XwffS7o< z^13)HOK~*E>8RQ}w9d~C&Q80JtUBBo0C*K~ZZF@9ha>OS_AWmUE7E1x{!nx>{+dwJY>bN=k)(CV0ayR89U zkoLs!d}IRv2j71Ey|}#k@Z;{*@i!;>dnMTa3A{Yn(2CmG#mh`aRD#IMRT-(MX*6`B zQPU6xV2r~Ru~MP(N$Uq(BniM90B{t9lab@X2J}NfJtBojcbg%|bEyib;4~bIr-Omu z9l$M3*9@~+H;t+Spe9Qd32=C|rFovCOEEA_0OSP-PUc|{Ol`-pCs7aqX~;0;5=i+N z^`+Zwd`1lb-h)jWv;Y85brr9qY1B{+Qw6Yg1;89D5CXEW07GN2bODR$Iquk*z+wVC z!=|N1EtS$q88J6EuPGJ;q2AOb?6uN_9KLk^LHEFfTTRDPpaBfEa9RF?R0U}&$LhJu z(WN`vg^i=w_X1MK1iY!y(nU$+O4EM$eX4FuYSYx4cpD>g$_rm4Nff~(>!D?|TS!+i zIa3q?A2;z)6uBd37SG@*6jf2N<>kRa#C%KAhQa`FL=?ouq!4hcl)uR9n*ga&P>tY< z8C{FYkjda5NYmOKi`kZuW4H5UII#D+2 zp{xc(6zIT|#GoL|GqW~ORZ*0r68FuU&siOtPu+UX46XuMn3#-I#KT;5T&>iE1-X$c zU0mSz@4pWoytd>Gq9-RV!o$wSLe7Ng|Nq~A z{(1TO^O?(!_MN?d^2*~EAHV(okJ1Oix=i#xqF;tM*Bbe#QEoOCcT=ShR~=J5Ic{!t zV%!3(%dXsfv10qh?I&)(`}Pykfd(dqg)L!f%3>sW>-Fo;DNXB7Tz|sC!i;?W1_NqG z3f?FL*0Vw)g2Ld!i<6fZ*qdZxVn%5>|HpQKH6zNZxPN~@H3+a8e)Hn>>*ue&e*KPh zl_UNIwVt^;Dgb`LHvqX`J|2}_6qYXTlY0Z_*r+&F-DmT+|_ zk(ZQ#oC*Yg|9<=U`OT|0ub;jA@b1&!zkd<8-(XDZGNOhUuytZ=Z49jYQ7+Iy-kHjX z+(m-ULjzk*7ml5I`|=F~V%;dV;+2t6SzSR{R}*`cfs$H~nv#r+Pj212cIgJV^$tyb zT-=<7)}}oCyol2o;j??_XBWd9`SZ`k<7eKyd<)&<1g;4Lg!p9?Wkn^$*tx(R45a-S zK-nMPzMna8{Nwx2z&4z`s)Cxn7RH$y|B)`rWklP41+?P+m0Ndi+=E_?z{F%~Zw|~U zi1Q}FP6M`Iff%-U0^7a8*xD4Jm8gCSJFb*oZ7ZHF3jW7?^Ww7=86jI%0%{;3N>)Df1kuh`luQ zbc&{CZR?ypHCuB!`#;ds{r1n^aUUolLQv&8U4&r+n4(feRfSaoI0aqCH+m|Q_)vuB zd~lnAVyID6ZaO0J010oz#fJg=f$P!+zIG5*RaNLE$&%38la`!bKQa=7m#(L(^|^|B z9?Rc|WX|{vAn>XEh4l;W(NY9bmu4R%_X1!qWM={v*2=)laa1$mz3bdMTeH|y$YHbhRq0burLMNYvx8-%gYLp?Mh%Z z92aDwA}7)^XaB_quc0kPyvMS@n=ZhNW2-Bd7HDE;rp(I5!a!93?56@fuBRd8b^6|n zwWp3=eexIcwl$1ZTIfUE|Nm>s2-T%J*qN)curQJ13@)}HPkkj>;l`PJkKcGk`tA}2 ztTirX`vw?*lCqMrD)PW4FtES-AKT^D$g4?FN&!Y3B?}{HN)K43@Cga<^7DzyNZz}C z2iVvA2U=u=wegBQNFi-uUS4iRRYeJTX*N!d|Nl{rb3s4g1Z5-RV1u4h=mGNd;M8a{y(d5qxy?|9`X{ z?C{M9IGe4=-9d~ky8n?|PFOD&Laxk^$2k9E8!Y&bb|}YxY^w=1TYwMP ziuwEN7X$j{Qfy1{VcPlld0ALl&~L`YQn4ad4*vY{{loi@7{~uJBF_P188b%6eZdN`!tJoUi$SHG)BV5!J6!CkQQzsAizy=Wyfe`tk}uTUN&jR`8%(e znQ-1j1`i5g2ZocCDau(pGtx?0Qh#XBSq~h109)`Y`5}>+uywZN^X0M5%($D47~i@%37-8vQjLp ztpAaYSHL?)iu)QxFZz+kMc;Su21Fwy}wLGE0=_3i6728@O17-cWU?j~Sh3h}Dz zY5@EFOw3I1r9)U;_n%-(3H#7ABxG3F*<@4{1VjXHU%C0>$xF2LfJnP@(Jmb!qMAg# z#}hto59_(ZuO?(vb{c7f_=ly#EYXS3jX2M*jalxb{_-RFngD z0f{Ly8Bs4Ug&m85bl^54wk{^}Ffjg3EhDz;Iv8;W_d)RJzXdp zM$wm9As^d{dc**-;Q#?>yPBSafgrlu50GyGfmA{WkN~j?kw$|D)Zj@E;)ScmgkU_F zn0S%+m*pqemC~}EnJgSY_t-Q|+fC=qOy9hxLGNhjoI@0C@NYte#u%gSJ#hMX`}#Mc zYtwsYeB0d-ef^c)PkcOIJq%i|E26sgI&$8g27iIR!Rt6~TeHW@Y9ZwcLU~mr7U@{z zecb<+4hd*>pI$JB=9nDx@OiNU1|9cX@G>F;jmTIX4%(qOZT~w)Hi+t{2i? z`m;@QohcJl58F!lZohX}t9sohR|ZM|RGd^T8!sJZ@q$sY5@GH|>vpqs(lkwza$=z@ z0On*_<&u5Y$rcY7<7$+JW+`MA6PUEnaX!J2iQMwgqIg;Wo87Y$sf0jNzoD8ELt?j_ zhiQh$<};o1Zn13nzUvGMGhh~lnnts^bc9kjOI%Flaz{?5Qmbej;SyV8^c!rJQdU+0 zGf*8?pqBteEvQchjax$MJ#iYUrE3X>H4*9waggr7XNOWZ!fRaD+YPH$4G1U#pA14X zE$YF9NO0%Sf_-IKLwmoF&j`5bDu-Oe5kS>2S5?FE=@ha?Yr4T?Fvb;zp(m4Z*JCtD zZZ~2o_&Ws6IZQ*3C*!KmN)VSKsJt@&p8qT^a6Z9zsFgp zdK+=Dv7nwh2R|wpC9eMc`{!b;80%+5-pDgnU}m6@8fL-EO`fm+V{P_{N{DEi=<*8- zVO}neGvq*czMzG z(lB7X_>z%zL~C3km&4&f+MWu>WHp zx)zp+Nz9GR|FH%mBW9-y{V-}AlV50kTD)C; z)FA|T?eZVjIs+_o4H8n~GRpGMwRo5sk(V!^jqNiMOee@kQ2obIHveZpJJuVs@5+dD zn$>^Q^EXJEM8ewiM70mtlIG^)!|D;F9cYY5=k9~{J8%Ol;Qy#zV8rSSsC_@begFLa z6FhgouiisD^$q6$3G$T2f5dqpjF_!?8~`8yZ&%aOFc3sDD~;KvNvKt!YA|4G(?Bbp z>IVoO#DnB4!Lt{|f8kHIIl7I}Y-V;hrAo0-C=}8p&Cbkwv-2L4(N_p{eB10miM%}V zRunAyi2Vjy{6^MG7#`2F^PRrC**p}5gZJ0Fx2Nl0?I&742WPiw8V)|GLN@kJDBlkk zqvyvt=N;>RUuC|3$uF~c%w!#j;~fB2&*{5Pem^VI_6AR&Ec0)!MkO5o8wCwondb*y za+bP5VCvMM{+Y5Cwb>vuQ!PU_sIsE4#lko`JU&37h42Sb(9!dIr?Uz7TvPW{tjfL= z4U4uEV5};t-`YJI#*?2a!2%L{nnhZ}q;CpzJWc$s>`UReFhw6gN?Zc52-uhiOq+Kw zoT_hy?Ktr?*&ps{8Cob?-bfCxT3i)qvr|GPs6Wy^AhZyq7HPo(G=GC(R2r!T3Z!_5 z1EkX3Ktwn1@@Rb0vF(P{039z9rU64O`dkT$xuJo5x*-RV;s^3bVTrsIl`Ee2kta!6 z6VqK423>Y^Ovae&_hf-9?D0K*_tUH`}m z+Cn0%Iwh?0a|$db>MPY(O96(> z|F{WPyo{xi?#y)71cR|BNI0~+OK0ZIoA-7CMo5fc$@&4sB&|~>T8RclS_K*WZOsq% zzuN70<#;qSe-z|~XXbe|Z-H&8+5zwiT`97`+sk8_UU>g;B}w%D`gEHO zwlpI07iD7f)lAyz?&9G-Kllw)6G6Y+Rbd$$gsq!m7WWgCU&__{d4gX)u3w3Y`Si`~ z=*8B?5B#8)ugiQfjZH@-X7BLo;OJ^Ojr%>(N!5cry7Oh!oS@Y2z)YXgY;t}%rtEhr zUrePa%f-lN`Eh!RB!oD#e$=W`I>h4YBCzHtwUWayimr=Ax7U@@gXq?g2B!1TN+&l;V-w1j|K+r>ItJpDvw@%t?ZxJcY(*vM(~71kXdqJ=KAO ztIz8wi}$lo*CnmG00uiA^Zm6}+ zaQ(5~Y(8B~dhX{1K*p+U_+y&u^oZHTq)x-Ym8-u5pzdl~8U})>QaAu7?Jc+2#XW`u@$qU&2g;LwxT-*Qwu+}iU*G^l(n0KX-J8qPqh2C`1d*bml>F1zAz4_@l0$D3~K+0PNy!{uf=no-QV42dG_$~RIK0Lks$Fw6f}#! zO^gVF`7-UG@hQ-8arI9)OQI-=Z6-{>+5G@cX&_5`C{SJHL9?J}BwM?#o30K5L2QF>b^HKH&dDZCv|kt_(LmdwId#%t*+GSwJG-x0`<=3VxwMt3}TI{ z^bC{z-Nw*WX;N)#sH(5D8*lvOWb^@D}f`ZadNY$n;|PqwQGUx?fi7BBWj^ zk$0K|n!r(E;j~1(G}D6d0lB>d!qz@iJ(HrNPk}%p8Uurrlb0c$TR0S1%{Pte-%=%Wyrcgj)%o<9GuXych(C+|Lf z`{f^ag)tu|tG2vol$XA{tp+PAGbM)Kd-!I>_6vJX-hJ}!E9mTEhX35`ti~!5F}{X& zX3Fej?ak%pVwDr-IfHQzGq773>ZT{a&qYR+_T<_71E=pDyYTSU+b1-hM|lg&^?JTbu3+E|g9g7sX;H*)|vB4WaP!a`WCT4%tqn*w}t!uyx6 zFQ2&t%y{rV<)43lfB*jT?d$iCA3o`s>4WNEJabnV^Rnz*93tYvpq;FYC_DebYp=uw zM1%;pJ~57Z`10Z7vj+Y z5x;-@`1Ru_1ICCxuzAPI&W@fv@p+a}K#>3WqZe4t1Vz1T3$$;To0Ef!6Up%Zcrypc zkDuPX{|!A%8~q$l29!(d5Ch!|sDsV$<{`E<7|0j=FfyVa=>@e4Ab?mfJHF5c5#mA^ zMx?v*khVplYyro%OZY#^HELvoXD>fiPuaES%)P%z(fR84pXV1IUcUe8)2AO{J_gWb zCZvPMPv6&1+q3V&gMUbKY(IYg-Ff!@OKNqB%i*y4sgQmQQ ziH-~z?mT+te)pmy7w)_OR%y_SB^Vg~-F&|J*v(A`u9wE!S(}nPS!-jgq$Yd*%fUoepv5zrX+Azy0{}{ioNj-fA1^02}+T<3<0YpD6MlOHgofgDUUOpb8kvP8}8& zCNU{-VBtu@NEJA4|NQ)Q=jx58_n-dw`4i>jNQT!>A3l|kkx5tsK zhF=B9_+La)oSX0dhj$;*j)TNf(ZYAWGGN@|4QWWC?L~#(O@e%(FXmbn9H&+x4-cYW zV1}j7$%t|S2KqW}%yZfP<7_*kox=s|N)xz>2YwDF@~PrzZh%n#{@=WK12XatSHaB0 zq^zkTr6dnKBm|?Qg*h$_PWjItJbrNd0qj&`xLg0rD#|EotHD=1VF_gP8FWT&em;~V zr5G7;)plImTx{%Y|FK3Q*4X_2|NXm9kn2ov&lo@t++ajKmJ)K=+JB6Co)P1!2IM;K|R2_e% zxtRjd`TKQ8*AG_Ker{}^h4i@#d7UMBpH89MR%dZ-vvPPfT;qQ5xU#-g+Bs(`_F{1} z74iRf=Y3rLzI#v`uJNpy268!d%7C*oZ-yX${o1R}Eq&dzYC#w>0#oGglroSX;vZIR zez{bxRA1WcE5(s~>>=njTUNQ!sNeOgHwC9sMB@|t+O~G~A6yTK zDPl=`LCeQdoh(Q~(hNh?1kvxPL(OcKaj&rS#D^duAQoai68oO)AD#cXpfncvL~3JL zHKK>_2Y*ki$G@#!x2qCLW1vo0J2AfzG*p_Jo|HYvF-Qn0^=J%=>=ewoGdLL$lkATq z+P0vlp-_;NKvQBjLuoM`RE7kT^4mb>b@N{0N#=o?Mpz{iNIL)#DV7;nlCVGaypGd$ z+ii!O-L^;0j^p+GU?3c>59|INB->p2^Ooy6o)f)X@=5)s9`-_^2kT zkK@ZKkyH`+VAOatyZxi{+xcqD)yKE9>snk8=UrUv8i887N8`(%Z-2gosbtj%=9kQ! z&GM|n^gai>2Uicydz!P(g1Egje7U#Xy~7*tYdF)$^aZ!KHY{@iWi?j%E0+R|saYSj z@$BxOR)#(SxfhmA2T*zHoLt-y@((IXCd3t#SE&tF7d(;ole9Mo_BvfZOloz} zjfziA;G_*rz<}vcir zG4;cky1p@HJ+%=wYJ06g#RQ=&XDu0Z&_atjrUCd|d`nY7^H10q5cw5=a(Z?u>4U)U z0fuM`=-=xP2A;>e)bt=Mkz&~}&1^2WtU48u^T>nsOgfjh021hY(N`ATN`O!SsV}nM zN1Pt06RSm)u?rN@PaRvc!u_KAW`70X>`HqQ27>4gwzLF@Sk#zkqQ>a|{{zOvn3!M` zqfx{o+=n14N6YP6pxvEm%Ln+_1e$caJDoT4=Dm=}2PKC&I581}zu4ZM`mu4!9Fx(F z!@4H0srzE1ZH2(!3!ESF8Lf$5KUbPxy)|y0&Q{CKP6$NfhI_s3fTbQw?QWl~|HY7+ zj)&W^)8m!N&kvc(m5pv);}k{}P=Py1!^K@b{j@SzKRGbY_Kk(Cv9zIN>}W5cu3mq> zyv-FFZ6F5^(FlOqFYEl~qh}7+TTY}b#>2X<>JI26pvqTh!br|E&Dl5*cndY+_x4g) zJ&RF<7!XFODgr1Qny!Jco@Sth)r7Gnt8IKqkqb2o?Tl|=^=qY?pJ0K#KG~ci_gSeA zEeiXm*XMO|IeIXF9JD1bZxLPQ?ezZs`NJNSGLro^r zxozzLfL3mamxEWZ(7v|gX*3!Ukm+Yb{rpjHiq-2q@_XC8M4p zS}xN%ak#h}!_nQShbs4Qzx^d>OdOK`U1YoVZuxEf0K?ojstyL;wN*7O5{q#pEGP$; zU8p$oZB&%_W}GuJ0)P;|j}pfJI<0TVV-!vKA_-g6adqFm)W%pijuW`4o0@1)Iru=Z^pR5O z3qH4P+U{=GYLRovwwrCg{bpuoYAl;g)4VxGm&&)q4nATJdN#sgZ3y~qH1&cI=LR`| z3*q)t-FbP_I|tPiL%tv0K2F@_s+P)t*#aN$#1S58_SA6p_mnm21?Q!G+V3jOYNBQG z{kpn&o!KtNe3~f}xr31IxR-;`#aXYCXXoxt>*T0=JseAjj)zCb{Z3W)E6)oC5ASZU ztZhgjnuufxJ&mpV;m7$|5B=j8iAKr&W%_3x%PVk!=_S!t1B>Pm^3-GB4*->De8f&r zxe_qG5zJTKinhjO4 zOgqbG<;(~RE28uucmb~kicSTN-A5o4&+`C7!ZGLY5eUY@LbCHW=rxft`JSQa`b0Bl z`h30!gOD2tfF%IY5AI-v1H_`a10>)=3rDID>*0*J7zSYYY@j@DOqiP@_FPm|JI6Ir(1c4w7?<}?f42jp8p4(gh|4;B#)24@BYST1rnyP$M zP*;JeqOdc|lBk5l10gXB+2Ng!=ao7orOPaOX0DN3^(UhV0&H>>NLsh4r3nhVXXt6+ zr~FBlMTsE567lPJoG#V$e7?V`OmmGfIGzC5U)*f-ukYy6IHBK%o`i?{8~04|WtOSO zm(Nm@s))E`cpx|kdPRB)PC0r#=WaM~EA#MXiLV@aI~<(bdNvQU$;V7eiA;Z(F(6y1 z_s{vo83jQBs9<&TwG^cqiR^nW2n*N&3DHgu;2wS@SPscAnZR7(^}TD)?Wmu1B88$b zE{n3>`3y%gq*;nQ&;P<0%c2!3I?9dJ>H7Ze4W!*0RWjf6d>4_RgVCmaDf9|4jg$3S zQ5df-S}~-v*lzPQO4!I0bOd=l7qr`=oqomjMeTvqVR1uo!~m^acfG%nk{L1(D>5xd zsik&R4INoz02T$oroF&Y>t&(+sH>vi>GNp(G#bCXPG-|ct<^4i6?;eJJsY{i10vbV zC*xwb3;I|;B5l&isOF-@fNqIwBUO%O(g>-7th=!mVX|2%?oJKn%JDxO1pU1Qcx#pw zi4T1c_|7q?L+dM<_eNCfyIHQ%cwxY$nS@2rVdtc`3p$|O&geJfB`x?3E6nQNe*s84 z*Peu7C=BlqCSyZHqtQeS|Nj^H1%e@%sED!)1-7wcyRr6kt(qZxA&~4w+jDz*-mY}F zr7r+A3*G2{TUP|2>4h{*7V7jn#3X7zpRofSAnXz5CX{o@;6KK=T-cVj6NSr+{PEsES13@%JAi) zetmy8pDn80GLB=Bkhn4m(Mdyt#wBTP=jNL*gCe)y`Iah+9pwY#{6q<;JaSmq8r$BZb<9HLKt9) zo6!nrjWrRtyFebS7j;#b7FNOR$ggtd;0Io(19eL!v{|wrcB7gtLh`xt~Xh;LnmLO_wnA#!bMmHc1v;#Uc z@GSsm*YlGw42Anp+1xNO5|5bp|NkYPOgxxyAu&-~Cs4|4!oF(d`HdN0Y5S?ho15BJK^qPvbBcCiN)l z_lEvW*gyT^C)#cflI3|Z^CmUlbHqio&5rVt@M9pdoFZ5EKY)RK$Zau6pnT~2@x$bK zGMml{mV8WJp4%*=+j?;S?m7E)eI7R6zHc5+=5~Q!WgF9H^mbed*C( zXP>4V3BXChGoq|h-NN%r*O8)%WEa9|0k>H?pkwVuIKmdYrQQ#%cqo1mHwA0t1xX9w z0ZEMtEb@(Q&4Jk2DyfUO^N-Kz+f+)~xcZ}ud1&`gn3)>46Csg*a5fpD(~S}MD$w+! zF3YX)$#l z1xP@u%Ix`IYcC7!t3J@9>Iu%73LUxGCQ`C9ihlt}yOx%Qfgn87NcysdoIK$S?d^Ur8SU;iSzb>z%wnT)Y=L^10k#XVOU;Xd`g$_Ep{n+t9MZ4s`iE2o z%E5>L4kcXL*OSG9Z%ttQxMuU$S>=mGUE{ZFCy!^**y94qK3R6Vqi$R%n)3LR%P1Pp zr={G}6%%n(rR7OT{n;~+Bv1t^_Ff#1XU9WPc0%Xl8=C0J`p0VitFW~yIz$i)iN|r} zU=@L^hWjz}^-jjX36wbI915b4E7ncx_L2Z7L^OuZrg>h1EDf*-4L-LYtJgOpZ9@RT zy~JtA__ZI9rPQM@!Itf(X(q9T(mUW~=N2npAx@&oTfK9_HPWu!8=Q|M6 z*X|*A$7F@9P?oEqX~&~sLTyDr(_TLFdg%~BAnwzI>{cR8*L|D=N1*v!IriPNlLD*G5r}*coQl)A zs(5y2rr3-!kTOD59=SnkH{HNk=IMD0DhQ zo3GvMzWb=yWudr-c#5da>Q0gvoJa|n)V*M6Ox6uK{IVw-j4$y4ZS3-}NNk+as3q9B z>H6)anx9Zn>us|)uxNqZ08}%?(!N{2DBGv@2K#FEhkCPUOHp$f5v^Z91zQAc}+|Md8Gw zuypiBxvqgV>AcM0ek9Z*mbv5x7m1x7m+<8!4V+ki(c_5cquF$(1FLRMQDg#gnPcb+Yu3+ecV9Rpe?U?oomI@PQ8J31>QI#5+#NK10xc;-h zk&l$8~pID-M68wcV2c$#}4w!Ksk3E9A~7kAWvs3!&zh$r*`ISze;ppaTcCYz+UkqOQ~7 z65Bw^*)%ppsuC(`6t;tVzzW}gh zYZ!&@Uby>_W%ijV+SKUFfI-+}M=oaA9_(QJob>X>-K?DN?%sheg*A`$W1a96dYuS7 zx(?}1A5N56W>Gi3luDEgv%Us^j|;WvB(ROFkB)C(?-#*6*MRLRpi>dxUgS7hR2J3S z{;;@Tdf_kF+dfI+NfLj&X9js6E1`lwpB|&YZI_N~{>U1d3cBp;*%aNP^l5&P;>PTM_5)z@h;db>r3l z6sDbkqe^t#R)N|VbMn1Y`=*I!nL0S{K`OB^DM0oGPXFCk@XCr_@vun}KTe0BkLT*g zV8CwUY?dvs4ErGE=hwBq&6+VVVjb^yhax{erRxD=OJ8Xg9QsNShUweu^GkZ#XWNf$ zw#)7jusz2MIK)Z&Ts`4ls<8+|5SyHr%j`ojh39uC48YwH%5xb12oR_tL3T5SAXGso zik3kmMvBN>PWOnWn19%SrS=3YCzzNlLXBb3(ZA``L~FMl z4S7HQ6@ay?>rEJjfpLqnhM}owV;cYehwTBhk2gd&rXhjXv}L7>Y*+g4dm8)W755{O*ss*xjuIpSH_S_<71}eAX$ugC^hjmSy zP23wWI2v!-_usdXjJ~au@gs3;NhMim)xr$ybPbR$JPffy2BK# zKCl@DLXCyA7x>y(&>sQ2EVU)bfJ$zK_$oGIj1Y&+f}+Np&!8k$^dzITR{>0-qSNEk ze%E*hWf=Z}V?Jed*?-lO=5VInO$-1wyHk3*4$dL}MQHW>u4i49r= zX5auET6~8#Wm$|VY;XAyfVHdXNf-#CJ85rNtTr)5F`9Vx2YWw(tVDB$tZntK>E{>H)@vWp1alK9~poxI%6%G z^~*!a|3Y?yVmwBgp#%$6Ul<|V1`0V5h$88@fdsD%K&;?`jJfD#Sqo2O4PWA?7lN3= zf*u(tG-}9+wIHx3D1RLeoofZVClo`7t+a=UJXsy-h2)e>9B5cLqJ)J5(m-@$9PRpm zj1su|v)-;ZlWAcV#1i7((DM3Pkss8%X`M_*j=Ta$6P%i+*{xstT2OMtz|PB5x5Hd_ zh5N5YhhpuQnicZ5@go3f*Rs!)L7_ZkWt30#FG8X^e4QyVxV^i2mBl+#+ z_3*Vvqf!%XjaymW3F*Vx`R4Zi?&0}q`?$Tnxk}!QD3Xmpx{gccYlKO&Vg*7dmbe%l z>c~A6emgwz(Zct3dK((!f(lkH9fCpdRC`R;s%iM7m&5MDvbL6HNc!z?{<7_)bKDSe zaE^TAeiWB%C#l5!lr>fiT#JLkGFeZqN^7YS136`=X|CyS&t{rMM@sh6i>x6+tht2! z8mu5#4^-^Tl?nPN|CUd}vdr)?o=PPPKlVZTryuX1;+dZO`A_4hyX*#*J6>|z^fV6Al#S)HKOalTpM0cX2M~o{4ezm5q{vJvLL{Kg{&QjKxF2m zi^!g^DIo%tofLU}!>^BXe2y9VR57xK)Gs9&UXmOzDLd2yF6rjM-gs=vG8@aOeiaeE z5bPE5b#L3h1gY_rH+g*tj)clNnR7%?b`2Q`6wWpc`ilarun?h5?}8YK*b`zgZR*!yQ;4R_fX}-8f#ayTi`ykeu`B*&6?6 z)1C;H$)*kS{qeaS#*i}u4sazF@S;dCQ>UT4(*g4#*qTTY;QEkKPX7r&+SRi(5Cy?E z;u-Ne1;Il60}2*e`2TAw!M|V;BnpXz5k~LyZfAGjNyx!9DbghG-tO$q$HDj_X~IL$ zw=j&eN3#wyFExV_AJVjkq$R_t;wUE+$2)Rn@sManR*&xtF)))K&Aw$3u2ZvBzcyc- z0)V>>8AAU$r&rJcm{$h^vq$>0Op@`4E?<_KbxXSc?yUpVG z;_CAD;qLnW=Is2`1@x*7vTnai=XD2%w4};}k{{asi~{JacgP8V5_}1n0nku}eGP+N z<1G3E8m$y5wupvPT^Qb2)rEMHhD>m)Vp9R;yPU;a{?_4FcnOk`H7y&+FFSu%5ZrBG z;tTlvceUj=>U&%ik$@tq-<1M`fjDT9!;Wj+Ki>kdcJ(X`1VMC1Vv-{fe}EuZNSYLa zo&UeG6aRx~iXefM-ZLxA?!1{@!JO#>$KLIHzK;vrajSt8n=W+d)o~!40@fd;jG8oo z_Jm^~u<_6D`jn{4SUA2e=aW_o({1&4b>&__kQM}Y;yGyT^bZ?#|Bi~;rAFi_x@d&M zGJ~Cux83XW%l>^=`KabL`B@!n@cM-l5is&^wwT}C-99`$ZnpQsuq3JLTDF#uE98xC zxw$=ucG}&Vc09Ro$y3S5-T*wg(L2ayzUhy`lqjXGIo&nW{^-zPasZreKMRN11Cf9n zl$40K!*pjFxwSW0{6~xCA(uwxQYU8%DBb3_U8tdlDh!W@c1a7a0Sm-56RyT``l_h_ zmJ$c5HRZ2JcsueD&bUs(N36Y4osJ+H-T{ue4%^?SK-?0eodkN?)5Dz-;qh>&A6Oz` zU3XhESm|=MzFzZ!R_4paaJ6zPQJZ!Nx z$6EzY3rpdxo^N($ccxMpmfe}j$oU*qVi<=tpumXT<7Fb#%W`!m-c*q!tVz_a^z*qX zK!xL=)2$a8Q#vFSO%HHmkzpZM2h3sqb79h|iO^wpoAo`X*@;H~{#nhZv#-VHrmjuY zs0G5lO6-;31f4X7JL9+4_m9c*%jn?ds3;=Y&!gOUCh?0X;Df@cg)`YB`(@Rm<^D$=qrp8VYQoyp-yUPqfWdd;J4Qiy|$U_FS}5NZd!46XC+? zt{55z5(Px10Bqmb6(g%Nom8d5w8Sqb$Ub}Go#Pm%kE>u#n~{vjsRgJCS8#;yR61rA zMb(OBwEX_H+vIuL6;W@00S}+5!@z=&e}l(|zF2TrRx^@&n|l4%q;mOcxUN7mi{~DU zqb%fq)gFiWxj_OUl3P0gSi5>w1%ep3d4(vbm0+!njfIu}zqYb?Sm+5RD&C zlG$wbME2E+9Cv4u*_q7z*w@#CS)K+;6%Ek3DB01|gRX*-ZW#tblMyQK!5lp4**{RC zP^IdmE?@p$i2IqR$SArMg+#4wTq4yh^fWO%Sel?6N)fo~oXL5nek@k(n z@X{$;>DDp=ahvF_?s$j;AoeXldX6wt%8i5n8j;!WiG~&O#uV{gNnr^b*2fhPeX4x9 z1kvX?mNWcCN}k!~&G7h*C=cro!y**t;_&JSC-#zbjK=71R0^CTtgpQbIlk>2|0xKW zA$?W$yTe6d$8tjnsI^1_-}CybD0uwd^DmL%|LR3K)!!1wP`!xNzbB|A#C22BTaP6G37)N^;@M zoc0p&{s6S4v^_ItW)AW>lNu~`C_vtk=Eiu^)eY?44EtXTB;r7#cvSq^Sf{z{)3<68 z197yviR$0r_k&kv)%)lF=U>FUNY>r*A+j;yG^7+mO!r&P67per$6%|w-5-S}rlB=u zxLU)}v$tw;HMzOF9iN?cdtC=~pe{wlgrfWoQx@iMFt~qw7>$poPtVK6GW%<6Yl+Qt zgA<`Ox#EXv0~#9%va3WM{9%u#H+dto5`Vy5@fQ8*+kyZ1SBT8DSt_*P0qzKJzs=rh3U@Z zI0-@ii*T!ih$LtzGO@yJTgLpQ;}-G&N+o5p>_8O!$b5j7V=RmL{9{%fU0<4!LMy2C z=<9}~VXxo++B(*CIwu$BtT?A|lQ`gY-}TGux5uTs7QjzYBG(;xu0`#URA%L>;KUkP zmP8s*s7`+bVC@WA8U}(WJQIR0ZK0s3*do&Z|8IKIlb{D7Ql+$qw$V;QOn2Yx>{c}9 z7D_{!G`pLb_r6zp`jv7|G2@yKi0JvbNTtp_$=t@U8 zA>9ZA;2%0(#iPDZ$BNqTRFB(Wd_XYB;fqQcBq2wE;z>$h9g|5MdCyqSRf3|pIBcNP z0UHm!AC0BdK^lQ0lO;oVJBC}`41^q@w<|Nk?d^yI;KFc4#mp#c}^h^;VhW~atbFN6yz z>9+HBW@o;a0i6=}IUJ5LwUW>!o5m+{?$mhvsPkXJ^uopXf0O zO)!a1YHuZ)iJIG7mZM^r9d(U=Gq*_XN?3=xQ;D@`=<|Turab^Rs*~OwCWMgFw>S3^O@?pBG-vZg!vdw|6maWca8BT~cJ;mhv=Tx7*Lv zaz&|$sXd#79jzVQCCp%3gWeG0`lGH%h&NG}ah~ylkUC;jUf=+{CAO?)@`lK<91I4r zBP+amgkfC&Ljw{*M(Lh@IVP14q@Z6}ox`XT-odOFFn&dC8KWO|ivvI;t+@J*qw75{ z#XB9Sxi`p5t#c;#gTc`#*62U0Y9F?$r+`(j4SdvsVEWXC#P`>?O^n$Olah?}fsIQD z;pDVRB2HqTtRUCK2|EK!|W);s5^|mV%vy78WX`lBCE7#ys!C+kIa#!86rCLW;e+ zefwtK%v>llOo*H7_)lfyXv;Du!FZ~UB(-q^DkRs!!nI@_(5j{-0|`L$3_9qH7JI;_ zV8LXt>mPImR*d6Tmj3q+cz~$7)3t$xe{&OIApAp-?;V0T@)tO2P&ULrx18t zvAeUUh!@j?lSgeR@>G4*`OqQgj#a~}I346ia-2$)hlE&?#bzl#JTPQ1G~&`?eFb}f zljXk#5B#Mj^1}x;t|LxRkmI%p#@~pJl1dIS&%H7@xey%7{nc_+zdo_6qaNDC7PU{t(Mpwwmwpzt&Y6P3|AV_;=?Uo^v4rq3Bz1GrNEQXLK&qnbWWTHuir ztvSagBKfo1QDQmBS8WD=O>8}3VL=pfo4g7@8{u81TAJtr6sm>9xu{iH0%vUTpVHF%p ziwyG|-f3<7+MH=k<1ocO?DhpkITD%@SCtj>7AImG-itB86o#hpX(C9nSVck8Ds?Y_ zTzeNsa^fU5j$&!70?~;<*yxgyK=jm7%!8;qTX!yB7vcqy0h2>sXTIBW1A<*6`>@fd zPUpYFaTe@;K@=U)kMZ>O>g!;?M#{37hG5*<=|Zl9p__!p?sv7(HwUDMlj_-tND+*# zvB6yndY&YuB>x0ndl7)NYuRZS27+D$O;Yjr1;l~>|A!t?PY4eEg$5cSPLb%;w0NHm z6{NRHRg_fD+B>r|a}nh$+#qWuyK^2$VW^r*18Xr9N<71!NzsbrV%vbZ+m9OODK!Z^ z-c2-fYlDJ$s`2UPKUc-lAE7BPhO3DqWCu= zqC|skDGEpIR|tvAd~W`R-N)u-vtB*DuAhf(zyB)6utZ)uT&25|@6&15T(s@|<3rcA z;1(jDZj!;FEonzpm@An$ZRpc98R1-VP$ZT1qGnKU3`+91+;H!Y$-cfcS5he8Ab|k! z8hHlOF2z-VoSIH?0dS|KfE@*IDfJ9yYSCTJ->} zN!5LLY;&NYhc>4wN_OqF$1`)J$gjd`jw^l*7M8HniJnA1k}Fh3nTnVhqptctl&2`z zLP?-*EP4&0V=K>Z{is^q#%Y$YjQ#s(yOH;9rS{N)Pjr@)M)rr8pchgOIhWH(b8&Le zVz8QMP*bX1WMpQo`S#8rZ@qY0+}+$h-am9NuRC)+pcP{X2*Oa+SRH<@uG@CrmUNO_ zY^$%hxOo<>AR*~(=6&N27Fn{292Ca{y*^CFWK0za|Ba(Emw>wqy8QKajELs?bLM7dEd#lR;;W zBbtZz-?ql=) zMJA^NFmrO+Zkow(pQq<%&1@>+Y=o;M*8Q^oTTp7 zU4f#^0<8G@{;~_=)FFDcR%w+6QYwUEJ)Qrbx8?6-?JoojE8wBhHp)G05^C_mV-_}s zlkOHxWL2GAN$00=Znum^I&RS$Ra#FE&$rh%k9YT{<7Wf>ph%D;JtWF=#+lw+TwV5| z=$p)5xFkH$2vo1lPz1>*1}UVW;VUm6NqJ1gJnaa(tW*wwdCDyRw0`XU;e#fo9W{B2 z(Qk1W%5Xuzm0bm%BtPh5Hit}ln|SFz16{!cxdU5KjK7A~c~Z<#LcSGMWEBT1I8gr* z^|@KeaB~U7$!w}qL}*R#X`Gn}3$!(GThiU)Bg>p7Qm!6q_bUA=TuX9NfH|3Pk44`k z?@}ILh^H-`ptR|fO2y*>on{K*(ODdH@*tcJ$B*{|&1OLP|7V-ccE9(RyWKWOx7@5e zJI{!>m)9R_`N?-$I!>hBBpt-8xTk6TGrKj&qM5;JkS;>06qOpm_~lOk(ypebK_G}S zg=&Zv2*&8KhkEh<{}(ScG4ZIBVpFIT7=h5;nc2lk?S=G02w`V;-p4#odv7>8Px7#s z8bD82`*l;rGt+%8Bx!p+BZB>>l+JM|&!ruj^E^mhBaEQ-?iuO>mz^SP&o3l4M<6??M2=h71m%8~JC;~)&h zifRWnvq)ZEo)_zv*UiUf^}LE7AG+}!BHz>sD)L!(K^%qAB26-<4|}1>HVnSDmW&>I zb^C~;lB+8no^?-QcI970u72T-5ppeq#K(`vssjLJ`YG>y4U!Nz#HIYECv&z^P7aUP zejCfDMvG7<40YFYZqirk&(*T%K0N{HL z3JR7x_>c!BP+zqv#R4U(1IHFIt5|>W*>eJMfT`uyu7MUga@ka{pKt*}a*as@tgVSb z5}Wd1;vnlThvJZJzry=F2S+m(bvd3v5Z=1pEQl7C&{b5?oFt#7s?#KG8WcRH;5fh_ z>VX5?#9^!JxVCKT@i78(GD3p6f%r!N)~;zv-DBL*!>rgQ-R{~W6i@Yp~ za>oEHE-w;*&MZZ7DnIIGrKd-6JlNxoA}M9X1EQit6~IHK=2>yAXLGb=ACvLR`0@Ga z_Tm25#o1wnmkE zA!rP9X&0@k>izXiO!6Muj}I8ptpi;QZZxrh!8I$u^ucc6o%@cz%@1~4>`B>^W7NbD zX_bKU%mZN?K#*_tNv(O7t%p*B=T81K&j1~g!$H9|$E{U8&2)x(XY4f@bikI7N}MFe z;XtP6Lk*Nwtr%z`vQ691=f$k}&S^{3oxZgpwj%=y!HfUie{OU#T$vkVE8|%9BLHhx zu+uOML+y4&O;sipgpfEOArAciuW;It%Oo^746&lpZ80Hj6URvp8(i93wMDJ%_w4t) zpp<(vSKI=dg9o;k7*orfX>PU1xfoLVGNE(}`TLah`0)^W4HdzEcruP0k)8da&8{<` zD9cWJ$aPbhLT|5ifPt9im37YGVv#kM<>?5R-acBcC#AE@GE`ZJ4h1)q;qOMJisJM_ z!DS$vB&|6=O}E7eraTlEi$KSt79+&mr`|x})$_`v!Q1=0IV}&yq@2AP^jZx&!!`B$ z!@(qA>9;^KMDjOG({K9Coh*>WFJKIz`%X1HJUuoySGIeNQ7K8$z~;zTzrSwQFKgfJ zBkH>jV%tib4?2jM!611aVr*hm2RfAC`M052Fc1Twv^p_lZtn&Gci(+D`G8SAm~~%b zr-*)(1|~xfS1BTj328_U9?O34P+5d2ocKQ6s6`DB@aGiOVeV0ga^Fl0LU=%SO&)0@ zg?>c`L?WdyrHcT19Z z5{AAy`HAhr-QGp%W6G@=x#2BfH#h-@J%)?dg<-mFtr9s2s|WV==H=;m5>3a^jWY{# zycA(@Z5~!>P`<2+?N+(7Y-@eP^ZmodQ#o+bCNW43C9K^=(g(ZN?O>KLx-fA2uHFcH z#9V8R;DWRv5jc;|RsdH=4THdd?Hl+1BSV+{cGgq5Ree^guOpLRhxGWg%;dP-yFgw{ z%McrTBL<(=JgZMwWg_(#4S;{XLZGah2KkODL`0#bp;d`hJ%2Ze_rlf&dVTm^_k-}` zr?@C;E6{aywKJV^aE>3|dY$X++W@d#4&fh;Ja2X%2jhT^MOlrpLG7w)^|>@@x6mr2 zs6(ljLt!D77-Vp+quylc2sch9g&Ssj*-(OC0Z6;Lo(7>9dW$e1nk_D7WWM_1i~s-k zn3(8>nGq)7V5=8_d)rH+``8mNV;zCg)6<^gQ_U^mxKCv+prDR4fJVLzD8o(C0bceJ z(?NT#M3=mfd`_GAPcHdFfZd_B_WsVd)oPuc`T|}ivncSt%AHZNutVl-siVCnVdy7| z>8T;E(mX46q(sHCtjj^-`1sFF6imb5y{J5{w*bKO6g6hJy^hYarl2bf)A?-Kib0}C zuOe?snXj+kQk8BxwGav~fMkvAGk<-4d3buHLgCV|r7P^ z{mEn!#}pY19VX+)V#PbU*m|;A5a9z`f>V+LR9){iMmHI_B_N7#WPM8{*5h=D49%6+ zal~=h&Poy4LZ{J9bG_$Z1!1I)aqp(JtJ^}ExF0PtDTwRebaoTn|ZQuJ$!-p41Nza9=W?u^pk=#Fv(Y2|3;(FtPAdO zP6s#t_dyO-F8tS-hmn9Fg}m&R;6vu@X+`xT0BL8~(;y6l;dV>~4DJJoQUCuh(+?(# z#<-1%O!`^`+PiDVhTE4Bk_~8p>-C=Z-i65dqAr9^|KnjLgp(;vIX6-n z9UjH?>$-J)+YzHpjsf!hag3=pTL|+|Pl`I7F?c0J6-C}(mr$Jr9`kB>m2`GY!tobD z{SwkK?YpiGZO&}$e5+=FE0c|C71JEr`#HPK2}C*;gCN%!`!{Err8aR1vzhRqbVv_P zb0FRGL0=}5CW#SL5v=&_btO8sNTIojqK^9yp0)fI!eXL88!Q-%{IjB#j+p8R6pX1i zw!-ujhiY5~LIMg3C$1_`7$5yboCPEg>faff7M~xRw*8@=&}_K;?Ttl}+?8cV)g$bP z%E33SZDL(*D-k}t+J%KoHhagk4w@7hc?)vi$4O9fquqew>OTD|0BP5@n=lMRV?*BUy%0yAI4rLjcqJzNXN*aq>UXrOof-e^%6Jn{T$DTLj@vyA18oVgzKczFOX*< z0o|N(41fy4aE5)r+s!2U*C4?N?(!h~m+y>y+3Lv#c#*A}$|)BO;3GU|!xngcEVKD+ z>MJ&{pT>4r;M)FZdzkv1YPo1m@jd2JP&D0lp-|7W=Bd2Lp<%IzQu4$>PBs~^0U+e# zyiz`0t+BQ>L_J3g6+rh55O>aW=eopsIWIP@`6qFyb&M3h;+KFS4S@$>F>r zgW;QhyRKgsIWYV0_FM)Aw8LT|Yk}2hS+7WEJ9YU((AnQx*JTVwyUvT&zh$pmcRZ4| z9ipv}NEzA^r{Kn3fnh=|h@)*ihwJDeVH@CBew>cDj~UvzVRoGMSqhd}#1g<}$#k6~ z+eAq$-5x=glsW4O2MkOV76tzn6GX0lml~<5cV9-gg2DwpXr8W-6a^wb3f|v7F5Irz ze2lV=CeI2i@#x@j*c(EYk6n0)e*`JtP5lW#+7;|13Q*bcAzo)BR{{cisCRV0ng&6hh-zw#q0+-NvaM)8+9wA zfkM#kvoG)KygYzTui5U)x7A?prp3bE-Cl{Yy6C+jHgfONxqZC98MPPaBrEnUhX(Qj zu+07FquwOHv6wx>6~Q_IiQQfQP?_ecKR@d%u8Vj^C>GT#+w2OL)jFU9Hm${cy$%WU zG_^@gm~&#3L3gD7*%0T(Mj`cmuGokt5)k*5Ovdg$k^G; zCJ{G3J>#(zcw#)AUR*A(Cj=PKYt4oDNo!neH(w4L`F3K5J%T<|F^&++Je2!hYhxM2 zYC|x2ju9$^{|_A5bR@-49AC5bd*U)_zdxq6mO$Kr&hBAz zYdBGQ6i^yzU<`+ic35zt0@h{;a>Krx)6Jj8D9bv#`}N1N{QOuqd<26NSYV@0Mr(XG zb>CpVSWv7Y1j{IvN>9pXNn2_%ZuK7lSi72@27w^Dv$cYJNerp+q8H;$z4`zDg=u2r z9itTygv4g#yR*9kN-U>ln~;`vW@q2Lc~1(%(U6Qb(YC8V!#bO7lTynF1uq^*UrUf9pm=+{gDkoc{$Wr1fMJ=|V0vvHHxcAKp?G3qmg zV)GpDzUO%{%7whUirkt;ge+p#zPz~zS2G*oY#!{06?&P^^%jP~O#s(D0hns+ca^LZ zi*}+~BYeV$!(g*m)dWqn*DKYTGD}i`@ua2-=CljPwjHe^>|HPcVK1mbg1@?Lcor^g zTg5g}2d#~?TNY&vIIGcA6lI=ed)yLK%)nH6Y~HmUJ2(wYK^XG%yPO<^z8?mRu>ocJ zpiV5WYK!zE?MPT)41BX3b;eDnX3IOCOOOu(MQqlp%FOY-Ur|TJiCJSR^;7DoHA`7{ zc(!$|g08)U5e^7H4JJmfYV4zmKkcau=&EQ(8)BvGp|1ItE-gzVjiXA?09B+&)SBeG z5rDL- z=}8y}qC3U5kQx*}kRah;LOhsg;?4j6D?E9_Xad9rg2lqv54xS1-4z;-By`v;-JRL@ z=Dqb4?RF*tWT6Ju)rxQfsfS{_W%CG<@-t}dLC$Gzd$D2?fy*jnT3N zmsc?H(&XI9FQ5hatOl<)DKE>cXWg7xC+&*+*&#`#6Sad9(yu8qaB%-%u$~BV_USRs zozPM0#IPcN6{2~y7gMRS69_W2mXTGicTF?vC}~%#%aOGc4Xm#>bWWqHCSl$|`xH|p zDW-_UT#U38d(L0#X9tx|Tr=0D0Ew4_meVa&xY4^0KtpAkcm0IXfXQo=A0O~5)zY3xv;R2&?}g9nd}N5_NX(W@Wr%@6S64Mb3AWeSXIp`_VO z!U*WK!?bA{ve~z9-z%xjk(O7r!ZjlVD_jYtaau>a;XiaUz$(MOl5YRg{rUPL6vhB{ zj`4+3XtwQ_K9cn5`E}b{G(+)tce%e;#x41Hp0ntC;FKS3E?Ou4w)k^4p6+;JwCM4d zUKT#mZHL-v2lrPUrq==$YyGS)Zm-XGqd;q)W|mH8Y06EZP7_Q*vDx#F+-e2WqX-3q zuQs?w6grM$%}emMs}cgvr|C5L94WJ%Zy0v_^W0m|G@Q1GB=DSPR153TX~>i?DpJ3a zlNz-n5!66-MxxBZMnsa2&9cdUZ-9kki&uN^59bTW9rOf9t5|c=pA)v4p77WjbMkzW zgL*A$w+KhZBoY^=ca;3aqc|CV5!N%`@DD8|sbwid_+la4Pt8oBu#Q_^3L3|UZUx9& zgJoS=dpbZv$Z76pp5b6!l~}nS0W-C(WZ_lQ>qO5x_5znAs?hsO4eMdn*paI>dz};#AX$ z7m;yM;ajc<>)L;$t&VZ}2}YA-#WRZVC0y7JGF>W+(sCst)ARpjm1fOMnO;C^i>47U zE}rI8RL7YN#&Sb2p?JX5#bVLtd;-|N8=_{Dhuov0?gj)}mSX>-iwgT&G!%N@B(b)C zulxwW+SRlq5QO12AV6$MRQtg^{-;vC-cPvulp za~}qq!LQ9P2e~1IFVN)F_g`|{{Pd<&E7!`#(*(VQ8(0qO3(d`qotzXFG(7@_%QmmX`sc-nj}ad~!-HX{!G^D&4Je6dzl z*AH;ClRi7%(#OYXD`$;v4Xx&@`XZ>ZrajB&v$Bf|8A}i9j<+c|NN9{6<7Pa!nV;&i z7J~}q$6=J*&817`rCM*dJA(jrK#9M}rZ%3wtyi8owV0$Mivc(;t^l|s8p-bz5>_Ih zvq3uDU(j`efk1LGncrR`(XdcKlXqs2OYp!V@_MD()g+hJHggR-cCB1>7<<a)q&wY`m)85dl7*)bC7J9;Q|&33^MC-|XsAlw}kI2#;VOaYO152^#P&QjlZc z0is4Ju`IJ6^V*@rl*zX#6^X>CoQI}>AjqIXQJFv>O!k`AY;}JZh^s;dsKb0FRoE>g z7ZTxUm=F@03=xAE5o2O9B+36lKOapuHR`iEoY@Tr+@Nrp(AKiKwV92KZ!FdA_Rh`=sM3-| zVnX#`-<@9X&(-}=(}|AhZ3&AU?5>-})ahA1e+@fzB|md%ZEt(=aBtn1M1Dn<|38j< ztyD4RXC$ zpRGH~bE4=2#@idZN9l!(99B8(W%!Fs^t8luZDS_~pk6IkJI{_J1r=4%6M8(A2oQeJ zU&nrf;$W-Zw2Bseuqj|Hp~p-k8;!>>v-OwNIP`hcre)xMR ziae#o&1@RB%G#|^gO$D&-(!x=h&bkaZOqg7VLB_^FJli9ka&cqfU1&E6>w5XCQ`hY zHmGsnKkdA@qAL8!cpZ_Dpc4oU2V;8nSJIqzqsML+A}S>Uw?HUdT;ARku}DFb_nfU- ziS?o@O@0_jt@Fvf;pZI zzTxP*0IZ$MPQpMGhMCfqDtL)eF-2`cG;u@X#*GVizJYJ*(ybepE;TWV&`1cEAT4dB z?RZMtxwR!hB&=xC&XCTW%lzj%a-Ok4oQfS2oD-+4$-MAvlV&c(ht@Y_6d8oreidux zw@F$+*qHuf(2TN&@rmHa`^VS2+tyigfo3|(CstqZ+Bm^$tp=DfFC-T!OtuVCHTv&7+GMl*5xo{j>r57g#m4@H22OY9H|sU^0Hn;>6}h2TU4DoLABE z!+N!+v)-p!BXVUHCM+h3u|PlA+}<*FqMSJlHBvpLt%5~vB-8(xbIw^@b`<_P-S>_^ z4-ne{DT z6I;Bg(xSsxNl{{(io-x+`0Ye^9FI>z2%=VJ=4#a{DFopDRb24sOlThZ!DKiNf`CJ_ zac96u3`wMCNO1A_s28U_9)wQ2!v2swwWQH7X3Zj9c)tR$cJ)3DLP4BENNO5UyL2%w z8vVOX++Cd99gVY16HBZ?s|8AHjg;nmSb@8HkC2MpI`C-H%iX)X--k{6)Qb6vNC072 z;#1J@vgVb4+Yxl>VF#RrEVmGUKAd(9~BU z*0P3*Tw^0Kj#IsMEKL8 zanK}upAl3F6M%ndPl9#o7Mp}0zD!g}6VL?8yTBhP-`IbiM=>L7>S|D^k!G;`r3jA0 zxCxY`E2N2Q>=RVH1^!rFtw1x4R?j41v`W9&uG%tT)M-OT6eZQ+JFeUH_PoP=^}p|S zyI|X>)3+?mJE18qpAS^(9I`Y^-luu>Z4_V!GM`|^W%;pbn#R*u#1H+-__WjyUgs$h z+Y(XQ1Uj8MN$`Op&^Ur(x4S7~-vSVKhB*xaK@{G>`(MQ$dIFnh(gT=OECwYK6H{qb zpp}+qX$#Ek&W2WFB>V(I7BV|KZ}xiudzRE5gn_jyi;}Sj)N&yu(H{6QErVofNb$5H z`h^B;XD;AyQJ5pxwI}P?8<_LaWHg?d|2kl<#?i%fSo0i>$RdBO>-zF0Ow#NxUZH5< zOV#Ov2>xZZ@icvUE%cW{TJ&LPoNYO@onou_F6!!~aEx>3 z*&>M^VRe%#p^EzLu$BhN!MMj_{SUVX6qI>By}e(SD^j|#p9h`Vv8a^Ch9l zZ-ylkfTKIY&K0=4M|OqdeU`;xj7`5!qgCOWbN;s2Tg!>X9L#|0nsk;#-JXz0kgmMK zv61AT0CvY&;|fJE!hA_nOi8nuB)7wW|6_2xqD12lc?3~t(uPqlR^5tNREK#<(p9-s z8r(2Yv-JF^=(K+H3s36o4Q8*|A?f#3)=33RiIHpwlsn>^FD0Tuo4zisbngG{?_L z8UGA^BmHO$4?ui2+*QE57Ir+jJz&iEBu5aY{t28|E}}fZ=qX-bT;Ep}p7sVd z-#?dEcj+?!_iO4#*1?hX^0y)mqpJFq7#C5)tXhvwoMet+MHx&V%JReihm@WKjnqjJ#jXDY$exFY$+)))1~Ep| z*e=;TN0-jko-Im`sD_h$e%8_Iup9T-g`x(XZT_(V8EV0vW9g`&#MrT0-^G?WQwqF7skzt#Mn8M*L4elwpwfRQxpA zdYNsN?1ZCkUj>Q!Qc=7jFjh9Pk*d>h*wU+&c@#?dHGW8o+{T{(yj{yq!!QuE`}yz_ zJ@y+oAc4dUp%j&Zs+1CH2yIj^J$%8@LPH%S*Os$H>Q9_QXG-~F8Nu%3?pC?_*zw+w#@RlOUTX--B zxHrU(3Hs?~o^rQsv_ao^I`r%_mdX(>?<=%}@(^M&vpe6o-6l*+s6( zx02CyN<%{8s18&dB`;6Ub8lK2IVpXz>y`re$WCr{TjYF+GEa#-zx7RLNwK>2`rJwKE%t_%#p-EmZttd_#u3Jg}hGfOIO^ zXp~G~kMUU%)8_FTMNhl&v@a^ic)bP&Y6wTJB~VoZX{7r(CKP1(SGWrB=X-Y|fNGe4 zW{-9#Q4+;Tsi9U+Nq~JI!@e@jqGD_{2ESTyh}y==P?Irej^Fm|zXFhUZ954A zL6r5A`3WC1et|FkfiL)GVvGh7p<;^=lvp8vRcVp7N|eIb#nPSGOGstknkH@2%k<2d znRE8AiX;ZmROo};bRBjU*SqQU0&PO@pQ0bbSXiUuvpfGxB(pVf9(FlA$dmOM5?TUO zYQ6H|*-f**ES?S)TIunt4YzzyIlb;KO>hciZ>v89c5Xc%om>XRy%g2uy@mV77gz0( zQgJR=FTm*$SMC3F>dxq?&nH<`QdB#t59WV~@v&#y@yD!f+1=K|g7+sY+VHsyllZnd z-ipJxRkw#dH%Sr=BU&<>&KeA4ND~U09ZG|j|KizIYv2x7*a-s%ZX$a}gl)MBRs7{N z9JlkBa48Hm(t$a+gORmhlpo%(*<7D%?Af*Ec;KxE$7v!jRB?nAW$+%f8+V!R7$_=? z%#a)#exhl(@7&&pvslLT+M0!uPjjDRm4Cp5HK6`yFlSeaL0(RqNrYTJ8!Z?t+D=6? zY8@7#v02#aP|K!__*^glb<(Okkw4W`b69EnTZ%6*cL&Wop+JnbraPvSVDYn%$r6cH zk%|uaSym9uqWS!rVS@x#V%u^+rm)ErdNa(yY8#NLi>M?4hSWyUkVU%pR{+|sohM-^ z3g1(RE(ClKjfoGUgcx%t#gv3FNC{+f*02)Ghwn(9x zTpMhAU#((5hOXS)p5FVNbH49K;>a ztadtZx-0|Zi*HyNjyCWYB?q&ME^ya$>L~@yeuD97#n+BugX|-0Li_M3| z$GWqWJw7-9TKI%|`RpzF3f48PkjdqV0vfkui-u_E6j7gv`9qam&< zL5@f9CZ@GX-8Iyd@>5c-DJ)}_@{K00PWB7ITzNwRzfbzKP0Nv3y{4xmApBDinmzGx zuNq>ETzCCfvtHMx87GP*d7D%&Rqn2Dqf4=g=_$$Y#~2H325_r}v-n=Lvt#4hd}?a* zqhkyW4`VMt>`Ao)6Mfc|iizrgjEit7+*-<7kClqHAIty^5@f_V*dio(S_Dy{ji_WA zqb~tiyPDmmfgqf5>;sUfAR*G95Q>D5;M5z3Ug#tA%scQ9JOWR^1;jJZ8x=xTs~!Rf zfto@cjExhLG!3*)+#S4*cXxKPJv8E$SeE6Vo&9EKzWqMe#8erLd58j<4m>oWRw#u? ziQ3`{M9{PZb0`33VGm%MhX`*2tvUzuTwLWIDBhq!F-OGt`oU!fWCPzQ7$Bm)(-IDT z9Y1^Vc5A1#x$)rfqkFZRRdD`82b!I;ZvW5r?&0e<&D}3ya?U`?nSseC7tc;L1&bd} z3C4`Q-1_K;$4{TEuRUCGz4E2*WIRsyn(gPW-fe#h3fD|N%U}9?6^f+NV2aT2dCPM$ z`S$gDC+yVk-oCX`yHdI4x?aJIq1{Tl*VE*upn?+#z5EDE&XV6z{Nu3QpUNf+4j@Gf z65C=!FqnEn*`oRA!0$xeiyNlM&08+3ZO)%P%nnhT0c9^I7#Am z(E8jO<%aD%G0peCUm(0|tG4E2pv-rWdtCE@wC#nn^b8gPSb$hnf2|!ib8RcXo^Fa) zvhd^$BWHR)(r`;CLRibfsC2IR34{Ld!(Ou%##x9}Z!CD+RmD+73!G(zY3o-hQ7ogz zDo&Xtf5Tp%%e}D~GQmZ>1W|0BOwwL&K{`kdk~tn$rq~v zPU@zK>;DsgvTNyW8VJJKw4k)4#STsrB2_{{s6{<;K;puM6XMsF8y5rzBm^oF6=@pM zI3%gl#*H8GD}J+foPF4vsy)VvHkAB<|_U0`tt5L<0(HmbpGGVHgfZ zGgg<4+o(oWwOuy^?5l4$JcU0#mFE|t9L0AZ94MOQ1z`qgX{8a;Wx^qE6tmZt?-dF| z=cnp+35yZMIqyrZ6+HTW6n#A%e(y*J$0zSzKYw-DIy!9Cxa|#SukO=fFiM0AV|iw_ zyOW=1(&r!jzZ1BKK{+!pd6KyVs2aCIh65Fy0O-Fz{Tg(~%KJAjKD>Q-bnx`y=Em(n z0ZwMI2u?fF@t3oY-@3A9FTW2*58!?nDt>U+0_)Xg2#9MKdAWn-xiWO~{CDSHZ%}Ut z{GPDO?QB)6Wf;Fx3{x&524o-H>`BUp2Ci%9b5&O5$+fP{!ywG~zl=94+*XTmDJu~t z<;zzr!|Js!#^QLdS+6yO$2?a_8pwcjeR2o@saW7`pZUu4B8_WV>P&;EKXFL56E3m; zx(J~}-)qDYvPjT}bn?kSw(W@LeQ7Aw1YT&?xf;K<^Jul6EMk_t>x3F4$7!8$7&@j2 z@qseEk+0;126$;l5UjG4Dt0-BSq7}^9X%wuKOEDFA}aL*un-B=)u5^t)t+#CL*RIBd$*b- z!Vymt7X!|W=JsvJ_x%#a3lxM!bA~2NnW@cZ`)h+;ur{S_sM^A`i+MDJa|&@Uz)~cb zyJdPY7BC_LT2xX)3N?}oOOZOO2c5BvfC z8vhL;A^Jd&02P5msy4)Ne63H$>)761J5nFg9NL-L*||LX4O+hcAW4JS6z%5qm}iL1 zlSUdsc;ti$4Q;qf!Qp~@qdN9*nOJjQ# z&=_JT`x;EuW*fA#=zCmHVI9c3&TY*$)l+Qp?DUfjy+gbU374`D0cZwAJ>UgoG&i-? zV)lILK3TfYo<6!<%#EpHs2IHH6f2r~1maIfo@ND@HgK_Vn*ZMHf8N}!f8Blkv)kPH zUPwwLp+O8UlwySY{vEaK`@$9a%X9nf)y3od1fohgxMPIO01yqwK9}c8QN)j92a~J+Ey6`pupArGO+{5@d7?n*&`g0<bnQQY&^%AVDDZr5w+CMi zxo^`$(3Rz@F`4vZ>?&!9Wg)^oRH6ZbwG~;`4NW(Vdc^O{(LtWD?YNd9qGKeE$rWg1 zUR1R60RA$PCSh;@VS0xsjKJ^GIEHUXVe{ zlZ@+KrhcE|A!a$4=H2~vd+!B%zjnP{$(XK!Ya}$4;hpUgsH&0v0ZKqw5|ZXw(GdpH z&~>eae5!=Umty92w0U5T3X+hr80olUOI8D&r(>k2_&7_EKT4=&O$?3b{{(y~$@ou? z3-vcYM_Y}$5ycavX;f;uY8pC_F`*}}i4IAez;{6Qun;T-YZZA0yPu`GV5Nni0e-u9 zym@V7;bk@!e0*;Eet7@dy>HvLw~!Gk)+5u+wY%Z$r52G_+3YZ6@)q*z z6nEt-smB3x$1Kk?pj{2nDE%PY(o_!N>?1%mT=>{SS#+H}0_T#*5s*Y;q^(wpbdt$M znI3?7!$PEQIQ|t20}>bmu)}|~4Kn@OfgguM58c#3+r#V{etr3B7@3nb1SjZC!bUkd zYD9xHeMAXD@0dqe6sE#bVM16jt!m>UMs{ifRtq6ABb{BebQsS&D zA+LGO+V@FpchoA!zNZpn=@e}%_Ar{W6a#S1^OKB+mh*Hev{9HU#`saPhRM9=c?7`z zVMx*HW_5jcn+Jr;%s*t@ae~b$2#SMF<9+h> zPXM~EB)4H028u<05cL0l>$Qg>32G~`Tb7Y5a!AUz1TYL+7R7Bi^FBXn$>xZsqC*TJ zYRVcp=g7VDm*<)%^q3w4mcf15V%sw`j|bsDM#`>j>`Md1<0@?Pjecl9+!}Vt@|r>r zlhQCe7tWJM{RFMHyv0osT17kht;7r5AKR^NpWi>6G|06!G@4H0V_??v7+vQnZU%i+ z@A_lZe1>~cUnsw>b-S)x`MNVZX4*q;o4Tf-Q;j}Ut()kftZI*=L0QXAe=y58&sZJ9 zP{>arN%`=Q$C`+XUG_cDue(EsaGI_^8M=9wIa-KaT%tyRtaOT51^@n4@oQ@>W|HPi*h}l!X&;QYy$S|r zlq@&U@J0eduo=1J`FM)2CC6It`TaorIj+BEAQTTo+$Vat&oQG`*JlE#gGF-fb|iOoNN;JF+EsI8DQp6RmRK6VhZs}WxbMyjF|vpe z+tAzDJ5FoE3X$dh^Gbfsr$R{o1|5ET(7C^PjQR!6t6Vy^Khb#sqRxm6XcVuZXAaBxkbfKmV+8hNmujw_@B;z9MaV6Ws|_Os zVURV}>mj*+yx+e*`49ZJg)xk5Q5rUOUPYgu!JW}{QrX>@dFG(Y_XkeLvY%Kt?HaCZEfe$?Iz^e%=lY1TRh^@ zkQLc71EMSbCN*Ng^d+EKR}Y|+!eLTj@S8E~AJ2v8fstnn{|&Dg1YnTcB6#mYO09wE z4qoI)P(k`1mu7RyQ+-B=7EgxgL#J`HB5i&V-|-`~+#!GeEu7$XOE!z$@Wg2LB9g&B zPNstbVVz;gBbXHf2yf+m(D*V*ovcf(8N;d7F-VJPV51qp9=R2MC7G(53Wz_ewr(G@GY zk-R7 zvf4ll#H`SBDEMoHtU4(=rN-Yo~A;J-=W^#rw8K}l{fzw3}^5V zsjgxzX@sPZ)GZSbswrLR3dTERuM zS0GZhk{Yh+Tj10EBrGM@Y^Yiv!;8PP4NGV-A=?qWGcfe;LrVf}UgxxQMr|NcrV+H0 z#JXWD<`76rKQ;v?7jroL*?2TU*O&wYSVT_dg1MoyUP!pSrSVQhR#uJ)nJyL&PL|Jk zLg-P)%{RidTB^)V8cg)l=uq8ZjUqdR37%QI-Jqca%jxYOcOJ6&MIfR}oA$kh^ugvc zN@UX~r|EIpF4Zc{#&Kw{jPE0g|5~_*W!ehE^F}2sgDxVvrMe^+wyFM0rLFDPQO_NOKYx;-O z${WQrHCnPcDgYWeN|@-e4xWDbDUowAHxE{< zaEvfR7m#r-CioKr0SsGw|KHi57TkDv?XDn^@>kP=8MIY}uBlUk8^UwuAJMZ9hIpaR zOF8m23np(=%!PrBb%9B(-TH%4vWv9*1V^x9#FojZ>T~veE-TQ%pfj0VBR6mQSR!NYnjhE!OtPpCMBLzF zB+!WMWC)H(6N9y-wVk}vT2iUvN(l-NY@UBDyB3maDiiHy8GJ98YB99*%h(O9Q7T$_ zyC}Ch&1m*5tJC`*FNzfTtCb8o4jY-JbnFHX8~TZS*tV;^W;bdx{Kuq^j!#w#)c{tZ zm7;x(0@nDgrwwXyX)txx1reVpebTwtt4^fLuNs?b5L<>mIo@Gq>1e^hiLEn5#4%sG z0a)vJjCA6P-#hyzvVhb_Ab6;f$<wB@!9IXnCF40ij{OuWqvbBPG zUrA&X@0X5e&PRJ-OYP}QY z0dJSnD-sgusKZs)VcP5_vbqT-$>fIed)lKAwBmnsn(QzIr5~v~TJf@7&)YUrQUJ-7 z2psAC=KXemJf8Y!+}ME6SITszXB)csjS+avFsisTx5M-`?Go;E!j}MaU0n`>U<}(5 zFJSckH#Ej)4K+mh)^;PlE8u{wf4i_{P`jR5A)PfEr#v*E@4RLoZ1Gq$1KB`o1XT_| z4fmJ~0InWQF6$X@2-w%A?T+nuV35vPY+5l-)$A_E@yIquV=5gYxiRo$+ibd7nzQ?v zHfWklfX2iqY*w6?sPfGTVC1{BrXuyX^~+_UZYvE@XbypbA##SH$Fa~p@0r&WB1(8@ z{aD3vq|C7t@2tUqvzsa~3`KGr67Y5FVn3}39)`ih?5S`AA!)drOo0@k3}*uyiqqs* zO*jwR)wie_g1*9c?;R9If%9~NE1bw;L~Xq8#!ZEG(if^WWRBh`>$s3z>D8Q3)uyD% zl(1xvX{?Gt<@Rr;8)MwoGPEG1WX@=rUkh&S@_Y5k9Lm|WDgvN5RzMd@_=-P*Oh^cs zr|d%={QkM!ue*ghr<{K%;8KyX`FX!zkLR{+yRDz(U4Y$^-UPFYhcy`kQSYbUX|g|> z!FCd;fR4RpzhC(Zz}Fe;HVnitR1DI+K+ymH!y=hIs6_&wC{pLaOFTG8?#>eRB;Kyj zm8s%LfP&=;e9Ug39-mm**wJvdB%}=4fw6R1L$HW?5n3GW=1>AIabL%oMsVd1o;D3J zY!0(&Hf&e+5EAmO1ZcFTBo6rCE(?w=q+}177?GA%1J9-vw-_7kaT&vG#TIxPAZh^( zYeBK;U+w#Z=e6pivm9TCb^U+S5Xi>N4j%3ve#7FMLM~}X5}d>7y^M!Ls%pa zM`Srg^7*RvCrQEUY zHJ+ZCV9a9tCMD(ITALa;2L}$6??uf^m}_THWta)ji8p1cEA4udWe#=Y=lPvO@=!F{ zAgzQfi}JaVhxv0=i_h*%3+L^~R6-&wA}40!KkS}ZVS%vq{QP6Ezc01|j=hTIZm2N3 zKC2RLGelmY-r+GY7FFt)K#CCLZoYskfhMcZb`q%R>=4q^;$KZ{i}yPf{(O9HvjfbM z#`b^1#*pBCqT5xIXu`mmv&I&);9q z*UwAa97&c|Y0-}V^|sgt9m;exvJ7)5DK75xf8*tO&|6vVJGD`15X z_dg+0k6@7clGx4@?7FDb*LLz5$FX0GCFiU7h!UceA8z{V$FATkda2;8lJ%s`szf z!OH-)#XI)0X$NG?lO*?L;nksHwL(PL&PeXCcrUj!stS8Ap`~{VPav7fO_QsCpg+xj z>4R4vdUi^h{IcD%jp1z9u|Ghwq)&2*wo_y%s;NDWI%)yCiH-|FbxU}n zh%_W!$iQQdA`QWazqD-^Fau_NJj5ZqVV6iL5()mC9V+m?^^G}#CX-SSOTF~-9N508 zcO-%3ev-TpJ`rs|V0a4M;h1~}#AkP4SV$5}XZVNT-CFVGMsM-daii}iDn+iJ@dd6JKK6x)j$K}qDfx^ws1V$>lEo}(`JCt zSrM_bCZ<&3*lLpalanY3ry=MJwq@a-Hs4ue(x6mkE9y>c3bo<6)&+Wpa)Sb6z@ivB z5H7wT7I8t*8{L~-^@Bx)9Q`P<>W@?3kE3`gweK^^C2GxrqER%^RNkRt=2K94mxvb4 zHu4HJ_{$PoFPHQ6cFofXZyiR`2b0wQ2! zj3BeCNV_X*h3-}XFxmeRfUk4OK^O*N=!}HA266vOqQcfJAc;SL3$!RDi8FcjT>b#S z4XZA=gaKFi=Vt{=voeVK*Ug7y6cEClT>{ne#MDFaIQlsli-fW;1hcGoj7#RF0elKk zeuE*~NR2N|^0HnT*ad$ZuaU_hi!(O-@5e7^cb>D93SJ?>BDJC1r)?{-NM9`s;k2kF#v+ zClk4yO-17qeaTX^t|1Nkh=LsT7sdADLJ*f~-@~27{M;?0{0}S{^2s_B` zpen`XnkO6O&9x1XG66DK)K*UKQ;831H;^(dhR$E|twBISid3Sm>RZ!+ zcJ%^E+kt5&c^{_qLZOIYs0tOH9oacmBdAWi$w_eYvGvjmGF( z)O7n@kc;h#o3Ujm8H#I!qjTF&pxfE7iMf82Szq#el(EGHB{vtvBb5l;TzX^h7TGO0 zgGy2Di{_R5#6X@eGS*jmtZW{_uppC)v1$;}lL3}kBk=)NKF+bPa;fc1U!rjvm#CJ6 zb~i0SB1tT&0|vdV?9lL-8O~i-@rzr-#lo7c z599X+Ya~NacPYQ0#xyxzQUt=P>X*5|0KGH%{r-49Zrgpid9VdG0{gyyUhhM-j%f{Z zr_P0oSI8GB_L{S0xfsw;j4>=tvWCemcKxBNAie_7b;i04#4rpMJET*G{QpO`=ol1G zhxRN!+P7p2a6o*KL_bn*JJD10r35jy;-HkxZz8pvy~+m+cBT^zQ8y5OdT&;%BW$sw zlc$qa^Rn8NbRUs{KC_*;W5eaa^nImMK5Y<&!pNCBJDu{JZ1IhCqyjl3F(M@Sr48Bb z00!D_q_d%s%`w_!l7`>`K$QQ;x=*9s^5Od0x}Xz6f4~T=`udM7aGu&Y#^n%D2NV-Y zENy^#KDmfp^kErMGq~pes0+#aQ>`Ugth_BA$R2qtVGWVTP^``~FT)_2s-v#9@?&ao zOz`wXhB?Am@2C)Z0(+K&Bghw` z>2SnZZfV$2%X#KgMRVwE*-SyG>d3HhSQ`oSS5yjz-zcE>0MMS$Q0gg`>{jOTxGVSw z^XA;#+Q3BZO+h0}*HmIxF-VeL?2sU8*@iA}hJ)%Ur$7f&hW29RSVm%(`;$r53>L$f zV6n?8g^yhHEj9dwDtSpg(_`?jdea&-<4X@XQWjd4V4DqK(hVRzFQwwDA|jN%&ZVK6 zYkheU@}VQy8nW6V>R^xSL9;eM##jcV>pPzG6rb+I1>D0NdlGzkVsCnI?AYU^#Z6R| zRhHX32eQtK(2j|e1e04kByc{$q1!m5oCJ?~E&NjgQu$+8)Pe3I=4yYc9T@}aXPB&z zt*YCSvVxu1r*0(9Lhc4)0Cx7v=AaH$SP%wK8z74?u}LOqIoK6yBz}F4$Jg=rO!cQb z<1pC8U*G;bzt7)uEhyd8)VmlCvoliIKiPwcYpCL3v1K%+=EA$_OQ>yv_!EGyGuTZa z24d(8sw#1!>i>UZ+cO-Dkh+QO@p5Iw0kYXm>=*lE5L?n?ETgz4(iVb8{B%^2yJG0t z3@{2+piu+g5+EI^UmuMOL(ukSC(QfVOO!OJX znbA5!CyWhN-5b!~D8WuAfgx=$c~Q`ROJy6}z{9Egh^WD~H(S90u36_ovr`KY#c8qer(ltTWekn1gDbsno_BQVO?k$x2fi zH9dlOy6zcu@)UrubH_m#h=FJvju46apAaFs&g0?O(j5rM+#C*W{hNL3@M zl#ezv5(Y`t{}@FEa@03l*jOjV#UD+u9_pt$el77UB3<h(1^1PiOc0&lJw+d zeNudrPP;0KLinD)CS=3#56Eq&>`Qja9<9WRo5R)Dydlt&tq_>eo7Re&>U6q8+Xi9u zwwaeDeDBo6FtZ+p1}2;BQstzqBiIE#w-d<<2HkzVtlM>a4-vtm?&8{g_QG@DAGf=O zaMO@W5~nyqeMe+VXwOmuB7*E-7I>qkN36->wojY4*8qF}-mf2@-(R(7u5yl! zPfQ-S`|r=+r7tu7;VhVLV>B56u9O6zm4Tb8v#=YV(p-WyCzDfR29M88^S=Omoxy4Y zF$_c{2&A{B|NoH<y`iWZE8)=)%g}jKE9T^S9a8`pq319%d9g5AP z_028U=?HU*IL6mjVy2Kpvv}JZ2;!$fO`vRd$efIG7$2@T=!lLMwnR25hl3^w7Aub! zIPFRK`^`{ut2hxs>fapFQl+t&5|WgINk%)6+sR{9L@KA&HQ1CaHinDPCLXqofRs4B zy3nX9TI+@d7V8#eOi2Y37Y!MPoIBi)<-HFkH~bc_i(yv;}mp*X`@``f;6QZYyGo_0`%v zkMH~M&$AWEONayC6RzTf$=rc9T>|Sf65kaW3}&WXUzP*WOr7g#|G)4j0A1&j8bJ`l zPzxqmhmiXpFfdn$LP&R6l0Dnm40LrD{zy-cG8|^r2n?}&dt``nWNYMIFGrqkbo6WC zYF=L?z;aJD#RV0H>@vtpZ&j6XST3{T)yiV@`Xf2n+u~4%N4lh=74AidZ5Ie+ux#s| z1ZiT{0^I$bel}Xcoys!I8`#q9(`osWa4--AlR3>JMM_@%8z5f4h_w@!Vl97dxV#dVW94(wA}c7>B#*hH3k; zbnBnQr;0I~3P7nf&3We7)idx(HFQ{6{1t$(b4@`Yh+%LGqKNlDr|2Jd5sV=2Op z1hVd9+BErkkiRP?8>nib=Hqt|h%-n=W2E+J(225nL#9%f-W9pHgvN@+L9Pl`xCQWGO^`$-}L3)Bv4Y`*~2Zsv@Uf4my-(%5pziS)`Z1T#*4HdT*U z>&D!K#&VRgvHEd9c8ampjzOFj-;v7FHh5+>D9YT*Zx05Jr{m>vel9EGHw1c23cf|{ z`dDt)`-`CK;NO<-0FBk*Ycx3tUB*3nplIS`FVW+LX{!7#o}PFMz}Fe%APfUBFkA8e z=W#)O1?sJlIY5%N*WrwiP-)YwJ+U8xM^AH?v}lyO9QtNcfrZs`%HYMABytbv*pV`G z2hJJJ0$avUfKqhG-_7g+cSZ&IrhmNnY?JIjgW4=BG7`uIdS(!qck3vygkEX({K)L?b9L%sDCDK~`wTimisx~#PR$50(X_dseVw&K4tf7QS^e(k^K~32F_eI8 z%C+eZt@rzSU$w-Eq@opPYm8g5z_Y2OcS6wY$1(o(Qh*i*LXB6+NZ&k$@*{~G%Qxhx3^wWoX!K!?tnZHgClnyzrl&A01$%EvZPRTKx6GtphcDZw&-2RHu^ zJC}cAUWKF-PH@`pL~jidnC`8PET0So;^et6{Yr|C6v7g&mSXe%sl#ngucROLxvtmq z?L``p<@yjgzWXPpL!hk0JoSYLBYTHUyN$4^!?+2`Mekv}QJUn1zwEtZV`a_qJ{;Sa z*tTs>Y;z|wu{pscJGRYbfsoskr{6%wH`6CLT=G1~#+v+9_6E^Uv>5l;cgK?EA93YGQMgp3^db0t zoTu>PhOb>RkBcEJ7-B_B5p~9S8oQqW$g*N)zdp8@?E+asbPWUf%Eu*VLOF_9K0@)J zra6kp(Pd%v+)Zl4`V~0P&mejYdB@pm?>PtmGsU?7LVepgKZ?nlz}bVoIRAlNmIEP) z4l(L1;ZKd_gg}9!t1%T9#Z|86xkmP^EfO8~J91pIVNMrZ10N?*#1{ zdz@i2>ok~%!oZP??EF#B?QPT-Bkegh!t!kGkCR^`GU4$mci$kUwXXB>@ z#P+V+LwK$ferx>Ne#q+p#QLc|9+Ctp7_OD^+|BbmSbot*n75qZAaOBB+b?SSCsv$* z8zzQE-ww(?R>lBdhqNt8v{f&-dfFG_N?62{(Ebs!h3B5?Ax^_y!xzzgC@~$04BK5@j3MlBC<8f^%$N@@e`5#+tRNV!q zxdSdO?3IyrSMXIkV)rcK@Y~~twV0a2{X9$Y5~VM+aYH#34{Zt%$!a_t$U>)eC(9^U zbdC#gImk9vEGe}0Yae&((~YI4WD7_WrD%2T?)gL8@HYLnz(zfTrWa+IzZ%<2yx!Sq zV7n-or5UeY@ELTve#!moE56}$Wkh3!#>cqWOmXfIRBoU&pi<|!KdV7e>|*?LTa{_S z9o%kZhr;lxOf2q)q4L#C#x#e(et8OF5(ghHM*=v$f1=qQZrpOQXlu7Q z`{jtlB!ggH`)~1P0gUl!#GqVmtH677Qn41MsOEP1#O|>cT5VIL$Y#piwIqP%>E^Zj z^9Yo|%|`_2ljJiAAoY?W6@Dg3dACw74J!N|INn#!^GS7Kz_pHBqha3 zIOqFgiw8PLll;ry$iN(=j8$)ki@Z7rD~50AzqhxBL|ecA7RUK!Yrw-pK@RmMCm06E zP{l@dF~Y6v@8G;Hc1?tIb;h#E%z8142PWHaT=yOYcS%$M-=hyiFgW-+^>u3!iaJ?2 zR5P*ni`mM@e2HWu7rRL(uLRRt53(9yl~ep9+!RVbVeW<*%}4Ep#yYt#Z6#Cc?MpLd!n8 zhG{SgrXGn5LcAvo-jl<_V_<#egX~Jg&9a2Ac9o$vaK6DVDvObfgIE^`qEt=TrWoeVE6F{JTAmWOBwOo$FPs;kCtY$Q_@ z86&LJyMH`p05j1}2oy!?#rObOxZvTl9FsbU!j)3Yr7Ss}#fI%`po5>YO7wxwX8+)X zWMrAyVrrv}DuwVC-yFKdF+i`XyEXGMka3TX0RmK~pUuwqV)14j;zb1$NNAc1gW?#o z$(Kg3c;Gu!XGBNY+A(l-0Y-asT_JKjG9mEYxvP!4E8?umv>J8v2TYU!TJsbF}$!^t*UkFN-g#aO*m-?c-as}c8-?ffN1KI{8u`M?QJ-HXpD$uC(%DoQx! za=YVQ@3#tZXUC?w(l006@dVKVJA0K8F}3Zxn3Y${z8^oK;4Di&A90&E3-9#MLxsNmPz$KQ9@oJ4q;rX8u zQ~$PM)bhtZ(5#WrCL=VJ{S4wenj31`wo z?_{Pij!5SBbR0z^IC7omVrB!-+iFBPDiTI!o+bs zKmvmU%3nMhv`}Jf;fF&_?}2dM<$)kbJznvU&>~uxQ)O_^dbZtSW??f_7!j>NkFIS& z$gn8ir;WzqKzu1nTMJyP4R0T{7DVgdMl+Ue6-%O|A+f3U_`aG%>0o^-6yrr)2XVF~ zsla)rNXQBm5)CgcS;BzgCfI2|AzNaguL`WCmvC3@3q16!SRWG_V4G%**D=a37!8T> zEw%0KYDrdo19kMc11_aL=3UQ)d;xko4{g!yioFJ$Wj{)=90rLDz`=u|Djr8ObW(%M zugrSq1!iIH(ZLHx?TcY|p_93|0xRPr9cx^c4&Dq`tqu{)q`lx?5<2U4{rd@Ed=KXP zHTRixKqvFV{DQT9Orn8(n&l-^M7sR=-pc=Gc<>s&IRh}Il^S4U$ww3<8rtWDLKWA! zw2Ge}Sb7EFK~mLDpTJwOIHX}R%SAh6cShygUP4Oo1;DB5rD%`cs$j*N!W}Q~tANwSY~@iWEq?4g!s#lp-9VHn;u=->>&{z%>*3M5=>0wRC}8Q;4ks6|%sYoB zZy{v&#Z!2Bd24{!iH{hzc?!KFUZ#mdKiUs<2~8hu@WzFxnPIep2;23SK!55QOsVPA z;!;@FK2<8vs*SrARqt1oA*!=(SG^>)UAQn6`xhV8p9e$hx1gyGmx6}D^!RwHS~li+ zaII)I9H_pLBec|Et`nSn2@pXdb82l@!CZjbWU_k8G|V+-J|24;j&O#$>`MK$hZrW~ zdUSw{<}AN8^_Ee97*41*4|dC%YpS?cIeRFo*&B53semkX%cQn^!<{l-@lS< zLgujNuT}brzaV621^yx2?p>AIfOqX#3Cz7yG`t;da3Hi%)}8@|c;Lb#O&m%1`)gG^ zCvE_$$U+1;i{`3@*&H{QXOhdbBQ}?&SJdPhp644`Q>JPw z9Y9Y0d!2UMoLBh;O0f5cQ0muooY@io<98CWVe6QwMwLV?+s7D1FFuMN#kRa-Phez* zr73y{;`YOR)6-^KKy+t-4Swn)>ljfVw^ zmZ8?aHu9yXUe-$`6Fs>dIlCy!ey^^007wTcvUeBU&bbkQVQ^7LD9S2xC|R>sY^E8~G}=e1-Qej~tH;sE;36&S|;Jw3qVdr{nbyww5i*(cCDNIrbcF7?Pf61;&+efc~{dT!u;cMKCnxxhf$Njg_n=4S3}j2 zI}>>l`jL=NoCjlqE!=dA*<(ItY);cNLktatic+QR>Dz`TD_$UvEd&1eux!g-K`R{T zIn1_)#%3cA|5(8ocK|j;4|e?&gpa2C>D(jkUuy3`!&hIqA#Gi7(bx+6(*wzU9`ECUC84mtSOLaEB?&NN^4=N3x-#l z8rz$?H3RxanA4={^+^5C5a)aYec%l;FAuCnDn(a-Ta!HBM z3u>0R_`XU4o|18t3fAu^RIik53PTX>Qnlb{QCGwQ{zpn=UeYOBr%<-gGSZmX-j;BE zo#v}8DpXw$0rFT7Gj_~~Bb{gXTq91hcB%EO$x-)pRX|%@6#tlG#&EZwc?BNaK>HHH z+jjjfD>??Gw_5%-)`<_LU%)eagVZ_Y8lk(Aco&rl->@p6jTm!{+S+phXLH{pn&dn8 z-ZiizPxVl&^|2=QM34OlQWTfgo>%zX=R|~LJFXrkpkE+uu$Bob zXn(MfJSGni!&kI{10I4!dbL^EjK_4I!dsTcnH*I0zPT(<<-xwj;c3c8;vGq~gJ5pE zqihU;Y=|RACxq`hfi&zak?zO+_}oK+MWN8J^~mQ6<^Et1Pb%^`LXgGpl8Wv@19UAz z3FlZO?nY^YnC&9RQcjBdT!G?l$@vSv$Ubi17Nuli#jogmj6yGHxp4Gl&R$6B`)-#4 z+*7J)tpXeP(xbm~##F=5()FOhO`hLRkkr zW>0!pBvz@BT5x-3KQ@zZF(9%z2S=Q`#5%d5y^8(#>E<0K?5V)@ifSak8tc}|{<>## zNLem|V*}vdAC99n-%)a92MVJ>(`w3QXp{a#0Qu^%qYmVQc_D?QSQNJ#KYe_B9@F29 zD>GV20p5zvi;l-m07mP*PiN`l%D*~@Cj8PfmOHOuim)RMxEnD18%Q5a^n z+%j*)ISdo6Mw7+wj^RE6nV--p6l4FHpiYdbC7g`dxkL zfzU0hD76;&=cGR4_-DbA>VB3Nc94f=VS#IWS)+yvPzh!*Bgtn~>(q?0IiSdtyMWuu zdb42dbSq#@*3n9J%RLYcz9U~);;-3?-OC2~ysv6m>_B6z0yH4slSK-Bz&U|@Hv(D` zTqSWR{<`zm8aDh>l+OwoOmq-ArHtG}zri$P&uXxuA=q4E{IBR!KXe-K zn6pSr*W6U}a!6i>X2JyiE=nv1g7`*ne8 z_OwxhcjW%|5~ntrYO_M#$W*RbkoJ^LAhKk+wW!I;tp8Rflh*1XfEKQ+w~x#q@6 z#=cC;mI}d4h_4K_!=pyZ2`2l@*#yBhIMznD+gT9U{p@f+rhm%R4^7t#O7Dj@j%pvY zxl46F=x&I0E}BcC^7K1VlX}w3W0FkS4jSE?|Xa@ zTOr)s1U>YFE?7Oy8Xnmt){EYXwG`rW8ntGxerPf;x_VYMyPO2pEmj=MEZ!6EpNOx` zWsNw3v_@A8hQDvM!m%fBMkweyhNWq9MCP@@dM0RP^GJjIx85(a-ly0isboHRA=V$*>76;^ZFQ2^ZI4Yt`_piV#W=6Na2NZ4)(uA!|-+3UmTtOs!JPM zk0w6q;V9>8+m4J6WH8a`3lOS2zAZkWXBlg=o)M4r?+RrK)2y&R`dnp^SZJqg9{yQN2)ETjR@{u4EScS7gOjX`C6QN_B38Ng)*DJ> z$)#yYjI?#*-dRp!1dd(E%7X5FM)9qQdq2w7H&Uj+;1T`8)*sv+MkkMIdpwVYm(e`|}UGd)9PLvovpLMz8SEK`RN z3$fCuPW~xa3cLb(6E4NKWda4?dn`yY+k-gS#NHN?XBseLi?Yv*v_KW7MG(l0pRxgZ zNSEJCZYB~*`HI3}_yf8-BC!|Nl&0TgNc$L!Bc1WflE!6zhV3YXx zgdS-wed~_tTNrY*7OeL8aXz7N+x73js=?>W(C*qR2~sVtFJSezv4w$nH^3Ap@9wXt zrqn!HIG+85=ra#SO4(Rz+Z%F(Wr$J!0w`+b&1A_DJ7H@%xv^#zFP!kuCJhN@W?}R0 zzOMa4I^r5Ctag7TCv;i~&~NT0OP!C_unCD=iKqmj=TpKn{$Pk0NPpcRrE=9mx`H9= z9kDO6bqxtz6hO_a&3MsV5!uukeS(2K3gyH#{esGE;V1nfn_Cj|({WNpgt*ocM@8*T z?P&$lQGwWQ(T#G~O(pZrpCI49>jS{VuS>M_{Ruq+Ak8L{p|%4$ux#n<7A0;HK;Plosi7iY_!@H z8&s&f-APg+qVR^-{_`R_7uYgNqe@pLfZzTMe&C|3^7PaE-%kX@PP%!wr`Nqwn7G7u zepvoiDNW0nw_LPIuwJ2a1;tc5~6mVSVbE z$!m*EBeW2SK!8ULw?WI_XCGW?zk&-g@;8DYwM6nZUHLi39*|od_q59nVNS+Lk27xe z+q=6Dbt-I~J;InQsvO-j4{BY~PW@Ms?+n!g{O<5ctWnfM2ga8oaP37s7!RWubnWIxQk=ynu@Y6bRSw|*)&CD}BtiqcK!-lP8N^YkA>c04ou zn(ShR(d|%6QMfZ-j^;b#zbQ_U^ZNRh(D`b|B#1;P8{+$bf2L05Ws75 zIiQO^B<+-DDOqMv`}HN>vgZ2&YV0g5X6swnDS?U4w^jK+flWM??dyN8I4sJS*rWG? z`~)I2JVN-f(^>~l^E~2CK7%rbvKXI$m3Rl`tjlLwa#--Prl;}Nq$m>=K|f77rnxyQ z;lxluxvvE0SnNx;1#nf?lOi;5+2C+62yGX;{5_R=44a=PZ43Anp}1u?^SQ}E)(>Tr z$Q5C){)4Ju9cR^tRYy`zlF{dVXeA=HlW_hBpmaC_P2`isS$qABg-_f4(r4rjwa54y z4rM&Nl(4ki~JR1LoP*Vf7F6q^>jIA_> z|(R|!prlx}|5V?Yn?81`-{c;lt z(2kC94azivJLRPFFOW543RCFTHYx80E^+H6srugOj$_zDs%>iNd${K9;GV9;VYzlu z%lu=FM&e>thdgU@rq-V74a5vcW>$F8X44?0dsQ>X0J0!D}$$EdkeE2C$FToJ5oZGZ=sBR^>#Xqi8I{F?+?)+%^rhnN)%?~ zcE(5}^XOrWPX114yfR;^37HiX=Co`m^|Clk4&Rn^1QrS13va^v93Ipmb-u9G+b42y z@-q_~bSXQw`nlAr-?8FcUeB4bJBd8}vyeY12KKp--}8QH3zHN}q&SE8j>d|LK{0^S9)E=Otc#ydfd zh|fIGo4GcpLLnsX*2ZKI-nXh}gzMkPTV-u1 zW!^r|RNBcRT#BWvTew;H15KORStgibK;bkAGA4PC^LKQfT1&gBC=o=yl4AEdrFR&FFF~e-bL(PzmhMa#$=>U6PUQ#%L3%@0W=@$i!+xoqjF( zJ@WhZVNc6#_49f-Y91s3F?9^zk>+)4^e=K$FSP3dy!Kuy>TOE-Yb-bKuNkU0Q68|u z^q=;GGtYvWmf`jh+ZY_KHQ}G!b82@`_Odd5Wau(I5Cl&Qbz<+6z)4rpe;#*&#l1%DwHn*C)8fI}IX54i=% zOA_(I%%&y$%p!5S%IE}Gj=wJXVQpBi5^neF(9NyC-~9-8!0u>BcJvwC$7V1q(Uj@S z%RbO-cHfNYMPKWSGNM$Fmfo+y>S{LDoRRv4MX9pyd0bBUBqeehgc+3NWXQD_6pupP z!=}KW?OvetQN@hIfSW&k-!!DbrtMEQLX$oVrtFL<6YS3iO3w8Ss!5U&>pHRkplsTgnAGJ%K zQFPpAV3!;Q%vm$*1u_SG@gzOkT;VCw71#5kaQJA;!nD@Yb^&F$()x!Z8~z-+)zR9c z=w-pNwN@NzHO6UX8mnM_+ucB1KwJ?MM$>~{6~OOekQ+1R?ln1^dRyZ}ig02zJqMXt zE5}ZazfoEvEgGvkzar+m9+klMt8q6}A!L1-htw3ibk&!=;ZX*CwHr0@BP%K5=C^ru z&hb2jgpZ4y89BS8Z**`fN{GpJslQKF-0Z_Nv85gHH!3y~cyf;^^|~$rj9#H)^d~X1 zQmarZi34q_>xKQr=2_YfHOBnXad{Ew?6NH6nc!zaf(%ixDOaC#mSgEZc|KzxkV_oE z+IDaq+euVo9b?e<84iN{XmLD5QbvBeeO4g%!;(=)4^pMlJXwqsKa);CGCn-Le zt8=varphWaW~J(;o8l&Gc61*rh-P$2d6&_-HhEiHZrWoW+3ec=SGNW|Z^}P3yG9sO zNchb03v{L0@=`lgjHJ@Y*b0)?lryFbld)2BdRY(kJv<@n-`n5IKTiROyRlB-ERyi~ zqjSyOA|v~aO;vHC2@TsVzG9y#K*=S6BMC3eoF!*}e1D*hRa3`YLbz`fQ{Tg)&)g%? zJ)uSEGeLK5eB|nY9ZjZV9i-jynOs7}htkWc0QCZ5vGF7S<|2P-7hf2|BxfLu!0%+| zkhjq=GRCdo$7-#Tt^CtRVL(`7pUG+7Lp!HJhAH*JIIc${i$RI)?sGEo0^{{dw;FSpe ze4+4J@tz_F9hYC4*GPe{)`M3w_bxRfi@jwM2gPqJjBHcTVs!sr5DDbb2eH(Ak-e6Q z)Q^-PLK_~3`F-V*xXo8YcN^u&{PCMW?jcp%USw2Qwah0OTo^%m6i_YAH0s?p#R(ii ze$C}-R=v9u9|s$~O;#0!Ya*TXfN0r*5>zE>bG~db3M~02Mi)D zh%ilENL&ZilHTAycfgs^A@#CyX1rhO{v7L`?lpm(`hqXJc(b`k&O4rDZLF-Myb`6P zL_`0ws{6&aGR!&(bG4Yy{PPwbmS%e~Qz6*)x>C2^jNepK^UntI(VPRg9WUN=XC;YX ztjMUkDWyz5Wcp+mKG(Y3xqEUZWpTr_{quV(g5B8o-(Le!f(-uBcaBmU*lSGqBG@3^A-Hazk+R?L*P zh>T!jI>%3NXUs3$=1z=4ok$5D?~H4oil_G;-0M9Sree%r+hT0lFn7*~PaA=Dy|Y5E zX(@(C#_R=u%Kg1l&V8HHf+;@QRU6+U%+~-$EOQ>;|CK>fyqx#3qbN=k#IsNF8BK@- zBSQ-8`aHwMrLF7>+_9#EHIpLD4I&j3ISQu{4H!=5uNo7!mgbhB`Ys!X_&>oU{O@fP zyR`^{dfbQIO|yO+O|_!5964=)Zkv}rC7$n>2hCS?nqwD;5F+IJ?6ddi!MTa~W3*W4 z>;3(!q?D5uUigW--|btx`&*eslD4CZv6G#*MbD3Z|6pzN>YcR>?}$aSJx4^)So#R z5?e4`Zo9ff-zdn(x#jL*X2l{>k_qE0?%9!Bz-CQSr^Zd7X11gFRV*FM$mDK6@wc4A zGDU+`mvKMZ&-$@{-q!E{r*Y3y*S(BC)^r@EeBZKmg`Lj%4I%qA^w3gXZHz<5h7ueA zC;YSe2;?36>57TjLyEyciH(3d*BVS=BSNAbI&?PDr+Y+a?{^OvDK)M0`R z?KD;wBMRz^mK1EITkP*xZ&c2J??$vqQk_*Gu6(EOYGo`o!tCV}#P_jOumce|B+$t{ z`;qj@YY#{)x5Ilby^N~^Y?I(vI@fY-A#QAIYZzUjB6AYdukl82Y=0Ix486nJl6*bY zn8i94_(=#wp+}GTUF0prMfVr~_;0Hh=}b2BcB1*7_U@6 z=DM?rGgSRkSa70)Ow|^`5bpHRo(DSn@$TNOrKrqF(MjAY_Xyr27RkznCFQ>@A0?st z>%Swb`DaRtWSF*>P*jh;PJC;o5!9U}c5Z+-|9$J!CGs#TcUPToDnXa@7k)B(J00UQ zv0wF)Z-ObDCg(NEndhFa!y9M>q2g|@{ZBqreJf~Ur#6OI$;6Ksj%=vL`P~B=d>5bY zrK@$YX=&6zemq>-z&6}U_;mz^+pqd1=H+vR*o{@z%9aqxmyb%!TZUz(CV(R>YcG}5jE+<7_6rUa9+=W5E`rw4*U z*{UNIY=4EoKhlIbI{WLR?t^hYKrTHjr?&HJcz1X#g!;oLetFwXzJA6{^+-JrIx)^!y05mBf}+(1^p|O*?sry~%yj&p;%seuF0+0D(XpQ30x~2-4lO zxX=ZD9blw>Y0`lJtp7dC6#;|GoksBZzX!NrU}&NR*jN92{_kgCpJk*Ow*IdY02r7k zShQBxe_wxA4F={1hF|XY^*?R=QwSUk44hLBJof)uh6DqHu&je1{$HI4FkoO%Qe4q9w&sl)Ke!jmxonBr7 zK_Z}!$I(il%039MSqGQ0S*KYS*Q_ahuSo~nQ+KaPH~Cpd!&4V}Da}z29ww@wTjX=3 z0T5u|eNUg5m{$1*3^CZOb;NJam!NfJ;6%r}=kxodJc+N!+uQ4UWoM2r+uPG?tZ48v z$#NFRc1)q`kG5a3?61^*(KtozxN(&*#q`+d#B}u3`Tqdn69oU2uwTX2d~9c^@!Qh# z+iSJ<=H<_q+uKEB%kd$&Gi(kvR<`0@OB02A_1cE?skmjTVv7MlI*dH_^A1|*YI_vKi2JRsF$D$uV(3=H- zC~39=_`$)>abR;z^XEo9r1x1jJq=f^-NaW54ce7U#ZP*=H%#)IJ}!5QjxAOc78shJ zp||emIU4z38JV(rktz`~*PzadEpj#VOm0*fpK>>vjOFhT!{m{UxJ`Il1|p*Nef$8^ zQxOV(Jg#q5%p1jkc25YI{lZWTA6)&Jk=)9@o%JNnnb>S@ zW<6H6HdZ9_!U{j1GceCyC;?5P@{RBI&+h<#i-kx1%Z>~GO$^u{Eb5+PS0!WOCf}Td zbc4&M76Z^<_=B)}R@?+oUjaNQFf4Hc<%4807Btmvm({4W=Y9hP%vP}V$2s+IT@!eB zq)0s~I=@{gy~t5G#RHJy@{u00@ooU&^G=}a2Z#@-x)p$SyL9g7>+a`mZwkP!Ym z6La0dBP*LA-M{)LAB~a#jeS6{Wx6>&piiBdQ?lt71-$fq1E25c1o^zbr*5OZZAr=4 zp$M==#DlL^j}!oCY4D^ABc4T8vOa(S<&0Eh&JpB_U%G|O>1Itjd(Hk_oE%k<$Y(ZW8$;VXS_a+GG z()a!S>UJ}+5_kc8clne}iLqERbCvPy+w0~f@WcPWG%qqUPMQdB3#rZQ=F{RYVbUmo zv5N)>l7O!SjSmfsb&ZcOjt?VM#wL5{CVA@i^QHwYr9&;Jh1WxrY<(8k`>*8(zraA5 ztL);5db=6iOx+Yyul*tX-tm0=_&x~~?Hv;N1j57PB*|4ijR#p6H;Vv*G`NtBwPZ

>}ofgy8v0iF13@QK~9x_+MCw z!U91YKi`m7R$X>?FI#hfo1d0#Aat|q&*%Sj<^Vw!Pw%K}snC-xZ28DU1!v#<&(H7_ z0R@06jjo|xzN)_kaTdC`(_gE|`Y9NW2Fw8EWdnlNC)gdvcB#8wZ&mcETKpKz?}4}Po|C_d)klZE|D>Cj1L?0FXZ3V$V;He)6MC{p-67Q7mzqg=@TlE1aWpH(dYNd$w)-qAF!K)V3Q<@64U{D3mkeMyDCqK+s%?@*!VQWS2$T$+craU*Fej|hfUy7Av>gHb}E=ha4J1Z zWFG5pVXggdn!9HEctrKY(5(Lo#SwB7^a1N`QRxHb=2+PV@_g>Cq%j6{JU^#yFNzdq zi$p~!RJjZ0%iv{~fBt~q8Gib!gif{C9 zz1=fd(xW;gKu{~_`Ei)1lezQN^W}U}fCSk73cV4CNTe2WhKLWnm+C9Cc;=t-%im!m z&>q^%Z~gt1l1>nbQ*^V4s1Rl8-mDpf@b7UK_q@X>!|{br$I2| znf`$Z%86l9(mr#>z6w;z;AKi)T}L7$c78n}jemU(NbPOYy@XHQY5=-A9r~M-x&dmt z`dFO(6cL1t0RRPR9D$9j;!`orA^bcd>Oi8kvHYM|?5vWcfr%<+>t45%KI)LOP-zIdOvM)=o(>D@eg9${1{ciwc4(_hgb@lX??OIPQeFXD{VJHh{|};+CA#Q{Pu1 zc4n|d)5}|}(dK0JJ$&ifWQrWw6d~w2A1~-&8uu{5J6|zF#68_q-vL(L7=Z@u`Gc6J zyDbLmyaO4&+F@%-6;q7TDfNVKg( zkYbv|lA*_mf;mG8Cax_CUC=Un5`6!H0yjB00%mPQl;$1`K3lQo~%!1?RWn5aWTCZY(% zB29T^mP4Z*;Sr)*Xz?uHiT9G?@ugnugUaO+c(KnpV>S(rYrey)jRQOU?E6zo@@x7^ zMN6laFcjc2$_+onpY^Pkh)@oliL~Vk0x9aet80Yf8qEivxWI559#@B!o=!11dudxF zvM{b$1>Rb!WR;z_WfF9`)ChSM8&<6ao-P0s`7xWGEvVmDl6;uI_E!DYcn9v&>KKcE zY*fF!0^q{$o=>en*6EN>x0FMNM>8vS$Mm$F^UsGi)ZFAYv2{Kp>0POoTcezLNj+mb6d~ zEX{jZxx+aZdIj-|`^?A=7ibvX-OcOr3$hic&$gue-T2tV!_p@p`NxwiHvNWW*0O&; z*~ugPCVY1TTQwtedvWLjP=(SJ@9ztaK?uwR1pzA+70nmhB-ZE3iQm_#Zgi=J$!aa+>?KXx~aSX`&dx$}Iff&o_Y} z;M4o%?dNusj{8dBrs&@0WG4uGxf1yH{&Xsmb`4AW@!5SAAYKRP8TPwh$S8=c8EQH` z#O|lXcid^%u`UO|+iR?UdVFBCthV2{Mi9}`8~Ya%?QNoSJk)8! zyH4ub$7&Q|1rX>*f5*SoglZH`^tBg4sZc} z)Q&fkC&A@}@^|1dU!6u=t+&UK6!-pFKKUz0q@yi}Kr58La^cuc3(@ zoKj8P+PWnD2b1-vEgP@(LbVW&qwq3>hGIF^lpAn#8f!Pp<|XdwQF z2&g?!V@X8po|E53Ht-rr~`MW4K78o%{D1tx(|0V9jFffu$Gmj;o=@(!1Cl|KVl=A484 z66yKjadVdiIMM#_WD3zMT~XY1z#xC*E2NU(>LBjJ270? zGg>?__=lyhf@bK?P;XB^yI#}|)F<%*UE^R4eHvY#52875--mb9xS!YWlZa@~uji;! ztWS%bpV0_#GI3n=c38uEeIKB!8gr$?LBu2>pb#P8V7=($P4h>l@a2|{f_#Uy-tw7h z@D4*x>;(DGbI{gGv`jbvKfGV=Cleh$!(^|BlAo?f%S4Xv`|Itii0LSAn<;V4s6cKJ z&iDHT5Ky7))3IPo$v;y{FwinR8!5mXs006xkTJo!<~*L?D+?++E^ zhoW7BH$h^m@8p%tAsUTwDd3ovJ(^L8vROnL&Gc6_v{zNMPPGxv?1;4-;m)kL=p7`; zX5z`{nY_K0>Yi1aJOyCDt=u5Y>ht7Jb=3ZPkIJ5eT$W7Y^ZdGXnqy%Mlo)6+{&;%5 z<$1F10aYosTv3rC9i4K*dh>Qa;JMUt5Wv;)MY!j*U*i2fmx_R z^nduOcUPDfPMVm#&rAC!U0t8_CG>vZ{X}`y|7-87zoKftz8P9NB&Cr?T2dG>0Hs8f zP-3W|rKDqq2BncyLQyb~l&&G91r#NuyStfsFYf#MJnLQS{Rf`4-iIIVb^qd-bFRIw zy+5(fb)McQRdx&&dYhjSa{JxO$mD1yxn1&N=QMxQG=GyNf57mwz<=*5X8N13YK}tV zfqKnKQ1<9-AB``X!E+(72diRbMmX%@#tiyqXGTkDGah@0-Z`1UzwMKsE9$+OF{?f? z5&oqtLWflrx3UD2r?d7-pZ83g|IKK-z?O4Okn$g`fQsF)es_E2xCk|{eImOPf;%J8 zJLunKB)I9!x0X#ks}OaoASU@`_&s7dk-p-NzIUCJ_3w4E0r|i3+*?@TZIygMoz>+y zLS>@|RJ+YQI2#EZB(T2)$S(UUYbQ{kH#DIEPt-?j2jQ^GT`j&XxDec>XV~z+IK2C& z4M);CVZA&C+Tn$075Y;t^J%a0ueQ72J+G%PDqbe$hTWq89B$4GQb7AMf8;JmA=Tq` zbb8lJV)MBNdO>nkjSjBiB*7cD-GNT@IHB2$x!XY>OqFD_h)lt7?G)n#zIcoOp;`z+P25Pvb*ebx6S z%{}&ZGMB>T(Trg z;vH_VtH=6k|FT%$5?{{;vF@lK%n}|SS1@sP_96p2=;X@Q8;yEKYVw2 z?<6rjj*F9@+qZos^^580z~NE77*Itg9Wf-@Ij|X_^#5H{Jk5i$u;;jB_C>T zPqN2i`Qd7; z6#T?-3LJ^{QUrI%8BuWxX#Bwo?WOiJI5p5DzQqzf92gEzX7k^^^79g;6brYJyKL*5 zy1bt=o^UHX;P7a$inc|f3Gcl#%so`H z1gbTjWJlZ@lUREtivCj^I?-a=py)27Ipt+&nt>tmkM0YV2f4#$5#ctrgH;gXA-WRe zPxdGTE`0mV`1#_-NY{)+GyaG>;D}DvRzUWWZ{o@o@y_Bog372xD7rcibwf2 zg=#!uwTfPT_}3}CB+Ghs36?wylcux&!)QIs3>#jyPg{mB!CM0^Uw*^Nsr8TXMwK#6 z5#Rx;7rq9Hp9Zae9i4~jJ>8GCRDj}0UtmtpXaiDMjs|O@y(@XOZBfD2!Mr|hY!Ys! z&kU`q>Aj;awq861YxP@lfuqUOQ|GPr(tPj7ZUE|C`sABMZhjUm9`@BKf*VCTtP!$MjNR22mqMsKo0@Y8f?V+pA7GG&EP^H zIe~)&=D$c(&U5KQM7bNy1OjW%CHyP5FRILY;Dggm&NV+z*E=sQXc zxapOdiM$ZYquC9B()Rc)_ZMg@IvSV$f%EY%zqSBk#R|RAUfoWi2rxh z(|&DvdAO`W0-e7Etj2`I6}q>(z5r_b><;91JNn09O9Sd?yOjm17KEm@9Mti&EtobL zK($@%Z*?Ka?yyr}fXmWbWz1P~sml8Q5#YkFx*!d zx-9e8@48Zz)V})Dr0mSR)bDy>{AS4$x-Tdl{eSF!ihvM0lo_J{DuW)*cYThwtcIT9 zFb9&m>q3I>+bv@f;N2*hQ#v*aA2=Hq+>o9I=KV#IJo^U|TxdNc@#o%!8l=%0Qyfvw z5(35J5XacTCEu3P5RCu+kHIfM6GR`cOe7+PD%d<9i?LNnVcyy0-$SUA*=g@q5C*ot z-JkSfc=M*+VNMRjBbS0zHB1sb#d&MS5p4@dT*lw*)`F}VNj73hdchd7iL}0c;nwfP z{ew=|+8hOYKl7tX`n%d>0yz5qwVWT&VsIz;AUC@JYEf`%+tH1- zz;%!}u)bd9x_tVao|E^Ohh&?MoZ}(}ACbvnG-Kc(^h5LubY5cP>D~qq z1ReN0IZm&W#!(f=y|__af2(-8jYEE(14yF}&BP0oZ2vXDSBa)En82NbJj$IAF8{NI z_2`*VDE1t8z`gl9Sa8fW?){^i`EMN`C=Ct_*b24Mf9TlY{~;pt$~T0NcnG!z!JiGf z?|wg7I%#$Z*xx!@f%5ReSkmZy7D;fzXS7XrscAWvOxChrma$P(PH2~j?U!Auh#y!6 zXb8jrf>k!88sZci5+%KbJwL&NUT!>%RX#pnIRp6sIOIBd2GOE^MNezpF0@l23&v?p zs&UC8{if2k@Leu3>4dknCd@oY($9n%hyI`%S1!+uE}f|51rs%=kXO895m`@~BFj06 z%snM%ABWl48_il(UA80BKt>8Th;oaqtX?Pmr)n8U#k59SB1(f#y^p6#0b$4uKri%+ zg7auG?M+*(MociSY1)!lHq$KeJBrq6{)CHl0zY?dV`yI+bHyDI-X!>0M5xiiN=F`o z!M3cNoqYFg*$g;8YOiUbiqn~W{KFx^1~W)LOv7nGDxEc+`TNX-DpHB#>R5clxHrj| zhA+jx`?2)_G4L{5&LLw$IPb-!L_@cbDJ*7V1Ek_pme?D&SgW0$yovs)us1_ z2tgvJ1yn-no3y8`8PG3WK~Ft*hL;qe>P(`PwhHv8ZEA~B*2Km&c)T=*r1Xn5+-S}Q z6inZ=c`25;p;>!7&9$|Jk_Z2pQFsf1EnN@zLtd-_09x?g)F6>0;!W_u!7sGs3rGu;9@k&;*YeEuFt`H!T$_iP-Q5y27hK{!vM}Q zH`-EUiC5fT@9G(amIg;0#l>dH;)rBSUu0a@Nmen6?b6B&b|<}9_yWQZ{KiaFwB^ba zE@<(O?}J(?Su3}0)bbyHrL5~Dra7T$CB)HLE(Qjdy zJgZpTUWw*LghwY!55!>x3F>OHLbKFk6PZk=0(v~NUb=sL%K?>FZv4;82Y*9N+#|Lb zFl4a!IuC6T1h(1e5B($+d)^gm8JV!b(3_wB;KDy!<-cks*L+8z|DGX{)n$d@G&3f& z*o=TM#)xV6Z3YxRh55F&H##_jzcny)v)D4+jlQG$_5J zLTU21_oudX+6YhyDsgB}~+?{fd3TtjsK z>gRpOOJy{*E#NnMnRdbGg@PJR8QZx6tRJi60Adp`K=r>p|7R z8z0uF!Ea$GSbzI#uIGSFE#xzhCe3zSYc;%YjYe++0<%bj{L)EvUcBNJjR2( zB2l8~Vld#MjNP=`J;CD}^6(r%dp3iWJ3ub?J3mu6d}hN;+VRj~_fU#REH(P7eY#*? zjra-jkrn~ujyf&th(Yifc4u-T58UbV6|Cg$U-+(h@{m_1zOr0)<5KzAeJ^EgkF40T z0=F^Ft*w7+R;zG6wI47pJ}E$t)zIbW?+UP*(;3Nb0l%T9(){%uT8G5cG)2t>Qp*@Z zg`C7!1mrv~qVlhs8&e!LH-b!66KS1BoqfCIm+!VjZ=0jnwU_49kl6?`6vL6|1+#zN|dR z?ouSWBxJMseD8bL43#)ueZ?e{md|PhR>8CYFxFwp9B`F5b;9bvH`0-Ej|DJK`ZUqPjI6O4Pu_w)^dz-_O4tb|tGa`EPJ$&oYXF3uI>4Z_$t-DGPFn{DzICdb87IZl zIKKj!@=j@1Xa+}KF6~t=WqtJPzy6_t)TtOu(eHSRR)~^uYP+0-JipbG`~Mp3dUxTe zJnOu$uKw+Q|2vfRU-t6<$QAi_I_xbC4v!z~?p9={DL~?8`&I@eEgJpsIP6oY(|z!X zd8v+Up3pGx$HBpI>sA{dU)#-UVY--DY3X>M2n}HZa+K?zVjgnhIq@lKM0NNH;qBo{ zx7jaf^2n=y!@{D|!*oR=ufAUY^>&vIJ60AQIo>|d4^#@7*)4dg-FOjF!0b-#DC1oZ zVs&yZnz`w(_kMeG-Zcom5z?=n{e_S2)}zOdFO%3z8qnQlvNP@U2nxStJpWscmDgE* zqxZOM;l{lb`}d@Z>b-Kh5km;KK*wxS^|H*t_N5f*P9@0~gr|WDnsa{>)06Dj#)>xT zrE`=MY}(6Rc^2H5L&kQDUsXTceAgZx>S$_d05gdi%f5tV)_@%44@Ozt=s$1HTdBKx zk08gIxZr&5Rkm{! zX0W%DRQxwFG4a)_S3lU|M=F0f*WBd=03HJGJ9#rBIp{67z z5N$0jt$X)+x_du;hP)Lmvl{5{zwzkB_s_jAI467w(9E|#3ERU?j}GjgJb4lTU!L{d z8ZEVy9Ucy4qRl-&S}D!T<;wl>^=rH5&H3}A4NV$u<$y)uGFu{}dITOv0_T8nS;4KX ziTQptVQ8svw@@vJNi#DPuBN8x^?(SJhPD4zOH57r1i-{4wCRtR; z&kYTElbn8he&ihH4gEM`W9#DT>h0;%`O4J|)RN8dQAtZl^LktOGtxNIr%xwp+-9n4 zs(nt5HSTEKdi7^?q{O5dBUn47FAwr1n5mM7JhGMi8;7^Y*T-f7Rkkf}mscfEDJM6` zenUklYY1CE(M3EV)^0O!|HyIqTYJ6;Us6Xvd$>Z=LQ})eb~D4npczdqomApaWw7ko z9ZAO*CKOe(J{V&2FQL6*Jl|AYKZ#w>{^8ks<%nhWJrf_fJZ`GaQ_N=Y|u68*;b z?yMi(F%WMlZ)HuHKT8kfwG96Vh5V7C8kS>=@;~WzygU4D&VhIU6TcH>RXbk%=d7(l zT+Wr54SNUg+u=OY=Uq>8X6j{V~oD!1n*sDsgoQv@Abn^!_4W- zj%#b3ot?M&H*t7w*1%6sqHtus)3b)(P}41M-f)z;mIt0ZgOLQmX4C=$(X#e>h7Obf z6_<7GB6bC+UpelG`gm--$Y+>fb75!YfwHZ7f)$5id7gkqWi;VmJlKF!`ky%|3 z$ZQ(&)3bx3y1KJLZfKES7T-025ATaHD+(W&qyQ9H#oD8)uayPY*`SZ#zki=9q!(8x z)z%Z4m6efr(vvDAaQCjEkp3CvYaTX|c2=`yzdewBE_aMkpwrk7z6r*x?j;?pwMWx> zRaBmAP4)Hlsf<+!YdVM?7CfnVaX#q=vQu)&Y${cP>1)K-*<;!56 z!r*jkXj&T6N93)iKoflLMnG0A5z5)HqMygieA(qn#SfnVLf8vi8+$Tl{oz90FQs3x zM;oIKnN)6Nt{WqkEg=jo?d&Fx8xbcVgSk_;`(Bq?G>M7|6C6vDZEYSQc1PwUEt?-b zezZAL<0fbK>+)u@yQ#`=l>+{fWnaR*~o zljPrz9^+4O{KATUayMf{Y(cyfil3hB?94=UYE<(E#&ijzXs25ch{IKbhqR7XR(9i+ zfxa$glMj?=S2jjVne6Opo=x$&c@Zy8Qg=&m!UivmnqB2*l?t!nl1{0z#zXxUaD#bJ zXD6q^!OXXs9wbr}?hresrPx%#)*^g?jWy3tCu=8Vw^qU!p0d?~A!d*|;^RaWLOE@s zkd)>g?U7<}aj>Fm4sI+A44&@KIT%z8U{OV7C$!^_Zd&ArlG6J5E4WN{_jZm94Rv?R zy&AB{ztLo%c1U;?fj>WbJ@0rmJM1$yDea;J|M;L-j7lBL-OfPUPMGh<;%WVT{sn$iq9rbK`E(@ zIjZ8li*M`GLu;??R(>6fB%mC{rLIwz5DkW`tP8U{1113 zf}P;A_1AlC{w~ZU*@Hryg=Hm@lI3`Nd~0h#<%uE9#nd2?C4}foqO!7bysmB#2J`9> zY6gJ`I@E-fxcK#}ULsG#-M5 zh0B6AjEwi$eNjGx(IC^NS`Z7JM_%@WQ}zA_Af-@r{ElarY>PVj*<|B%)0D zNo8VdL$FaBqa~pjt>;^mSsS4H==OCdB_;8+?AqCRpSUZ?D!d+=X$hH9hNVWH@_qz9 zPnbrT8iGsr!)GB_SDteAlUK24)*-7TrJ|P?m#$gVf2%3g4?Z*-bF&*#Hak}BeJGVWM*!#+Lyr7c&ncLROF~ z3u%uZJ2^Q)W4Vk-ZZ1!85pJ-L}RilW3fV>GjSf*a; zk|w-Tak4X|61d#YbGT5@m6)d%+}V5o_pL`m5O)`sPi&6gn)hV{1O%>M+dA2qdGqEC zN@6GC5+k#uc}jY2$(?w+&tORT!rWKaG}zzU`%qMb7dk&BfrT`<&tddm=%YD)@koo@ zyL&gX`#_M_p3b7#(@xHk+L6E|V0*GITr`?jRz?PgJ@K8Wb`2kTt)F+}40Fbq-0%j0 z!#FxPIM_PeA&Z8f8~Th(%qm>i%KDslR>6n4BUnkkUA!VzF%ahC=`-@@5B6+9NZLyc zMY#Isi!m*i8b{AscyzSTRk?`n;cQfNAcmvqtKG-&z6?prhJdsuD!s_%H;Nwfpj(9h zcnz|e|C53BGb{C)z)RQVGz#-(Z!wC;;1D|22c0RV;3aGb8Pk|6Uc=x9y8gSoBCy7L((GGUs& za&p%-hdYJyB`)&E_ex50vl?0QZRNN)(0l#&FlXfYd?_gpL9asKa02ja%(9eyl|}j@ zW~wR_q;x^J!?oGg@H^g!R^wNUrer(QRU3GGtGEAB!^uwUBVa&5B_t$L5*mP(hhznf zguet>h3OzK1w8eoWMvm7e0Mbb7$E7nsGIy1dL%xV)q+kHyCqp!N&HYh3pBZ*0b0Av z1>k94zKFdpCl79ep>ZTECmy?A<(xq_K1sY+$cFRkc)nA*kMw86y-xe zO>N{+1u*h3)xeV=%x-dQ0!_Qa}w$~LG7bkK%KSt^>vNOrD>gAJhbdODH{S#FnF$_tc1mCgHyOw zRM2&@_S^}Z@kc;;;<+GN9!$Hf;bd%CnK9hFk2&_DbGe~Dai@lt@Hn)Xh`{ws$t-RX z#fGAZYI<44!<8M&OPB7+?w-mL6NuS>PJxIR=?SN~kKPR#?AElBCzb{1qvW;b**g#j+?7Nll=1eGhu^f!I@KcC_r5F!&2CTl|%pmV`D|KYXQ&T=H_lyW_|wT zwA50i+LfDn7q|n+i}8*7B#qB|=9RqQUUcSY9A@wKQ_ZfaDVvVMIDj_NGSWjZr^&N# zwcK|%PD+s|9=?V?P{@&>$yzqLhsMV&2!;MBDld;sN}|iIefRENeH5v*P2c9`re-1+ zXH%u;e;#5EK*WhnLqYxRwQVaaxS*#5qs;9$X*sIa8!4$m`pdTV(1633)YOl31jnyK zFqluDJ}hmlsAPYN;uvdk9tD*!riT+HQ5;@Cl&QT&JWY3-5>7+1c@(hYXimwva|fjE#@Sqlov`hKtsQ3zt@wR1wE%LAZ*9532Bg0qDkop>d&KCM)i{I~@>HRe^5s_Hu7p)^B>CqX{nOQJ6eA!&ZmjQA4 zLauIS0;X4AzB@7HQI5yb{*vx%dDp4>qrRfS8+UeISlJS%YtB4>?tMT>LF)AlqQd7w zeBzu!KHcn3B+fiqZ0fZ!at$`h{f#GmRhF?i2+hvKwzRscDEA~sN2mCXz6))j`}yxr zAO!T4^7CM^QN_G5(l{!}XD6rL`=X;I^vznVna?H7YTbbvLLL8;5*H=Liu@pZTiTF_ zcnD>T>K7NM7p zHT9h`PKAi59n;pvn>-&nRXXZsL6rLD-8;UkYf?i2Ih>ru`2;RA)$y6;{&d%AY9~xk z$f}BpM!!A6RtnZJg7fpG4WQ_OcdqBgzt{jovfB#o@T$NEhi7c!UH}a5jBHH+>TGAn zcK;6`?$kjfRK@(EkqGNsgit6R;i>rn`Jo-8!AxT?daoUPCW~J~P~OKUMU(;d_4r^# zA2!igRd8F^JUGdBHUy6|w|GKPd<%!g>-+qqDgHjwgupK!Ip=qUUdqVnpbP)z*%FMG z5D@tD_it}|yR6*98PF!?_+s+<rO`Fst1`}X5UVXo^yw%y;~2V6uz5!%+-c|O~U9WK&S zqDpprX>ijCaUS{zNmL2y6fz53)b@a`!~RiK5td`T0Y?f4SJ& z-iSz1l>OP)>i_|_B_YZ;GBHzBS_J)eKN>%)p?uAVYc@_CwviO;SawZ?(8tMl>+iis zqJ-Y_Y@8gMmkymxO#$I?Giy=T@xh&(>>L9y46=j5q!o!X4Rini&YFGh(;`5|mMy{F z9^P3hZqsz1gUL98u;-6W@A>~dbUZ&lFLdS^W$=}0pG=1gg6SVqAY+FEgiq-|B? zwG)SD2lixS(OH#n>iwR510=W0Ofz;Rai_yfcmH5i|27d3W?_&n|7!uin3#5d6bv?q z-kPWZ_2f!?jDeIj1jtU46hK`8TFgMElB}{I{BWPZ`tvkM@8Glj$nfxjkF~Xk`8x*E zMgPAAIKi$Zy<(yNPxk1PZ^en;O@|Ng@iEwRJH!}sq$#IQw@ zZeh`THY>-R1$#1J0_mc+sghCE2W{c;BB_Gl$f8CBK1A+1EDWqid3m|_b07KZ3LEQd z@uc0m1Ryb0eUCW+<-p^|RTSxez!fp12Zk?*zY8Sa7_2w-1DIenET<5+Ul@2Zsabip19et!N- zmtukX$xvqm>q_9Xn4T_h=8a}N1$91{J!d!7LP=2(8F?i*p{9TtEO2NkGW1A7l2+gB zR#@X3j`64<9OeuZRlr^9eDOF?!=a4`+Wxayo1U2dU--JZS^%manLU#88WH#K*i+|n zMZMaZUw5*xxxH@6fqG&OWD}rvSlRRYB;HUF14L-zosD%=kFMrLf5FcT&dmJoj|-Ks z@5GZmr6^7%?XlXkAIxo{R{NIN{R(blul<>ckB={a^jxK8ho_K`H2w9;KrX1k%_%9r z9Gb3+dyXMs?`SVwl9rNtcl$NPuS*ak$d!@O7SIWY>Qf*f2F-+|$9Ef>n!G$cKR%X) zcPb#=c2Af!AYCLr+G znEdghN7mNX%l$bMqcd*S*85u%3f9cFw+IvzPRa{3 z3-z*O#tPzNF)>6w!N|Gx{2pk_D z7ZG74Bfe08+$FAQY-MF;adL3L2XmepS1rV8owl~ME9^OQ@c8hZWB^y-UC1gAW!aVrcnWXHY)=;{T)XP$nR_|NMu#~_3;r?)2Dc$XMdFV8TlQ& z+p4z;Jme@eE??A{a_XMn{lzscmRee?KpW`zXm4W^xI5bl+^8szOrXe#ii%?SByO^z z#O!D|m7n9Mn||JqecoE-JX&JWd~4C#1(vF9Y;0^{k?XQi?CNrXtj#DWpZ@_g)UqW+ zm0h<0_Rs6#B535%;i1#|I?}ujkB?<9oSk1ZYk9_5#?Dm&Y3u9TSX;V>5tfscJ?Nt4 zmUo+$%eIe_7^|}B0*?mh&l4ruO~}O9*nPwtvN2M^*$J87*^%VqyM?h(g>l<;9diPCnd682ZF+())8S;a zVHuY6*Tt!d=|S1{Jy`x>ycl*nnno3v!>50i3w*)hImx6zwX)snh|$*~Sl$J}rK=21 z&k4t(La}UFS!QNt?J{zpm~U}zj(#=o`td_IF2KlWL@1G)h)7CK+(mAMO358_x<^LK zhGse=%^~kwfD8%xa*mU#DNSQNsEg?2?b z(3x~}bdh!f$xlbel@u?u>iv$MpKoNpp#Uk-%Tv?sG|kkxOdvCG8)jpt;yz2Ty4`m% zRz+};Q^t@lUp|Fu%*9NQ_V#xiZjM)4aj>KKWO#Uxp|8xp1GndCjn92 z&H_iX56_8=jMAfNxj3LcL2|tsty&k#(7Y&&%fdo%{w1$Q=S;`cXZh!$P2u6$_2-iB znl5eL%(#wb8x!S)<4vs!RiW)q$L_5G!S+a%BaaU_JyWplGgFDD2zIERk-Fe_RxS>q^2 zt`VA;nE3wv)jdsBB9+!apB?{`<0*$B>PuySm2%(FKcH14IQ~7;989SLE1*}Ph*JG` zAyS`E#Yfx@zkBCy&YPTA=qn>yD!odJ^d8(c zZ=c=2IF@GjU-~b#$?n7FJcDQqYUJlN2@4DN^Ye?DDQxTQ1?s=x{Klq%)Pvb>fL-#` zIB#XVC#)2@qB0SGMM1&>d}Zc!j2qL?(lS_x`F|JUbgw|O1%c(O;KuCiK-JaXCew+p zud_3!r{CF5f)nKZa^G0ih0UpDN0R#6RR^PeQZ#~*@nxV_;|k=FnfHQ(SjVa-%5$oH zWs{zJPpzJr6(E@}$g&wp(AvHo?D}on5jPsmTDi0c%l`fhCQPkGvC6_cSzRKoxir-N4~+WKj$Y>zFp}>+U$kPSjWh zsREQC{O?BS1wDsjtR*ip?c~+S=R6`>Tcm#36hYugptB?PP8H1$txO=s0%}}V+ zyy5fLud><6q(WnLUMofV+;w&SF$NgWh8!K&{?;oS7#OVkoZ`Y8Uej{jaBy@Yt&h&! z>J}Fl2OvQ8`D#*L3pAcE8vJRc>CFC`J+E>$0^c8ub-Mh39yEsT&qx5hsQd5U@gYZ= z>OIiXGPvjQ{wfJ`IueQ0W|3rgDk?1-jNP}Js`mybY0VM?-l$mS#w{jR-d74Z`zm44H3EA`XD^EuyfjHQ*zI;gXxiKb7YJLTPYbp@F4- zpKJ>|eReL)`r=~khv*K0%U`JfnpBxPv3AcM7ELh5zqrD}s-(WSye+{mroD*upu*$9 z3nLejF}R9@27AP8|Jtzc_9U<88BLGmW0v(Gm z?Sc(CG4XeMre#p$(4!V*-PYe`edhydNJt2{*3e%#-%58@mSs!8^?Ghc_b}IqYW&$j z^yzY8b$WG51%qymt*wi=5V&_7AB<%e;IRguox;boCVG1J@2?NKz2hJy^-7LU6b6fOb8{ss zgjshs^N=u?wK3Dvdpvh%b-dIzGh_MS!LH=br&8l%W7V$X`&(#-pHj61Wt(aq7}n(B zvwULwN@?Xw%6pXIJp_PojEszQa5n(=5Ph=!;pa02Sdo#w{*J;=<3JBjPc9`-zqz(Z zISP(^g)d@az^U(P@1t~tR8~~%@9q-FF0>Mn_4f6?9zO!?|~tt1Pb8Yh@rb7_E8mE1!^zhQkkg zPMusMiNT&2KhPTL{hLigc4)z65aMpWV_l2?-svvA5SZMN);_roY9m zOPrmYSU%O>(9_y_Da}A2-hg!dq)E%ImnVOXS3&|R=>}?Q0q4Bc#YCK!?Uu+ zCaGQA*x1>7`}%&ix(1w|1M{f`e9n58vj6*pqkNYY{8>q1p+-<5$M5_ze9NbD58&WF zdQMuFIPvS(w`WuA7L$~fq3V$SG?eEWD4b-+TVfL8FX9s{fS2XaeC0o`7mjxNnYOts zG#FFs-IxAqaq;i^dWNKhyN6fmdn~|6ApZcN=as44=1|@bXq$u?t0nQL(0hkWD(TFy)R-&}QDK2FjOf3u?CJ z6N8N0ok&8m?XRba0ZnRgVWHqX7yfKvrO&wZ8L-{g=D&kB5B1+C9)lCZr5F-ae9rE*;nav1n{j;qnFiEG~K)SKNf#-*7YlcOS9z7-- z5y0c{E2Om79!@QCPE-eDkK?0jeO5qS@96km?CQFhK#1rx52ZhR-m8u^z=|4UmonooDCOY z8gD>CA=9v9K-={s27q`0(5NUo8c4+e*fAi`ZNLEF%!#|ZmN|R9N-lJ^Et2w%yc+V) zR05~Ut@d_@at$hz&BevV%gmQC_>;U-)n-%$$yl@h+5BB!`<49<+O94xUtNnI|M`7Y zK;ROy3TW~~KD0>c$)><#3q=IPBsIkVjXT}DZEC6{FYoh>=HE>GuFiqd*aqM=^t!M> zlvF5$MM#K*WF87*%C&p|gYGj!ZPM?nsi`rdg^+^bu^WtFV8y3z`3Gvffu)`mxZJpK3-0 z^WmRwdy*x=Mh7-3D&VpgYZ)Z@s@OX`72$4p-(h$TWf18_EQo%0IrIQ z9}R?0RJ#d<3@ibH|M1~MK|#Ui$F-@I2N?eYphN2F6fuuUV}bga;5y;(2m&l`_0}mB z-wV{KVgHJRHF9=XPc7t>px7F3ULWCXb@{y)RsRDp_Ocr(@_wWlm9h?`y~o$Drx&bP z(*y(Dpi`huAR2|kVfPj^pJ)U;vzT^pxQPU_O)pT zynYJ+rkNsv5G#R7Y22bb4i~2VdGpPinB;m*o6HM;^(#{SX-Fvbuk62nCntaYWg$5w zBPHx(m_Jb>2$a1d@4|!Yd~I;k8;qMxgZ9b@HKus9wz+wOV2NhPf`w&1m7*;1YxCdA=P~p~B*B>gfXsGO>PuyTJOw3Fl>}}%&kLE587y?6Cz=4Ip0CO?wp)_^B${ZEMcw&1`h#@eFSL&mKXCp4I=6z+3_7Rr>%OxK!9~o?k(jY z){Y12{?PAxG8HnZMLOla?x#TJf;nsAPH~)LfzKRWb#?Bu>#nzx0#u|`j09yBANIw< z!eV-|u~F$@nQb_j#^ob2KOd%{AvjOFbb5ql@g4+DK}R^KZZoz1sbj$+cy*QS;^MD$ zvCV0Tf2(qeL*Mf56%3)4r+_cPts10dXbk3Db>7H{$cj;BW|H+77y`A4NS^%BpFc%< zdD}}{s@Vh4j37IcA47=57+`M?&Nl2VfR`5$5eY`$>}?;^Vjca6oUb_RUele|zDGlo zP@tJG+2HFYx4KH}<1&Lok4jqW2icrIcIDZqwG zb#=1v0XZ3Y(vem<<=E`*eTr2i0*}|!xcehp^{J&LLN1wB7Gzy}3n8iCJSedsr!N{0 zYO(%SA~p{|Jl#WNN$1#L(q{xlz1x`sl){?yakW;sGs=-vVQ30tvP

FD6}$iU!?hP0!G z>Eo{r5~C*Y>(vz%*)rZvx~^NR-%;%hz?;#n=7mshKwI!PX&x6MyeZ31BQONAoWl)v(9>o)QacxU-5Ec4aF@aBRv^C#aR?w^HVn7v6&YuWccX}QfSN5 zUsh)Gm;do7@?DgB#f>MvD+f(N+B?q(QE}1(LPg?RjOzrxS3;-8b(|9NxRh2B7W{I_ zIDAf1znYE4f4D<#j=Sa3t^1h7$}bYOr(DSzIP(nZ({N+3s+uw~Dq{WbH}T)4y~j%A z72?i6rcpRJJ7-yq38v36g0B5NO0~h(;#2SPjTi44gsiaj2{xu8kt%gxsqVW;Hy(t= zllxD&zy$8?i!6hwBZ-Je7b{$IV8{Yh+6U7+Vfv6sRJ(X2_J*YUtK@rO1#ZkZcVC|LkVM&H8LE* z2;cc$YS(kINVZmbTJZs7YcK7CDlxBmr40`7d)4SsL9ojPo62QMh@BX}P z&3D=4BY{^KU2si0C=b}>udio2ZrB3YokDV4E+;2v^6@!a4`|GQs%z?SK>C8g{4I?0 z25Z=kLOF_TaiTilf472U^wjZ z%@Xv|(n4BN(j!B|;a|Ug{rvOz!2_5zdz@@IxWgtd^f7|3*9ul}=keqC@YHZzLeL%u zF?pc??AH9;(qqom;n@r2npM-S^4~Y62=@uf#4zhieWO4)3`8GaU=t|fd~aa|$e3mF z#B5otk;EjXCMIAInwU5;BJ}GcD=TT~atJg%=rYxXnD+l3pe$tdpO+XxwIli;{Z`5U hp2Gb9*}2q21h(TVPk3g2M-YI&dw2Ejl-z=a{U2sFX0HGM diff --git a/doc/modsecurity-reference.css b/doc/modsecurity-reference.css deleted file mode 100644 index 1c89c88d..00000000 --- a/doc/modsecurity-reference.css +++ /dev/null @@ -1,102 +0,0 @@ - -body { - font: 13px/20px Arial, Helvetica; - background-color: white; - width: 800px; -} - -/* TEXT */ - -PRE { - font-size: 100%; - padding: 5px; - border-style: solid; - border-width: 1px; - border-color: #CCCCCC; - background-color: #F5F8FA; -} - -p, td, tr, li, ol, ul { - /*font-family: Trebuchet MS, Verdana, Tahoma, Arial, Helvetica, Geneva;*/ - /*font-family: Arial, Helvetica; - font-size: 14px; - line-height: 24px;*/ -} - -.copyright { - font-size: 10px; -} - -h1 { - padding-top: 40px; - font: 24px/30px Arial, Helvetica; - font-weight: bold; -} - -h2 { - font: 20px/30px Arial, Helvetica; - font-weight: bold; -} - -h3 { - padding-top: 15px; - font: 16px/10px Arial, Helvetica; - font-weight: bold; -} - -h4 { - padding-top: 15px; - font: 14px/10px Arial, Helvetica; - font-weight: bold; -} - - - - -.header { - background-color: #00448B; - border-top: 6px solid #002B6E; - height: 84px; - vertical-align: top; - padding-left: 20px; - padding-top: 10px; -} - -.topNavigation { - background-color: #EEEEEE; - background: url('g/topnav-background.gif'); - height: 23px; - line-height: 12px; - vertical-align: top; - padding-left: 12px; - padding-top: 5px; -} - -.topLink, A.topLink:link, A.topLink:active, A.topLink:visited { - font-weight: bold; - color: black; - text-decoration: none; - padding-left: 8px; - padding-right: 8px; -} - -A.topLink:hover { - color: #BB0000; -} - -#navheader td { - font-size: 12px; -} - -#navfooter td { - font-size: 12px; -} - -h3.title { - margin-top: 0px; -} - -.note { - border-top: 1px solid #CCCCCC; - border-bottom: 1px solid #CCCCCC; -} diff --git a/doc/modsecurity.gif b/doc/modsecurity.gif deleted file mode 100644 index 76f5ca1632677cb890e0a5ad57cf47cb8a4a6c8d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2585 zcmV+!3g-1kNk%w1VR!%}0OkMyMS8T;+UNWG{a1IVdy~1WyVD0Zeqx@~4m^P!N{eWu z+9FMj7(|8^LWB}Nfh<&!G+UL8qQhB|$|qKpQi;NvtjcVu-t+bNJ#npVhq6Rxo$c`T zLUys-;_OO*x;kyDV4KktK!Rze+>)imRgK2z?DH^Tp62TExy0F|w9hJ9nIlkm!FW4o`jp2nVgKB zq^Y5Xm8+(xjgO_8v$Kh)u)Ds!qmsX!s<67EtCPvKoXpL&uf)R3$-S!6vX{oYmAI#* z&bZvK!l91m;Mvx|+RCY{*wxL%^V;^HuJyjove%iC0NcSUc8j1fWRs8y)Fn?|EL+tW z4ntRt*D!AL^tB3x1c66$qb#ngn5&qk227Z6`E*ekvt!2^vTS&z$%qjI^!bBn5Z|;- z45V=2aAe9Elk4cUqIK?8J5w7SAt=zN&z?V1o<4e6GS|$dhZ?l7V1WXcK~oxJZF-L& zz@7g8;{HOAqG|xF0zF+z2ba^)jDH$7HbWKmr3Zf}n#4JaCv9CkUjWWd{Wapd}0_XnBVLwf5n}4pdZyf&l|)nZplS_OJpA zI)DLy76+7}02FG(p@0}lz%fG^B4FSE8ZU$a1_cy=A%+fJ*l++CWI*8n6k&Lp2OK)Q z0Kym|P(a5QUwF`k9tU`;M;tGRF@qOOupx%PUX+-PDXmsD1Ox_9)rS>+AmC;HA3H#x z>5;^42r&j22l&9i1Uv|_0tO0@K|u%(*zkfG2joEk z8473-0uvb6@d5=CoQw3jOE(Qh3@SkGLDeC6k#!g*gh0U;I(&ct2Sb0r#80fcsVGyWC~JF93lH*jZiK_?N@~v0)BBTL7|1@P{*m1QZHn;M*W5K`T}80diQL207?K zophCkSl2@Zgt4oe3w9|BQ-L&VzA zcz_r^d_fN;c!2`o&<2orBZ|RuAQk6U1iNAJ0T-ys04h)wEYL>(O~&y<0unFGMj7EqvKT2Me3D6oa@MZpgakbxKu z0D={?U<^6{0OUB(Ckdcomoh*A6v)6seEm?E`zvO;LePdII4uTdh=C1oV34LrbBe^P z$_^Hg$vzNa3Y^px7b@9@Av^&BRX7m5J4Ht0D>@#Aq+fdT@)0sh8V;k3cFgC5GDNExmM8iPPU21-zZ008d> zti?hD`$hj>cRl zsK&T_h{3^PKmiqS0S7YB!@)@KfpX3OjUWI49L~Z80Hn7DHS|IYK;YOFgaBURLj!c4 z0S)N7;JRz*v#P0yOXh4J-fwC6dGc1D>#iEck)IeozAgR-ghlCUw1InS3@}1?F@-E- zfub`svUP5QgDhC*5I8^rZYj!%Ea3JGMaIDa?bsa>se*=F0HP$m)14(V0?bE24wJBq z97M3WL;)rhauOh39e6-hjmZZBF~SR|xMLX<`3GR=F%f9``67Pc!UQ~}0Nsg1BogUM zL}t>HL1!c&0oeyMD9wpBe82+goWM$uLLWW@de621OEd_*7nZDg9GGznBN%W500003 zo6g5V9s-PhoI=pO21j1d5 zX!p4s=Gcr&{EX?<{6jK)dC0c6{f>>eWHOItb-0yM>~3GD-K-|aUm!y4K6{%X--tCx vo - -

- <trademark class="registered">ModSecurity</trademark> Reference - Manual - - - Version 2.6.0-trunk (Feb 11, 2009) - - - 2004-2010 - - Breach Security, Inc. (http://www.breach.com) - - - -
- Introduction - - ModSecurity is a web application firewall (WAF). With over 70% of - attacks now carried out over the web application level, organisations need - all the help they can get in making their systems secure. WAFs are - deployed to establish an increased external security layer to detect - and/or prevent attacks before they reach web applications. ModSecurity - provides protection from a range of attacks against web applications and - allows for HTTP traffic monitoring and real-time analysis with little or - no changes to existing infrastructure. - -
- HTTP Traffic Logging - - Web servers are typically well-equipped to log traffic in a form - useful for marketing analyses, but fall short logging traffic to web - applications. In particular, most are not capable of logging the request - bodies. Your adversaries know this, and that is why most attacks are now - carried out via POST requests, rendering your systems blind. ModSecurity - makes full HTTP transaction logging possible, allowing complete requests - and responses to be logged. Its logging facilities also allow - fine-grained decisions to be made about exactly what is logged and when, - ensuring only the relevant data is recorded. As some of the request - and/or response may contain sensitive data in certain fields, - ModSecurity can be configured to mask these fields before they are - written to the audit log. -
- -
- Real-Time Monitoring and Attack Detection - - In addition to providing logging facilities, ModSecurity can - monitor the HTTP traffic in real time in order to detect attacks. In - this case, ModSecurity operates as a web intrusion detection tool, - allowing you to react to suspicious events that take place at your web - systems. -
- -
- Attack Prevention and Just-in-time Patching - - ModSecurity can also act immediately to prevent attacks from - reaching your web applications. There are three commonly used - approaches: - - - - Negative security model. A negative security model monitors - requests for anomalies, unusual behaviour, and common web - application attacks. It keeps anomaly scores for each request, IP - addresses, application sessions, and user accounts. Requests with - high anomaly scores are either logged or rejected altogether. - - - - Positive security model. When a positive security model is - deployed, only requests that are known to be valid are accepted, - with everything else rejected. This model requires knownledge of the - web applications you are protecting. Therefore a positive security - model works best with applications that are heavily used but rarely - updated so that maintenance of the model is minimized. - - - - Known weaknesses and vulnerabilities. Its rule language makes - ModSecurity an ideal external patching tool. External patching - (sometimes referred to as Virtual Patching) is about reducing the - window of opportunity. Time needed to patch application - vulnerabilities often runs to weeks in many organisations. With - ModSecurity, applications can be patched from the outside, without - touching the application source code (and even without any access to - it), making your systems secure until a proper patch is applied to - the application. - - -
- -
- Flexible Rule Engine - - A flexible rule engine sits in the heart of ModSecurity. It - implements the ModSecurity Rule Language, which is a specialised - programming language designed to work with HTTP transaction data. The - ModSecurity Rule Language is designed to be easy to use, yet flexible: - common operations are simple while complex operations are possible. - Certified ModSecurity Rules, included with ModSecurity, contain a - comprehensive set of rules that implement general-purpose hardening, - protocol validation and detection of common web application security - issues. Heavily commented, these rules can be used as a learning - tool. -
- -
- Embedded-mode Deployment - - ModSecurity is an embeddable web application firewall, which means - it can be deployed as part of your existing web server infrastructure - provided your web servers are Apache-based. This deployment method has - certain advantages: - - - - No changes to existing network. It only takes a few minutes to - add ModSecurity to your existing web servers. And because it was - designed to be completely passive by default, you are free to deploy - it incrementally and only use the features you need. It is equally - easy to remove or deactivate it if required. - - - - No single point of failure. Unlike with network-based - deployments, you will not be introducing a new point of failure to - your system. - - - - Implicit load balancing and scaling. Because it works embedded - in web servers, ModSecurity will automatically take advantage of the - additional load balancing and scalability features. You will not - need to think of load balancing and scaling unless your existing - system needs them. - - - - Minimal overhead. Because it works from inside the web server - process there is no overhead for network communication and minimal - overhead in parsing and data exchange. - - - - No problem with encrypted or compressed content. Many IDS - systems have difficulties analysing SSL traffic. This is not a - problem for ModSecurity because it is positioned to work when the - traffic is decrypted and decompressed. - - -
- -
- Network-based Deployment - - ModSecurity works equally well when deployed as part of an - Apache-based reverse proxy server, and many of our customers choose to - do so. In this scenario, one installation of ModSecurity can protect any - number of web servers (even the non-Apache ones). -
- -
- Portability - - ModSecurity is known to work well on a wide range of operating - systems. Our customers are successfully running it on Linux, Windows, - Solaris, FreeBSD, OpenBSD, NetBSD, AIX, Mac OS X, and HP-UX. -
- -
- Licensing - - ModSecurity is available under two licenses. Users can choose to - use the software under the terms of the GNU General Public License - version 2 (licence text is included with the distribution), as an Open - Source / Free Software product. A range of commercial licenses is also - available, together with a range of commercial support contracts. For - more information on commercial licensing please contact Breach - Security. - - - ModSecurity, mod_security, ModSecurity Pro, and ModSecurity Core - Rules are trademarks or registered trademarks of Breach Security, - Inc. - -
-
- -
- <trademark>ModSecurity Core Rules</trademark> - -
- Overview - - ModSecurity is a web application firewall engine that provides - very little protection on its own. In order to become useful, - ModSecurity must be configured with rules. In order to enable users to - take full advantage of ModSecurity out of the box, Breach Security, Inc. - is providing a free certified rule set for ModSecurity 2.x. Unlike - intrusion detection and prevention systems, which rely on signatures - specific to known vulnerabilities, the Core Rules provide generic - protection from unknown vulnerabilities often found in web applications, - which are in most cases custom coded. The Core Rules are heavily - commented to allow it to be used as a step-by-step deployment guide for - ModSecurity. The latest Core Rules can be found at the ModSecurity - website - http://www.modsecurity.org/projects/rules/. -
- -
- Core Rules Content - - In order to provide generic web applications protection, the Core - Rules use the following techniques: - - - - HTTP protection - detecting violations of the HTTP protocol - and a locally defined usage policy. - - - - Common Web Attacks Protection - detecting common web - application security attack. - - - - Automation detection - Detecting bots, crawlers, scanners and - other surface malicious activity. - - - - Trojan Protection - Detecting access to Trojans horses. - - - - Error Hiding - Disguising error messages sent by the - server. - - -
-
- -
- Installation - - ModSecurity installation requirements: - - - - ModSecurity 2.x works only with Apache 2.0.x or higher. Version - 2.2.x is highly recommended. - - - - Make sure you have mod_unique_id installed. - - mod_unique_id is packaged with Apache httpd. - - - - libapr and libapr-util - - http://apr.apache.org/ - - - - libpcre - - http://www.pcre.org/ - - - - libxml2 - - http://xmlsoft.org/downloads.html - - - - liblua v5.1.x - - This library is optional and only needed if you will be using - the new Lua engine. - - http://www.lua.org/download.html - - Note that ModSecurity requires the dynamic libraries. These are - not built by default in the source distribution, so the binary - distribution is recommended. - - - - libcurl v7.15.1 or higher - - If you will be using the ModSecurity Log Collector (mlogc) to - send audit logs to a central repository, then you will also need the - curl library. - - http://curl.haxx.se/libcurl/ - - - Many have had issues with libcurl linked with the GnuTLS - library for SSL/TLS support. It is recommended that the openssl - library be used for SSL/TLS support in libcurl. - - - - - ModSecurity installation consists of the following steps: - - - - Stop Apache httpd - - - - Unpack the ModSecurity archive - - - - Building differs for UNIX (or UNIX-like) operating systems and - Windows. - - - - UNIX - - - - Run the configure script to generate a Makefile. - Typically no options are needed except the prefix directory - for installation and possibly the location of the Apache apxs - (or apxs2) utility: - - ./configure --prefix=/usr/local/modsecurity - --with-apxs=/path/to/httpd-2.x.y/bin/apxs - - Other options are available for more customization (use - ./configure --help for a full list). - - - There are certain configure options that are meant for - debugging an other development use. If enabled, these - options can substantially impact performance. These options - include all --debug-* options as well as - the --enable-performance-measurements - options. - - - - - Compile with: make - - - - Optionally test with: make - test - - - This is step is still a bit experimental. If you have - problems, please send the full output and error from the - build to the support list. Most common issues are related to - not finding the required headers and/or libraries. - - - - - Install ModSecurity module and utilities with: - make install - - - - - - Windows (MS VC++ 8) - - - - Edit Makefile.win to configure the - Apache base and library paths. - - - - Compile with: nmake -f - Makefile.win - - - - Install the ModSecurity module with: nmake -f - Makefile.win install - - - - Copy the libxml2.dll and - lua5.1.dll to the Apache - bin directory. Alternatively you can follow - the step below for using LoadFile to load these - libraries. - See the included - README_WINDOWS.TXT file for more - details. This file contains the Windows build notes from - Tom Donovan who helps with the Apache Lounge builds - (http://www.apachelounge.com/). - - - - - - - - - Edit the main Apache httpd config file (usually - httpd.conf) - - On UNIX (and Windows if you did not copy the DLLs as stated - above) you must load libxml2 and lua5.1 before ModSecurity with - something like this: - - LoadFile /usr/lib/libxml2.so -LoadFile /usr/lib/liblua5.1.so - - Load the ModSecurity module with:LoadModule security2_module modules/mod_security2.so - - - - Configure ModSecurity - - - - Start Apache httpd - - - - You should now have ModSecurity 2.x up and running. - - - - - If you have compiled Apache yourself you might experience problems - compiling ModSecurity against PCRE. This is because Apache bundles PCRE - but this library is also typically provided by the operating system. I - would expect most (all) vendor-packaged Apache distributions to be - configured to use an external PCRE library (so this should not be a - problem). - - You want to avoid Apache using the bundled PCRE library and - ModSecurity linking against the one provided by the operating system. - The easiest way to do this is to compile Apache against the PCRE library - provided by the operating system (or you can compile it against the - latest PCRE version you downloaded from the main PCRE distribution - site). You can do this at configure time using the --with-pcre switch. If you are not in a - position to recompile Apache, then, to compile ModSecurity successfully, - you'd still need to have access to the bundled PCRE headers (they are - available only in the Apache source code) and change the include path - for ModSecurity (as you did in step 7 above) to point to them (via the - --with-pcre ModSecurity configure option). - - Do note that the current version of PCRE packaged with Apache - 2.2.14 is using an older version which does not support some of the more - advanced features to aide in preventing regex denial of service attacks - (REDoS) on poorly designed regular expressions. - - Non-gcc compilers may have problems running out-of-the-box as the - current build system was designed around the gcc compiler and some - compiler/linker flags may differ. To use a non-gcc compiler you may need - some manual Makefile tweaks if issues cannot be solved by exporting - custom CFLAGS and CPPFLAGS environment variables. - - If you are upgrading from ModSecurity 1.x, please refer to the - migration matrix at http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf - -
- -
- Configuration Directives - - The following section outlines all of the ModSecurity directives. - Most of the ModSecurity directives can be used inside the various Apache - Scope Directives such as VirtualHost, - Location, LocationMatch, - Directory, etc... There are others, however, that can - only be used once in the main configuration file. This information is - specified in the Scope sections below. The first version to use a given - directive is given in the Version sections below. - - These rules, along with the Core rules files, should be contained is - files outside of the httpd.conf file and called up with Apache "Include" - directives. This allows for easier updating/migration of the rules. If you - create your own custom rules that you would like to use with the Core - rules, you should create a file called - - modsecurity_crs_15_customrules.conf and place it in - the same directory as the Core rules files. By using this file name, your - custom rules will be called up after the standard ModSecurity Core rules - configuration file but before the other Core rules. This allows your rules - to be evaluated first which can be useful if you need to implement - specific "allow" rules or to correct any false positives in the Core rules - as they are applied to your site. - - - It is highly encouraged that you do not edit the Core rules files - themselves but rather place all changes (such as - SecRuleRemoveByID, etc...) in your custom rules file. - This will allow for easier upgrading as newer Core rules are released by - Breach Security on the ModSecurity website. - - -
- <literal>SecAction</literal> - - Description: Unconditionally processes the - action list it receives as the first and only parameter. It accepts one - parameter, the syntax of which is identical to the third parameter - of SecRule. - - Syntax: SecAction - action1,action2,action3 - - Example Usage: SecAction - nolog,phase:1,initcol:RESOURCE=%{REQUEST_FILENAME} - - Processing Phase: Any - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: None - - SecAction is best used when you unconditionally execute an action. - This is explicit triggering whereas the normal actions are conditional - based on data inspection of the request/response. This is a useful - directive when you want to run certain actions such as - initcol to initialize collections. -
- -
- <literal>SecArgumentSeparator</literal> - - Description: Specifies which character to use - as separator for - application/x-www-form-urlencoded content. Defaults to - &. Applications are sometimes - (very rarely) written to use a semicolon (;). - - Syntax: SecArgumentSeparator character - - Example Usage: SecArgumentSeparator ; - - Processing Phase: Any - - Scope: Main - - Version: 2.0.0 - - Dependencies/Notes: None - - This directive is needed if a backend web application is using a - non-standard argument separator. If this directive is not set properly - for each web application, then ModSecurity will not be able to parse the - arguments appropriately and the effectiveness of the rule matching will - be significantly decreased. -
- -
- <literal>SecAuditEngine</literal> - - Description: Configures the audit logging - engine. - - Syntax: SecAuditEngine On|Off|RelevantOnly - - Example Usage: SecAuditEngine On - - Processing Phase: N/A - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: Can be set/changed with - the "ctl" action for the current transaction. - - Example: The following example shows the various audit directives - used together. - - SecAuditEngine RelevantOnly -SecAuditLog logs/audit/audit.log -SecAuditLogParts ABCFHZ -SecAuditLogType concurrent -SecAuditLogStorageDir logs/audit -SecAuditLogRelevantStatus ^(?:5|4\d[^4]) - - Possible values are: - - - - On - log all transactions - by default. - - - - Off - do not log - transactions by default. - - - - RelevantOnly - by default - only log transactions that have triggered a warning or an error, or - have a status code that is considered to be relevant (see SecAuditLogRelevantStatus). - - -
- -
- <literal>SecAuditLog</literal> - - Description: Defines the path to the main - audit log file. - - Syntax: SecAuditLog - /path/to/auditlog - - Example Usage: SecAuditLog - /usr/local/apache/logs/audit.log - - Processing Phase: N/A - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: This file is open on - startup when the server typically still runs as - root. You should not allow non-root users to have write - privileges for this file or for the directory it is stored in.. - - This file will be used to store the audit log entries if serial - audit logging format is used. If concurrent audit logging format is used - this file will be used as an index, and contain a record of all audit - log files created. If you are planning to use Concurrent audit logging - and sending your audit log data off to a remote Console host or - commercial ModSecurity Management Appliance, then you will need to - configure and use the ModSecurity Log Collector (mlogc) and use the - following format for the audit log: - - - Prior to 2.5.13 you may have been able to use a relative path to - a piped logger command, but this was broken on some platforms and the - feature was removed in 2.5.13 to make the platforms more - consitent. - - - SecAuditLog "|/path/to/mlogc /path/to/mlogc.conf" -
- -
- <literal>SecAuditLog2</literal> - - Description: Defines the path to the - secondary audit log index file when concurrent logging is enabled. See - SecAuditLog2 for more details. - - Syntax: SecAuditLog2 - /path/to/auditlog2 - - Example Usage: SecAuditLog2 - /usr/local/apache/logs/audit2.log - - Processing Phase: N/A - - Scope: Any - - Version: 2.1.2 - - Dependencies/Notes: A main audit log must be - defined via SecAuditLog before this - directive may be used. Additionally, this log is only used for - replicating the main audit log index file when concurrent audit logging - is used. It will not be used for non-concurrent - audit logging. -
- -
- <literal>SecAuditLogDirMode</literal> - - Description: Configures the mode - (permissions) of any directories created for concurrent audit logs using - an octal mode (as used in chmod). See SecAuditLogFileMode for controlling the mode - of audit log files. - - Syntax: SecAuditLogDirMode octal_mode|"default" - - Example Usage: SecAuditLogDirMode 02750 - - Processing Phase: N/A - - Scope: Any - - Version: 2.5.10 - - Dependencies/Notes: This feature is not - available on operating systems not supporting octal file modes. The - default mode (0600) only grants read/write access to the account writing - the file. If access from another account is needed (using mpm-itk is a - good example), then this directive may be required. However, use this - directive with caution to avoid exposing potentially sensitive data to - unauthorized users. Using the value "default" will revert back to the - default setting. - - - The process umask may still limit the mode if it is being more - restrictive than the mode set using this directive. - -
- -
- <literal>SecAuditLogFileMode</literal> - - Description: Configures the mode - (permissions) of any files created for concurrent audit logs using an - octal mode (as used in chmod). See SecAuditLogDirMode for controlling the mode of - created audit log directories. - - Syntax: SecAuditLogFileMode - octal_mode|"default" - - Example Usage: SecAuditLogFileMode 00640 - - Processing Phase: N/A - - Scope: Any - - Version: 2.5.10 - - Dependencies/Notes: This feature is not - available on operating systems not supporting octal file modes. The - default mode (0600) only grants read/write access to the account writing - the file. If access from another account is needed (using mpm-itk is a - good example), then this directive may be required. However, use this - directive with caution to avoid exposing potentially sensitive data to - unauthorized users. Using the value "default" will revert back to the - default setting. - - - The process umask may still limit the mode if it is being more - restrictive than the mode set using this directive. - -
- -
- <literal>SecAuditLogParts</literal> - - Description: Defines which part of each - transaction are going to be recorded in audit log. Each part is assigned - a single letter. If a letter appears in the list then the equivalent - part of each transactions will be recorded. See below for the list of - all parts. - - Syntax: SecAuditLogParts PARTS - - Example Usage: SecAuditLogParts ABCFHZ - - Processing Phase: N/A - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: At this time ModSecurity - does not log response bodies of stock Apache responses (e.g. 404), or the Server and Date response headers. - - Default: ABCFHZ. - - - Please refer to the ModSecurity Data Formats document for a - detailed description of every available part. - - - Available audit log parts: - - - - A - audit log header - (mandatory) - - - - B - request headers - - - - C - request body (present - only if the request body exists and ModSecurity is configured to - intercept it) - - - - D - RESERVED for - intermediary response headers, not implemented yet. - - - - E - intermediary response - body (present only if ModSecurity is configured to intercept - response bodies, and if the audit log engine is configured to record - it). Intermediary response body is the same as the actual response - body unless ModSecurity intercepts the intermediary response body, - in which case the actual response body will contain the error - message (either the Apache default error message, or the - ErrorDocument page). - - - - F - final response headers - (excluding the Date and Server headers, which are always added by - Apache in the late stage of content delivery). - - - - G - RESERVED for the actual - response body, not implemented yet. - - - - H - audit log - trailer - - - - I - This part is a - replacement for part C. It will log the same data as C in all cases - except when multipart/form-data - encoding in used. In this case it will log a fake application/x-www-form-urlencoded body - that contains the information about parameters but not about the - files. This is handy if you don't want to have (often large) files - stored in your audit logs. - - - - J - RESERVED. This part, - when implemented, will contain information about the files uploaded - using multipart/form-data encoding. - - - - K - This part contains a - full list of every rule that matched (one per line) in the order - they were matched. The rules are fully qualified and will thus show - inherited actions and default operators. Supported as of - v2.5.0 - - - - Z - final boundary, - signifies the end of the entry (mandatory) - - -
- -
- <literal>SecAuditLogRelevantStatus</literal> - - Description: Configures which response status - code is to be considered relevant for the purpose of audit - logging. - - Syntax: SecAuditLogRelevantStatus REGEX - - Example Usage: SecAuditLogRelevantStatus - ^(?:5|4\d[^4]) - - Processing Phase: N/A - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: Must have the - SecAuditEngine set to - RelevantOnly. The parameter is a regular - expression. - - The main purpose of this directive is to allow you to configure - audit logging for only transactions that generate the specified HTTP - Response Status Code. This directive is often used to the decrease the - total size of the audit log file. Keep in mind that if this parameter is - used, then successful attacks that result in a 200 OK status code will - not be logged. -
- -
- <literal>SecAuditLogStorageDir</literal> - - Description: Configures the storage directory - where concurrent audit log entries are to be stored. - - Syntax: SecAuditLogStorageDir - /path/to/storage/dir - - Example Usage: SecAuditLogStorageDir - /usr/local/apache/logs/audit - - Processing Phase: N/A - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: SecAuditLogType must be - set to Concurrent. The directory must already be created before starting - Apache and it must be writable by the web server user as new files are - generated at runtime. - - As with all logging mechanisms, ensure that you specify a file - system location that has adequate disk space and is not on the root - partition. -
- -
- <literal>SecAuditLogType</literal> - - Description: Configures the type of audit - logging mechanism to be used. - - Syntax: SecAuditLogType Serial|Concurrent - - Example Usage: SecAuditLogType Serial - - Processing Phase: N/A - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: Must specify - SecAuditLogStorageDir if you use concurrent - logging. - - Possible values are: - - - - Serial - all audit log - entries will be stored in the main audit logging file. This is more - convenient for casual use but it is slower as only one audit log - entry can be written to the file at any one file. - - - - Concurrent - audit log - entries will be stored in separate files, one for each transaction. - Concurrent logging is the mode to use if you are going to send the - audit log data off to a remote ModSecurity Console host. - - -
- -
- <literal>SecCacheTransformations</literal> - (Deprecated/Experimental) - - Description: Controls caching of - transformations. Caching is off by default starting with 2.5.6, when it - was deprecated and downgraded back to experimental. - - Syntax: SecCacheTransformations On|Off - [options] - - Example Usage: SecCacheTransformations On - "minlen:64,maxlen:0" - - Processing Phase: N/A - - Scope: Any - - Version: 2.5.0 - - Dependencies/Notes: N/A - - First parameter: - - - - On - cache transformations - (per transaction, per phase) allowing identical transformations to - be performed only once. (default) - - - - Off - do not cache any - transformations, forcing all transformations to be performed for - each rule executed. - - - - The following options are allowed (comma separated): - - - - incremental:on|off - - enabling this option will cache every transformation instead of just - the final transformation. (default: off) - - - - maxitems:N - do not allow - more than N transformations to be cached. The cache will then be - disabled. A zero value is interpreted as "unlimited". This option - may be useful to limit caching for a form with a large number of - ARGS. (default: 512) - - - - minlen:N - do not cache the - transformation if the value's length is less than N bytes. (default: - 32) - - - - maxlen:N - do not cache the - transformation if the value's length is more than N bytes. A zero - value is interpreted as "unlimited". (default: 1024) - - -
- -
- <literal>SecChrootDir</literal> - - Description: Configures the directory path - that will be used to jail the web server process. - - Syntax: SecChrootDir - /path/to/chroot/dir - - Example Usage: SecChrootDir /chroot - - Processing Phase: N/A - - Scope: Main - - Version: 2.0.0 - - Dependencies/Notes: This feature is not - available on Windows builds. The internal chroot functionality provided - by ModSecurity works great for simple setups. One example of a simple - setup is Apache serving static files only, or running scripts using - modules.builds. Some problems you might encounter with more complex - setups: - - - - DNS lookups do not work (this is because this feature requires - a shared library that is loaded on demand, after chroot takes - place). - - - - You cannot send email from PHP because it uses sendmail and - sendmail is outside the jail. - - - - In some cases Apache graceful (reload) no longer works. - - - - You should be aware that the internal chroot feature might not be - 100% reliable. Due to the large number of default and third-party - modules available for the Apache web server, it is not possible to - verify the internal chroot works reliably with all of them. A module, - working from within Apache, can do things that make it easy to break out - of the jail. In particular, if you are using any of the modules that - fork in the module initialisation phase (e.g. - mod_fastcgi, mod_fcgid, - mod_cgid), you are advised to examine each Apache - process and observe its current working directory, process root, and the - list of open files. Consider what your options are and make your own - decision. -
- -
- <literal>SecComponentSignature</literal> - - Description: Appends component signature to - the ModSecurity signature. - - Syntax: SecComponentSignature - "COMPONENT_NAME/X.Y.Z (COMMENT)" - - Example usage: SecComponentSignature - "Core Rules/1.2.3" - - Processing Phase: N/A - - Scope: Main - - Version: 2.5.0 - - Dependencies/Notes: This directive should be - used to make the presence of significant ModSecurity components known. - The entire signature will be recorded in transaction audit log. It - should be used by ModSecurity module and rule set writers to make - debugging easier. -
- -
- <literal>SecContentInjection</literal> - - Description: Enables content injection using - actions append and prepend. - - Syntax: SecContentInjection - (On|Off) - - Example Usage: SecContentInjection - On - - Processing Phase: N/A - - Scope: Any - - Version: 2.5.0 - - Dependencies/Notes: N/A -
- -
- <literal>SecCookieFormat</literal> - - Description: Selects the cookie format that - will be used in the current configuration context. - - Syntax: SecCookieFormat 0|1 - - Example Usage: SecCookieFormat 0 - - Processing Phase: N/A - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: None - - Possible values are: - - - - 0 - use version 0 - (Netscape) cookies. This is what most applications use. It is the - default value. - - - - 1 - use version 1 - cookies. - - -
- -
- <literal>SecDataDir</literal> - - Description: Path where persistent data (e.g. - IP address data, session data, etc) is to be stored. - - Syntax: SecDataDir - /path/to/dir - - Example Usage: SecDataDir /usr/local/apache/logs/data - - Processing Phase: N/A - - Scope: Main - - Dependencies/Notes: This directive is needed - when initcol, setsid an setuid are used. Must be writable by the web - server user. -
- -
- <literal>SecDebugLog</literal> - - Description: Path to the ModSecurity debug - log file. - - Syntax: SecDebugLog - /path/to/modsec-debug.log - - Example Usage: SecDebugLog - /usr/local/apache/logs/modsec-debug.log - - Processing Phase: N/A - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: None -
- -
- <literal>SecDebugLogLevel</literal> - - Description: Configures the verboseness of - the debug log data. - - Syntax: SecDebugLogLevel 0|1|2|3|4|5|6|7|8|9 - - Example Usage: SecDebugLogLevel 4 - - Processing Phase: N/A - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: Levels 1 - 3 are always sent to the Apache error log. - Therefore you can always use level 0 - as the default logging level in production. Level 5 is useful when debugging. It is not - advisable to use higher logging levels in production as excessive - logging can slow down server significantly. - - Possible values are: - - - - 0 - no logging. - - - - 1 - errors (intercepted - requests) only. - - - - 2 - warnings. - - - - 3 - notices. - - - - 4 - details of how - transactions are handled. - - - - 5 - as above, but including - information about each piece of information handled. - - - - 9 - log everything, - including very detailed debugging information. - - -
- -
- <literal>SecDefaultAction</literal> - - Description: Defines the default action to - take on a rule match. - - Syntax: SecDefaultAction - action1,action2,action3 - - Example Usage: SecDefaultAction - log,auditlog,deny,status:403,phase:2 - - Processing Phase: Any - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: Rules following a - SecDefaultAction directive will inherit this setting - unless a specific action is specified for an individual rule or until - another SecDefaultAction is specified. Take special - note that in the logging disruptive actions are not allowed, but this - can inadvertently be inherited using a disruptive action in - SecDefaultAction. - - The default value is minimal (differing from previous - versions): - - SecDefaultAction phase:2,log,auditlog,pass - - - SecDefaultAction must specify a disruptive - action and a processing phase and cannot contain metadata - actions. - - - - SecDefaultAction is not - inherited across configuration contexts. (For an example of why this - may be a problem for you, read the following ModSecurity Blog entry - http://blog.modsecurity.org/2008/07/modsecurity-tri.html). - -
- -
- <literal>SecGeoLookupDb</literal> - - Description: Defines the path to the - geographical database file. - - Syntax: SecGeoLookupDb /path/to/db - - Example Usage: SecGeoLookupDb - /usr/local/geo/data/GeoLiteCity.dat - - Processing Phase: N/A - - Scope: Any - - Version: 2.5.0 - - Dependencies/Notes: Check out - maxmind.com for free database files. -
- -
- <literal>SecGuardianLog</literal> - - Description: Configuration directive to use - the httpd-guardian script to monitor for Denial of Service (DoS) - attacks. - - Syntax: SecGuardianLog |/path/to/httpd-guardian - - Example Usage: SecGuardianLog - |/usr/local/apache/bin/httpd-guardian - - Processing Phase: N/A - - Scope: Main - - Version: 2.0.0 - - Dependencies/Notes: By default httpd-guardian - will defend against clients that send more than 120 requests in a - minute, or more than 360 requests in five minutes. - - Since 1.9, ModSecurity supports a new directive, SecGuardianLog, - that is designed to send all access data to another program using the - piped logging feature. Since Apache is typically deployed in a - multi-process fashion, making information sharing difficult, the idea is - to deploy a single external process to observe all requests in a - stateful manner, providing additional protection. - - Development of a state of the art external protection tool will be - a focus of subsequent ModSecurity releases. However, a fully functional - tool is already available as part of the Apache httpd tools - project. The tool is called httpd-guardian and can be used to - defend against Denial of Service attacks. It uses the blacklist tool - (from the same project) to interact with an iptables-based (Linux) or - pf-based (*BSD) firewall, dynamically blacklisting the offending IP - addresses. It can also interact with SnortSam (http://www.snortsam.net). - Assuming httpd-guardian is already configured (look into the source code - for the detailed instructions) you only need to add one line to your - Apache configuration to deploy it: - - SecGuardianLog |/path/to/httpd-guardian -
- -
- <literal>SecMarker</literal> - - Description: Adds a fixed rule marker in the - ruleset to be used as a target in a skipAfter action. - A SecMarker directive essentially creates a rule that - does nothing and whose only purpose it to carry the given ID. - - Syntax: SecMarker - ID - - Example Usage: SecMarker 9999 - - Processing Phase: Any - - Scope: Any - - Version: 2.5.0 - - Dependencies/Notes: None - - SecRule REQUEST_URI "^/$" \ - "chain,t:none,t:urlDecode,t:lowercase,t:normalisePath,skipAfter:99" -SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain" -SecRule REQUEST_HEADERS:User-Agent \ - "^Apache \(internal dummy connection\)$" "t:none" -SecRule &REQUEST_HEADERS:Host "@eq 0" \ - "deny,log,status:400,id:08,severity:4,msg:'Missing a Host Header'" -SecRule &REQUEST_HEADERS:Accept "@eq 0" \ - "log,deny,log,status:400,id:15,msg:'Request Missing an Accept Header'" - -SecMarker 99 -
- -
- <literal>SecPcreMatchLimit</literal> - - Description:Sets the the match limit in the - PCRE library. See the pcre_extra field in the pcreapi man page. - - Syntax: SecPcreMatchLimit value - - Example Usage: SecPcreMatchLimit 1500 - - Processing Phase: N/A - - Scope: Global - - Version: 2.5.12 - - Dependencies/Notes: Default is set at compile - (1500 by default). See also - SecPcreMatchLimitRecursion - - If the limits are exceeded this will be logged at level 3 in the - debug log, added as a Message line in the audit log and the TX:MSC_PCRE_LIMITS_EXCEEDED flag will be set - to a non-zero value. To prevent bypass, you should write a rule to check - for the existance of the TX:MSC_PCRE_LIMITS_EXCEEDED flag. - - SecPcreMatchLimit 100 -SecPcreMatchLimitRecursion 100 - ... -SecRule TX:/^MSC_/ "!@eq 0" "phase:5,pass,log,auditlog,msg:'Potential REDoS'" - - - The --enable-pcre-match-limit=val configure - option will set a custom default and the - --disable-pcre-match-limit option will resort to - the compiled PCRE library default. - -
- -
- <literal>SecPcreMatchLimitRecursion</literal> - - Description:Sets the the match limit - recursion in the PCRE library. See the pcre_extra field in the pcreapi - man page. - - Syntax: SecPcreMatchLimitRecursion value - - Example Usage: SecPcreMatchLimitRecursion 1500 - - Processing Phase: N/A - - Scope: Global - - Version: 2.5.12 - - Dependencies/Notes: Default is set at compile - (1500 by default). See also SecPcreMatchLimit - - If the limits are exceeded this will be logged at level 3 in the - debug log, added as a Message line in the audit log and the TX:MSC_PCRE_LIMITS_EXCEEDED flag will be set - to a non-zero value. To prevent bypass, you should write a rule to check - for the existance of the TX:MSC_PCRE_LIMITS_EXCEEDED flag. - - SecPcreMatchLimit 100 -SecPcreMatchLimitRecursion 100 - ... -SecRule TX:/^MSC_/ "!@eq 0" "phase:5,pass,log,auditlog,msg:'Potential REDoS'" - - - The --enable-pcre-match-limit-recursion=val - configure option will set a custom default and the - --disable-pcre-match-limit-recursion option will - resort to the compiled PCRE library default. - -
- -
- <literal>SecPdfProtect</literal> - - Description: Enables the PDF XSS protection - functionality. Once enabled access to PDF files is tracked. Direct - access attempts are redirected to links that contain one-time tokens. - Requests with valid tokens are allowed through unmodified. Requests with - invalid tokens are also allowed through but with forced download of the - PDF files. This implementation uses response headers to detect PDF files - and thus can be used with dynamically generated PDF files that do not - have the .pdf extension in the request URI. - - Syntax: SecPdfProtect On|Off - - Example Usage: SecPdfProtect On - - Processing Phase: N/A - - Scope: Any - - Version: 2.5.0 - - Dependencies/Notes: None -
- -
- <literal>SecPdfProtectMethod</literal> - - Description: Configure desired protection - method to be used when requests for PDF files are detected. Possible - values are TokenRedirection and - ForcedDownload. The token redirection approach will - attempt to redirect with tokens where possible. This allows PDF files to - continue to be opened inline but only works for GET requests. Forced - download always causes PDF files to be delivered as opaque binaries and - attachments. The latter will always be used for non-GET requests. Forced - download is considered to be more secure but may cause usability - problems for users ("This PDF won't open anymore!"). - - Syntax: SecPdfProtectMethod method - - Example Usage: SecPdfProtectMethod TokenRedirection - - Processing Phase: N/A - - Scope: Any - - Version: 2.5.0 - - Dependencies/Notes: None - - Default: - TokenRedirection -
- -
- <literal>SecPdfProtectSecret</literal> - - Description: Defines the secret that will be - used to construct one-time tokens. You should use a reasonably long - value for the secret (e.g. 16 characters is good). Once selected the - secret should not be changed as it will break the tokens that were sent - prior to change. But it's not a big deal even if you change it. It will - just force download of PDF files with tokens that were issued in the - last few seconds. - - Syntax: SecPdfProtectSecret secret - - Example Usage: SecPdfProtectSecret - MyRandomSecretString - - Processing Phase: N/A - - Scope: Any - - Version: 2.5.0 - - Dependencies/Notes: None -
- -
- <literal>SecPdfProtectTimeout</literal> - - Description: Defines the token timeout. After - token expires it can no longer be used to allow access to PDF file. - Request will be allowed through but the PDF will be delivered as - attachment. - - Syntax: SecPdfProtectTimeout timeout - - Example Usage: SecPdfProtectTimeout 10 - - Processing Phase: N/A - - Scope: Any - - Version: 2.5.0 - - Dependencies/Notes: None - - Default: 10 -
- -
- <literal>SecPdfProtectTokenName</literal> - - Description: Defines the name of the token. - The only reason you would want to change the name of the token is if you - wanted to hide the fact you are running ModSecurity. It's a good reason - but it won't really help as the adversary can look into the algorithm - used for PDF protection and figure it out anyway. It does raise the bar - slightly so go ahead if you want to. - - Syntax: SecPdfProtectTokenName name - - Example Usage: SecPdfProtectTokenName PDFTOKEN - - Processing Phase: N/A - - Scope: Any - - Version: 2.5.0 - - Dependencies/Notes: None - - Default: PDFTOKEN -
- -
- <literal>SecRequestBodyAccess</literal> - - Description: Configures whether request - bodies will be buffered and processed by ModSecurity by default. - - Syntax: SecRequestBodyAccess On|Off - - Example Usage: SecRequestBodyAccess On - - Processing Phase: N/A - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: This directive is - required if you plan to inspect request bodies. Inspection can only be - carried out in phases 2 and higher, using the - REQUEST_BODY variable/location. If any of these 3 - conditions aren't satisfied, the inspection will not work. - - Possible values are: - - - - On - access request - bodies. - - - - Off - do not attempt to - access request bodies. - - -
- -
- <literal>SecRequestBodyLimit</literal> - - Description: Configures the maximum request - body size ModSecurity will accept for buffering. - - Syntax: SecRequestBodyLimit NUMBER_IN_BYTES - - Example Usage: SecRequestBodyLimit 134217728 - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: 131072 KB (134217728 - bytes) is the default setting. Anything over this limit will be rejected - with status code 413 Request Entity Too Large. There is a hard limit of - 1 GB. -
- -
- <literal>SecRequestBodyNoFilesLimit</literal> - - Description: Configures the maximum request - body size ModSecurity will accept for buffering, excluding the size of - files being transported in the request. This directive comes handy to - further reduce susceptibility to DoS attacks when someone is sending - request bodies of very large sizes. Web applications that require file - uploads must configure SecRequestBodyLimit to a high - value. Since large files are streamed to disk file uploads will not - increase memory consumption. However, it's still possible for someone to - take advantage of a large request body limit and send non-upload - requests with large body sizes. This directive eliminates that - loophole. - - Syntax: SecRequestBodyNoFilesLimit - NUMBER_IN_BYTES - - Example Usage: SecRequestBodyLimit 131072 - - Scope: Any - - Version: 2.5.0 - - Dependencies/Notes: 1 MB (1048576 bytes) is - the default setting. This value is very conservative. For most - applications you should be able to reduce it down to 128 KB or lower. - Anything over the limit will be rejected with status code 413 - Request Entity Too Large. There is a hard limit of 1 - GB. -
- -
- <literal>SecRequestBodyInMemoryLimit</literal> - - Description: Configures the maximum request - body size ModSecurity will store in memory. - - Syntax: SecRequestBodyInMemoryLimit - NUMBER_IN_BYTES - - Example Usage: SecRequestBodyInMemoryLimit 131072 - - Processing Phase: N/A - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: None - - By default the limit is 128 KB: - - # Store up to 128 KB in memory -SecRequestBodyInMemoryLimit 131072 -
- -
- <literal>SecResponseBodyLimit</literal> - - Description: Configures the maximum response - body size that will be accepted for buffering. - - Syntax: SecResponseBodyLimit NUMBER_IN_BYTES - - Example Usage: SecResponseBodyLimit 524228 - - Processing Phase: N/A - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: Anything over this limit - will be rejected with status code 500 Internal Server Error. This - setting will not affect the responses with MIME types that are not - marked for buffering. There is a hard limit of 1 GB. - - By default this limit is configured to 512 KB: - - # Buffer response bodies of up to 512 KB in length -SecResponseBodyLimit 524288 -
- -
- <literal>SecResponseBodyLimitAction</literal> - - Description: Controls what happens once a - response body limit, configured with - SecResponseBodyLimit, is encountered. By default - ModSecurity will reject a response body that is longer than specified. - Some web sites, however, will produce very long responses making it - difficult to come up with a reasonable limit. Such sites would have to - raise the limit significantly to function properly defying the purpose - of having the limit in the first place (to control memory consumption). - With the ability to choose what happens once a limit is reached site - administrators can choose to inspect only the first part of the - response, the part that can fit into the desired limit, and let the rest - through. Some could argue that allowing parts of responses to go - uninspected is a weakness. This is true in theory but only applies to - cases where the attacker controls the output (e.g. can make it arbitrary - long). In such cases, however, it is not possible to prevent leakage - anyway. The attacker could compress, obfuscate, or even encrypt data - before it is sent back, and therefore bypass any monitoring - device. - - Syntax: SecResponseBodyLimitAction - Reject|ProcessPartial - - Example Usage: - SecResponseBodyLimitAction ProcessPartial - - Processing Phase: N/A - - Scope: Any - - Version: 2.5.0 - - Dependencies/Notes: None -
- -
- <literal>SecResponseBodyMimeType</literal> - - Description: Configures which MIME types are to be considered for response - body buffering. - - Syntax: SecResponseBodyMimeType mime/type - - Example Usage: SecResponseBodyMimeType text/plain - text/html - - Processing Phase: N/A - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: Multiple SecResponseBodyMimeType directives can be - used to add to the list of MIME - types. You can also use the special null value to - request ModSecurity to inspect the bodies of the responses that do not - specify a MIME type. - - The default value is text/plain - text/html: - - SecResponseBodyMimeType text/plain text/html -
- -
- <literal>SecResponseBodyMimeTypesClear</literal> - - Description: Clears the list of MIME types considered for response body - buffering, allowing you to start populating the list from - scratch. - - Syntax: SecResponseBodyMimeTypesClear - - Example Usage: SecResponseBodyMimeTypesClear - - Processing Phase: N/A - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: None -
- -
- <literal>SecResponseBodyAccess</literal> - - Description: Configures whether response - bodies are to be buffer and analysed or not. - - Syntax: SecResponseBodyAccess On|Off - - Example Usage: SecResponseBodyAccess On - - Processing Phase: N/A - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: This directive is - required if you plan to inspect HTML responses. This directive must be - used along with the "phase:4" processing phase action and RESPONSE_BODY - variable/location. If any of these 3 parts are not configured, you will - not be able to inspect the response bodies. - - Possible values are: - - - - On - access response bodies - (but only if the MIME type matches, see above). - - - - Off - do not attempt to - access response bodies. - - -
- -
- <literal>SecRule</literal> - - Description: SecRule is the main ModSecurity directive. It - is used to analyse data and perform actions based on the results. - - Syntax: SecRule - VARIABLES OPERATOR [ACTIONS] - - Example Usage: SecRule REQUEST_URI "attack" \ - - - "phase:1,t:none,t:urlDecode,t:lowercase,t:normalisePath" - - Processing Phase: Any - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: None - - In general, the format of this rule is as follows: - - SecRule VARIABLES OPERATOR [ACTIONS] - - The second part, OPERATOR, - specifies how they are going to be checked. The third (optional) part, - ACTIONS, specifies what to do - whenever the operator used performs a successful match against a - variable. - -
- Variables in rules - - The first part, VARIABLES, - specifies which variables are to be checked. For example, the - following rule will reject a transaction that has the word - dirty in the URI: - - SecRule ARGS dirty - - Each rule can specify one or more variables: - - SecRule ARGS|REQUEST_HEADERS:User-Agent dirty - - There is a third format supported by the selection operator - - XPath expression. XPath expressions can only used against the special - variable XML, which is available only of the request body was - processed as XML. - - SecRule XML:/xPath/Expression dirty - - - Not all collections support all selection operator format - types. You should refer to the documentation of each collection to - determine what is and isn't supported. - -
- -
- Collections - - A variable can contain one or many pieces of data, depending on - the nature of the variable and the way it is used. We've seen examples - of both approaches in the previous section. When a variable can - contain more than one value we refer to it as a - collection. - - Collections are always expanded before a rule is run. For - example, the following rule: - - SecRule ARGS dirty - - will be expanded to: - - SecRule ARGS:p dirty -SecRule ARGS:q dirty - - in a requests that has only two parameters, named - p and q. - - Collections come in several flavours: - - - - Read-only - - - Created at runtime using transaction data. For example: - ARGS (contains a list of all request - parameter values) and REQUEST_HEADERS - (contains a list of all request header values). - - - - - Transient Read/Write - - - The TX collection is created (empty) - for every transaction. Rules can read from it and write to it - (using the setvar action, for example), but - the information stored in this collection will not survive the - end of transaction. - - - - - Persistent Read/Write - - - There are several collections that can be written to, but - which are persisted to the storage backend. These collections - are used to track clients across transactions. Examples of - collections that fall into this type are IP, - SESSION and USER. - - - -
- -
- Operators in rules - - In the simplest possible case you will use a regular expression - pattern as the second rule parameter. This is what we've done in the - examples above. If you do this ModSecurity assumes you want to use the - rx (regular expression) operator. - You can also explicitly specify the operator you want to use by using - @, followed by the name of an - operator, at the beginning of the second SecRule - parameter: - - SecRule ARGS "@rx dirty" - - Note how we had to use double quotes to delimit the second rule - parameter. This is because the second parameter now has whitespace in - it. Any number of whitespace characters can follow the name of the - operator. If there are any non-whitespace characters there, they will - all be treated as a special parameter to the operator. In the case of - the regular expression operator the special parameter is the pattern - that will be used for comparison. - - The @ can be the second character if you are using negation to - negate the result returned by the operator: - - SecRule &ARGS "!@rx ^0$" -
- -
- Operator negation - - Operator results can be negated by using an exclamation mark at - the beginning of the second parameter. The following rule matches if - the word dirty does not appear - in the User-Agent request header: - - SecRule REQUEST_HEADERS:User-Agent !dirty - - You can use the exclamation mark in combination with any - parameter. If you do, the exclamation mark needs to go first, followed - by the explicit operator reference. The following rule has the same - effect as the previous example: - - SecRule REQUEST_HEADERS:User-Agent "!@rx dirty" - - If you need to use negation in a rule that is going to be - applied to several variables then it may not be immediately clear what - will happen. Consider the following example: - - SecRule ARGS:p|ARGS:q !dirty - - The above rule is identical to: - - SecRule ARGS:p !dirty -SecRule ARGS:q !dirty - - - Negation is applied to operations against individual - operations, not agains the entire variable list. - -
- -
- Actions in rules - - The third parameter, ACTIONS, - can be omitted only because there is a helper feature that specifies - the default action list. If the parameter isn't omitted the actions - specified in the parameter will be merged with the default action list - to create the actual list of actions that will be processed on a rule - match. -
-
- -
- <literal>SecRuleInheritance</literal> - - Description: Configures whether the current - context will inherit rules from the parent context (configuration - options are inherited in most cases - you should look up the - documentation for every directive to determine if it is inherited or - not). - - Syntax: SecRuleInheritance On|Off - - Example Usage: SecRuleInheritance Off - - Processing Phase: Any - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: Before ModSecurity 2.6.x - it was not possible for resource-specific contexts (e.g. Location, Directory, etc) to override phase 1 rules - configured in the main server or in the virtual server. Starting with - ModSecurity 2.6 this limitation has been lifted and the rules and the - configuration directives can be freely used across configuration - contexts. - - Example: The following example shows where ModSecurity may be - enabled in the main Apache configuration scope, however you might want - to configure your VirtualHosts differently. In the first example, the - first VirtualHost is not inheriting the ModSecurity main config - directives and in the second one it is. - - SecRuleEngine On -SecDefaultAction log,pass,phase:2 -... - -<VirtualHost *:80> -ServerName app1.com -ServerAlias www.app1.com -SecRuleInheritance Off -SecDefaultAction log,deny,phase:1,redirect:http://www.site2.com -... -</VirtualHost> - -<VirtualHost *:80> -ServerName app2.com -ServerAlias www.app2.com -SecRuleInheritance On SecRule ARGS "attack" -... -</VirtualHost> - - Possible values are: - - - - On - inherit rules from the - parent context. - - - - Off - do not inherit rules - from the parent context. - - - Configuration contexts are an Apache concept. Directives - <Directory>, - <Files>, - <Location> and - <VirtualHost> are all used to create - configuration contexts. For more information please go to the - Apache documentation section Configuration - Sections. - - - -
- -
- <literal>SecRuleEngine</literal> - - Description: Configures the rules - engine. - - Syntax: SecRuleEngine On|Off|DetectionOnly - - Example Usage: SecRuleEngine On - - Processing Phase: Any - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: This directive can also - be controlled by the ctl action (ctl:ruleEngine=off) for per rule - processing. - - Possible values are: - - - - On - process rules. - - - - Off - do not process - rules. - - - - DetectionOnly - process - rules but never intercept transactions, even when rules are - configured to do so. - - -
- -
- <literal>SecRuleRemoveById</literal> - - Description: Removes matching rules from the - parent contexts. - - Syntax: SecRuleUpdateActionById RULEID - ACTIONLIST - - Example Usage: SecRuleRemoveByID 1 2 "9000-9010" - - Processing Phase: Any - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: This directive supports - multiple parameters, where each parameter can either be a rule ID, or a - range. Parameters that contain spaces must be delimited using double - quotes. - - SecRuleRemoveById 1 2 5 10-20 "400-556" 673 -
- -
- <literal>SecRuleRemoveByMsg</literal> - - Description: Removes matching rules from the - parent contexts. - - Syntax: SecRuleRemoveByMsg REGEX - - Example Usage: SecRuleRemoveByMsg "FAIL" - - Processing Phase: Any - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: This directive supports - multiple parameters. Each parameter is a regular expression that will be - applied to the message (specified using the msg action). -
- -
- <literal>SecRuleScript</literal> (Experimental) - - Description: This directive creates a special - rule that executes a Lua script to decide whether to match or not. The - main difference from SecRule is that there are no - targets nor operators. The script can fetch any variable from the - ModSecurity context and use any (Lua) operator to test them. The second - optional parameter is the list of actions whose meaning is identical to - that of SecRule. - - Syntax: SecRuleScript - /path/to/script.lua [ACTIONS] - - Example Usage: SecRuleScript "/path/to/file.lua" - "block" - - Processing Phase: Any - - Scope: Any - - Version: 2.5.0 - - Dependencies/Notes: None - - - All Lua scripts are compiled at configuration time and cached in - memory. To reload scripts you must reload the entire ModSecurity - configuration by restarting Apache. - - - Example script: - - -- Your script must define the main entry --- point, as below. -function main() - -- Log something at level 1. Normally you shouldn't be - -- logging anything, especially not at level 1, but this is - -- just to show you can. Useful for debugging. - m.log(1, "Hello world!"); - - -- Retrieve one variable. - local var1 = m.getvar("REMOTE_ADDR"); - - -- Retrieve one variable, applying one transformation function. - -- The second parameter is a string. - local var2 = m.getvar("ARGS", "lowercase"); - - -- Retrieve one variable, applying several transformation functions. - -- The second parameter is now a list. You should note that m.getvar() - -- requires the use of comma to separate collection names from - -- variable names. This is because only one variable is returned. - local var3 = m.getvar("ARGS.p", { "lowercase", "compressWhitespace" } ); - - -- If you want this rule to match return a string - -- containing the error message. The message must contain the name - -- of the variable where the problem is located. - -- return "Variable ARGS:p looks suspicious!" - - -- Otherwise, simply return nil. - return nil; -end - - In this first example we were only retrieving one variable at the - time. In this case the name of the variable is known to you. In many - cases, however, you will want to examine variables whose names you won't - know in advance, for example script parameters. - - Example showing use of m.getvars() to retrieve - many variables at once: - - function main() - -- Retrieve script parameters. - local d = m.getvars("ARGS", { "lowercase", "htmlEntityDecode" } ); - - -- Loop through the paramters. - for i = 1, #d do - -- Examine parameter value. - if (string.find(d[i].value, "<script")) then - -- Always specify the name of the variable where the - -- problem is located in the error message. - return ("Suspected XSS in variable " .. d[i].name .. "."); - end - end - - -- Nothing wrong found. - return nil; -end - - - Go to http://www.lua.org/ to find more - about the Lua programming language. The reference manual too is - available online, at http://www.lua.org/manual/5.1/. - - - - Lua support is marked as experimental as - the way the progamming interface may continue to evolve while we are - working for the best implementation style. Any user input into the - programming interface is appreciated. - -
- -
- <literal>SecRuleUpdateActionById</literal> - - Description: Updates the action list of the - specified rule. - - Syntax: SecRuleRemoveById RULEID ACTIONLIST - - Example Usage: SecRuleUpdateActionById 12345 - deny,status:403 - - Processing Phase: Any - - Scope: Any - - Version: 2.5.0 - - Dependencies/Notes: This directive merges the - specified action list with the rule's action list. There are two - limitations. The rule ID cannot be changed, nor can the phase. Further - note that actions that may be specified multiple times are appended to - the original. - - SecAction \ - "t:lowercase,phase:2,id:12345,pass,msg:'The Message',log,auditlog" -SecRuleUpdateActionById 12345 "t:compressWhitespace,deny,status:403,msg:'A new message' - - The example above will cause the rule to be executed as if it was - specified as follows: - - SecAction \ - "t:lowercase,phase:2,id:12345,log,auditlog,t:compressWhitespace,deny,status:403,msg:'A new message'" -
- -
- <literal>SecServerSignature</literal> - - Description: Instructs ModSecurity to change - the data presented in the "Server:" response header token. - - Syntax: SecServerSignature "WEB SERVER - SOFTWARE" - - Example Usage: SecServerSignature - "Netscape-Enterprise/6.0" - - Processing Phase: N/A - - Scope: Main - - Version: 2.0.0 - - Dependencies/Notes: In order for this - directive to work, you must set the Apache ServerTokens directive to - Full. ModSecurity will overwrite the server signature data held in this - memory space with the data set in this directive. If ServerTokens is not - set to Full, then the memory space is most likely not large enough to - hold the new data we are looking to insert. -
- -
- <literal>SecTmpDir</literal> - - Description: Configures the directory where - temporary files will be created. - - Syntax: SecTmpDir - /path/to/dir - - Example Usage: SecTmpDir /tmp - - Processing Phase: N/A - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: Needs to be writable by - the Apache user process. This is the directory location where Apache - will swap data to disk if it runs out of memory (more data than what was - specified in the SecRequestBodyInMemoryLimit directive) during - inspection. -
- -
- <literal>SecUploadDir</literal> - - Description: Configures the directory where - intercepted files will be stored. - - Syntax: SecUploadDir - /path/to/dir - - Example Usage: SecUploadDir /tmp - - Processing Phase: N/A - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: This directory must be on - the same filesystem as the temporary directory defined with SecTmpDir. This directive is used with - SecUploadKeepFiles. -
- -
- <literal>SecUploadFileLimit</literal> - - Description: Configures the maximum number of - file uploads processed in a multipart POST. - - Syntax: SecUploadFileLimit number - - Example Usage: SecUploadFileLimit 10 - - Processing Phase: N/A - - Scope: Any - - Version: 2.5.12 - - Dependencies/Notes: The default is set to 100 - files, but you are encouraged to reduce this value. Any file over the - limit will not be extracted and the MULTIPART_FILE_LIMIT_EXCEEDED and MULTIPART_STRICT_ERROR flags will be set. To - prevent bypassing any file checks, you must check for one of these - flags. - - - If the limit is exceeded, the part name and file name will still - be recorded in FILES_NAME and - FILES, the file size will be - recorded in FILES_SIZES, but there - will be no record in FILES_TMPNAMES - as a temporary file was not created. - -
- -
- <literal>SecUploadFileMode</literal> - - Description: Configures the mode - (permissions) of any uploaded files using an octal mode (as used in - chmod). - - Syntax: SecUploadFileMode octal_mode|"default" - - Example Usage: SecUploadFileMode 0640 - - Processing Phase: N/A - - Scope: Any - - Version: 2.1.6 - - Dependencies/Notes: This feature is not - available on operating systems not supporting octal file modes. The - default mode (0600) only grants read/write access to the account writing - the file. If access from another account is needed (using clamd is a - good example), then this directive may be required. However, use this - directive with caution to avoid exposing potentially sensitive data to - unauthorized users. Using the value "default" will revert back to the - default setting. - - - The process umask may still limit the mode if it is being more - restrictive than the mode set using this directive. - -
- -
- <literal>SecUploadKeepFiles</literal> - - Description: Configures whether or not the - intercepted files will be kept after transaction is processed. - - Syntax: SecUploadKeepFiles On|Off|RelevantOnly - - Example Usage: SecUploadKeepFiles On - - Processing Phase: N/A - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: This directive requires - the storage directory to be defined (using SecUploadDir). - - Possible values are: - - - - On - Keep uploaded - files. - - - - Off - Do not keep uploaded - files. - - - - RelevantOnly - This will - keep only those files that belong to requests that are deemed - relevant. - - -
- -
- <literal>SecWebAppId</literal> - - Description: Creates a partition on the - server that belongs to one web application. - - Syntax: SecWebAppId - "NAME" - - Example Usage: SecWebAppId "WebApp1" - - Processing Phase: N/A - - Scope: Any - - Version: 2.0.0 - - Dependencies/Notes: Partitions are used to - avoid collisions between session IDs and user IDs. This directive must - be used if there are multiple applications deployed on the same server. - If it isn't used, a collision between session IDs might occur. The - default value is default. - Example: - - <VirtualHost *:80> -ServerName app1.com -ServerAlias www.app1.com -SecWebAppId "App1" -SecRule REQUEST_COOKIES:PHPSESSID !^$ chain,nolog,pass -SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} -... -</VirtualHost> - -<VirtualHost *:80> -ServerName app2.com -ServerAlias www.app2.com -SecWebAppId "App2" -SecRule REQUEST_COOKIES:PHPSESSID !^$ chain,nolog,pass -SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} -... -</VirtualHost> - - In the two examples configurations shown, SecWebAppId is being - used in conjunction with the Apache VirtualHost directives. What this - achieves is to create more unique collection names when being hosted on - one server. Normally, when setsid is used, ModSecurity will create a - collection with the name "SESSION" and it will hold the value specified. - With using SecWebAppId as shown in the examples, however, the name of - the collection would become "App1_SESSION" and "App2_SESSION". - - SecWebAppId is relevant in two cases: - - - - You are logging transactions/alerts to the ModSecurity Console - and you want to use the web application ID to search only the - transactions belonging to that application. - - - - You are using the data persistence facility (collections - SESSION and USER) and you need to avoid collisions between sessions - and users belonging to different applications. - - -
-
- -
- Processing Phases - - ModSecurity 2.x allows rules to be placed in one of the following - five phases: - - - - Request headers (REQUEST_HEADERS) - - - - Request body (REQUEST_BODY) - - - - Response headers (RESPONSE_HEADERS) - - - - Response body (RESPONSE_BODY) - - - - Logging (LOGGING) - - - - Below is a diagram of the normal Apache request cycle. In the - diagram, the 5 ModSecurity processing phases are shown. - - - - In order to select the phase a rule executes during, use the phase - action either directly in the rule or in using the - SecDefaultAction directive: - - SecDefaultAction "log,pass,phase:2" -SecRule REQUEST_HEADERS:Host "!^$" "deny,phase:1" - - - Keep in mind that rules are executed according to phases, so even - if two rules are adjacent in a configuration file, but are set to - execute in different phases, they would not happen one after the other. - The order of rules in the configuration file is important only within - the rules of each phase. This is especially important when using the - skip and skipAfter actions. - - - - The LOGGING phase is special. It is executed at - the end of each transaction no matter what happened in the previous - phases. This means it will be processed even if the request was - intercepted or the allow action was used to pass the - transaction through. - - -
- Phase Request Headers - - Phase 1 allows you to inspect a transaction of which request - headers are available, but before a request body (if any) has been read. - Place rules into this phase when you want something to happen before a - body has been read, or if you want to influence how a body will be - processed (e.g., configure the buffering options or configure request - body processors). Beware that you won't have complete request - information available at this point. If a request has a body, there may - be further parameters in it. Use phase 2 when you need to inspect all - request parameters. -
- -
- Phase Request Body - - This is the general-purpose input analysis phase. Most of the - application-oriented rules should go here. In this phase you are - guaranteed to have received the request arguments (provided the request - body has been read). ModSecurity supports three encoding types for the - request body phase: - - - - application/x-www-form-urlencoded - used to - transfer form data (used automatically) - - - - multipart/form-data - used for file - transfers (used automatically) - - - - text/xml - used for passing XML data (must - be explicitly configured) - - - - Other encodings are not used by most web applications. -
- -
- Phase Response Headers - - This phase takes place just before response headers are sent back - to the client. Run here if you want to observe the response before that - happens, and if you want to use the response headers to determine if you - want to buffer the response body. Note that some response status codes - (such as 404) are handled earlier in the request cycle by Apache and my - not be able to be triggered as expected. Additionally, there are some - response headers that are added by Apache at a later hook (such as Date, - Server and Connection) that we would not be able to trigger on or - sanitize. This should work appropriately in a proxy setup or within - phase:5 (logging). -
- -
- Phase Response Body - - This is the general-purpose output analysis phase. At this point - you can run rules against the response body (provided it was buffered, - of course). This is the phase where you would want to inspect the - outbound HTML for information disclosure, error messages or failed - authentication text. -
- -
- Phase Logging - - This phase is run just before logging takes place. The rules - placed into this phase can only affect how the logging is performed. - This phase can be used to inspect the error messages logged by Apache. - You cannot deny/block connections in this phase as it is too late. This - phase also allows for inspection of other response headers that weren't - available during phase:3 or phase:4. Note that you must be careful not - to inherit a disruptive action into a rule in this phase as this is a - configuration error in ModSecurity 2.5.0 and later versions. -
-
- -
- Variables - - The following variables are supported in ModSecurity 2.x: - -
- <literal moreinfo="none">ARGS</literal> - - ARGS is a collection and can be used on its own - (means all arguments including the POST Payload), with a static - parameter (matches arguments with that name), or with a regular - expression (matches all arguments with name that matches the regular - expression). To look at only the query string or body arguments, see the - ARGS_GET and ARGS_POST - collections. - - Some variables are actually collections, which are expanded into - more variables at runtime. The following example will examine all - request arguments:SecRule ARGS dirty - Sometimes, however, you will want to look only at parts of a collection. - This can be achieved with the help of the selection - operator(colon). The following example will only look at the - arguments named p (do note that, in - general, requests can contain multiple arguments with the same name): - SecRule ARGS:p dirty - It is also possible to specify exclusions. The following will examine - all request arguments for the word dirty, except - the ones named z (again, there can be - zero or more arguments named z): - SecRule ARGS|!ARGS:z dirty - There is a special operator that allows you to count how many variables - there are in a collection. The following rule will trigger if there is - more than zero arguments in the request (ignore the second parameter for - the time being): SecRule &ARGS !^0$ - And sometimes you need to look at an array of parameters, each with a - slightly different name. In this case you can specify a regular - expression in the selection operator itself. The following rule will - look into all arguments whose names begin with id_: SecRule ARGS:/^id_/ dirty - - - Using ARGS:p will not result in any - invocations against the operator if argument p does not exist. - - In ModSecurity 1.X, the ARGS variable stood - for QUERY_STRING + POST_PAYLOAD, - whereas now it expands to individual variables. - -
- -
- <literal moreinfo="none">ARGS_COMBINED_SIZE</literal> - - This variable allows you to set more targeted evaluations on the - total size of the Arguments as compared with normal Apache LimitRequest - directives. For example, you could create a rule to ensure that the - total size of the argument data is below a certain threshold (to help - prevent buffer overflow issues). Example: Block request if the size of - the arguments is above 25 characters. - - SecRule REQUEST_FILENAME "^/cgi-bin/login\.php" \ - "chain,log,deny,phase:2,t:none,t:lowercase,t:normalisePath" -SecRule ARGS_COMBINED_SIZE "@gt 25" -
- -
- <literal moreinfo="none">ARGS_NAMES</literal> - - Is a collection of the argument names. You can search for specific - argument names that you want to block. In a positive policy scenario, - you can also whitelist (using an inverted rule with the ! character) - only authorized argument names. Example: This example rule will only - allow 2 argument names - p and a. If any other argument names are - injected, it will be blocked. - - SecRule REQUEST_FILENAME "/index.php" \ - "chain,log,deny,status:403,phase:2,t:none,t:lowercase,t:normalisePath" -SecRule ARGS_NAMES "!^(p|a)$" "t:none,t:lowercase" -
- -
- <literal moreinfo="none">ARGS_GET</literal> - - ARGS_GET is similar to ARGS, - but only contains arguments from the query string. -
- -
- <literal moreinfo="none">ARGS_GET_NAMES</literal> - - ARGS_GET_NAMES is similar to - ARGS_NAMES, but only contains argument names from the - query string. -
- -
- <literal moreinfo="none">ARGS_POST</literal> - - ARGS_POST is similar to - ARGS, but only contains arguments from the POST - body. -
- -
- <literal moreinfo="none">ARGS_POST_NAMES</literal> - - ARGS_POST_NAMES is similar to - ARGS_NAMES, but only contains argument names from the - POST body. -
- -
- <literal moreinfo="none">AUTH_TYPE</literal> - - This variable holds the authentication method used to validate a - user. Example: - - SecRule AUTH_TYPE "basic" log,deny,status:403,phase:1,t:lowercase - - Note - - This data will not be available in a proxy-mode deployment as the - authentication is not local. In a proxy-mode deployment, you would need - to inspect the REQUEST_HEADERS:Authorization - header. -
- -
- <literal moreinfo="none">ENV</literal> - - Collection, requires a single parameter (after colon). The - ENV variable is set with setenv and does not give - access to the CGI environment variables. Example: - - SecRule REQUEST_FILENAME "printenv" pass,setenv:tag=suspicious -SecRule ENV:tag "suspicious" -
- -
- <literal moreinfo="none">FILES</literal> - - Collection. Contains a collection of original file names (as they - were called on the remote user's file system). Note: only available if - files were extracted from the request body. Example: - - SecRule FILES "\.conf$" log,deny,status:403,phase:2 -
- -
- <literal moreinfo="none">FILES_COMBINED_SIZE</literal> - - Single value. Total size of the uploaded files. Note: only - available if files were extracted from the request body. Example: - - SecRule FILES_COMBINED_SIZE "@gt 1000" log,deny,status:403,phase:2 -
- -
- <literal moreinfo="none">FILES_NAMES</literal> - - Collection w/o parameter. Contains a list of form fields that were - used for file upload. Note: only available if files were extracted from - the request body. Example: - - SecRule FILES_NAMES "^upfile$" log,deny,status:403,phase:2 -
- -
- <literal moreinfo="none">FILES_SIZES</literal> - - Collection. Contains a list of file sizes. Useful for implementing - a size limitation on individual uploaded files. Note: only available if - files were extracted from the request body. Example: - - SecRule FILES_SIZES "@gt 100" log,deny,status:403,phase:2 -
- -
- <literal moreinfo="none">FILES_TMPNAMES</literal> - - Collection. Contains a collection of temporary files' names on the - disk. Useful when used together with @inspectFile. Note: only available if files - were extracted from the request body. Example: - - SecRule FILES_TMPNAMES "@inspectFile /path/to/inspect_script.pl" -
- -
- <literal moreinfo="none">GEO</literal> - - GEO is a collection populated by the results of - the last @geoLookup operator. The - collection can be used to match geographical fields looked from an IP - address or hostname. - - Available since ModSecurity 2.5.0. - - Fields: - - - - COUNTRY_CODE: Two character country code. - EX: US, GB, etc. - - - - COUNTRY_CODE3: Up to three character - country code. - - - - COUNTRY_NAME: The full country - name. - - - - COUNTRY_CONTINENT: The two character - continent that the country is located. EX: EU - - - - REGION: The two character region. For US, - this is state. For Canada, providence, etc. - - - - CITY: The city name if supported by the - database. - - - - POSTAL_CODE: The postal code if supported - by the database. - - - - LATITUDE: The latitude if supported by - the database. - - - - LONGITUDE: The longitude if supported by - the database. - - - - DMA_CODE: The metropolitan area code if - supported by the database. (US only) - - - - AREA_CODE: The phone system area code. - (US only) - - - - Example: - - SecGeoLookupDb /usr/local/geo/data/GeoLiteCity.dat -... -SecRule REMOTE_ADDR "@geoLookup" "chain,drop,msg:'Non-GB IP address'" -SecRule GEO:COUNTRY_CODE "!@streq GB" -
- -
- <literal moreinfo="none">HIGHEST_SEVERITY</literal> - - This variable holds the highest severity of any rules that have - matched so far. Severities are numeric values and thus can be used with - comparison operators such as @lt, - etc. - - - Higher severities have a lower numeric value. - - A value of 255 indicates no severity has been set. - - - SecRule HIGHEST_SEVERITY "@le 2" "phase:2,deny,status:500,msg:'severity %{HIGHEST_SEVERITY}'" -
- -
- <literal moreinfo="none">MATCHED_VAR</literal> - - This variable holds the value of the variable that was matched - against. It is similar to the TX:0, except it can be used for all - operators and does not require that the capture action be specified. - - SecRule ARGS pattern chain,deny -... -SecRule MATCHED_VAR "further scrutiny" -
- -
- <literal moreinfo="none">MATCHED_VAR_NAME</literal> - - This variable holds the full name of the variable that was matched - against. - - SecRule ARGS pattern setvar:tx.mymatch=%{MATCHED_VAR_NAME} -... -SecRule TX:MYMATCH "@eq ARGS:param" deny -
- -
- <literal moreinfo="none">MODSEC_BUILD</literal> - - This variable holds the ModSecurity build number. This variable is - intended to be used to check the build number prior to using a feature - that is available only in a certain build. Example: - - SecRule MODSEC_BUILD "!@ge 02050102" skipAfter:12345 -SecRule ARGS "@pm some key words" id:12345,deny,status:500 -
- -
- <literal>MULTIPART_CRLF_LF_LINES</literal> - - This flag variable will be set to 1 whenever a - multi-part request uses mixed line terminators. The - multipart/form-data RFC requires - CRLF sequence to be used to terminate lines. Since - some client implementations use only LF to terminate - lines you might want to allow them to proceed under certain - circumstances (if you want to do this you will need to stop using - MULTIPART_STRICT_ERROR and check each multi-part flag - variable individually, avoiding MULTIPART_LF_LINE). - However, mixing CRLF and LF line - terminators is dangerous as it can allow for evasion. Therefore, in such - cases, you will have to add a check for - MULTIPART_CRLF_LF_LINES. -
- -
- <literal>MULTIPART_STRICT_ERROR</literal> - - MULTIPART_STRICT_ERROR will be set to - 1 when any of the following variables is also set to - 1: REQBODY_PROCESSOR_ERROR, - MULTIPART_BOUNDARY_QUOTED, - MULTIPART_BOUNDARY_WHITESPACE, - MULTIPART_DATA_BEFORE, - MULTIPART_DATA_AFTER, - MULTIPART_HEADER_FOLDING, - MULTIPART_LF_LINE, - MULTIPART_SEMICOLON_MISSING - MULTIPART_INVALID_QUOTING - MULTIPART_INVALID_HEADER_FOLDING - MULTIPART_FILE_LIMIT_EXCEEDED. Each of these - variables covers one unusual (although sometimes legal) aspect of the - request body in multipart/form-data format. Your - policies should always contain a rule to check - either this variable (easier) or one or more individual variables (if - you know exactly what you want to accomplish). Depending on the rate of - false positives and your default policy you should decide whether to - block or just warn when the rule is triggered. - - The best way to use this variable is as in the example - below: - - SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ -"phase:2,t:none,log,deny,msg:'Multipart request body \ -failed strict validation: \ -PE %{REQBODY_PROCESSOR_ERROR}, \ -BQ %{MULTIPART_BOUNDARY_QUOTED}, \ -BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ -DB %{MULTIPART_DATA_BEFORE}, \ -DA %{MULTIPART_DATA_AFTER}, \ -HF %{MULTIPART_HEADER_FOLDING}, \ -LF %{MULTIPART_LF_LINE}, \ -SM %{MULTIPART_SEMICOLON_MISSING}, \ -IQ %{MULTIPART_INVALID_QUOTING}, \ -IQ %{MULTIPART_INVALID_HEADER_FOLDING}, \ -FE %{MULTIPART_FILE_LIMIT_EXCEEDED}'" - - The multipart/form-data parser was upgraded in - ModSecurity v2.1.3 to actively look for signs of evasion. Many variables - (as listed above) were added to expose various facts discovered during - the parsing process. The MULTIPART_STRICT_ERROR - variable is handy to check on all abnormalities at once. The individual - variables allow detection to be fine-tuned according to your - circumstances in order to reduce the number of false positives. Detailed - analysis of various evasion techniques covered will be released as a - separated document at a later date. -
- -
- <literal>MULTIPART_UNMATCHED_BOUNDARY</literal> - - Set to 1 when, during the parsing phase of a - multipart/request-body, ModSecurity encounters what - seems like a boundary but it is not. Such an event may occur when - evasion of ModSecurity is attempted. - - The best way to use this variable is as in the example - below: - - SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ -"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'" - - Change the rule from blocking to logging-only if many false - positives are encountered. -
- -
- <literal moreinfo="none">PATH_INFO</literal> - - Besides passing query information to a script/handler, you can - also pass additional data, known as extra path information, as part of - the URL. Example: - - SecRule PATH_INFO "^/(bin|etc|sbin|opt|usr)" -
- -
- <literal moreinfo="none">QUERY_STRING</literal> - - This variable holds form data passed to the script/handler by - appending data after a question mark. Warning: Not URL-decoded. - Example: - - SecRule QUERY_STRING "attack" -
- -
- <literal moreinfo="none">REMOTE_ADDR</literal> - - This variable holds the IP address of the remote client. - Example: - - SecRule REMOTE_ADDR "^192\.168\.1\.101$" -
- -
- <literal moreinfo="none">REMOTE_HOST</literal> - - If HostnameLookUps are set to On, then this variable will hold the - DNS resolved remote host name. If it is set to Off, then it will hold - the remote IP address. Possible uses for this variable would be to deny - known bad client hosts or network blocks, or conversely, to allow in - authorized hosts. Example: - - SecRule REMOTE_HOST "\.evil\.network\org$" -
- -
- <literal moreinfo="none">REMOTE_PORT</literal> - - This variable holds information on the source port that the client - used when initiating the connection to our web server. Example: in this - example, we are evaluating to see if the REMOTE_PORT - is less than 1024, which would indicate that the user is a privileged - user (root). - - SecRule REMOTE_PORT "@lt 1024" phase:1,log,pass,setenv:remote_port=privileged -
- -
- <literal moreinfo="none">REMOTE_USER</literal> - - This variable holds the username of the authenticated user. If - there are no password (basic|digest) access controls in place, then this - variable will be empty. Example: - - SecRule REMOTE_USER "admin" - - Note - - This data will not be available in a proxy-mode deployment as the - authentication is not local. -
- -
- <literal moreinfo="none">REQBODY_PROCESSOR</literal> - - Built-in processors are URLENCODED, - MULTIPART, and XML. - Example: - - SecRule REQBODY_PROCESSOR "^XML$ chain -SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" -
- -
- <literal - moreinfo="none">REQBODY_PROCESSOR_ERROR</literal> - - Possible values are 0 (no error) or 1 (error). This variable will - be set by request body processors (typically the - multipart/request-data parser or the XML parser) - when they fail to properly parse a request payload. - - Example: - - SecRule REQBODY_PROCESSOR_ERROR "@eq 1" deny,phase:2 - - - Your policies must have a rule to check - REQBODY_PROCESSOR_ERROR at the beginning of phase - 2. Failure to do so will leave the door open for impedance mismatch - attacks. It is possible, for example, that a payload that cannot be - parsed by ModSecurity can be successfully parsed by more tolerant - parser operating in the application. If your policy dictates blocking - then you should reject the request if error is detected. When - operating in detection-only mode your rule should alert with high - severity when request body processing fails. - -
- -
- <literal - moreinfo="none">REQBODY_PROCESSOR_ERROR_MSG</literal> - - Empty, or contains the error message from the processor. - Example: - - SecRule REQBODY_PROCESSOR_ERROR_MSG "failed to parse" t:lowercase -
- -
- <literal moreinfo="none">REQUEST_BASENAME</literal> - - This variable holds just the filename part of - REQUEST_FILENAME (e.g. index.php). - - Example: - - SecRule REQUEST_BASENAME "^login\.php$" phase:2,t:none,t:lowercase - - - Please note that anti-evasion transformations are not applied to - this variable by default. REQUEST_BASENAME will - recognise both / and \ as path - separators. - -
- -
- <literal moreinfo="none">REQUEST_BODY</literal> - - This variable holds the data in the request body (including - POST_PAYLOAD data). REQUEST_BODY - should be used if the original order of the arguments is important - (ARGS should be used in all other cases). - Example: - - SecRule REQUEST_BODY "^username=\w{25,}\&password=\w{25,}\&Submit\=login$" - - - This variable is only available if the - URLENCODED request body processor parsed a request - body. This will occur by default when an - application/x-www-form-urlencoded is detected, or - the URLENCODED request body parser is forced. As of - 2.5.7 it is possible to force the presence of the - REQUEST_BODY variable, but only when there is no - request body processor defined, using the - ctl:forceRequestBodyVariable option in the - REQUEST_HEADERS phase. - -
- -
- <literal moreinfo="none">REQUEST_COOKIES</literal> - - This variable is a collection of all of the cookie data. Example: - the following example is using the Ampersand special operator to count - how many variables are in the collection. In this rule, it would trigger - if the request does not include any Cookie headers. - - SecRule &REQUEST_COOKIES "@eq 0" -
- -
- <literal moreinfo="none">REQUEST_COOKIES_NAMES</literal> - - This variable is a collection of the cookie names in the request - headers. Example: the following rule will trigger if the JSESSIONID - cookie is not present. - - SecRule &REQUEST_COOKIES_NAMES:JSESSIONID "@eq 0" -
- -
- <literal moreinfo="none">REQUEST_FILENAME</literal> - - This variable holds the relative REQUEST_URI - minus the QUERY_STRING part (e.g. /index.php). - Example: - - SecRule REQUEST_FILENAME "^/cgi-bin/login\.php$" phase:2,t:none,t:normalisePath - - - Please note that anti-evasion transformations are not used on - REQUEST_FILENAME by default. - -
- -
- <literal moreinfo="none">REQUEST_HEADERS</literal> - - This variable can be used as either a collection of all of the - request headers or can be used to specify individual headers (by using - REQUEST_HEADERS:Header-Name). Example: the first - example uses REQUEST_HEADERS as a collection and is - applying the validateUrlEncoding operator against all - headers. - - SecRule REQUEST_HEADERS "@validateUrlEncoding" - - Example: the second example is targeting only the - Host header. - - SecRule REQUEST_HEADERS:Host "^[\d\.]+$" \ - "deny,log,status:400,msg:'Host header is a numeric IP address'" -
- -
- <literal moreinfo="none">REQUEST_HEADERS_NAMES</literal> - - This variable is a collection of the names of all of the request - headers. Example: - - SecRule REQUEST_HEADERS_NAMES "^x-forwarded-for" \ - "log,deny,status:403,t:lowercase,msg:'Proxy Server Used'" -
- -
- <literal moreinfo="none">REQUEST_LINE</literal> - - This variable holds the complete request line sent to the server - (including the REQUEST_METHOD and HTTP version data). Example: this - example rule will trigger if the request method is something other than - GET, HEAD, POST or if the HTTP is something other than HTTP/0.9, 1.0 or - 1.1. - - SecRule REQUEST_LINE "!(^((?:(?:pos|ge)t|head))|http/(0\.9|1\.0|1\.1)$)" t:none,t:lowercase -
- -
- <literal moreinfo="none">REQUEST_METHOD</literal> - - This variable holds the request method used by the client. - - The following example will trigger if the request method is either - CONNECT or TRACE. - - SecRule REQUEST_METHOD "^((?:connect|trace))$" t:none,t:lowercase -
- -
- <literal moreinfo="none">REQUEST_PROTOCOL</literal> - - This variable holds the request protocol version information. - Example: - - SecRule REQUEST_PROTOCOL "!^http/(0\.9|1\.0|1\.1)$" t:none,t:lowercase -
- -
- <literal moreinfo="none">REQUEST_URI</literal> - - This variable holds the full URL including the - QUERY_STRING data (e.g. /index.php?p=X), however it - will never contain a domain name, even if it was provided on the request - line. It also does not include either the - REQUEST_METHOD or the HTTP version info. - - Example: - - SecRule REQUEST_URI "attack" phase:1,t:none,t:urlDecode,t:lowercase,t:normalisePath - - - Please note that anti-evasion transformations are not used on - REQUEST_URI by default. - -
- -
- <literal moreinfo="none">REQUEST_URI_RAW</literal> - - Same as REQUEST_URI but will contain the domain - name if it was provided on the request line (e.g. - http://www.example.com/index.php?p=X). - - Example: - - SecRule REQUEST_URI_RAW "http:/" phase:1,t:none,t:urlDecode,t:lowercase,t:normalisePath - - - Please note that anti-evasion transformations are not used on - REQUEST_URI_RAW by default. - -
- -
- <literal moreinfo="none">RESPONSE_BODY</literal> - - This variable holds the data for the response payload. - - Example: - - SecRule RESPONSE_BODY "ODBC Error Code" -
- -
- <literal>RESPONSE_CONTENT_LENGTH</literal> - - Response body length in bytes. Can be available starting with - phase 3 but it does not have to be (as the length of response body is - not always known in advance.) If the size is not known this variable - will contain a zero. If RESPONSE_CONTENT_LENGTH - contains a zero in phase 5 that means the actual size of the response - body was 0. - - The value of this variable can change between phases if the body - is modified. For example, in embedded mode - mod_deflate can compress the response body between - phases 4 and 5. -
- -
- <literal>RESPONSE_CONTENT_TYPE</literal> - - Response content type. Only available starting with phase - 3. -
- -
- <literal moreinfo="none">RESPONSE_HEADERS</literal> - - This variable is similar to the REQUEST_HEADERS variable and can - be used in the same manner. Example: - - SecRule RESPONSE_HEADERS:X-Cache "MISS" - - Note - - This variable may not have access to some headers when running in - embedded-mode. Headers such as Server, Date, Connection and Content-Type - are added during a later Apache hook just prior to sending the data to - the client. This data should be available, however, either during - ModSecurity phase:5 (logging) or when running in proxy-mode. -
- -
- <literal moreinfo="none">RESPONSE_HEADERS_NAMES</literal> - - This variable is a collection of the response header names. - Example: - - SecRule RESPONSE_HEADERS_NAMES "Set-Cookie" - - Note - - Same limitations as RESPONSE_HEADERS with regards to access to - some headers in embedded-mode. -
- -
- <literal moreinfo="none">RESPONSE_PROTOCOL</literal> - - This variable holds the HTTP response protocol information. - Example: - - SecRule RESPONSE_PROTOCOL "^HTTP\/0\.9" -
- -
- <literal moreinfo="none">RESPONSE_STATUS</literal> - - This variable holds the HTTP response status code as generated by - Apache. Example: - - SecRule RESPONSE_STATUS "^[45]" - - Note - - This directive may not work as expected in embedded-mode as Apache - handles many of the stock response codes (404, 401, etc...) earlier in - Phase 2. This variable should work as expected in a proxy-mode - deployment. -
- -
- <literal moreinfo="none">RULE</literal> - - This variable provides access to the id, rev, - severity, logdata, and msg fields of the rule that triggered the - action. Only available for expansion in action strings (e.g.setvar:tx.varname=%{rule.id}). Example: - - SecRule &REQUEST_HEADERS:Host "@eq 0" "log,deny,setvar:tx.varname=%{rule.id}" -
- -
- <literal moreinfo="none">SCRIPT_BASENAME</literal> - - This variable holds just the local filename part of - SCRIPT_FILENAME. Example: - - SecRule SCRIPT_BASENAME "^login\.php$" - - Note - - This variable is not available in proxy mode. -
- -
- <literal moreinfo="none">SCRIPT_FILENAME</literal> - - This variable holds the full path on the server to the requested - script. (e.g. SCRIPT_NAME plus the server path). Example: - - SecRule SCRIPT_FILENAME "^/usr/local/apache/cgi-bin/login\.php$" - - Note - - This variable is not available in proxy mode. -
- -
- <literal moreinfo="none">SCRIPT_GID</literal> - - This variable holds the group id (numerical value) of the group - owner of the script. Example: - - SecRule SCRIPT_GID "!^46$" - - Note - - This variable is not available in proxy mode. -
- -
- <literal moreinfo="none">SCRIPT_GROUPNAME</literal> - - This variable holds the group name of the group owner of the - script. Example: - - SecRule SCRIPT_GROUPNAME "!^apache$" - - Note - - This variable is not available in proxy mode. -
- -
- <literal moreinfo="none">SCRIPT_MODE</literal> - - This variable holds the script's permissions mode data (numerical - - 1=execute, 2=write, 4=read and 7=read/write/execute). Example: will - trigger if the script has the WRITE permissions set. - - SecRule SCRIPT_MODE "^(2|3|6|7)$" - - Note - - This variable is not available in proxy mode. -
- -
- <literal moreinfo="none">SCRIPT_UID</literal> - - This variable holds the user id (numerical value) of the owner of - the script. Example: the example rule below will trigger if the UID is - not 46 (the Apache user). - - SecRule SCRIPT_UID "!^46$" - - Note - - This variable is not available in proxy mode. -
- -
- <literal moreinfo="none">SCRIPT_USERNAME</literal> - - This variable holds the username of the owner of the script. - Example: - - SecRule SCRIPT_USERNAME "!^apache$" - - Note - - This variable is not available in proxy mode. -
- -
- <literal moreinfo="none">SERVER_ADDR</literal> - - This variable contains the IP address of the server. - Example: - - SecRule SERVER_ADDR "^192\.168\.1\.100$" -
- -
- <literal moreinfo="none">SERVER_NAME</literal> - - This variable contains the server's hostname or IP address. - Example: - - SecRule SERVER_NAME "hostname\.com$" - - Note - - This data is taken from the Host header submitted in the client - request. -
- -
- <literal moreinfo="none">SERVER_PORT</literal> - - This variable contains the local port that the web server is - listening on. Example: - - SecRule SERVER_PORT "^80$" -
- -
- <literal moreinfo="none">SESSION</literal> - - This variable is a collection, available only after setsid is executed. Example: the following - example shows how to initialize a SESSION collection with setsid, how to - use setvar to increase the session.score values, how to set the - session.blocked variable and finally how to deny the connection based on - the session:blocked value. - - SecRule REQUEST_COOKIES:PHPSESSID !^$ chain,nolog,pass -SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} -SecRule REQUEST_URI "^/cgi-bin/finger$" \ - "phase:2,t:none,t:lowercase,t:normalisePath,pass,log,setvar:session.score=+10" -SecRule SESSION:SCORE "@gt 50" "pass,log,setvar:session.blocked=1" -SecRule SESSION:BLOCKED "@eq 1" "log,deny,status:403" -
- -
- <literal moreinfo="none">SESSIONID</literal> - - This variable is the value set with setsid. Example: - - SecRule SESSIONID !^$ chain,nolog,pass -SecRule REQUEST_COOKIES:PHPSESSID !^$ -SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} -
- -
- <literal moreinfo="none">TIME</literal> - - This variable holds a formatted string representing the time - (hour:minute:second). Example: - - SecRule TIME "^(([1](8|9))|([2](0|1|2|3))):\d{2}:\d{2}$" -
- -
- <literal moreinfo="none">TIME_DAY</literal> - - This variable holds the current date (1-31). Example: this rule - would trigger anytime between the 10th and 20th days of the - month. - - SecRule TIME_DAY "^(([1](0|1|2|3|4|5|6|7|8|9))|20)$" -
- -
- <literal moreinfo="none">TIME_EPOCH</literal> - - This variable holds the time in seconds since 1970. - Example: - - SecRule TIME_EPOCH "@gt 1000" -
- -
- <literal moreinfo="none">TIME_HOUR</literal> - - This variable holds the current hour (0-23). Example: this rule - would trigger during "off hours". - - SecRule TIME_HOUR "^(0|1|2|3|4|5|6|[1](8|9)|[2](0|1|2|3))$" -
- -
- <literal moreinfo="none">TIME_MIN</literal> - - This variable holds the current minute (0-59). Example: this rule - would trigger during the last half hour of every hour. - - SecRule TIME_MIN "^(3|4|5)" -
- -
- <literal moreinfo="none">TIME_MON</literal> - - This variable holds the current month (0-11). Example: this rule - would match if the month was either November (10) or December - (11). - - SecRule TIME_MON "^1" -
- -
- <literal moreinfo="none">TIME_SEC</literal> - - This variable holds the current second count (0-59). - Example: - - SecRule TIME_SEC "@gt 30" -
- -
- <literal moreinfo="none">TIME_WDAY</literal> - - This variable holds the current weekday (0-6). Example: this rule - would trigger only on week-ends (Saturday and Sunday). - - SecRule TIME_WDAY "^(0|6)$" -
- -
- <literal moreinfo="none">TIME_YEAR</literal> - - This variable holds the current four-digit year data. - Example: - - SecRule TIME_YEAR "^2006$" -
- -
- <literal moreinfo="none">TX</literal> - - Transaction Collection. This is used to store pieces of data, - create a transaction anomaly score, and so on. Transaction variables are - set for 1 request/response cycle. The scoring and evaluation will not - last past the current request/response process. Example: In this - example, we are using setvar to increase the tx.score value by 5 points. - We then have a follow-up run that will evaluate the transactional score - this request and then it will decided whether or not to allow/deny the - request through. - - The following is a list of reserved names in the TX - collection: - - - - TX:0 - The matching value - when using the @rx or @pm operator with the capture action. - - - - TX:1-TX:9 - The captured - subexpression value when using the @rx operator with capturing parens and the - capture action. - - - - TX:MSC_* - ModSecurity - processing flags. - - - - MSC_PCRE_LIMITS_EXCEEDED - Set - non-zero if PCRE match limits are exceeded. See SecPcreMatchLimit and SecPcreMatchLimitRecursion. - - - - - - SecRule WEBSERVER_ERROR_LOG "does not exist" "phase:5,pass,setvar:tx.score=+5" -SecRule TX:SCORE "@gt 20" deny,log -
- -
- <literal moreinfo="none">USERID</literal> - - This variable is the value set with setuid. Example: - - SecAction setuid:%{REMOTE_USER},nolog -SecRule USERID "Admin" -
- -
- <literal moreinfo="none">WEBAPPID</literal> - - This variable is the value set with SecWebAppId. Example: - - SecWebAppId "WebApp1" -SecRule WEBAPPID "WebApp1" "chain,log,deny,status:403" -SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" -
- -
- <literal moreinfo="none">WEBSERVER_ERROR_LOG</literal> - - Contains zero or more error messages produced by the web server. - Access to this variable is in phase:5 (logging). Example: - - SecRule WEBSERVER_ERROR_LOG "File does not exist" "phase:5,setvar:tx.score=+5" -
- -
- <literal moreinfo="none">XML</literal> - - Can be used standalone (as a target for - validateDTD and validateSchema) or - with an XPath expression parameter (which makes it a valid target for - any function that accepts plain text). Example using XPath: - - SecDefaultAction log,deny,status:403,phase:2 -SecRule REQUEST_HEADERS:Content-Type ^text/xml$ \ - phase:1,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML -SecRule REQBODY_PROCESSOR "!^XML$" skipAfter:12345 -SecRule XML:/employees/employee/name/text() Fred -SecRule XML:/xq:employees/employee/name/text() Fred \ - id:12345,xmlns:xq=http://www.example.com/employees - - The first XPath expression does not use namespaces. It would match - against payload such as this one: - - <employees> - <employee> - <name>Fred Jones</name> - <address location="home"> - <street>900 Aurora Ave.</street> - <city>Seattle</city> - <state>WA</state> - <zip>98115</zip> - </address> - <address location="work"> - <street>2011 152nd Avenue NE</street> - <city>Redmond</city> - <state>WA</state> - <zip>98052</zip> - </address> - <phone location="work">(425)555-5665</phone> - <phone location="home">(206)555-5555</phone> - <phone location="mobile">(206)555-4321</phone> - </employee> -</employees> - - The second XPath expression does use namespaces. It would match - the following payload: - - <xq:employees xmlns:xq="http://www.example.com/employees"> - <employee> - <name>Fred Jones</name> - <address location="home"> - <street>900 Aurora Ave.</street> - <city>Seattle</city> - <state>WA</state> - <zip>98115</zip> - </address> - <address location="work"> - <street>2011 152nd Avenue NE</street> - <city>Redmond</city> - <state>WA</state> - <zip>98052</zip> - </address> - <phone location="work">(425)555-5665</phone> - <phone location="home">(206)555-5555</phone> - <phone location="mobile">(206)555-4321</phone> - </employee> -</xq:employees> - - Note the different namespace used in the second example. - - To learn more about XPath we suggest the following - resources: - - - - XPath - Standard - - - - XPath - Tutorial - - -
-
- -
- Transformation functions - - When ModSecurity receives request or response information, it makes - a copy of this data and places it into memory. It is on this data in - memory that transformation functions are applied. The raw request/response - data is never altered. Transformation functions are used to transform a - variable before testing it in a rule. - - Note - - There are no default transformation functions as there were in - previous versions of ModSecurity. - - The following rule will ensure that an attacker does not use mixed - case in order to evade the ModSecurity rule: - - SecRule ARGS:p "xp_cmdshell" "t:lowercase" - multiple transformation actions can be used in the same rule, for example - the following rule also ensures that an attacker does not use URL encoding - (%xx encoding) for evasion. Note the order of the transformation - functions, which ensures that a URL encoded letter is first decoded and - than translated to lower case. - - SecRule ARGS:p "xp_cmdshell" "t:urlDecode,t:lowercase" - - One can use the SecDefaultAction command to ensure the translation - occurs for every rule until the next. Note that transformation actions are - additive, so if a rule explicitly list actions, the translation actions - set by SecDefaultAction are still performed. - - SecDefaultAction t:urlDecode,t:lowercase - - The following transformation functions are supported: - -
- <literal>base64Decode</literal> - - This function decodes a base64-encoded string. -
- -
- <literal>base64Encode</literal> - - This function encodes input string using base64 encoding. -
- -
- <literal>compressWhitespace</literal> - - It converts whitespace characters (32, \f, \t, \n, \r, \v, 160) to - spaces (ASCII 32) and then compresses multiple consecutive space - characters into one. -
- -
- cssDecode - - Decodes CSS-encoded characters, as specified at http://www.w3.org/TR/REC-CSS2/syndata.html. - This function uses only up to two bytes in the decoding process, meaning - it is useful to uncover ASCII characters (that wouldn't normally be - encoded) encoded using CSS encoding, or to counter evasion which is a - combination of a backslash and non-hexadecimal characters (e.g. - ja\vascript is equivalent to - javascript). -
- -
- <literal>escapeSeqDecode</literal> - - This function decode ANSI C escape sequences: \a, \b, - \f, \n, \r, - \t, \v, \\, - \?, \', \", - \xHH (hexadecimal), \0OOO (octal). Invalid encodings are left in - the output. -
- -
- <literal>hexDecode</literal> - - This function decodes a hex-encoded string. -
- -
- <literal>hexEncode</literal> - - This function encodes input as hex-encoded string. -
- -
- <literal>htmlEntityDecode</literal> - - This function decodes HTML entities present in input. The - following variants are supported: - - - - &#xHH and &#xHH; (where H is any hexadecimal - number) - - - - &#DDD and &#DDD; (where D is any decimal - number) - - - - &quot and &quot; - - - - &nbsp and &nbsp; - - - - &lt and &lt; - - - - &gt and &gt; - - - - This function will convert any entity into a single byte only, - possibly resulting in a loss of information. It is thus useful to - uncover bytes that would otherwise not need to be encoded, but it cannot - do anything with the characters from the range above 255. -
- -
- <literal>jsDecode</literal> - - Decodes JavaScript escape sequences. If a - \uHHHH code is in the range of - FF01-FF5E (the full width ASCII - codes), then the higher byte is used to detect and adjust the lower - byte. Otherwise, only the lower byte will be used and the higher byte - zeroed. -
- -
- <literal>length</literal> - - This function converts the input to its numeric length (count of - bytes). -
- -
- <literal>lowercase</literal> - - This function converts all characters to lowercase using the - current C locale. -
- -
- <literal>md5</literal> - - This function calculates an MD5 hash from input. Note that the - computed hash is in a raw binary form and may need encoded into text to - be usable (for example: t:md5,t:hexEncode). -
- -
- <literal><literal>none</literal></literal> - - Not an actual transformation function, but an instruction to - ModSecurity to remove all transformation functions associated with the - current rule. -
- -
- <literal>normalisePath</literal> - - This function will remove multiple slashes, self-references and - directory back-references (except when they are at the beginning of the - input). -
- -
- <literal>normalisePathWin</literal> - - Same as normalisePath, but will first convert - backslash characters to forward slashes. -
- -
- <literal>parityEven7bit</literal> - - This function calculates even parity of 7-bit data replacing the - 8th bit of each target byte with the calculated parity bit. -
- -
- <literal>parityOdd7bit</literal> - - This function calculates odd parity of 7-bit data replacing the - 8th bit of each target byte with the calculated parity bit. -
- -
- <literal>parityZero7bit</literal> - - This function calculates zero parity of 7-bit data replacing the - 8th bit of each target byte with a zero parity bit which allows - inspection of even/odd parity 7bit data as ASCII7 data. -
- -
- <literal>removeNulls</literal> - - This function removes NULL bytes from input. -
- -
- <literal>removeWhitespace</literal> - - This function removes all whitespace characters from input. -
- -
- <literal>replaceComments</literal> - - This function replaces each occurrence of a C-style comments - (/* ... */) with a single space - (multiple consecutive occurrences of a space will not be compressed). - Unterminated comments will too be replaced with a space (ASCII 32). - However, a standalone termination of a comment (*/) will not be acted upon. -
- -
- <literal>replaceNulls</literal> - - This function is enabled by default. It replaces NULL bytes in - input with spaces (ASCII 32). -
- -
- <literal>urlDecode</literal> - - This function decodes an URL-encoded input string. Invalid - encodings (i.e. the ones that use non-hexadecimal characters, or the - ones that are at the end of string and have one or two characters - missing) will not be converted. If you want to detect invalid encodings - use the @validateUrlEncoding - operator. The transformation function should not be used against - variables that have already been URL-decoded unless it is your intention - to perform URL decoding twice! -
- -
- <literal>urlDecodeUni</literal> - - In addition to decoding %xx like urlDecode, urlDecodeUni also decodes %uXXXX encoding. If the code is in the range - of FF01-FF5E (the full width ASCII - codes), then the higher byte is used to detect and adjust the lower - byte. Otherwise, only the lower byte will be used and the higher byte - zeroed. -
- -
- <literal>urlEncode</literal> - - This function encodes input using URL encoding. -
- -
- <literal>sha1</literal> - - This function calculates a SHA1 hash from input. Note that the - computed hash is in a raw binary form and may need encoded to be usable - (for example: t:sha1,t:hexEncode). -
- -
- <literal>trimLeft</literal> - - This function removes whitespace from the left side of - input. -
- -
- <literal>trimRight</literal> - - This function removes whitespace from the right side of - input. -
- -
- <literal>trim</literal> - - This function removes whitespace from both the left and right - sides of input. -
-
- -
- Actions - - Each action belongs to one of five groups: - - - - Disruptive actions - - - Cause ModSecurity to do something. In many cases something - means block transaction, but not in all. For example, the allow - action is classified as a disruptive action, but it does the - opposite of blocking. There can only be one disruptive action per - rule (if there are multiple disruptive actions present, or - inherited, only the last one will take effect), or rule chain (in a - chain, a disruptive action can only appear in the first - rule). - - - - - Non-disruptive actions - - - Do something, but that something does not and cannot affect - the rule processing flow. Setting a variable, or changing its value - is an example of a non-disruptive action. Non-disruptive action can - appear in any rule, including each rule belonging to a chain. - - - - - Flow actions - - - These actions affect the rule flow (for example - skip or skipAfter). - - - - - Meta-data actions - - - Meta-data actions are used to provide more information about - rules. Examples include id, - rev, severity and - msg. - - - - - Data actions - - - Not really actions, these are mere containers that hold data - used by other actions. For example, the status - action holds the status that will be used for blocking (if it takes - place). - - - - -
- <literal>allow</literal> - - Description: Stops rule processing on a - successful match and allows the transaction to proceed. - - Action Group: Disruptive - - Example: - - SecRule REMOTE_ADDR "^192\.168\.1\.100$" nolog,phase:1,allow - - Prior to ModSecurity 2.5 the allow action would - only affect the current phase. An allow in phase 1 - would skip processing the remaining rules in phase 1 but the rules from - phase 2 would still execute. Starting with v2.5.0 - allow was enhanced to allow for fine-grained control - of what is done. The following rules now apply: - - - - If used one its own, like in the example above, - allow will affect the entire transaction, - stopping processing of the current phase but also skipping over all - other phases apart from the logging phase. (The logging phase is - special; it is designed to always execute.) - - - - If used with parameter "phase", allow will - cause the engine to stop processing the current phase. Other phases - will continue as normal. - - - - If used with parameter "request", allow - will cause the engine to stop processing the current phase. The next - phase to be processed will be phase - RESPONSE_HEADERS. - - - - Examples: - - # Do not process request but process response. -SecAction phase:1,allow:request - -# Do not process transaction (request and response). -SecAction phase:1,allow - - - If you want to allow a response through, put a rule in phase - RESPONSE_HEADERS and simply use - allow on its own: - - # Allow response through. -SecAction phase:3,allow -
- -
- append - - Description: Appends text given as parameter - to the end of response body. For this action to work content injection - must be enabled by setting SecContentInjection to - On. Also make sure you check the content type of the - response before you make changes to it (e.g. you don't want to inject - stuff into images). - - Action Group: Non-disruptive - - Processing Phases: 3 and 4. - - Example: - - SecRule RESPONSE_CONTENT_TYPE "^text/html" "nolog,pass,append:'<hr>Footer'" - - - While macro expansion is allowed in the additional content, you - are strongly cautioned against inserting user defined data - fields. - -
- -
- <literal>auditlog</literal> - - Description: Marks the transaction for - logging in the audit log. - - Action Group: Non-disruptive - - Example: - - SecRule REMOTE_ADDR "^192\.168\.1\.100$" auditlog,phase:1,allow - - Note - - The auditlog action is now explicit if log is already - specified. -
- -
- <literal>block</literal> - - Description: Performs the default disruptive - action. - - Action Group: Disruptive - - It is intended to be used by ruleset writers to signify that the - rule was intended to block and leaves the "how" up to the administrator. - This action is currently a placeholder which will just be replaced by - the action from the last SecDefaultAction in the same - context. Using the block action with the - SecRuleUpdateActionById directive allows a rule to be - reverted back to the previous SecDefaultAction - disruptive action. - - In future versions of ModSecurity, more control and functionality - will be added to define "how" to block. - - Examples: - - In the following example, the second rule will "deny" because of - the SecDefaultAction disruptive action. The intent being that the - administrator could easily change this to another disruptive action - without editing the actual rules. - - ### Administrator defines "how" to block (deny,status:403)... -SecDefaultAction phase:2,deny,status:403,log,auditlog - -### Included from a rulest... -# Intent is to warn for this User Agent -SecRule REQUEST_HEADERS:User-Agent "perl" "phase:2,pass,msg:'Perl based user agent identified'" -# Intent is to block for this User Agent, "how" described in SecDefaultAction -SecRule REQUEST_HEADERS:User-Agent "nikto" "phase:2,block,msg:'Nikto Scanners Identified'" - - In the following example, The rule is reverted back to the - pass action defined in the SecDefaultAction directive - by using the SecRuleUpdateActionById directive in - conjuction with the block action. This allows an - administrator to override an action in a 3rd party rule without - modifying the rule itself. - - ### Administrator defines "how" to block (deny,status:403)... -SecDefaultAction phase:2,pass,log,auditlog - -### Included from a rulest... -SecRule REQUEST_HEADERS:User-Agent "nikto" "id:1,phase:2,deny,msg:'Nikto Scanners Identified'" - -### Added by the administrator -SecRuleUpdateActionById 1 "block" -
- -
- <literal>capture</literal> - - Description: When used together with the - regular expression operator, capture action will create copies of - regular expression captures and place them into the transaction variable - collection. Up to ten captures will be copied on a successful pattern - match, each with a name consisting of a digit from 0 to 9. - - Action Group: Non-disruptive - - Example: - - SecRule REQUEST_BODY "^username=(\w{25,})" phase:2,capture,t:none,chain -SecRule TX:1 "(?:(?:a(dmin|nonymous)))" - - Note - - The 0 data captures the entire REGEX match and 1 captures the data - in the first parens, etc... -
- -
- <literal>chain</literal> - - Description: Chains the rule where the action - is placed with the rule that immediately follows it. The result is - called a rule chain. Chained rules allow for more - complex rule matches where you want to use a number of different - VARIABLES to create a better rule and to help prevent false - positives. - - Action Group: Flow - - Example: - - # Refuse to accept POST requests that do -# not specify request body length. Do note that -# this rule should be preceeded by a rule that verifies -# only valid request methods (e.g. GET, HEAD and POST) are used. -SecRule REQUEST_METHOD ^POST$ chain,t:none -SecRule REQUEST_HEADERS:Content-Length ^$ t:none - - - In programming language concepts, think of chained rules - somewhat similar to AND conditional statements. The actions specified - in the first portion of the chained rule will only be triggered if all - of the variable checks return positive hits. If one aspect of the - chained rule is negative, then the entire rule chain is negative. Also - note that disruptive actions, execution phases, metadata actions (id, - rev, msg), skip and skipAfter actions can only be specified on by the - chain starter rule. - -
- -
- <literal>ctl</literal> - - Description: The ctl action allows - configuration options to be updated for the transaction. - - Action Group: Non-disruptive - - Example: - - # Parse requests with Content-Type "text/xml" as XML -SecRule REQUEST_CONTENT_TYPE ^text/xml nolog,pass,ctl:requestBodyProcessor=XML - - Note - - The following configuration options are supported: - - - - auditEngine - - - - auditLogParts - - - - debugLogLevel - - - - ruleRemoveById (single rule - ID, or a single rule ID range accepted as parameter) - - - - requestBodyAccess - - - - forceRequestBodyVariable - - - - requestBodyLimit - - - - requestBodyProcessor - - - - responseBodyAccess - - - - responseBodyLimit - - - - ruleEngine - - - - With the exception of - requestBodyProcessor and - forceRequestBodyVariable, each configuration option - corresponds to one configuration directive and the usage is - identical. - - The requestBodyProcessor option allows you to - configure the request body processor. By default ModSecurity will use - the URLENCODED and MULTIPART processors to process an application/x-www-form-urlencoded and a - multipart/form-data bodies, - respectively. A third processor, XML, is also - supported, but it is never used implicitly. Instead you must tell - ModSecurity to use it by placing a few rules in the REQUEST_HEADERS processing phase. After the - request body was processed as XML you will be able to use the - XML-related features to inspect it. - - Request body processors will not interrupt a transaction if an - error occurs during parsing. Instead they will set variables REQBODY_PROCESSOR_ERROR and REQBODY_PROCESSOR_ERROR_MSG. These variables - should be inspected in the REQUEST_BODY phase and an appropriate action - taken. - - The forceRequestBodyVariable option allows you - to configure the REQUEST_BODY variable to be set when - there is no request body processor configured. This allows for - inspection of request bodies of unknown types. -
- -
- <literal>deny</literal> - - Description: Stops rule processing and - intercepts transaction. - - Action Group: Disruptive - - Example: - - SecRule REQUEST_HEADERS:User-Agent "nikto" "log,deny,msg:'Nikto Scanners Identified'" -
- -
- <literal>deprecatevar</literal> - - Description: Decrement counter based on its - age. - - Action Group: Non-Disruptive - - Example: The following example will decrement the counter by 60 - every 300 seconds. - - SecAction deprecatevar:session.score=60/300 - - Note - - Counter values are always positive, meaning the value will never - go below zero. -
- -
- <literal>drop</literal> - - Description: Immediately initiate a - "connection close" action to tear down the TCP connection by sending a - FIN packet. - - Action Group: Disruptive - - Example: The following example initiates an IP collection for - tracking Basic Authentication attempts. If the client goes over the - threshold of more than 25 attempts in 2 minutes, it will DROP subsequent - connections. - - SecAction phase:1,initcol:ip=%{REMOTE_ADDR},nolog -SecRule ARGS:login "!^$" \ - nolog,phase:1,setvar:ip.auth_attempt=+1,deprecatevar:ip.auth_attempt=20/120 -SecRule IP:AUTH_ATTEMPT "@gt 25" \ - "log,drop,phase:1,msg:'Possible Brute Force Attack'" - - Note - - This action is currently not available on Windows based builds. - This action is extremely useful when responding to both Brute Force and - Denial of Service attacks in that, in both cases, you want to minimize - both the network bandwidth and the data returned to the client. This - action causes error message to appear in the log "(9)Bad file - descriptor: core_output_filter: writing data to the network" -
- -
- <literal>exec</literal> - - Description: Executes an external - script/binary supplied as parameter. As of v2.5.0, if the parameter - supplied to exec is a Lua script (detected by the - .lua extension) the script will be processed - internally. This means you will get direct access - to the internal request context from the script. Please read the - SecRuleScript documentation for more details on how - to write Lua scripts. - - Action Group: Non-disruptive - - Example: - - # The following is going to execute /usr/local/apache/bin/test.sh -# as a shell script on rule match. -SecRule REQUEST_URI "^/cgi-bin/script\.pl" \ - "phase:2,t:none,t:lowercase,t:normalisePath,log,exec:/usr/local/apache/bin/test.sh" - -# The following is going to process /usr/local/apache/conf/exec.lua -# internally as a Lua script on rule match. -SecRule ARGS:p attack log,exec:/usr/local/apache/conf/exec.lua - - - The exec action is executed independently from any disruptive - actions. External scripts will always be called with no parameters. - Some transaction information will be placed in environment variables. - All the usual CGI environment variables will be there. You should be - aware that forking a threaded process results in all threads being - replicated in the new process. Forking can therefore incur larger - overhead in multi-threaded operation. The script you execute must - write something (anything) to stdout. If it doesn't ModSecurity will - assume execution didn't work. - -
- -
- <literal>expirevar</literal> - - Description: Configures a collection variable - to expire after the given time in seconds. - - Action Group: Non-disruptive - - Example: - - SecRule REQUEST_COOKIES:JSESSIONID "!^$" nolog,phase:1,pass,chain -SecAction setsid:%{REQUEST_COOKIES:JSESSIONID} -SecRule REQUEST_URI "^/cgi-bin/script\.pl" \ - "phase:2,t:none,t:lowercase,t:normalisePath,log,allow,\ -setvar:session.suspicious=1,expirevar:session.suspicious=3600,phase:1" - - Note - - You should use expirevar actions at the same time that you use - setvar actions in order to keep the indented expiration time. If they - are used on their own (perhaps in a SecAction directive) the expire time - could get re-set. When variables are removed from collections, and there - are no other changes, collections are not written to disk at the end of - request. This is because the variables can always be expired again when - the collection is read again on a subsequent request. -
- -
- <literal>id</literal> - - Description: Assigns a unique ID to the rule - or chain. - - Action Group: Meta-data - - Example: - - SecRule &REQUEST_HEADERS:Host "@eq 0" \ - "log,id:60008,severity:2,msg:'Request Missing a Host Header'" - - Note - - These are the reserved ranges: - - - - 1-99,999; reserved for local (internal) use. Use as you see - fit but do not use this range for rules that are distributed to - others. - - - - 100,000-199,999; reserved for internal use of the engine, to - assign to rules that do not have explicit IDs. - - - - 200,000-299,999; reserved for rules published at - modsecurity.org. - - - - 300,000-399,999; reserved for rules published at - gotroot.com. - - - - 400,000-419,999; unused (available for reservation). - - - - 420,000-429,999; reserved for ScallyWhack. - - - - 430,000-699,999; unused (available for reservation). - - - - 700,000-799,999; reserved for Ivan Ristic. - - - - 900,000-999,999; reserved for the Core Rules - project. - - - - 1,000,000 and above; unused (available for - reservation). - - -
- -
- <literal>initcol</literal> - - Description: Initialises a named persistent - collection, either by loading data from storage or by creating a new - collection in memory. - - Action Group: Non-disruptive - - Example: The following example initiates IP address - tracking. - - SecAction phase:1,initcol:ip=%{REMOTE_ADDR},nolog - - Note - - Normally you will want to use phase:1 along - with initcol so that the collection is available in - all phases. - - Collections are loaded into memory when the initcol action is - encountered. The collection in storage will be persisted (and the - appropriate counters increased) only if it was - changed during transaction processing. - - See the "Persistant Storage" section for further details. -
- -
- <literal>log</literal> - - Description: Indicates that a successful - match of the rule needs to be logged. - - Action Group: Non-disruptive - - Example: - - SecAction phase:1,initcol:ip=%{REMOTE_ADDR},log - - Note - - This action will log matches to the Apache error log file and the - ModSecurity audit log. -
- -
- <literal>logdata</literal> - - Description: Allows a data fragment to be - logged as part of the alert message. - - Action Group: Non-disruptive - - Example: - - SecRule &ARGS:p "@eq 0" "log,logdata:'%{TX.0}'" - - Note - - The logdata information appears in the error and/or audit log - files and is not sent back to the client in response headers. Macro - expansion is preformed so you may use variable names such as %{TX.0}, - etc. The information is properly escaped for use with logging binary - data. -
- -
- <literal>msg</literal> - - Description: Assigns a custom message to the - rule or chain. - - Action Group: Meta-data - - Example: - - SecRule &REQUEST_HEADERS:Host "@eq 0" \ - "log,id:60008,severity:2,msg:'Request Missing a Host Header'" - - Note - - The msg information appears in the error and/or audit log files - and is not sent back to the client in response headers. -
- -
- <literal>multiMatch</literal> - - Description: If enabled ModSecurity will - perform multiple operator invocations for every target, before and after - every anti-evasion transformation is performed. - - Action Group: Non-disruptive - - Example: - - SecDefaultAction log,deny,phase:1,t:removeNulls,t:lowercase -SecRule ARGS "attack" multiMatch - - Note - - Normally, variables are evaluated once, only after all - transformation functions have completed. With multiMatch, variables are - checked against the operator before and after every transformation - function that changes the input. -
- -
- <literal>noauditlog</literal> - - Description: Indicates that a successful - match of the rule should not be used as criteria whether the transaction - should be logged to the audit log. - - Action Group: Non-disruptive - - Example: - - SecRule REQUEST_HEADERS:User-Agent "Test" allow,noauditlog - - Note - - If the SecAuditEngine is set to On, all of the transactions will - be logged. If it is set to RelevantOnly, then you can control it with - the noauditlog action. Even if the noauditlog action is applied to a - specific rule and a rule either before or after triggered an audit - event, then the transaction will be logged to the audit log. The correct - way to disable audit logging for the entire transaction is to use - "ctl:auditEngine=Off" -
- -
- <literal>nolog</literal> - - Description: Prevents rule matches from - appearing in both the error and audit logs. - - Action Group: Non-disruptive - - Example: - - SecRule REQUEST_HEADERS:User-Agent "Test" allow,nolog - - Note - - The nolog action also implies noauditlog. -
- -
- <literal>pass</literal> - - Description: Continues processing with the - next rule in spite of a successful match. - - Action Group: Disruptive - - Example1: - - SecRule REQUEST_HEADERS:User-Agent "Test" log,pass - - When using pass with SecRule with multiple - targets, all targets will be processed and - all non-disruptive actions will trigger for - every match found. In the second example the - TX:test target would be incremented by 1 for each matching - argument. - - Example2: - - SecRule ARGS "test" log,pass,setvar:TX.test=+1 - - Note - - The transaction will not be interrupted but a log will be - generated for each matching target (unless logging has been - suppressed). -
- -
- <literal>pause</literal> - - Description: Pauses transaction processing - for the specified number of milliseconds. - - Action Group: Non-disruptive - - Example: - - SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403,pause:5000 - - Note - - This feature can be of limited benefit for slowing down Brute - Force Scanners, however use with care. If you are under a Denial of - Service type of attack, the pause feature may make matters worse as this - feature will cause child processes to sit idle until the pause is - completed. -
- -
- <literal>phase</literal> - - Description: Places the rule (or the rule - chain) into one of five available processing phases. - - Action Group: Meta-data - - Example: - - SecDefaultAction log,deny,phase:1,t:removeNulls,t:lowercase -SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403 - - Note - - Keep in mind that is you specify the incorrect phase, the target - variable that you specify may be empty. This could lead to a false - negative situation where your variable and operator (RegEx) may be - correct, but it misses malicious data because you specified the wrong - phase. -
- -
- prepend - - Description: Prepends text given as parameter - to the response body. For this action to work content injection must be - enabled by setting SecContentInjection to - On. Also make sure you check the content type of the - response before you make changes to it (e.g. you don't want to inject - stuff into images). - - Action Group: Non-disruptive - - Processing Phases: 3 and 4. - - Example: - - SecRule RESPONSE_CONTENT_TYPE ^text/html "phase:3,nolog,pass,prepend:'Header<br>'" - - - While macro expansion is allowed in the additional content, you - are strongly cautioned against inserting user defined data - fields. - -
- -
- <literal>proxy</literal> - - Description: Intercepts transaction by - forwarding request to another web server using the proxy backend. - - Action Group: Disruptive - - Example: - - SecRule REQUEST_HEADERS:User-Agent "Test" log,proxy:http://www.honeypothost.com/ - - Note - - For this action to work, mod_proxy must also be installed. This - action is useful if you would like to proxy matching requests onto a - honeypot webserver. -
- -
- <literal>redirect</literal> - - Description: Intercepts transaction by - issuing a redirect to the given location. - - Action Group: Disruptive - - Example: - - SecRule REQUEST_HEADERS:User-Agent "Test" \ - log,redirect:http://www.hostname.com/failed.html - - Note - - If the status action is present - and its value is acceptable (301, 302, 303, or 307) it will be used for - the redirection. Otherwise status code 302 will be used. -
- -
- <literal>rev</literal> - - Description: Specifies rule revision. - - Action Group: Meta-data - - Example: - - SecRule REQUEST_METHOD "^PUT$" "id:340002,rev:1,severity:2,msg:'Restricted HTTP function'" - - Note - - This action is used in combination with the id action to allow the same rule ID to be used - after changes take place but to still provide some indication the rule - changed. -
- -
- <literal>sanitizeArg</literal> - - Description: Sanitises (replaces each byte - with an asterisk) a named request argument prior to audit - logging. - - Action Group: Non-disruptive - - Example: - - SecAction nolog,phase:2,sanitizeArg:password - - Note - - The sanitize actions do not sanitize any data within the actual - raw requests but only on the copy of data within memory that is set to - log to the audit log. It will not sanitize the data in the - modsec_debug.log file (if the log level is set high enough to capture - this data). -
- -
- <literal>sanitizeMatched</literal> - - Description: Sanitises the variable (request - argument, request header, or response header) that caused a rule - match. - - Action Group: Non-disruptive - - Example: This action can be used to sanitize arbitrary transaction - elements when they match a condition. For example, the example below - will sanitize any argument that contains the word - password in the name. - - SecRule ARGS_NAMES password nolog,pass,sanitizeMatched - - Note - - Same note as sanitizeArg. -
- -
- <literal>sanitizeRequestHeader</literal> - - Description: Sanitises a named request - header. - - Action Group: Non-disruptive - - Example: This will sanitize the data in the Authorization - header. - - SecAction log,phase:1,sanitizeRequestHeader:Authorization - - Note - - Same note as sanitizeArg. -
- -
- <literal>sanitizeResponseHeader</literal> - - Description: Sanitises a named response - header. - - Action Group: Non-disruptive - - Example: This will sanitize the Set-Cookie data sent to the - client. - - SecAction log,phase:3,sanitizeResponseHeader:Set-Cookie - - Note - - Same note as sanitizeArg. -
- -
- <literal>severity</literal> - - Description: Assigns severity to the rule it - is placed with. - - Action Group: Meta-data - - Example: - - SecRule REQUEST_METHOD "^PUT$" "id:340002,rev:1,severity:CRITICAL,msg:'Restricted HTTP function'" - - Note - - Severity values in ModSecurity follow those of syslog, as - below: - - - - 0 - EMERGENCY - - - - 1 - ALERT - - - - 2 - CRITICAL - - - - 3 - ERROR - - - - 4 - WARNING - - - - 5 - NOTICE - - - - 6 - INFO - - - - 7 - DEBUG - - - - It is possible to specify severity levels using either the - numerical values or the text values. You should always specify severity - levels using the text values. The use of the numerical values is - deprecated (as of v2.5.0) and may be removed in one of the susequent - major updates. -
- -
- <literal>setuid</literal> - - Description: Special-purpose action that - initialises the USER - collection. - - Action Group: Non-disruptive - - Example: - - SecAction setuid:%{REMOTE_USER},nolog - - Note - - After initialisation takes place the variable USERID will be available for use in the - subsequent rules. -
- -
- <literal>setsid</literal> - - Description: Special-purpose action that - initialises the SESSION - collection. - - Action Group: Non-disruptive - - Example: - - # Initialise session variables using the session cookie value -SecRule REQUEST_COOKIES:PHPSESSID !^$ chain,nolog,pass -SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} - - Note - - On first invocation of this action the collection will be empty - (not taking the predefined variables into account - see initcol for more information). On subsequent - invocations the contents of the collection (session, in this case) will - be retrieved from storage. After initialisation takes place the - variable SESSIONID will be available - for use in the subsequent rules.This action understands each application - maintains its own set of sessions. It will utilise the current web - application ID to create a session namespace. -
- -
- <literal>setenv</literal> - - Description: Creates, removes, or updates an - environment variable. - - Action Group: Non-disruptive - - Examples: - - To create a new variable (if you omit the value 1 will be used): - - setenv:name=value - - To remove a variable: - - setenv:!name - - Note - - This action can be used to establish communication with other - Apache modules. -
- -
- <literal>setvar</literal> - - Description: Creates, removes, or updates a - variable in the specified collection. - - Action Group: Non-disruptive - - Examples: - - To create a new variable: - - setvar:tx.score=10 - - To remove a variable prefix the name with exclamation mark: - - setvar:!tx.score - - To increase or decrease variable value use + and - - characters in front of a numerical value: - - setvar:tx.score=+5 -
- -
- <literal>skip</literal> - - Description: Skips one or more rules (or - chains) on successful match. - - Action Group: Flow - - Example: - - SecRule REQUEST_URI "^/$" \ -"phase:2,chain,t:none,skip:2" -SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain" -SecRule REQUEST_HEADERS:User-Agent "^Apache \(internal dummy connection\)$" "t:none" -SecRule &REQUEST_HEADERS:Host "@eq 0" \ - "deny,log,status:400,id:960008,severity:4,msg:'Request Missing a Host Header'" -SecRule &REQUEST_HEADERS:Accept "@eq 0" \ - "log,deny,log,status:400,id:960015,msg:'Request Missing an Accept Header'" - - Note - - Skip only applies to the current processing phase and not - necessarily the order in which the rules appear in the configuration - file. If you group rules by processing phases, then skip should work as - expected. This action can not be used to skip rules within one chain. - Accepts a single parameter denoting the number of rules (or chains) to - skip. -
- -
- <literal>skipAfter</literal> - - Description: Skips rules (or chains) on - successful match resuming rule execution after the specified rule ID or - marker (see SecMarker) is found. - - Action Group: Flow - - Example: - - SecRule REQUEST_URI "^/$" "chain,t:none,skipAfter:960015" -SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain" -SecRule REQUEST_HEADERS:User-Agent "^Apache \(internal dummy connection\)$" "t:none" -SecRule &REQUEST_HEADERS:Host "@eq 0" \ - "deny,log,status:400,id:960008,severity:4,msg:'Request Missing a Host Header'" -SecRule &REQUEST_HEADERS:Accept "@eq 0" \ - "log,deny,log,status:400,id:960015,msg:'Request Missing an Accept Header'" - - Note - - SkipAfter only applies to the current - processing phase and not necessarily the order in which the rules appear - in the configuration file. If you group rules by processing phases, then - skip should work as expected. This action can not be used to skip rules - within one chain. Accepts a single parameter denoting the last rule ID - to skip. -
- -
- <literal>status</literal> - - Description: Specifies the response status - code to use with actions deny - and redirect. - - Action Group: Data - - Example: - - SecDefaultAction log,deny,status:403,phase:1 - - Note - - Status actions defined in Apache scope locations (such as - Directory, Location, etc...) may be superseded by phase:1 action - settings. The Apache ErrorDocument directive will be triggered if - present in the configuration. Therefore if you have previously defined a - custom error page for a given status then it will be executed and its - output presented to the user. -
- -
- <literal>t</literal> - - Description: This action can be used which - transformation function should be used against the specified variables - before they (or the results, rather) are run against the operator - specified in the rule. - - Action Group: Non-disruptive - - Example: - - SecDefaultAction log,deny,phase:1,t:removeNulls,t:lowercase -SecRule REQUEST_COOKIES:SESSIONID "47414e81cbbef3cf8366e84eeacba091" \ - log,deny,status:403,t:md5,t:hexEncode - - Note - - Any transformation functions that you specify in a SecRule will be - in addition to previous ones specified in SecDefaultAction. Use of - "t:none" will remove all transformation functions for the specified - rule. -
- -
- <literal>tag</literal> - - Description: Assigns custom text to a rule or - chain. - - Action Group: Meta-data - - Example: - - SecRule REQUEST_FILENAME "\b(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe\b" \ - "t:none,t:lowercase,deny,msg:'System Command Access',id:'950002',\ -tag:'WEB_ATTACK/FILE_INJECTION',tag:'OWASP/A2',severity:'2'" - - Note - - The tag information appears in the error and/or audit log files. - Its intent is to be used to automate classification of rules and the - alerts generated by rules. Multiple tags can be used per - rule/chain. -
- -
- <literal>xmlns</literal> - - Description: This action should be used - together with an XPath expression to register a namespace. - - Action Group: Data - - Example: - - SecRule REQUEST_HEADERS:Content-Type "text/xml" \ - "phase:1,pass,ctl:requestBodyProcessor=XML,ctl:requestBodyAccess=On, \ - xmlns:xsd="http://www.w3.org/2001/XMLSchema" -SecRule XML:/soap:Envelope/soap:Body/q1:getInput/id() "123" phase:2,deny -
-
- -
- Operators - - A number of operators can be used in rules, as documented below. The - operator syntax uses the @ symbol followed by the - specific operator name. - -
- <literal>beginsWith</literal> - - Description: This operator is a string - comparison and returns true if the parameter value is found at the - beginning of the input. Macro expansion is performed so you may use - variable names such as %{TX.1}, etc. - - Example: - - SecRule REQUEST_LINE "!@beginsWith GET" t:none,deny,status:403 -SecRule REQUEST_ADDR "^(.*)\.\d+$" deny,status:403,capture,chain -SecRule ARGS:gw "!@beginsWith %{TX.1}" -
- -
- <literal>contains</literal> - - Description: This operator is a string - comparison and returns true if the parameter value is found anywhere in - the input. Macro expansion is performed so you may use variable names - such as %{TX.1}, etc. - - Example: - - SecRule REQUEST_LINE "!@contains .php" t:none,deny,status:403 -SecRule REQUEST_ADDR "^(.*)$" deny,status:403,capture,chain -SecRule ARGS:ip "!@contains %{TX.1}" -
- -
- <literal>endsWith</literal> - - Description: This operator is a string - comparison and returns true if the parameter value is found at the end - of the input. Macro expansion is performed so you may use variable names - such as %{TX.1}, etc. - - Example: - - SecRule REQUEST_LINE "!@endsWith HTTP/1.1" t:none,deny,status:403 -SecRule ARGS:route "!@endsWith %{REQUEST_ADDR}" t:none,deny,status:403 -
- -
- <literal>eq</literal> - - Description: This operator is a numerical - comparison and stands for "equal to." - - Example: - - SecRule &REQUEST_HEADERS_NAMES "@eq 15" - - Macro expansion is performed so you may use variable names such as - %{TX.1}, etc. -
- -
- <literal>ge</literal> - - Description: This operator is a numerical - comparison and stands for "greater than or equal to." - - Example: - - SecRule &REQUEST_HEADERS_NAMES "@ge 15" - - Macro expansion is performed so you may use variable names such as - %{TX.1}, etc. -
- -
- <literal>geoLookup</literal> - - Description: This operator looks up various - data fields from an IP address or hostname in the target data. The - results will be captured in the GEO - collection. - - You must provide a database via SecGeoLookupDb before this operator can be - used. - - - This operator matches and the action is executed on a - successful lookup. For this reason, you probably want to - use the pass,nolog actions. This allows for - setvar and other non-disruptive - actions to be executed on a match. If you wish to block on a failed - lookup, then do something like this (look for an empty GEO - collection): - - SecGeoLookupDb /usr/local/geo/data/GeoLiteCity.dat -... -SecRule REMOTE_ADDR "@geoLookup" "pass,nolog" -SecRule &GEO "@eq 0" "deny,status:403,msg:'Failed to lookup IP'" - - - See the GEO variable for an - example and more information on various fields available. -
- -
- <literal>gt</literal> - - Description: This operator is a numerical - comparison and stands for "greater than." - - Example: - - SecRule &REQUEST_HEADERS_NAMES "@gt 15" - - Macro expansion is performed so you may use variable names such as - %{TX.1}, etc. -
- -
- <literal>inspectFile</literal> - - Description: Executes the external - script/binary given as parameter to the operator against every file - extracted from the request. As of v2.5.0, if the supplied filename is - not absolute it is treated as relative to the directory in which the - configuration file resides. Also as of v2.5.0, if the filename is - determined to be a Lua script (based on its extension) the script will - be processed by the internal engine. As such it will have full access to - the ModSecurity context. - - Example of using an external binary/script: - - # Execute external script to validate uploaded files. -SecRule FILES_TMPNAMES "@inspectFile /opt/apache/bin/inspect_script.pl" - - Example of using Lua script: - - SecRule FILES_TMPNANMES "@inspectFile inspect.lua" - - Script inspect.lua: - - function main(filename) - -- Do something to the file to verify it. In this example, we - -- read up to 10 characters from the beginning of the file. - local f = io.open(filename, "rb"); - local d = f:read(10); - f:close(); - - -- Return null if there is no reason to believe there is ansything - -- wrong with the file (no match). Returning any text will be taken - -- to mean a match should be trigerred. - return null; -end -
- -
- <literal>le</literal> - - Description: This operator is a numerical - comparison and stands for "less than or equal to." - - Example: - - SecRule &REQUEST_HEADERS_NAMES "@le 15" - - Macro expansion is performed so you may use variable names such as - %{TX.1}, etc. -
- -
- <literal>lt</literal> - - Description: This operator is a numerical - comparison and stands for "less than." - - Example: - - SecRule &REQUEST_HEADERS_NAMES "@lt 15" - - Macro expansion is performed so you may use variable names such as - %{TX.1}, etc. -
- -
- <literal>pm</literal> - - Description: Phrase Match operator. This - operator uses a set based matching engine (Aho-Corasick) for faster - matches of keyword lists. It will match any one of its arguments - anywhere in the target value. The match is case insensitive. - - Example: - - SecRule REQUEST_HEADERS:User-Agent "@pm WebZIP WebCopier Webster WebStripper SiteSnagger ProWebWalker CheeseBot" "deny,status:403 - - The above would deny access with 403 if any of the words matched - within the User-Agent HTTP header value. -
- -
- <literal>pmFromFile</literal> - - Description: Phrase Match operator. This - operator uses a set based matching engine (Aho-Corasick) for faster - matches of keyword lists. This operator is the same as - @pm except that it takes a list of files as - arguments. It will match any one of the phrases listed in the file(s) - anywhere in the target value. - - Notes: - - - - The contents of the files should be one phrase per line. End - of line markers will be stripped from the phrases (LF and CRLF), and - whitespace is trimmed from both sides of the phrases. Empty lines - and comment lines (beginning with a '#') are ignored. - - - - To allow easier inclusion of phrase files with rulesets, - relative paths may be used to the phrase files. In this case, the - path of the file containing the rule is prepended to the phrase file - path. - - - - To allow easier matching of whole IP addresses, you can add - boundary characters to the phrases. For example, use "/1.2.3.4/" - instead of "1.2.3.4". You can then insert these characters into the - target prior to a match: - - SecAction "phase:1,pass,nolog,setvar:tx.remote_addr=/%{REMOTE_ADDR}/" -SecRule TX:REMOTE_ADDR "@pmFromFile ip-blacklist.txt" "deny,status:403 - -# ip-blacklist.txt contents: -# NOTE: All IPs must be prefixed/suffixed with "/" as the rules -# will add in this character as a boundary to ensure -# the entire IP is matched. -# SecAction "phase:1,pass,nolog,setvar:tx.remote_addr='/%{REMOTE_ADDR}/'" -/1.2.3.4/ -/5.6.7.8/ - - - - Example: - - SecRule REQUEST_HEADERS:User-Agent "@pm /path/to/blacklist1 blacklist2" "deny,status:403 - - The above would deny access with 403 if any of the patterns in the - two files matched within the User-Agent HTTP header value. The - blacklist2 file would need to be placed in the same - path as the file containing the rule. -
- -
- <literal>rbl</literal> - - Description: Look up the parameter in the RBL - given as parameter. Parameter can be an IPv4 address, or a - hostname. - - Example: - - SecRule REMOTE_ADDR "@rbl sc.surbl.org" -
- -
- <literal>rx</literal> - - Description: Regular expression operator. - This is the default operator, so if the "@" operator is not defined, it - is assumed to be rx. - - Example: - - SecRule REQUEST_HEADERS:User-Agent "@rx nikto" - - Note - - Regular expressions are handled by the PCRE library (http://www.pcre.org). ModSecurity - compiles its regular expressions with the following settings: - - - - The entire input is treated as a single line, even when there - are newline characters present. - - - - All matches are case-sensitive. If you do not care about case - sensitivity you either need to implement the lowercase transformation function, or use - the per-pattern(?i)modifier, as - allowed by PCRE. - - - - The PCRE_DOTALL and - PCRE_DOLLAR_ENDONLY flags are set - during compilation, meaning a single dot will match any character, - including the newlines and a $ - end anchor will not match a trailing newline character. - - -
- -
- <literal>streq</literal> - - Description: This operator is a string - comparison and returns true if the parameter value matches the input - exactly. Macro expansion is performed so you may use variable names such - as %{TX.1}, etc. - - Example: - - SecRule ARGS:foo "!@streq bar" t:none,deny,status:403 -SecRule REQUEST_ADDR "^(.*)$" deny,status:403,capture,chain -SecRule REQUEST_HEADERS:Ip-Address "!@streq %{TX.1}" -
- -
- <literal>validateByteRange</literal> - - Description: Validates the byte range used in - the variable falls into the specified range. - - Example: - - SecRule ARGS:text "@validateByteRange 10, 13, 32-126" - - Note - - You can force requests to consist only of bytes from a certain - byte range. This can be useful to avoid stack overflow attacks (since - they usually contain "random" binary content). Default range values are - 0 and 255, i.e. all byte values are allowed. This directive does not - check byte range in a POST payload when - multipart/form-data encoding (file upload) is used. - Doing so would prevent binary files from being uploaded. However, after - the parameters are extracted from such request they are checked for a - valid range. - - validateByteRange is similar to the ModSecurity 1.X - SecFilterForceByteRange Directive however since it works in a rule - context, it has the following differences: - - - - You can specify a different range for different - variables. - - - - It has an "event" context (id, msg....) - - - - It is executed in the flow of rules rather than being a built - in pre-check. - - -
- -
- <literal>validateDTD</literal> - - Description: Validates the DOM tree generated - by the XML request body processor against the supplied DTD. - - Example: - - SecDefaultAction log,deny,status:403,phase:2 -SecRule REQUEST_HEADERS:Content-Type ^text/xml$ \ - phase:1,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML -SecRule REQBODY_PROCESSOR "!^XML$" nolog,pass,skipAfter:12345 -SecRule XML "@validateDTD /path/to/apache2/conf/xml.dtd" "deny,id:12345" - - - This operator requires request body to be processed as - XML. - -
- -
- <literal>validateSchema</literal> - - Description: Validates the DOM tree generated - by the XML request body processor against the supplied XML - Schema. - - Example: - - SecDefaultAction log,deny,status:403,phase:2 -SecRule REQUEST_HEADERS:Content-Type ^text/xml$ \ - phase:1,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML -SecRule REQBODY_PROCESSOR "!^XML$" nolog,pass,skipAfter:12345 -SecRule XML "@validateSchema /path/to/apache2/conf/xml.xsd" "deny,id:12345" - - - This operator requires request body to be processed as - XML. - -
- -
- <literal>validateUrlEncoding</literal> - - Description: Verifies the encodings used in - the variable (if any) are valid. - - Example: - - SecRule ARGS "@validateUrlEncoding" - - Note - - URL encoding is an HTTP standard for encoding byte values within a - URL. The byte is escaped with a % followed by two hexadecimal values - (0-F). This directive does not check encoding in a POST payload when the - multipart/form-data encoding (file upload) is used. - It is not necessary to do so because URL encoding is not used for this - encoding. -
- -
- <literal>validateUtf8Encoding</literal> - - Description: Verifies the variable is a valid - UTF-8 encoded string. - - Example: - - SecRule ARGS "@validateUtf8Encoding" - - Note - - UTF-8 encoding is valid on most web servers. Integer values - between 0-65535 are encoded in a UTF-8 byte sequence that is escaped by - percents. The short form is two bytes in length. - - check for three types of errors: - - - - Not enough bytes. UTF-8 supports two, three, four, five, and - six byte encodings. ModSecurity will locate cases when a byte or - more is missing. - - - - Invalid encoding. The two most significant bits in most - characters are supposed to be fixed to 0x80. Attackers can use this - to subvert Unicode decoders. - - - - Overlong characters. ASCII characters are mapped directly into - the Unicode space and are thus represented with a single byte. - However, most ASCII characters can also be encoded with two, three, - four, five, and six characters thus tricking the decoder into - thinking that the character is something else (and, presumably, - avoiding the security check). - - -
- -
- <literal>verifyCC</literal> - - Description: This operator verifies a given - regular expression as a potential credit card number. It first matches - with a single generic regular expression then runs the resulting match - through a Luhn checksum algorithm to further verify it as a potential - credit card number. - - Example: - - SecRule ARGS "@verifyCC \d{13,16}" \ - "phase:2,sanitizeMatched,log,auditlog,pass,msg:'Potential credit card number'" -
- -
- <literal>within</literal> - - Description: This operator is a string - comparison and returns true if the input value is found anywhere within - the parameter value. Note that this is similar to - @contains, except that the target and match values - are reversed. Macro expansion is performed so you may use variable names - such as %{TX.1}, etc. - - Example: - - SecRule REQUEST_METHOD "!@within get,post,head" t:lowercase,deny,status:403 - -SecAction "pass,setvar:'tx.allowed_methods=get,post,head'" -SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" t:lowercase,deny,status:403 -
-
- -
- Macro Expansion - - Macros allow for using place holders in rules that will be expanded - out to their values at runtime. Currently only variable expansion is - supported, however more options may be added in future versions of - ModSecurity. - - Format: - - %{VARIABLE} -%{COLLECTION.VARIABLE} - - Macro expansion can be used in actions such as initcol, setsid, - setuid, setvar, setenv, logdata. Operators that are evaluated at runtime - support expansion and are noted above. Such operators include @beginsWith, - @endsWith, @contains, @within and @streq. You cannot use macro expansion - for operators that are "compiled" such as @pm, @rx, etc. as these - operators have their values fixed at configure time for efficiency. - - Some values you may want to expand include: TX, REMOTE_ADDR, USERID, - HIGHEST_SEVERITY, MATCHED_VAR, MATCHED_VAR_NAME, MULTIPART_STRICT_ERROR, - RULE, SESSION, USERID, among others. -
- -
- Persistant Storage - - At this time it is only possible to have three collections in which - data is stored persistantly (i.e. data available to multiple requests). - These are: IP, SESSION and USER. - - Every collection contains several built-in variables that are - available and are read-only unless otherwise specified: - - - - CREATE_TIME - date/time of - the creation of the collection. - - - - IS_NEW - set to 1 if the - collection is new (not yet persisted) otherwise set to 0. - - - - KEY - the value of the - initcol variable (the client's IP address in the example). - - - - LAST_UPDATE_TIME - date/time - of the last update to the collection. - - - - TIMEOUT - date/time in - seconds when the collection will be updated on disk from memory (if no - other updates occur). This variable may be set if you wish to specifiy - an explicit expiration time (default is 3600 seconds). - - - - UPDATE_COUNTER - how many - times the collection has been updated since creation. - - - - UPDATE_RATE - is the average - rate updates per minute since creation. - - - - To create a collection to hold session variables (SESSION) use action setsid. To create a collection to hold user - variables (USER) use action setuid. To create a collection to hold client - address variables (IP) use action - initcol. - - - ModSecurity implements atomic updates of persistent variables only - for integer variables (counters) at this time. Variables are read from - storage whenever initcol is encountered in the rules - and persisted at the end of request processing. Counters are adjusted by - applying a delta generated by re-reading the persisted data just before - being persisted. This keeps counter data consistent even if the counter - was modified and persisted by another thread/process during the - transaction. - - - - ModSecurity uses a Berkley Database (SDBM) for persistant storage. - This type of database is generally limited to storing a maximum of 1008 - bytes per key. This may be a limitation if you are attempting to store a - considerable amount of data in variables for a single key. Some of this - limitation is planned to be reduced in a future version of - ModSecurity. - -
- -
- Miscellaneous Topics - - - -
- Impedance Mismatch - - Web application firewalls have a difficult job trying to make - sense of data that passes by, without any knowledge of the application - and its business logic. The protection they provide comes from having an - independent layer of security on the outside. Because data validation is - done twice, security can be increased without having to touch the - application. In some cases, however, the fact that everything is done - twice brings problems. Problems can arise in the areas where the - communication protocols are not well specified, or where either the - device or the application do things that are not in the specification. - In such cases it may be possible to design payload that will be - interpreted in one way by one device and in another by the other device. - This problem is better known as Impedance Mismatch. It can be exploited - to evade the security devices. - - While we will continue to enhance ModSecurity to deal with various - evasion techniques the problem can only be minimized, but never solved. - With so many different application backend chances are some will always - do something completely unexpected. The only solution is to be aware of - the technologies in the backend when writing rules, adapting the rules - to remove the mismatch. See the next section for some examples. - -
- PHP Peculiarities for ModSecurity Users - - When writing rules to protect PHP applications you need to pay - attention to the following facts: - - - - When "register_globals" is set to "On" request parameters - are automatically converted to script variables. In some PHP - versions it is even possible to override the $GLOBALS - array. - - - - Whitespace at the beginning of parameter names is ignored. - (This is very dangerous if you are writing rules to target - specific named variables.) - - - - The remaining whitespace (in parameter names) is converted - to underscores. The same applies to dots and to a "[" if the - variable name does not contain a matching closing bracket. - (Meaning that if you want to exploit a script through a variable - that contains an underscore in the name you can send a parameter - with a whitespace or a dot instead.) - - - - Cookies can be treated as request parameters. - - - - The discussion about variable names applies equally to the - cookie names. - - - - The order in which parameters are taken from the request and - the environment is EGPCS (environment, GET, POST, Cookies, - built-in variables). This means that a POST parameter will - overwrite the parameters transported on the request line (in - QUERY_STRING). - - - - When "magic_quotes_gpc" is set to "On" PHP will use - backslash to escape the following characters: single quote, double - quote, backslash, and the nul byte. - - - - If "magic_quotes_sybase" is set to "On" only the single - quote will be escaped using another single quote. In this case the - "magic_quotes_gpc" setting becomes irrelevant. The - "magic_quotes_sybase" setting completely overrides the - "magic_quotes_gpc" behaviour but "magic_quotes_gpc" still must be - set to "On" for the Sybase-specific quoting to be work. - - - - PHP will also automatically create nested arrays for you. - For example "p[x][y]=1" results in a total of three - variables. - - -
-
-
-
diff --git a/doc/modsecurity2-data-formats.xml b/doc/modsecurity2-data-formats.xml deleted file mode 100644 index 32e1ddc2..00000000 --- a/doc/modsecurity2-data-formats.xml +++ /dev/null @@ -1,1274 +0,0 @@ - - -
- ModSecurity 2 Data Formats - - 2.6.0-trunk (April 22, 2009) - - 2004-2010 - Breach Security, Inc. (http://www.breach.com) - - - The purpose of this document is to describe the formats of the ModSecurity alert messages, - transaction logs and communication protocols, which would not only allow for a better - understanding what ModSecurity does but also for an easy integration with third-party tools - and products. -
- Alerts - As part of its operations ModSecurity will emit alerts, which are either - warnings (non-fatal) or errors (fatal, - usually leading to the interception of the transaction in question). Below is an example - of a ModSecurity alert entry: - Access denied with code 505 (phase 1). Match of "rx - ^HTTP/(0\\\\.9|1\\\\.[01])$" against "REQUEST_PROTOCOL" required. - [id "960034"] [msg "HTTP protocol version is not allowed by policy"] - [severity "CRITICAL"] [uri "/"] [unique_id "PQaTTVBEUOkAAFwKXrYAAAAM"] - - - Alerts will only ever contain one line of text but we've broken - the above example into multiple lines to make it fit into the - page. - - - Each alert entry begins with the engine message, which describes - what ModSecurity did and why. For example:Access denied with code 505 (phase 1). Match of "rx - ^HTTP/(0\\\\.9|1\\\\.[01])$" against "REQUEST_PROTOCOL" required. - -
- Alert Action Description - - The first part of the engine message tells you whether ModSecurity - acted to interrupt transaction or rule processing: - - - - If the alert is only a warning, the first sentence will simply - say Warning. - - - - If the transaction was intercepted, the first sentence will - begin with Access denied. What follows is the - list of possible messages related to transaction - interception: - - - - Access denied with code %0 - a - response with status code %0 was sent. - - - - Access denied with connection close - - connection was abruptly closed. - - - - Access denied with redirection to %0 using - status %1 - a redirection to URI - %0 was issued using status - %1. - - - - - - There is also a special message that ModSecurity emits where - an allow action is executed. There are three - variations of this type of message: - - - - Access allowed - rule engine stopped - processing rules (transaction was unaffected). - - - - Access to phase allowed - rule engine - stopped processing rules in the current phase only. Subsequent - phases will be processed normally. Transaction was not affected - by this rule but it may be affected by any of the rules in the - subsequent phase. - - - - Access to request allowed - rule - engine stopped processing rules in the current phase. Phases - prior to request execution in the backend (currently phases 1 - and 2) will not be processed. The response phases (currently - phases 3 and 4) and others (currently phase 5) will be processed - as normal. Transaction was not affected by this rule but it may - be affected by any of the rules in the subsequent phase. - - - - -
- -
- Alert Justification Description - - The second part of the engine message explains - why the alert was generated. Since it is - automatically generated from the rules it will be very technical in - nature, talking about operators and their parameters and give you - insight into what the rule looked like. But this message cannot give you - insight into the reasoning behind the rule. A well-written rule will - always specify a human-readable message (using the - msg action) to provide further information. - - The format of the second part of the engine message depends on - whether it was generated by the operator (which happens on a match) or - by the rule processor (which happens where there is not a match, but the - negation was used): - - - - @beginsWith - String match %0 at - %1. - - - - @contains - String match %0 at - %1. - - - - @containsWord - String match %0 - at %1. - - - - @endsWith - String match %0 at - %1. - - - - @eq - Operator EQ matched %0 at - %1. - - - - @ge - Operator GE matched %0 at - %1. - - - - @geoLookup - Geo lookup for %0 - succeeded at %1. - - - - @inspectFile - File %0 rejected - by the approver script %1: %2 - - - - @le - Operator LE matched %0 at - %1. - - - - @lt - Operator LT matched %0 at - %1. - - - - @rbl - RBL lookup of %0 succeeded - at %1. - - - - @rx - Pattern match %0 at - %1. - - - - @streq - String match %0 at - %1. - - - - @validateByteRange - Found %0 - byte(s) in %1 outside range: %2. - - - - @validateDTD - XML: DTD - validation failed. - - - - @validateSchema - XML: Schema - validation failed. - - - - @validateUrlEncoding - - - - Invalid URL Encoding: Non-hexadecimal digits - used at %0. - - - - Invalid URL Encoding: Not enough characters at - the end of input at %0. - - - - - - @validateUtf8Encoding - - - - Invalid UTF-8 encoding: not enough bytes in - character at %0. - - - - Invalid UTF-8 encoding: invalid byte value in - character at %0. - - - - Invalid UTF-8 encoding: overlong character - detected at %0. - - - - Invalid UTF-8 encoding: use of restricted - character at %0. - - - - Invalid UTF-8 encoding: decoding error at - %0. - - - - - - @verifyCC - CC# match %0 at - %1. - - - - Messages not related to operators: - - - - When SecAction directive is processed - - Unconditional match in SecAction. - - - - When SecRule does not match but negation is - used - Match of %0 against %1 required. - - - - - The parameters to the operators @rx and - @pm (regular expression and text pattern, - respectively) will be truncated to 252 bytes if they are longer than - this limit. In this case the parameter in the alert message will be - terminated with three dots. - -
- -
- Meta-data - - The metadata fields are always placed at the end of the alert - entry. Each metadata field is a text fragment that consists of an open - bracket followed by the metadata field name, followed by the value and - the closing bracket. What follows is the text fragment that makes up the - id metadata field. - - [id "960034"] - - The following metadata fields are currently used: - - - - offset - The byte offset where a match - occured within the target data. This is not always available. - - - - id - Unique rule ID, as specified by the - id action. - - - - rev - Rule revision, as specified by the - rev action. - - - - msg - Human-readable message, as specified - by the msg action. - - - - severity - Event severity as text, as - specified by the severity action. The possible - values (with their corresponding numberical values in brackets) are - EMERGENCY (0), ALERT (1), - CRITICAL (2), ERROR (3), - WARNING (4), NOTICE (5), - INFO (6) and DEBUG (7). - - - - unique_id - Unique event ID, generated - automatically. - - - - uri - Request URI. - - - - logdata - contains transaction data - fragment, as specified by the logdata - action. - - -
- -
- Escaping - - ModSecurity alerts will always contain text fragments that were - taken from configuration or the transaction. Such text fragments escaped - before they are user in messages, in order to sanitize the potentially - dangerous characters. They are also sometimes surrounded using double - quotes. The escaping algorithm is as follows: - - Characters 0x08 - (BACKSPACE), 0x0a - (NEWLINE), 0x10 - (CARRIAGE RETURN), 0x09 - (HORIZONTAL TAB) and 0x0b - (VERTICAL TAB) will be represented as - \b, \n, - \r, \t and - \v, respectively. - - - - Bytes from the ranges 0-0x1f and - 0x7f-0xff (inclusive) will be represented as - \xHH, where HH is the - hexadecimal value of the byte. - - - - Backslash characters (\) will be - represented as \\. - - - - Each double quote character will be represented as - \", but only if the entire fragment is - surrounded with double quotes. - - -
- -
- Alerts in the Apache Error Log - - Every ModSecurity alert conforms to the following format when it - appears in the Apache error log: - - [Sun Jun 24 10:19:58 2007] [error] [client 192.168.0.1] - ModSecurity: ALERT_MESSAGE - - The above is a standard Apache error log format. The - ModSecurity: prefix is specific to ModSecurity. It - is used to allow quick identification of ModSecurity alert messages when - they appear in the same file next to other Apache messages. - - The actual message (ALERT_MESSAGE in the - example above) is in the same format as described in the - Alerts section. - - - Apache further escapes ModSecurity alert messages before writing - them to the error log. This means that all backslash characters will - be doubled in the error log. In practice, since ModSecurity will - already represent a single backslash within an untrusted text fragment - as two backslashes, the end result in the Apache error log will be - four backslashes. Thus, if you need to interpret - a ModSecurity message from the error log, you should decode the - message part after the ModSecurity: prefix first. - This step will peel the first encoding layer. - -
- -
- Alerts in Audit Logs - - Alerts are transported in the H section of the - ModSecurity Audit Log. Alerts will appear each on a separate line and in - the order they were generated by ModSecurity. Each line will be in the - following format: - - Message: ALERT_MESSAGE - - Below is an example of an H section that - contains two alert messages: - - --c7036611-H-- -Message: Warning. Match of "rx ^apache.*perl" against - "REQUEST_HEADERS:User-Agent" required. [id "990011"] [msg "Request - Indicates an automated program explored the site"] [severity "NOTICE"] -Message: Warning. Pattern match "(?:\\b(?:(?:s(?:elect\\b(?:.{1,100}?\\b - (?:(?:length|count|top)\\b.{1,100}?\\bfrom|from\\b.{1,100}?\\bwhere) - |.*?\\b(?:d(?:ump\\b.*\\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_ - (?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?| - makewebt ..." at ARGS:c. [id "950001"] [msg "SQL Injection Attack. - Matched signature: union select"] [severity "CRITICAL"] -Stopwatch: 1199881676978327 2514 (396 2224 -) -Producer: ModSecurity v2.x.x (Apache 2.x) -Server: Apache/2.x.x - ---c7036611-Z-- -
-
- -
- Audit Log - - ModSecurity records one transaction in a single audit log file. - Below is an example: - - --c7036611-A-- -[09/Jan/2008:12:27:56 +0000] OSD4l1BEUOkAAHZ8Y3QAAAAH 209.90.77.54 64995 - 80.68.80.233 80 ---c7036611-B-- -GET //EvilBoard_0.1a/index.php?c='/**/union/**/select/**/1,concat(username, - char(77),password,char(77),email_address,char(77),info,char(77),user_level, - char(77))/**/from/**/eb_members/**/where/**/userid=1/*http://kamloopstutor. - com/images/banners/on.txt? HTTP/1.1 -TE: deflate,gzip;q=0.3 -Connection: TE, cslose -Host: www.example.com -User-Agent: libwww-perl/5.808 - ---c7036611-F-- -HTTP/1.1 404 Not Found -Content-Length: 223 -Connection: close -Content-Type: text/html; charset=iso-8859-1 - ---c7036611-H-- -Message: Warning. Match of "rx ^apache.*perl" against - "REQUEST_HEADERS:User-Agent" required. [id "990011"] [msg "Request - Indicates an automated program explored the site"] [severity "NOTICE"] -Message: Warning. Pattern match "(?:\\b(?:(?:s(?:elect\\b(?:.{1,100}?\\b - (?:(?:length|count|top)\\b.{1,100}?\\bfrom|from\\b.{1,100}?\\bwhere) - |.*?\\b(?:d(?:ump\\b.*\\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_ - (?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?| - makewebt ..." at ARGS:c. [id "950001"] [msg "SQL Injection Attack. - Matched signature: union select"] [severity "CRITICAL"] -Stopwatch: 1199881676978327 2514 (396 2224 -) -Producer: ModSecurity v2.x.x (Apache 2.x) -Server: Apache/2.x.x - ---c7036611-Z-- - - - The file consist of multiple sections, each in different format. - Separators are used to define sections: - - --c7036611-A-- - - A separator always begins on a new line and conforms to the - following format: - - - - Two dashes - - - - Unique boundary, which consists from several hexadecimal - characters. - - - - One dash character. - - - - Section identifier, currently a single uppercase letter. - - - - Two trailing dashes. - - - - Refer to the documentation for SecAuditLogParts - for the explanation of each part. - -
- Parts - - This section documents the audit log parts available in - ModSecurity 2.x. They are: - - A - audit log - header - - - - B - request - headers - - - - C - request body - - - - D - intended response - headers (NOT IMPLEMENTED) - - - - E - intended response - body - - - - F - response - headers - - - - G - response body (NOT - IMPLEMENTED) - - - - H - audit log - trailer - - - - I - reduced multipart - request body - - - - J - multipart files - information (NOT IMPLEMENTED) - - - - K - matched rules - information - - - - Z - audit log - footer - - - -
- Audit Log Header (<literal>A</literal>) - - ModSecurity 2.x audit log entries always begin with the header - part. For example: - - --c7036611-A-- -[09/Jan/2008:12:27:56 +0000] OSD4l1BEUOkAAHZ8Y3QAAAAH 209.90.77.54 64995 - 80.68.80.233 80 - - The header contains only one line, with the following - information on it: - - - - Timestamp - - - - Unique transaction ID - - - - Source IP address (IPv4 or IPv6) - - - - Source port - - - - Destination IP address (IPv4 or IPv6) - - - - Destination port - - -
- -
- Request Headers (<literal>B</literal>) - - The request headers part contains the request line and the - request headers. The information present in this part will not be - identical to that sent by the client responsible for the transaction. - ModSecurity 2.x for Apache does not have access to the raw data; it - sees what Apache itself sees. While the end result may be identical to - the raw request, differences are possible in some areas: - - - - If any of the fields are NUL-terminated, - Apache will only see the content prior to the NUL. - - - - Headers that span multiple lines (feature known as header - folding) will be collapsed into a single line. - - - - Multiple headers with the same name will be combined into a - single header (as allowed by the HTTP RFC). - - -
- -
- Request Body (<literal>C</literal>) - - This part contains the request body of the transaction, after - dechunking and decompression (if applicable). -
- -
- Intended Response Headers (<literal>D</literal>) - - This part contains the status line and the request headers that - would have been delivered to the client had ModSecurity not - intervened. Thus this part makes sense only for transactions where - ModSecurity altered the data flow. By differentiating before the - intended and the final response headers, we are able to record what - was internally ready for sending, but also what was actually - sent. - - - This part is reserved for future use. It is not implemented in - ModSecurity 2.x. - -
- -
- Intended Response Body (<literal>E</literal>) - - This part contains the transaction response body (before - compression and chunking, where used) that was either sent or would - have been sent had ModSecurity not intervened. You can find whether - interception took place by looking at the Action - header of the part H. If that header is present, - and the interception took place in phase 3 or 4 then the - E part contains the intended response body. - Otherwise, it contains the actual response body. - - - Once the G (actual response body) part is - implemented, part E will be present only in audit - logs that contain a transaction that was intercepted, and there will - be no need for further analsys. - -
- -
- Response Headers (<literal>F</literal>) - - This part contains the actual response headers sent to the - client. Since ModSecurity 2.x for Apache does not access the raw - connection data, it constructs part F out of the - internal Apache data structures that hold the response headers. - - Some headers (the Date and - Server response headers) are generated just before - they are sent and ModSecurity is not able to record those. You should - note than ModSecurity is working as part of a reverse proxy, the - backend web server will have generated these two servers, and in that - case they will be recorded. -
- -
- Response Body (G) - - When implemented, this part will contain the actual response - body before compression and chunking. - - - This part is reserved for future use. It is not implemented in - ModSecurity 2.x. - -
- -
- Audit Log Trailer (H) - - Part H contains additional transaction - meta-data that was obtained from the web server or from ModSecurity - itself. The part contains a number of trailer headers, which are - similar to HTTP headers (without support for header - folding): - - Action - - - - Apache-Error - - - - Message - - - - Producer - - - - Response-Body-Transformed - - - - Sanitised-Args - - - - Sanitised-Request-Headers - - - - Sanitised-Response-Headers - - - - Server - - - - Stopwatch - - - - WebApp-Info - - - -
- Action - - The Action header is present only for the - transactions that were intercepted: - - Action: Intercepted (phase 2) - - The phase information documents the phase in which the - decision to intercept took place. -
- -
- Apache-Error - - The Apache-Error header contains Apache error log messages - observed by ModSecurity, excluding those sent by ModSecurity itself. - For example: - - Apache-Error: [file "/tmp/buildd/apache2-2.0.54/build-tree/apache2/server/ - core.c"] [line 3505] [level 3] File does not exist: /var/www/www. - modsecurity.org/fst/documentation/modsecurity-apache/2.5.0-dev2 -
- -
- Message - - Zero or more Message headers can be present - in any trailer, and each such header will represent a single - ModSecurity warning or error, displayed in the order they were - raised. - - The example below was broken into multiple lines to make it - fit this page: - - Message: Access denied with code 400 (phase 2). Pattern match "^\w+:/" at - REQUEST_URI_RAW. [file "/etc/apache2/rules-1.6.1/modsecurity_crs_20_ - protocol_violations.conf"] [line "74"] [id "960014"] [msg "Proxy access - attempt"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/PROXY_ACCESS"] -
- -
- Producer - - The Producer header identifies the product - that generated the audit log. For example: - - Producer: ModSecurity for Apache/2.5.5 (http://www.modsecurity.org/). - - ModSecurity allows rule sets to add their own signatures to - the Producer information (this is done using the - SecComponentSignature directive). Below is an - example of the Producer header with the signature - of one component (all one line): - - Producer: ModSecurity for Apache/2.5.5 (http://www.modsecurity.org/); - MyComponent/1.0.0 (Beta). -
- -
- Response-Body-Transformed - - This header will appear in every audit log that contains a - response body: - - Response-Body-Transformed: Dechunked - - The contents of the header is constant at present, so the - header is only useful as a reminder that the recorded response body - is not identical to the one sent to the client. The actual content - is the same, except that Apache may further compress the body and - deliver it in chunks. -
- -
- Sanitised-Args - - The Sanitised-Args header contains a list - of arguments that were sanitized (each byte of their content - replaced with an asterisk) before logging. For example: - - Sanitised-Args: "old_password", "new_password", "new_password_repeat". -
- -
- Sanitised-Request-Headers - - The Sanitised-Request-Headers header - contains a list of request headers that were sanitized before - logging. For example: - - Sanitised-Request-Headers: "Authentication". -
- -
- Sanitised-Response-Headers - - The Sanitised-Response-Headers header - contains a list of response headers that were sanitized before - logging. For example: - - Sanitised-Response-Headers: "My-Custom-Header". -
- -
- Server - - The Server header identifies the web - server. For example: - - Server: Apache/2.0.54 (Debian GNU/Linux) mod_ssl/2.0.54 OpenSSL/0.9.7e - - This information may sometimes be present in any of the parts - that contain response headers, but there are a few cases when it - isn't: - - None of the response headers were recoreded. - - - - The information in the response headers is not accurate - because server signature masking was used. - - -
- -
- Stopwatch - - The Stopwatch header provides certain - diagnostic information that allows you to determine the performance - of the web server and of ModSecurity itself. It will typically look - like this: - - Stopwatch: 1222945098201902 2118976 (770* 4400 -) - - Each line can contain up to 5 different values. Some values - can be absent; each absent value will be replaced with a - dash. - - The meanings of the values are as follows (all values are in - microseconds): - - Transaction timestamp in microseconds since January 1st, - 1970. - - - - Transaction duration. - - - - The time between the moment Apache started processing - the request and until phase 2 of ModSecurity began. If an - asterisk is present that means the time includes the time it - took ModSecurity to read the request body from the client - (typically slow). This value can be used to provide a rough - estimate of the client speed, but only with larger request - bodies (the smaller request bodies may arrive in a single - TCP/IP packet). - - - - The time between the start of processing and until phase - 2 was completed. If you substract the previous value from this - value you will get the exact duration of phase 2 (which is the - main rule processing phase). - - - - The time between the start of request processing and - util we began sending a fully-buffered response body to the - client. If you substract this value from the total transaction - duration and divide with the response body size you may get a - rough estimate of the client speed, but only for larger - response bodies. - - -
- -
- WebApp-Info - - The WebApp-Info header contains information - on the application to which the recorded transaction belongs. This - information will appear only if it is known, which will happen if - SecWebAppId was set, or setsid - or setuid executed in the transaction. - - The header uses the following format: - - WebApp-Info: "WEBAPPID" "SESSIONID" "USERID" - - Each unknown value is replaced with a dash. -
-
- -
- Reduced Multipart Request Body (<literal>I</literal>) - - Transactions that deal with file uploads tend to be large, yet - the file contents is not always relevant from the security point of - view. The I part was designed to avoid recording - raw multipart/form-data request bodies, replacing - them with a simulated - application/x-www-form-urlencoded body that - contains the same key-value parameters. - - The reduced multipart request body will not contain any file - information. The J part (currently not implemented) - is intended to carry the file metadata. -
- -
- Multipart Files Information (<literal>J</literal>) - - The purpose of part J is to record the - information on the files contained in a - multipart/form-data request body. This is handy in - the cases when the original request body was not recorded, or when - only a reduced version was recorded (e.g. when part - I was used instead of part - C). - - - This part is reserved for future use. It is not implemented in - ModSecurity 2.x. - -
- -
- Matched Rules (<literal>K</literal>) - - The matched rules part contains a record of all ModSecurity - rules that matched during transaction processing. You should note that - if a rule that belongs to a chain matches then the entire chain will - be recorded. This is because, even though the disruptive action may - not have executed, other per-rule actions have, and you will need to - see the entire chain in order to understand the rules. - - This part is available starting with ModSecurity 2.5.x. -
- -
- Audit Log Footer (<literal>Z</literal>) - - Part Z is a special part that only has a - boundary but no content. Its only purpose is to signal the end of an - audit log. -
-
- -
- Storage Formats - - ModSecurity supports two audit log storage formats: - - Serial audit log format - multiple - audit log files stored in the same file. - - - - Concurrent audit log format - one file - is used for every audit log. - - - -
- Serial Audit Log Format - - The serial audit log format stores multiple audit log entries - within the same file (one after another). This is often very convinent - (audit log entries are easy to find) but this format is only suitable - for light logging in the current ModSecurity implementation because - writing to the file is serialised: only one audit log entry can be - written at any one time. -
- -
- Concurrent Audit Log Format - - The concurrent audit log format uses one file per audit log - entry, and allows many transactions to be recorded at once. A - hierarchical directory structure is used to ensure that the number of - files created in any one directory remains relatively small. For - example: - - $LOGGING-HOME/20081128/20081128-1414/20081128-141417- - egDKy38AAAEAAAyMHXsAAAAA - - The current time is used to work out the directory structure. - The file name is constructed using the current time and the - transaction ID. - - The creation of every audit log in concurrent format is recorded - with an entry in the concurrent audit log index - file. The format of each line resembles the common web - server access log format. For example: - - 192.168.0.111 192.168.0.1 - - [28/Nov/2008:15:06:32 +0000] - "GET /?p=\\ HTTP/1.1" 200 69 "-" "-" NOfRx38AAAEAAAzcCU4AAAAA - "-" /20081128/20081128-1506/20081128-150632-NOfRx38AAAEAAAzcCU4AAAAA - 0 1183 md5:ffee2d414cd43c2f8ae151652910ed96 - - The tokens on the line are as follows: - - - - Hostname (or IP address, if the hostname is not - known) - - - - Source IP address - - - - Remote user (from HTTP Authentication) - - - - Local user (from identd) - - - - Timestamp - - - - Request line - - - - Response status - - - - Bytes sent (in the response body) - - - - Referrer information - - - - User-Agent information - - - - Transaction ID - - - - Session ID - - - - Audit log file name (relative to the audit logging home, as - configured using the SecAuditLogStorageDir - directive) - - - - Audit log offset - - - - Audit log size - - - - Audit log hash (the has begins with the name of the - algorithm used, followed by a colon, followed by the hexadecimal - representation of the hash itself); this hash can be used to - verify that the transaction was correctly recorded and that it - hasn't been modified since. - - - - - Lines in the index file will be up to 3980 bytes long, and the - information logged will be reduced to fit where necessary. Reduction - will occur within the individual fields, but the overall format will - remain the same. The character L will appear as - the last character on a reduced line. A space will be the last - character on a line that was not reduced to stay within the - limit. - -
-
- -
- Transport Protocol - - Audit logs generated in multi-sensor deployments are of little use - if left on the sensors. More commonly, they will be transported to a - central logging server using the transport protocol described in this - section: - - - - The transport protocol is based on the HTTP protocol. - - - - The server end is an SSL-enabled web server with HTTP Basic - Authentication configured. - - - - Clients will open a connection to the centralisation web - server and authenticate (given the end-point URI, the username and - the password). - - - - Clients will submit every audit log in a single - PUT transaction, placing the file in the body of - the request and additional information in the request headers (see - below for details). - - - - Server will process each submission and respond with an - appropriate status code: - - - - 200 (OK) - the submission was processed; the client can - delete the corresponding audit log entry if it so desires. The - same audit log entry must not be submitted again. - - - - 409 (Conflict) - if the submission is in invalid format - and cannot be processed. The client should attempt to fix the - problem with the submission and attempt delivery again at a - later time. This error is generally going to occur due to a - programming error in the protocol implementation, and not - because of the content of the audit log entry that is being - transported. - - - - 500 (Internal Server Error) - if the server was unable to - correctly process the submission, due to its own fault. The - client should re-attempt delivery at a later time. A client that - starts receiving 500 reponses to all its submission should - suspend its operations for a period of time before - continuing. - - - - - - - Server implementations are advised to accept all submissions - that correctly implement the protocol. Clients are unlikely to be able - to overcome problems within audit log entries, so such problems are - best resolved on the server side. - - - - When en error occurs, the server may place an explanation of the - problem in the text part of the response line. - - -
- Request Headers Information - - Each audit log entry submission must contain additional - information in the request headers: - - - - Header X-Content-Hash must contain the - audit log entry hash. Clients should expect the audit log entries - to be validated against the hash by the server. - - - - Header X-ForensicLog-Summary must contain - the entire concurrent format index line. - - - - The Content-Lenght header must be present - and contain the length of the audit log entry. - - -
-
-
-
diff --git a/doc/pdf.xsl b/doc/pdf.xsl deleted file mode 100644 index b7b70c17..00000000 --- a/doc/pdf.xsl +++ /dev/null @@ -1,166 +0,0 @@ - - - - - - - - - - - -0pt -11 -1.5 -1 20 1 - - - 0.0em - 0.0em - 0.0em - - 0.2em - 0.2em - 0.2em - - - - - - - - bold - always - left - 1.0em - 1.0em - 1.0em - 0.0em - 0.0em - 0.0em - - - - 24pt - - page - - 0.0em - 0.0em - 0.0em - - - - - - 18pt - - - - 14pt - - - - 12pt - - - - 0.0em - 0.0em - 0.0em - 0.2em - 0.2em - 0.2em - - - - 0.2em - 0.2em - 0.2em - - 0.2em - 0.2em - 0.2em - - 2pc - - - - - #f0f0f0 - 2pt - - - - 90% - - - - - - - - - - - - - - - - - - - - - - - - ​ - - - - -