diff --git a/CHANGES b/CHANGES index 8f0ceae8..1bed5712 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ ?? ??? 2007 - 2.5.0-trunk ------------------------- + * Cleaned up some documentation. + + * Performance improvements in caching transformations. + * Stricter validation for @validateUtf8Encoding. * Capture the match in TX:0 when using "capture" action in phrase match diff --git a/doc/modsecurity2-apache-reference.xml b/doc/modsecurity2-apache-reference.xml index d84bb5f6..9a4914af 100644 --- a/doc/modsecurity2-apache-reference.xml +++ b/doc/modsecurity2-apache-reference.xml @@ -16,14 +16,14 @@
Introduction - ModSecurityis a web application - firewall (WAF). With over 70% of all attacks now carried out over the web - application level, organisations need every help they can get in making - their systems secure. WAFs are deployed to establish an external security - layer that increases security, detects, and prevents attacks before they - reach web applications. It provides protection from a range of attacks - against web applications and allows for HTTP traffic monitoring and - real-time analysis with little or no changes to existing + ModSecurity is a web + application firewall (WAF). With over 70% of all attacks now carried out + over the web application level, organisations need every help they can get + in making their systems secure. WAFs are deployed to establish an external + security layer that increases security, detects, and prevents attacks + before they reach web applications. It provides protection from a range of + attacks against web applications and allows for HTTP traffic monitoring + and real-time analysis with little or no changes to existing infrastructure.
@@ -198,7 +198,7 @@ commented to allow it to be used as a step-by-step deployment guide for ModSecurity. The latest Core Rules can be found at the ModSecurity website - http://www.modsecurity.org/projects/rules/. + url="http://www.modsecurity.org/projects/rules/">http://www.modsecurity.org/projects/rules/.
@@ -433,11 +433,9 @@ moreinfo="none">SecAction nolog,redirect:http://www.hostname.com - ProcessingPhase: Any + ProcessingPhase: Any - Scope: - Any + Scope: Any Dependencies/Notes: None @@ -451,7 +449,7 @@
<literal>SecArgumentSeparator</literal> - Description: Specifies which + Description: Specifies which character to use as separator for application/x-www-form-urlencoded content. Defaults to &. Applications are sometimes @@ -467,7 +465,7 @@ Processing Phase: Any Scope: - Main + Main Dependencies/Notes: None @@ -490,10 +488,9 @@ Example Usage: SecAuditEngine On - Processing Phase: N/A + Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: Can be set/changed with the "ctl" action for the current transaction. @@ -501,8 +498,8 @@ Example: The following example shows the various audit directives used together. - SecAuditEngine RelevantOnly -SecAuditLog logs/audit/audit.log + SecAuditEngine RelevantOnly +SecAuditLog logs/audit/audit.log SecAuditLogParts ABCFHZ SecAuditLogType concurrent SecAuditLogStorageDir logs/audit @@ -512,7 +509,7 @@ SecAuditLogStorageDir logs/audit - On - log all transactions + On - log all transactions by default. @@ -522,7 +519,7 @@ SecAuditLogStorageDir logs/audit - RelevantOnly - by default + RelevantOnly - by default only log transactions that have triggered a warning or an error, or have a status code that is considered to be relevant (see SecAuditLogRelevantStatus). @@ -545,8 +542,7 @@ SecAuditLogStorageDir logs/audit Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: This file is open on startup when the server typically still runs as @@ -582,8 +578,7 @@ SecAuditLogStorageDir logs/audit Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: A main audit log must be defined via SecAuditLog 
@@ -605,12 +600,12 @@ SecAuditLogStorageDir logs/audit Example Usage: SecAuditLogParts ABCFHZ - Processing Phase: N/A + Processing Phase: N/A Scope: - Any + Any - Dependencies/Notes: At this time + Dependencies/Notes: At this time ModSecurity does not log response bodies of stock Apache responses (e.g. 404), or the Server and I - This part is a replacement for part C. It will log the same data as C in all cases - except whenmultipart/form-dataencoding in used. In - this case it will log a fake - application/x-www-form-urlencoded body that contains the - information about parameters but not about the files. This is handy - if you don't want to have (often large) files stored in your audit - logs. + except whenmultipart/form-data + encoding in used. In this case it will log a fake application/x-www-form-urlencoded body + that contains the information about parameters but not about the + files. This is handy if you don't want to have (often large) files + stored in your audit logs. @@ -696,7 +690,7 @@ SecAuditLogStorageDir logs/audit
<literal>SecAuditLogRelevantStatus</literal> - Description: Configures which + Description: Configures which response status code is to be considered relevant for the purpose of audit logging. @@ -706,10 +700,9 @@ SecAuditLogStorageDir logs/audit Example Usage: SecAuditLogRelevantStatus ^[45] - Processing Phase: N/A + Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: Must have the SecAuditEngine set to RelevantOnly. The parameter is a regular @@ -738,10 +731,9 @@ SecAuditLogStorageDir logs/audit moreinfo="none">SecAuditLogStorageDir /usr/local/apache/logs/audit - Processing Phase: N/A + Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: SecAuditLogType must be set to Concurrent. The directory must already be @@ -767,8 +759,7 @@ SecAuditLogStorageDir logs/audit Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: Must specify SecAuditLogStorageDir if you use concurrent logging. @@ -804,10 +795,9 @@ SecAuditLogStorageDir logs/audit Example Usage: SecChrootDir /chroot - Processing Phase: N/A + Processing Phase: N/A - Scope: - Main + Scope: Main Dependencies/Notes: The internal chroot functionality provided by ModSecurity works great for simple @@ -851,10 +841,9 @@ SecAuditLogStorageDir logs/audit Example Usage: SecCookieFormat 0 - Processing Phase: N/A + Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: None @@ -868,7 +857,7 @@ SecAuditLogStorageDir logs/audit - 1 - use version 1 + 1 - use version 1 cookies. @@ -890,7 +879,7 @@ SecAuditLogStorageDir logs/audit Processing Phase: N/A Scope: - Main + Main Dependencies/Notes: This directive is needed when initcol, setsid an setuid are used. Must be @@ -912,8 +901,7 @@ SecAuditLogStorageDir logs/audit Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: None
@@ -921,7 +909,7 @@ SecAuditLogStorageDir logs/audit
<literal>SecDebugLogLevel</literal> - Description: Configures the + Description: Configures the verboseness of the debug log data. Syntax: Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: Levels - 1-3 - are always sent to the Apache error log. Therefore you can - always use level 0 as the default - logging level in production. Level 5 - is useful when debugging. It is not advisable to use higher - logging levels in production as excessive logging can slow down server - significantly. + 1 - 3 are always sent to the Apache + error log. Therefore you can always use level 0 as the default logging level in production. + Level 5 is useful when debugging. It + is not advisable to use higher logging levels in production as excessive + logging can slow down server significantly. Possible values are: - 0 - no logging. + 0 - no logging. - 1 - errors (intercepted + 1 - errors (intercepted requests) only. - 2 - warnings. + 2 - warnings. - 3 - notices. + 3 - notices. - 4 - details of how + 4 - details of how transactions are handled. - 5 - as above, but including + 5 - as above, but including information about each piece of information handled. - 9 - log everything, + 9 - log everything, including very detailed debugging information. @@ -995,12 +981,11 @@ SecAuditLogStorageDir logs/audit moreinfo="none">SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase - Processing Phase: Any + Processing Phase: Any - Scope: - Any + Scope: Any - Dependencies/Notes: Rules + Dependencies/Notes: Rules following a SecDefaultAction directive will inherit this setting unless a specific action is specified for an indivdual rule or until another SecDefaultAction is specified. @@ -1030,8 +1015,7 @@ SecAuditLogStorageDir logs/audit Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: Check out www.maxmind.com for free database files. 
@@ -1051,12 +1035,11 @@ SecAuditLogStorageDir logs/audit moreinfo="none">SecGuardianLog |/usr/local/apache/bin/httpd-guardian - Processing Phase: N/A + Processing Phase: N/A - Scope: - Main + Scope: Main - Dependencies/Notes: By default + Dependencies/Notes: By default httpd-guardian will defend against clients that send more 120 requests in a minute, or more than 360 requests in five minutes. @@ -1166,12 +1149,11 @@ SecAuditLogStorageDir logs/audit Example Usage: SecRequestBodyAccess On - Processing Phase: N/A + Processing Phase: N/A - Scope: - Any + Scope: Any - Dependencies/Notes: This + Dependencies/Notes: This directive is required if you plan to inspect POST_PAYLOADS of requests. This directive must be used along with the "phase:2" processing phase action and REQUEST_BODY variable/location. If any of these 3 parts are @@ -1187,7 +1169,7 @@ SecAuditLogStorageDir logs/audit - Off - do not attempt to + Off - do not attempt to access request bodies. @@ -1207,10 +1189,9 @@ SecAuditLogStorageDir logs/audit Processing Phase: N/A - Scope: - Any + Scope: Any - Dependencies/Notes: 131072 KB + Dependencies/Notes: 131072 KB (134217728 bytes) is the default setting. Anything over this limit will be rejected with status code 413 Request Entity Too Large. There is a hard limit of 1 GB. @@ -1219,7 +1200,7 @@ SecAuditLogStorageDir logs/audit
<literal>SecRequestBodyInMemoryLimit</literal> - Description: Configures the + Description: Configures the maximum request body size ModSecurity will store in memory. Syntax: Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: None @@ -1245,7 +1225,7 @@ SecRequestBodyInMemoryLimit 131072
<literal>SecResponseBodyLimit</literal> - Description: Configures the + Description: Configures the maximum response body size that will be accepted for buffering. Syntax: Example Usage: SecResponseBodyLimit 524228 - Processing Phase: N/A + Processing Phase: N/A - Scope: - Any + Scope: Any - Dependencies/Notes: Anything over + Dependencies/Notes: Anything over this limit will be rejected with status code 500 Internal Server Error. This setting will not affect the responses with MIME types that are not marked for buffering. There is a hard limit of 1 GB. @@ -1273,7 +1252,7 @@ SecResponseBodyLimit 524288
<literal>SecResponseBodyMimeType</literal> - Description: Configures + Description: Configures which MIME types are to be considered for response body buffering. @@ -1286,8 +1265,7 @@ SecResponseBodyLimit 524288 Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: Multiple SecResponseBodyMimeType @@ -1304,7 +1282,7 @@ SecResponseBodyLimit 524288 <literal>SecResponseBodyMimeTypesClear</literal> Description: Clears the list of - MIME types considered for response + MIME types considered for response body buffering, allowing you to start populating the list from scratch. @@ -1314,10 +1292,9 @@ SecResponseBodyLimit 524288 Example Usage: SecResponseBodyMimeTypesClear - Processing Phase: N/A + Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: None
@@ -1336,8 +1313,7 @@ SecResponseBodyLimit 524288 Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: This directive is required if you plan to inspect html responses. This @@ -1349,12 +1325,12 @@ SecResponseBodyLimit 524288 - On - access response bodies + On - access response bodies (but only if the MIME type matches, see above). - Off - do not attempt to + Off - do not attempt to access response bodies. @@ -1364,7 +1340,7 @@ SecResponseBodyLimit 524288 <literal>SecRule</literal> Description: SecRuleis the main ModSecurity directive. It + moreinfo="none">SecRule
is the main ModSecurity directive. It is used to analyse data and perform actions based on the results.
Syntax: Processing Phase: Any - Scope: - Any + Scope: Any Dependencies/Notes: None @@ -1424,10 +1399,10 @@ SecResponseBodyLimit 524288 In the simplest possible case you will use a regular expression pattern as the second rule parameter. This is what we've done in the - examples above. If you do this ModSecurity assumes you want to use - the rx operator. You can explicitly + examples above. If you do this ModSecurity assumes you want to use the + rx operator. You can explicitly specify the operator you want to use by using @ as the first character in the second rule + moreinfo="none">@ as the first character in the second rule parameter: SecRule REQUEST_URI "@rx dirty" @@ -1475,12 +1450,11 @@ SecResponseBodyLimit 524288 Processing Phase: Any - Scope: - Any + Scope: Any Dependencies/Notes: Resource-specific contexts (e.g. - Location, Directory, etc) + Location, Directory, etc) cannot override phase1 rules configured in the main server or in the virtual server. This is because phase 1 is run early in the request processing process, before Apache maps request to resource. @@ -1508,8 +1482,7 @@ SecDefaultAction log,deny,phase:1,redirect:http://www.site2.com <VirtualHost *:80> ServerName app2.com ServerAlias www.app2.com -SecRuleInheritance On -SecRule ARGS "attack" +SecRuleInheritance On SecRule ARGS "attack" ... </VirtualHost> @@ -1517,12 +1490,12 @@ ServerAlias www.app2.com - On - inherit rules from the + On - inherit rules from the parent context. - Off - do not inherit rules + Off - do not inherit rules from the parent context. @@ -1542,8 +1515,7 @@ ServerAlias www.app2.com Processing Phase: Any - Scope: - Any + Scope: Any Dependencies/Notes: Thisdirective can also be controled by the ctl action (ctl:ruleEngine=off) for per @@ -1583,8 +1555,7 @@ ServerAlias www.app2.com Processing Phase: Any - Scope: - Any + Scope: Any Dependencies/Notes: This directive supports multiple parameters, where each parameter can either 
@@ -1608,19 +1579,18 @@ ServerAlias www.app2.com Processing Phase: Any - Scope: - Any + Scope: Any Dependencies/Notes: This directive supports multiple parameters. Each parameter is a regular expression that will be applied to the message (specified using the - msg action). + msg action).
<literal>SecServerSignature</literal> - Description: Instructs + Description: Instructs ModSecurity to change the data presented in the "Server:" response header token. @@ -1634,8 +1604,7 @@ ServerAlias www.app2.com Processing Phase: N/A - Scope: - Main + Scope: Main Dependencies/Notes: In order for this directive to work, you must set the Apache ServerTokens directive @@ -1659,10 +1628,9 @@ ServerAlias www.app2.com Processing Phase: N/A - Scope: - Any + Scope: Any - Dependencies/Notes: Needs to be + Dependencies/Notes: Needs to be writable by the Apache user process. This is the directory location where Apache will swap data to disk if it runs out of memory (more data than what was specified in the SecRequestBodyInMemoryLimit directive) @@ -1683,8 +1651,7 @@ ServerAlias www.app2.com Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: This directory must be on the same filesystem as the temporary directory @@ -1707,10 +1674,9 @@ ServerAlias www.app2.com Processing Phase: N/A - Scope: - Any + Scope: Any - Dependencies/Notes: This + Dependencies/Notes: This directive requires the storage directory to be defined (using SecUploadDir). @@ -1747,10 +1713,9 @@ ServerAlias www.app2.com Example Usage: SecWebAppId "WebApp1" - Processing Phase:N/A + Processing Phase: N/A - Scope: - Any + Scope: Any Dependencies/Notes: Partitions are used to avoid collisions between session IDs and user IDs. This 
@@ -1961,23 +1926,23 @@ SecRule REQUEST_HEADERS:Host "!^$" "deny,phase:1SecRule ARGS dirtySometimes, - however, you will want to look only at parts of a collection. This can - be achieved with the help of the selection + arguments:SecRule ARGS dirty + Sometimes, however, you will want to look only at parts of a collection. + This can be achieved with the help of the selection operator(colon). The following example will only look at the arguments named p (do note that, in general, requests can contain multiple arguments with the same name): - SecRule ARGS:p dirtyIt - is also possible to specify exclusions. The following will examine all - request arguments for the word dirty, except the - ones named z (again, there can be + SecRule ARGS:p dirty + It is also possible to specify exclusions. The following will examine + all request arguments for the word dirty, except + the ones named z (again, there can be zero or more arguments named z): - SecRule ARGS|!ARGS:z dirtyThere - is a special operator that allows you to count how many variables there - are in a collection. The following rule will trigger if there is more - than zero arguments in the request (ignore the second parameter for the - time being): SecRule &ARGS !^0$And - sometimes you need to look at an array of parameters, each with a + SecRule ARGS|!ARGS:z dirty + There is a special operator that allows you to count how many variables + there are in a collection. The following rule will trigger if there is + more than zero arguments in the request (ignore the second parameter for + the time being): SecRule &ARGS !^0$ + And sometimes you need to look at an array of parameters, each with a slightly different name. In this case you can specify a regular expression in the selection operator itself. 
The following rule will look into all arguments whose names begin with phase:1 SecRule REQUEST_FILENAME "^/cgi-bin/login\.php$" "chain,log,deny,phase:2" -SecRule ARGS_COMBINED_SIZE "@gt 25" +SecRule ARGS_COMBINED_SIZE "@gt 25"
@@ -2024,7 +1989,7 @@ SecRule ARGS_NAMES "!^(p|a)$" This variable holds the authentication method used to validate a user. Example: - SecRule AUTH_TYPE "basic" log,deny,status:403,phase:1,t:lowercase + SecRule AUTH_TYPE "basic" log,deny,status:403,phase:1,t:lowercase Note @@ -2082,7 +2047,7 @@ SecRule ENV:tag "suspicious" a size limitation on individual uploaded files. Note: only available if files were extracted from the request body. Example: - SecRule FILES_SIZES "@gt 100" log,deny,status:403,phase:2 + SecRule FILES_SIZES "@gt 100" log,deny,status:403,phase:2
@@ -2090,7 +2055,7 @@ SecRule ENV:tag "suspicious" Collection. Contains a collection of temporary files' names on the disk. Useful when used together with @inspectFile. Note: only available if files + moreinfo="none">@inspectFile. Note: only available if files were extracted from the request body. Example: SecRule FILES_TMPNAMES "@inspectFile /path/to/inspect_script.pl" @@ -2196,7 +2161,7 @@ SecRule GEO:COUNTRY_CODE "!@streq UK" This variable holds the IP address of the remote client. Example: - SecRule REMOTE_ADDR "^192\.168\.1\.101$" + SecRule REMOTE_ADDR "^192\.168\.1\.101$"
@@ -2208,7 +2173,7 @@ SecRule GEO:COUNTRY_CODE "!@streq UK" known bad client hosts or network blocks, or conversely, to allow in authorized hosts. Example: - SecRule REMOTE_HOST "\.evil\.network\org$" + SecRule REMOTE_HOST "\.evil\.network\org$"
@@ -2220,7 +2185,7 @@ SecRule GEO:COUNTRY_CODE "!@streq UK" is less than 1024, which would indicate that the user is a privileged user (root). - SecRule REMOTE_PORT "@lt 1024" phase:1,log,pass,setenv:remote_port=privileged + SecRule REMOTE_PORT "@lt 1024" phase:1,log,pass,setenv:remote_port=privileged
@@ -2293,7 +2258,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" REQUEST_FILENAME (e.g. index.php). Warning: not urlDecoded. Example: - SecRule REQUEST_BASENAME "^login\.php$" + SecRule REQUEST_BASENAME "^login\.php$"
@@ -2304,7 +2269,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" the arguements is important (ARGS should be used in all other cases). Example: - SecRule REQUEST_BODY "^username=\w{25,}\&password=\w{25,}\&Submit\=login$" + SecRule REQUEST_BODY "^username=\w{25,}\&password=\w{25,}\&Submit\=login$" Note @@ -2351,7 +2316,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" example uses REQUEST_HEADERS as a collection and is applying the validateUrlEncoding operator against all headers. - SecRule REQUEST_HEADERS "@validateUrlEncoding" + SecRule REQUEST_HEADERS "@validateUrlEncoding" Example: the second example is targeting only the Host header. @@ -2379,7 +2344,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" GET, HEAD, POST or if the HTTP is something other than HTTP/0.9, 1.0 or 1.1. - SecRule REQUEST_LINE "!(^((?:(?:pos|ge)t|head))|http/(0\.9|1\.0|1\.1)$)" + SecRule REQUEST_LINE "!(^((?:(?:pos|ge)t|head))|http/(0\.9|1\.0|1\.1)$)" Note @@ -2410,7 +2375,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable holds the Request Protocol Version information. Example: - SecRule REQUEST_PROTOCOL "!^http/(0\.9|1\.0|1\.1)$" + SecRule REQUEST_PROTOCOL "!^http/(0\.9|1\.0|1\.1)$" Note @@ -2428,7 +2393,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" does not include either the REQUEST_METHOD or the HTTP version info. Example: - SecRule REQUEST_URI "attack" + SecRule REQUEST_URI "attack"
@@ -2498,7 +2463,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable is a collection of the response header names. Example: - SecRule RESPONSE_HEADERS_NAMES "Set-Cookie" + SecRule RESPONSE_HEADERS_NAMES "Set-Cookie" Note @@ -2512,7 +2477,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable holds the HTTP Response Protocol information. Example: - SecRule RESPONSE_PROTOCOL "^HTTP\/0\.9" + SecRule RESPONSE_PROTOCOL "^HTTP\/0\.9"
@@ -2521,7 +2486,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable holds the HTTP Response Status Code generated by Apache. Example: - SecRule RESPONSE_STATUS "^[45]" + SecRule RESPONSE_STATUS "^[45]" Note @@ -2552,7 +2517,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable holds just the local filename part of SCRIPT_FILENAME. Example: - SecRule SCRIPT_BASENAME "^login\.php$" + SecRule SCRIPT_BASENAME "^login\.php$" Note @@ -2578,7 +2543,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable holds the groupid (numerical value) of the group owner of the script. Example: - SecRule SCRIPT_GID "!^46$" + SecRule SCRIPT_GID "!^46$" Note @@ -2605,7 +2570,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" - 1=execute, 2=write, 4=read and 7=read/write/execute). Example: will trigger if the script has the WRITE permissions set. - SecRule SCRIPT_MODE "^(2|3|6|7)$" + SecRule SCRIPT_MODE "^(2|3|6|7)$" Note @@ -2632,7 +2597,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable holds the username of the owner of the script. Example: - SecRule SCRIPT_USERNAME "!^apache$" + SecRule SCRIPT_USERNAME "!^apache$" Note @@ -2654,7 +2619,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable contains the server's hostname or IP address. Example: - SecRule SERVER_NAME "hostname\.com$" + SecRule SERVER_NAME "hostname\.com$" Note @@ -2668,7 +2633,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable contains the local port that the web server is listening on. Example: - SecRule SERVER_PORT "^80$" + SecRule SERVER_PORT "^80$"
@@ -2716,7 +2681,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} would trigger anytime between the 10th and 20th days of the month. - SecRule TIME_DAY "^(([1](0|1|2|3|4|5|6|7|8|9))|20)$" + SecRule TIME_DAY "^(([1](0|1|2|3|4|5|6|7|8|9))|20)$"
@@ -2771,7 +2736,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} This variable holds the current weekday (0-6). Example: this rule would trigger only on week-ends (Saturday and Sunday). - SecRule TIME_WDAY "^(0|6)$" + SecRule TIME_WDAY "^(0|6)$"
@@ -2780,7 +2745,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} This variable holds the current four-digit year data. Example: - SecRule TIME_YEAR "^2006$" + SecRule TIME_YEAR "^2006$"
@@ -2933,7 +2898,7 @@ SecRule XML:/xq:employees/employee/name/text() case in order to evade the ModSecurity rule: SecRule ARG:p "xp_cmdshell" "t:lowercase"multiple + role="bold">"t:lowercase" multiple tranformation actions can be used in the same rule, for example the following rule also ensures that an attacker does not use URL encoding (%xx encoding) for evasion. Note the order of the transformation @@ -2984,8 +2949,8 @@ SecRule XML:/xq:employees/employee/name/text() moreinfo="none">\v, \\, \?, \', \", - \xHH(hexadecimal), \0OOO(octal). Invalid encodings are left in + \xHH (hexadecimal), \0OOO (octal). Invalid encodings are left in the output.
@@ -3026,7 +2991,7 @@ SecRule XML:/xq:employees/employee/name/text() - &nbsp and &nbsp and &nbsp; @@ -3132,11 +3097,11 @@ SecRule XML:/xq:employees/employee/name/text() <literal>urlDecodeUni</literal> In addition to decoding %xx like urlDecode, urlDecodeUni also decodes %uXXXX encoding. If the - code is in the range of FF01-FF5E (the full width ASCII codes), then the - higher byte is used to detect and adjust the lower byte. Otherwise, only - the lower byte will be used and the higher byte zeroed. + moreinfo="none">urlDecode, urlDecodeUni also decodes %uXXXX encoding. If the code is in the range + of FF01-FF5E (the full width ASCII codes), then the higher byte is used + to detect and adjust the lower byte. Otherwise, only the lower byte will + be used and the higher byte zeroed.
@@ -3180,18 +3145,18 @@ SecRule XML:/xq:employees/employee/name/text() - Disruptive actions- are those actions where - ModSecurity will intercept the data. They can only appear in the first - rule in a chain. + Disruptive actions - are those actions + where ModSecurity will intercept the data. They can only appear in the + first rule in a chain. - Non-disruptive actions; can appear + Non-disruptive actions - can appear anywhere. - Flow actions; can appear only in the first + Flow actions - can appear only in the first rule in a chain. @@ -3199,12 +3164,12 @@ SecRule XML:/xq:employees/employee/name/text() Meta-data actions(id, rev, severity, msg); can only appear in the first rule in + moreinfo="none"> msg) - can only appear in the first rule in a chain. - Data actions- can appear anywhere; these + Data actions - can appear anywhere; these actions are completely passive and only serve to carry data used by other actions. @@ -3301,14 +3266,14 @@ SecRule TX:1 "(?:(?:a(dmin|nonymous)))"
<literal>chain</literal> - Description: Chains the rule + Description: Chains the rule where the action is placed with the rule that immediately follows it. The result is called a rule chain. Chained rules allow for more complex rule matches where you want to use a number of different VARIABLES to create a better rule and to help prevent false positives. - Action Group: Flow + Action Group: Flow Example: @@ -3394,7 +3359,7 @@ SecRule REQUEST_CONTENT_TYPE ^text/xml nolog,pass,ctl:requ moreinfo="none">URLENCODED and MULTIPART processors to process an application/x-www-form-urlencoded and a - multipart/form-data body, + multipart/form-data body, respectively. A third processor, XML, is also supported, but it is never used implicitly. Instead you must tell ModSecurity to use it by placing a few rules in the REQUEST_HEADERS @@ -3447,7 +3412,7 @@ SecRule REQUEST_CONTENT_TYPE ^text/xml nolog,pass,ctl:requ
<literal>drop</literal> - Description: Immediately initiate + Description: Immediately initiate a "connection close" action to tear down the TCP connection by sending a FIN packet. @@ -3596,7 +3561,7 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" \
<literal>initcol</literal> - Description: Initialises a named + Description: Initialises a named persistent collection, either by loading data from storage or by creating a new collection in memory. @@ -3630,7 +3595,7 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" \ - TIMEOUT- date/time in + TIMEOUT - date/time in seconds when the collection will be updated on disk from memory (if no other updates occur). @@ -3681,7 +3646,7 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" \
<literal>log</literal> - Description: Indicates that a + Description: Indicates that a successful match of the rule needs to be logged. Action Group: @@ -3721,7 +3686,7 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" \
<literal>multiMatch</literal> - Description: If enabled + Description: If enabled ModSecurity will perform multiple operator invocations for every target, before and after every anti-evasion transformation is performed. @@ -3744,7 +3709,7 @@ SecRule ARGS "attack" multiMatch <literal>noauditlog</literal> - Description: Indicates that a + Description: Indicates that a successful match of the rule should not be used as criteria whether the transaction should be logged to the audit log. @@ -3789,7 +3754,7 @@ SecRule ARGS "attack" multiMatch <literal>pass</literal> - Description: Continues processing + Description: Continues processing with the next rule in spite of a successful match. Action Group: Disruptive @@ -3875,7 +3840,7 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403
<literal>proxy</literal> - Description: Intercepts + Description: Intercepts transaction by forwarding request to another web server using the proxy backend. @@ -3896,7 +3861,7 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403
<literal>redirect</literal> - Description: Intercepts + Description: Intercepts transaction by issuing a redirect to the given location. Action Group: Disruptive @@ -4168,10 +4133,9 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}setvar:!tx.score - To increase or decrease variable value use+and-characters in front of a numerical - value: + To increase or decrease variable value use + and - + characters in front of a numerical value: setvar:tx.score=+5
@@ -4179,7 +4143,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} <literal>skip</literal> - Description: Skips one or more + Description: Skips one or more rules (or chains) on successful match. Action Group: @@ -4284,7 +4248,7 @@ SecRule XML:/soap:Envelope/soap:Body/q1:getInput/id() "123" phase:2,deny <literal>beginsWith</literal> - Description: This operator is a + Description: This operator is a string comparison and returns true if the parameter value is found at the beginning of the input. Macro expansion is performed so you may use variable names such as %{TX.1}, etc. @@ -4300,7 +4264,7 @@ SecRule ARGS:gw "!@beginsWith %{TX.1}" <literal>contains</literal> - Description: This operator is a + Description: This operator is a string comparison and returns true if the parameter value is found anywhere in the input. Macro expansion is performed so you may use variable names such as %{TX.1}, etc. @@ -4308,7 +4272,7 @@ SecRule ARGS:gw "!@beginsWith %{TX.1}"Example: SecRule REQUEST_LINE "!@contains .php " t:none,deny,status:403 + role="bold">@contains .php" t:none,deny,status:403 SecRule REQUEST_ADDR "^(.*)$" deny,status:403,capture,chain SecRule ARGS:ip "!@contains %{TX.1}"
@@ -4316,7 +4280,7 @@ SecRule ARGS:ip "!@contains %{TX.1}" <literal>endsWith</literal> - Description: This operator is a + Description: This operator is a string comparison and returns true if the parameter value is found at the end of the input. Macro expansion is performed so you may use variable names such as %{TX.1}, etc. @@ -4331,13 +4295,13 @@ SecRule ARGS:route "!@endsWith %{REQUEST_ADDR}"
<literal>eq</literal> - Description: This operator is a + Description: This operator is a numerical comparison and stands for "equal to." Example: SecRule &REQUEST_HEADERS_NAMES "@eq 15" + role="bold">@eq 15"
@@ -4390,19 +4354,19 @@ SecRule ARGS:route "!@endsWith %{REQUEST_ADDR}" Example: SecRule FILES_TMPNAMES "@inspectFile /opt/apache/bin/inspect_script.pl" + role="bold">@inspectFile /opt/apache/bin/inspect_script.pl"
<literal>le</literal> - Description: This operator is a + Description: This operator is a numerical comparison and stands for "less than or equal to." Example: SecRule &REQUEST_HEADERS_NAMES "@le 15" + role="bold">@le 15"
@@ -4414,7 +4378,7 @@ SecRule ARGS:route "!@endsWith %{REQUEST_ADDR}" Example: SecRule &REQUEST_HEADERS_NAMES "@lt 15" + role="bold">@lt 15"
@@ -4496,7 +4460,7 @@ SecRule ARGS:route "!@endsWith %{REQUEST_ADDR}" Example: SecRule REQUEST_HEADERS:User-Agent "@rx nikto" + role="bold">@rx nikto" Note @@ -4532,7 +4496,7 @@ SecRule ARGS:route "!@endsWith %{REQUEST_ADDR}"
<literal>streq</literal> - Description: This operator is a + Description: This operator is a string comparison and returns true if the parameter value matches the input exactly. Macro expansion is performed so you may use variable names such as %{TX.1}, etc. @@ -4548,13 +4512,13 @@ SecRule REQUEST_HEADERS:Ip-Address "!@streq %{TX.1} <literal>validateByteRange</literal> - Description: Validates the byte + Description: Validates the byte range used in the variable falls into the specified range. Example: SecRule ARG:text "@validateByteRange 10, 13, 32-126" + role="bold">@validateByteRange 10, 13, 32-126" Note @@ -4686,7 +4650,7 @@ SecRule XML "@validateSchema /path/to/apache2/conf/xml.xsd
<literal>within</literal> - Description: This operator is a + Description: This operator is a string comparison and returns true if the input value is found anywhere within the parameter value. Note that this is similar to @contains, except that the target and match values
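Review bot: the two new CHANGES entries "Performance improvements in caching transformations" and "Stricter validation for @validateUtf8Encoding" announce behaviour changes, but nothing else in this diff touches the transformation cache or the @validateUtf8Encoding operator (the operator's section of the reference is not edited at all). Either land those two lines with the code commit they belong to, or add a sentence to the operator's reference entry stating which inputs are now rejected, so the changelog and the documentation stay in step.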
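Review bot: the reflow at @@ -605 carries over two typos in the description of audit log part I, "except whenmultipart/form-data encoding in used". Since this commit is a documentation clean-up, make it "except when multipart/form-data encoding is used".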
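Review bot: the SecDefaultAction notes at @@ -995 still read "for an indivdual rule"; fix to "individual" while the sentence is being rewrapped.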
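Review bot: the SecGuardianLog notes at @@ -1051 are missing a word: "clients that send more 120 requests in a minute" should be "more than 120 requests in a minute", matching the "more than 360 requests" clause that follows.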
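Review bot: the Example Usage at @@ -1245 reads "SecResponseBodyLimit 524228" while the surrounding listing (visible in the @@ -1273 hunk header context) uses "SecResponseBodyLimit 524288". 524288 is 512 KB; 524228 looks like a transposition. Use the same value in both places while this line is being touched.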
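Review bot: the reflow at @@ -1508 collapses two directives of the SecRuleInheritance example onto one line, "SecRuleInheritance On SecRule ARGS "attack"". Apache reads one directive per line and SecRuleInheritance takes a single On/Off argument, so as shown the example is invalid configuration. Keep the original two lines in the listing.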
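Review bot: the SecRuleEngine notes at @@ -1542 contain "Thisdirective can also be controled"; fix to "This directive can also be controlled".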
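Review bot: the example regex touched at @@ -2208, "\.evil\.network\org$", is missing a dot before "org". "\o" has no special meaning in PCRE and is taken as a literal "o", so the pattern matches hosts ending in "networkorg" and never the intended ".network.org". Change it to "\.evil\.network\.org$".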
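Review bot: the REQUEST_BODY notes at @@ -2304 still read "the arguements is important"; fix to "the arguments".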
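Review bot: the REQUEST_LINE example at @@ -2379 does not implement the sentence above it. Negating "(^((?:(?:pos|ge)t|head))|http/(0\.9|1\.0|1\.1)$)" fires only when the method and the version are both unexpected, because the alternation sits inside the negation, whereas the text promises a match when either is wrong. A single anchored pattern such as "!^(?:(?:pos|ge)t|head) .+ http/(?:0\.9|1\.0|1\.1)$" matches the description. This example and the REQUEST_PROTOCOL one at @@ -2410 also use lowercase names, so they only behave as described when a t:lowercase transformation is in effect, as in the SecDefaultAction example at @@ -995; worth saying so beside the examples.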
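Review bot: the lowercase example at @@ -2933, "SecRule ARG:p "xp_cmdshell" "t:lowercase"", names the collection "ARG"; everywhere else in this reference it is "ARGS" ("ARGS:p", "ARGS:z" at @@ -1961), so this should read "ARGS:p". The same context has "tranformation actions"; fix to "transformation".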
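Review bot: two problems in the @contains example at @@ -4308. First, dropping the trailing space inside the quotes changes what the first rule matches: "!@contains .php " (with the space) only accepted request lines whose path ends in ".php" followed by the protocol, whereas "!@contains .php" now also accepts ".php5" or ".php.bak" anywhere in the line. If the space was deliberate, keep it and make it visible in the rendered text; otherwise say in the prose that the looser match is intended. Second, the chained rules use "REQUEST_ADDR" (and "%{REQUEST_ADDR}" appears again in the @endsWith example at @@ -4331), but the variable documented in this reference is REMOTE_ADDR (@@ -2196); these examples reference a variable that does not exist.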
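Review bot: the validateByteRange example at @@ -4548, "SecRule ARG:text "@validateByteRange 10, 13, 32-126"", has the same "ARG" for "ARGS" slip; it should read "ARGS:text".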