From c6c4003942181469e26921257505962138f1efa7 Mon Sep 17 00:00:00 2001 From: brectanus Date: Fri, 18 Jan 2008 21:14:21 +0000 Subject: [PATCH] More configure cleanup. Update docs for new install: configure && make && make install Spell check the docs. --- apache2/Makefile.in | 7 +- apache2/configure.in | 4 + apache2/t/{run-tests.pl => run-tests.pl.in} | 2 +- doc/modsecurity2-apache-reference.xml | 221 ++++++++++---------- 4 files changed, 124 insertions(+), 110 deletions(-) rename apache2/t/{run-tests.pl => run-tests.pl.in} (99%) diff --git a/apache2/Makefile.in b/apache2/Makefile.in index 0f3f39cf..2b7e079c 100644 --- a/apache2/Makefile.in +++ b/apache2/Makefile.in @@ -10,6 +10,7 @@ MOD_SECURITY2_H = re.h modsecurity.h msc_logging.h msc_multipart.h msc_parsers.h msc_geo.h acmp.h utf8tables.h msc_lua.h CC = @CC@ +PERL = @PERL@ EXTRA_CFLAGS = @EXTRA_CFLAGS@ MODSEC_EXTRA_CFLAGS = @MODSEC_EXTRA_CFLAGS@ @@ -64,7 +65,7 @@ clean: clean-extras @rm -rf *.la *.lo *.o *.slo .libs msc_test maintainer-clean: clean - @rm -rf Makefile config config.log config.status configure mod_security2_config.h + @rm -rf Makefile mlogc-src/Makefile t/run-tests.pl config config.log config.status configure mod_security2_config.h dist-clean: maintainer-clean @@ -91,8 +92,8 @@ TESTOBJS = re.o re_operators.o re_actions.o re_tfns.o re_variables.o \ msc_test: mod_security2.la msc_test.c @$(CC) $(CPPFLAGS) $(LDFLAGS) $(APXS_INCLUDES) $(EXTRA_CFLAGS) $(MODSEC_EXTRA_CFLAGS) $(APR_CFLAGS) $(APU_CFLAGS) -o msc_test $(TESTOBJS) msc_test.c $(LIBS) $(APR_LIBS) $(APU_LIBS) $(APXS_LIBS) $(APR_LINK_LD) $(APU_LINK_LD) -test: msc_test - @t/run-tests.pl +test: t/run-tests.pl msc_test + @$(PERL) t/run-tests.pl mlogc: @$(MAKE) -C mlogc-src mlogc \ diff --git a/apache2/configure.in b/apache2/configure.in index e0cb26d7..078bcc25 100644 --- a/apache2/configure.in +++ b/apache2/configure.in @@ -19,6 +19,7 @@ AC_PROG_INSTALL AC_PROG_LN_S AC_PROG_MAKE_SET AC_PROG_RANLIB +AC_PATH_PROGS(PERL, perl perl5, ) # Checks for header files. AC_HEADER_STDC @@ -233,6 +234,9 @@ CHECK_LUA() CHECK_CURL() AC_CONFIG_FILES([Makefile]) +if test -e "$PERL"; then + AC_CONFIG_FILES([t/run-tests.pl]) +fi if test -e "mlogc-src/Makefile.in"; then AC_CONFIG_FILES([mlogc-src/Makefile]) fi diff --git a/apache2/t/run-tests.pl b/apache2/t/run-tests.pl.in similarity index 99% rename from apache2/t/run-tests.pl rename to apache2/t/run-tests.pl.in index fcc6d6cc..a95e1536 100755 --- a/apache2/t/run-tests.pl +++ b/apache2/t/run-tests.pl.in @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!@PERL@ # # Run unit tests. # diff --git a/doc/modsecurity2-apache-reference.xml b/doc/modsecurity2-apache-reference.xml index aa05d9df..eb0c904f 100644 --- a/doc/modsecurity2-apache-reference.xml +++ b/doc/modsecurity2-apache-reference.xml @@ -310,51 +310,62 @@ - Edit Makefile to configure the path to the Apache ServerRoot - directory. You can check this by identifying the ServerRoot directive - setting in your httpd.conf file. This is the path that was specified - with the "--install-path=" configuration flag during compilation (for - example, in Fedora Core4: top_dir = - /etc/httpd). + Run the configure script to generate a Makefile. Typically no + options are needed. + + ./configure + + Options are available for more customization (use + ./configure --help for a full list), but typically + you will only need to specify the location of the + apxs command installed by Apache httpd with the + --with-apxs option. + + ./configure + --with-apxs=/path/to/httpd-2.x.y/bin/apxs - Edit Makefile to configure the correct include path for libxml - (for example -I - /usr/include/libxml2) + Compile with: make - Edit Makefile to configure the correct incpude path for Lua (for - example -I /usr/include/lua5.1). + Optionally test with: make test - Compile with make + Optionally build the ModSecurity Log Collector with: + make mlogc - Stop Apache + Stop Apache httpd - Install with make + Optionally install mlogc: Review the + INSTALL file included in the apache2/mlogc-src + directory in the distribution. + + + + Install the ModSecurity module with: make install - Load libxml2 before ModSecurity: LoadFile /usr/lib/libxml2.so + Load libxml2 before ModSecurity: LoadFile + /usr/lib/libxml2.so Load Lua before ModSecurity: LoadFile - /usr/lib/liblua5.1.so. + /usr/lib/liblua5.1.so. - Load ModSecurity itself: LoadModule - security2_module modules/mod_security2.so + Load ModSecurity itself: LoadModule security2_module + modules/mod_security2.so @@ -362,7 +373,7 @@ - Start Apache + Start Apache httpd @@ -445,17 +456,17 @@ moreinfo="none">SecAction nolog,redirect:http://www.hostname.com - ProcessingPhase: Any + Processing Phase: Any Scope: Any Dependencies/Notes: None - SecAction is best used when you uncondiationally execute an - action. This is explicit triggering whereas the normal Actions are - conditional based on data inspection of the request/response. This is a - useful directive when you want to run certian actions such as initcol to - initialize collections. + SecAction is best used when you unconditionally execute an action. + This is explicit triggering whereas the normal Actions are conditional + based on data inspection of the request/response. This is a useful + directive when you want to run certain actions such as + initcol to initialize collections.
@@ -480,10 +491,10 @@ Dependencies/Notes: None - This directive is needed if a backend web appliaction is using a + This directive is needed if a backend web application is using a non-standard argument separator. If this directive is not set properly - for each web app, then ModSecurity will not be able to parse the - arguements appropriately and the effectiveness of the rule matching will + for each web application, then ModSecurity will not be able to parse the + arguments appropriately and the effectiveness of the rule matching will be significantly decreased.
@@ -504,7 +515,7 @@ Scope: Any Dependencies/Notes: Can be set/changed with - the "ctl" action for the current transaction. + the "ctl" action for the current transaction. Example: The following example shows the various audit directives used together. @@ -564,12 +575,12 @@ SecAuditLogStorageDir logs/audit audit logging format is used. If concurrent audit logging format is used this file will be used as an index, and contain a record of all audit log files created. If you are planning to use Concurrent audit logging - and sending your audit log data off to a remote Console host, then you - will need to use the modsec-auditlog-collector.pl script and use the - following format: + and sending your audit log data off to a remote Console host or + commercial ModSecurity Management Appliance, then you will need to + configure and use the ModSecurity Log Collector (mlogc) and use the + following format for the audit log: - SecAuditLog \ - "|/path/modsec-auditlog-collector.pl /path/SecAuditLogDataDir /path/SecAuditLog" + SecAuditLog "|/path/to/mlogc /path/to/mlogc.conf"
@@ -837,7 +848,7 @@ SecAuditLogStorageDir logs/audit - The following options are allowed (comma seperated): + The following options are allowed (comma separated): @@ -1102,9 +1113,9 @@ SecAuditLogStorageDir logs/audit Dependencies/Notes: Rules following a SecDefaultAction directive will inherit this setting unless a specific - action is specified for an indivdual rule or until another + action is specified for an individual rule or until another SecDefaultAction is specified. Take special note that in the logging - disruptive actions are not allowed, but this can inadvertantly be + disruptive actions are not allowed, but this can inadvertently be inherited using a disruptive action in SecDefaultAction. The default value is: @@ -1121,7 +1132,7 @@ SecAuditLogStorageDir logs/audit <literal>SecGeoLookupDb</literal> Description: Defines the path to the - geograpical database file. + geographical database file. Syntax: SecGeoLookupDb /path/to/db @@ -1196,7 +1207,7 @@ SecAuditLogStorageDir logs/audit Example Usage: SecMarker 9999 - ProcessingPhase: Any + Processing Phase: Any Scope: Any @@ -1249,10 +1260,10 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \ Description: Defines the secret that will be used to construct one-time tokens. You should use a reasonably long value for the secret (e.g. 16 characters is good). Once selected the - secret should not be changed as as it will break the the tokens that - were sent prior to change. But it's not a big deal even if you change - it. It will just force dowload of PDF files with tokens that were issued - in the last few seconds. + secret should not be changed as it will break the tokens that were sent + prior to change. But it's not a big deal even if you change it. It will + just force download of PDF files with tokens that were issued in the + last few seconds.
@@ -1342,7 +1353,7 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \ Description: Configures the maximum request body size ModSecurity will accept for buffering, excluding the size of files being transported in the request. This directive comes handy to - further reduce susceptability to DoS attacks when someone is sending + further reduce susceptibility to DoS attacks when someone is sending request bodies of very large sizes. Web applications that require file uploads must configure SecRequestBodyLimit to a high value. Since large files are streamed to disk file uploads will not @@ -1426,7 +1437,7 @@ SecResponseBodyLimit 524288 Description: Controls what happens once a response body limit, configured with SecResponseBodyLimit, is encountered. By default - ModSecurity wil reject a response body that is longer than specified. + ModSecurity will reject a response body that is longer than specified. Some web sites, however, will produce very long responses making it difficult to come up with a reasonable limit. Such sites would have to raise the limit significantly to function properly defying the purpose @@ -1519,7 +1530,7 @@ SecResponseBodyLimit 524288 Scope: Any Dependencies/Notes: This directive is - required if you plan to inspect html responses. This directive must be + required if you plan to inspect HTML responses. This directive must be used along with the "phase:4" processing phase action and RESPONSE_BODY variable/location. If any of these 3 parts are not configured, you will not be able to inspect the response bodies. @@ -1666,7 +1677,7 @@ SecResponseBodyLimit 524288 Example: The following example shows where ModSecurity may be enabled in the main Apache configuration scope, however you might want to configure your VirtualHosts differently. In the first example, the - first virtualhost is not inheriting the ModSecurity main config + first VirtualHost is not inheriting the ModSecurity main config directives and in the second one it is. SecRuleEnine On @@ -1719,8 +1730,8 @@ ServerAlias www.app2.com Scope: Any - Dependencies/Notes: Thisdirective can also be - controled by the ctl action (ctl:ruleEngine=off) for per rule + Dependencies/Notes: This directive can also + be controlled by the ctl action (ctl:ruleEngine=off) for per rule processing. Possible values are: @@ -2040,7 +2051,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} </VirtualHost> In the two examples configurations shown, SecWebAppId is being - used in conjuction with the Apache VirtualHost directives. What this + used in conjunction with the Apache VirtualHost directives. What this achieves is to create more unique collection names when being hosted on one server. Normally, when setsid is used, ModSecurity will create a collection with the name "SESSION" and it will hold the value specified. @@ -2186,7 +2197,7 @@ SecRule REQUEST_HEADERS:Host "!^$" "deny,phase:1"
@@ -2196,7 +2207,7 @@ SecRule REQUEST_HEADERS:Host "!^$" "deny,phase:1"This is the general-purpose output analysis phase. At this point you can run rules against the response body (provided it was buffered, of course). This is the phase where you would want to inspect the - outbound html for information discloure, error messages or failed + outbound HTML for information disclosure, error messages or failed authentication text. @@ -2260,7 +2271,7 @@ SecRule REQUEST_HEADERS:Host "!^$" "deny,phase:1"In ModSecurity 1.X, the ARGS variable stood for QUERY_STRING + POST_PAYLOAD, - whereas now it expands to to individual variables. + whereas now it expands to individual variables. @@ -2335,7 +2346,7 @@ SecRule ARGS_NAMES "!^(p|a)$" This data will not be available in a proxy-mode deployment as the authentication is not local. In a proxy-mode deployment, you would need - to inpect the REQUEST_HEADERS:Authorization + to inspect the REQUEST_HEADERS:Authorization header. @@ -2428,7 +2439,7 @@ SecRule ENV:tag "suspicious" - COUNTRY_CONTINENT: The teo character + COUNTRY_CONTINENT: The two character continent that the country is located. EX: EU @@ -2454,7 +2465,7 @@ SecRule ENV:tag "suspicious" - DMA_CODE: The metropoliton area code. (US + DMA_CODE: The metropolitan area code. (US only) @@ -2526,14 +2537,14 @@ SecRule ARGS "@pm some key words" id:12345,deny,status:500 <literal>MULTIPART_CRLF_LF_LINES</literal> This flag variable will be set to 1 whenever a - multipart request uses mixed line terminators. The + multi-part request uses mixed line terminators. The multipart/form-data RFC requires CRLF sequence to be used to terminate lines. Since some client implementations use only LF to terminate lines you might want to allow them to proceed under certain circumstances (if you want to do this you will need to stop using - MULTIPART_STRICT_ERROR and check each multipart flag - variable individually, avoding MULTIPART_LF_LINE). + MULTIPART_STRICT_ERROR and check each multi-part flag + variable individually, avoiding MULTIPART_LF_LINE). However, mixing CRLF and LF line terminators is dangerous as it can allow for evasion. Therefore, in such cases, you will have to add a check for @@ -2595,7 +2606,7 @@ SM %{MULTIPART_SEMICOLON_MISSING}'" feels like a boundary but it is not. Such an event may occur when evasion of ModSecurity is attempted. - The best wasy to use this variable is as in the example + The best way to use this variable is as in the example below: SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ @@ -2725,8 +2736,8 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" <literal moreinfo="none">REQUEST_BASENAME</literal> This variable holds just the filename part of - REQUEST_FILENAME (e.g. index.php). Warning: not - urlDecoded. Example: + REQUEST_FILENAME (e.g. index.php). Warning: not URL + decoded. Example: SecRule REQUEST_BASENAME "^login\.php$" @@ -2736,7 +2747,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable holds the data in the request body (including POST_PAYLOAD data). REQUEST_BODY should be used if the original order of - the arguements is important (ARGS should be used in all other cases). + the arguments is important (ARGS should be used in all other cases). Example: SecRule REQUEST_BODY "^username=\w{25,}\&password=\w{25,}\&Submit\=login$" @@ -2781,7 +2792,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" <literal moreinfo="none">REQUEST_HEADERS</literal> This variable can be used as either a collection of all of the - Request Headers or can be used to specify indivudual headers (by using + Request Headers or can be used to specify individual headers (by using REQUEST_HEADERS:Header-Name). Example: the first example uses REQUEST_HEADERS as a collection and is applying the validateUrlEncoding operator against all headers. @@ -2859,9 +2870,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" This variable holds the full URL including the QUERY_STRING data (e.g. /index.php?p=X), however it will never contain a domain name, even - if it was provided on the request line. Warning: not urlDecoded. It also - does not include either the REQUEST_METHOD or the HTTP version info. - Example: + if it was provided on the request line. Warning: not URL decoded. It + also does not include either the REQUEST_METHOD or the HTTP version + info. Example: SecRule REQUEST_URI "attack" @@ -2871,7 +2882,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" Same as REQUEST_URI but will contain the domain name if it was provided on the request line (e.g. - http://www.example.com/index.php?p=X). Warning: not urlDecoded. + http://www.example.com/index.php?p=X). Warning: not URL decoded. Example: SecRule REQUEST_URI_RAW "http:/" @@ -3008,7 +3019,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
<literal moreinfo="none">SCRIPT_GID</literal> - This variable holds the groupid (numerical value) of the group + This variable holds the group id (numerical value) of the group owner of the script. Example: SecRule SCRIPT_GID "!^46$" @@ -3048,7 +3059,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
<literal moreinfo="none">SCRIPT_UID</literal> - This variable holds the userid (numerical value) of the owner of + This variable holds the user id (numerical value) of the owner of the script. Example: the example rule below will trigger if the UID is not 46 (the Apache user). @@ -3224,8 +3235,8 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} last past the current request/response process. Example: In this example, we are using setvar to increase the tx.score value by 5 points. We then have a follow-up run that will evaluate the transactional score - this this request and then it will decided whether or not to allow/deny - the request through. + this request and then it will decided whether or not to allow/deny the + request through. The following is a list of reserved names in the TX collection: @@ -3382,7 +3393,7 @@ SecRule XML:/xq:employees/employee/name/text() Fred \ case in order to evade the ModSecurity rule: SecRule ARG:p "xp_cmdshell" "t:lowercase" - multiple tranformation actions can be used in the same rule, for example + multiple transformation actions can be used in the same rule, for example the following rule also ensures that an attacker does not use URL encoding (%xx encoding) for evasion. Note the order of the transformation functions, which ensures that a URL encoded letter is first decoded and @@ -3390,10 +3401,10 @@ SecRule XML:/xq:employees/employee/name/text() Fred \ SecRule ARG:p "xp_cmdshell" "t:urlDecode,t:lowercase" - One can use the SetDefaultAction command to ensure the translation + One can use the SecDefaultAction command to ensure the translation occurs for every rule until the next. Note that translation actions are additive, so if a rule explicitly list actions, the translation actions - set by SetDefaultAction are still performed. + set by SecDefaultAction are still performed. SecDefaultAction t:urlDecode,t:lowercase @@ -3402,7 +3413,7 @@ SecRule XML:/xq:employees/employee/name/text() Fred \
<literal>base64Decode</literal> - This function decoes a base64-encoded string. + This function decodes a base64-encoded string.
@@ -3507,7 +3518,7 @@ SecRule XML:/xq:employees/employee/name/text() Fred \
<literal>lowercase</literal> - This function is enabled by default. It converts all charactes to + This function is enabled by default. It converts all characters to lowercase using the current C locale.
@@ -3515,7 +3526,7 @@ SecRule XML:/xq:employees/employee/name/text() Fred \ <literal>md5</literal> This function calculates an MD5 hash from input. Note that the - computed hash is in a raw binary form and may need encoded to be useable + computed hash is in a raw binary form and may need encoded to be usable (EX: t:md5,t:hexEncode).
@@ -3557,9 +3568,9 @@ SecRule XML:/xq:employees/employee/name/text() Fred \
<literal>replaceComments</literal> - This function replaces each occurence of a C-style comments + This function replaces each occurrence of a C-style comments (/* ... */) with a single space - (multiple consecutive occurences of a space will not be compressed). + (multiple consecutive occurrences of a space will not be compressed). Unterminated comments will too be replaced with a space (ASCII 32). However, a standalone termination of a comment (*/) will not be acted upon. @@ -3606,7 +3617,7 @@ SecRule XML:/xq:employees/employee/name/text() Fred \ <literal>sha1</literal> This function calculates a SHA1 hash from input. Note that the - computed hash is in a raw binary form and may need encoded to be useable + computed hash is in a raw binary form and may need encoded to be usable (EX: t:sha1,t:hexEncode).
@@ -3784,7 +3795,7 @@ SecRule TX:1 "(?:(?:a(dmin|nonymous)))" Note The 0 data captures the entire REGEX match and 1 captures the data - in the first parantheses, etc... + in the first parens, etc...
@@ -3968,7 +3979,7 @@ SecRule IP:AUTH_ATTEMPT "@gt 25" \ <literal>exec</literal> Description: Executes an external - script/binary supplied as parameter. As of v2.5, if tge parameter + script/binary supplied as parameter. As of v2.5, if the parameter supplied to exec is a Lua script (detected by the .lua extension) the script will be processed internally. This means you will get direct access @@ -3997,7 +4008,7 @@ SecRule ARGS:p attack log,exec:/usr/local/apache/conf/exec.lua @@ -4007,8 +4018,8 @@ SecRule ARGS:p attack log,exec:/usr/local/apache/conf/exec.lua <literal>expirevar</literal> - Description: Configurescollection variable to - expire after the given time in seconds. + Description: Configures a collection variable + to expire after the given time in seconds. Action Group: Non-Disruptive @@ -4022,7 +4033,7 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" \ Note You should use expirevar actions at the same time that you use - setvar actions in order to keep the indended expiration time. If they + setvar actions in order to keep the indented expiration time. If they are used on their own (perhaps in a SecAction directive) the expire time could get re-set. When variables are removed from collections, and there are no other changes, collections are not written to disk at the end of @@ -4283,7 +4294,7 @@ SecRule ARGS "attack" multiMatch be logged. If it is set to RelevantOnly, then you can control it with the noauditlog action. Even if the noauditlog action is applied to a specific rule and a rule either before or after triggered an audit - event, then the tranaction will be logged to the audit log. The correct + event, then the transaction will be logged to the audit log. The correct way to disable audit logging for the entire transaction is to use "ctl:auditEngine=Off"
@@ -4596,7 +4607,7 @@ SecRule REQUEST_HEADERS:User-Agent "Test" log,deny,status:403
<literal>setsid</literal> - Description: Special-purposeaction that + Description: Special-purpose action that initialises the SESSION collection. @@ -4611,7 +4622,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}Note On first invocation of this action the collection will be empty - (not taking the pre-defined variables into account - see initcol for more information). On subsequent invocations the contents of the collection (session, in this case) will be retrieved from storage. After initialisation takes place the @@ -4695,7 +4706,7 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \ necessarily the order in which the rules appear in the configuration file. If you group rules by processing phases, then skip should work as expected. This action can not be used to skip rules within one chain. - Accepts a single paramater denoting the number of rules (or chains) to + Accepts a single parameter denoting the number of rules (or chains) to skip.
@@ -4724,7 +4735,7 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \ necessarily the order in which the rules appear in the configuration file. If you group rules by processing phases, then skip should work as expected. This action can not be used to skip rules within one chain. - Accepts a single paramater denoting the last rule ID to skip. + Accepts a single parameter denoting the last rule ID to skip.
@@ -4742,8 +4753,8 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \ Note - Staus actions defined in Apache scope locations (such as - Directory, Location, etc...) may be superceded by phase:1 action + Status actions defined in Apache scope locations (such as + Directory, Location, etc...) may be superseded by phase:1 action settings. The Apache ErrorDocument directive will be triggered if present in the configuration. Therefore if you have previously defined a custom error page for a given status then it will be executed and its @@ -4769,7 +4780,7 @@ SecRule REQUEST_COOKIES:SESSIONID "47414e81cbbef3cf8366e84eeacba091" \ Note Any transformation functions that you specify in a SecRule will be - in addtion to previous ones specified in SecDefaultAction. Use of + in addition to previous ones specified in SecDefaultAction. Use of "t:none" will remove all transformation functions for the specified rule.
@@ -5062,9 +5073,8 @@ end All matches are case-sensitive. If you do not care about case sensitivity you either need to implement the lowercase transformational function, or - use the per-pattern(?i)modificator, as allowed by - PCRE. + use the per-pattern(?i)modifier, + as allowed by PCRE. @@ -5072,7 +5082,7 @@ end PCRE_DOLLAR_ENDONLY flags are set during compilation, meaning a single dot will match any character, including the newlines and a $ - end anchor will not match a trailing newline charater. + end anchor will not match a trailing newline character. @@ -5507,9 +5517,8 @@ Server: Apache/2.x.x - Refer to the documentsation for - SecAuditLogParts for the explanation of each - part. + Refer to the documentation for SecAuditLogParts + for the explanation of each part. @@ -5521,7 +5530,7 @@ Server: Apache/2.x.x
Impedance Mismatch - Web application firewalls have a difficult job trying to make + Web application fireballs have a difficult job trying to make sense of data that passes by, without any knowledge of the application and its business logic. The protection they provide comes from having an independent layer of security on the outside. Because data validation is @@ -5537,7 +5546,7 @@ Server: Apache/2.x.x While we will continue to enhance ModSecurity to deal with various evasion techniques the problem can only be minimized, but never solved. - With so many different application backends chances are some will always + With so many different application backend chances are some will always do something completely unexpected. The only solution is to be aware of the technologies in the backend when writing rules, adapting the rules to remove the mismatch. See the next section for some examples. @@ -5612,4 +5621,4 @@ Server: Apache/2.x.x
- + \ No newline at end of file