github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-15 23:55:03 +03:00
Code Issues Packages Projects Releases Wiki Activity

I added notes about accessing response headers in phase:3 and phase:5.

Browse Source
This commit is contained in:
rbarnett 2007-04-12 18:46:12 +00:00
parent e72540b0a0
commit f2c96bae2a
1 changed files with 22 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
doc/modsecurity2-apache-reference.xml
View File

@ -1009,12 +1009,13 @@ SecAuditLogStorageDir logs/audit
<para>Development of a state of the art external protection tool will be <para>Development of a state of the art external protection tool will be
a focus of subsequent ModSecurity releases. However, a fully functional a focus of subsequent ModSecurity releases. However, a fully functional
tool is already available as part of the Apache httpd tools project tool is already available as part of the Apache httpd tools project
(<link linkend="http://www.apachesecurity.net/tools/">http://www.apachesecurity.net/tools/</link>). The (<link
tool is called httpd-guardian and can be used to defend against Denial linkend="http://www.apachesecurity.net/tools/">http://www.apachesecurity.net/tools/</link>).
of Service attacks. It uses the blacklist tool (from the same project) The tool is called httpd-guardian and can be used to defend against
to interact with an iptables-based (Linux) or pf-based (*BSD) firewall, Denial of Service attacks. It uses the blacklist tool (from the same
dynamically blacklisting the offending IP addresses. It can also project) to interact with an iptables-based (Linux) or pf-based (*BSD)
interact with SnortSam (http://www.snortsam.net). Assuming firewall, dynamically blacklisting the offending IP addresses. It can
also interact with SnortSam (http://www.snortsam.net). Assuming
httpd-guardian is already configured (look into the source code for the httpd-guardian is already configured (look into the source code for the
detailed instructions) you only need to add one line to your Apache detailed instructions) you only need to add one line to your Apache
configuration to deploy it:</para> configuration to deploy it:</para>
@ -1788,8 +1789,8 @@ SecRule HTTP_Host "!^$" "deny,<emphasis role="bold">phase:1</emphasis>"</program
not be able to be triggered as expected. Additionally, there are some not be able to be triggered as expected. Additionally, there are some
response headers that are added by Apache at a later hook (such as Date, response headers that are added by Apache at a later hook (such as Date,
Server and Connection) that we would not be able to trigger on or Server and Connection) that we would not be able to trigger on or
sanitize. This should work appropirately in a proxy setup sanitize. This should work appropirately in a proxy setup or within
however.</para> phase:5 (logging).</para>
</section> </section>
<section> <section>
@ -1808,8 +1809,9 @@ SecRule HTTP_Host "!^$" "deny,<emphasis role="bold">phase:1</emphasis>"</program
<para>This phase is run just before logging takes place. The rules <para>This phase is run just before logging takes place. The rules
placed into this phase can only affect how the logging is performed. placed into this phase can only affect how the logging is performed.
This phase can be used to inspect the error messages logged by Apache. This phase can be used to inspect the error messages logged by Apache.
You can not deny/block connections in this phase as it is too You can not deny/block connections in this phase as it is too late. This
late.</para> phase also allows for inspection of other response headers that weren't
available during phase:3 or phase:4.</para>
</section> </section>
</section> </section>
@ -1850,10 +1852,12 @@ SecRule HTTP_Host "!^$" "deny,<emphasis role="bold">phase:1</emphasis>"</program
expression in the selection operator itself. The following rule will expression in the selection operator itself. The following rule will
look into all arguments whose names begin with <literal look into all arguments whose names begin with <literal
moreinfo="none">id_</literal>: <programlisting format="linespecific">SecRule ARGS:/^id_/ dirty</programlisting></para> moreinfo="none">id_</literal>: <programlisting format="linespecific">SecRule ARGS:/^id_/ dirty</programlisting></para>
<note><para>In ModSecurity 1.X, the <literal>ARGS</literal> variable stood <note>
for <literal>QUERY_STRING</literal> + <literal>POST_PAYLOAD</literal>, <para>In ModSecurity 1.X, the <literal>ARGS</literal> variable stood
whereas now it expands to to individual variables.</para></note> for <literal>QUERY_STRING</literal> + <literal>POST_PAYLOAD</literal>,
whereas now it expands to to individual variables.</para>
</note>
</section> </section>
<section> <section>
@ -2255,10 +2259,10 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
<para><emphasis role="bold">Note</emphasis></para> <para><emphasis role="bold">Note</emphasis></para>
<para>This variable may not have access to some headers when running in <para>This variable may not have access to some headers when running in
embedded-mode. Headers such as Server, Date and Connection are added embedded-mode. Headers such as Server, Date, Connection and Content-Type
during a later Apache hook just prior to sending the data to the client. are added during a later Apache hook just prior to sending the data to
This data should be available, however, when running in the client. This data should be available, however, either during
proxy-mode.</para> ModSecurity phase:5 (logging) or when running in proxy-mode.</para>
</section> </section>
<section> <section>