Updated Reference Manual (mediawiki)

Felipe Zimmerle
2013-11-04 08:17:25 -08:00
parent 4a8fc7a660
commit 7793874dcd

@@ -573,6 +573,22 @@ You should be aware that the internal chroot feature might not be 100% reliable.
This directive should be used to make the presence of significant rule sets known. The entire signature will be recorded in the transaction audit log. This directive should be used to make the presence of significant rule sets known. The entire signature will be recorded in the transaction audit log.
== SecConnEngine ==
'''Description:''' Configures the connections engine.
'''Syntax:''' <code>SecConnEngine On|Off|DetectionOnly </code>
'''Example Usage:''' <code>SecConnEngine On </code>
'''Scope:''' Any
'''Version:''' 2.7.6
Analog to SecRuleEngine, the possible values are:
*'''On''': process rules, quietly.
*'''Off''': do not process rules.
*'''DetectionOnly''': process rules in verbose mode but never executes any disruptive actions
== SecContentInjection == == SecContentInjection ==
'''Description:''' Enables content injection using actions append and prepend. '''Description:''' Enables content injection using actions append and prepend.
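Review bot: the SecConnEngine entry never says what the "connections engine" controls, so the three values cannot be interpreted: "Configures the connections engine." should name the directives it gates (in this change those are SecConnReadStateLimit and SecConnWriteStateLimit) and the DetectionOnly bullet should say what happens to a connection that exceeds a limit in that mode, i.e. whether it is logged and allowed to proceed rather than dropped. The value list also mixes forms ("process rules, quietly." next to "never executes any disruptive actions") and "Analog to SecRuleEngine" should read "Analogous to SecRuleEngine". Finally, '''Scope:''' Any here sits next to '''Scope''': Main on the limits it governs; confirm that a per-vhost or per-location SecConnEngine is honoured by a Main-scoped limit, and if it is not, change Scope to Main.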
@@ -985,11 +1001,26 @@ The only reason you would want to change the name of the token is if you wanted
'''Scope''': Main '''Scope''': Main
'''Version''': 2.5.13 '''Version''': 2.5.13, DEPRECATED as of v2.7.6.
'''Default:''' 0 (no limit) '''Default:''' 0 (no limit)
This measure is effective against Slowloris-style attacks from a single IP address, but it may not be as good against modified attacks that work by slowly sending request body content. This is because Apache to switches state to SERVER_BUSY_WRITE once request headers have been read. As an alternative, consider mod_reqtimeout (part of Apache as of 2.2.15), which is expected be effective against both attack types. See Blog post on mitigating slow DoS attacks - http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html For v2.7.6 or newest refer to SecConnReadStateLimit.
== SecConnReadStateLimit ==
'''Description:''' Establishes a per-IP address limit of how many connections are allowed to be in SERVER_BUSY_READ state.
'''Syntax:''' <code>SecReadStateLimit LIMIT OPTIONAL_IP_MATCH_OPERATOR</code>
'''Example Usage''': <code>SecReadStateLimit 50 "!@ipMatch 127.0.0.1"</code>
'''Scope''': Main
'''Version''': v2.7.6
'''Default:''' 0 (no limit)
This measure is effective against Slowloris-style attacks from a single IP address, but it may not be as good against modified attacks that work by slowly sending request body content. This is because Apache to switches state to SERVER_BUSY_WRITE once request headers have been read. As an alternative, consider mod_reqtimeout (part of Apache as of 2.2.15), which is expected be effective against both attack types. See Blog post on mitigating slow DoS attacks - http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html. v2.7.6 and newest supports the @ipMatch, @ipMatchF and @ipMatchFromFile operator along with the its negative (e.g. !@ipMatch) these were used to create suspicious or whitelist. When a suspicious list is informed, just the IPs that belongs to the list will be filtered. A combination of suspicious and whitelist is possible by using multiple definitions of SecConnReadStateLimit, note, however, that the limit will be always overwrite by its successor.
== SecSensorId == == SecSensorId ==
'''Description:''' Define a sensor ID that will be present into log part H. '''Description:''' Define a sensor ID that will be present into log part H.
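Review bot: the Syntax and Example Usage lines under the new SecConnReadStateLimit heading still carry the deprecated directive name, `SecReadStateLimit LIMIT OPTIONAL_IP_MATCH_OPERATOR` and `SecReadStateLimit 50 "!@ipMatch 127.0.0.1"`, so a reader copying the example gets exactly the directive the previous entry marks "DEPRECATED as of v2.7.6"; both should read SecConnReadStateLimit. The multiple-definition rule is also underspecified: "the limit will be always overwrite by its successor" does not say whether a later line replaces only the numeric limit or the whole limit-plus-operator pair, nor which limit applies to an IP that matches neither the suspicious list nor the whitelist; show the intended combination as two explicit directives and state the outcome for each case, since an operator misread here silently turns a whitelist into a global exemption. Smaller fixes in the same paragraph: "Apache to switches state" (drop "to"), "expected be effective" (expected to be), "For v2.7.6 or newest" (or newer), "the its negative" (its negative), "just the IPs that belongs" (only the IPs that belong), and '''Version''': v2.7.6 versus the "2.7.6" form used by SecConnEngine above.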
@@ -1011,11 +1042,26 @@ This measure is effective against Slowloris-style attacks from a single IP addre
'''Scope''': Main '''Scope''': Main
'''Version''': 2.6.0, DEPRECATED as of v2.7.6.
'''Default:''' 0 (no limit)
For v2.7.6 or newest refer to SecConnWriteStateLimit.
== SecConnWriteStateLimit ==
'''Description:''' Establishes a per-IP address limit of how many connections are allowed to be in SERVER_BUSY_WRITE state.
'''Syntax:''' <code>SecWriteStateLimit LIMIT OPTIONAL_IP_MATCH_OPERATOR</code>
'''Example Usage''': <code>SecWriteStateLimit 50 "!ipMatch 127.0.0.1"</code>
'''Scope''': Main
'''Version''': 2.6.0 '''Version''': 2.6.0
'''Default:''' 0 (no limit) '''Default:''' 0 (no limit)
This measure is effective against Slow DoS request body attacks. This measure is effective against Slow DoS request body attacks. v2.7.6 and newest supports the @ipMatch, @ipMatchF and @ipMatchFromFile operator along with the its negative (e.g. !@ipMatch) these were used to create suspicious or whitelist. When a suspicious list is informed, just the IPs that belongs to the list will be filtered. A combination of suspicious and whitelist is possible by using multiple definitions of SecConnReadStateLimit, note, however, that the limit will be always overwrite by its successor.
== SecRequestBodyAccess == == SecRequestBodyAccess ==
'''Description''': Configures whether request bodies will be buffered and processed by ModSecurity. '''Description''': Configures whether request bodies will be buffered and processed by ModSecurity.
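Review bot: the SecConnWriteStateLimit entry was copied from the read-state entry and keeps three stale references: Syntax and Example Usage name the deprecated SecWriteStateLimit, the example operator `"!ipMatch 127.0.0.1"` is missing the @ (compare `"!@ipMatch 127.0.0.1"` in the read-state example, and an operator without @ will not parse as one), and the closing sentence says combinations are built "by using multiple definitions of SecConnReadStateLimit" where this section means SecConnWriteStateLimit. The Version line also contradicts the notice just above it: SecWriteStateLimit is marked "DEPRECATED as of v2.7.6" in favour of SecConnWriteStateLimit, yet SecConnWriteStateLimit itself is listed as '''Version''': 2.6.0; if the new name first appears in 2.7.6 the line should say 2.7.6, matching the read-state entry.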