github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-11-21 03:26:42 +03:00
Code Issues Packages Projects Releases Wiki Activity

Add notes regarding operators that supports capture #1482

Victor Hora
2017-07-04 16:44:33 -04:00
parent 1fa81d1d9e
commit 8a14f18461
1 changed files with 17 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
Reference-Manual.mediawiki

@@ -4005,6 +4005,8 @@ Your site has a wide '''select'''ion of computers.
SecRule REQUEST_URI "@detectSQLi" "id:152" SecRule REQUEST_URI "@detectSQLi" "id:152"
</pre> </pre>
; Note : This operator supports the "capture" action.
== detectXSS == == detectXSS ==
'''Description:''' Returns true if XSS injection is found. This operator uses LibInjection to detect XSS attacks. '''Description:''' Returns true if XSS injection is found. This operator uses LibInjection to detect XSS attacks.
@@ -4098,6 +4100,8 @@ SecGsbLookupDb /path/to/GsbMalware.dat
SecRule RESPONSE_BODY "@gsbLookup =\"https?\:\/\/(.*?)\"" "phase:4,id:157,capture,log,block,msg:'Bad url detected in RESPONSE_BODY (Google Safe Browsing Check)',logdata:'http://www.google.com/safebrowsing/diagnostic?site=%{tx.0}'" SecRule RESPONSE_BODY "@gsbLookup =\"https?\:\/\/(.*?)\"" "phase:4,id:157,capture,log,block,msg:'Bad url detected in RESPONSE_BODY (Google Safe Browsing Check)',logdata:'http://www.google.com/safebrowsing/diagnostic?site=%{tx.0}'"
</pre> </pre>
; Note : This operator supports the "capture" action.
== gt == == gt ==
'''Description:''' Performs numerical comparison and returns true if the input value is greater than the operator parameter. Macro expansion is performed on the parameter string before comparison. '''Description:''' Performs numerical comparison and returns true if the input value is greater than the operator parameter. Macro expansion is performed on the parameter string before comparison.
@@ -4287,6 +4291,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pm WebZIP WebCopier Webster WebStripper ...
; Note : This operator does not support macro expansion (as of ModSecurity v2.9.1). ; Note : This operator does not support macro expansion (as of ModSecurity v2.9.1).
; Note : This operator supports the "capture" action.
== pmf == == pmf ==
Short alias for pmFromFile. Short alias for pmFromFile.
@@ -4348,6 +4353,8 @@ setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},set
; Note : If the RBL used is dnsbl.httpbl.org (Honeypot Project RBL) then the SecHttpBlKey directive must specify the user's registered API key. ; Note : If the RBL used is dnsbl.httpbl.org (Honeypot Project RBL) then the SecHttpBlKey directive must specify the user's registered API key.
; Note : If the RBL used is either multi.uribl.com or zen.spamhaus.org combined RBLs, it is possible to also parse the return codes in the last octet of the DNS response to identify which specific RBL the IP was found in. ; Note : If the RBL used is either multi.uribl.com or zen.spamhaus.org combined RBLs, it is possible to also parse the return codes in the last octet of the DNS response to identify which specific RBL the IP was found in.
; Note : This operator supports the "capture" action.
== rsub == == rsub ==
'''Description''': Performs regular expression data substitution when applied to either the STREAM_INPUT_BODY or STREAM_OUTPUT_BODY variables. This operator also supports macro expansion. Starting with ModSecurity 2.7.0 this operator supports the syntax |hex| allowing users to use special chars like \n \r '''Description''': Performs regular expression data substitution when applied to either the STREAM_INPUT_BODY or STREAM_OUTPUT_BODY variables. This operator also supports macro expansion. Starting with ModSecurity 2.7.0 this operator supports the syntax |hex| allowing users to use special chars like \n \r
@@ -4373,6 +4380,8 @@ Regular expressions are handled by the PCRE library [http://www.pcre.org]. ModSe
Regular expressions are a very powerful tool. You are strongly advised to read the PCRE documentation to get acquainted with its features. Regular expressions are a very powerful tool. You are strongly advised to read the PCRE documentation to get acquainted with its features.
; Note : This operator supports the "capture" action.
== rx == == rx ==
'''Description''': Performs a regular expression match of the pattern provided as parameter. '''This is the default operator; the rules that do not explicitly specify an operator default to @rx'''. '''Description''': Performs a regular expression match of the pattern provided as parameter. '''This is the default operator; the rules that do not explicitly specify an operator default to @rx'''.
@@ -4395,6 +4404,8 @@ Regular expressions are handled by the PCRE library [http://www.pcre.org]. ModSe
Regular expressions are a very powerful tool. You are strongly advised to read the PCRE documentation to get acquainted with its features. Regular expressions are a very powerful tool. You are strongly advised to read the PCRE documentation to get acquainted with its features.
; Note : This operator supports the "capture" action.
== streq == == streq ==
'''Description:''' Performs a string comparison and returns true if the parameter string is identical to the input string. Macro expansion is performed on the parameter string before comparison. '''Description:''' Performs a string comparison and returns true if the parameter string is identical to the input string. Macro expansion is performed on the parameter string before comparison.
@@ -4529,6 +4540,8 @@ The @validateUtf8Encoding operator detects the following problems:
SecRule ARGS "@verifyCC \d{13,16}" "phase:2,id:194,nolog,pass,msg:'Potential credit card number',sanitiseMatched" SecRule ARGS "@verifyCC \d{13,16}" "phase:2,id:194,nolog,pass,msg:'Potential credit card number',sanitiseMatched"
</pre> </pre>
; Note : This operator supports the "capture" action.
== verifyCPF == == verifyCPF ==
'''Description:''' Detects CPF numbers (Brazilian social number) in input. This operator will first use the supplied regular expression to perform an initial match, following up with an algorithm calculation to minimize false positives. '''Description:''' Detects CPF numbers (Brazilian social number) in input. This operator will first use the supplied regular expression to perform an initial match, following up with an algorithm calculation to minimize false positives.
@@ -4543,6 +4556,8 @@ SecRule ARGS "@verifyCPF /^([0-9]{3}\.){2}[0-9]{3}-[0-9]{2}$/" "phase:2,id:195,n
'''Supported on libModSecurity:''' Yes '''Supported on libModSecurity:''' Yes
; Note : This operator supports the "capture" action.
== verifySSN == == verifySSN ==
'''Description:''' Detects US social security numbers (SSN) in input. This operator will first use the supplied regular expression to perform an initial match, following up with an SSN algorithm calculation to minimize false positives. '''Description:''' Detects US social security numbers (SSN) in input. This operator will first use the supplied regular expression to perform an initial match, following up with an SSN algorithm calculation to minimize false positives.
@@ -4572,6 +4587,8 @@ A Social Security number is broken up into 3 sections:
*Area code must be less than 740 *Area code must be less than 740
*Area code must be different then 666 *Area code must be different then 666
; Note : This operator supports the "capture" action.
== within == == within ==
'''Description:''' Returns true if the input value (the needle) is found anywhere within the @within parameter (the haystack). Macro expansion is performed on the parameter string before comparison. '''Description:''' Returns true if the input value (the needle) is found anywhere within the @within parameter (the haystack). Macro expansion is performed on the parameter string before comparison.