github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-11-21 11:36:40 +03:00
Code Issues Packages Projects Releases Wiki Activity

Adding information on currently unsupported variables / directives for libModSecurity (v3)

Victor Hora
2017-06-06 14:29:48 -04:00
parent 9fbc5f1aa0
commit 9ff0d9eeaa
1 changed files with 164 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

194
Reference-Manual.mediawiki

@@ -828,7 +828,9 @@ ModSecurity relies on the free geolocation databases (GeoLite City and GeoLite C
'''Scope:''' Any
'''Version:''' 2.6.0
'''Version:''' 2.6.0
'''Supported on libModSecurity:''' TBD
ModSecurity relies on the free Google Safe Browsing database that can be obtained from the Google GSB API [http://code.google.com/apis/safebrowsing/].
@@ -1396,7 +1398,9 @@ Description: This directive creates a special rule that executes a Lua script to
'''Scope:''' Any
'''Version:''' 2.5.0
'''Version:''' 2.5.0-2.9.x
'''Supported on libModSecurity:''' TBI
; Note : All Lua scripts are compiled at configuration time and cached in memory. To reload scripts you must reload the entire ModSecurity configuration by restarting Apache.
@@ -1467,7 +1471,9 @@ end
'''Scope:''' Any
'''Version:''' 2.6.0
'''Version:''' 2.6.0-2.9.x
'''Supported on libModSecurity:''' TBI
This directive will overwrite the action list of the specified rule with the actions provided in the second parameter. It has two limitations: it cannot be used to change the ID or phase of a rule. Only the actions that can appear only once are overwritten. The actions that are allowed to appear multiple times in a list, will be appended to the end of the list.
<pre>
@@ -1491,7 +1497,9 @@ The addition of t:none will neutralize any previous transformation functions spe
'''Scope:''' Any
'''Version:''' 2.6
'''Version:''' 2.6-2.9.x
'''Supported on libModSecurity:''' TBI
This directive will append (or replace) variables to the current target list of the specified rule with the targets provided in the second parameter. Starting with 2.7.0 this feature supports id range.
@@ -1548,7 +1556,9 @@ SecRule REQUEST_URI|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bmail\b" \
'''Scope:''' Any
'''Version:''' 2.7
'''Version:''' 2.7-2.9.x
'''Supported on libModSecurity:''' TBI
This directive will append (or replace) variables to the current target list of the specified rule with the targets provided in the second parameter.
@@ -1594,7 +1604,9 @@ SecRule REQUEST_URI|ARGS_NAMES|ARGS|XML:/* "[\;\|\`]\W*?\bmail\b" \
'''Scope:''' Any
'''Version:''' 2.7
'''Version:''' 2.7-2.9.x
'''Supported on libModSecurity:''' TBI
This directive will append (or replace) variables to the current target list of the specified rule with the targets provided in the second parameter.
@@ -1704,7 +1716,9 @@ This feature enables the creation of the STREAM_INPUT_BODY variable and is usefu
'''Scope:''' Any
'''Version:''' 2.6.0
'''Version:''' 2.6.0-2.9.x
'''Supported on libModSecurity:''' TBD
'''Default:''' Off
@@ -1818,7 +1832,9 @@ Possible values are:
'''Scope:''' Any
'''Version:''' 2.0.0
'''Version:''' 2.0.0-2.9.x
'''Supported on libModSecurity:''' TBI
'''Default:''' default
@@ -2156,28 +2172,60 @@ Contains the extra request URI information, also known as path info. (For exampl
<code>SecRule PATH_INFO "^/(bin|etc|sbin|opt|usr)" "id:33"</code>
== PERF_COMBINED ==
Contains the time, in microseconds, spent in ModSecurity during the current transaction. The value in this variable is arrived to by adding all the performance variables except PERF_SREAD (the time spent reading from persistent storage is already included in the phase measurements). Available starting with 2.6.
Contains the time, in microseconds, spent in ModSecurity during the current transaction. The value in this variable is arrived to by adding all the performance variables except PERF_SREAD (the time spent reading from persistent storage is already included in the phase measurements).
'''Version:''' 2.6.0-2.9.x
'''Supported on libModSecurity:''' TBI
== PERF_GC ==
Contains the time, in microseconds, spent performing garbage collection. Available starting with 2.6.
Contains the time, in microseconds, spent performing garbage collection.
'''Version:''' 2.6.0-2.9.x
'''Supported on libModSecurity:''' TBI
== PERF_LOGGING ==
Contains the time, in microseconds, spent in audit logging. This value is known only after the handling of a transaction is finalized, which means that it can only be logged using mod_log_config and the %{VARNAME}M syntax. Available starting with 2.6.
Contains the time, in microseconds, spent in audit logging. This value is known only after the handling of a transaction is finalized, which means that it can only be logged using mod_log_config and the %{VARNAME}M syntax.
'''Version:''' 2.6.0-2.9.x
'''Supported on libModSecurity:''' TBI
== PERF_PHASE1 ==
Contains the time, in microseconds, spent processing phase 1. Available starting with 2.6.
Contains the time, in microseconds, spent processing phase 1.
'''Version:''' 2.6.0-2.9.x
'''Supported on libModSecurity:''' TBI
== PERF_PHASE2 ==
Contains the time, in microseconds, spent processing phase 2. Available starting with 2.6.
Contains the time, in microseconds, spent processing phase 2.
'''Version:''' 2.6.0-2.9.x
'''Supported on libModSecurity:''' TBI
== PERF_PHASE3 ==
Contains the time, in microseconds, spent processing phase 3. Available starting with 2.6.
Contains the time, in microseconds, spent processing phase 3.
'''Version:''' 2.6.0-2.9.x
'''Supported on libModSecurity:''' TBI
== PERF_PHASE4 ==
Contains the time, in microseconds, spent processing phase 4. Available starting with 2.6.
Contains the time, in microseconds, spent processing phase 4.
'''Version:''' 2.6.0-2.9.x
'''Supported on libModSecurity:''' TBI
== PERF_PHASE5 ==
Contains the time, in microseconds, spent processing phase 5. Available starting with 2.6.
Contains the time, in microseconds, spent processing phase 5.
'''Version:''' 2.6.0-2.9.x
'''Supported on libModSecurity:''' TBI
== PERF_RULES ==
PERF_RULES is a collection, that is populated with the rules hitting
@@ -2186,7 +2234,9 @@ contains the time, in microseconds, spent processing the individual
rule. The various items in the collection can be accessed via the
rule id.
Available starting with 2.7.
'''Version:''' 2.7.0-2.9.x
'''Supported on libModSecurity:''' TBI
<pre>
SecRulePerfTime 100
@@ -2211,14 +2261,19 @@ the rule id is being written to the logfile.
The final rule 95002 notes the time spent in rule 10001 (the virus
inspection).
== PERF_SREAD ==
Contains the time, in microseconds, spent reading from persistent storage. Available starting with 2.6.
Contains the time, in microseconds, spent reading from persistent storage.
'''Version:''' 2.6.0-2.9.x
'''Supported on libModSecurity:''' TBI
== PERF_SWRITE ==
Contains the time, in microseconds, spent writing to persistent storage. Available starting with 2.6.
Contains the time, in microseconds, spent writing to persistent storage.
'''Version:''' 2.6.0-2.9.x
'''Supported on libModSecurity:''' TBI
== QUERY_STRING ==
Contains the query string part of a request URI. The value in QUERY_STRING is always provided raw, without URL decoding taking place.
@@ -2393,33 +2448,53 @@ This is a special collection that provides access to the id, rev, severity, logd
== SCRIPT_BASENAME ==
This variable holds just the local filename part of SCRIPT_FILENAME.
'''Version:''' 2.x
'''Supported on libModSecurity:''' TBI
<code>SecRule SCRIPT_BASENAME "^login\.php$" "id:60"</code>
; Note : Not available in proxy mode.
== SCRIPT_FILENAME ==
This variable holds the full internal path to the script that will be used to serve the request.
This variable holds the full internal path to the script that will be used to serve the request.
'''Version:''' 2.x
'''Supported on libModSecurity:''' TBI
<code>SecRule SCRIPT_FILENAME "^/usr/local/apache/cgi-bin/login\.php$" "id:61"</code>
; Note : Not available in proxy mode.
== SCRIPT_GID ==
This variable holds the numerical identifier of the group owner of the script.
This variable holds the numerical identifier of the group owner of the script.
'''Version:''' 2.x
'''Supported on libModSecurity:''' TBI
<code>SecRule SCRIPT_GID "!^46$" "id:62"</code>
; Note : Not available in proxy mode.
== SCRIPT_GROUPNAME ==
This variable holds the name of the group owner of the script.
This variable holds the name of the group owner of the script.
'''Version:''' 2.x
'''Supported on libModSecurity:''' TBI
<code>SecRule SCRIPT_GROUPNAME "!^apache$" "id:63"</code>
; Note : Not available in proxy mode.
== SCRIPT_MODE ==
This variable holds the scripts permissions mode data (e.g., 644).
This variable holds the scripts permissions mode data (e.g., 644).
'''Version:''' 2.x
'''Supported on libModSecurity:''' TBI
<pre>
# Do not allow scripts that can be written to
@@ -2429,7 +2504,11 @@ SecRule SCRIPT_MODE "^(2|3|6|7)$" "id:64"
; Note : Not available in proxy mode.
== SCRIPT_UID ==
This variable holds the numerical identifier of the owner of the script.
This variable holds the numerical identifier of the owner of the script.
'''Version:''' 2.x
'''Supported on libModSecurity:''' TBI
<pre>
# Do not run any scripts that are owned
@@ -2440,7 +2519,11 @@ SecRule SCRIPT_UID "!^46$" "id:65"
; Note : Not available in proxy mode.
== SCRIPT_USERNAME ==
This variable holds the username of the owner of the script.
This variable holds the username of the owner of the script.
'''Version:''' 2.x
'''Supported on libModSecurity:''' TBI
<pre>
# Do not run any scripts owned by Apache SecRule
@@ -2505,6 +2588,11 @@ This variable give access to the raw request body content. This variable is bes
This variable give access to the raw response body content. This variable is best used for case:
#For data substitution - using @rsub against this variable allows you to manipulate live request body data. Example - to remove offending payloads or to substitute benign data.
'''Version:''' 2.6.0-2.9.x
'''Supported on libModSecurity:''' TBD
; Note : You must enable the SecStreamOutBodyInspection directive
== TIME ==
@@ -2587,10 +2675,23 @@ SecRule USERID "admin" "id:85"
== USERAGENT_IP ==
This variable is created when running modsecurity with apache2.4 and will contains the client ip address set by mod_remoteip in proxied connections.
'''Version:''' 2.x
'''Supported on libModSecurity:''' TBI
== WEBAPPID ==
This variable contains the current application name, which is set in configuration using SecWebAppId.
'''Version:''' 2.0.0-2.9.x
'''Supported on libModSecurity:''' TBI
== WEBSERVER_ERROR_LOG ==
'''Version:''' 2.x
'''Supported on libModSecurity:''' TBI
Contains zero or more error messages produced by the web server. This variable is best accessed from phase 5 (logging).
<code>SecRule WEBSERVER_ERROR_LOG "File does not exist" "phase:5,id:86,t:none,nolog,pass,setvar:TX.score=+5"</code>
@@ -3070,6 +3171,10 @@ This action is extremely useful when responding to both Brute Force and Denial o
'''Action Group:''' Non-disruptive
'''Version:''' 2.x
'''Supported on libModSecurity:''' TBI
'''Example:'''
<pre>
# Run external program on rule match
@@ -3439,6 +3544,10 @@ After initialization takes place, the variable USERID will be available for use
'''Action Group:''' Non-disruptive
'''Version:''' 2.x
'''Supported on libModSecurity:''' TBI
'''Example:'''
<pre>
SecAction "phase:1,pass,id:3,log,setrsc:'abcd1234'"
@@ -3468,6 +3577,10 @@ Setsid takes an individual variable, not a collection. Variables within an actio
'''Action Group:''' Non-disruptive
'''Version:''' 2.x
'''Supported on libModSecurity:''' TBI
'''Examples:'''
<pre>
SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))" "phase:3,t:none,pass,id:139,nolog,setvar:tx.sessionid=%{matched_var}"
@@ -3699,7 +3812,9 @@ SecRule REQUEST_LINE "!@endsWith HTTP/1.1" "id:152"
For further information on ssdeep, visit its site: http://ssdeep.sourceforge.net/
'''Version:''' v2.9.0-RC1+
'''Version:''' v2.9.0-RC1-2.9.x
'''Supported on libModSecurity:''' TBI
'''Example:'''
<pre>
@@ -3753,6 +3868,8 @@ See the GEO variable for an example and more information on various fields avail
'''Version:''' 2.6
'''Supported on libModSecurity:''' TBD
'''Example:'''
The gsbLookup operator matches on success and is thus best used in combination with a block or redirect action. If you wish to block on successful lookups, the following example demonstrates how best to do it:
<pre>
@@ -3855,6 +3972,9 @@ end
; Note: Use @inspectFile with caution. It may not be safe to use @inspectFile with variables other than FILES_TMPNAMES. Other variables such as "FULL_REQUEST" may contains content that force your platform to fork process out of your control, making possible to an attacker to execute code using the same permissions of your web server. For other variables you may want to look at the Lua script engine. This observation was brought to our attention by "Gryzli", on our users mailing list.
'''Version:''' 2.x
'''Supported on libModSecurity:''' TBI
'''Reference:''' http://blog.spiderlabs.com/2010/10/advanced-topic-of-the-week-preventing-malicious-pdf-file-uploads.html
@@ -4015,6 +4135,10 @@ setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},set
'''Syntax:''' <code>@rsub s/regex/str/[id]</code>
'''Version:''' 2.x
'''Supported on libModSecurity:''' TBI
'''Examples:'''
Removing HTML Comments from response bodies:
<pre>
@@ -4124,6 +4248,10 @@ SecRule XML "@validateDTD /path/to/xml.dtd" "phase:2,id:181,deny,msg:'Failed DTD
== validateHash ==
'''Description:''' Validates REQUEST_URI that contains data protected by the hash engine.
'''Version:''' 2.x
'''Supported on libModSecurity:''' TBI
'''Example:'''
<pre>
# Validates requested URI that matches a regular expression.
@@ -4193,6 +4321,10 @@ SecRule ARGS "@verifyCC \d{13,16}" "phase:2,id:194,nolog,pass,msg:'Potential cre
SecRule ARGS "@verifyCPF /^([0-9]{3}\.){2}[0-9]{3}-[0-9]{2}$/" "phase:2,id:195,nolog,pass,msg:'Potential CPF number',sanitiseMatched"
</pre>
'''Version:''' 2.6-2.9.x
'''Supported on libModSecurity:''' TBI
== verifySSN ==
'''Description:''' Detects US social security numbers (SSN) in input. This operator will first use the supplied regular expression to perform an initial match, following up with an SSN algorithm calculation to minimize false positives.
@@ -4203,7 +4335,9 @@ SecRule ARGS "@verifyCPF /^([0-9]{3}\.){2}[0-9]{3}-[0-9]{2}$/" "phase:2,id:195,n
SecRule ARGS "@verifySSN \d{3}-?\d{2}-?\d{4}" "phase:2,id:196,nolog,pass,msg:'Potential social security number',sanitiseMatched"
</pre>
'''Version:''' 2.6
'''Version:''' 2.6-2.9.x
'''Supported on libModSecurity:''' TBI
'''SSN Format''':