Mod Security Rules

From Gray.co.uk

Jump to: navigation, search

[edit] Notes on Mod_Security

ModSecurity splits processing into 5 processing phases:

  1. Request Headers
  2. Request Body
  3. Response Headers
  4. Response Body
  5. Logging

[edit] SecRule

This sets up a Rule. 

SecRule REQUEST_URI abc

this looks for abc in the URI of the request. The Patterns can be any PCRE

By enclosing the Variable to be checked in quotes you can do multiple checks SecRule "REQUEST_URI|QUERY_STRING" abc

  • Some variables expand at runtime: 
SecRule ARGS ddd
  • The above will expand into variables representing individual request parameters, but only if there are parameters present.
  • Only the content is examined.
  • Another variable is used for the names: 
SecRule ARGS_NAMES eee
  • There is a variable for every bit of transaction.
  • You can target individual parameters with the help of the selection operator: 
SecRule ARGS:p fff
  • Or you can target all parameters except the ones you specify: 
SecRule ARGS|!ARGS:q ggg
  • You can even use a regular expression to select the parameters (* does the opposite in beta-3): 
SecRule ARGS:/^z/ hhh
  • You can count how many variables there are in a collection (e.g. parameters, request headers, response headers, etc): 
SecRule &ARGS !^0$
  • The above triggers if there are any parameters supplied in the request.
  • You might have noticed the exclamation mark; it negates the regular expression.

[edit] VARIABLE NAMES

  • ARGS, ARGS_COMBINED_SIZE, ARGS_NAMES
  • REQBODY_PROCESSOR, REQBODY_PROCESSOR_ERROR, REQBODY_PROCESSOR_ERROR_MSG
  • XML
  • WEBSERVER_ERROR_LOG
  • FILES, FILES_TMPNAMES, FILES_NAMES, FILE_SIZES, FILES_COMBINED_SIZE
  • TX
  • ENV
  • REMOTE_HOST, REMOTE_ADDR, REMOTE_PORT, REMOTE_USER
  • PATH_INFO, QUERY_STRING
  • AUTH_TYPE
  • SERVER_NAME, SERVER_PORT, SERVER_ADDR
  • REQUEST_LINE, REQUEST_URI, REQUEST_METHOD, REQUEST_PROTOCOL
  • REQUEST_FILENAME, REQUEST_BASENAME
  • SCRIPT_FILENAME, SCRIPT_BASENAME
  • TIME, TIME_EPOCH
  • TIME_YEAR, TIME_MON, TIME_DAY, TIME_HOUR, TIME_MIN, TIME_SEC, TIME_WDAY
  • SCRIPT_UID, SCRIPT_GID
  • SCRIPT_USERNAME, SCRIPT_GROUPNAME
  • SCRIPT_MODE
  • REQUEST_HEADERS, REQUEST_HEADERS_NAMES
  • REQUEST_COOKIES, REQUEST_COOKIES_NAMES
  • REQUEST_BODY
  • RESPONSE_LINE, RESPONSE_STATUS
  • RESPONSE_PROTOCOL
  • RESPONSE_HEADERS, RESPONSE_HEADERS_NAMES
  • RESPONSE_BODY
  • WEBAPPID, SESSIONID
Retrieved from "http://wiki.gray.me.uk/index.php/Mod_Security_Rules"
Personal tools
Motorhome Build