Changes - j0ke.net Open Build Service

Changes of Revision 25

[-] [+]	Changed	mod_security-ix.changes
@@ -1,4 +1,9 @@ ------------------------------------------------------------------- +Sun Jul 29 16:02:36 UTC 2012 - cs@linux-administrator.com + +- Update to release 2.6.7 + +------------------------------------------------------------------- Wed Jul 18 07:08:48 UTC 2012 - cs@linux-administrator.com - disable rule 340152
[-] [+]	Changed	mod_security-ix.spec ^
@@ -1,6 +1,6 @@ Summary: Security module for the Apache HTTP Server Name: mod_security -Version: 2.6.6 +Version: 2.6.7 Release: 25 License: GPLv2 URL: http://www.modsecurity.org/
[-] [+]	Changed	modsecurity-apache_2.6.7.tar.bz2/CHANGES ^
@@ -1,3 +1,15 @@ +23 Jul 2012 - 2.6.7 +------------------- + + * Fixed PCRE mismtach version warning message (Thanks Victor Julien). + + * Fixed explicit target replacement using SecUpdateTargetById was broken. + + * The ctl:ruleUpdateTargetById is deprecated and will be removed for future versions since + there is no safe way to use it per-request. + + * Added ctl:ruleRemoveTargetById that can be used to exclude targets to be processed per-request. + 08 Jun 2012 - 2.6.6 -------------------
[-] [+]	Changed	modsecurity-apache_2.6.7.tar.bz2/apache2/mod_security2.c ^
@@ -84,7 +84,7 @@ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, "ModSecurity: Loaded APR do not match with compiled!"); } - pcre_vrs = apr_psprintf(mp,"%d.%d", PCRE_MAJOR, PCRE_MINOR); + pcre_vrs = apr_psprintf(mp,"%d.%02d", PCRE_MAJOR, PCRE_MINOR); ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, "ModSecurity: PCRE compiled version=\"%s\"; "
[-] [+]	Changed	modsecurity-apache_2.6.7.tar.bz2/apache2/modsecurity.c ^
@@ -368,6 +368,8 @@ if (msr->response_headers_to_sanitize == NULL) return -1; msr->pattern_to_sanitize = apr_table_make(msr->mp, 32); if (msr->pattern_to_sanitize == NULL) return -1; + msr->removed_targets = apr_table_make(msr->mp, 16); + if (msr->removed_targets == NULL) return -1; /* Initialise cookies */ msr->request_cookies = apr_table_make(msr->mp, 16);
[-] [+]	Changed	modsecurity-apache_2.6.7.tar.bz2/apache2/modsecurity.h ^
@@ -280,6 +280,7 @@ apr_table_t response_headers_to_sanitize; apr_table_t request_cookies; apr_table_t pattern_to_sanitize; + apr_table_t removed_targets; unsigned int urlencoded_error; unsigned int inbound_error;
[-] [+]	Changed	modsecurity-apache_2.6.7.tar.bz2/apache2/msc_release.h ^
@@ -38,7 +38,7 @@ #define MODSEC_VERSION_MAJOR "2" #define MODSEC_VERSION_MINOR "6" -#define MODSEC_VERSION_MAINT "6" +#define MODSEC_VERSION_MAINT "7" #define MODSEC_VERSION_TYPE "" #define MODSEC_VERSION_RELEASE ""
[-] [+]	Changed	modsecurity-apache_2.6.7.tar.bz2/apache2/re.c ^
@@ -32,6 +32,7 @@ NULL, }; +static int fetch_target_exception(msre_rule rule, modsec_rec msr, msre_var var); static apr_status_t msre_parse_targets(msre_ruleset ruleset, const char text, apr_array_header_t arr, char *error_msg); static char msre_generate_target_string(apr_pool_t pool, msre_rule rule); @@ -43,6 +44,116 @@ /* -- Actions, variables, functions and operator functions ----------------- / +static int fetch_target_exception(msre_rule rule, modsec_rec msr, msre_var var) { + const char targets = NULL, exceptions = NULL; + char savedptr = NULL, target = NULL, value = NULL; + char c = NULL, name = NULL, id = NULL; + char variable = NULL, myvar = NULL; + char myvalue = NULL, myname = NULL; + const apr_array_header_t tarr = NULL; + const apr_table_entry_t telts = NULL; + int i, match; + + if(msr == NULL) + return 0; + + if(var == NULL) + return 0; + + if(rule == NULL) + return 0; + + if(rule->actionset == NULL) + return 0; + + if(rule->actionset->id !=NULL) { + + myvar = apr_pstrdup(msr->mp, var->name); + + c = strchr(myvar,':'); + + if(c != NULL) { + myname = apr_strtok(myvar,":",&myvalue); + } else { + myname = myvar; + } + + tarr = apr_table_elts(msr->removed_targets); + telts = (const apr_table_entry_t)tarr->elts; + + match = 0; + for (i = 0; i < tarr->nelts; i++) { + id = (char )telts[i].key; + + if(strcasecmp(id, rule->actionset->id) == 0) { + exceptions = (char )telts[i].val; + + targets = apr_pstrdup(msr->mp, exceptions); + + if(targets != NULL) { + if (msr->txcfg->debuglog_level >= 9) { + msr_log(msr, 9, "fetch_target_exception: Found exception target list [%s] for rule id %s", targets, rule->actionset->id); + } + + target = apr_strtok((char )targets, ",", &savedptr); + + while(target != NULL) { + + variable = apr_pstrdup(msr->mp, target); + + c = strchr(variable,':'); + + if(c != NULL) { + name = apr_strtok(variable,":",&value); + } else { + name = variable; + } + + if((strlen(myname) == strlen(name)) && + (strncasecmp(myname, name,strlen(myname)) == 0)) { + + if(value != NULL && myvalue != NULL) { + if((strlen(myvalue) == strlen(value)) && + strncasecmp(myvalue,value,strlen(myvalue)) == 0) { + if (msr->txcfg->debuglog_level >= 9) { + msr_log(msr, 9, "fetch_target_exception: Target %s will not be processed.", target); + } + match = 1; + } + } else if (value == NULL && myvalue == NULL) { + if (msr->txcfg->debuglog_level >= 9) { + msr_log(msr, 9, "fetch_target_exception: Target %s will not be processed.", target); + } + match = 1; + } else if (value == NULL && myvalue != NULL) { + if (msr->txcfg->debuglog_level >= 9) { + msr_log(msr, 9, "fetch_target_exception: Target %s will not be processed.", target); + } + match = 1; + } + } + + target = apr_strtok(NULL, ",", &savedptr); + } + } else { + if (msr->txcfg->debuglog_level >= 9) { + msr_log(msr, 9, "fetch_target_exception: No exception target found for rule id %s.", rule->actionset->id); + + } + } + + } + + } + + } + + if(match) + return 1; + + return 0; +} + char update_rule_target(cmd_parms cmd, directory_config dcfg, msre_ruleset rset, const char p1, const char p2, const char p3) { @@ -57,7 +168,7 @@ int name_len = 0, value_len = 0; char name = NULL, value = NULL; char opt = NULL, param = NULL; - int i, rc, match = 0; + int i, rc, match = 0, var_appended = 0; int offset = 0; if(p1 == NULL \|\| p2 == NULL \|\| (dcfg == NULL && rset == NULL)) { @@ -125,21 +236,25 @@ targets = (msre_var *)rule->targets->elts; // TODO need a good way to remove the element from array, maybe change array by tables or rings for (i = 0; i < rule->targets->nelts; i++) { - if((strlen(targets[i]->name) == strlen(name)) && + if((strlen(targets[i]->name) == strlen(name)) && (strncasecmp(targets[i]->name,name,strlen(targets[i]->name)) == 0) && (targets[i]->is_negated == is_negated) && (targets[i]->is_counting == is_counting)) { if(value != NULL && targets[i]->param != NULL) { if((strlen(targets[i]->param) == strlen(value)) && - strncasecmp(targets[i]->param,value,strlen(targets[i]->param)) == 0) { + strncasecmp(targets[i]->param,value,strlen(targets[i]->param)) == 0) { memset(targets[i]->name,0,strlen(targets[i]->name)); memset(targets[i]->param,0,strlen(targets[i]->param)); match = 1; + targets[i]->is_counting = 0; + targets[i]->is_negated = 1; } } else if (value == NULL && targets[i]->param == NULL){ memset(targets[i]->name,0,strlen(targets[i]->name)); match = 1; + targets[i]->is_counting = 0; + targets[i]->is_negated = 1; } else continue; @@ -157,6 +272,7 @@ if (rc < 0) { goto end; } + var_appended = 1; } else { goto end; } @@ -209,7 +325,7 @@ if(value != NULL && targets[i]->param != NULL) { if((strlen(targets[i]->param) == strlen(value)) && - strncasecmp(targets[i]->param,value,strlen(targets[i]->param)) == 0) { + strncasecmp(targets[i]->param,value,strlen(targets[i]->param)) == 0) { match = 1; } } else if (value == NULL && targets[i]->param == NULL){ @@ -225,21 +341,22 @@ target = NULL; } - if(match == 0 ) { rc = msre_parse_targets(ruleset, p, rule->targets, &my_error_msg); if (rc < 0) { goto end; } + var_appended = 1; } } p = apr_strtok(NULL,",",&savedptr); } - if(match == 0) { + if(var_appended == 1) { curr_targets = msre_generate_target_string(ruleset->mp, rule); rule->unparsed = msre_rule_generate_unparsed(ruleset->mp, rule, curr_targets, NULL, NULL); + rule->p1 = apr_pstrdup(ruleset->mp, curr_targets); } end: @@ -2155,10 +2272,24 @@ full_varname = var->name; } + rc = fetch_target_exception(rule, msr, var); + + if(rc > 0) { + + if (msr->txcfg->debuglog_level >= 4) { + msr_log(msr, 4, "Executing operator \"%s%s\" with param \"%s\" against %s skipped.", + (rule->op_negated ? "!" : ""), rule->op_name, + log_escape(msr->mp, rule->op_param), full_varname); + } + + return RULE_NO_MATCH; + + } + if (msr->txcfg->debuglog_level >= 4) { msr_log(msr, 4, "Executing operator \"%s%s\" with param \"%s\" against %s.", - (rule->op_negated ? "!" : ""), rule->op_name, - log_escape(msr->mp, rule->op_param), full_varname); + (rule->op_negated ? "!" : ""), rule->op_name, + log_escape(msr->mp, rule->op_param), full_varname); } if (msr->txcfg->debuglog_level >= 9) {
[-] [+]	Changed	modsecurity-apache_2.6.7.tar.bz2/apache2/re_actions.c ^
@@ -819,6 +819,17 @@ return NULL; } else + if (strcasecmp(name, "ruleRemoveTargetById") == 0) { + char parm = NULL; + char savedptr = NULL; + + parm = apr_strtok(value,";",&savedptr); + + if(parm == NULL && savedptr == NULL) + return apr_psprintf(engine->mp, "ruleRemoveTargetById must has at least id;target1,targets2...targetN"); + + return NULL; + } else if (strcasecmp(name, "ruleUpdateTargetById") == 0) { char parm = NULL; char savedptr = NULL; @@ -1046,6 +1057,23 @@ return 1; } else + if (strcasecmp(name, "ruleRemoveTargetById") == 0) { + msre_rule updated_rule = NULL; + char p1 = NULL, p2 = NULL; + char savedptr = NULL; + + p1 = apr_strtok(value,";",&savedptr); + + p2 = apr_strtok(NULL,";",&savedptr); + + if (msr->txcfg->debuglog_level >= 4) { + msr_log(msr, 4, "Ctl: ruleRemoveTargetById id=%s targets=%s", p1, p2); + } + + apr_table_addn(msr->removed_targets, p1, (const char )apr_pstrdup(msr->mp, p2)); + + return 1; + } else if (strcasecmp(name, "ruleUpdateTargetById") == 0) { char p1 = NULL, p2 = NULL, p3 = NULL; char *savedptr = NULL;
[-] [+]	Changed	modsecurity-apache_2.6.7.tar.bz2/doc/Reference_Manual.html ^
@@ -9,26 +9,30 @@ <meta name="generator" content="MediaWiki 1.15.1"> <meta name="robots" content="noindex,follow"> <meta name="keywords" content="Reference Manual"> - <link rel="shortcut icon" href="http://sourceforge.net/favicon.ico"> + <link rel="alternate" type="application/x-wiki" title="Edit" +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual&action=edit"> + <link rel="edit" title="Edit" +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual&action=edit"> + <link rel="shortcut icon" href="https://sourceforge.net/favicon.ico"> <link rel="search" type="application/opensearchdescription+xml" -href="http://sourceforge.net/apps/mediawiki/mod-security/opensearch_desc.php" +href="https://sourceforge.net/apps/mediawiki/mod-security/opensearch_desc.php" title="mod-security (en)"> <link rel="alternate" type="application/rss+xml" title="mod-security RSS Feed" -href="http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Special:RecentChanges&feed=rss"> +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Special:RecentChanges&feed=rss"> <link rel="alternate" type="application/atom+xml" title="mod-security Atom Feed" -href="http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Special:RecentChanges&feed=atom"> +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Special:RecentChanges&feed=atom"> <title>SourceForge.net: Reference Manual - mod-security</title> <link rel="stylesheet" href="Reference_Manual_files/commonPrint.css" type="text/css"> - <link rel="stylesheet" href="Reference_Manual_files/index_003.css" + <link rel="stylesheet" href="Reference_Manual_files/index_002.css" type="text/css"> <link rel="stylesheet" href="Reference_Manual_files/index.css" type="text/css"> <link rel="stylesheet" href="Reference_Manual_files/index_004.css" type="text/css"> - <link rel="stylesheet" href="Reference_Manual_files/index_002.css" + <link rel="stylesheet" href="Reference_Manual_files/index_003.css" type="text/css"> <!--[if lt IE 7]><script type="text/javascript" src="/apps/mediawiki/mod-security/skins/common/IEFixes.js?207"></script> <meta http-equiv="imagetoolbar" content="no" /><![endif]--> @@ -41,7 +45,7 @@ var wgScript = "/apps/mediawiki/mod-security/index.php"; var wgVariantArticlePath = false; var wgActionPaths = {}; - var wgServer = "http://sourceforge.net"; + var wgServer = "https://sourceforge.net"; var wgCanonicalNamespace = ""; var wgCanonicalSpecialPageName = false; var wgNamespaceNumber = 0; @@ -50,12 +54,12 @@ var wgAction = "view"; var wgArticleId = "12"; var wgIsArticle = true; - var wgUserName = null; - var wgUserGroups = null; + var wgUserName = "Brenosilva"; + var wgUserGroups = ["admin", "editor", "", "user", "autoconfirmed"]; var wgUserLanguage = "en"; var wgContentLanguage = "en"; var wgBreakFrames = false; - var wgCurRevisionId = 444; + var wgCurRevisionId = 507; var wgVersion = "1.15.1"; var wgEnableAPI = true; var wgEnableWriteAPI = true; @@ -63,11 +67,13 @@ var wgDigitTransformTable = ["", ""]; var wgRestrictionEdit = []; var wgRestrictionMove = []; + var wgAjaxWatch = {"watchMsg": "Watch", "unwatchMsg": "Unwatch", "watchingMsg": "Watching…", "unwatchingMsg": "Unwatching…"}; /]]>/</script> <script type="text/javascript" src="Reference_Manual_files/wikibits.js"><!-- wikibits js --></script> <!-- Head Scripts --> <script type="text/javascript" src="Reference_Manual_files/ajax.js"></script> + <script type="text/javascript" src="Reference_Manual_files/ajaxwatch.js"></script> <script type="text/javascript" src="Reference_Manual_files/index.php"><!-- site js --></script> @@ -94,9 +100,9 @@ class="tocnumber">1</span> <span class="toctext">ModSecurity® Reference Manual</span></a> <ul> -<li class="toclevel-2"><a href="#Current_as_of_v2.5.13_and_v2.6"><span -class="tocnumber">1.1</span> <span class="toctext">Current as of v2.5.13 - and v2.6</span></a> +<li class="toclevel-2"><a href="#Current_as_of_v2.5.13_v2.6_and_v2.7"><span + class="tocnumber">1.1</span> <span class="toctext">Current as of +v2.5.13 v2.6 and v2.7</span></a> <ul> <li class="toclevel-3"><a href="#Copyright_.C2.A9_2004-2011_Trustwave_Holdings.2C_Inc."><span @@ -244,98 +250,116 @@ class="tocnumber">6.20</span> <span class="toctext">SecDefaultAction</span></a></li> <li class="toclevel-2"><a href="#SecDisableBackendCompression"><span class="tocnumber">6.21</span> <span class="toctext">SecDisableBackendCompression</span></a></li> -<li class="toclevel-2"><a href="#SecGeoLookupDb"><span class="tocnumber">6.22</span> +<li class="toclevel-2"><a href="#SecEncryptionEngine"><span +class="tocnumber">6.22</span> <span class="toctext">SecEncryptionEngine</span></a></li> +<li class="toclevel-2"><a href="#SecEncryptionKey"><span +class="tocnumber">6.23</span> <span class="toctext">SecEncryptionKey</span></a></li> +<li class="toclevel-2"><a href="#SecEncryptionParam"><span +class="tocnumber">6.24</span> <span class="toctext">SecEncryptionParam</span></a></li> +<li class="toclevel-2"><a href="#SecEncryptionMethodRx"><span +class="tocnumber">6.25</span> <span class="toctext">SecEncryptionMethodRx</span></a></li> +<li class="toclevel-2"><a href="#SecEncryptionMethodPm"><span +class="tocnumber">6.26</span> <span class="toctext">SecEncryptionMethodPm</span></a></li> +<li class="toclevel-2"><a href="#SecGeoLookupDb"><span class="tocnumber">6.27</span> <span class="toctext">SecGeoLookupDb</span></a></li> -<li class="toclevel-2"><a href="#SecGsbLookupDb"><span class="tocnumber">6.23</span> +<li class="toclevel-2"><a href="#SecGsbLookupDb"><span class="tocnumber">6.28</span> <span class="toctext">SecGsbLookupDb</span></a></li> -<li class="toclevel-2"><a href="#SecGuardianLog"><span class="tocnumber">6.24</span> +<li class="toclevel-2"><a href="#SecGuardianLog"><span class="tocnumber">6.29</span> <span class="toctext">SecGuardianLog</span></a></li> -<li class="toclevel-2"><a href="#SecHttpBlKey"><span class="tocnumber">6.25</span> +<li class="toclevel-2"><a href="#SecHttpBlKey"><span class="tocnumber">6.30</span> <span class="toctext">SecHttpBlKey</span></a></li> <li class="toclevel-2"><a href="#SecInterceptOnError"><span -class="tocnumber">6.26</span> <span class="toctext">SecInterceptOnError</span></a></li> -<li class="toclevel-2"><a href="#SecMarker"><span class="tocnumber">6.27</span> +class="tocnumber">6.31</span> <span class="toctext">SecInterceptOnError</span></a></li> +<li class="toclevel-2"><a href="#SecMarker"><span class="tocnumber">6.32</span> <span class="toctext">SecMarker</span></a></li> <li class="toclevel-2"><a href="#SecPcreMatchLimit"><span -class="tocnumber">6.28</span> <span class="toctext">SecPcreMatchLimit</span></a></li> +class="tocnumber">6.33</span> <span class="toctext">SecPcreMatchLimit</span></a></li> <li class="toclevel-2"><a href="#SecPcreMatchLimitRecursion"><span -class="tocnumber">6.29</span> <span class="toctext">SecPcreMatchLimitRecursion</span></a></li> -<li class="toclevel-2"><a href="#SecPdfProtect"><span class="tocnumber">6.30</span> +class="tocnumber">6.34</span> <span class="toctext">SecPcreMatchLimitRecursion</span></a></li> +<li class="toclevel-2"><a href="#SecPdfProtect"><span class="tocnumber">6.35</span> <span class="toctext">SecPdfProtect</span></a></li> <li class="toclevel-2"><a href="#SecPdfProtectMethod"><span -class="tocnumber">6.31</span> <span class="toctext">SecPdfProtectMethod</span></a></li> +class="tocnumber">6.36</span> <span class="toctext">SecPdfProtectMethod</span></a></li> <li class="toclevel-2"><a href="#SecPdfProtectSecret"><span -class="tocnumber">6.32</span> <span class="toctext">SecPdfProtectSecret</span></a></li> +class="tocnumber">6.37</span> <span class="toctext">SecPdfProtectSecret</span></a></li> <li class="toclevel-2"><a href="#SecPdfProtectTimeout"><span -class="tocnumber">6.33</span> <span class="toctext">SecPdfProtectTimeout</span></a></li> +class="tocnumber">6.38</span> <span class="toctext">SecPdfProtectTimeout</span></a></li> <li class="toclevel-2"><a href="#SecPdfProtectTokenName"><span -class="tocnumber">6.34</span> <span class="toctext">SecPdfProtectTokenName</span></a></li> +class="tocnumber">6.39</span> <span class="toctext">SecPdfProtectTokenName</span></a></li> <li class="toclevel-2"><a href="#SecReadStateLimit"><span -class="tocnumber">6.35</span> <span class="toctext">SecReadStateLimit</span></a></li> +class="tocnumber">6.40</span> <span class="toctext">SecReadStateLimit</span></a></li> +<li class="toclevel-2"><a href="#SecSensorId"><span class="tocnumber">6.41</span> + <span class="toctext">SecSensorId</span></a></li> <li class="toclevel-2"><a href="#SecWriteStateLimit"><span -class="tocnumber">6.36</span> <span class="toctext">SecWriteStateLimit</span></a></li> +class="tocnumber">6.42</span> <span class="toctext">SecWriteStateLimit</span></a></li> <li class="toclevel-2"><a href="#SecRequestBodyAccess"><span -class="tocnumber">6.37</span> <span class="toctext">SecRequestBodyAccess</span></a></li> +class="tocnumber">6.43</span> <span class="toctext">SecRequestBodyAccess</span></a></li> <li class="toclevel-2"><a href="#SecRequestBodyInMemoryLimit"><span -class="tocnumber">6.38</span> <span class="toctext">SecRequestBodyInMemoryLimit</span></a></li> +class="tocnumber">6.44</span> <span class="toctext">SecRequestBodyInMemoryLimit</span></a></li> <li class="toclevel-2"><a href="#SecRequestBodyLimit"><span -class="tocnumber">6.39</span> <span class="toctext">SecRequestBodyLimit</span></a></li> +class="tocnumber">6.45</span> <span class="toctext">SecRequestBodyLimit</span></a></li> <li class="toclevel-2"><a href="#SecRequestBodyNoFilesLimit"><span -class="tocnumber">6.40</span> <span class="toctext">SecRequestBodyNoFilesLimit</span></a></li> +class="tocnumber">6.46</span> <span class="toctext">SecRequestBodyNoFilesLimit</span></a></li> <li class="toclevel-2"><a href="#SecRequestBodyLimitAction"><span -class="tocnumber">6.41</span> <span class="toctext">SecRequestBodyLimitAction</span></a></li> +class="tocnumber">6.47</span> <span class="toctext">SecRequestBodyLimitAction</span></a></li> <li class="toclevel-2"><a href="#SecResponseBodyLimit"><span -class="tocnumber">6.42</span> <span class="toctext">SecResponseBodyLimit</span></a></li> +class="tocnumber">6.48</span> <span class="toctext">SecResponseBodyLimit</span></a></li> <li class="toclevel-2"><a href="#SecResponseBodyLimitAction"><span -class="tocnumber">6.43</span> <span class="toctext">SecResponseBodyLimitAction</span></a></li> +class="tocnumber">6.49</span> <span class="toctext">SecResponseBodyLimitAction</span></a></li> <li class="toclevel-2"><a href="#SecResponseBodyMimeType"><span -class="tocnumber">6.44</span> <span class="toctext">SecResponseBodyMimeType</span></a></li> +class="tocnumber">6.50</span> <span class="toctext">SecResponseBodyMimeType</span></a></li> <li class="toclevel-2"><a href="#SecResponseBodyMimeTypesClear"><span -class="tocnumber">6.45</span> <span class="toctext">SecResponseBodyMimeTypesClear</span></a></li> +class="tocnumber">6.51</span> <span class="toctext">SecResponseBodyMimeTypesClear</span></a></li> <li class="toclevel-2"><a href="#SecResponseBodyAccess"><span -class="tocnumber">6.46</span> <span class="toctext">SecResponseBodyAccess</span></a></li> -<li class="toclevel-2"><a href="#SecRule"><span class="tocnumber">6.47</span> +class="tocnumber">6.52</span> <span class="toctext">SecResponseBodyAccess</span></a></li> +<li class="toclevel-2"><a href="#SecRule"><span class="tocnumber">6.53</span> <span class="toctext">SecRule</span></a></li> <li class="toclevel-2"><a href="#SecRuleInheritance"><span -class="tocnumber">6.48</span> <span class="toctext">SecRuleInheritance</span></a></li> -<li class="toclevel-2"><a href="#SecRuleEngine"><span class="tocnumber">6.49</span> +class="tocnumber">6.54</span> <span class="toctext">SecRuleInheritance</span></a></li> +<li class="toclevel-2"><a href="#SecRuleEngine"><span class="tocnumber">6.55</span> <span class="toctext">SecRuleEngine</span></a></li> +<li class="toclevel-2"><a href="#SecRulePerfTime"><span +class="tocnumber">6.56</span> <span class="toctext">SecRulePerfTime</span></a></li> <li class="toclevel-2"><a href="#SecRuleRemoveById"><span -class="tocnumber">6.50</span> <span class="toctext">SecRuleRemoveById</span></a></li> +class="tocnumber">6.57</span> <span class="toctext">SecRuleRemoveById</span></a></li> <li class="toclevel-2"><a href="#SecRuleRemoveByMsg"><span -class="tocnumber">6.51</span> <span class="toctext">SecRuleRemoveByMsg</span></a></li> +class="tocnumber">6.58</span> <span class="toctext">SecRuleRemoveByMsg</span></a></li> <li class="toclevel-2"><a href="#SecRuleRemoveByTag"><span -class="tocnumber">6.52</span> <span class="toctext">SecRuleRemoveByTag</span></a></li> -<li class="toclevel-2"><a href="#SecRuleScript"><span class="tocnumber">6.53</span> +class="tocnumber">6.59</span> <span class="toctext">SecRuleRemoveByTag</span></a></li> +<li class="toclevel-2"><a href="#SecRuleScript"><span class="tocnumber">6.60</span> <span class="toctext">SecRuleScript</span></a></li> <li class="toclevel-2"><a href="#SecRuleUpdateActionById"><span -class="tocnumber">6.54</span> <span class="toctext">SecRuleUpdateActionById</span></a></li> +class="tocnumber">6.61</span> <span class="toctext">SecRuleUpdateActionById</span></a></li> <li class="toclevel-2"><a href="#SecRuleUpdateTargetById"><span -class="tocnumber">6.55</span> <span class="toctext">SecRuleUpdateTargetById</span></a></li> +class="tocnumber">6.62</span> <span class="toctext">SecRuleUpdateTargetById</span></a></li> +<li class="toclevel-2"><a href="#SecRuleUpdateTargetByMsg"><span +class="tocnumber">6.63</span> <span class="toctext">SecRuleUpdateTargetByMsg</span></a></li> +<li class="toclevel-2"><a href="#SecRuleUpdateTargetByTag"><span +class="tocnumber">6.64</span> <span class="toctext">SecRuleUpdateTargetByTag</span></a></li> <li class="toclevel-2"><a href="#SecServerSignature"><span -class="tocnumber">6.56</span> <span class="toctext">SecServerSignature</span></a></li> +class="tocnumber">6.65</span> <span class="toctext">SecServerSignature</span></a></li> <li class="toclevel-2"><a href="#SecStreamInBodyInspection"><span -class="tocnumber">6.57</span> <span class="toctext">SecStreamInBodyInspection</span></a></li> +class="tocnumber">6.66</span> <span class="toctext">SecStreamInBodyInspection</span></a></li> <li class="toclevel-2"><a href="#SecStreamOutBodyInspection"><span -class="tocnumber">6.58</span> <span class="toctext">SecStreamOutBodyInspection</span></a></li> -<li class="toclevel-2"><a href="#SecTmpDir"><span class="tocnumber">6.59</span> +class="tocnumber">6.67</span> <span class="toctext">SecStreamOutBodyInspection</span></a></li> +<li class="toclevel-2"><a href="#SecTmpDir"><span class="tocnumber">6.68</span> <span class="toctext">SecTmpDir</span></a></li> <li class="toclevel-2"><a href="#SecUnicodeMapFile"><span -class="tocnumber">6.60</span> <span class="toctext">SecUnicodeMapFile</span></a></li> +class="tocnumber">6.69</span> <span class="toctext">SecUnicodeMapFile</span></a></li> <li class="toclevel-2"><a href="#SecUnicodeCodePage"><span -class="tocnumber">6.61</span> <span class="toctext">SecUnicodeCodePage</span></a></li> -<li class="toclevel-2"><a href="#SecUploadDir"><span class="tocnumber">6.62</span> +class="tocnumber">6.70</span> <span class="toctext">SecUnicodeCodePage</span></a></li> +<li class="toclevel-2"><a href="#SecUploadDir"><span class="tocnumber">6.71</span> <span class="toctext">SecUploadDir</span></a></li> <li class="toclevel-2"><a href="#SecUploadFileLimit"><span -class="tocnumber">6.63</span> <span class="toctext">SecUploadFileLimit</span></a></li> +class="tocnumber">6.72</span> <span class="toctext">SecUploadFileLimit</span></a></li> <li class="toclevel-2"><a href="#SecUploadFileMode"><span -class="tocnumber">6.64</span> <span class="toctext">SecUploadFileMode</span></a></li> +class="tocnumber">6.73</span> <span class="toctext">SecUploadFileMode</span></a></li> <li class="toclevel-2"><a href="#SecUploadKeepFiles"><span -class="tocnumber">6.65</span> <span class="toctext">SecUploadKeepFiles</span></a></li> -<li class="toclevel-2"><a href="#SecWebAppId"><span class="tocnumber">6.66</span> +class="tocnumber">6.74</span> <span class="toctext">SecUploadKeepFiles</span></a></li> +<li class="toclevel-2"><a href="#SecWebAppId"><span class="tocnumber">6.75</span> <span class="toctext">SecWebAppId</span></a></li> <li class="toclevel-2"><a href="#SecCollectionTimeout"><span -class="tocnumber">6.67</span> <span class="toctext">SecCollectionTimeout</span></a></li> +class="tocnumber">6.76</span> <span class="toctext">SecCollectionTimeout</span></a></li> </ul> </li> <li class="toclevel-1"><a href="#Processing_Phases"><span @@ -427,127 +451,131 @@ <span class="toctext">PERF_PHASE4</span></a></li> <li class="toclevel-2"><a href="#PERF_PHASE5"><span class="tocnumber">8.35</span> <span class="toctext">PERF_PHASE5</span></a></li> -<li class="toclevel-2"><a href="#PERF_SREAD"><span class="tocnumber">8.36</span> +<li class="toclevel-2"><a href="#PERF_RULES"><span class="tocnumber">8.36</span> + <span class="toctext">PERF_RULES</span></a></li> +<li class="toclevel-2"><a href="#PERF_SREAD"><span class="tocnumber">8.37</span> <span class="toctext">PERF_SREAD</span></a></li> -<li class="toclevel-2"><a href="#PERF_SWRITE"><span class="tocnumber">8.37</span> +<li class="toclevel-2"><a href="#PERF_SWRITE"><span class="tocnumber">8.38</span> <span class="toctext">PERF_SWRITE</span></a></li> -<li class="toclevel-2"><a href="#QUERY_STRING"><span class="tocnumber">8.38</span> +<li class="toclevel-2"><a href="#QUERY_STRING"><span class="tocnumber">8.39</span> <span class="toctext">QUERY_STRING</span></a></li> -<li class="toclevel-2"><a href="#REMOTE_ADDR"><span class="tocnumber">8.39</span> +<li class="toclevel-2"><a href="#REMOTE_ADDR"><span class="tocnumber">8.40</span> <span class="toctext">REMOTE_ADDR</span></a></li> -<li class="toclevel-2"><a href="#REMOTE_HOST"><span class="tocnumber">8.40</span> +<li class="toclevel-2"><a href="#REMOTE_HOST"><span class="tocnumber">8.41</span> <span class="toctext">REMOTE_HOST</span></a></li> -<li class="toclevel-2"><a href="#REMOTE_PORT"><span class="tocnumber">8.41</span> +<li class="toclevel-2"><a href="#REMOTE_PORT"><span class="tocnumber">8.42</span> <span class="toctext">REMOTE_PORT</span></a></li> -<li class="toclevel-2"><a href="#REMOTE_USER"><span class="tocnumber">8.42</span> +<li class="toclevel-2"><a href="#REMOTE_USER"><span class="tocnumber">8.43</span> <span class="toctext">REMOTE_USER</span></a></li> -<li class="toclevel-2"><a href="#REQBODY_ERROR"><span class="tocnumber">8.43</span> +<li class="toclevel-2"><a href="#REQBODY_ERROR"><span class="tocnumber">8.44</span> <span class="toctext">REQBODY_ERROR</span></a></li> <li class="toclevel-2"><a href="#REQBODY_ERROR_MSG"><span -class="tocnumber">8.44</span> <span class="toctext">REQBODY_ERROR_MSG</span></a></li> +class="tocnumber">8.45</span> <span class="toctext">REQBODY_ERROR_MSG</span></a></li> <li class="toclevel-2"><a href="#REQBODY_PROCESSOR"><span -class="tocnumber">8.45</span> <span class="toctext">REQBODY_PROCESSOR</span></a></li> +class="tocnumber">8.46</span> <span class="toctext">REQBODY_PROCESSOR</span></a></li> <li class="toclevel-2"><a href="#REQUEST_BASENAME"><span -class="tocnumber">8.46</span> <span class="toctext">REQUEST_BASENAME</span></a></li> -<li class="toclevel-2"><a href="#REQUEST_BODY"><span class="tocnumber">8.47</span> +class="tocnumber">8.47</span> <span class="toctext">REQUEST_BASENAME</span></a></li> +<li class="toclevel-2"><a href="#REQUEST_BODY"><span class="tocnumber">8.48</span> <span class="toctext">REQUEST_BODY</span></a></li> <li class="toclevel-2"><a href="#REQUEST_BODY_LENGTH"><span -class="tocnumber">8.48</span> <span class="toctext">REQUEST_BODY_LENGTH</span></a></li> +class="tocnumber">8.49</span> <span class="toctext">REQUEST_BODY_LENGTH</span></a></li> <li class="toclevel-2"><a href="#REQUEST_COOKIES"><span -class="tocnumber">8.49</span> <span class="toctext">REQUEST_COOKIES</span></a></li> +class="tocnumber">8.50</span> <span class="toctext">REQUEST_COOKIES</span></a></li> <li class="toclevel-2"><a href="#REQUEST_COOKIES_NAMES"><span -class="tocnumber">8.50</span> <span class="toctext">REQUEST_COOKIES_NAMES</span></a></li> +class="tocnumber">8.51</span> <span class="toctext">REQUEST_COOKIES_NAMES</span></a></li> <li class="toclevel-2"><a href="#REQUEST_FILENAME"><span -class="tocnumber">8.51</span> <span class="toctext">REQUEST_FILENAME</span></a></li> +class="tocnumber">8.52</span> <span class="toctext">REQUEST_FILENAME</span></a></li> <li class="toclevel-2"><a href="#REQUEST_HEADERS"><span -class="tocnumber">8.52</span> <span class="toctext">REQUEST_HEADERS</span></a></li> +class="tocnumber">8.53</span> <span class="toctext">REQUEST_HEADERS</span></a></li> <li class="toclevel-2"><a href="#REQUEST_HEADERS_NAMES"><span -class="tocnumber">8.53</span> <span class="toctext">REQUEST_HEADERS_NAMES</span></a></li> -<li class="toclevel-2"><a href="#REQUEST_LINE"><span class="tocnumber">8.54</span> +class="tocnumber">8.54</span> <span class="toctext">REQUEST_HEADERS_NAMES</span></a></li> +<li class="toclevel-2"><a href="#REQUEST_LINE"><span class="tocnumber">8.55</span> <span class="toctext">REQUEST_LINE</span></a></li> -<li class="toclevel-2"><a href="#REQUEST_METHOD"><span class="tocnumber">8.55</span> +<li class="toclevel-2"><a href="#REQUEST_METHOD"><span class="tocnumber">8.56</span> <span class="toctext">REQUEST_METHOD</span></a></li> <li class="toclevel-2"><a href="#REQUEST_PROTOCOL"><span -class="tocnumber">8.56</span> <span class="toctext">REQUEST_PROTOCOL</span></a></li> -<li class="toclevel-2"><a href="#REQUEST_URI"><span class="tocnumber">8.57</span> +class="tocnumber">8.57</span> <span class="toctext">REQUEST_PROTOCOL</span></a></li> +<li class="toclevel-2"><a href="#REQUEST_URI"><span class="tocnumber">8.58</span> <span class="toctext">REQUEST_URI</span></a></li> <li class="toclevel-2"><a href="#REQUEST_URI_RAW"><span -class="tocnumber">8.58</span> <span class="toctext">REQUEST_URI_RAW</span></a></li> -<li class="toclevel-2"><a href="#RESPONSE_BODY"><span class="tocnumber">8.59</span> +class="tocnumber">8.59</span> <span class="toctext">REQUEST_URI_RAW</span></a></li> +<li class="toclevel-2"><a href="#RESPONSE_BODY"><span class="tocnumber">8.60</span> <span class="toctext">RESPONSE_BODY</span></a></li> <li class="toclevel-2"><a href="#RESPONSE_CONTENT_LENGTH"><span -class="tocnumber">8.60</span> <span class="toctext">RESPONSE_CONTENT_LENGTH</span></a></li> +class="tocnumber">8.61</span> <span class="toctext">RESPONSE_CONTENT_LENGTH</span></a></li> <li class="toclevel-2"><a href="#RESPONSE_CONTENT_TYPE"><span -class="tocnumber">8.61</span> <span class="toctext">RESPONSE_CONTENT_TYPE</span></a></li> +class="tocnumber">8.62</span> <span class="toctext">RESPONSE_CONTENT_TYPE</span></a></li> <li class="toclevel-2"><a href="#RESPONSE_HEADERS"><span -class="tocnumber">8.62</span> <span class="toctext">RESPONSE_HEADERS</span></a></li> +class="tocnumber">8.63</span> <span class="toctext">RESPONSE_HEADERS</span></a></li> <li class="toclevel-2"><a href="#RESPONSE_HEADERS_NAMES"><span -class="tocnumber">8.63</span> <span class="toctext">RESPONSE_HEADERS_NAMES</span></a></li> +class="tocnumber">8.64</span> <span class="toctext">RESPONSE_HEADERS_NAMES</span></a></li> <li class="toclevel-2"><a href="#RESPONSE_PROTOCOL"><span -class="tocnumber">8.64</span> <span class="toctext">RESPONSE_PROTOCOL</span></a></li> +class="tocnumber">8.65</span> <span class="toctext">RESPONSE_PROTOCOL</span></a></li> <li class="toclevel-2"><a href="#RESPONSE_STATUS"><span -class="tocnumber">8.65</span> <span class="toctext">RESPONSE_STATUS</span></a></li> -<li class="toclevel-2"><a href="#RULE"><span class="tocnumber">8.66</span> +class="tocnumber">8.66</span> <span class="toctext">RESPONSE_STATUS</span></a></li> +<li class="toclevel-2"><a href="#RULE"><span class="tocnumber">8.67</span> <span class="toctext">RULE</span></a></li> <li class="toclevel-2"><a href="#SCRIPT_BASENAME"><span -class="tocnumber">8.67</span> <span class="toctext">SCRIPT_BASENAME</span></a></li> +class="tocnumber">8.68</span> <span class="toctext">SCRIPT_BASENAME</span></a></li> <li class="toclevel-2"><a href="#SCRIPT_FILENAME"><span -class="tocnumber">8.68</span> <span class="toctext">SCRIPT_FILENAME</span></a></li> -<li class="toclevel-2"><a href="#SCRIPT_GID"><span class="tocnumber">8.69</span> +class="tocnumber">8.69</span> <span class="toctext">SCRIPT_FILENAME</span></a></li> +<li class="toclevel-2"><a href="#SCRIPT_GID"><span class="tocnumber">8.70</span> <span class="toctext">SCRIPT_GID</span></a></li> <li class="toclevel-2"><a href="#SCRIPT_GROUPNAME"><span -class="tocnumber">8.70</span> <span class="toctext">SCRIPT_GROUPNAME</span></a></li> -<li class="toclevel-2"><a href="#SCRIPT_MODE"><span class="tocnumber">8.71</span> +class="tocnumber">8.71</span> <span class="toctext">SCRIPT_GROUPNAME</span></a></li> +<li class="toclevel-2"><a href="#SCRIPT_MODE"><span class="tocnumber">8.72</span> <span class="toctext">SCRIPT_MODE</span></a></li> -<li class="toclevel-2"><a href="#SCRIPT_UID"><span class="tocnumber">8.72</span> +<li class="toclevel-2"><a href="#SCRIPT_UID"><span class="tocnumber">8.73</span> <span class="toctext">SCRIPT_UID</span></a></li> <li class="toclevel-2"><a href="#SCRIPT_USERNAME"><span -class="tocnumber">8.73</span> <span class="toctext">SCRIPT_USERNAME</span></a></li> -<li class="toclevel-2"><a href="#SERVER_ADDR"><span class="tocnumber">8.74</span> +class="tocnumber">8.74</span> <span class="toctext">SCRIPT_USERNAME</span></a></li> +<li class="toclevel-2"><a href="#SERVER_ADDR"><span class="tocnumber">8.75</span> <span class="toctext">SERVER_ADDR</span></a></li> -<li class="toclevel-2"><a href="#SERVER_NAME"><span class="tocnumber">8.75</span> +<li class="toclevel-2"><a href="#SERVER_NAME"><span class="tocnumber">8.76</span> <span class="toctext">SERVER_NAME</span></a></li> -<li class="toclevel-2"><a href="#SERVER_PORT"><span class="tocnumber">8.76</span> +<li class="toclevel-2"><a href="#SERVER_PORT"><span class="tocnumber">8.77</span> <span class="toctext">SERVER_PORT</span></a></li> -<li class="toclevel-2"><a href="#SESSION"><span class="tocnumber">8.77</span> +<li class="toclevel-2"><a href="#SESSION"><span class="tocnumber">8.78</span> <span class="toctext">SESSION</span></a></li> -<li class="toclevel-2"><a href="#SESSIONID"><span class="tocnumber">8.78</span> +<li class="toclevel-2"><a href="#SESSIONID"><span class="tocnumber">8.79</span> <span class="toctext">SESSIONID</span></a></li> <li class="toclevel-2"><a href="#STREAM_INPUT_BODY"><span -class="tocnumber">8.79</span> <span class="toctext">STREAM_INPUT_BODY</span></a></li> +class="tocnumber">8.80</span> <span class="toctext">STREAM_INPUT_BODY</span></a></li> <li class="toclevel-2"><a href="#STREAM_OUTPUT_BODY"><span -class="tocnumber">8.80</span> <span class="toctext">STREAM_OUTPUT_BODY</span></a></li> -<li class="toclevel-2"><a href="#TIME"><span class="tocnumber">8.81</span> +class="tocnumber">8.81</span> <span class="toctext">STREAM_OUTPUT_BODY</span></a></li> +<li class="toclevel-2"><a href="#TIME"><span class="tocnumber">8.82</span> <span class="toctext">TIME</span></a></li> -<li class="toclevel-2"><a href="#TIME_DAY"><span class="tocnumber">8.82</span> +<li class="toclevel-2"><a href="#TIME_DAY"><span class="tocnumber">8.83</span> <span class="toctext">TIME_DAY</span></a></li> -<li class="toclevel-2"><a href="#TIME_EPOCH"><span class="tocnumber">8.83</span> +<li class="toclevel-2"><a href="#TIME_EPOCH"><span class="tocnumber">8.84</span> <span class="toctext">TIME_EPOCH</span></a></li> -<li class="toclevel-2"><a href="#TIME_HOUR"><span class="tocnumber">8.84</span> +<li class="toclevel-2"><a href="#TIME_HOUR"><span class="tocnumber">8.85</span> <span class="toctext">TIME_HOUR</span></a></li> -<li class="toclevel-2"><a href="#TIME_MIN"><span class="tocnumber">8.85</span> +<li class="toclevel-2"><a href="#TIME_MIN"><span class="tocnumber">8.86</span> <span class="toctext">TIME_MIN</span></a></li> -<li class="toclevel-2"><a href="#TIME_MON"><span class="tocnumber">8.86</span> +<li class="toclevel-2"><a href="#TIME_MON"><span class="tocnumber">8.87</span> <span class="toctext">TIME_MON</span></a></li> -<li class="toclevel-2"><a href="#TIME_SEC"><span class="tocnumber">8.87</span> +<li class="toclevel-2"><a href="#TIME_SEC"><span class="tocnumber">8.88</span> <span class="toctext">TIME_SEC</span></a></li> -<li class="toclevel-2"><a href="#TIME_WDAY"><span class="tocnumber">8.88</span> +<li class="toclevel-2"><a href="#TIME_WDAY"><span class="tocnumber">8.89</span> <span class="toctext">TIME_WDAY</span></a></li> -<li class="toclevel-2"><a href="#TIME_YEAR"><span class="tocnumber">8.89</span> +<li class="toclevel-2"><a href="#TIME_YEAR"><span class="tocnumber">8.90</span> <span class="toctext">TIME_YEAR</span></a></li> -<li class="toclevel-2"><a href="#TX"><span class="tocnumber">8.90</span> +<li class="toclevel-2"><a href="#TX"><span class="tocnumber">8.91</span> <span class="toctext">TX</span></a></li> -<li class="toclevel-2"><a href="#UNIQUE_ID"><span class="tocnumber">8.91</span> +<li class="toclevel-2"><a href="#UNIQUE_ID"><span class="tocnumber">8.92</span> <span class="toctext">UNIQUE_ID</span></a></li> <li class="toclevel-2"><a href="#URLENCODED_ERROR"><span -class="tocnumber">8.92</span> <span class="toctext">URLENCODED_ERROR</span></a></li> -<li class="toclevel-2"><a href="#USERID"><span class="tocnumber">8.93</span> +class="tocnumber">8.93</span> <span class="toctext">URLENCODED_ERROR</span></a></li> +<li class="toclevel-2"><a href="#USERID"><span class="tocnumber">8.94</span> <span class="toctext">USERID</span></a></li> -<li class="toclevel-2"><a href="#WEBAPPID"><span class="tocnumber">8.94</span> +<li class="toclevel-2"><a href="#USERAGENT_IP"><span class="tocnumber">8.95</span> + <span class="toctext">USERAGENT_IP</span></a></li> +<li class="toclevel-2"><a href="#WEBAPPID"><span class="tocnumber">8.96</span> <span class="toctext">WEBAPPID</span></a></li> <li class="toclevel-2"><a href="#WEBSERVER_ERROR_LOG"><span -class="tocnumber">8.95</span> <span class="toctext">WEBSERVER_ERROR_LOG</span></a></li> -<li class="toclevel-2"><a href="#XML"><span class="tocnumber">8.96</span> +class="tocnumber">8.97</span> <span class="toctext">WEBSERVER_ERROR_LOG</span></a></li> +<li class="toclevel-2"><a href="#XML"><span class="tocnumber">8.98</span> <span class="toctext">XML</span></a></li> </ul> </li> @@ -628,91 +656,99 @@ <li class="toclevel-1"><a href="#Actions"><span class="tocnumber">10</span> <span class="toctext">Actions</span></a> <ul> -<li class="toclevel-2"><a href="#allow"><span class="tocnumber">10.1</span> +<li class="toclevel-2"><a href="#accuracy"><span class="tocnumber">10.1</span> + <span class="toctext">accuracy</span></a></li> +<li class="toclevel-2"><a href="#allow"><span class="tocnumber">10.2</span> <span class="toctext">allow</span></a></li> -<li class="toclevel-2"><a href="#append"><span class="tocnumber">10.2</span> +<li class="toclevel-2"><a href="#append"><span class="tocnumber">10.3</span> <span class="toctext">append</span></a></li> -<li class="toclevel-2"><a href="#auditlog"><span class="tocnumber">10.3</span> +<li class="toclevel-2"><a href="#auditlog"><span class="tocnumber">10.4</span> <span class="toctext">auditlog</span></a></li> -<li class="toclevel-2"><a href="#block"><span class="tocnumber">10.4</span> +<li class="toclevel-2"><a href="#block"><span class="tocnumber">10.5</span> <span class="toctext">block</span></a></li> -<li class="toclevel-2"><a href="#capture"><span class="tocnumber">10.5</span> +<li class="toclevel-2"><a href="#capture"><span class="tocnumber">10.6</span> <span class="toctext">capture</span></a></li> -<li class="toclevel-2"><a href="#chain"><span class="tocnumber">10.6</span> +<li class="toclevel-2"><a href="#chain"><span class="tocnumber">10.7</span> <span class="toctext">chain</span></a></li> -<li class="toclevel-2"><a href="#ctl"><span class="tocnumber">10.7</span> +<li class="toclevel-2"><a href="#ctl"><span class="tocnumber">10.8</span> <span class="toctext">ctl</span></a></li> -<li class="toclevel-2"><a href="#deny"><span class="tocnumber">10.8</span> +<li class="toclevel-2"><a href="#deny"><span class="tocnumber">10.9</span> <span class="toctext">deny</span></a></li> -<li class="toclevel-2"><a href="#deprecatevar"><span class="tocnumber">10.9</span> +<li class="toclevel-2"><a href="#deprecatevar"><span class="tocnumber">10.10</span> <span class="toctext">deprecatevar</span></a></li> -<li class="toclevel-2"><a href="#drop"><span class="tocnumber">10.10</span> +<li class="toclevel-2"><a href="#drop"><span class="tocnumber">10.11</span> <span class="toctext">drop</span></a></li> -<li class="toclevel-2"><a href="#exec"><span class="tocnumber">10.11</span> +<li class="toclevel-2"><a href="#exec"><span class="tocnumber">10.12</span> <span class="toctext">exec</span></a></li> -<li class="toclevel-2"><a href="#expirevar"><span class="tocnumber">10.12</span> +<li class="toclevel-2"><a href="#expirevar"><span class="tocnumber">10.13</span> <span class="toctext">expirevar</span></a></li> -<li class="toclevel-2"><a href="#id"><span class="tocnumber">10.13</span> +<li class="toclevel-2"><a href="#id"><span class="tocnumber">10.14</span> <span class="toctext">id</span></a></li> -<li class="toclevel-2"><a href="#initcol"><span class="tocnumber">10.14</span> +<li class="toclevel-2"><a href="#initcol"><span class="tocnumber">10.15</span> <span class="toctext">initcol</span></a></li> -<li class="toclevel-2"><a href="#log"><span class="tocnumber">10.15</span> +<li class="toclevel-2"><a href="#log"><span class="tocnumber">10.16</span> <span class="toctext">log</span></a></li> -<li class="toclevel-2"><a href="#logdata"><span class="tocnumber">10.16</span> +<li class="toclevel-2"><a href="#logdata"><span class="tocnumber">10.17</span> <span class="toctext">logdata</span></a></li> -<li class="toclevel-2"><a href="#msg"><span class="tocnumber">10.17</span> +<li class="toclevel-2"><a href="#maturity"><span class="tocnumber">10.18</span> + <span class="toctext">maturity</span></a></li> +<li class="toclevel-2"><a href="#msg"><span class="tocnumber">10.19</span> <span class="toctext">msg</span></a></li> -<li class="toclevel-2"><a href="#multiMatch"><span class="tocnumber">10.18</span> +<li class="toclevel-2"><a href="#multiMatch"><span class="tocnumber">10.20</span> <span class="toctext">multiMatch</span></a></li> -<li class="toclevel-2"><a href="#noauditlog"><span class="tocnumber">10.19</span> +<li class="toclevel-2"><a href="#noauditlog"><span class="tocnumber">10.21</span> <span class="toctext">noauditlog</span></a></li> -<li class="toclevel-2"><a href="#nolog"><span class="tocnumber">10.20</span> +<li class="toclevel-2"><a href="#nolog"><span class="tocnumber">10.22</span> <span class="toctext">nolog</span></a></li> -<li class="toclevel-2"><a href="#pass"><span class="tocnumber">10.21</span> +<li class="toclevel-2"><a href="#pass"><span class="tocnumber">10.23</span> <span class="toctext">pass</span></a></li> -<li class="toclevel-2"><a href="#pause"><span class="tocnumber">10.22</span> +<li class="toclevel-2"><a href="#pause"><span class="tocnumber">10.24</span> <span class="toctext">pause</span></a></li> -<li class="toclevel-2"><a href="#phase"><span class="tocnumber">10.23</span> +<li class="toclevel-2"><a href="#phase"><span class="tocnumber">10.25</span> <span class="toctext">phase</span></a></li> -<li class="toclevel-2"><a href="#prepend"><span class="tocnumber">10.24</span> +<li class="toclevel-2"><a href="#prepend"><span class="tocnumber">10.26</span> <span class="toctext">prepend</span></a></li> -<li class="toclevel-2"><a href="#proxy"><span class="tocnumber">10.25</span> +<li class="toclevel-2"><a href="#proxy"><span class="tocnumber">10.27</span> <span class="toctext">proxy</span></a></li> -<li class="toclevel-2"><a href="#redirect"><span class="tocnumber">10.26</span> +<li class="toclevel-2"><a href="#redirect"><span class="tocnumber">10.28</span> <span class="toctext">redirect</span></a></li> -<li class="toclevel-2"><a href="#rev"><span class="tocnumber">10.27</span> +<li class="toclevel-2"><a href="#rev"><span class="tocnumber">10.29</span> <span class="toctext">rev</span></a></li> -<li class="toclevel-2"><a href="#sanitiseArg"><span class="tocnumber">10.28</span> +<li class="toclevel-2"><a href="#sanitiseArg"><span class="tocnumber">10.30</span> <span class="toctext">sanitiseArg</span></a></li> <li class="toclevel-2"><a href="#sanitiseMatched"><span -class="tocnumber">10.29</span> <span class="toctext">sanitiseMatched</span></a></li> +class="tocnumber">10.31</span> <span class="toctext">sanitiseMatched</span></a></li> <li class="toclevel-2"><a href="#sanitiseMatchedBytes"><span -class="tocnumber">10.30</span> <span class="toctext">sanitiseMatchedBytes</span></a></li> +class="tocnumber">10.32</span> <span class="toctext">sanitiseMatchedBytes</span></a></li> <li class="toclevel-2"><a href="#sanitiseRequestHeader"><span -class="tocnumber">10.31</span> <span class="toctext">sanitiseRequestHeader</span></a></li> +class="tocnumber">10.33</span> <span class="toctext">sanitiseRequestHeader</span></a></li> <li class="toclevel-2"><a href="#sanitiseResponseHeader"><span -class="tocnumber">10.32</span> <span class="toctext">sanitiseResponseHeader</span></a></li> -<li class="toclevel-2"><a href="#severity"><span class="tocnumber">10.33</span> +class="tocnumber">10.34</span> <span class="toctext">sanitiseResponseHeader</span></a></li> +<li class="toclevel-2"><a href="#severity"><span class="tocnumber">10.35</span> <span class="toctext">severity</span></a></li> -<li class="toclevel-2"><a href="#setuid"><span class="tocnumber">10.34</span> +<li class="toclevel-2"><a href="#setuid"><span class="tocnumber">10.36</span> <span class="toctext">setuid</span></a></li> -<li class="toclevel-2"><a href="#setsid"><span class="tocnumber">10.35</span> +<li class="toclevel-2"><a href="#setrsc"><span class="tocnumber">10.37</span> + <span class="toctext">setrsc</span></a></li> +<li class="toclevel-2"><a href="#setsid"><span class="tocnumber">10.38</span> <span class="toctext">setsid</span></a></li> -<li class="toclevel-2"><a href="#setenv"><span class="tocnumber">10.36</span> +<li class="toclevel-2"><a href="#setenv"><span class="tocnumber">10.39</span> <span class="toctext">setenv</span></a></li> -<li class="toclevel-2"><a href="#setvar"><span class="tocnumber">10.37</span> +<li class="toclevel-2"><a href="#setvar"><span class="tocnumber">10.40</span> <span class="toctext">setvar</span></a></li> -<li class="toclevel-2"><a href="#skip"><span class="tocnumber">10.38</span> +<li class="toclevel-2"><a href="#skip"><span class="tocnumber">10.41</span> <span class="toctext">skip</span></a></li> -<li class="toclevel-2"><a href="#skipAfter"><span class="tocnumber">10.39</span> +<li class="toclevel-2"><a href="#skipAfter"><span class="tocnumber">10.42</span> <span class="toctext">skipAfter</span></a></li> -<li class="toclevel-2"><a href="#status"><span class="tocnumber">10.40</span> +<li class="toclevel-2"><a href="#status"><span class="tocnumber">10.43</span> <span class="toctext">status</span></a></li> -<li class="toclevel-2"><a href="#t"><span class="tocnumber">10.41</span> +<li class="toclevel-2"><a href="#t"><span class="tocnumber">10.44</span> <span class="toctext">t</span></a></li> -<li class="toclevel-2"><a href="#tag"><span class="tocnumber">10.42</span> +<li class="toclevel-2"><a href="#tag"><span class="tocnumber">10.45</span> <span class="toctext">tag</span></a></li> -<li class="toclevel-2"><a href="#xmlns"><span class="tocnumber">10.43</span> +<li class="toclevel-2"><a href="#ver"><span class="tocnumber">10.46</span> + <span class="toctext">ver</span></a></li> +<li class="toclevel-2"><a href="#xmlns"><span class="tocnumber">10.47</span> <span class="toctext">xmlns</span></a></li> </ul> </li> @@ -723,59 +759,67 @@ <span class="toctext">beginsWith</span></a></li> <li class="toclevel-2"><a href="#contains"><span class="tocnumber">11.2</span> <span class="toctext">contains</span></a></li> -<li class="toclevel-2"><a href="#endsWith"><span class="tocnumber">11.3</span> +<li class="toclevel-2"><a href="#containsWord"><span class="tocnumber">11.3</span> + <span class="toctext">containsWord</span></a></li> +<li class="toclevel-2"><a href="#endsWith"><span class="tocnumber">11.4</span> <span class="toctext">endsWith</span></a></li> -<li class="toclevel-2"><a href="#eq"><span class="tocnumber">11.4</span> +<li class="toclevel-2"><a href="#eq"><span class="tocnumber">11.5</span> <span class="toctext">eq</span></a></li> -<li class="toclevel-2"><a href="#ge"><span class="tocnumber">11.5</span> +<li class="toclevel-2"><a href="#ge"><span class="tocnumber">11.6</span> <span class="toctext">ge</span></a></li> -<li class="toclevel-2"><a href="#geoLookup"><span class="tocnumber">11.6</span> +<li class="toclevel-2"><a href="#geoLookup"><span class="tocnumber">11.7</span> <span class="toctext">geoLookup</span></a></li> -<li class="toclevel-2"><a href="#gsbLookup"><span class="tocnumber">11.7</span> +<li class="toclevel-2"><a href="#gsbLookup"><span class="tocnumber">11.8</span> <span class="toctext">gsbLookup</span></a></li> -<li class="toclevel-2"><a href="#gt"><span class="tocnumber">11.8</span> +<li class="toclevel-2"><a href="#gt"><span class="tocnumber">11.9</span> <span class="toctext">gt</span></a></li> -<li class="toclevel-2"><a href="#inspectFile"><span class="tocnumber">11.9</span> +<li class="toclevel-2"><a href="#inspectFile"><span class="tocnumber">11.10</span> <span class="toctext">inspectFile</span></a></li> -<li class="toclevel-2"><a href="#ipMatch"><span class="tocnumber">11.10</span> +<li class="toclevel-2"><a href="#ipMatch"><span class="tocnumber">11.11</span> <span class="toctext">ipMatch</span></a></li> -<li class="toclevel-2"><a href="#le"><span class="tocnumber">11.11</span> +<li class="toclevel-2"><a href="#ipMatchF"><span class="tocnumber">11.12</span> + <span class="toctext">ipMatchF</span></a></li> +<li class="toclevel-2"><a href="#ipMatchFromFile"><span +class="tocnumber">11.13</span> <span class="toctext">ipMatchFromFile</span></a></li> +<li class="toclevel-2"><a href="#le"><span class="tocnumber">11.14</span> <span class="toctext">le</span></a></li> -<li class="toclevel-2"><a href="#lt"><span class="tocnumber">11.12</span> +<li class="toclevel-2"><a href="#lt"><span class="tocnumber">11.15</span> <span class="toctext">lt</span></a></li> -<li class="toclevel-2"><a href="#pm"><span class="tocnumber">11.13</span> +<li class="toclevel-2"><a href="#pm"><span class="tocnumber">11.16</span> <span class="toctext">pm</span></a></li> -<li class="toclevel-2"><a href="#pmf"><span class="tocnumber">11.14</span> +<li class="toclevel-2"><a href="#pmf"><span class="tocnumber">11.17</span> <span class="toctext">pmf</span></a></li> -<li class="toclevel-2"><a href="#pmFromFile"><span class="tocnumber">11.15</span> +<li class="toclevel-2"><a href="#pmFromFile"><span class="tocnumber">11.18</span> <span class="toctext">pmFromFile</span></a></li> -<li class="toclevel-2"><a href="#rbl"><span class="tocnumber">11.16</span> +<li class="toclevel-2"><a href="#rbl"><span class="tocnumber">11.19</span> <span class="toctext">rbl</span></a></li> -<li class="toclevel-2"><a href="#rsub"><span class="tocnumber">11.17</span> +<li class="toclevel-2"><a href="#rsub"><span class="tocnumber">11.20</span> <span class="toctext">rsub</span></a></li> -<li class="toclevel-2"><a href="#rx"><span class="tocnumber">11.18</span> +<li class="toclevel-2"><a href="#rx"><span class="tocnumber">11.21</span> <span class="toctext">rx</span></a></li> -<li class="toclevel-2"><a href="#streq"><span class="tocnumber">11.19</span> +<li class="toclevel-2"><a href="#streq"><span class="tocnumber">11.22</span> <span class="toctext">streq</span></a></li> -<li class="toclevel-2"><a href="#strmatch"><span class="tocnumber">11.20</span> +<li class="toclevel-2"><a href="#strmatch"><span class="tocnumber">11.23</span> <span class="toctext">strmatch</span></a></li> <li class="toclevel-2"><a href="#validateByteRange"><span -class="tocnumber">11.21</span> <span class="toctext">validateByteRange</span></a></li> -<li class="toclevel-2"><a href="#validateDTD"><span class="tocnumber">11.22</span> +class="tocnumber">11.24</span> <span class="toctext">validateByteRange</span></a></li> +<li class="toclevel-2"><a href="#validateDTD"><span class="tocnumber">11.25</span> <span class="toctext">validateDTD</span></a></li> -<li class="toclevel-2"><a href="#validateSchema"><span class="tocnumber">11.23</span> +<li class="toclevel-2"><a href="#validateEncryption"><span +class="tocnumber">11.26</span> <span class="toctext">validateEncryption</span></a></li> +<li class="toclevel-2"><a href="#validateSchema"><span class="tocnumber">11.27</span> <span class="toctext">validateSchema</span></a></li> <li class="toclevel-2"><a href="#validateUrlEncoding"><span -class="tocnumber">11.24</span> <span class="toctext">validateUrlEncoding</span></a></li> +class="tocnumber">11.28</span> <span class="toctext">validateUrlEncoding</span></a></li> <li class="toclevel-2"><a href="#validateUtf8Encoding"><span -class="tocnumber">11.25</span> <span class="toctext">validateUtf8Encoding</span></a></li> -<li class="toclevel-2"><a href="#verifyCC"><span class="tocnumber">11.26</span> +class="tocnumber">11.29</span> <span class="toctext">validateUtf8Encoding</span></a></li> +<li class="toclevel-2"><a href="#verifyCC"><span class="tocnumber">11.30</span> <span class="toctext">verifyCC</span></a></li> -<li class="toclevel-2"><a href="#verifyCPF"><span class="tocnumber">11.27</span> +<li class="toclevel-2"><a href="#verifyCPF"><span class="tocnumber">11.31</span> <span class="toctext">verifyCPF</span></a></li> -<li class="toclevel-2"><a href="#verifySSN"><span class="tocnumber">11.28</span> +<li class="toclevel-2"><a href="#verifySSN"><span class="tocnumber">11.32</span> <span class="toctext">verifySSN</span></a></li> -<li class="toclevel-2"><a href="#within"><span class="tocnumber">11.29</span> +<li class="toclevel-2"><a href="#within"><span class="tocnumber">11.33</span> <span class="toctext">within</span></a></li> </ul> </li> @@ -804,9 +848,9 @@ <a name="ModSecurity.C2.AE_Reference_Manual" id="ModSecurity.C2.AE_Reference_Manual"></a><h1> <span class="mw-headline"> ModSecurity® Reference Manual </span></h1> -<a name="Current_as_of_v2.5.13_and_v2.6" -id="Current_as_of_v2.5.13_and_v2.6"></a><h2> <span class="mw-headline"> -Current as of v2.5.13 and v2.6 </span></h2> +<a name="Current_as_of_v2.5.13_v2.6_and_v2.7" +id="Current_as_of_v2.5.13_v2.6_and_v2.7"></a><h2> <span +class="mw-headline"> Current as of v2.5.13 v2.6 and v2.7 </span></h2> <a name="Copyright_.C2.A9_2004-2011_Trustwave_Holdings.2C_Inc." id="Copyright_.C2.A9_2004-2011_Trustwave_Holdings.2C_Inc."></a><h3> <span class="mw-headline"> Copyright © 2004-2011 <a @@ -1199,6 +1243,18 @@ title="http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf" rel="nofollow">http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf</a> </dd></dl> +<dl><dd> Starting with ModSecurity 2.7.0 there are a few important +configuration options +</dd></dl> +<ol><li><b>--enable-pcre-jit</b> - Enables JIT support from pcre >= +8.20 that can improve regex performance. +</li><li><b>--enable-cache-lua</b> - Enables lua vm caching that can +improve lua script performance. Difference just appears if ModSecurity +must run more than one script per transaction. +</li><li><b>--enable-request-early</b> - On ModSecuricy 2.6 phase one +has been moved to phase 2 hook, if you want to play around it use this +option. +</li></ol> <a name="Configuration_Directives" id="Configuration_Directives"></a><h1> <span class="mw-headline"> Configuration Directives </span></h1> <p>The following section outlines all of the ModSecurity directives. @@ -1245,7 +1301,7 @@ for application/x-www-form- urlencoded content. </p><p><b>Syntax:</b> <code>SecArgumentSeparator character</code> </p><p><b>Default:</b> & -</p><p><b>Scope:</b> Main +</p><p><b>Scope:</b> Main(< 2.7.0), Any(2.7.0) </p><p><b>Version:</b> 2.0.0 </p><p>This directive is needed if a backend web application is using a nonstandard argument separator. Applications are sometimes (very rarely) @@ -1672,7 +1728,7 @@ frontend compression enabled. </p><p><b>Syntax:</b> <code>SecDisableBackendCompression On\|Off </code> </p><p><b>Scope:</b> Any -</p><p><b>Version:</b> Development trunk +</p><p><b>Version:</b> 2.6.0 </p><p><b>Default:</b> Off </p><p>This directive is necessary in reverse proxy mode when the backend servers support response compression, but you wish to inspect @@ -1681,6 +1737,100 @@ directive is not necessary in embedded mode, because ModSecurity performs inspection before response compression takes place. </p> +<a name="SecEncryptionEngine" id="SecEncryptionEngine"></a><h2> <span +class="mw-headline"> SecEncryptionEngine </span></h2> +<p><b>Description:</b> Configures the encryption engine. +</p><p><b>Syntax:</b> <code>SecEncryptionEngine On\|Off</code> +</p><p><b>Example Usage:</b> <code>SecEncryptionEngine On </code> +</p><p><b>Scope</b>: Any +</p><p><b>Version:</b> 2.7 +</p><p><b>Default:</b> Off +</p><p>The possible values are: +</p> +<ul><li><b>On</b>: Encryption engine can process the request/response +data. +</li><li><b>Off</b>: Encryption engine will not process any data. +</li></ul> +<dl><dt> Note </dt><dd> Users must enable stream output variables +and content injection. +</dd></dl> +<a name="SecEncryptionKey" id="SecEncryptionKey"></a><h2> <span +class="mw-headline"> SecEncryptionKey </span></h2> +<p><b>Description:</b> Define the key that will be used by HMAC. +</p><p><b>Syntax:</b> <code>SecEncryptionKey rand\|TEXT +KeyOnly\|SessionID\|RemoteIP</code> +</p><p><b>Example Usage:</b> <code>SecEncryptionKey "this_is_my_key" +KeyOnly</code> +</p><p><b>Scope</b>: Any +</p><p><b>Version:</b> 2.7 +</p><p>ModSecurity encryption engine will append, if specified, the +user's session id or remote ip to the key before the MAC operation. If +the first parameter is "rand" then a random key will be generated and +used by the engine. +</p><p><br> +</p> +<a name="SecEncryptionParam" id="SecEncryptionParam"></a><h2> <span +class="mw-headline"> SecEncryptionParam </span></h2> +<p><b>Description:</b> Define the parameter name that will receive the +MAC hash. +</p><p><b>Syntax:</b> <code>SecEncryptionParam TEXT</code> +</p><p><b>Example Usage:</b> <code>SecEncryptionKey "hmac"</code> +</p><p><b>Scope</b>: Any +</p><p><b>Version:</b> 2.7 +</p><p>ModSecurity encryption engine will add a new parameter to +protected HTML elements containing the MAC hash. +</p> +<a name="SecEncryptionMethodRx" id="SecEncryptionMethodRx"></a><h2> <span + class="mw-headline"> SecEncryptionMethodRx </span></h2> +<p><b>Description:</b> Configures what kind of HTML data the encryption +engine should sign based on regular expression. +</p><p><b>Syntax:</b> <code>SecEncryptionMethodRx TYPE REGEX</code> +</p><p><b>Example Usage</b>: <code>SecEncryptionMethodRx HashHref +"product_info\|list_product"</code> +</p><p><b>Scope:</b> Any +</p><p><b>Version:</b> 2.7.0 +</p><p>As a initial support is possible to protect HREF, FRAME, IFRAME +and FORM ACTION html elements as well response Location header when http + redirect code are sent. +</p><p>The possible values for TYPE are: +</p> +<ul><li><b>HashHref</b>: Used to sign href= html elements +</li><li><b>HashFormAction</b>: Used to sign form action= html elements +</li><li><b>HashIframeSrc</b>: Used to sign iframe src= html elements +</li><li><b>HashframeSrc</b>: Used to sign frame src= html elements +</li><li><b>HashLocation</b>: Used to sign Location response header +</li></ul> +<dl><dt> Note </dt><dd> This directive is used to sign the elements + however user must use the @validateEncryption operator to enforce data +integrity. +</dd></dl> +<p><br> +</p> +<a name="SecEncryptionMethodPm" id="SecEncryptionMethodPm"></a><h2> <span + class="mw-headline"> SecEncryptionMethodPm </span></h2> +<p><b>Description:</b> Configures what kind of HTML data the encryption +engine should sign based on string search algoritm. +</p><p><b>Syntax:</b> <code>SecEncryptionMethodRx TYPE "string1 string2 +string3..."</code> +</p><p><b>Example Usage</b>: <code>SecEncryptionMethodRx HashHref +"product_info list_product"</code> +</p><p><b>Scope:</b> Any +</p><p><b>Version:</b> 2.7.0 +</p><p>As a initial support is possible to protect HREF, FRAME, IFRAME +and FORM ACTION html elements as well response Location header when http + redirect code are sent. +</p><p>The possible values for TYPE are: +</p> +<ul><li><b>HashHref</b>: Used to sign href= html elements +</li><li><b>HashFormAction</b>: Used to sign form action= html elements +</li><li><b>HashIframeSrc</b>: Used to sign iframe src= html elements +</li><li><b>HashframeSrc</b>: Used to sign frame src= html elements +</li><li><b>HashLocation</b>: Used to sign Location response header +</li></ul> +<dl><dt> Note </dt><dd> This directive is used to sign the elements + however user must use the @validateEncryption operator to enforce data +integrity. +</dd></dl> <a name="SecGeoLookupDb" id="SecGeoLookupDb"></a><h2> <span class="mw-headline"> SecGeoLookupDb </span></h2> <p><b>Description</b>: Defines the path to the database that will be @@ -1710,9 +1860,11 @@ autonumber" title="http://code.google.com/apis/safebrowsing/" rel="nofollow">[3]</a>. </p> -<dl><dt> Note </dt><dd> After registering and obtaining a Safe -Browsing API key, you can automatically download the GSB using a tool -like wget (where <i><b>KEY</b></i> is your own API key): +<dl><dt> Note </dt><dd> Deprecated in 2.7.0 after Google dev team +decided to not allow the database download anymore. After registering +and obtaining a Safe Browsing API key, you can automatically download +the GSB using a tool like wget (where <i><b>KEY</b></i> is your own API +key): </dd></dl> <p><code>wget <a href="http://sb.google.com/safebrowsing/update?client=api&apikey=KEY&version=goog-malware-hash:1:-1" @@ -1929,6 +2081,15 @@ title="http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html" rel="nofollow">http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html</a> </p> +<a name="SecSensorId" id="SecSensorId"></a><h2> <span +class="mw-headline"> SecSensorId </span></h2> +<p><b>Description:</b> Define a sensor ID that will be present into log +part H. +</p><p><b>Syntax:</b> <code>SecSensorId TEXT </code> +</p><p><b>Example Usage</b>: <code>SecSensorId WAFSensor01 </code> +</p><p><b>Scope</b>: Main +</p><p><b>Version</b>: 2.7.0 +</p> <a name="SecWriteStateLimit" id="SecWriteStateLimit"></a><h2> <span class="mw-headline"> SecWriteStateLimit </span></h2> <p><b>Description:</b> Establishes a per-IP address limit of how many @@ -2187,6 +2348,16 @@ </li><li><b>DetectionOnly</b>: process rules but never executes any disruptive actions (block, deny, drop, allow, proxy and redirect) </li></ul> +<a name="SecRulePerfTime" id="SecRulePerfTime"></a><h2> <span +class="mw-headline"> SecRulePerfTime </span></h2> +<p><b>Description:</b> Set a performance threshold for rules. Rules that + spends too much time will be logged into audit log Part H in the format + id=usec. +</p><p><b>Syntax:</b> <code>SecRulePerfTime USECS </code> +</p><p><b>Example Usage:</b> <code>SecRulePerfTime 1000 </code> +</p><p><b>Scope:</b> Any +</p><p><b>Version:</b> 2.7 +</p> <a name="SecRuleRemoveById" id="SecRuleRemoveById"></a><h2> <span class="mw-headline"> SecRuleRemoveById </span></h2> <p><b>Description:</b> Removes the matching rules from the current @@ -2390,7 +2561,7 @@ </p><p><b>Version:</b> 2.6 </p><p>This directive will append (or replace) variables to the current target list of the specified rule with the targets provided in the -second parameter. +second parameter. Starting with 2.7.0 this feature supports id range. </p><p><b>Explicitly Appending Targets</b> </p><p>This is useful for implementing exceptions where you want to externally update a target list to exclude inspection of specific @@ -2439,6 +2610,107 @@ </p> <pre>SecRule REQUEST_FILENAME "@streq /path/to/file.php" "phase:1,t:none,nolog,pass,ctl:ruleUpdateTargetById=958895;REQUEST_URI;REQUEST_FILENAME" </pre> +<dl><dt> Note </dt><dd> This ctl is deprecated and will be removed +from the code, since we cannot use it per-transaction. +</dd></dl> +<a name="SecRuleUpdateTargetByMsg" id="SecRuleUpdateTargetByMsg"></a><h2> + <span class="mw-headline"> SecRuleUpdateTargetByMsg </span></h2> +<p><b>Description:</b> Updates the target (variable) list of the +specified rule by rule message. +</p><p><b>Syntax:</b> <code>SecRuleUpdateTargetByMsg TEXT +TARGET1[,TARGET2,TARGET3] REPLACED_TARGET</code> +</p><p><b>Example Usage:</b> <code>SecRuleUpdateTargetByMsg "Cross-site +Scripting (XSS) Attack" "!ARGS:foo"</code> +</p><p><b>Scope:</b> Any +</p><p><b>Version:</b> 2.7 +</p><p>This directive will append (or replace) variables to the current +target list of the specified rule with the targets provided in the +second parameter. +</p><p><b>Explicitly Appending Targets</b> +</p><p>This is useful for implementing exceptions where you want to +externally update a target list to exclude inspection of specific +variable(s). +</p> +<pre>SecRule REQUEST_FILENAME\|ARGS_NAMES\|ARGS\|XML:/ "[\;\\|\`]\W?\bmail\b" \ + "phase:2,rev:'2.1.1',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'958895',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=% +{tx.0}" + +SecRuleUpdateTargetByMsg "System Command Injection" !ARGS:email +</pre> +<p>The effective resulting rule in the previous example will append the +target to the end of the variable list as follows: +</p> +<pre>SecRule REQUEST_FILENAME\|ARGS_NAMES\|ARGS\|XML:/\|!ARGS:email "[\;\\|\`]\W?\bmail\b" \ + "phase:2,rev:'2.1.1',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'958895',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=% +{tx.0}"" +</pre> +<p><b>Explicitly Replacing Targets</b> +</p><p>You can also entirely replace the target list to something more +appropriate for your environment. For example, lets say you want to +inspect REQUEST_URI instead of REQUEST_FILENAME, you could do this: +</p> +<pre>SecRule REQUEST_FILENAME\|ARGS_NAMES\|ARGS\|XML:/ "[\;\\|\`]\W?\bmail\b" \ + "phase:2,rev:'2.1.1',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'958895',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=% +{tx.0}" + +SecRuleUpdateTargetByMsg "System Command Injection" REQUEST_URI REQUEST_FILENAME +</pre> +<p>The effective resulting rule in the previous example will append the +target to the end of the variable list as follows: +</p> +<pre>SecRule REQUEST_URI\|ARGS_NAMES\|ARGS\|XML:/ "[\;\\|\`]\W?\bmail\b" \ + "phase:2,rev:'2.1.1',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'958895',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=% +{tx.0}"" +</pre> +<a name="SecRuleUpdateTargetByTag" id="SecRuleUpdateTargetByTag"></a><h2> + <span class="mw-headline"> SecRuleUpdateTargetByTag </span></h2> +<p><b>Description:</b> Updates the target (variable) list of the +specified rule by rule tag. +</p><p><b>Syntax:</b> <code>SecRuleUpdateTargetByTag TEXT +TARGET1[,TARGET2,TARGET3] REPLACED_TARGET</code> +</p><p><b>Example Usage:</b> <code>SecRuleUpdateTargetByTag +"WEB_ATTACK/XSS" "!ARGS:foo"</code> +</p><p><b>Scope:</b> Any +</p><p><b>Version:</b> 2.7 +</p><p>This directive will append (or replace) variables to the current +target list of the specified rule with the targets provided in the +second parameter. +</p><p><b>Explicitly Appending Targets</b> +</p><p>This is useful for implementing exceptions where you want to +externally update a target list to exclude inspection of specific +variable(s). +</p> +<pre>SecRule REQUEST_FILENAME\|ARGS_NAMES\|ARGS\|XML:/ "[\;\\|\`]\W?\bmail\b" \ + "phase:2,rev:'2.1.1',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'958895',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=% +{tx.0}" + +SecRuleUpdateTargetByTag "WASCTC/WASC-31" !ARGS:email +</pre> +<p>The effective resulting rule in the previous example will append the +target to the end of the variable list as follows: +</p> +<pre>SecRule REQUEST_FILENAME\|ARGS_NAMES\|ARGS\|XML:/\|!ARGS:email "[\;\\|\`]\W?\bmail\b" \ + "phase:2,rev:'2.1.1',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'958895',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=% +{tx.0}"" +</pre> +<p><b>Explicitly Replacing Targets</b> +</p><p>You can also entirely replace the target list to something more +appropriate for your environment. For example, lets say you want to +inspect REQUEST_URI instead of REQUEST_FILENAME, you could do this: +</p> +<pre>SecRule REQUEST_FILENAME\|ARGS_NAMES\|ARGS\|XML:/ "[\;\\|\`]\W?\bmail\b" \ + "phase:2,rev:'2.1.1',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'958895',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=% +{tx.0}" + +SecRuleUpdateTargetByTag "WASCTC/WASC-31" REQUEST_URI REQUEST_FILENAME +</pre> +<p>The effective resulting rule in the previous example will append the +target to the end of the variable list as follows: +</p> +<pre>SecRule REQUEST_URI\|ARGS_NAMES\|ARGS\|XML:/ "[\;\\|\`]\W?\bmail\b" \ + "phase:2,rev:'2.1.1',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'958895',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=% +{tx.0}"" +</pre> <a name="SecServerSignature" id="SecServerSignature"></a><h2> <span class="mw-headline"> SecServerSignature </span></h2> <p><b>Description:</b> Instructs ModSecurity to change the data @@ -2645,7 +2917,7 @@ <p>Below is a diagram of the standard Apache Request Cycle. In the diagram, the 5 ModSecurity processing phases are shown. </p><p><a -href="http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=File:Apache_request_cycle-modsecurity.jpg" +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=File:Apache_request_cycle-modsecurity.jpg" class="image" title="Apache request cycle-modsecurity.jpg"><img alt="" src="Reference_Manual_files/600px-Apache_request_cycle-modsecurity.jpg" height="459" width="600" border="0"></a> @@ -2836,6 +3108,9 @@ <p>Contains the number of milliseconds elapsed since the beginning of the current transaction. Available starting with 2.6.0. </p> +<dl><dt> Note </dt><dd> Starting with ModSecurity 2.7.0 the time is + microseconds. +</dd></dl> <a name="ENV" id="ENV"></a><h2> <span class="mw-headline"> ENV </span></h2> <p>Collection that provides access to environment variables set by ModSecurity. Requires a single parameter to specify the name of the @@ -3110,6 +3385,12 @@ <p>Contains the time, in microseconds, spent processing phase 5. Available starting with 2.6. </p> +<a name="PERF_RULES" id="PERF_RULES"></a><h2> <span class="mw-headline"> + PERF_RULES </span></h2> +<p>Contains the time of rules, in microseconds. Available starting with +2.7. +</p><p><code>SecRule PERF_RULES "@gt 1000" "id:12345,phase:5"</code> +</p> <a name="PERF_SREAD" id="PERF_SREAD"></a><h2> <span class="mw-headline"> PERF_SREAD </span></h2> <p>Contains the time, in microseconds, spent reading from persistent @@ -3617,6 +3898,12 @@ # Is the current user the administrator? SecRule USERID "admin" </pre> +<a name="USERAGENT_IP" id="USERAGENT_IP"></a><h2> <span +class="mw-headline"> USERAGENT_IP </span></h2> +<p>This variable is created when running modsecurity with apache2.4 and +will contains the client ip address set by mod_remoteip in proxied +connections. +</p> <a name="WEBAPPID" id="WEBAPPID"></a><h2> <span class="mw-headline"> WEBAPPID </span></h2> <p>This variable contains the current application name, which is set in @@ -3983,7 +4270,7 @@ <dl><dt> Note </dt><dd> <b>Disruptive actions will NOT be executed if the SecRuleEngine is set to DetectionOnly</b>. If you are creating exception/whitelisting rules that use the allow action, you should also -add the ctl:ruleEngine=DetectionOnly action to execute the action. +add the ctl:ruleEngine=On action to execute the action. </dd></dl> <ul><li> <b>Non-disruptive action</b>s - Do something, but that something does not and cannot affect the rule processing flow. Setting a @@ -4000,6 +4287,20 @@ action holds the status that will be used for blocking (if it takes place). </li></ul> +<a name="accuracy" id="accuracy"></a><h2> <span class="mw-headline"> +accuracy </span></h2> +<p><b>Description:</b> Specifies the relative accuracy level of the rule + related to false positives/negatives. The value is a string based on a + numeric scale (1-9 where 9 is very strong and 1 has many false +positives). +</p><p><b>Action Group:</b> Meta-data +</p><p><b>Version:</b> 2.7 +</p><p><b>Example:</b> +</p> +<pre>SecRule REQUEST_FILENAME\|ARGS_NAMES\|ARGS\|XML:/ "\bgetparentfolder\b" \ + "phase:2,ver:'CRS/2.2.4,accuracy:'9',maturity:'9',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958016',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'% \ +{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" +</pre> <a name="allow" id="allow"></a><h2> <span class="mw-headline"> allow </span></h2> <p><b>Description:</b> Stops rule processing on a successful match and allows the transaction to proceed. @@ -4195,7 +4496,13 @@ </li><li><b>ruleRemoveById</b> - since this action us triggered at run time, it should be specified <b>before</b> the rule in which it is disabling. -</li><li><b>ruleUpdateTargetById</b> +</li><li><b>ruleUpdateTargetById</b> - This is deprecated and will be +removed from the code. Use ruleRemoveTargetById for per-request +exceptions. +</li><li><b>ruleRemoveTargetById</b> +</li><li><b>ruleRemoveByMsg</b> +</li><li><b>encryptionEngine</b> +</li><li><b>encryptionEnforcement</b> </li></ol> <p>With the exception of the requestBodyProcessor and forceRequestBodyVariable settings, each configuration option corresponds @@ -4304,7 +4611,8 @@ </p> <a name="id" id="id"></a><h2> <span class="mw-headline"> id </span></h2> <p><b>Description</b>: Assigns a unique ID to the rule or chain in which - it appears. + it appears. Starting with ModSecurity 2.7 this action is mandatory and +must be numeric. </p><p><b>Action Group:</b> Meta-data </p><p><b>Example:</b> </p> @@ -4324,14 +4632,22 @@ href="http://projects.otaku42.de/wiki/Scally-Whack" class="external autonumber" title="http://projects.otaku42.de/wiki/Scally-Whack" rel="nofollow">[9]</a> -</li><li>430,000–699,999: unused (available for reservation) +</li><li>430,000–439,999: reserved for rules published by Flameeyes <a +href="http://www.flameeyes.eu/projects/modsec" class="external +autonumber" title="http://www.flameeyes.eu/projects/modsec" +rel="nofollow">[10]</a> +</li><li>440.000-599,999: unused (available for reservation) +</li><li>600,000-699,999: reserved for use by Akamai <a +href="http://www.akamai.com/html/solutions/waf.html" class="external +autonumber" title="http://www.akamai.com/html/solutions/waf.html" +rel="nofollow">[11]</a> </li><li>700,000–799,999: reserved for Ivan Ristic </li><li>900,000–999,999: reserved for the OWASP ModSecurity Core Rule Set <a href="http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project" class="external autonumber" title="http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project" - rel="nofollow">[10]</a> project + rel="nofollow">[12]</a> project </li><li>1,000,000-1,999,999: unused (available for reservation) </li><li>2,000,000-2,999,999: reserved for rules from Trustwave's SpiderLabs Research team @@ -4377,6 +4693,21 @@ as %{TX.0} or %{MATCHED_VAR}. The information is properly escaped for use with logging of binary data. </p> +<a name="maturity" id="maturity"></a><h2> <span class="mw-headline"> +maturity </span></h2> +<p><b>Description:</b> Specifies the relative maturity level of the rule + related to the length of time a rule has been public and the amount of +testing it has received. The value is a string based on a numeric scale + (1-9 where 9 is extensively tested and 1 is a brand new experimental +rule). +</p><p><b>Action Group:</b> Meta-data +</p><p><b>Version:</b> 2.7 +</p><p><b>Example:</b> +</p> +<pre>SecRule REQUEST_FILENAME\|ARGS_NAMES\|ARGS\|XML:/* "\bgetparentfolder\b" \ + "phase:2,ver:'CRS/2.2.4,accuracy:'9',maturity:'9',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958016',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'% \ +{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" +</pre> <a name="msg" id="msg"></a><h2> <span class="mw-headline"> msg </span></h2> <p><b>Description:</b> Assigns a custom message to the rule or chain in which it appears. The message will be logged along with every alert. @@ -4455,7 +4786,8 @@ </pre> <a name="pause" id="pause"></a><h2> <span class="mw-headline"> pause </span></h2> <p><b>Description:</b> Pauses transaction processing for the specified -number of milliseconds. +number of milliseconds. Starting with ModSecurity 2.7 this feature also +supports macro expansion. </p><p><b>Action Group:</b> Non-disruptive </p><p><b>Example:</b> </p> @@ -4478,6 +4810,17 @@ <pre># Initialize IP address tracking in phase 1 SecAction phase:1,nolog,pass,initcol:IP=%{REMOTE_ADDR} </pre> +<p>Starting in ModSecurity version v2.7 there are aliases for some phase + numbers: +</p> +<ul><li><b>2 - request</b> +</li><li><b>4 - response</b> +</li><li><b>5 - logging</b> +</li></ul> +<p><b>Example:</b> +</p> +<pre>SecRule REQUEST_HEADERS:User-Agent "Test" "phase:request,log,deny" +</pre> <dl><dt> Warning </dt><dd> Keep in mind that if you specify the incorrect phase, the variable used in the rule may not yet be available. This could lead to a false negative situation where your variable and @@ -4684,6 +5027,17 @@ application namespaces (configured using SecWebAppId), and will use one if it is configured. </p> +<a name="setrsc" id="setrsc"></a><h2> <span class="mw-headline"> setrsc </span></h2> +<p><b>Description:</b> Special-purpose action that initializes the +RESOURCE collection using a key provided as parameter. +</p><p><b>Action Group:</b> Non-disruptive +</p><p><b>Example:</b> +</p> +<pre>SecAction "phase:1,pass,id:3,log,setrsc:'abcd1234'" +</pre> +<p>This action understands application namespaces (configured using +SecWebAppId), and will use one if it is configured. +</p> <a name="setsid" id="setsid"></a><h2> <span class="mw-headline"> setsid </span></h2> <p><b>Description:</b> Special-purpose action that initializes the SESSION collection using the session token provided as parameter. @@ -4830,6 +5184,16 @@ slashes to create a hierarchy of categories (as in the example). Since ModSecurity 2.6.0 tag supports macro expansion. </p> +<a name="ver" id="ver"></a><h2> <span class="mw-headline"> ver </span></h2> +<p><b>Description:</b> Specifies the rule set version. +</p><p><b>Action Group:</b> Meta-data +</p><p><b>Version:</b> 2.7 +</p><p><b>Example:</b> +</p> +<pre>SecRule REQUEST_FILENAME\|ARGS_NAMES\|ARGS\|XML:/* "\bgetparentfolder\b" \ + "phase:2,ver:'CRS/2.2.4,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958016',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'% \ +{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}" +</pre> <a name="xmlns" id="xmlns"></a><h2> <span class="mw-headline"> xmlns </span></h2> <p><b>Description:</b> Configures an XML namespace, which will be used in the execution of XPath expressions. @@ -4865,6 +5229,24 @@ <pre># Detect ".php" anywhere in the request line SecRule REQUEST_LINE "@contains .php" </pre> +<a name="containsWord" id="containsWord"></a><h2> <span +class="mw-headline"> containsWord </span></h2> +<p><b>Description:</b> Returns true if the parameter string (with word +boundaries) is found anywhere in the input. Macro expansion is performed + on the parameter string before comparison. +</p><p><b>Example:</b> +</p> +<pre># Detect "select" anywhere in ARGS +SecRule ARGS "@containsWord select" +</pre> +<p>Would match on - <br> +-1 union <b>select</b> +BENCHMARK(2142500,MD5(CHAR(115,113,108,109,97,112))) FROM wp_users WHERE + ID=1 and (ascii(substr(user_login,1,1))&0x01=0) from wp_users where + ID=1-- +</p><p>But not on - <br> +Your site has a wide <b>select</b>ion of computers. +</p> <a name="endsWith" id="endsWith"></a><h2> <span class="mw-headline"> endsWith </span></h2> <p><b>Description:</b> Returns true if the parameter string is found at @@ -4967,7 +5349,7 @@ href="http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/util/" class="external autonumber" title="http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/util/" - rel="nofollow">[11]</a> that allows the file approval mechanism to + rel="nofollow">[13]</a> that allows the file approval mechanism to integrate with the ClamAV virus scanner. This is especially handy to prevent viruses and exploits from entering the web server through file upload. @@ -5065,6 +5447,31 @@ </p> <pre>SecRule REMOTE_ADDR "@ipMatch 192.168.1.100,192.168.1.50,10.10.50.0/24" </pre> +<a name="ipMatchF" id="ipMatchF"></a><h2> <span class="mw-headline"> +ipMatchF </span></h2> +<p>short alias for ipMatchFromFile +</p> +<a name="ipMatchFromFile" id="ipMatchFromFile"></a><h2> <span +class="mw-headline"> ipMatchFromFile </span></h2> +<p><b>Description:</b> Performs a fast ipv4 or ipv6 match of REMOTE_ADDR + variable, loading data from a file. Can handle the following formats: +</p> +<ul><li>Full IPv4 Address - 192.168.1.100 +</li><li>Network Block/CIDR Address - 192.168.1.0/24 +</li><li>Full IPv6 Address - 2001:db8:85a3:8d3:1319:8a2e:370:7348 +</li><li>Network Block/CIDR Address - +2001:db8:85a3:8d3:1319:8a2e:370:0/24 +</li></ul> +<p><b>Examples:</b> +</p> +<pre>SecRule REMOTE_ADDR "@ipMatch ips.txt" +</pre> +<p>The file ips.txt may contain: +</p> +<pre>192.168.0.1 +172.16.0.0/16 +10.0.0.0/8 +</pre> <a name="le" id="le"></a><h2> <span class="mw-headline"> le </span></h2> <p><b>Description:</b> Performs numerical comparison and returns true if the input value is less than or equal to the operator parameter. Macro @@ -5191,7 +5598,9 @@ <a name="rsub" id="rsub"></a><h2> <span class="mw-headline"> rsub </span></h2> <p><b>Description</b>: Performs regular expression data substitution when applied to either the STREAM_INPUT_BODY or STREAM_OUTPUT_BODY -variables. This operator also supports macro expansion. +variables. This operator also supports macro expansion. Starting with +ModSecurity 2.7.0 this operator supports the syntax \|hex\| allowing users + to use special chars like \n \r </p><p><b>Syntax:</b> <code>@rsub s/regex/str/[id]</code> </p><p><b>Examples:</b> Removing HTML Comments from response bodies: @@ -5205,7 +5614,7 @@ </dd></dl> <p>Regular expressions are handled by the PCRE library <a href="http://www.pcre.org/" class="external autonumber" -title="http://www.pcre.org" rel="nofollow">[12]</a>. ModSecurity +title="http://www.pcre.org" rel="nofollow">[14]</a>. ModSecurity compiles its regular expressions with the following settings: </p> <ol><li>The entire input is treated as a single line, even when there @@ -5243,7 +5652,7 @@ </pre> <p>Regular expressions are handled by the PCRE library <a href="http://www.pcre.org/" class="external autonumber" -title="http://www.pcre.org" rel="nofollow">[13]</a>. ModSecurity +title="http://www.pcre.org" rel="nofollow">[15]</a>. ModSecurity compiles its regular expressions with the following settings: </p> <ol><li>The entire input is treated as a single line, even when there @@ -5340,6 +5749,15 @@ # Validate XML payload against DTD SecRule XML "@validateDTD /path/to/xml.dtd" "phase:2,deny,msg:'Failed DTD validation'" </pre> +<a name="validateEncryption" id="validateEncryption"></a><h2> <span +class="mw-headline"> validateEncryption </span></h2> +<p><b>Description:</b> Validates REQUEST_URI that contains data +protected by the encryption engine. +</p><p><b>Example:</b> +</p> +<pre># Validates requested URI that matches a regular expression. +SecRule REQUEST_URI "@validateEncryption "product_info\|product_list" "phase:1,deny,id:123456" +</pre> <a name="validateSchema" id="validateSchema"></a><h2> <span class="mw-headline"> validateSchema </span></h2> <p><b>Description:</b> Validates the XML DOM tree against the supplied @@ -5815,16 +6233,16 @@ <!-- NewPP limit report -Preprocessor node count: 723/1000000 +Preprocessor node count: 793/1000000 Post-expand include size: 0/2097152 bytes Template argument size: 0/2097152 bytes Expensive parser function count: 0/100 --> -<!-- Saved in parser cache with key p_mod-security_mediawiki:pcache:idhash:12-0!1!0!!en!2!edit=0!printable=1 and timestamp 20111219124748 --> +<!-- Saved in parser cache with key p_mod-security_mediawiki:pcache:idhash:12-0!1!0!!en!2!printable=1 and timestamp 20120723175510 --> <div class="printfooter"> Retrieved from "<a -href="http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual">http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual</a>"</div> +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual">https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual</a>"</div> <!-- end content --> <div class="visualClear"></div> </div> @@ -5837,18 +6255,30 @@ <ul> <li id="ca-nstab-main" class="selected"><a -href="http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual" +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual" title="View the content page [alt-shift-c]" accesskey="c">Page</a></li> <li id="ca-talk" class="new"><a -href="http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Talk:Reference_Manual&action=edit&redlink=1" +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Talk:Reference_Manual&action=edit&redlink=1" title="Discussion about the content page [alt-shift-t]" accesskey="t">Discussion</a></li> - <li id="ca-viewsource"><a -href="http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual&action=edit" - title="This page is protected. -You can view its source [alt-shift-e]" accesskey="e">View source</a></li> + <li id="ca-edit"><a +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual&action=edit" + title="You can edit this page. +Please use the preview button before saving [alt-shift-e]" accesskey="e">Edit</a></li> <li id="ca-history"><a -href="http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual&action=history" +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual&action=history" title="Past revisions of this page [alt-shift-h]" accesskey="h">History</a></li> + <li id="ca-delete"><a +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual&action=delete" + title="Delete this page [alt-shift-d]" accesskey="d">Delete</a></li> + <li id="ca-move"><a +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Special:MovePage/Reference_Manual" + title="Move this page [alt-shift-m]" accesskey="m">Move</a></li> + <li id="ca-protect"><a +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual&action=protect" + title="Protect this page [alt-shift-=]" accesskey="=">Protect</a></li> + <li id="ca-watch"><a +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual&action=watch" + title="Add this page to your watchlist [alt-shift-w]" accesskey="w">Watch</a></li> </ul> </div> </div> @@ -5858,6 +6288,24 @@ <table style="height: 4px;" rules="none" border="0" cellpadding="0" cellspacing="0"></table> <ul> + <li id="pt-userpage"><a +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=User:Brenosilva" + title="Your user page [alt-shift-.]" accesskey="." class="new">Brenosilva</a></li> + <li id="pt-mytalk"><a +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=User_talk:Brenosilva" + title="Your talk page [alt-shift-n]" accesskey="n" class="new">My talk</a></li> + <li id="pt-preferences"><a +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Special:Preferences" + title="Your preferences">My preferences</a></li> + <li id="pt-watchlist"><a +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Special:Watchlist" + title="The list of pages you are monitoring for changes [alt-shift-l]" +accesskey="l">My watchlist</a></li> + <li id="pt-mycontris"><a +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Special:Contributions/Brenosilva" + title="List of your contributions [alt-shift-y]" accesskey="y">My +contributions</a></li> + <li id="pt-logout"></li> </ul> </div> </div> @@ -5865,7 +6313,7 @@ <a style="background-image: url("/apps/mediawiki/mod-security/nfs/project/m/mo/mod-security/7/70/MediaWikiSidebarLogo.png");" -href="http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Main_Page" +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Main_Page" title="Visit the main page [alt-shift-z]" accesskey="z"></a> </div> <script type="text/javascript"> if (window.isMSIE55) fixalpha(); </script> @@ -5874,24 +6322,24 @@ <div class="pBody"> <ul> <li id="n-mainpage-description"><a -href="http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Main_Page">Main +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Main_Page">Main Page</a></li> <li id="n-portal"><a -href="http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=mod-security:Community_Portal" +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=mod-security:Community_Portal" title="About the project, what you can do, where to find things">Community portal</a></li> <li id="n-currentevents"><a -href="http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=mod-security:Current_events" +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=mod-security:Current_events" title="Find background information on current events">Current events</a></li> <li id="n-recentchanges"><a -href="http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Special:RecentChanges" +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Special:RecentChanges" title="The list of recent changes in the wiki [alt-shift-r]" accesskey="r">Recent changes</a></li> <li id="n-randompage"><a -href="http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Special:Random" +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Special:Random" title="Load a random page [alt-shift-x]" accesskey="x">Random page</a></li> <li id="n-help"><a -href="http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Help:Contents" +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Help:Contents" title="The place to find out">Help</a></li> </ul> </div> @@ -5916,22 +6364,25 @@ <div class="pBody"> <ul> <li id="t-whatlinkshere"><a -href="http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Special:WhatLinksHere/Reference_Manual" +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Special:WhatLinksHere/Reference_Manual" title="List of all wiki pages that link here [alt-shift-j]" accesskey="j">What links here</a></li> <li id="t-recentchangeslinked"><a -href="http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Special:RecentChangesLinked/Reference_Manual" +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Special:RecentChangesLinked/Reference_Manual" title="Recent changes in pages linked from this page [alt-shift-k]" accesskey="k">Related changes</a></li> +<li id="t-upload"><a +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Special:Upload" + title="Upload files [alt-shift-u]" accesskey="u">Upload file</a></li> <li id="t-specialpages"><a -href="http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Special:SpecialPages" +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Special:SpecialPages" title="List of all special pages [alt-shift-q]" accesskey="q">Special pages</a></li> <li id="t-print"><a -href="http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual&printable=yes&printable=yes" +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual&printable=yes&printable=yes" rel="alternate" title="Printable version of this page [alt-shift-p]" accesskey="p">Printable version</a></li> <li id="t-permalink"><a -href="http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual&oldid=444" +href="https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual&oldid=507" title="Permanent link to this revision of the page">Permanent link</a></li> </ul> </div> @@ -5943,15 +6394,15 @@ src="Reference_Manual_files/poweredby_mediawiki_88x31.png" alt="Powered by MediaWiki"></a></div> <ul id="f-list"> - <li id="lastmod"> This page was last modified on 19 December 2011, -at 12:16.</li> - <li id="viewcount">This page has been accessed 77,761 times.</li> + <li id="lastmod"> This page was last modified on 23 July 2012, at +17:54.</li> + <li id="viewcount">This page has been accessed 142,275 times.</li> </ul> </div> </div> <script type="text/javascript">if (window.runOnloadHook) runOnloadHook();</script> -<!-- Served in 1.177 secs. --> +<!-- Served in 1.261 secs. --> <script type="text/javascript">