Skip to content

Home

Jump to bottom Edit New page
Felipe Zimmerle edited this page Apr 19, 2018 · 20 revisions
Table of Contents

Actions - Accuracy

Accuracy

Specifies the relative accuracy level of the rule related to false
positives/negatives. The value is a string based on a numeric scale (1-9
where 9 is very strong and 1 has many false positives).

= SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bgetparentfolder\b" \
"phase:2,ver:'CRS/2.2.4,accuracy:'9',maturity:'9',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958016',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'% \

{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

Details

Allow

Stops rule processing on a successful match and allows the transaction to proceed.

Starting with v2.5.0 allow was enhanced to allow for fine-grained control of what is done. The following rules now apply:

If used one its own, like in the example above, allow will affect the entire transaction, stopping processing of the current phase but also skipping over all other phases apart from the logging phase. (The logging phase is special; it is designed to always execute.) If used with parameter "phase", allow will cause the engine to stop processing the current phase. Other phases will continue as normal.

If used with parameter "request", allow will cause the engine to stop processing the current phase. The next phase to be processed will be phase RESPONSE_HEADERS.

Do not process request but process response.

= SecAction phase:1,allow:request,id:96

Do not process transaction (request and response).

= SecAction phase:1,allow,id:97

If you want to allow a response through, put a rule in phase RESPONSE_HEADERS and simply use allow on its own:

Allow response through.

= SecAction phase:3,allow,id:98

Details

None

AuditLogParts

Changes ModSecurity configuration on transient, per-transaction basis. Any changes made using this action will affect only the transaction in which the action is executed. The default configuration, as well as the other transactions running in parallel, will be unaffected.

None

Details

None

Base64Decode

Transformation

Decodes a Base64-encoded string.

Note: Be careful when applying base64Decode with other transformations. The order of your transformation matters in this case as certain transformations may change or invalidate the base64 encoded string prior to being decoded (i.e t:lowercase, etc). This of course means that it is also very difficult to write a single rule that checks for a base64decoded value OR an unencoded value with transformations, it is best to write two rules in this situation.

Details

None

Base64DecodeExt

Transformation

Decodes a Base64-encoded string. Unlike base64Decode, this version uses a forgiving implementation, which ignores invalid characters.

See blog post on Base64Decoding evasion issues on PHP sites - http://blog.spiderlabs.com/2010/04/impedance-mismatch-and-base64.html

Details

None

Base64Encode

Transformation

Decodes a Base64-encoded string. Unlike base64Decode, this version uses a forgiving implementation, which ignores invalid characters.

See blog post on Base64Decoding evasion issues on PHP sites - http://blog.spiderlabs.com/2010/04/impedance-mismatch-and-base64.html

Details

None

Block

Performs the disruptive action defined by the previous SecDefaultAction.

This action is essentially a placeholder that is intended to be used by rule writers to request a blocking action, but without specifying how the blocking is to be done. The idea is that such decisions are best left to rule users, as well as to allow users, to override blocking if they so desire. In future versions of ModSecurity, more control and functionality will be added to define "how" to block.

Specify how blocking is to be done

= SecDefaultAction phase:2,deny,id:101,status:403,log,auditlog

Detect attacks where we want to block

= SecRule ARGS attack1 phase:2,block,id:102

Detect attacks where we want only to warn

= SecRule ARGS attack2 phase:2,pass,id:103

It is possible to use the SecRuleUpdateActionById directive to override how a rule handles blocking. This is useful in three cases:

  1. If a rule has blocking hard-coded, and you want it to use the policy you determine
  2. If a rule was written to block, but you want it to only warn
  3. If a rule was written to only warn, but you want it to block The following example demonstrates the first case, in which the hard-coded block is removed in favor of the user-controllable block:

Specify how blocking is to be done

= SecDefaultAction phase:2,deny,status:403,log,auditlog,id:104

Detect attacks and block

= SecRule ARGS attack1 phase:2,id:1,deny

Change how rule ID 1 blocks

= SecRuleUpdateActionById 1 block

Details

None

Capture

When used together with the regular expression operator (@rx), the capture action will create copies of the regular expression captures and place them into the transaction variable collection.

Up to 10 captures will be copied on a successful pattern match, each with a name consisting of a digit from 0 to 9. The TX.0 variable always contains the entire area that the regular expression matched. All the other variables contain the captured values, in the order in which the capturing parentheses appear in the regular expression.

= SecRule REQUEST_BODY "^username=(\w{25,})" phase:2,capture,t:none,chain,id:105 SecRule TX:1 "(?:(?:a(dmin|nonymous)))"

Details

Chain

Chains the current rule with the rule that immediately follows it, creating a rule chain. Chained rules allow for more complex processing logic.

Note: Rule chains allow you to simulate logical AND. The disruptive actions specified in the first portion of the chained rule will be triggered only if all of the variable checks return positive hits. If any one aspect of a chained rule comes back negative, then the entire rule chain will fail to match. Also note that disruptive actions, execution phases, metadata actions (id, rev, msg, tag, severity, logdata), skip, and skipAfter actions can be specified only by the chain starter rule.

Refuse to accept POST requests that do not contain Content-Length header.

(Do note that this rule should be preceded by a rule

that verifies only valid request methods are used.)

= SecRule REQUEST_METHOD "^POST$" phase:1,chain,t:none,id:105 = SecRule &REQUEST_HEADERS:Content-Length "@eq 0" t:none

Details

None

CmdLine

Transformation

In Windows and Unix, commands may be escaped by different means, such as:

  • c^ommand /c ...
  • "command" /c ...
  • command,/c ...
  • backslash in the middle of a Unix command

The cmdLine transformation function avoids this problem by manipulating the variable contend in the following ways:

  • deleting all backslashes []
  • deleting all double quotes ["]
  • deleting all sigle quotes [']
  • deleting all carets [^]
  • deleting spaces before a slash /
  • deleting spaces before an open parentesis [(]
  • replacing all commas [,] and semicolon [;] into a space
  • replacing all multiple spaces (including tab, newline, etc.) into one space
  • transform all characters to lowercase

= SecRule ARGS "(?:command(?:.com)?|cmd(?:.exe)?)(?:/.*)?/[ck]" "phase:2,id:94,t:none, t:cmdLine"

Details

None

CompressWhitespace

Transformation

Converts any of the whitespace characters (0x20, \f, \t, \n, \r, \v, 0xa0) to spaces (ASCII 0x20), compressing multiple consecutive space characters into one.

Details

None

CssDecode

Transformation

Decodes characters encoded using the CSS 2.x escape rules syndata.html#characters. This function uses only up to two bytes in the decoding process, meaning that it is useful to uncover ASCII characters encoded using CSS encoding (that wouldn’t normally be encoded), or to counter evasion, which is a combination of a backslash and non-hexadecimal characters (e.g., ja\vascript is equivalent to javascript).

Details

None

Deny

Stops rule processing and intercepts transaction.

= SecRule REQUEST_HEADERS:User-Agent "nikto" "log,deny,id:107,msg:'Nikto Scanners Identified'"

Details

None

EscapeSeqDecode

Transformation

Decodes ANSI C escape sequences: \a, \b, \f, \n, \r, \t, \v, \, ?, ', ", \xHH (hexadecimal), \0OOO (octal). Invalid encodings are left in the output.

Details

None

Exec

Executes an external script/binary supplied as parameter. If the parameter supplied to exec is a Lua script (detected by the .lua extension) the script will be processed internally. This means you will get direct access to the internal request context from the script. Please read the SecRuleScript documentation for more details on how to write Lua scripts.

The exec action is executed independently from any disruptive actions specified. External scripts will always be called with no parameters. Some transaction information will be placed in environment variables. All the usual CGI environment variables will be there. You should be aware that forking a threaded process results in all threads being replicated in the new process. Forking can therefore incur larger overhead in a multithreaded deployment. The script you execute must write something (anything) to stdout; if it doesn’t, ModSecurity will assume that the script failed, and will record the failure.

Run external program on rule match

= SecRule REQUEST_URI "^/cgi-bin/script.pl" "phase:2,id:112,t:none,t:lowercase,t:normalizePath,block,\ exec:/usr/local/apache/bin/test.sh"

Run Lua script on rule match

= SecRule ARGS:p attack "phase:2,id:113,block,exec:/usr/local/apache/conf/exec.lua"

Details

None

HexDecode

Transformation

Decodes a string that has been encoded using the same algorithm as the one used in hexEncode (see following entry).

Details

None

HexEncode

Transformation

Encodes string (possibly containing binary characters) by replacing each input byte with two hexadecimal characters. For example, xyz is encoded as 78797a.

Details

None

HtmlEntityDecode

Transformation

Decodes the characters encoded as HTML entities. The following variants are supported:

  • HH and HH; (where H is any hexadecimal number)
  • DDD and DDD; (where D is any decimal number)
  • &quotand"
  • &nbspand
  • &ltand<
  • &gtand>

This function always converts one HTML entity into one byte, possibly resulting in a loss of information (if the entity refers to a character that cannot be represented with the single byte). It is thus useful to uncover bytes that would otherwise not need to be encoded, but it cannot do anything meaningful with the characters from the range above 0xff.

Details

None

InitCol

Initializes a named persistent collection, either by loading data from storage or by creating a new collection in memory.

Collections are loaded into memory on-demand, when the initcol action is executed. A collection will be persisted only if a change was made to it in the course of transaction processing.

The following example initiates IP address tracking, which is best done in phase 1:

Details

None

JsDecode

Transformation

Decodes JavaScript escape sequences. If a \uHHHH code is in the range of FF01-FF5E (the full width ASCII codes), then the higher byte is used to detect and adjust the lower byte. Otherwise, only the lower byte will be used and the higher byte zeroed (leading to possible loss of information).

Details

None

Length

Transformation

Looks up the length of the input string in bytes, placing it (as string) in output. For example, if it gets ABCDE on input, this transformation function will return 5 on output.

Details

None

Log

Indicates that a successful match of the rule needs to be logged.

This action will log matches to the Web Server error log file and the ModSecurity audit log.

= SecAction phase:1,id:117,pass,initcol:ip=%{REMOTE_ADDR},log

Details

None

LogData

Logs a data fragment as part of the alert message.

The logdata information appears in the error and/or audit log files. Macro expansion is performed, so you may use variable names such as %{TX.0} or %{MATCHED_VAR}. The information is properly escaped for use with logging of binary data.

= SecRule ARGS:p "@rx <script>" "phase:2,id:118,log,pass,logdata:%{MATCHED_VAR}"

Details

None

LowerCase

Transformation

Converts all characters to lowercase using the current C locale.

Details

None

Maturity

Specifies the relative maturity level of the rule related to the length of
time a rule has been public and the amount of testing it has received. The
value is a string based on a numeric scale (1-9 where 9 is extensively
tested and 1 is a brand new experimental rule).

Example

= SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bgetparentfolder\b" \
"phase:2,ver:'CRS/2.2.4,accuracy:'9',maturity:'9',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958016',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'% \

{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

Details

Md5

Transformation

Calculates an MD5 hash from the data in input. The computed hash is in a raw binary form and may need encoded into text to be printed (or logged). Hash functions are commonly used in combination with hexEncode (for example: t:md5,t:hexEncode).

Details

None

Msg

Assigns a custom message to the rule or chain in which it appears. The message will be logged along with every alert.

Note: The msg information appears in the error and/or audit log files and is not sent back to the client in response headers.

= SecRule &REQUEST_HEADERS:Host "@eq 0" "log,id:60008,severity:2,msg:'Request Missing a Host Header'"

Details

None

MultiMatch

If enabled, ModSecurity will perform multiple operator invocations for every target, before and after every anti-evasion transformation is performed.

Normally, variables are inspected only once per rule, and only after all transformation functions have been completed. With multiMatch, variables are checked against the operator before and after every transformation function that changes the input.

= SecRule ARGS "attack" "phase1,log,deny,id:119,t:removeNulls,t:lowercase,multiMatch"

Details

None

NoAuditLog

Indicates that a successful match of the rule should not be used as criteria to determine whether the transaction should be logged to the audit log.

If the SecAuditEngine is set to On, all of the transactions will be logged. If it is set to RelevantOnly, then you can control the logging with the noauditlog action.

The noauditlog action affects only the current rule. If you prevent audit logging in one rule only, a match in another rule will still cause audit logging to take place. If you want to prevent audit logging from taking place, regardless of whether any rule matches, use ctl:auditEngine=Off.

= SecRule REQUEST_HEADERS:User-Agent "Test" allow,noauditlog,id:120

Details

None

NoLog

Prevents rule matches from appearing in both the error and audit logs.

Although nolog implies noauditlog, you can override the former by using nolog,auditlog.

= SecRule REQUEST_HEADERS:User-Agent "Test" allow,nolog,id:121

Details

None

None

Transformation

Not an actual transformation function, but an instruction to ModSecurity to remove all transformation functions associated with the current rule.

Details

None

NormalisePath

Transformation

Removes multiple slashes, directory self-references, and directory back-references (except when at the beginning of the input) from input string.

Details

None

NormalisePathWin

Transformation

Same as normalizePath, but first converts backslash characters to forward slashes.

Details

None

ParityEven7bit

Transformation

Calculates even parity of 7-bit data replacing the 8th bit of each target byte with the calculated parity bit.

Details

None

ParityOdd7bit

Transformation

Calculates odd parity of 7-bit data replacing the 8th bit of each target byte with the calculated parity bit.

Details

None

ParityZero7bit

Transformation

Calculates zero parity of 7-bit data replacing the 8th bit of each target byte with a zero-parity bit, which allows inspection of even/odd parity 7-bit data as ASCII7 data.

Details

None

Pass

Continues processing with the next rule in spite of a successful match.

= SecRule REQUEST_HEADERS:User-Agent "Test" "log,pass,id:122"

When using pass with a SecRule with multiple targets, all variables will be inspected and all non-disruptive actions trigger for every match. In the following example, the TX.test variable will be incremented once for every request parameter:

Set TX.test to zero

= SecAction "phase:2,nolog,pass,setvar:TX.test=0,id:123"

Increment TX.test for every request parameter

= SecRule ARGS "test" "phase:2,log,pass,setvar:TX.test=+1,id:124"

Details

None

Phase

Places the rule or chain into one of five available processing phases. It can also be used in SecDefaultAction to establish the rule defaults.

There are aliases for some phase numbers: 2 - request 4 - response 5 - logging

Warning: Keep in mind that if you specify the incorrect phase, the variable used in the rule may not yet be available. This could lead to a false negative situation where your variable and operator may be correct, but it misses malicious data because you specified the wrong phase.

None

Details

None

Redirect

Intercepts transaction by issuing an external (client-visible) redirection to the given location.

If the status action is present on the same rule, and its value can be used for a redirection (i.e., is one of the following: 301, 302, 303, or 307), the value will be used for the redirection status code. Otherwise, status code 302 will be used.

= SecRule REQUEST_HEADERS:User-Agent "Test" "phase:1,id:130,log,redirect:http://www.example.com/failed.html"

Details

None

RemoveComments

Transformation

Removes each occurrence of comment (/* ... *, --, #). Multiple consecutive occurrences of which will not be compressed.

Details

None

RemoveCommentsChar

Transformation

Removes common comments chars (/*, , --, #).

Details

None

RemoveNulls

Transformation

Removes all NUL bytes from input.

Details

None

RemoveWhitespace

Transformation

Removes all whitespace characters from input.

Details

None

ReplaceComments

Transformation

Replaces each occurrence of a C-style comment (/* ... ) with a single space (multiple consecutive occurrences of which will not be compressed). Unterminated comments will also be replaced with a space (ASCII 0x20). However, a standalone termination of a comment (/) will not be acted upon.

Details

None

ReplaceNulls

Transformation

Replaces NUL bytes in input with space characters (ASCII 0x20).

Details

None

RequestBodyAccess

Changes ModSecurity configuration on transient, per-transaction basis. Any changes made using this action will affect only the transaction in which the action is executed. The default configuration, as well as the other transactions running in parallel, will be unaffected.

None

Details

None

RequestBodyProcessorJSON

Changes ModSecurity configuration on transient, per-transaction basis. Any changes made using this action will affect only the transaction in which the action is executed. The default configuration, as well as the other transactions running in parallel, will be unaffected.

None

Details

None

RequestBodyProcessorXML

Changes ModSecurity configuration on transient, per-transaction basis. Any changes made using this action will affect only the transaction in which the action is executed. The default configuration, as well as the other transactions running in parallel, will be unaffected.

None

Details

None

Rev

Specifies rule revision. It is useful in combination with the id action to provide an indication that a rule has been changed.

Note: This action is used in combination with the id action to allow the same rule ID to be used after changes take place but to still provide some indication the rule changed

= SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?:(?:[;|`]\W*?\bcc|\b(wget|curl))\b|/cc(?:['"|;`-\s]|$))"
"phase:2,rev:'2.1.3',capture,t:none,t:normalizePath,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'950907',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_COMMAND_INJECTION1"

Details

None

RuleEngine

Changes ModSecurity configuration on transient, per-transaction basis. Any changes made using this action will affect only the transaction in which the action is executed. The default configuration, as well as the other transactions running in parallel, will be unaffected.

None

Details

None

RuleId

Assigns a unique ID to the rule or chain in which it appears

These are the reserved ranges:

= SecRule &REQUEST_HEADERS:Host "@eq 0" "log,id:60008,severity:2,msg:'Request Missing a Host Header'"

Details

None

RuleRemoveById

Changes ModSecurity configuration on transient, per-transaction basis. Any changes made using this action will affect only the transaction in which the action is executed. The default configuration, as well as the other transactions running in parallel, will be unaffected.

None

Details

None

RuleRemoveByTag

Changes ModSecurity configuration on transient, per-transaction basis. Any changes made using this action will affect only the transaction in which the action is executed. The default configuration, as well as the other transactions running in parallel, will be unaffected.

None

Details

None

RuleRemoveTargetById

Changes ModSecurity configuration on transient, per-transaction basis. Any changes made using this action will affect only the transaction in which the action is executed. The default configuration, as well as the other transactions running in parallel, will be unaffected.

None

Details

None

RuleRemoveTargetByTag

Changes ModSecurity configuration on transient, per-transaction basis. Any changes made using this action will affect only the transaction in which the action is executed. The default configuration, as well as the other transactions running in parallel, will be unaffected.

None

Details

None

SetRSC

Special-purpose action that initializes the RESOURCE collection using a key provided as parameter.

This action understands application namespaces (configured using SecWebAppId), and will use one if it is configured.

= SecAction "phase:1,pass,id:3,log,setrsc:'abcd1234'"

Details

None

SetSID

Special-purpose action that initializes the SESSION collection using the session token provided as parameter.

Note: After the initialization takes place, the variable SESSION will be available for use in the subsequent rules. This action understands application namespaces (configured using SecWebAppId), and will use one if it is configured.

Setsid takes an individual variable, not a collection. Variables within an action, such as setsid, use the format [collection].[variable] .

Initialise session variables using the session cookie value

= SecRule REQUEST_COOKIES:PHPSESSID !^$ "nolog,pass,id:138,setsid:%{REQUEST_COOKIES.PHPSESSID}"

Details

None

SetUID

Special-purpose action that initializes the USER collection using the username provided as parameter.

After initialization takes place, the variable USERID will be available for use in the subsequent rules. This action understands application namespaces (configured using SecWebAppId), and will use one if it is configured.

= SecRule ARGS:username ".*" "phase:2,id:137,t:none,pass,nolog,noauditlog,capture,setvar:session.username=%{TX.0},setuid:%{TX.0}"

Details

None

SetVar

Creates, removes, or updates a variable. Variable names are
case-insensitive.

Example

To create a variable and set its value to 1 (usually used for setting flags), use: setvar:TX.score

To create a variable and initialize it at the same time, use: setvar:TX.score=10

To remove a variable, prefix the name with an exclamation mark: setvar:!TX.score

To increase or decrease variable value, use + and - characters in front of a numerical value: setvar:TX.score=+5

Example from OWASP CRS:
= SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsys\.user_catalog\b" \
    "phase:2,rev:'2.1.3',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E, \

block,msg:'Blind SQL Injection Attack',id:'959517',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',
tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

Note: When used in a chain this action will be executed when an individual
rule matches and not the entire chain.This means that

= SecRule REQUEST_FILENAME "@contains /test.php" "chain,id:7,phase:1,t:none,nolog,setvar:tx.auth_attempt=+1" 
= SecRule ARGS_POST:action "@streq login" "t:none"

will increment every time that test.php is visited (regardless of the
parameters submitted). If the desired goal is to set the variable only if
the entire rule matches, it should be included in the last rule of the
chain. For instance:

= SecRule REQUEST_FILENAME "@streq test.php" "chain,id:7,phase:1,t:none,nolog"
= SecRule ARGS_POST:action "@streq login" "t:none,setvar:tx.auth_attempt=+1"

Details

Severity

Assigns severity to the rule in which it is used.

Severity values in ModSecurity follows the numeric scale of syslog (where 0 is the most severe). The data below is used by the OWASP ModSecurity Core Rule Set (CRS):

  • 0 - EMERGENCY: is generated from correlation of anomaly scoring data where there is an inbound attack and an outbound leakage.
  • 1 - ALERT: is generated from correlation where there is an inbound attack and an outbound application level error.
  • 2 - CRITICAL: Anomaly Score of 5. Is the highest severity level possible without correlation. It is normally generated by the web attack rules (40 level files).
  • 3 - ERROR: Error - Anomaly Score of 4. Is generated mostly from outbound leakage rules (50 level files).
  • 4 - WARNING: Anomaly Score of 3. Is generated by malicious client rules (35 level files).
  • 5 - NOTICE: Anomaly Score of 2. Is generated by the Protocol policy and anomaly files.
  • 6 - INFO
  • 7 - DEBUG

It is possible to specify severity levels using either the numerical values or the text values, but you should always specify severity levels using the text values, because it is difficult to remember what a number stands for. The use of the numerical values is deprecated as of version 2.5.0 and may be removed in one of the subsequent major updates.

= SecRule REQUEST_METHOD "^PUT$" "id:340002,rev:1,severity:CRITICAL,msg:'Restricted HTTP function'"

Details

None

Sha1

Transformation

Calculates a SHA1 hash from the input string. The computed hash is in a raw binary form and may need encoded into text to be printed (or logged). Hash functions are commonly used in combination with hexEncode (for example, t:sha1,t:hexEncode).

Details

None

Skip

Skips one or more rules (or chains) on successful match.

The skip action works only within the current processing phase and not necessarily in the order in which the rules appear in the configuration file. If you place a phase 2 rule after a phase 1 rule that uses skip, it will not skip over the phase 2 rule. It will skip over the next phase 1 rule that follows it in the phase.

Require Accept header, but not from access from the localhost

= SecRule REMOTE_ADDR "^127.0.0.1$" "phase:1,skip:1,id:141"

This rule will be skipped over when REMOTE_ADDR is 127.0.0.1

= SecRule &REQUEST_HEADERS:Accept "@eq 0" "phase:1,id:142,deny,msg:'Request Missing an Accept Header'"

Details

None

SkipAfter

Skips one or more rules (or chains) on a successful match, resuming rule execution with the first rule that follows the rule (or marker created by SecMarker) with the provided ID.

The following rules implement the same logic as the skip example, but using skipAfter:

Require Accept header, but not from access from the localhost

= SecRule REMOTE_ADDR "^127.0.0.1$" "phase:1,id:143,skipAfter:IGNORE_LOCALHOST"

This rule will be skipped over when REMOTE_ADDR is 127.0.0.1

= SecRule &REQUEST_HEADERS:Accept "@eq 0" "phase:1,deny,id:144,msg:'Request Missing an Accept Header'" = SecMarker IGNORE_LOCALHOST

The skipAfter action works only within the current processing phase and not necessarily the order in which the rules appear in the configuration file. If you place a phase 2 rule after a phase 1 rule that uses skip, it will not skip over the phase 2 rule. It will skip over the next phase 1 rule that follows it in the phase.

Details

None

SqlHexDecode

Transformation

Decode sql hex data. Example (0x414243) will be decoded to (ABC).

Details

None

Status

Specifies the response status code to use with actions deny and redirect.

Status actions defined in Apache scope locations (such as Directory, Location, etc...) may be superseded by phase:1 action settings. The Apache ErrorDocument directive will be triggered if present in the configuration. Therefore if you have previously defined a custom error page for a given status then it will be executed and its output presented to the user.

Deny with status 403

= SecDefaultAction "phase:1,log,deny,id:145,status:403"

Details

None

Tag

Assigns a tag (category) to a rule or a chain.

The tag information appears along with other rule metadata. The purpose of the tagging mechanism to allow easy automated categorization of events. Multiple tags can be specified on the same rule. Use forward slashes to create a hierarchy of categories (as in the example).

None

Details

None

Trim

Transformation

Removes whitespace from both the left and right sides of the input string.

Details

None

TrimLeft

Transformation

Removes whitespace from the left side of the input string.

Details

None

TrimRight

Transformation

Removes whitespace from the right side of the input string.

Details

None

UpperCase

Transformation

Converts all characters to uppercase using the current C locale.

Details

None

UrlDecode

Transformation

Decodes a URL-encoded input string. Invalid encodings (i.e., the ones that use non-hexadecimal characters, or the ones that are at the end of string and have one or two bytes missing) are not converted, but no error is raised. To detect invalid encodings, use the @validateUrlEncoding operator on the input data first. The transformation function should not be used against variables that have already been URL-decoded (such as request parameters) unless it is your intention to perform URL decoding twice!

Details

None

UrlDecodeUni

Transformation

Like urlDecode, but with support for the Microsoft-specific %u encoding. If the code is in the range of FF01-FF5E (the full-width ASCII codes), then the higher byte is used to detect and adjust the lower byte. Otherwise, only the lower byte will be used and the higher byte zeroed.

Details

None

UrlEncode

Transformation

Encodes input string using URL encoding.

Details

None

Utf8ToUnicode

Transformation

Converts all UTF-8 characters sequences to Unicode. This help input normalization specially for non-english languages minimizing false-positives and false-negatives.

Details

None

Ver

Specifies the rule set version.

Example

= SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bgetparentfolder\b" \
"phase:2,ver:'CRS/2.2.4,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958016',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'% \

{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

Details

XmlNS

Configures an XML namespace, which will be used in the execution of XPath expressions.

= SecRule REQUEST_HEADERS:Content-Type "text/xml" "phase:1,id:147,pass,ctl:requestBodyProcessor=XML,ctl:requestBodyAccess=On,
xmlns:xsd="http://www.w3.org/2001/XMLSchema" = SecRule XML:/soap:Envelope/soap:Body/q1:getInput/id() "123" phase:2,deny,id:148

Details

None

Add a custom footer
Add a custom sidebar
Clone this wiki locally