
ModSecurity 2

Rule Language
ModSecurity 2 Rule Language 2 / 30
Processing Phases

ModSecurity splits processing into 5 processing phases:

1. Request Headers
2. Request Body
3. Response Headers
4. Response Body
5. Logging

This many phases allow you to decide what you want to happen at key points of transaction processing.
Rule Syntax

The most used directive is SecRule:

SecRule VARIABLES OPERATOR [ACTIONS]

This directive will:

1. Expand collection variables from the VARIABLES section.
2. Apply the operator as specified in the OPERATOR section to the expanded variables.
3. One rule will trigger once for a match in every variable.
4. A match will either execute the per-rule actions, or perform the default actions.
Simple Rule

In the simplest case:

SecRule REQUEST_URI aaa

The above will look for the pattern aaa in the variable REQUEST_URI.

The pattern is a regular expression.

A similar pattern can be written as:

SecRule REQUEST_URI a{3}

ModSecurity uses PCRE (http://www.pcre.org)


Multiple Variables As Targets

There can be any number of variables in the VARIABLES section (separated by pipes):

SecRule "REQUEST_URI|QUERY_STRING" \
ccc

Configuration directives can be split over several lines (that's an Apache feature) by terminating the line with a backslash.

The whitespace at the beginning of the next line will become part of the directive.

If you need to have whitespace in a parameter, use double quotes to delimit it.
Variable Collections

Some variables expand at runtime:

SecRule ARGS ddd

The above will expand into variables representing individual request parameters, but only if there are parameters present.

Only the content is examined.

Another variable is used for the names:

SecRule ARGS_NAMES eee

There is a variable for every bit of the transaction.


Targeting Individual Parameters

You can target individual parameters with the help of the selection operator:

SecRule ARGS:p fff

Or you can target all parameters except the ones you specify:

SecRule ARGS|!ARGS:q ggg

You can even use a regular expression to select the parameters (! does the opposite in beta.3):

SecRule ARGS:/^z/ hhh
Counting Variables In a Collection

You can count how many variables there are in a collection (e.g. parameters, request headers, response headers, etc):

SecRule &ARGS !^0$

The above triggers if there are any parameters supplied in the request.

You might have noticed the exclamation mark: it negates the regular expression.
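To make the expansion rules on the last three slides concrete, here is an added example (it is not part of the original slides and is not ModSecurity's own code): a small Python model of how a VARIABLES specification expands against the parameters of one request, and how the default regular-expression operator is then applied to every expanded variable in turn, so that one rule can trigger several times. Only the ARGS and ARGS_NAMES collections are modelled, and the selector semantics (exact name, /regex/ on the name, ! exclusion, & count) follow the descriptions above; those simplifications are this example's assumptions.

```python
import re
from urllib.parse import parse_qsl


def parse_args(query_string):
    """Constructed input: the request parameters as ordered (name, value) pairs."""
    return parse_qsl(query_string, keep_blank_values=True)


def _select(pool, selector):
    """Apply a selector: exact name (ARGS:p) or /regex/ on the name (ARGS:/^z/)."""
    if selector.startswith("/") and selector.endswith("/") and len(selector) > 1:
        name_rx = re.compile(selector[1:-1])
        return [(vn, v) for vn, v in pool if name_rx.search(vn.split(":", 1)[1])]
    return [(vn, v) for vn, v in pool if vn.split(":", 1)[1] == selector]


def expand_targets(spec, args):
    """Expand a VARIABLES spec (pipe-separated parts such as ARGS, ARGS_NAMES,
    ARGS:p, !ARGS:q, ARGS:/^z/, &ARGS) into one (variable, value) pair per variable.
    Only ARGS and ARGS_NAMES are modelled here (an assumption of this example)."""
    selected = []
    for part in spec.split("|"):
        negate = part.startswith("!")
        part = part[1:] if negate else part
        count = part.startswith("&")
        part = part[1:] if count else part
        coll, _, selector = part.partition(":")
        if coll == "ARGS":
            pool = [("ARGS:" + n, v) for n, v in args]        # parameter values
        elif coll == "ARGS_NAMES":
            pool = [("ARGS_NAMES:" + n, n) for n, _ in args]  # parameter names
        else:
            raise ValueError("collection not modelled: " + coll)
        if selector:
            pool = _select(pool, selector)
        if count:
            # &COLLECTION collapses the expansion into one variable holding the count
            pool = [("&" + coll, str(len(pool)))]
        if negate:
            excluded = {vn for vn, _ in pool}
            selected = [(vn, v) for vn, v in selected if vn not in excluded]
        else:
            selected.extend(pool)
    return selected


def run_rule(spec, pattern, args):
    """Default operator (@rx) applied to every expanded variable; a leading '!'
    negates the match. Returns the variables that triggered, one entry per match."""
    negate = pattern.startswith("!")
    rx = re.compile(pattern[1:] if negate else pattern)
    return [vn for vn, value in expand_targets(spec, args)
            if (rx.search(value) is not None) != negate]


if __name__ == "__main__":
    # Constructed query string standing in for a request's parameters
    args = parse_args("p=aaa&q=abc&zeta=xyz&zoo=aaa")
    for spec, pattern in [("ARGS", "aaa"), ("ARGS:p", "aaa"), ("ARGS|!ARGS:q", "a"),
                          ("ARGS:/^z/", "xyz"), ("&ARGS", "!^0$"), ("ARGS_NAMES", "^z")]:
        print(f"SecRule {spec} {pattern} -> {run_rule(spec, pattern, args)}")
```

Running the script shows the point of slide "Rule Syntax" step 3: SecRule ARGS aaa reports two triggers (ARGS:p and ARGS:zoo), while &ARGS !^0$ reports exactly one, because the count collapses the collection into a single variable before the operator runs.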
Variable Names (1)

ARGS, ARGS_COMBINED_SIZE, ARGS_NAMES

REQBODY_PROCESSOR,
REQBODY_PROCESSOR_ERROR,
REQBODY_PROCESSOR_ERROR_MSG

XML

WEBSERVER_ERROR_LOG

FILES, FILES_TMPNAMES, FILES_NAMES,
FILES_SIZES, FILES_COMBINED_SIZE

ENV
Variable Names (2)

REMOTE_HOST, REMOTE_ADDR,
REMOTE_PORT, REMOTE_USER

PATH_INFO, QUERY_STRING

AUTH_TYPE

SERVER_NAME, SERVER_PORT, SERVER_ADDR

REQUEST_LINE, REQUEST_URI,
REQUEST_METHOD, REQUEST_PROTOCOL

REQUEST_FILENAME, REQUEST_BASENAME

SCRIPT_FILENAME, SCRIPT_BASENAME
Variable Names (3)

TIME, TIME_EPOCH

TIME_YEAR, TIME_MON, TIME_DAY,
TIME_HOUR, TIME_MIN, TIME_SEC,
TIME_WDAY

SCRIPT_UID, SCRIPT_GID

SCRIPT_USERNAME, SCRIPT_GROUPNAME

SCRIPT_MODE

REQUEST_HEADERS,
REQUEST_HEADERS_NAMES
Variable Names (4)

REQUEST_COOKIES,
REQUEST_COOKIES_NAMES

REQUEST_BODY

RESPONSE_LINE, RESPONSE_STATUS

RESPONSE_PROTOCOL

RESPONSE_HEADERS,
RESPONSE_HEADERS_NAMES

RESPONSE_BODY

WEBAPPID, SESSIONID
Explicit Operators In Rules

The regular expression matcher is the default operator.

In the general case you can choose exactly which operator you want to use:

SecRule REQUEST_URI "@rx iii"

You can still use the exclamation mark in front of the @ character (and the meaning is the same).
Supported Operators

The following operators are supported in 2.0.0-beta.3:

eq
ge
gt
inspectFile
le
lt
rbl
rx
validateByteRange
validateDTD
validateSchema
validateUrlEncoding
validateUtf8Encoding
Operator Usage Examples

Validate files that are uploaded:

SecRule FILES_TMPNAMES "@inspectFile \
/opt/apache/bin/inspect_script.pl"

Check only certain bytes are used in parameters:

SecRule ARGS "@validateByteRange \
10,13,32-126"

Validate UTF-8 encoding:

SecRule ARGS "@validateUtf8Encoding"

Real-time Block List lookup:

SecRule REMOTE_ADDR "@rbl sc.surbl.org"
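The @validateByteRange example above is the one operator on this slide whose argument has its own small grammar, so here is an added example (not from the original slides, and not ModSecurity's implementation) in Python that parses a range list such as 10,13,32-126, reports which bytes of a value fall outside it, and applies the check to a set of constructed request parameters the way SecRule ARGS would. Checking a string as its UTF-8 bytes is this example's assumption; it is what makes non-ASCII text fail the ASCII-only range used on the slide.

```python
def parse_byte_range(spec):
    """Parse an @validateByteRange argument such as "10,13,32-126" into the set of
    byte values the rule allows. Single values and lo-hi ranges may be mixed."""
    allowed = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, sep, hi = item.partition("-")
        lo_v = int(lo)
        hi_v = int(hi) if sep else lo_v
        if not 0 <= lo_v <= hi_v <= 255:
            raise ValueError("invalid range element: " + item)
        allowed.update(range(lo_v, hi_v + 1))
    return allowed


def validate_byte_range(value, spec):
    """Return the (offset, byte) pairs in 'value' that fall outside the allowed set.
    An empty list means the value passes. A str is checked as its UTF-8 bytes
    (this example's assumption), so non-ASCII text fails an ASCII-only range."""
    if isinstance(value, str):
        value = value.encode("utf-8")
    allowed = parse_byte_range(spec)
    return [(i, b) for i, b in enumerate(value) if b not in allowed]


def check_args(args, spec="10,13,32-126"):
    """SecRule ARGS "@validateByteRange ..." over (name, value) pairs: the rule
    triggers once per parameter that contains a disallowed byte."""
    return [name for name, value in args if validate_byte_range(value, spec)]


if __name__ == "__main__":
    # Constructed parameters: clean, non-ASCII, multi-line (CR/LF allowed), and a NUL byte
    sample = [("id", "42"), ("name", "caf\u00e9"),
              ("note", "line1\r\nline2"), ("raw", b"a\x00b")]
    for name, value in sample:
        print(name, validate_byte_range(value, "10,13,32-126"))
    print("would trigger:", check_args(sample))
```

The offsets returned by validate_byte_range are what you would want in a log message when tuning such a rule: they tell you whether a parameter failed because of a control character (a NUL, as in the "raw" parameter) or simply because it carries legitimate non-ASCII text, which calls for a wider range rather than a block.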
Actions

There are five types of action:

1. Disruptive actions - interrupt the current transaction.
2. Non-disruptive actions - change state.
3. Flow actions - change rule flow.
4. Meta-data actions - contain rule metadata.
5. Data actions - mere placeholders for other actions.

Usage example:

SecRule ARGS ddd log,deny,status:500
SecAction nolog,pass,exec:/bin/this/that.pl
Disruptive Actions

Interrupt or disrupt the transaction:

deny - stops the transaction.

drop - drops the connection.

redirect - respond with a redirection.

proxy - forward the request to another server.

pause - slow down execution.


Meta-data Actions

Meta-data actions describe the rule:

id - unique rule ID.

rev - rule revision.

msg - custom message.

severity - as syslog (0-7).

phase - the phase where the rule is supposed to run.

log, nolog - whether or not to log the match.

auditlog, noauditlog - whether or not to count the match toward audit logging.
Flow Actions

Flow actions affect how rules are processed:

allow - stop processing rules.

chain - combine the rule with the next one.

pass - ignore the match in the current rule.

skip - skip over one or more rules.


Data Actions

Data actions are helpers for other parts of the rule:

capture - used in combination with @rx to capture subexpressions.

status - which status code to use for deny, redirect.

t - defines which transformation functions need to be run against the variables.

xmlns - defines the namespace for XPath expressions.


Audit Log Sanitisation Actions

There are four actions:

sanitiseArg

sanitiseMatched

sanitiseRequestHeader

sanitiseResponseHeader

Examples:

SecAction nolog,pass,sanitiseArg:p
SecAction \
nolog,pass,sanitiseRequestHeader:Authorization
SecRule ARGS secret \
nolog,pass,sanitiseMatched
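What the four sanitisation actions do to the audit log is easiest to see on data, so here is an added example (it is not part of the original slides, and it is not ModSecurity's code) in Python that applies the three rules above, plus a sanitiseResponseHeader, to a constructed audit-log entry. The entry layout (args, request_headers, response_headers dictionaries), the replacement of a value with asterisks of the same length, and the passing of the matched variables to sanitiseMatched are all this example's assumptions.

```python
import copy


def _mask(value):
    """Replace a value with asterisks of the same length so the audit log keeps its shape."""
    return "*" * len(value)


def sanitise_audit_entry(entry, actions, matched=()):
    """Apply sanitise actions to an audit-log entry and return a sanitised copy.
    entry:   {"args": {...}, "request_headers": {...}, "response_headers": {...}}
    actions: e.g. ["sanitiseArg:p", "sanitiseRequestHeader:Authorization", "sanitiseMatched"]
    matched: variables the rule matched (e.g. "ARGS:secret"), consumed by sanitiseMatched.
    The original entry is left untouched."""
    out = copy.deepcopy(entry)

    def mask_header(table, wanted):
        for name in table:  # header names are case-insensitive
            if name.lower() == wanted.lower():
                table[name] = _mask(table[name])

    for action in actions:
        kind, _, target = action.partition(":")
        if kind == "sanitiseArg":
            if target in out["args"]:
                out["args"][target] = _mask(out["args"][target])
        elif kind == "sanitiseRequestHeader":
            mask_header(out["request_headers"], target)
        elif kind == "sanitiseResponseHeader":
            mask_header(out["response_headers"], target)
        elif kind == "sanitiseMatched":
            for var in matched:
                coll, _, key = var.partition(":")
                if coll == "ARGS" and key in out["args"]:
                    out["args"][key] = _mask(out["args"][key])
        else:
            raise ValueError("unknown sanitise action: " + action)
    return out


# Constructed audit-log entry; the credential-looking values are made up for the example
SAMPLE_ENTRY = {
    "args": {"user": "alice", "p": "hunter2", "secret": "s3cr3t"},
    "request_headers": {"Host": "shop.example",
                        "Authorization": "Basic YWxpY2U6aHVudGVyMg=="},
    "response_headers": {"Set-Cookie": "PHPSESSID=abc123"},
}

if __name__ == "__main__":
    clean = sanitise_audit_entry(
        SAMPLE_ENTRY,
        ["sanitiseArg:p", "sanitiseRequestHeader:Authorization",
         "sanitiseResponseHeader:Set-Cookie", "sanitiseMatched"],
        matched=["ARGS:secret"])
    print(clean)
```

Note the division of labour: sanitiseArg and the header actions mask by name, which is what you want for fields that are always sensitive (passwords, Authorization, session cookies), while sanitiseMatched masks whatever the rule's own pattern found, so a rule that detects a secret in any parameter does not then copy that secret into the audit log.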
Variable Actions

Working with environment variables:

setenv:name=value
setenv:!name

Working with variables:

setvar:tx.score=10
setvar:tx.score=+5
setvar:!tx.score
deprecatevar:session.score=60/3600
expirevar:session.blocked=3600
Collection Actions

initcol - create a persistent collection:

initcol:ip=%{REMOTE_ADDR}

setsid - initialise session storage:

SecRule REQUEST_COOKIES:PHPSESSID !^$ chain,nolog,pass
SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}

This action will initialise the variable SESSIONID.

Use the SecWebAppId directive to create a session storage namespace for each application.
Built-in Collection Variables

Some variables are automatically generated:

CREATE_TIME

KEY

LAST_UPDATE_TIME

TIMEOUT

UPDATE_COUNTER

UPDATE_RATE

Some variable names have a pre-defined purpose:

BLOCKED

SCORE
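The variable actions, collection actions and built-in collection variables of the last three slides fit together as one mechanism: a persistent collection keyed by initcol or setsid, with counters that setvar adjusts, deprecatevar decays and expirevar retires. Here is an added example (not from the original slides and not ModSecurity's implementation) in Python that models that mechanism and replays the slide's setvar/deprecatevar/expirevar sequence against one ip collection. The linear decay (amount per period, measured from the variable's last setvar, floored at zero), the expiry check on read, and the book-keeping of UPDATE_COUNTER and LAST_UPDATE_TIME are this example's assumptions about how the actions behave.

```python
class Collection:
    """Model of a persistent ModSecurity collection (ip, session, ...) carrying the
    book-keeping variables listed on the slides. Decay and expiry semantics are this
    example's assumptions, not a transcription of ModSecurity's code."""

    def __init__(self, key, now):
        self.vars = {"KEY": key, "CREATE_TIME": now, "LAST_UPDATE_TIME": now,
                     "UPDATE_COUNTER": 0, "TIMEOUT": 3600}
        self.touched = {}   # variable -> time of its last setvar, used by deprecatevar
        self.expires = {}   # variable -> absolute time after which it is gone

    def setvar(self, spec, now):
        """setvar:name=10 (set), setvar:name=+5 / name=-3 (adjust), setvar:!name (remove)."""
        if spec.startswith("!"):
            self.vars.pop(spec[1:], None)
        else:
            name, _, expr = spec.partition("=")
            if expr and expr[0] in "+-":
                self.vars[name] = int(self.vars.get(name, 0)) + int(expr)
            else:
                self.vars[name] = int(expr) if expr.isdigit() else expr
            self.touched[name] = now
        self.vars["LAST_UPDATE_TIME"] = now
        self.vars["UPDATE_COUNTER"] += 1

    def deprecatevar(self, spec, now):
        """deprecatevar:name=60/3600: subtract 60 for every 3600 s since the variable
        was last set, never going below zero (linear decay is assumed here)."""
        name, _, rate = spec.partition("=")
        amount, period = (int(x) for x in rate.split("/"))
        if name in self.vars:
            elapsed = now - self.touched.get(name, self.vars["CREATE_TIME"])
            decay = amount * elapsed // period
            self.vars[name] = max(0, int(self.vars[name]) - decay)

    def expirevar(self, spec, now):
        """expirevar:name=3600: the variable disappears 3600 s from now."""
        name, _, seconds = spec.partition("=")
        self.expires[name] = now + int(seconds)

    def get(self, name, now):
        """Read a variable, dropping it first if its expirevar deadline has passed."""
        if name in self.expires and now >= self.expires[name]:
            del self.expires[name]
            self.vars.pop(name, None)
        return self.vars.get(name)


def scenario():
    """The slide's score/blocked sequence replayed against one ip collection."""
    t = 0
    # Constructed client address, as initcol:ip=%{REMOTE_ADDR} would key the collection
    ip = Collection("198.51.100.7", now=t)
    ip.setvar("score=10", t)
    ip.setvar("score=+5", t)            # score is now 15
    ip.setvar("blocked=1", t)
    ip.expirevar("blocked=3600", t)     # blocked flag lives for an hour
    out = {"score_after_setvar": ip.get("score", t),
           "counter": ip.vars["UPDATE_COUNTER"]}
    t = 600
    ip.deprecatevar("score=60/3600", t)  # 60 * 600 // 3600 = 10 taken off -> 5
    out["score_after_decay"] = ip.get("score", t)
    out["blocked_at_600"] = ip.get("blocked", t)
    out["blocked_at_3600"] = ip.get("blocked", 3600)
    ip.setvar("!score", 3600)
    out["score_after_delete"] = ip.get("score", 3600)
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The pairing shown in scenario() is the usual shape of a scoring policy: setvar accumulates evidence per client, deprecatevar lets a quiet client's score drain away so stale history does not keep it blocked, and expirevar puts a hard lifetime on the blocked flag itself.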
Other Actions

Execute an external script:

exec:/bin/script.pl

Update transaction settings dynamically:

ctl
auditEngine
auditLogParts
debugLogLevel
requestBodyAccess
requestBodyLimit
requestBodyProcessor
responseBodyAccess
responseBodyLimit

For example:

ctl:auditEngine=off
Transformation Functions (1)

Transformation functions will automatically convert data before matching:

hexDecode
hexEncode
htmlEntityDecode
escapeSeqDecode
normalisePath
normalisePathWin
md5
sha1
lowercase
replaceNulls
compressWhitespace
replaceComments
urlDecode
urlDecodeUni
base64Encode
base64Decode
Transformation Functions (2)

The following is performed by default (and in this order):

lowercase

replaceNulls

compressWhitespace

But you can change the default setting for all subsequent rules:

SecDefaultAction log,deny,status:500,\
t:replaceNulls,t:compressWhitespace

Or, just for one rule:

SecRule ARGS:base64 ABC t:base64Decode
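Because transformations run in the order listed and the operator only ever sees the transformed value, the order matters for a rule like the one above. Here is an added example (not from the original slides, and not ModSecurity's implementation) in Python with stand-ins for a few of the functions on the previous slide, a pipeline that applies a t: list in order, and a check that shows why lowercase before base64Decode breaks the match while base64Decode first does not. The behaviour of each stand-in is assumed from the function's name, and urlDecode and hexEncode are included only to show the pipeline is generic.

```python
import base64
import re
from urllib.parse import unquote_plus


def _b64(s):
    """Decode base64; a value that is not valid base64 is passed through unchanged."""
    try:
        return base64.b64decode(s, validate=True).decode("utf-8", "replace")
    except ValueError:  # covers binascii.Error and non-ASCII input
        return s


# Pure-Python stand-ins for some transformation functions named on the slides
# (behaviour assumed from their names; illustrative only, not ModSecurity's code)
TRANSFORMS = {
    "lowercase": lambda s: s.lower(),
    "replaceNulls": lambda s: s.replace("\x00", " "),
    "compressWhitespace": lambda s: re.sub(r"\s+", " ", s),
    "urlDecode": unquote_plus,
    "hexEncode": lambda s: s.encode("utf-8").hex(),
    "base64Decode": _b64,
}

DEFAULT_T = ["lowercase", "replaceNulls", "compressWhitespace"]  # the slide's default chain


def apply_transformations(value, names):
    """Run the named transformation functions over the value, in the order given."""
    for name in names:
        value = TRANSFORMS[name](value)
    return value


def rule_matches(value, pattern, t_names=DEFAULT_T):
    """Default @rx operator applied to the transformed value, as a rule would see it."""
    return re.search(pattern, apply_transformations(value, t_names)) is not None


if __name__ == "__main__":
    print(repr(apply_transformations("A\x00B\t\t C", DEFAULT_T)))   # default chain at work
    encoded = base64.b64encode(b"ABC").decode()                      # constructed input: 'QUJD'
    print(rule_matches(encoded, "ABC", ["base64Decode"]))            # decode only
    print(rule_matches(encoded, "ABC", DEFAULT_T + ["base64Decode"]))  # lowercase first corrupts the base64
    print(rule_matches(encoded, "abc", ["base64Decode"] + DEFAULT_T))  # decode, then the defaults
```

The practical reading: when a rule lists its own t: functions after defaults that include lowercase, a base64-encoded parameter is lowercased before it is decoded and the decoded bytes are garbage; decoding first and writing the pattern for the lowercased result is the order that works.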
Complete XML Example (1)

Detect XML and instruct ModSecurity to parse it:

# Phase 1
SecDefaultAction phase:1
# Detect XML requests and process them as XML
SecRule REQUEST_HEADERS:Content-Type ^text/xml$ \
nolog,pass,ctl:requestBodyProcessor=XML
Complete XML Example (2)

# Phase 2
SecDefaultAction phase:2
# Stop on request body processing errors
# (e.g. XML is not well formed)
SecRule REQBODY_PROCESSOR_ERROR "@eq 1"
# Validate XML against a DTD
SecRule REQBODY_PROCESSOR "^XML$" chain
SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
# Look into only one part of the XML
SecRule XML:/person/name/firstname/text() Ivan
THE END

Questions?
