# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.0.3
# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.

# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------

# This file is used to allow custom checks and exclusions for the transactional
# variable rules. Place rules in this file so that you may influence what happens
# in the 49 - Enforcement File.

# In previous ModSecurity rules, the TARGET list would have to be updated in
# order to exclude a specific parameter like this -

# SecRule ARGS_NAMES|ARGS|!ARGS:foo

# With the new transactional variable rules, parameter exceptions can now
# be handled AFTER the initial inspection as the rules now use setvars to
# capture meta-data with each rule match. They use this syntax -

# setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}

# When the transactional rules trigger, they will set a TX variable similar to this
# for an SQL Injection attack -

# Set variable "tx.950001-WEB_ATTACK/SQL_INJECTION-ARGS:comments" to "1' or select * from users where username = admin ".

# With this data now available, the user can implement flexible exceptions.

# Exception example - exclude a parameter

# In this example, we are inspecting
# the TX collection to see if there is a current variable that has matched
# for the 950001 SQL Injection rule ID and for the "comments" parameter. If
# so, then we are going to remove that variable from the TX collection entirely
# by using the setvar:!tx. syntax. By doing this, the TX variable is removed
# before final inspection at the end of phase 2 in the enforcement file.

#SecRule TX:'/^950001.*ARGS:comments/' ".*" "chain,phase:2,t:none,nolog,pass"
#	SecRule MATCHED_VAR_NAME "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-20"

# This is an example exclusion for the entire SQL Injection category of rules

#SecRule TX:'/SQL_INJECTION/' ".*" "phase:2,t:none,nolog,pass,chain,setvar:tx.sql_injection=+1,setvar:tx.sql_injection_%{tx.sql_injection}=%{matched_var_name}"
#	SecRule TX:'/^SQL_INJECTION_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-20"

# This is an example exclusion that combines the URL and parameter and removes
# a specific SQL Injection ID only if the parameter foo payload matches

#SecRule REQUEST_FILENAME "@streq /path/to/file.php" "chain,phase:2,t:none,nolog,pass"
#	SecRule TX:'/^950001.*ARGS:foo/' "@streq Item 1=1" "chain,t:none"
#	SecRule MATCHED_VAR_NAME "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score=-20"
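# As an added illustration, not part of the CRS distribution, the Python below
# models the TX-variable convention described above so that the exception
# patterns can be dry-run against constructed match data before a rule is
# enabled. The XSS entry, rule id 999999 and the request file names are
# constructed placeholders.

```python
import re

# Weight subtracted per removed match, mirroring "setvar:tx.anomaly_score=-20" above.
SCORE_PER_MATCH = 20

def record_match(tx, rule_id, category, matched_var_name, matched_var):
    """Model a detection rule firing: it sets
    tx.%{rule.id}-<category>-%{matched_var_name}=%{matched_var} and raises the score."""
    tx[f"{rule_id}-{category}-{matched_var_name}"] = matched_var
    tx["anomaly_score"] = tx.get("anomaly_score", 0) + SCORE_PER_MATCH

def apply_exception(tx, name_regex, request_filename=None, filename=None, payload=None):
    """Model one exception chain: TX keys whose name matches name_regex are unset
    (setvar:!tx.%{tx.1}) and the score is decremented, optionally only when the
    request is for `filename` (REQUEST_FILENAME @streq) and only when the stored
    payload equals `payload` (the third example above). Returns the removed keys."""
    if filename is not None and request_filename != filename:
        return []
    pattern = re.compile(name_regex)
    removed = []
    for key in list(tx):
        if key == "anomaly_score" or not pattern.search(key):
            continue
        if payload is not None and tx[key] != payload:
            continue
        del tx[key]
        tx["anomaly_score"] -= SCORE_PER_MATCH
        removed.append(key)
    return removed

def demo():
    """Dry-run the exception patterns against a constructed set of matches."""
    tx = {}
    # Match taken from the example above (rule 950001 on the "comments" parameter).
    record_match(tx, 950001, "WEB_ATTACK/SQL_INJECTION", "ARGS:comments",
                 "1' or select * from users where username = admin ")
    # Constructed: the same rule on the "foo" parameter with the "Item 1=1" payload.
    record_match(tx, 950001, "WEB_ATTACK/SQL_INJECTION", "ARGS:foo", "Item 1=1")
    # Constructed placeholder from another category; 999999 is not a real CRS rule id.
    record_match(tx, 999999, "WEB_ATTACK/XSS", "ARGS:comments", "<script>")
    steps = []
    # Pattern 1: exclude rule 950001 for the "comments" parameter on any URL.
    steps.append(apply_exception(tx, r"^950001.*ARGS:comments"))
    # Pattern 3: URL + parameter + payload; a different URL is a no-op, the right one matches.
    for url in ("/other.php", "/path/to/file.php"):
        steps.append(apply_exception(tx, r"^950001.*ARGS:foo", request_filename=url,
                                     filename="/path/to/file.php", payload="Item 1=1"))
    return tx, steps  # score 60 -> 40 -> 40 -> 20; only the XSS entry survives
```

The category-wide pattern (the second example above) is the same call with `r"SQL_INJECTION"` as the name regex and no URL or payload condition.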