ModSecurity

ModSecurity® Reference Manual

Version 2.5.11 (Nov 4, 2009)

Copyright © 2004-2009 Breach Security, Inc. (http://www.breach.com)

Table of Contents

Introduction
HTTP Traffic Logging
Real-Time Monitoring and Attack Detection
Attack Prevention and Just-in-time Patching
Flexible Rule Engine
Embedded-mode Deployment
Network-based Deployment
Portability
Licensing
ModSecurity Core Rules
Overview
Core Rules Content
Installation
Configuration Directives
SecAction
SecArgumentSeparator
SecAuditEngine
SecAuditLog
SecAuditLog2
SecAuditLogDirMode
SecAuditLogFileMode
SecAuditLogParts
SecAuditLogRelevantStatus
SecAuditLogStorageDir
SecAuditLogType
SecCacheTransformations (Deprecated/Experimental)
SecChrootDir
SecComponentSignature
SecContentInjection
SecCookieFormat
SecDataDir
SecDebugLog
SecDebugLogLevel
SecDefaultAction
SecGeoLookupDb
SecGuardianLog
SecMarker
SecPdfProtect
SecPdfProtectMethod
SecPdfProtectSecret
SecPdfProtectTimeout
SecPdfProtectTokenName
SecRequestBodyAccess
SecRequestBodyLimit
SecRequestBodyNoFilesLimit
SecRequestBodyInMemoryLimit
SecResponseBodyLimit
SecResponseBodyLimitAction
SecResponseBodyMimeType
SecResponseBodyMimeTypesClear
SecResponseBodyAccess
SecRule
SecRuleInheritance
SecRuleEngine
SecRuleRemoveById
SecRuleRemoveByMsg
SecRuleScript (Experimental)
SecRuleUpdateActionById
SecServerSignature
SecTmpDir
SecUploadDir
SecUploadFileMode
SecUploadKeepFiles
SecWebAppId
Processing Phases
Phase Request Headers
Phase Request Body
Phase Response Headers
Phase Response Body
Phase Logging
Variables
ARGS
ARGS_COMBINED_SIZE
ARGS_NAMES
ARGS_GET
ARGS_GET_NAMES
ARGS_POST
ARGS_POST_NAMES
AUTH_TYPE
ENV
FILES
FILES_COMBINED_SIZE
FILES_NAMES
FILES_SIZES
FILES_TMPNAMES
GEO
HIGHEST_SEVERITY
MATCHED_VAR
MATCHED_VAR_NAME
MODSEC_BUILD
MULTIPART_CRLF_LF_LINES
MULTIPART_STRICT_ERROR
MULTIPART_UNMATCHED_BOUNDARY
PATH_INFO
QUERY_STRING
REMOTE_ADDR
REMOTE_HOST
REMOTE_PORT
REMOTE_USER
REQBODY_PROCESSOR
REQBODY_PROCESSOR_ERROR
REQBODY_PROCESSOR_ERROR_MSG
REQUEST_BASENAME
REQUEST_BODY
REQUEST_COOKIES
REQUEST_COOKIES_NAMES
REQUEST_FILENAME
REQUEST_HEADERS
REQUEST_HEADERS_NAMES
REQUEST_LINE
REQUEST_METHOD
REQUEST_PROTOCOL
REQUEST_URI
REQUEST_URI_RAW
RESPONSE_BODY
RESPONSE_CONTENT_LENGTH
RESPONSE_CONTENT_TYPE
RESPONSE_HEADERS
RESPONSE_HEADERS_NAMES
RESPONSE_PROTOCOL
RESPONSE_STATUS
RULE
SCRIPT_BASENAME
SCRIPT_FILENAME
SCRIPT_GID
SCRIPT_GROUPNAME
SCRIPT_MODE
SCRIPT_UID
SCRIPT_USERNAME
SERVER_ADDR
SERVER_NAME
SERVER_PORT
SESSION
SESSIONID
TIME
TIME_DAY
TIME_EPOCH
TIME_HOUR
TIME_MIN
TIME_MON
TIME_SEC
TIME_WDAY
TIME_YEAR
TX
USERID
WEBAPPID
WEBSERVER_ERROR_LOG
XML
Transformation functions
base64Decode
base64Encode
compressWhitespace
cssDecode
escapeSeqDecode
hexDecode
hexEncode
htmlEntityDecode
jsDecode
length
lowercase
md5
none
normalisePath
normalisePathWin
parityEven7bit
parityOdd7bit
parityZero7bit
removeNulls
removeWhitespace
replaceComments
replaceNulls
urlDecode
urlDecodeUni
urlEncode
sha1
trimLeft
trimRight
trim
Actions
allow
append
auditlog
block
capture
chain
ctl
deny
deprecatevar
drop
exec
expirevar
id
initcol
log
logdata
msg
multiMatch
noauditlog
nolog
pass
pause
phase
prepend
proxy
redirect
rev
sanitiseArg
sanitiseMatched
sanitiseRequestHeader
sanitiseResponseHeader
severity
setuid
setsid
setenv
setvar
skip
skipAfter
status
t
tag
xmlns
Operators
beginsWith
contains
endsWith
eq
ge
geoLookup
gt
inspectFile
le
lt
pm
pmFromFile
rbl
rx
streq
validateByteRange
validateDTD
validateSchema
validateUrlEncoding
validateUtf8Encoding
verifyCC
within
Macro Expansion
Persistant Storage
Miscellaneous Topics
Impedance Mismatch
Copyright (C) 2004-2009 Breach Security