
ModSecurity Handbook (User Manual).pdf

ModSecurity Handbook
Table of Contents
Preface
Audience
Contents of This Book
Updates
Conventions
Acknowledgements
Part I: User Guide
Chapter 1: Introduction
Brief History
Understanding ModSecurity
What ModSecurity Does
What Rules Look Like
Transaction Lifecycle
Lifecycle Example
File Upload Example
Impact of ModSecurity on Web Server
Embedded vs. Reverse Proxy Mode
Missing from ModSecurity
Resources
General Resources
Developer Resources
Related Projects
Chapter 2: Installation
Installation from Source
Downloading Releases
Downloading from Repository
Compilation under Unix
Compile-time options
Installation from Binaries
Fedora Core, CentOS, and Red Hat Enterprise Linux
Debian and Ubuntu
Installation on Windows
Chapter 3: Configuration
Folder Locations
Configuration Layout
Adding ModSecurity to Apache
Powering Up
Request Body Handling
Response Body Handling
Filesystem Locations
File Uploads
Debug Log
Audit Log
Miscellaneous Options
Default Rule Match Policy
Handling Parsing Errors
Verifying Installation
Chapter 4: Logging
Debug Log
Debugging in Production
Audit Log
Audit Log Entry Example
Concurrent Audit Log
Remote Logging
Configuring Mlogc
Activating Mlogc
Troubleshooting Mlogc
File Upload Interception
Storing Files
Inspecting Files
Integrating with ClamAV
Guardian Log
Advanced Logging Configuration
Increasing Logging from a Rule
Dynamically Altering Logging Configuration
Removing Sensitive Data from Audit Logs
Selective Audit Logging
Chapter 5: Rule Language Overview
Anatomy of a Rule
Variables
Request variables
Server variables
Response variables
Miscellaneous variables
Parsing flags
Collections
Time variables
Operators
String matching operators
Numerical operators
Validation operators
Miscellaneous operators
Actions
Disruptive actions
Flow actions
Metadata actions
Variable actions
Logging actions
Special actions
Miscellaneous actions
Chapter 6: Rule Language Tutorial
Introducing simple rules and operators
Working with variables
Combining rules into chains
Operator negation
Variable counting
Using actions
Understanding action defaults
Actions in chained rules
Unconditional rules
Using transformation functions
Blocking
Changing rule flow
Smarter skipping
If-then-else
Controlling logging
Capturing data
Variable manipulation
Variable expansion
Recording data in alerts
Adding meta data
Chapter 7: Rule Configuration
Apache Configuration Syntax
Breaking lines
Directives and parameters
Spreading configuration across files
Container directives
Configuration contexts
Configuration merging
Configuration Inheritance
Configuration inheritance
Rule inheritance
SecDefaultAction inheritance anomaly
Rule Manipulation
Removing rules at configure-time
Updating rules at configure-time
Excluding rules at run-time
Chapter 8: Persistent Storage
Manipulating Collection Records
Creating records
Application namespaces
Initializing records
Controlling record longevity
Deleting records
Detecting very old records
Collection Variables
Built-in variables
Variable expiry
Variable value depreciation
Implementation Details
Retrieving records
Storing a collection
Record Limits
Applied Persistence
Periodic alerting
Denial of service attack detection
Brute force attack detection
Session Management
Initializing Sessions
Blocking Sessions
Forcing Session Regeneration
Restricting Session Life Time
Detecting Session Hijacking
User Management
Detecting Users Sign In
Detecting Users Sign Out
Chapter 9: Practical Rule Writing
Whitelisting
Whitelisting theory
Whitelisting mechanics
Granular whitelisting
Complete whitelisting example
Virtual Patching
Reputation Management
Organizing Rule Sets
Using Rule Sets
Integration with other Apache modules
Conditional logging
Header manipulation
Securing session cookies
Advanced Blocking
Making the most of regular expressions
How ModSecurity Compiles Patterns
Changing how patterns are compiled
Common pattern problems
Regular Expression Denial of Service
Resources
Performance tips
Chapter 10: Content Injection
Writing Content Injection Rules
Communicating back to the server
Interrupting page rendering
Using external JavaScript code
Communicating with Users
Chapter 11: Writing Rules in Lua
Rule Language Integration
Lua Rules Skeleton
Accessing Variables
Logging
Lua Actions
Chapter 12: Handling XML
XML Parsing
DTD Validation
XML Schema Validation
XML Namespaces
XPath Expressions
XPath and Namespaces
XML Inspection Framework
Chapter 13: Extending Rule Language
Extension Template
Adding a Transformation Function
Adding an Operator
Adding a Variable
Part II: Reference Documentation
Chapter 14: Reference Manual
Configuration Directives
SecAction
SecArgumentSeparator
SecAuditEngine
SecAuditLog
SecAuditLog2
SecAuditLogDirMode
SecAuditLogFileMode
SecAuditLogParts
SecAuditLogRelevantStatus
SecAuditLogStorageDir
SecAuditLogType
SecCacheTransformations (Deprecated/Experimental)
SecChrootDir
SecComponentSignature
SecContentInjection
SecCookieFormat
SecDataDir
SecDebugLog
SecDebugLogLevel
SecDefaultAction
SecGeoLookupDb
SecGuardianLog
SecMarker
SecPdfProtect (Obsolete)
SecPdfProtectMethod (Obsolete)
SecPdfProtectSecret (Obsolete)
SecPdfProtectTimeout (Obsolete)
SecPdfProtectTokenName (Obsolete)
SecRequestBodyAccess
SecRequestBodyLimit
SecRequestBodyNoFilesLimit
SecRequestBodyInMemoryLimit
SecResponseBodyLimit
SecResponseBodyLimitAction
SecResponseBodyMimeType
SecResponseBodyMimeTypesClear
SecResponseBodyAccess
SecRule
Variables in rules
Collections
Operators in rules
Operator negation
Actions in rules
SecRuleInheritance
SecRuleEngine
SecRuleRemoveById
SecRuleRemoveByMsg
SecRuleScript (Experimental)
SecRuleUpdateActionById
SecServerSignature
SecTmpDir
SecUploadDir
SecUploadFileMode
SecUploadKeepFiles
SecWebAppId
Variables
ARGS
ARGS_COMBINED_SIZE
ARGS_NAMES
ARGS_GET
ARGS_GET_NAMES
ARGS_POST
ARGS_POST_NAMES
AUTH_TYPE
DURATION
ENV
FILES
FILES_COMBINED_SIZE
FILES_NAMES
FILES_SIZES
FILES_TMPNAMES
GEO
HIGHEST_SEVERITY
MATCHED_VAR
MATCHED_VAR_NAME
MODSEC_BUILD
MULTIPART_CRLF_LF_LINES
MULTIPART_STRICT_ERROR
MULTIPART_UNMATCHED_BOUNDARY
PATH_INFO
QUERY_STRING
REMOTE_ADDR
REMOTE_HOST
REMOTE_PORT
REMOTE_USER
REQBODY_PROCESSOR
REQBODY_PROCESSOR_ERROR
REQBODY_PROCESSOR_ERROR_MSG
REQUEST_BASENAME
REQUEST_BODY
REQUEST_COOKIES
REQUEST_COOKIES_NAMES
REQUEST_FILENAME
REQUEST_HEADERS
REQUEST_HEADERS_NAMES
REQUEST_LINE
REQUEST_METHOD
REQUEST_PROTOCOL
REQUEST_URI
REQUEST_URI_RAW
RESPONSE_BODY
RESPONSE_CONTENT_LENGTH
RESPONSE_CONTENT_TYPE
RESPONSE_HEADERS
RESPONSE_HEADERS_NAMES
RESPONSE_PROTOCOL
RESPONSE_STATUS
RULE
SCRIPT_BASENAME
SCRIPT_FILENAME
SCRIPT_GID
SCRIPT_GROUPNAME
SCRIPT_MODE
SCRIPT_UID
SCRIPT_USERNAME
SERVER_ADDR
SERVER_NAME
SERVER_PORT
SESSION
SESSIONID
TIME
TIME_DAY
TIME_EPOCH
TIME_HOUR
TIME_MIN
TIME_MON
TIME_SEC
TIME_WDAY
TIME_YEAR
TX
URLENCODED_ERROR
USERID
WEBAPPID
WEBSERVER_ERROR_LOG
XML
Transformation functions
base64Decode
base64Encode
compressWhitespace
cssDecode
escapeSeqDecode
hexDecode
hexEncode
htmlEntityDecode
jsDecode
length
lowercase
md5
none
normalizePath
normalizePathWin
parityEven7bit
parityOdd7bit
parityZero7bit
removeNulls
removeWhitespace
replaceComments
replaceNulls
urlDecode
urlDecodeUni
urlEncode
sha1
trimLeft
trimRight
trim
Actions
allow
append
auditlog
block
capture
chain
ctl
deny
deprecatevar
drop
exec
expirevar
id
initcol
log
logdata
msg
multiMatch
noauditlog
nolog
pass
pause
phase
prepend
proxy
redirect
rev
sanitiseArg
sanitiseMatched
sanitiseRequestHeader
sanitiseResponseHeader
severity
setuid
setsid
setenv
setvar
skip
skipAfter
status
t
tag
xmlns
Operators
beginsWith
contains
endsWith
eq
ge
geoLookup
gt
inspectFile
le
lt
pm
pmFromFile
rbl
rx
streq
validateByteRange
validateDTD
validateSchema
validateUrlEncoding
validateUtf8Encoding
verifyCC
within
Chapter 15: Data Formats Guide
Alerts
Alert Action Description
Alert Justification Description
Meta-data
Escaping
Alerts in the Apache Error Log
Alerts in Audit Logs
Audit Log
Parts
Audit Log Header (A)
Request Headers (B)
Request Body (C)
Intended Response Headers (D)
Intended Response Body (E)
Response Headers (F)
Response Body (G)
Audit Log Trailer (H)
Action
Apache-Error
Message
Producer
Response-Body-Transformed
Sanitised-Args
Sanitised-Request-Headers
Sanitised-Response-Headers
Server
Stopwatch
WebApp-Info
Reduced Multipart Request Body (I)
Multipart Files Information (J)
Matched Rules (K)
Audit Log Footer (Z)
Storage Formats
Serial Audit Log Format
Concurrent Audit Log Format
Transport Protocol
Request Headers Information
Index
MODSECURITY HANDBOOK
The Complete Guide to Securing Your Web Applications
Preview Release
Ivan Ristic
Last update: Sat Jan 30 18:30:43 UTC 2010
Table of Contents (with page numbers; the preview ends partway through Chapter 14)

Preface  xv
  Audience  xv
  Contents of This Book  xv
  Updates  xv
  Conventions  xv
  Acknowledgements  xv
I. User Guide  1
  1. Introduction  2
    Brief History  3
    Understanding ModSecurity  4
    What ModSecurity Does  5
    What Rules Look Like  6
    Transaction Lifecycle  7
      Lifecycle Example  8
      File Upload Example  11
    Impact of ModSecurity on Web Server  12
    Embedded vs. Reverse Proxy Mode  13
    Missing from ModSecurity  14
    Resources  15
      General Resources  16
      Developer Resources  17
      Related Projects  18
  2. Installation  19
    Installation from Source  20
      Downloading Releases  20
      Downloading from Repository  21
      Compilation under Unix  23
    Installation from Binaries  27
      Fedora Core, CentOS, and Red Hat Enterprise Linux  27
      Debian and Ubuntu  27
    Installation on Windows  28
  3. Configuration  29
    Folder Locations  30
    Configuration Layout  32
    Adding ModSecurity to Apache  33
    Powering Up  34
    Request Body Handling  35
    Response Body Handling  36
    Filesystem Locations  38
    File Uploads  38
    Debug Log  39
    Audit Log  39
    Miscellaneous Options  40
    Default Rule Match Policy  40
    Handling Parsing Errors  41
    Verifying Installation  42
  4. Logging  44
    Debug Log  44
      Debugging in Production  45
    Audit Log  47
      Audit Log Entry Example  48
      Concurrent Audit Log  50
    Remote Logging  51
      Configuring Mlogc  53
      Activating Mlogc  54
      Troubleshooting Mlogc  56
    File Upload Interception  57
      Storing Files  58
      Inspecting Files  58
      Integrating with ClamAV  60
    Guardian Log  61
    Advanced Logging Configuration  62
      Increasing Logging from a Rule  62
      Dynamically Altering Logging Configuration  63
      Removing Sensitive Data from Audit Logs  63
      Selective Audit Logging  64
  5. Rule Language Overview  66
    Anatomy of a Rule  66
    Variables  67
      Request variables  68
      Server variables  69
      Response variables  70
      Miscellaneous variables  71
      Parsing flags  71
      Collections  72
      Time variables  72
    Operators  73
      String matching operators  73
      Numerical operators  74
      Validation operators  74
      Miscellaneous operators  75
    Actions  75
      Disruptive actions  75
      Flow actions  76
      Metadata actions  76
      Variable actions  76
      Logging actions  77
      Special actions  77
      Miscellaneous actions  78
  6. Rule Language Tutorial  79
    Introducing simple rules and operators  79
    Working with variables  80
    Combining rules into chains  80
    Operator negation  81
    Variable counting  81
    Using actions  82
      Understanding action defaults  83
      Actions in chained rules  84
      Unconditional rules  85
    Using transformation functions  85
    Blocking  87
    Changing rule flow  87
      Smarter skipping  89
      If-then-else  89
    Controlling logging  90
    Capturing data  91
    Variable manipulation  92
    Variable expansion  92
    Recording data in alerts  94
    Adding meta data  95
  7. Rule Configuration  98
    Apache Configuration Syntax  98
      Breaking lines  99
      Directives and parameters  100
      Spreading configuration across files  100
      Container directives  102
      Configuration contexts  103
      Configuration merging  104
    Configuration Inheritance  104
      Configuration inheritance  105
      Rule inheritance  105
      SecDefaultAction inheritance anomaly  106
    Rule Manipulation  107
      Removing rules at configure-time  107
      Updating rules at configure-time  108
      Excluding rules at run-time  109
  8. Persistent Storage  110
    Manipulating Collection Records  111
      Creating records  111
      Application namespaces  112
      Initializing records  113
      Controlling record longevity  113
      Deleting records  114
      Detecting very old records  115
    Collection Variables  115
      Built-in variables  116
      Variable expiry  116
      Variable value depreciation  117
    Implementation Details  118
      Retrieving records  118
      Storing a collection  119
      Record Limits  121
    Applied Persistence  122
      Periodic alerting  122
      Denial of service attack detection  125
      Brute force attack detection  127
    Session Management  129
      Initializing Sessions  129
      Blocking Sessions  131
      Forcing Session Regeneration  131
      Restricting Session Life Time  132
      Detecting Session Hijacking  134
    User Management  136
      Detecting Users Sign In  137
      Detecting Users Sign Out  138
  9. Practical Rule Writing  139
    Whitelisting  139
      Whitelisting theory  139
      Whitelisting mechanics  140
      Granular whitelisting  141
      Complete whitelisting example  141
    Virtual Patching  142
    Reputation Management  143
    Organizing Rule Sets  143
    Using Rule Sets  143
    Integration with other Apache modules  143
      Conditional logging  144
      Header manipulation  145
      Securing session cookies  145
    Advanced Blocking  146
    Making the most of regular expressions  147
      How ModSecurity Compiles Patterns  147
      Changing how patterns are compiled  148
      Common pattern problems  149
      Regular Expression Denial of Service  150
      Resources  150
    Performance tips  151
  10. Content Injection  152
    Writing Content Injection Rules  152
      Communicating back to the server  155
      Interrupting page rendering  155
      Using external JavaScript code  156
    Communicating with Users  157
  11. Writing Rules in Lua  159
    Rule Language Integration  160
    Lua Rules Skeleton  160
    Accessing Variables  161
    Logging  162
    Lua Actions  162
  12. Handling XML  164
    XML Parsing  164
    DTD Validation  168
    XML Schema Validation  169
    XML Namespaces  171
    XPath Expressions  173
    XPath and Namespaces  175
    XML Inspection Framework  175
  13. Extending Rule Language  178
    Extension Template  179
    Adding a Transformation Function  181
    Adding an Operator  184
    Adding a Variable  188
II. Reference Documentation  192
  14. Reference Manual  193
    Configuration Directives  193
      SecAction  193
      SecArgumentSeparator  193
      SecAuditEngine  194
      SecAuditLog  195
      SecAuditLog2  195
      SecAuditLogDirMode  196
      SecAuditLogFileMode  196
      SecAuditLogParts  197
      SecAuditLogRelevantStatus  198
      SecAuditLogStorageDir  199
      SecAuditLogType  199
      SecCacheTransformations (Deprecated/Experimental)  199
      SecChrootDir  200
      SecComponentSignature  201
      SecContentInjection  201
      SecCookieFormat  202
      SecDataDir  202
      SecDebugLog  202
      SecDebugLogLevel  203
      SecDefaultAction  203
      SecGeoLookupDb  204
      SecGuardianLog  204
      SecMarker  205
      SecPdfProtect (Obsolete)  205
      SecPdfProtectMethod (Obsolete)  206
      SecPdfProtectSecret (Obsolete)  206
      SecPdfProtectTimeout (Obsolete)  207
      SecPdfProtectTokenName (Obsolete)  207
      SecRequestBodyAccess  207
      SecRequestBodyLimit  208
      SecRequestBodyNoFilesLimit  208
      SecRequestBodyInMemoryLimit  209
      SecResponseBodyLimit  209
      SecResponseBodyLimitAction  210
      SecResponseBodyMimeType  210
      SecResponseBodyMimeTypesClear  211
      SecResponseBodyAccess  211
      SecRule  211
      SecRuleInheritance  214
      SecRuleEngine  216
      SecRuleRemoveById  216
      SecRuleRemoveByMsg  216
      SecRuleScript (Experimental)  217
      SecRuleUpdateActionById  219
      SecServerSignature  219
      SecTmpDir  219
      SecUploadDir  220
      SecUploadFileMode  220
      SecUploadKeepFiles  221
      SecWebAppId  221
    Variables  222
      ARGS  222
      ARGS_COMBINED_SIZE  223
      ARGS_NAMES  224
      ARGS_GET  224
      ARGS_GET_NAMES  224
      ARGS_POST  224