1. Rule engine switch
SecRuleEngine
- Description: turns the rule engine on or off
- Scope: Any
- Syntax: SecRuleEngine On|Off|DetectionOnly
- On: rules are processed and disruptive actions (deny, drop, redirect, ...) are enforced
- Off: rules are not processed at all (the default)
- DetectionOnly: rules are processed and matches are logged, but disruptive actions are not applied. Use this while tuning a new rule set so that false positives show up in the logs instead of blocking users, then switch to On.
SecRuleEngine DetectionOnly
2. Adding rules
SecRule
- Description: adds a rule
- Scope: Any
- Syntax: SecRule VARIABLES OPERATOR [ACTIONS]
- VARIABLES: where to look (the parts of the transaction to inspect, e.g. ARGS, REQUEST_HEADERS, REQUEST_BODY)
- OPERATOR: how to look (how the content of each variable is matched, e.g. @rx, @eq, @pm, @ipMatch)
- ACTIONS: what ModSecurity should do when the operator matches, e.g. log, deny, set a variable. If no action list is given, the default action list (SecDefaultAction) applies. Since ModSecurity 2.7 every rule must carry a unique id, otherwise the server refuses to start.
SecRule ARGS "@rx attack" "phase:1,log,deny,id:1"
SecRuleScript
- Description: runs a Lua script as the rule's matching logic; the script returns nil for "no match" or a message string for "match"
- Scope: Any
- Syntax: SecRuleScript /path/to/script.lua [ACTIONS]
- /path/to/script.lua: path to the Lua script
- ACTIONS: action list, same format as for SecRule
SecRuleScript "/path/to/file.lua" "block"
SecAction
- Description: executes the given action list unconditionally (a rule with no VARIABLES and no OPERATOR, so it always "matches"); typically used to initialise variables and collections
- Scope: Any
- Syntax: SecAction "action1,action2,action3,..."
SecAction "id:1,nolog,phase:1,initcol:RESOURCE=%{REQUEST_FILENAME}"
(The action list is quoted and carries an id here because ModSecurity 2.7+ rejects a SecAction without one.)
SecDefaultAction
- Description: configures the default action list
- Scope: Any
- Syntax: SecDefaultAction "action1,action2,action3"
- Action list: the built-in default is "phase:2,log,auditlog,pass". The list must name a phase and a disruptive action and may not contain metadata actions (id, msg, tag, ...). It applies to every rule in the same phase that follows it in the same configuration context, so a rule set normally sets one SecDefaultAction per phase it uses.
SecDefaultAction "phase:1,log,auditlog,pass"
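The following rules file is an added example, not from the page or the ModSecurity project. It shows how the directives of sections 1 and 2 combine in practice: the engine setting decides whether deny is enforced, SecDefaultAction supplies the inherited phase, logging and disruptive defaults, SecAction seeds a variable and SecRule consumes it, and a chained rule narrows a match. Rule ids 1001 to 1003, the tx.max_body_bytes variable and the /cms/editor path are assumed values.

```apache
# Added example, not from the ModSecurity project. Rule ids, the TX
# variable and the path below are assumed values for illustration.

# With On, disruptive actions are enforced. Switch to DetectionOnly while
# tuning so that matches are logged but nothing is blocked.
SecRuleEngine On

# Defaults inherited by every following rule in the same phase. A rule
# that names no disruptive action therefore logs and passes.
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"

# SecAction has no VARIABLES/OPERATOR: its action list always runs.
# Here it seeds a transaction variable that the rule below consumes.
SecAction "id:1001,phase:1,nolog,pass,t:none,setvar:tx.max_body_bytes=65536"

# SecRule: VARIABLES (where) OPERATOR (how) ACTIONS (what).
# "deny,status:413" overrides the inherited "pass"; phase 1 runs on the
# request headers, so the body is never read.
SecRule REQUEST_HEADERS:Content-Length "@gt %{tx.max_body_bytes}" \
    "id:1002,phase:1,t:none,deny,status:413,msg:'Request body too large'"

# A chain: the second SecRule only runs if the first one matched, and the
# disruptive action and metadata live on the first rule of the chain.
# It blocks a script tag in any argument unless the request goes to the
# (assumed) CMS editor, which legitimately posts HTML.
SecRule ARGS "@rx <script" \
    "id:1003,phase:2,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,\
    msg:'Script tag in request argument',logdata:'%{MATCHED_VAR}',chain"
    SecRule REQUEST_URI "!@beginsWith /cms/editor" "t:none"
```

Note the transformation list on rule 1003: t:none first clears any transformations inherited from SecDefaultAction, then urlDecodeUni and lowercase normalise the argument before the regex runs, which is why the pattern itself can stay short.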
3. Disabling rules
SecRuleRemoveById
- Description: disables the rule(s) with the given ID(s). The directive must appear after the rule it removes (e.g. after the Include of the rule set); placed before it there is nothing to remove yet and the rule stays active.
- Scope: Any
- Syntax: SecRuleRemoveById ID ID RANGE ...
SecRuleRemoveById 1 2 "9000-9010"
SecRuleRemoveByMsg
- Description: disables every rule whose msg matches the regular expression; must appear after the rules in question
- Scope: Any
- Syntax: SecRuleRemoveByMsg REGEX
SecRuleRemoveByMsg "FAIL"
SecRuleRemoveByTag
- Description: disables every rule that carries a tag matching the regular expression; must appear after the rules in question
- Scope: Any
- Syntax: SecRuleRemoveByTag REGEX
SecRuleRemoveByTag "WEB_ATTACK/XSS"
4. Updating rules
SecRuleUpdateActionById
- Description: updates the action list of the rule with the given ID
- the rule id and phase cannot be changed
- actions that may appear only once in a rule (e.g. deny, status, severity, msg) are overwritten
- actions that may appear several times (e.g. tag, setvar) are appended
- Scope: Any
- Syntax: SecRuleUpdateActionById RULEID[:offset] ACTIONLIST
- RULEID[:offset]: rule id; the optional offset addresses one rule inside a chain
- Action list: the actions to merge into the rule
SecRuleUpdateActionById 12345 "deny,status:403"
SecRuleUpdateTargetById
- Description: updates the VARIABLES (targets) of the rule with the given ID
- Scope: Any
- Syntax: SecRuleUpdateTargetById RULEID TARGET1[,TARGET2,TARGET3] REPLACED_TARGET
- RULEID: rule id
- TARGET1[,TARGET2,TARGET3]: targets to add to the rule's variable list; a negated target such as !ARGS:foo excludes that one variable while the rest stays inspected
- REPLACED_TARGET: optional; when given, the new targets replace this target instead of being added
# add a target (exclude ARGS:foo from rule 12345)
SecRuleUpdateTargetById 12345 "!ARGS:foo"
# replace a target (REQUEST_URI takes the place of REQUEST_FILENAME in rule 958895)
SecRuleUpdateTargetById 958895 REQUEST_URI REQUEST_FILENAME
SecRuleUpdateTargetByMsg
- Description: updates the VARIABLES of every rule whose msg matches TEXT
- Scope: Any
- Syntax: SecRuleUpdateTargetByMsg TEXT TARGET1[,TARGET2,TARGET3] REPLACED_TARGET
- TEXT: the message to match
- TARGET1[,TARGET2,TARGET3]: targets to add
- REPLACED_TARGET: optional target to replace
SecRuleUpdateTargetByTag
- Description: updates the VARIABLES of every rule that carries a tag matching TEXT
- Scope: Any
- Syntax: SecRuleUpdateTargetByTag TEXT TARGET1[,TARGET2,TARGET3] REPLACED_TARGET
- TEXT: the tag to match
- TARGET1[,TARGET2,TARGET3]: targets to add
- REPLACED_TARGET: optional target to replace
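A tuning file, added here as an example (not from the page, the ModSecurity project or the CRS), that puts the directives of sections 3 and 4 together in the order they need: all of them come after the Include of the rule set they modify. The Include path, rule ids, messages, tags and parameter names are assumed values.

```apache
# Added example, not from the ModSecurity or CRS projects. The Include
# path, rule ids, messages, tags and parameter names are assumed.
# Everything below must come AFTER the rules it refers to.
Include /etc/modsecurity/rules/*.conf

# Disable rules: two single ids plus a range, then by msg regex, then by tag.
SecRuleRemoveById 1010 1011 "9000-9010"
SecRuleRemoveByMsg "Legacy .* check"
SecRuleRemoveByTag "local/deprecated"

# Keep rule 1012 but stop it inspecting one parameter: the negated target
# is ADDED to the rule's list, everything else in ARGS stays inspected.
SecRuleUpdateTargetById 1012 "!ARGS:csrf_token"

# Replace a target: REQUEST_FILENAME takes the place of REQUEST_URI in
# rule 1013, so that rule no longer sees the query string.
SecRuleUpdateTargetById 1013 REQUEST_FILENAME REQUEST_URI

# The same exclusion applied to every rule carrying a given tag.
SecRuleUpdateTargetByTag "local/profile-form" "!ARGS:bio"

# Merge actions into rule 1014: deny/status (single-instance actions)
# overwrite the rule's own, the tag (multi-instance) is appended.
# id and phase cannot be changed this way.
SecRuleUpdateActionById 1014 "deny,status:403,tag:'local/enforced'"
```

Prefer the SecRuleUpdateTarget* forms over SecRuleRemoveBy* wherever possible: excluding one parameter keeps the rule's protection for every other input, whereas removing the rule drops it for the whole application.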
5. Remote rules
SecRemoteRules
- Description: loads a rule set from a remote server
- Scope: Any
- Syntax: SecRemoteRules [crypto] key https://url
- [crypto]: optional flag; in any case only TLS (https://) URLs are accepted
- key: sent to the remote server with the request so that it can identify the client and decide which rules to serve
- https://url: the rule file on the remote server
SecRemoteRules some-key https://www.yourserver.com/plain-text-rules.txt
SecRemoteRulesFailAction
- Description: what to do when a remote rule set cannot be loaded. The same setting governs remote files fetched by the @ipMatchFromFile operator.
- Scope: Any
- Syntax: SecRemoteRulesFailAction Abort|Warn
- Abort|Warn: the default is Abort (the server refuses to start); Warn logs the failure and starts without the remote rules
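An added example (not from the page or the ModSecurity project) showing the two directives together with a remote blocklist; the hostname, key, paths and rule id are assumed. The fail action is set first because the remote rule set is fetched at the moment the SecRemoteRules directive is parsed.

```apache
# Added example, not from the ModSecurity project. Hostname, key, paths
# and rule id are assumed values.

# Abort: Apache refuses to start if the fetch fails, so an outage of the
# rule server can never leave the site running without its rules.
# Warn trades that guarantee for availability; only use it when a local
# baseline rule set is loaded as well.
SecRemoteRulesFailAction Abort

# Fetched over TLS when this line is parsed; the key identifies this host
# to the rule server.
SecRemoteRules 0f3a9b1c-site7 https://rules.example.com/prod/rules.conf

# @ipMatchFromFile can also load its list from the same server, and the
# fail action above applies to that download too.
SecRule REMOTE_ADDR "@ipMatchFromFile https://rules.example.com/prod/blocklist.txt" \
    "id:1101,phase:1,t:none,deny,status:403,msg:'Source address on remote blocklist'"
```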
6. Rule inheritance
SecRuleInheritance
- Description: whether a child configuration context (VirtualHost, Location, ...) inherits the rules defined in its parent context
- Scope: Any
- Syntax: SecRuleInheritance On|Off
- On|Off: the default is On
7. Skipping rules
SecMarker
- Description: creates a marker (a rule that does nothing) for skipAfter to jump to
- Scope: Any
- Syntax: SecMarker ID|TEXT
SecMarker BEGIN_HOST_CHECK
SecRule &REQUEST_HEADERS:Host "@eq 0" \
"skipAfter:END_HOST_CHECK,phase:2,rev:'2.1.1',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
SecRule REQUEST_HEADERS:Host "^$" \
"phase:2,rev:'2.1.1',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
SecMarker END_HOST_CHECK
8. Rule set signature
SecComponentSignature
- Description: appends a component signature (e.g. that of the rule set in use) to the ModSecurity signature; it is recorded in audit log part H
- Scope: Main
- Syntax: SecComponentSignature "COMPONENT_NAME/X.Y.Z (COMMENT)"
9. Performance debugging
SecRulePerfTime
- Description: sets a threshold, in microseconds, for the execution time of a single rule; rules that exceed it are recorded in audit log part H. Used for performance tuning.
- Scope: Any
- Syntax: SecRulePerfTime USECS
10. Regular expression settings
SecPcreMatchLimit
- Description: sets the match limit of the PCRE library, a cap on the internal backtracking steps a single match may take. It bounds how long one regular expression can run on hostile input. When the limit is hit the operator fails (no match) and ModSecurity sets TX:MSC_PCRE_LIMITS_EXCEEDED, so a rule set should test that flag rather than let the request pass silently.
- Scope: Main, not allowed inside VirtualHosts
- Syntax: SecPcreMatchLimit value
- Default: 1500
SecPcreMatchLimitRecursion
- Description: sets the match recursion limit of the PCRE library (same purpose as above, for the recursion depth of the matcher)
- Scope: Main, not allowed inside VirtualHosts
- Syntax: SecPcreMatchLimitRecursion value
- Default: 1500
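An added example (not from the page or the ModSecurity project) of the two limits together with the rule that turns a limit hit into a block instead of a silent pass; the rule id is assumed.

```apache
# Added example, not from the ModSecurity project; the rule id is assumed.

# Keep the limits low: legitimate requests need only a small number of
# backtracking steps, and a crafted payload against a pathological regex
# then fails fast instead of tying up the worker (a ReDoS defence).
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

# When a limit is hit the operator fails (no match) and ModSecurity sets
# TX:MSC_PCRE_LIMITS_EXCEEDED. Without this rule the request would slip
# past the rule whose regex gave up, so the flag itself is the block.
SecRule TX:MSC_PCRE_LIMITS_EXCEEDED "@eq 1" \
    "id:1301,phase:2,t:none,deny,status:403,log,msg:'PCRE match or recursion limit exceeded'"
```

If the flag fires on real traffic, raise the limits in steps and look at the rule named in the preceding log entry: it is usually a single badly written pattern, not the limits, that needs fixing.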
11. Separating multiple web applications
SecWebAppId
- Description: creates an application namespace, giving each application its own persistent SESSION and USER collections. When several applications are hosted on one server the namespace keeps their session ids and user ids from colliding; without it the same session id issued by two applications would share one collection entry. The namespace is also recorded in the audit log (WebApp-Info header in part H).
- Scope: Any, typically one per VirtualHost
- Syntax: SecWebAppId "NAME"
<VirtualHost *:80>
    ServerName app1.example.com
    SecWebAppId "App1"
    ...
</VirtualHost>
<VirtualHost *:80>
    ServerName app2.example.com
    SecWebAppId "App2"
    ...
</VirtualHost>
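An added example (not from the page or the ModSecurity project) that shows why the namespace matters: per-session state is kept in the SESSION collection, and the collection key includes the web app id. Hostnames, the cookie name, rule ids, the SecDataDir path and the session variable names are assumed values.

```apache
# Added example, not from the ModSecurity project. Hostnames, cookie name,
# rule ids, the SecDataDir path and the variable names are assumed.

# Persistent storage for SESSION/USER collections (main context only).
SecDataDir /var/cache/modsecurity

<VirtualHost *:443>
    ServerName app1.example.com
    SecWebAppId "app1"

    # Bind the SESSION collection to the application's cookie. The
    # collection is keyed by (web app id, session id), so JSESSIONID=abc
    # in app1 never shares state with the same cookie value in app2.
    SecRule REQUEST_COOKIES:JSESSIONID "@rx ^[A-Za-z0-9]{16,64}$" \
        "id:1201,phase:1,nolog,pass,t:none,setsid:%{MATCHED_VAR}"

    # Count failed logins per session (assumes the application answers a
    # failed POST /login with HTTP 401); the counter expires after 15 min.
    SecRule REQUEST_URI "@streq /login" \
        "id:1202,phase:5,nolog,pass,t:none,chain"
        SecRule RESPONSE_STATUS "@streq 401" \
            "t:none,setvar:session.failed_logins=+1,expirevar:session.failed_logins=900"

    # Block the session, not the IP, once the counter passes five.
    SecRule SESSION:failed_logins "@gt 5" \
        "id:1203,phase:1,t:none,deny,status:429,log,msg:'Too many failed logins in this session'"
</VirtualHost>

<VirtualHost *:443>
    ServerName app2.example.com
    SecWebAppId "app2"
    # The same three rules can be repeated here; their counters live in
    # the app2 namespace and never touch app1's.
</VirtualHost>
```

Rule 1203 sits in phase 1 after rule 1201 on purpose: setsid loads the collection immediately, so later rules in the same phase already see SESSION, and the block happens before the request body is read.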
12. Others
SecChrootDir
- Description: directory to chroot the web server process into. ModSecurity performs the chroot() after Apache has finished initialising, so the libraries and files Apache needs at start-up do not have to be copied into the jail; anything Apache touches afterwards (log files, SecDataDir, ...) must exist inside it.
- Scope: Main, not allowed inside VirtualHost
- Syntax: SecChrootDir /path/to/chroot/dir
SecCollectionTimeout
- Description: sets the timeout of persistent collections, i.e. how long an entry that has not been updated is kept before it expires. Default: 3600 seconds.
- Scope: Any
- Syntax: SecCollectionTimeout seconds
SecInterceptOnError
- Description: configures how to respond when a rule fails to execute (its operator returns an error)
- Scope: Main
- Syntax: SecInterceptOnError On|Off
- On: stop executing the remaining rules of the current phase and intercept (block) the transaction
- Off: skip the failing rule and continue with the next one (the default)
SecCacheTransformations
- Description: controls caching of transformation results, which can speed up the processing of complex rule sets. Added in 2.5.6; experimental and off by default.
- Scope: Any
- Syntax: SecCacheTransformations On|Off [options]
- On: cache transformation results (per transaction, per phase) so that the same transformation of the same variable is executed only once
- Off: no caching
- incremental:on|off: cache every intermediate transformation instead of just the final one. The default is off.
- maxitems:N: do not cache more than N transformations; caching is disabled once this number is reached. A zero value means unlimited. Useful to limit caching for a form with a large number of variables. The default is 512.
- minlen:N: do not cache the transformation if the variable's length is less than N bytes. The default is 32.
- maxlen:N: do not cache the transformation if the variable's length is more than N bytes. A zero value means unlimited. The default is 1024.
Example usage: SecCacheTransformations On "minlen:64,maxlen:0"
SecStatusEngine
- Description: sends software version information (ModSecurity and its dependencies) to the ModSecurity Project team
- Scope: Any
- Syntax: SecStatusEngine On|Off
- Default: Off
Reference:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual