7. Rules Usage
Use “|” as the “OR” logical operator and “!” as the “NOT” logical operator:
SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateByteRange 1-255" \
    "log,auditlog,msg:'Request Missing an Accept Header',severity:'2',id:'960015',t:urlDecodeUni,phase:1"
Here “|” joins several variables into one target list, and “!” excludes the Referer header from the REQUEST_HEADERS collection.
8. Rules Usage
Use a Regular Expression to make a Rule:
SecRule REQUEST_METHOD "^POST$" \
    "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header'"
Use “:” to pick one variable from a Collection:
SecRule REQUEST_HEADERS:Content-Length "!^0?$" t:none
10. Default Actions
Use the SecDefaultAction directive to set the “Default Behavior” of Apache ModSecurity. If a rule does not define what should happen, Apache will apply the Default Actions.
To use Default Actions, add the directive to the configuration file with the action list, for example:
SecDefaultAction "phase:2,log,auditlog,pass"
13. Chained Actions
Group Rules together
Similar to the “AND” logical expression in programming languages
Add the “chain” action to every rule, except the last one
Example:
SecRule REQUEST_HEADERS "haidinhtuan" "chain,phase:2,nolog,deny,status:406"
SecRule REQUEST_METHOD "GET" "t:none"
15. Persistent Collections
TX Collection only exist in a transaction.
After the data has been transfer
Why completely, variables will be remove
Persistent
Collection?
Persistent Collection can keep a record
of variables through several
transactions.
16. Persistent Collections
1. Monitor user behavior based on IP Address
2. Monitor Sessions
3. User behavior monitoring
4. Prevent Session Hijacking Attack
5. Detect Denial of Service (DoS) Attack
6. Detect Brute Force Attack
17. Persistent Collections
IP: created by using the initcol directive; holds client address variables
SESSION: created by using the setsid directive; holds session variables
USER: created by using the setuid directive; holds user variables
18. Persistent Collections
Define the data directory first, using the SecDataDir directive
For example:
SecDataDir /etc/httpd/modsec_data
21. Transformation functions
ModSecurity matches strings and variables exactly.
A transformation function transforms the different string formats into a single string form before the match is made.
24. Validate Contents
Check the validity of HTTP Requests
@validateByteRange      Validate Byte Range
@validateDTD            Validate XML files by DTD
@validateSchema         Validate XML files by Schema
@validateUrlEncoding    Validate URL Encoding
@validateUtf8Encoding   Validate UTF-8 Encoding
25. Validate Contents
Validate Byte Range
26. Validate Byte Range
Allow numbers only (bytes 48-57, the ASCII digits) in the Content field of the Request Header
SecRule REQUEST_HEADERS:Content "@validateByteRange 48-57" "phase:4,deny,log,status:403"
27. Validate Contents
Validate XML files by DTD
(Document Type Definition)
28. Validate DTD
A Document Type Definition (DTD) is a set of markup declarations that define a document type for an SGML-family markup language (SGML, XML, HTML).
It defines what components should be included and their format.
29. Validate Contents
Validate XML files by Schema
30. Validate Schema
A DTD supports only the PCDATA and CDATA formats.
A Schema supports detailed descriptions of the data in XML files, for example: string, normalizedString, integer, positiveInteger.
31. Validate Contents
Validate URL Encoding
32. Validate URL Encoding
RFC 1738 only allows ASCII in a URL.
HTML: supports ISO-8859-1 (ISO-Latin)
HTML4: supports Unicode characters
33. Validate Contents
Validate UTF-8 Encoding
34. Validate UTF-8 Encoding
UTF-8 is used on almost every web server to encode strings, and it is compatible with ASCII.
SecRule ARGS "@validateUtf8Encoding"
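As an added example that is not part of the slides, the Python below re-implements the checks behind the three byte-level validators (@validateByteRange, @validateUrlEncoding, @validateUtf8Encoding) so the accept/reject decisions of the rules on slides 26 and 34 can be tried offline. ModSecurity itself is written in C; the function names, the range-spec parser and the reason strings are my own, and each function returns "valid" where the real operator would report a match (i.e. fire the rule) on invalid input.

```python
import re

def validate_byte_range(data, spec):
    """@validateByteRange: True when every byte is inside the allowed ranges.
    spec uses ModSecurity's syntax, e.g. "48-57" or "9,10,13,32-126"."""
    allowed = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        allowed.update(range(int(lo), int(hi or lo) + 1))
    return all(b in allowed for b in data)

def validate_url_encoding(data):
    """@validateUrlEncoding: True when every '%' is followed by two hex digits."""
    i = 0
    while i < len(data):
        if data[i] == 0x25:  # '%'
            if not re.fullmatch(rb"[0-9A-Fa-f]{2}", data[i + 1:i + 3]):
                return False  # truncated or non-hex escape, e.g. "%zz" or a trailing "%"
            i += 3
        else:
            i += 1
    return True

# (lead low, lead high, continuation bytes needed, smallest code point needing that many bytes)
_LEAD = ((0xC0, 0xDF, 1, 0x80), (0xE0, 0xEF, 2, 0x800), (0xF0, 0xF7, 3, 0x10000))

def validate_utf8(data):
    """@validateUtf8Encoding: None for well-formed UTF-8, otherwise the reason
    (bad lead, truncated, bad continuation, or overlong such as C0 AF for '/')."""
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:  # plain ASCII
            i += 1
            continue
        form = [(k, m) for lo, hi, k, m in _LEAD if lo <= b <= hi]
        if not form:  # 10xxxxxx or F8-FF can never start a sequence
            return "invalid lead byte"
        need, minimum = form[0]
        if i + need >= n:
            return "truncated sequence"
        cp = b & (0x3F >> need)  # payload bits of the lead byte
        for c in data[i + 1:i + need + 1]:
            if c & 0xC0 != 0x80:
                return "bad continuation byte"
            cp = (cp << 6) | (c & 0x3F)
        if cp < minimum:
            return "overlong encoding"
        i += need + 1
    return None
```

The overlong case matters because a lenient decoder turns C0 AF into "/", which is how encoding tricks slip past pattern-based rules; rejecting it at the validator is the defence the slide's `@validateUtf8Encoding` rule provides.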