Index
A
- action
- deny action / Blocking requests
- pass action / Taking no action but continuing rule processing
- SecAction, using / SecAction
- setenv action / Sending more detailed alert emails
- additional operators
- set-based pattern matching, @pm operator used / Set-based pattern matching with @pm and @pmFromFile
- set-based pattern matching, @pmFromFile operator used / Set-based pattern matching with @pm and @pmFromFile
- set-based pattern matching, advantages / Set-based pattern matching with @pm and @pmFromFile
- @pmFromFile / @pmFromFile
- positive security model / Validating character ranges
- @validateByteRange operator / Validating character ranges
- alternation
- about / Alternation
- anchors
- about / Anchors
- start of line or string / Start and end of string
- word boundary / Word Boundary
- apxs
- attacker’s real IP address
- detecting / Detecting the real IP address of an attacker
- audit log engine
- SecAuditEngine Off / Enabling the audit log engine
- SecAuditEngine RelevantOnly, using / Enabling the audit log engine
- SecAuditLogRelevantStatus / Enabling the audit log engine
- serial logging / Single versus multiple file logging
- serial logging, advantage / Single versus multiple file logging
- audit logging
- audit log engine / Enabling the audit log engine
- determining / Determining what to log
- configuration / The configuration so far
- format / Log format
- data, sanitizing / Audit log sanitization actions
B
- backreferences
- about / Backreferences
- captured backreferences, in ModSecurity / Captures and ModSecurity
- blog spam
- about / Blog spam
C
- chain rules
- creating / Creating chained rules
- character classes
- about / Character classes
- negated matching / Negated matching
- shorthand notation / Shorthand notation
- chroot jail
- about / What is a chroot jail?
- disadvantage / What is a chroot jail?
- sample attack / A sample attack
- putting, in Apache (traditional way) / Traditional chrooting
- verifying / Verifying that the jail works
- caveats, SecChrootDir / Chroot caveats
- collection
- about / Variables and collections
- field filter, regular expression used / Filtering collection fields using a regular expression
- built-in fields / Built-in fields
- common attacks
- shell command execution / Shell command execution attempts
- null byte attacks / Null byte attacks
- source code revelation / Source code revelation
- directory traversal attacks / Directory traversal attacks
- blog spam / Blog spam
- concurrent logging
- about / Concurrent logging
- cookies
- allowing, rules / Cookies
- core ruleset, real-world performance test
- protection against / The core ruleset
- working / Making sure it works
- credit card, SecRule
- numbers, detecting / Detecting credit card numbers
- Luhn algorithm / The Luhn algorithm and false positives
- false-positive matches / The Luhn algorithm and false positives
- cross-site scripting
- about / Cross-site scripting
- XSS attacks, preventing / Preventing XSS attacks
- PDF XSS, protecting / PDF XSS protection
- cross-site scripting, real-life examples
- about / Cross-site scripting, Real-life example: The Twitter worm
- Twitter worm / Real-life example: The Twitter worm
- CSRF
- about / Cross-site request forgeries
- protecting against / Protecting against cross-site request forgeries
- ctl action
- using / How to use the ctl action
D
- directives
- about / Directives
- SecAuditEngine / SecAuditEngine
- SecAuditLogRelevantStatus / SecAuditLogRelevantStatus
- SecCacheTransformations / SecCacheTransformations (deprecated/experimental)
- SecGuardianLog / SecGuardianLog
- SecResponseBodyAccess / SecResponseBodyAccess
- SecRule / SecRule
- SecServerSignature / SecServerSignature
- SecUploadKeepFiles / SecUploadKeepFiles
- directory traversal attacks
- about / Directory traversal attacks
- dot character
- about / The Dot character
- downloading
- ModSecurity / Downloading
- public key, from server / Checking the integrity of the downloaded source archive
E
- ETag header
- about / The ETag HTTP header
F
- Fiddler
G
- Geeklog, real-life examples
- about / Geeklog, Patching Geeklog
- source code / Geeklog
- HTTP authentication / Geeklog
- running / Geeklog
- patching / Patching Geeklog
H
- htmlentities() function
- about / Preventing XSS attacks
- HTTP fingerprinting
- about / HTTP fingerprinting
- working / How HTTP fingerprinting works
- server banner / Server banner
- response header / Response header
- protocol responses / HTTP protocol responses
- ModSecurity, using / Using ModSecurity to defeat HTTP fingerprinting
- httprecon tool
- running / HTTP fingerprinting
I
- <img> tag
- about / Cross-site request forgeries
- installation, testing
- simple ModSecurity rule, creating / Creating a simple ModSecurity rule
- web server signature, disguising / Disguising the web server signature
J
- JSESSIONID cookie
- about / Analyzing log files
L
- lazy quantifier
- about / Lazy quantifiers
- need for / Lazy quantifiers
- ldd tool
- using / Verifying that the jail works
- log files
- analyzing / Analyzing log files
M
- MD5
- mlogc
- compiling / Compiling mlogc
- configuring / Configuring mlogc
- ModProfile tool
- about / Alternative approaches
- modsec.conf file
- configuring / Configuration file, Completing the configuration
- phase:2 statement / Configuration file
- ModSecurity
- version 2.0 / Versions
- version 2.0, features / Versions
- version 2.5 / Versions
- history / Downloading
- downloading / Downloading
- downloaded source archive integrity, checking / Checking the integrity of the downloaded source archive
- apxs / Required additional libraries and files
- libxml2 / Required additional libraries and files
- mod_unique_id / Required additional libraries and files
- compiling / Compilation
- integrating, with Apache / Integrating ModSecurity with Apache
- installation, testing / Testing your installation, Disguising the web server signature
- numerical operators / Matching numbers
- visitors' geographical location, SecRule / Tracking the geographical location of your visitors
- @inspectFile, using / Inspecting uploaded files
- Apache, jailing / How ModSecurity helps jailing Apache
- using, to create chroot jail / Using ModSecurity to create a chroot jail
- ModSecurity, with core ruleset loaded
- about / ModSecurity with the core ruleset loaded
- server response time graph / Response time
- Apache memory usage graph / Memory usage
- server response time, buffering vs non-buffering graph / Finding the bottleneck
- Apache memory usage, buffering vs non-buffering / Finding the bottleneck
- core ruleset performance, wrapping up / Wrapping up core ruleset performance
- ModSecurity Console
- about / The ModSecurity Console
- server / The ModSecurity Console
- features / The ModSecurity Console
- installing / Installing the ModSecurity Console
- accessing / Accessing the Console
- Administrative Events / Accessing the Console
- logs, forwarding to / Forwarding logs to the ModSecurity Console
- ModSecurity rules
- chain rules, creating / Creating chained rules
- rule ID / Rule IDs
- string matching / Simple string matching
- number matching / Matching numbers
- collection / Counting items in collections
- order evaluation / Phases and rule ordering
- ctl action, using / Using the ctl action to control the rule engine
- macro expansion / Macro expansion
- shell scripts, executing / Executing shell scripts
- data, injecting into response / Injecting data into responses
N
- nolog action
- non-capturing parentheses
- about / Non-capturing parentheses
- null byte attacks
- about / Null byte attacks
- replaceNulls function / ModSecurity and null bytes
O
- & operator
- using / Blocking proxied requests
P
- @pmFromFile operator
- using / @pmFromFile
- @pm operator
- @pmFromFile, differentiating / @pmFromFile
- performance / Performance of the phrase matching operators
- PCRE
- about / Regular expression flavors
- PDF XSS, cross-site scripting
- protecting / PDF XSS protection
- HttpOnly cookies, using / HttpOnly cookies to prevent XSS attacks
- HttpOnly cookies, session identifier cookie / Session identifiers
- performance optimization
- about / Optimizing performance
- extra memory addition, restricting / Memory consumption
- static content request, bypassing / Bypassing inspection of static content
- @pm operator, using / Using @pm and @pmFromFile
- @pmFromFile operator, using / Using @pm and @pmFromFile
- logging / Logging
- pipe character (|)
- about / Examining several variables
- positive security model
- implementing, advantages / Considerations before beginning
- implementing, drawbacks / Considerations before beginning
- implementing / Considerations before beginning
- four-step process / Groundwork
- user actions, identifying / Step 1: Identifying user actions
- user actions, analyzing / Step 2: Getting detailed information on each action
- request information, gathering / Step 2: Getting detailed information on each action
- rules, writing / Step 3: Writing rules
- ruleset, testing / Step 4: Testing the new ruleset
- actions / Actions
- allowed argument, blocking / Blocking what's allowed—denying everything else
- ruleset, keeping up to date / Keeping everything up to date
- protocol responses, HTTP fingerprinting
- DELETE command, issuing / Issuing an HTTP DELETE request
- IIS, differences / Issuing an HTTP DELETE request
- non-existent version number, using / Bad HTTP version numbers
- non-existent protocol, using / Bad protocol name
- ETag header / The ETag HTTP header
- proxied requests
- blocking / Blocking proxied requests
Q
- quantifiers
- about / Quantifiers—star, plus, and question mark, Star
- plus sign(+) / Plus sign
- grouping / Grouping
- question mark(?)
- about / Question Mark
R
- ranges
- about / Ranges
- real-life examples
- Geeklog / Geeklog
- cross-site scripting / Cross-site scripting
- real-world performance test
- starting with / A real-world performance test
- core ruleset / The core ruleset
- core ruleset, installing / Installing the core ruleset
- basics / Performance testing basics
- basics, httperf tool / Performance testing basics, Using httperf
- testing, without ModSecurity / Getting a baseline: Testing without ModSecurity, Response time, Memory usage
- memory usage / Memory usage
- CPU usage / CPU usage
- ModSecurity, without any loaded rules / ModSecurity without any loaded rules
- server response time graph / ModSecurity without any loaded rules
- ModSecurity, with core ruleset loaded / ModSecurity with the core ruleset loaded
- regex
- email address / Our email address regex
- [-\w.+] character class / Our email address regex
- \.[a-zA-Z]{2,4} / Our email address regex
- RegexBuddy
- about / Debugging regular expressions
- regular expression
- about / What is a regular expression?
- flavors / Regular expression flavors
- examples / Example of a regular expression
- examples, email address identification / Identifying an email address
- debugging / Debugging regular expressions
- additional resources / Additional resources
- regular expressions
- about / An introduction to regular expressions, More about regular expressions
- examples / Examples of regular expressions
- @rx, using / Using @rx to block a remote host
- regular expressions, performance optimization
- writing / Writing regular expressions for best performance, Use one regular expression whenever possible
- non-capturing parentheses, using / Use non-capturing parentheses wherever possible
- Remo
- interface / Installation
- rules / Remo rules
- editing rule / Creating and editing rules
- rules, installing / Installing the rules
- error, resolving / Installing the rules
- log files, analyzing / Analyzing log files
- request headers
- about / Headers
- rule phases
- REQUEST_HEADERS / Phases and rule ordering
- REQUEST_BODY / Phases and rule ordering
- RESPONSE_HEADERS / Phases and rule ordering
- RESPONSE_BODY / Phases and rule ordering
- LOGGING / Phases and rule ordering
- REQUEST_BASENAME
- about / REQUEST_BASENAME
- REQUEST_HEADERS
- about / REQUEST_HEADERS
- REQUEST_PROTOCOL
- about / REQUEST_PROTOCOL
- REQUEST_URI
- about / REQUEST_URI
- RoR
- about / Installation
- 0.2.0 beta / Installation
- rule ID
- rule matching
- options / Actions—what to do when a rule matches
- request, allowing / Allowing requests
- request, blocking / Blocking requests
- rule, processing / Taking no action but continuing rule processing
- request, dropping / Dropping requests
- request, redirecting / Redirecting and proxying requests
- ruleset
- viewing / The ruleset so far
- finished view / The finished ruleset
S
- SCRIPT_BASENAME
- about / SCRIPT_BASENAME
- SecAction
- SecArgumentSeparator
- about / SecArgumentSeparator
- SecAuditEngine
- about / SecAuditEngine
- SecAuditLog
- about / SecAuditLog
- SecAuditLog2
- about / SecAuditLog2
- SecAuditLogParts
- about / SecAuditLogParts
- SecAuditLogRelevantStatus
- about / SecAuditLogRelevantStatus
- SecAuditLogStorageDir
- about / SecAuditLogStorageDir
- SecAuditLogType
- about / SecAuditLogType
- SecChrootDir
- about / SecChrootDir
- SecComponentSignature
- about / SecComponentSignature
- SecContentInjection
- about / SecContentInjection
- SecCookieFormat
- about / SecCookieFormat
- SecDataDir
- about / SecDataDir
- SecDebugLog
- about / SecDebugLog
- SecDebugLogLevel
- about / SecDebugLogLevel
- SecDefaultAction
- about / SecDefaultAction
- SecGeoLookupDb
- about / SecGeoLookupDb
- SecMarker
- about / SecMarker
- SecPdfProtect
- about / SecPdfProtect
- SecPdfProtectMethod
- about / SecPdfProtectMethod
- SecPdfProtectSecret
- about / SecPdfProtectSecret
- SecPdfProtectTimeout
- about / SecPdfProtectTimeout
- SecPdfProtectTokenName
- about / SecPdfProtectTokenName
- SecRequestBodyInMemoryLimit
- about / SecRequestBodyInMemoryLimit
- SecRequestBodyLimit
- about / SecRequestBodyLimit
- SecRequestBodyNoFilesLimit
- about / SecRequestBodyNoFilesLimit
- SecResponseBodyAccess
- about / SecResponseBodyAccess
- SecResponseBodyLimit
- about / SecResponseBodyLimit
- SecResponseBodyLimitAction
- about / SecResponseBodyLimitAction
- SecResponseBodyMimeType
- about / SecResponseBodyMimeType
- SecRule
- syntax / SecRule syntax
- about / SecRule in practice, SecRule
- uncommon request methods, blocking / Blocking uncommon request methods
- timely access, restricting / Restricting access to certain times of day
- credit card leaks, detecting / Detecting credit card leaks
- requests, pausing for specified amount of time / Pausing requests for a specified amount of time
- SecRule, syntax
- using / SecRule syntax
- target / SecRule syntax
- collection / SecRule syntax
- operator part / SecRule syntax
- Actions / SecRule syntax
- example / SecRule syntax
- variables, standard / Variables and collections
- variables, collection / Variables and collections
- variables, list / Variables and collections
- transaction collection (TX) / The transaction collection
- data storage, between requests / Storing data between requests
- data storage, SESSION collection / Storing data between requests
- data storage, USER collection / Storing data between requests
- data storage, IP collection / Storing data between requests
- several variables, examining / Examining several variables
- quoted message / Quotes: Sometimes you need them and sometimes you don't
- SecRuleEngine
- about / SecRuleEngine
- SecRuleInheritance
- about / SecRuleInheritance
- SecRuleRemoveById
- about / SecRuleRemoveById
- SecRuleRemoveByMsg
- about / SecRuleRemoveByMsg
- SecRuleUpdateActionById
- about / SecRuleUpdateActionById
- SecServerSignature
- about / SecServerSignature
- SecTmpDir
- about / SecTmpDir
- SecUploadDir
- about / SecUploadDir
- SecUploadFileMode
- about / SecUploadFileMode
- SecWebAppId
- about / SecWebAppId
- SecRequestBodyAccess
- about / SecRequestBodyAccess
- Server Side Includes (SSI)
- about / Verifying that the jail works
- shell command execution
- chain of events / Shell command execution attempts
- Linux system commands / Shell command execution attempts
- shell scripts
- executing / Executing shell scripts
- alert emails, sending / Sending alert emails
- more detailed alert emails, sending / Sending more detailed alert emails
- file downloads, counting / Counting file downloads
- brute-force password guessing, blocking / Blocking brute-force password guessing
- source code
- unpacking / Unpacking the source code
- modsecurity/apache2 directory / Unpacking the source code
- modsecurity/doc directory / Unpacking the source code
- modsecurity/tools directory / Required additional libraries and files
- source code revelation
- preventing / Source code revelation
- SQL injection
- about / SQL injection
- performing, ways / Standard injection attempts, Writing data to files
- multiple data table retrieval, UNION used / Retrieving data from multiple tables with UNION
- multiple queries / Multiple queries in one call
- arbitrary files, reading / Reading arbitrary files
- preventing, steps / Preventing SQL injection attacks
- prepared statements, using / Preventing SQL injection attacks
- user data, sanitizing / Preventing SQL injection attacks
- t:lowercase transformation function, using / What to block
- Star
- about / Star
- Start new topic action
- securing / Securing the "Start New Topic" action
- string matching
- using / Simple string matching
T
- $ tar xfvz modsecurity-apache.tar.gz command
- about / Unpacking the source code
- transformation function
- about / Transformation functions
- applying / Transformation functions
- tweaks
- configuring / Configuration tweaks, Summary
- typical HTTP request
- about / A typical HTTP request
- event sequence / A typical HTTP request
U
- uploaded files
- inspecting / Inspecting uploaded files
V
- @verifyCC operator
- about / Detecting credit card leaks
- variables
- about / Variables
- ARGS / ARGS
- ARGS_COMBINED_SIZE / ARGS_COMBINED_SIZE
- ARGS_NAMES / ARGS_NAMES
- ARGS_GET / ARGS_GET
- ARGS_GET_NAMES / ARGS_GET_NAMES
- ARGS_POST / ARGS_POST
- ARGS_POST_NAMES / ARGS_POST_NAMES
- AUTH_TYPE / AUTH_TYPE
- ENV / ENV
- FILES / FILES
- FILES_COMBINED_SIZE / FILES_COMBINED_SIZE
- FILES_NAMES / FILES_NAMES
- FILES_SIZES / FILES_SIZES
- FILES_TMPNAMES / FILES_TMPNAMES
- GEO / GEO
- HIGHEST_SEVERITY / HIGHEST_SEVERITY
- MATCHED_VAR / MATCHED_VAR
- MATCHED_VAR_NAME / MATCHED_VAR_NAME
- MODSEC_BUILD / MODSEC_BUILD
- MULTIPART_CRLF_LF_LINES / MULTIPART_CRLF_LF_LINES
- MULTIPART_STRICT_ERROR / MULTIPART_STRICT_ERROR
- MULTIPART_UNMATCHED_BOUNDARY / MULTIPART_UNMATCHED_BOUNDARY
- PATH_INFO / PATH_INFO
- QUERY_STRING / QUERY_STRING
- REMOTE_ADDR / REMOTE_ADDR
- REMOTE_HOST / REMOTE_HOST
- REMOTE_PORT / REMOTE_PORT
- REMOTE_USER / REMOTE_USER
- REQBODY_PROCESSOR / REQBODY_PROCESSOR
- REQBODY_PROCESSOR_ERROR / REQBODY_PROCESSOR_ERROR
- REQBODY_PROCESSOR_ERROR_MSG / REQBODY_PROCESSOR_ERROR_MSG
- REQUEST_BASENAME / REQUEST_BASENAME
- REQUEST_BODY / REQUEST_BODY
- REQUEST_COOKIES / REQUEST_COOKIES
- REQUEST_COOKIES_NAMES / REQUEST_COOKIES_NAMES
- REQUEST_FILENAME / REQUEST_FILENAME
- REQUEST_HEADERS / REQUEST_HEADERS
- REQUEST_HEADERS_NAMES / REQUEST_HEADERS_NAMES
- REQUEST_LINE / REQUEST_LINE
- REQUEST_METHOD / REQUEST_METHOD
- REQUEST_PROTOCOL / REQUEST_PROTOCOL
- REQUEST_URI / REQUEST_URI
- REQUEST_URI_RAW / REQUEST_URI_RAW
- RESPONSE_BODY / RESPONSE_BODY
- RESPONSE_CONTENT_LENGTH / RESPONSE_CONTENT_LENGTH
- RESPONSE_CONTENT_TYPE / RESPONSE_CONTENT_TYPE
- RESPONSE_HEADERS / RESPONSE_HEADERS
- RESPONSE_HEADERS_NAMES / RESPONSE_HEADERS_NAMES
- RESPONSE_PROTOCOL / RESPONSE_PROTOCOL
- RESPONSE_STATUS / RESPONSE_STATUS
- RULE / RULE
- SCRIPT_BASENAME / SCRIPT_BASENAME
- SCRIPT_FILENAME / SCRIPT_FILENAME
- SCRIPT_GID / SCRIPT_GID
- SCRIPT_GROUPNAME / SCRIPT_GROUPNAME
- SCRIPT_MODE / SCRIPT_MODE
- SCRIPT_UID / SCRIPT_UID
- SCRIPT_USERNAME / SCRIPT_USERNAME
- SERVER_ADDR / SERVER_ADDR
- SERVER_NAME / SERVER_NAME
- SERVER_PORT / SERVER_PORT
- SESSION / SESSION
- SESSIONID / SESSIONID
- TIME / TIME
- TIME_DAY / TIME_DAY
- TIME_EPOCH / TIME_EPOCH
- TIME_HOUR / TIME_HOUR
- TIME_MIN / TIME_MIN
- TIME_MON / TIME_MON
- TIME_SEC / TIME_SEC
- TIME_WDAY / TIME_WDAY
- TIME_YEAR / TIME_YEAR
- TX / TX
- USERID / USERID
- virtual patch example
- about / From vulnerability discovery to virtual patch: An example
- patch, creating / Creating the patch
- web application, changing / Changing the web application for additional security
- testing / Testing your patches
- virtual patching
- need for / Why use virtual patching?
- advantages, speed / Speed
- advantages, stability / Stability
- advantages, flexibility / Flexibility
- advantages, cost-effectiveness / Cost-effectiveness
- creating / Creating a virtual patch
- real-life examples / Real-life examples
- visitors' geographical location, SecRule
- tracking / Tracking the geographical location of your visitors
- GEO collection, fields / GEO collection fields
- specific country users, blocking / Blocking users from specific countries
- requests, load balancing / Load balancing requests between servers on different continents
W
- WEBAPPID
- about / WEBAPPID
- web of trust concept
- WEBSERVER_ERROR_LOG
- about / WEBSERVER_ERROR_LOG
X
- XML
- about / XML
Y
- YaBB
- about / The web application
- installing / The web application
- cookies / Cookies