[ root @ WEB conf ] # cat modsecurity.conf
# -- Rule engine initialization ----------------------------------------------
SecRuleEngine DetectionOnly #Configure the rule engine On: processing rules, Off: not processing rules, DetectionOnly: processing rules, not interrupting business
## -- Request body handling ---------------------------------------------------
# Allow ModSecurity to access request bodies. If you don't, ModSecurity
# won't be able to see any POST parameters, which opens a large security
# hole for attackers to exploit.
#
SecRequestBodyAccess On #Description: Configure whether ModSecurity processes or buffers the request body by default On: access the request body, Off: do not attempt to access the request body
#Note: If you plan to check POST_PAYLOAD, use this command. This command must be used together with the "phase: 2" processing phase action and the REQUEST_BODY variable/location. If any of these three parts is not configured, you cannot check the request body.
# Enable XML request body parser.
# Initiate XML Processor in case of xml content-type
#
SecRule REQUEST_HEADERS : Content - Type "(?:text|application)/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
# Enable JSON request body parser.
# Initiate JSON Processor in case of JSON content-type; change accordingly
# if your application does not use 'application/json'
#
SecRule REQUEST_HEADERS : Content - Type "application/json" \
"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
# Maximum request body size we will accept for buffering. If you support
# file uploads then the value given on the first line has to be as large
# as the largest file you are willing to accept. The second value refers
# to the size of data, with files excluded. You want to keep that value as
# low as practical.
#
SecRequestBodyLimit one hundred and thirty-four million two hundred and seventeen thousand seven hundred and twenty-eight #Configure the cache size of the maximum request body allowed by ModSecurity
#Note: The default value is 131072 KB (134217728 bytes). Anything exceeding this limit will be rejected. The prompt 413 indicates that the request body is too large. There is also a hard limit of 1GB.
SecRequestBodyNoFilesLimit one hundred and thirty-one thousand and seventy-two #: Configure the maximum buffer size of the request body allowed by ModSecurity, except the file size being transferred in the request. This instruction is convenient to reduce the impact of DoS attacks using some large-scale requests. Web applications that provide file upload services must configure SecRequestBodyLimit to a large value. Because large files are directly accessed to disk files, memory consumption will not be increased. However, it is still possible for someone to limit and send a large number of non upload requests by using the large request body. This directive eliminates this vulnerability.
#Note: The default is 1 MB (1048576 bytes). This value is relatively old. Most applications should reach 128KB or lower. Anything exceeding this limit will be rejected. The prompt is 413. The request body is too large. There is also a hard limit of 1GB.
# Store up to 128 KB of request body data in memory. When the multipart
# parser reachers this limit, it will start using your hard disk for
# storage. That is slow, but unavoidable.
#
SecRequestBodyInMemoryLimit one hundred and thirty-one thousand and seventy-two #Configure ModSecurity to use memory to save the maximum request body size. The default limit is 128 KB. The maximum size stored in memory is 128 KB
# What do do if the request body size is above our configured limit.
# Keep in mind that this setting will automatically be set to ProcessPartial
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
# disruptions when initially deploying ModSecurity.
#
SecRequestBodyLimitAction Reject #Reject: Reject, Process Partial: Render the first part of the request # What to do when the request exceeds the setting configured in the SecRequestBodyLimit policy. Requests larger than the collection are rejected by default.
# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
#
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
#
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200003', phase:2,t:none,log,deny,status:400, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
# Did we see anything that might be a boundary?
#
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
# PCRE Tuning
# We want to avoid a potential RegEx DoS condition
#
SecPcreMatchLimit one thousand #Set matching limits in the PCRE library.
SecPcreMatchLimitRecursion one thousand #Set the matching limit recursion in the PCRE library.
# Some internal errors will set flags in TX and we will need to look for these.
# All of these are prefixed with "MSC_". The following flags currently exist:
#
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
#
SecRule TX : /^ MSC_ / "!@streq 0" \
"id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
## -- Response body handling --------------------------------------------------
# Allow ModSecurity to access response bodies.
# You should have this directive enabled in order to identify errors
# and data leakage issues.
#
# Do keep in mind that enabling this directive does increases both
# memory consumption and response latency.
#
SecResponseBodyAccess On #Configure whether the response body is cached and analyzed On: Access to the response body only supports the use of MIME classes, Off: Do not attempt to access the response body
#Note: If you plan to check the HTML response, you need to use this command. This command must be used together with the "phase: 4" processing phase action and the REQUEST_BODY variable/location. If any of these three parts is not configured, you cannot check the request body.
# Which response MIME types do you want to inspect? You should adjust the
# configuration below to catch documents but avoid static files
# (e.g., images and archives).
#
SecResponseBodyMimeType text / plain text / html text / xml #Configure the recommended MIME type for the response data cache
# Buffer response bodies of up to 512 KB in length.
SecResponseBodyLimit five hundred and twenty-four thousand two hundred and eighty-eight #Configure the maximum response volume size allowed to cache
#Any exceeding this limit will be rejected, with a prompt of 500. Internal server error. This setting does not affect the MIME type response, and the cache does not mark this. There is a hard limit of 1GB.
# What happens when we encounter a response body larger than the configured
# limit? By default, we process what we have and let the rest through.
# That's somewhat less secure, but does not break any legitimate pages.
#
SecResponseBodyLimitAction ProcessPartial #Configure SecResponseBodyLimit to control the situation where the response body limit is encountered. By default, ModSecurity rejects the response body that exceeds the specified length. However, some Web sites will generate some very long responses, which will make it difficult to limit appropriately. This kind of website has to greatly increase the attention and put the limit in the first place (control the memory consumption). What can be selected is that when site restrictions occur, administrators can choose to check only the first part of the response, which can incorporate the ideal restrictions and let them pass. It can be proved that allowing partial responses without checking is a vulnerability, which is correct in theory, but only applicable to cases where an attacker controls the output (for example, it can be arbitrarily long). In any case, in this case, there is no way to prevent the vulnerability. Attackers can compress, scramble, or even encrypt data before sending it back, because they can traverse any monitoring device.
## -- Filesystem configuration ------------------------------------------------
# The location where ModSecurity stores temporary files (for example, when
# it needs to handle a file upload that is larger than the configured limit).
#
# This default setting is chosen due to all systems have /tmp available however,
# this is less than ideal. It is recommended that you specify a location that's private.
#
SecTmpDir / tmp / #Configure the path for temporary file creation
#You need to provide the writable permission of the apache user process. The location of this directory is also the location where apache will exchange data to the disk when it checks that the data runs out of memory (more data than specified by the SecRequestBodyInMemoryLimit command).
# The location where ModSecurity will keep its persistent data. This default setting
# is chosen due to all systems have /tmp available however, it
# too should be updated to a place that other users can't access.
#
SecDataDir / tmp / #Specify the path for storing continuous data (such as IP address data, session data, etc.)
#Note: initcol, setsid and setuid need this command, and the server user must be able to write to this directory
## -- File uploads handling configuration -------------------------------------
# The location where ModSecurity stores intercepted uploaded files. This
# location must be private to ModSecurity. You don't want other users on
# the server to access the files, do you?
#
#SecUploadDir/opt/modsecurity/var/upload/# Configure the directory where intercepted files are stored
# By default, only keep the files that were determined to be unusual
# in some way (by an external inspection script). For this to work you
# will also need at least one file inspection rule.
#
#SecUploadKeepFiles RelevantOnly # On: Save uploaded files, Off: Do not save uploaded files, RelevantOnly: Only save files confirmed to be related to requests # Configure whether to save intercepted files after transaction processing
# Uploaded files are by default created with permissions that do not allow
# any other user to access them. You may need to relax that if you want to
# interface ModSecurity to an external program (e.g., an anti-virus).
#
#SecUploadFileMode 0600 # Use octal number (same as chmod) to configure the mode (permission) of all uploaded files
## -- Debug log configuration -------------------------------------------------
# The default debug log configuration is to duplicate the error, warning
# and notice messages from the error log.
#
SecDebugLog / var / log / security / debug . log #Specify the path to the ModSecurity debug log file
SecDebugLogLevel three #Configuring verbose debug log data
#Note: Levels 1 to 3 are always used to generate Apache error logs, because you can always use level 0 as the default log level in the product, and level 5 is used for debugging. It is not recommended to use such high level logs in the product. Excessive logging will significantly improve the performance of the server.
## -- Audit log configuration -------------------------------------------------
# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
SecAuditEngine RelevantOnly #On: log all transactions by default, Off: log no transactions by default, RelevantOnly: log only transactions triggered by warning or error, or log some status codes that have been specially considered # Configure whether to start the audit log engine
SecAuditLogRelevantStatus "^(?:5|4(?!04))" #Which response status codes are configured is closely related to the purpose of the audit log
#Note: SecAuditEngine must be set to RelevantOnly, and its parameter is a regular expression.
#The main purpose of this command is to allow you to configure the unique transaction that generates special HTTP response status codes for audit. This command is usually used to reduce the overall size of the audit log file. Remember, if this parameter is used, the successful attack event with the return status code of 200 will not be recorded.
# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHZ #Define the portion of each transaction that is recorded in the audit log. Each part is represented by an independent letter. When a letter appears in the list, it means that the same part of each transaction will be recorded. See the following for the full list.
#Note: At this time, ModSecurity does not record the contents of the Apache use response (such as 404), or the server and date response headers.
#A - Audit log title (mandatory)
#B - Request Title
#C - Requestor (currently only exists for the requestor, and ModSecurity has been configured to intercept)
#D - Reserved for the intermediary response header, not yet implemented
#E - The man in the middle response body (currently only valid for intercepting response bodies configured and audit log engine records configured). The man in the middle response body is the same as the actual response body, unless ModSecurity intercepts the man in the middle response body. In this case, the actual response body contains error information (either the default error information of Apache or the error document page).
#F - Final response header (recent content transfer information added by Apache except for date and server title).
#G - Reserved for the actual response body, not yet implemented.
#H - Audit Log Index
#I - The replacement of this part C, when using multipart/form data coding, will be recorded with
#C The same data. In this case, the fake application/x-www-form-urlencoded content will be recorded, which contains information about the parameters, but not the file. If you don't want to use a file (usually large) to store your audit log, this is very convenient.
#J - Reserved. After implementation, this section will contain the information about uploading files using multipart/form data encoding.
#K - This section contains a complete list, which is matched in order (one for each line). These rules are fully qualified, indicating that the default actions and operations are inherited and supported from 2.5.0.
#Z - Final boundary, which means the end of the item (mandatory)
# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only ocassionally.
#
SecAuditLogType Serial #Configure the type of audit logging mechanism
#Serial - All audit log entries are stored in the main audit log record file. It is convenient to use at will, but it is slow because only one file can be opened at any time and only one audit log entry can be written.
#Concurrent - The audit log entries are stored in different files, one for each transaction. If you want to send the audit log data to the remote ModSecurity control host, use the Concurrent log mode.
SecAuditLog / var / log / security / modsec_audit . log #Define the main audit log file path
SecAuditLogDirMode 0777
SecAuditLogFileMode 0550
SecAuditLogStorageDir / var / log / security
SecAuditLogType Concurrent
# Specify the path for concurrent audit logging.
SecAuditLogStorageDir / var / log / security / audit / #Configure the path when simultaneously auditing log entries
## -- Miscellaneous -----------------------------------------------------------
# Use the most commonly used application/x-www-form-urlencoded parameter
# separator. There's probably only one application somewhere that uses
# something else so don't expect to change this value.
#
SecArgumentSeparator &# The specified characters are used as separators for application/x-www-form-urlencoded content. The default is&. In very few cases, applications will use semicolons (; ) 。
#This command is used for background WEB applications to use non-standard parameter separators. If this command is not properly set in each WEB application, ModSecurity may not be able to properly analyze all parameters, and the effect of rule matching may be significantly reduced.
# Settle on version 0 (zero) cookies, as that is what most applications
# use. Using an incorrect cookie version may open your installation to
# evasion attacks (against the rules that examine named cookies).
#
SecCookieFormat zero #Select the cookie format used in the current configuration text
#0 - Use version 0 (Netscape) cookies, which is used by most applications and is the default value
#1 - Use version 1 cookies
# Specify your Unicode Code Point.
# This mapping is used by the t:urlDecodeUni transformation function
# to properly map encoded data to your language. Properly setting
# these directives helps to reduce false positives and negatives.
#
SecUnicodeMapFile unicode . mapping twenty thousand one hundred and twenty-seven #Defines the path to the file that will be used by the urlDecodeUni transform function to map Unicode code points during normalization, and specifies the code points to use.
# Improve the quality of ModSecurity by sharing information about your
# current ModSecurity version and dependencies versions.
# The following information will be shared: ModSecurity version,
# Web Server version, APR version, PCRE version, Lua version, Libxml2
# version, Anonymous unique id for host.
SecStatusEngine On #Control the status report function. Use DNS based reports to send software version information to the ModSecurity project team.
SecRuleEngine off
include waf / crs - setup . conf
#include waf/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
include waf / rules / REQUEST - nine hundred and one - INITIALIZATION . conf
include waf / rules / REQUEST - nine hundred and five - COMMON - EXCEPTIONS . conf
include waf / rules / REQUEST - nine hundred and ten - IP - REPUTATION . conf
include waf / rules / REQUEST - nine hundred and eleven - METHOD - ENFORCEMENT . conf
include waf / rules / REQUEST - nine hundred and twelve - DOS - PROTECTION . conf
include waf / rules / REQUEST - nine hundred and thirteen - SCANNER - DETECTION . conf
include waf / rules / REQUEST - nine hundred and twenty - PROTOCOL - ENFORCEMENT . conf
include waf / rules / REQUEST - nine hundred and twenty-one - PROTOCOL - ATTACK . conf
include waf / rules / REQUEST - nine hundred and thirty - APPLICATION - ATTACK - LFI . conf
include waf / rules / REQUEST - nine hundred and thirty-one - APPLICATION - ATTACK - RFI . conf
include waf / rules / REQUEST - nine hundred and thirty-two - APPLICATION - ATTACK - RCE . conf
include waf / rules / REQUEST - nine hundred and thirty-three - APPLICATION - ATTACK - PHP . conf
include waf / rules / REQUEST - nine hundred and forty-one - APPLICATION - ATTACK - XSS . conf
include waf / rules / REQUEST - nine hundred and forty-two - APPLICATION - ATTACK - SQLI . conf
include waf / rules / REQUEST - nine hundred and forty-three - APPLICATION - ATTACK - SESSION - FIXATION . conf
include waf / rules / REQUEST - nine hundred and forty-nine - BLOCKING - EVALUATION . conf
include waf / rules / RESPONSE - nine hundred and fifty - DATA - LEAKAGES . conf
#include waf/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
include waf / rules / RESPONSE - nine hundred and fifty-two - DATA - LEAKAGES - JAVA . conf
include waf / rules / RESPONSE - nine hundred and fifty-three - DATA - LEAKAGES - PHP . conf
include waf / rules / RESPONSE - nine hundred and fifty-four - DATA - LEAKAGES - IIS . conf
include waf / rules / RESPONSE - nine hundred and fifty-nine - BLOCKING - EVALUATION . conf
include waf / rules / RESPONSE - nine hundred and eighty - CORRELATION . conf
#include waf/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf