# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.9 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # This file will add Request Header Tagging which allows ModSecurity to communicate # any event/rule matches it finds with the downstream application server. The concept # is similar to that of Anti-SPAM apps for Email (such as SpamAssassin). # # The idea is that if the WAF is in a DetectionOnly mode, it can still share data # with the destination app server and then the app server may choose to inspect # the new WAF request headers and factor in this data into a possible blocking # decision. # # This concept is tremendously useful in a distributed architecture and/or when # there are Fraud Detection Systems at the app server layer that can correlate # the WAF data into the overall Fraud Score. This is also useful in Hosting # Environments where the decision to block may not be as clear. # SecRule TX:ANOMALY_SCORE "@eq 0" "phase:2,id:'900044',t:none,nolog,pass,skipAfter:END_HEADER_TAGGING" SecRule TX:/^\d/ "." "phase:2,id:'900045',t:none,nolog,pass,setvar:tx.counter=+1,setenv:matched_rule-%{tx.counter}=%{matched_var_name},setenv:anomaly_score=%{tx.anomaly_score},setenv:sql_injection_score=%{tx.sql_injection_score},setenv:xss_score=%{tx.xss_score}" RequestHeader append X-WAF-Events "%{matched_rule-1}e" env=matched_rule-1 RequestHeader append X-WAF-Events "%{matched_rule-2}e" env=matched_rule-2 RequestHeader append X-WAF-Events "%{matched_rule-3}e" env=matched_rule-3 RequestHeader append X-WAF-Events "%{matched_rule-4}e" env=matched_rule-4 RequestHeader append X-WAF-Events "%{matched_rule-5}e" env=matched_rule-5 RequestHeader append X-WAF-Events "%{matched_rule-6}e" env=matched_rule-6 RequestHeader append X-WAF-Events "%{matched_rule-7}e" env=matched_rule-7 RequestHeader append X-WAF-Events "%{matched_rule-8}e" env=matched_rule-8 RequestHeader append X-WAF-Events "%{matched_rule-9}e" env=matched_rule-9 RequestHeader append X-WAF-Events "%{matched_rule-10}e" env=matched_rule-10 RequestHeader append X-WAF-Events "%{matched_rule-11}e" env=matched_rule-11 RequestHeader append X-WAF-Events "%{matched_rule-12}e" env=matched_rule-12 RequestHeader append X-WAF-Events "%{matched_rule-13}e" env=matched_rule-13 RequestHeader append X-WAF-Events "%{matched_rule-14}e" env=matched_rule-14 RequestHeader append X-WAF-Events "%{matched_rule-15}e" env=matched_rule-15 RequestHeader append X-WAF-Events "%{matched_rule-16}e" env=matched_rule-16 RequestHeader append X-WAF-Events "%{matched_rule-17}e" env=matched_rule-17 RequestHeader append X-WAF-Events "%{matched_rule-18}e" env=matched_rule-18 RequestHeader append X-WAF-Events "%{matched_rule-19}e" env=matched_rule-19 RequestHeader append X-WAF-Events "%{matched_rule-20}e" env=matched_rule-20 RequestHeader set X-WAF-Score "Total=%{anomaly_score}e; sqli=%{sql_injection_score}e; xss=%{xss_score}e" env=anomaly_score SecMarker END_HEADER_TAGGING