File: modsecurity_crs_49_header_tagging.conf

package info (click to toggle)
modsecurity-crs 2.2.9-1+deb8u1
  • links: PTS
  • area: main
  • in suites: jessie
  • size: 3,064 kB
  • ctags: 219
  • sloc: perl: 1,002; ansic: 727; ruby: 69; makefile: 18
file content (52 lines) | stat: -rw-r--r-- 3,216 bytes parent folder | download | duplicates (2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.9
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under 
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------


# This file will add Request Header Tagging which allows ModSecurity to communicate
# any event/rule matches it finds with the downstream application server.  The concept
# is similar to that of Anti-SPAM apps for Email (such as SpamAssassin).
#
# The idea is that if the WAF is in a DetectionOnly mode, it can still share data
# with the destination app server and then the app server may choose to inspect
# the new WAF request headers and factor in this data into a possible blocking
# decision.
#
# This concept is tremendously useful in a distributed architecture and/or when
# there are Fraud Detection Systems at the app server layer that can correlate
# the WAF data into the overall Fraud Score.  This is also useful in Hosting
# Environments where the decision to block may not be as clear.
#

SecRule TX:ANOMALY_SCORE "@eq 0" "phase:2,id:'900044',t:none,nolog,pass,skipAfter:END_HEADER_TAGGING"

SecRule TX:/^\d/ "." "phase:2,id:'900045',t:none,nolog,pass,setvar:tx.counter=+1,setenv:matched_rule-%{tx.counter}=%{matched_var_name},setenv:anomaly_score=%{tx.anomaly_score},setenv:sql_injection_score=%{tx.sql_injection_score},setenv:xss_score=%{tx.xss_score}"

RequestHeader append X-WAF-Events "%{matched_rule-1}e" env=matched_rule-1
RequestHeader append X-WAF-Events "%{matched_rule-2}e" env=matched_rule-2
RequestHeader append X-WAF-Events "%{matched_rule-3}e" env=matched_rule-3
RequestHeader append X-WAF-Events "%{matched_rule-4}e" env=matched_rule-4
RequestHeader append X-WAF-Events "%{matched_rule-5}e" env=matched_rule-5
RequestHeader append X-WAF-Events "%{matched_rule-6}e" env=matched_rule-6
RequestHeader append X-WAF-Events "%{matched_rule-7}e" env=matched_rule-7
RequestHeader append X-WAF-Events "%{matched_rule-8}e" env=matched_rule-8
RequestHeader append X-WAF-Events "%{matched_rule-9}e" env=matched_rule-9
RequestHeader append X-WAF-Events "%{matched_rule-10}e" env=matched_rule-10
RequestHeader append X-WAF-Events "%{matched_rule-11}e" env=matched_rule-11
RequestHeader append X-WAF-Events "%{matched_rule-12}e" env=matched_rule-12
RequestHeader append X-WAF-Events "%{matched_rule-13}e" env=matched_rule-13
RequestHeader append X-WAF-Events "%{matched_rule-14}e" env=matched_rule-14
RequestHeader append X-WAF-Events "%{matched_rule-15}e" env=matched_rule-15
RequestHeader append X-WAF-Events "%{matched_rule-16}e" env=matched_rule-16
RequestHeader append X-WAF-Events "%{matched_rule-17}e" env=matched_rule-17
RequestHeader append X-WAF-Events "%{matched_rule-18}e" env=matched_rule-18
RequestHeader append X-WAF-Events "%{matched_rule-19}e" env=matched_rule-19
RequestHeader append X-WAF-Events "%{matched_rule-20}e" env=matched_rule-20
RequestHeader set X-WAF-Score "Total=%{anomaly_score}e; sqli=%{sql_injection_score}e; xss=%{xss_score}e" env=anomaly_score

SecMarker END_HEADER_TAGGING