Title:
ModSecurity 2.5 : Securing Your Apache Installation and Web Applications.
Author:
Mischel, Magnus.
ISBN:
9781847194756
Edition:
1st ed.
Physical Description:
1 online resource (340 pages)
Contents:
ModSecurity 2.5 -- Table of Contents -- ModSecurity 2.5 -- Credits -- About the Author -- About the Reviewers -- Preface -- What ModSecurity is -- Why you need ModSecurity -- What this book covers -- What you need for this book -- Who this book is for -- Conventions -- Reader feedback -- Customer support -- Errata -- Piracy -- Questions -- 1. Installation and Configuration -- Versions -- Downloading -- Checking the integrity of the downloaded source archive -- Unpacking the source code -- Required additional libraries and files -- Compilation -- Integrating ModSecurity with Apache -- Configuration file -- Completing the configuration -- Testing your installation -- Creating a simple ModSecurity rule -- Disguising the web server signature -- Summary -- 2. Writing Rules -- SecRule syntax -- Variables and collections -- The transaction collection -- Storing data between requests -- Examining several variables -- Quotes: Sometimes you need them and sometimes you don't -- Creating chained rules -- Rule IDs -- An introduction to regular expressions -- Examples of regular expressions -- More about regular expressions -- Using @rx to block a remote host -- Simple string matching -- Matching numbers -- More about collections -- Counting items in collections -- Filtering collection fields using a regular expression -- Built-in fields -- Transformation functions -- Other operators -- Set-based pattern matching with @pm and @pmFromFile -- @pmFromFile -- Performance of the phrase matching operators -- Validating character ranges -- Phases and rule ordering -- Actions-what to do when a rule matches -- Allowing requests -- Blocking requests -- Taking no action but continuing rule processing -- Dropping requests -- Redirecting and proxying requests -- SecAction -- Using the ctl action to control the rule engine -- How to use the ctl action -- Macro expansion.
SecRule in practice -- Blocking uncommon request methods -- Restricting access to certain times of day -- Detecting credit card leaks -- Detecting credit card numbers -- The Luhn algorithm and false positives -- Tracking the geographical location of your visitors -- GEO collection fields -- Blocking users from specific countries -- Load balancing requests between servers on different continents -- Pausing requests for a specified amount of time -- Executing shell scripts -- Sending alert emails -- Sending more detailed alert emails -- Counting file downloads -- Blocking brute-force password guessing -- Injecting data into responses -- Inspecting uploaded files -- Summary -- 3. Performance -- A typical HTTP request -- A real-world performance test -- The core ruleset -- Installing the core ruleset -- Making sure it works -- Performance testing basics -- Using httperf -- Getting a baseline: Testing without ModSecurity -- Response time -- Memory usage -- CPU usage -- ModSecurity without any loaded rules -- ModSecurity with the core ruleset loaded -- Response time -- Memory usage -- Finding the bottleneck -- Wrapping up core ruleset performance -- Optimizing performance -- Memory consumption -- Bypassing inspection of static content -- Using @pm and @pmFromFile -- Logging -- Writing regular expressions for best performance -- Use non-capturing parentheses wherever possible -- Use one regular expression whenever possible -- Summary -- 4. Audit Logging -- Enabling the audit log engine -- Single versus multiple file logging -- Determining what to log -- The configuration so far -- Log format -- Concurrent logging -- Selectively disabling logging -- Audit log sanitization actions -- The ModSecurity Console -- Installing the ModSecurity Console -- Accessing the Console -- Compiling mlogc -- Configuring mlogc -- Forwarding logs to the ModSecurity Console.
Summary -- 5. Virtual Patching -- Why use virtual patching? -- Speed -- Stability -- Flexibility -- Cost-effectiveness -- Creating a virtual patch -- From vulnerability discovery to virtual patch: An example -- Creating the patch -- Changing the web application for additional security -- Testing your patches -- Real-life examples -- Geeklog -- Patching Geeklog -- Cross-site scripting -- Real-life example: The Twitter worm -- Summary -- 6. Blocking Common Attacks -- HTTP fingerprinting -- How HTTP fingerprinting works -- Server banner -- Response header -- HTTP protocol responses -- Issuing an HTTP DELETE request -- Bad HTTP version numbers -- Bad protocol name -- The ETag HTTP header -- Using ModSecurity to defeat HTTP fingerprinting -- Blocking proxied requests -- Cross-site scripting -- Preventing XSS attacks -- PDF XSS protection -- HttpOnly cookies to prevent XSS attacks -- Session identifiers -- Cross-site request forgeries -- Protecting against cross-site request forgeries -- Shell command execution attempts -- Null byte attacks -- ModSecurity and null bytes -- Source code revelation -- Directory traversal attacks -- Blog spam -- SQL injection -- Standard injection attempts -- Retrieving data from multiple tables with UNION -- Multiple queries in one call -- Reading arbitrary files -- Writing data to files -- Preventing SQL injection attacks -- What to block -- Website defacement -- Brute force attacks -- Directory indexing -- Detecting the real IP address of an attacker -- Summary -- 7. Chroot Jails -- What is a chroot jail? -- A sample attack -- Traditional chrooting -- How ModSecurity helps jailing Apache -- Using ModSecurity to create a chroot jail -- Verifying that the jail works -- Chroot caveats -- Summary -- 8. REMO -- More about Remo -- Installation -- Remo rules -- Creating and editing rules -- Installing the rules.
Analyzing log files -- Configuration tweaks -- Summary -- 9. Protecting a Web Application -- Considerations before beginning -- The web application -- Groundwork -- Step 1: Identifying user actions -- Step 2: Getting detailed information on each action -- Step 3: Writing rules -- Step 4: Testing the new ruleset -- Actions -- Blocking what's allowed-denying everything else -- Cookies -- Headers -- Securing the "Start New Topic" action -- The ruleset so far -- The finished ruleset -- Alternative approaches -- Keeping everything up to date -- Summary -- A. Directives and Variables -- Directives -- SecAction -- SecArgumentSeparator -- SecAuditEngine -- SecAuditLog -- SecAuditLog2 -- SecAuditLogParts -- SecAuditLogRelevantStatus -- SecAuditLogStorageDir -- SecAuditLogType -- SecCacheTransformations (deprecated/experimental) -- SecChrootDir -- SecComponentSignature -- SecContentInjection -- SecCookieFormat -- SecDataDir -- SecDebugLog -- SecDebugLogLevel -- SecDefaultAction -- SecGeoLookupDb -- SecGuardianLog -- SecMarker -- SecPdfProtect -- SecPdfProtectMethod -- SecPdfProtectSecret -- SecPdfProtectTimeout -- SecPdfProtectTokenName -- SecRequestBodyAccess -- SecRequestBodyLimit -- SecRequestBodyNoFilesLimit -- SecRequestBodyInMemoryLimit -- SecResponseBodyLimit -- SecResponseBodyLimitAction -- SecResponseBodyMimeType -- SecResponseBodyMimeTypesClear -- SecResponseBodyAccess -- SecRule -- SecRuleInheritance -- SecRuleEngine -- SecRuleRemoveById -- SecRuleRemoveByMsg -- SecRuleUpdateActionById -- SecServerSignature -- SecTmpDir -- SecUploadDir -- SecUploadFileMode -- SecUploadKeepFiles -- SecWebAppId -- Variables -- ARGS -- ARGS_COMBINED_SIZE -- ARGS_NAMES -- ARGS_GET -- ARGS_GET_NAMES -- ARGS_POST -- ARGS_POST_NAMES -- AUTH_TYPE -- ENV -- FILES -- FILES_COMBINED_SIZE -- FILES_NAMES -- FILES_SIZES -- FILES_TMPNAMES -- GEO -- HIGHEST_SEVERITY -- MATCHED_VAR.
MATCHED_VAR_NAME -- MODSEC_BUILD -- MULTIPART_CRLF_LF_LINES -- MULTIPART_STRICT_ERROR -- MULTIPART_UNMATCHED_BOUNDARY -- PATH_INFO -- QUERY_STRING -- REMOTE_ADDR -- REMOTE_HOST -- REMOTE_PORT -- REMOTE_USER -- REQBODY_PROCESSOR -- REQBODY_PROCESSOR_ERROR -- REQBODY_PROCESSOR_ERROR_MSG -- REQUEST_BASENAME -- REQUEST_BODY -- REQUEST_COOKIES -- REQUEST_COOKIES_NAMES -- REQUEST_FILENAME -- REQUEST_HEADERS -- REQUEST_HEADERS_NAMES -- REQUEST_LINE -- REQUEST_METHOD -- REQUEST_PROTOCOL -- REQUEST_URI -- REQUEST_URI_RAW -- RESPONSE_BODY -- RESPONSE_CONTENT_LENGTH -- RESPONSE_CONTENT_TYPE -- RESPONSE_HEADERS -- RESPONSE_HEADERS_NAMES -- RESPONSE_PROTOCOL -- RESPONSE_STATUS -- RULE -- SCRIPT_BASENAME -- SCRIPT_FILENAME -- SCRIPT_GID -- SCRIPT_GROUPNAME -- SCRIPT_MODE -- SCRIPT_UID -- SCRIPT_USERNAME -- SERVER_ADDR -- SERVER_NAME -- SERVER_PORT -- SESSION -- SESSIONID -- TIME -- TIME_DAY -- TIME_EPOCH -- TIME_HOUR -- TIME_MIN -- TIME_MON -- TIME_SEC -- TIME_WDAY -- TIME_YEAR -- TX -- USERID -- WEBAPPID -- WEBSERVER_ERROR_LOG -- XML -- B. Regular Expressions -- What is a regular expression? -- Regular expression flavors -- Example of a regular expression -- Identifying an email address -- The Dot character -- Quantifiers-star, plus, and question mark -- Question Mark -- Star -- Plus sign -- Grouping -- Ranges -- Alternation -- Backreferences -- Captures and ModSecurity -- Non-capturing parentheses -- Character classes -- Negated matching -- Shorthand notation -- Anchors -- Start and end of string -- Word Boundary -- Lazy quantifiers -- Debugging regular expressions -- Additional resources -- Our email address regex -- Summary -- Index.
Abstract:
Prevent web application hacking with this easy to use guide.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.