ModSecurity Series Part 3: Rules (1) - Variables

The Rule Language is implemented using 9 directives

The rule language directives are as follows:

SecAction Performs an unconditional action. This directive is essentially a rule that always matches.
SecDefaultAction Specifies the default action list, which will be used in the rules that follow.
SecMarker Creates a marker that can be used in conjunction with the skipAfter action. A marker creates a rule that does nothing, but has an ID assigned to it.
SecRule Creates a rule.
SecRuleInheritance Controls whether rules are inherited in a child configuration context.
SecRuleRemoveById Removes the rule with the given ID.
SecRuleRemoveByMsg Removes the rule whose message matches the given regular expression.
SecRuleScript Creates a rule implemented using Lua.
SecRuleUpdateActionById Replaces the action list of the rule with the given ID with the supplied action list.

Rule format:

Every rule defined by SecRule conforms to the same format, as below:
SecRule VARIABLES OPERATOR [TRANSFORMATION_FUNCTIONS, ACTIONS]

Variables
Identify the parts of an HTTP transaction each rule works with. ModSecurity will extract information from every transaction and make it available, through variables, to rules to use. The important thing to remember about variables is that they are binary strings, meaning they can contain special characters and bytes of any value. Your sites may be restricting themselves to using only text in parameters, but that does not mean your adversaries will. In fact, your adversaries will use whatever helps them achieve their goals. A rule must specify one or more variables.
Operators
Specify how a (transformed) variable is to be analyzed. Regular expressions are the most popular choice, but ModSecurity supports many other operators, and you are even able to write your own. Only one operator is allowed per rule.
Transformation functions
A list of transformation functions that can be specified for every rule gives ModSecurity instructions on how each variable is to be changed before analysis can be done. Transformation functions are commonly used to counter evasion, but they can also be used to uncover data that was
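As an added example (not code from the page or from the ModSecurity project), the following Python function splits one SecRule line into the four parts of the format described above: variables (with "!" exclusions and ":selector" suffixes), the operator (a bare pattern is the implicit @rx), the t: transformation list and the remaining actions. The sample rule is constructed for the demonstration.

```python
import re
import shlex

# Constructed sample rule (not from the page) in the
# "SecRule VARIABLES OPERATOR [TRANSFORMATION_FUNCTIONS, ACTIONS]" form.
SAMPLE_RULE = (
    'SecRule ARGS|!ARGS:comment|REQUEST_HEADERS:User-Agent "@rx (?i)union.+select" '
    '"id:1001,phase:2,t:none,t:urlDecodeUni,t:lowercase,log,deny,msg:\'SQLi probe\'"'
)


def split_actions(spec):
    """Split an action list on commas that sit outside single-quoted values."""
    return [a.strip() for a in re.findall(r"(?:[^,']|'[^']*')+", spec) if a.strip()]


def parse_secrule(line):
    """Split one SecRule directive into its four parts.

    variables       -> list of (negated, collection_or_variable, selector)
    operator        -> (name, argument); a bare pattern means the implicit @rx
    transformations -> ordered t:... functions, applied before the operator runs
    actions         -> everything else as (name, argument_or_None)
    """
    tokens = shlex.split(line)  # honours the double-quoted operator/action strings
    if len(tokens) < 3 or tokens[0] != "SecRule":
        raise ValueError("not a SecRule directive")
    var_spec, op_spec = tokens[1], tokens[2]
    action_spec = tokens[3] if len(tokens) > 3 else ""

    variables = []
    for item in var_spec.split("|"):
        negated = item.startswith("!")
        name, _, selector = item.lstrip("!").partition(":")
        variables.append((negated, name, selector or None))

    if op_spec.startswith("@"):
        op_name, _, op_arg = op_spec[1:].partition(" ")
    else:
        op_name, op_arg = "rx", op_spec  # no "@": ModSecurity treats it as a regex

    transformations, actions = [], []
    for act in split_actions(action_spec):
        name, _, arg = act.partition(":")
        arg = arg.strip("'") or None
        if name == "t":
            transformations.append(arg)
        else:
            actions.append((name, arg))
    return {"variables": variables, "operator": (op_name, op_arg),
            "transformations": transformations, "actions": actions}
```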


Variables
In ModSecurity, variables are used to identify the exact place you want to look at in an HTTP transaction. One of the main features of ModSecurity is the fact that it pre-processes raw transaction data and makes it easy for the rules to focus on the logic of detection. There are 77 variables in the most recent version of ModSecurity; they are listed in Table 5.2, "Request variables".

Variable types

Regular variables
Contain only one piece of information, or one string. For example, REMOTE_ADDR always contains the IP address of the client.

Collections
Groups of regular variables. Some collections (e.g., ARGS) allow enumeration, making it possible to use its every member in a rule. Some other collections (e.g., ENV) are not as flexible, but there is always going to be some way to extract individual regular variables out of them.

Read-only collections
Many of the collections point to some data that cannot be modified, in which case the collection itself will be available only for reading.

Read/write collections
When a collection is not based on immutable data, ModSecurity will allow you to modify it. A good example of a read/write collection is TX, which is a collection that starts empty and exists only as long as the currently processed transaction exists.

Special collections
Sometimes a collection is just a handy mechanism to retrieve information from something that is not organised as a collection but can seem that way. This is the case with the XML collection, which takes an XPath expression as a (mandatory) parameter and allows you to extract values out of an XML file.

Persistent collections
Some collections can be stored and retrieved later. This feature allows you to adopt a wider view of


Request variables
Request variables are those extracted from the request part of the transaction that is being inspected. The variables that describe the request line (request method, URI and protocol information) and the request headers become available as early as phase 1, and the complete information will be available for phase 2.

ARGS Request parameters (read-only collection)
ARGS_COMBINED_SIZE Total size of all request parameters combined
ARGS_NAMES Request parameters’ names (collection)
ARGS_GET Query string parameters (read-only collection)
ARGS_GET_NAMES Query string parameters’ names (read-only collection)
ARGS_POST Request body parameters (read-only collection)
ARGS_POST_NAMES Request body parameters’ names (read-only collection)
FILES File names (read-only collection)
FILES_COMBINED_SIZE Combined size of all uploaded files
FILES_NAMES File parameter names (read-only collection)
FILES_SIZES A list of file sizes (read-only collection)
FILES_TMPNAMES A list of temporary file names (read-only collection)
PATH_INFO Extra path information
QUERY_STRING Request query string
REMOTE_USER Remote user
REQUEST_BASENAME Request URI basename
REQUEST_BODY Request body
REQUEST_COOKIES Request cookies (read-only collection)
REQUEST_COOKIES_NAMES Request cookies’ names (read-only collection)
REQUEST_FILENAME Request URI filename/path
REQUEST_HEADERS Request headers (read-only collection)
REQUEST_HEADERS_NAMES Request headers’ names (read-only collection)
REQUEST_LINE Request line
REQUEST_METHOD Request method
REQUEST_PROTOCOL Request protocol
REQUEST_URI Request URI, converted to exclude the hostname
REQUEST_URI_RAW Request URI, as it was presented in the request
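To make the request variables and the collection types above concrete, here is an added Python model (not ModSecurity's own code) that derives a subset of them from a constructed request and then expands a VARIABLES specification the way a rule would see it: regular variables are single strings, collections are enumerable lists of members, a ":selector" picks one member case-insensitively, and a leading "!" excludes members selected earlier. The sample request and the simplified cookie/argument parsing are assumptions for the demonstration.

```python
import posixpath
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request (not from the page): what ModSecurity holds after parsing.
SAMPLE_REQUEST = {
    "method": "POST",
    "uri": "/app/login.php?next=/home&debug=1",
    "headers": {"Host": "shop.example", "Cookie": "sid=abc123; lang=en"},
    "body": "user=alice&pass=s3cret",
}

def build_variables(req):
    """Populate a subset of the request variables listed above.
    Regular variables are strings; collections are lists of (name, value)."""
    parts = urlsplit(req["uri"])
    args_get = parse_qsl(parts.query, keep_blank_values=True)
    args_post = parse_qsl(req["body"], keep_blank_values=True) if req["method"] == "POST" else []
    args = args_get + args_post
    cookies = [tuple(c.strip().split("=", 1)) for c in req["headers"].get("Cookie", "").split(";") if "=" in c]
    return {
        "REQUEST_METHOD": req["method"],
        "REQUEST_URI": req["uri"],                 # hostname already excluded
        "REQUEST_FILENAME": parts.path,
        "REQUEST_BASENAME": posixpath.basename(parts.path),
        "ARGS_COMBINED_SIZE": str(sum(len(k) + len(v) for k, v in args)),  # names + values
        "ARGS": args, "ARGS_GET": args_get, "ARGS_POST": args_post,
        "ARGS_NAMES": [(k, k) for k, _ in args],
        "REQUEST_HEADERS": list(req["headers"].items()),
        "REQUEST_COOKIES": cookies,
        "TX": [],                                  # read/write, empty at transaction start
    }

def resolve(variables, spec):
    """Expand a VARIABLES spec like "ARGS|!ARGS:pass|REQUEST_HEADERS:Host" into
    the (full name, value) pairs the rule's operator would actually inspect."""
    selected = []
    for item in spec.split("|"):
        negated = item.startswith("!")
        name, _, selector = item.lstrip("!").partition(":")
        value = variables[name]
        if isinstance(value, list):   # collection: enumerate, selector is case-insensitive
            members = [(f"{name}:{k}", v) for k, v in value
                       if not selector or k.lower() == selector.lower()]
        else:                          # regular variable: exactly one string
            members = [(name, value)]
        if negated:                    # "!" removes members selected earlier in the spec
            selected = [m for m in selected if m not in members]
        else:
            selected += [m for m in members if m not in selected]
    return selected
```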


Server variables
Server variables contain the pieces of information available to the server, most of them valid only for the transaction being processed at the moment they are evaluated.

AUTH_TYPE Authentication type
REMOTE_ADDR Remote address
REMOTE_HOST Remote host
REMOTE_PORT Remote port
SCRIPT_BASENAME Script basename
SCRIPT_FILENAME Script filename/path
SCRIPT_GID Script group ID
SCRIPT_GROUPNAME Script group name
SCRIPT_MODE Script permissions
SCRIPT_UID Script user ID
SCRIPT_USERNAME Script user name
SERVER_ADDR Server address
SERVER_NAME Server name
SERVER_PORT Server port


Response variables
Response variables are those extracted from the response part of the transaction that is being inspected. Most response variables will be available in phase 3. The arguably most important response variable, RESPONSE_BODY, is only available in phase 4 (the phase is also called RESPONSE_BODY).

RESPONSE_BODY Response body
RESPONSE_CONTENT_LENGTH Response content length
RESPONSE_CONTENT_TYPE Response content type
RESPONSE_HEADERS Response headers (read-only collection)
RESPONSE_HEADERS_NAMES Response headers’ names (read-only collection)
RESPONSE_PROTOCOL Response protocol
RESPONSE_STATUS Response status code


Miscellaneous variables
Miscellaneous variables are exactly what they are called: they are the variables that couldn’t fit in any other category.

HIGHEST_SEVERITY Highest severity encountered
MATCHED_VAR Contents of the last variable that matched
MATCHED_VAR_NAME Name of the last variable that matched
MODSEC_BUILD ModSecurity build version (e.g., 02050102)
SESSIONID Session ID associated with current transaction
USERID User ID associated with current transaction
WEBAPPID Web application ID associated with current transaction
WEBSERVER_ERROR_LOG Error messages generated by Apache during current transaction


Parsing flags
Parsing flags are used by ModSecurity to signal important parsing events. The idea is to avoid taking implicit action (e.g., blocking in response to an invalid request), but to allow the rules to decide what to do.

MULTIPART_BOUNDARY_QUOTED Multipart parsing error: quoted boundary encountered
MULTIPART_BOUNDARY_WHITESPACE Multipart parsing error: whitespace in boundary
MULTIPART_CRLF_LF_LINES Multipart parsing error: mixed line endings used
MULTIPART_DATA_BEFORE Multipart parsing error: seen data before first boundary
MULTIPART_DATA_AFTER Multipart parsing error: seen data after last boundary
MULTIPART_HEADER_FOLDING Multipart parsing error: header folding used
MULTIPART_LF_LINE Multipart parsing error: LF line ending detected
MULTIPART_SEMICOLON_MISSING Multipart parsing error: missing semicolon before boundary
MULTIPART_STRICT_ERROR At least one multipart error other than MULTIPART_UNMATCHED_BOUNDARY occurred
MULTIPART_UNMATCHED_BOUNDARY Multipart parsing error: unmatched boundary detected (prone to false positives)
REQBODY_PROCESSOR Request processor that handled request body
REQBODY_PROCESSOR_ERROR Request processor error flag (0 or 1)
REQBODY_PROCESSOR_ERROR_MSG Request processor error message


Collections
Collections are the special kind of variables that can contain other variables. With the exception of the persistent collections, all collections are essentially one-offs: special variables that give access to the information to which ModSecurity has access.

ENV Environment variables (read-only collection, although it’s possible to use setvar to change it)
GEO Geo lookup information from the last @geoLookup invocation (read-only collection)
GLOBAL Global information, shared by all processes (read/write collection)
IP IP address data storage (read/write collection)
TX Transient transaction data (read/write collection)
RULE Current rule metadata (read-only collection)
SESSION Session data storage (read/write collection)
USER User data storage (read/write collection)
XML XML DOM tree (read-only collection)


Time variables
Time variables all represent the moment in time when the transaction that ModSecurity is processing began. They are listed in Table 5.8, "Time variables".
TIME Time (HH:MM:SS)
TIME_DAY Day of the month (1-31)
TIME_EPOCH Seconds since January 1, 1970 (e.g., 1251029017)
TIME_HOUR Hour of the day (0-23)
TIME_MIN Minute of the hour (0-59)
TIME_MON Month of the year (0-11)
TIME_SEC Second of the minute (0-59)
TIME_WDAY Week day (0-6)
TIME_YEAR Year


To be continued in the next part.
