Each action belongs to one of five groups:
Disruptive actions; can only appear in the first rule in a chain.
Non-disruptive actions; can appear anywhere.
Flow actions; can appear only in the first rule in a chain.
Meta-data actions (id
,
rev
, severity
,
msg
); can only appear in the first rule in a
chain.
Data actions - can appear anywhere; these actions are completely passive and only serve to carry data used by other actions.
When used together with the regular expression operator capture action will create copies of regular expression captures and place them into the transaction variable collection. Up to ten captures will be copied on a successful pattern match, each with a name consisting of a digit from 0 to 9.
Chains the rule where the action is placed with the rule that immediately follows it. The result is called a rule chain.
# Refuse to accept POST requests that do # not specify request body length SecRule REQUEST_METHOD ^POST$ chain SecRule REQUEST_HEADER:Content-Length ^$
The ctl action allows configuration options to be updated for the transaction. The following configuration options are supported:
auditEngine
-
auditLogParts
-
debugLogLevel
-
requestBodyAccess
-
requestBodyLimit
-
requestBodyProcessor
-
responseBodyAccess
-
responseBodyLimit
-
ruleEngine
-
With the exception of requestBodyProcessor
,
each configuration option corresponds to one configuration directive and
the usage is identical.
The requestBodyProcessor option allows you to configure the
request body processor. By default ModSecurity will use the
URLENCODED
and MULTIPART
processors to process an
application/x-www-form-urlencoded
and a
multipart/form-data
body, respectively. A third
processor, XML, is also supported, but it is never used implicitly.
Instead you must tell ModSecurity to use it by placing a few rules in
the REQUEST_HEADERS
processing phase.
# Parse requests with Content-Type "text/xml" as XML SecRule REQUEST_CONTENT_TYPE ^text/xml nolog,pass,ctl:requestBodyProcessor=XML
After the request body was processed as XML you will be able to use the XML-related features to inspect it.
Request body processors will not interrupt a transaction if an
error occurs during parsing. Instead they will set variables
REQBODY_PROCESSOR_ERROR
and
REQBODY_PROCESSOR_ERROR_MSG
. These variables should
be inspected in the REQUEST_BODY
phase and an
appropriate action taken.
Decrement counter based on its age. The following example will decrement the counter by 60 every 300 seconds.
deprecatevar:session.score=60/300
Counter values are always positive, meaning the value will never go below zero.
Note: causes error message to appear in the log "(9)Bad file descriptor: core_output_filter: writing data to the network"
Configures collection variable to expire after the given time in seconds.
expirevar:session.suspicious=3600
Initialises a named persistent collection, either by loading data from storage or by creating a new collection in memory. The following example initiates IP address tracking.
initcol:ip=%{REMOTE_ADDR}
Every collection contains several built-in variables that are read-only:
CREATE_TIME
-
KEY
-
LAST_UPDATE_TIME
-
TIMEOUT
-
UPDATE_COUNTER
-
UPDATE_RATE
- collection updates per
minute.
Collections are loaded into memory when the initcol action is encountered. The collection in storage will be updated (and the appropriate counters increased) only if it was changed during transaction processing.
To create a collection to hold session variables
(SESSION
) use action setsid
. To
create a collection to hold user variables (USER
)
use action setuid
.
At this time it is only possible to have three collections:
IP
, SESSION
, and
USER
.
If enabled ModSecurity will perform multiple operator invocations for every target, before and after every anti-evasion transformation is performed.
Indicates that a successful match of the rule should not be used as criteria whether the transaction should be logged to the audit log.
Continues processing with the next rule in spite of a successful match. Transaction will not be interrupted but it will be logged (unless logging has been suppressed).
Intercepts transaction by issuing a redirect to the given
location. If the status
action is present and its
value is acceptable (301, 302, 303, or 307) it will be used for the
redirection. Otherwise status code 302 will be used.
Specifies rule revision. This action is used in combination with
the id
action to allow the same rule ID to be used
after changes take place but to still provide some indication the rule
changed.
Sanitises (replaces each byte with an asterisk) a named request argument prior to audit logging.
sanitiseArg:password
Sanitises the variable (request argument, request header, or response header) that caused a rule match. This action can be used to sanitise arbitrary transaction elements when they match a condition. For example, the example below will sanitise any argument that contains the word password in the name.
SecRule ARGS_NAMES password nolog,pass,sanitiseMatched
Special-purpose action that initialises the
USER
collection. After initialisation takes place the
variable USERID
will be available for use in the
subsequent rules.
Special-purpose action that initialises the
SESSION
collection. On first invocation of this
action the collection will be empty (not taking the pre-defined
variables into account - see initcol
for more
information). On subsequent invocations the contents of the collection
(session, in this case) will be retrieved from storage. After
initialisation takes place the variable SESSIONID
will be available for use in the subsequent rules.
# Initialise session variables using the session cookie value SecRule REQUEST_COOKIES:PHPSESSID !^$ chain,nolog,pass SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
This action understands each application maintains its own set of sessions. It will utilise the current web application ID to create a session namespace.
Creates, removes, or updates an environment variable. This action can be used to establish communication with other Apache modules.
To create a new variable (if you omit the value
1
will be used):
setenv:name=value
To remove a variable:
setenv:!name
Creates, removes, or updates a variable in the specified collection.
To create a new variable:
setvar:tx.score=10
To remove a variable prefix the name with exclamation mark:
setvar:!tx.score
To increase or decrease variable value use +
and -
characters in front of a numerical
value:
setvar:tx.score=+5
Skips one or more rules (or chains) on successful match. This action can not be used to skip rules within one chain.
Accepts a single paramater denoting the number of rules (or chains) to skip.
skip:3
This action can be used which transformation function should be used against the specified variables before they (or the results, rather) are run against the operator specified in the rule.