Apache Security - Ivan Ristic [190]
* * *
Although broad rules are easy to write, they usually do not work well in real life. Their use significantly increases the chances of introducing false positives and reducing system availability to its legitimate users (not to mention the annoyance they cause). A much better approach to rule design is to consider the impact and only apply rules to certain parts of HTTP requests. This is what SecFilterSelective is for. For example, the following rule will look for the keyword only in the query string:
SecFilterSelective QUERY_STRING KEYWORD
The QUERY_STRING variable is one of the supported variables. The complete list is given in Table 12-1 (standard variables, also available to mod_rewrite and CGI scripts) and Table 12-2 (extended variables specific to mod_security). In most cases, the variable names are the same as those used by mod_rewrite and the CGI specification.
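To make the false-positive argument concrete, here is an added example (not code from the book or from mod_security) that splits a request line into the Table 12-1 variables and evaluates a broad SecFilter-style rule beside a SecFilterSelective-style one. It assumes a fixed list of script names in place of Apache's real URI-to-script mapping, and models the `A|B` variable list and leading `!` negation of mod_security 1.x rules.

```python
import re
from urllib.parse import urlsplit


def request_variables(request_line, script_names=("/view.php",)):
    """Split a request line into the standard variables from Table 12-1.
    script_names stands in for Apache's URI-to-script mapping (assumption)."""
    method, uri, protocol = request_line.split(" ", 2)
    parts = urlsplit(uri)
    script = next((s for s in script_names if parts.path.startswith(s)), parts.path)
    return {
        "THE_REQUEST": request_line,
        "REQUEST_METHOD": method,
        "REQUEST_URI": uri,
        "SERVER_PROTOCOL": protocol,
        "PATH_INFO": parts.path[len(script):],   # "/view.php/5" -> "/5"
        "QUERY_STRING": parts.query,              # "id=5"
    }


def sec_filter(pattern, variables):
    """Broad rule: SecFilter looks for the pattern anywhere in the request line."""
    return re.search(pattern, variables["THE_REQUEST"]) is not None


def sec_filter_selective(spec, pattern, variables):
    """SecFilterSelective: 'A|B' tests several variables; a leading '!' negates,
    so the rule fires when a listed variable does NOT match the pattern."""
    negate = pattern.startswith("!")
    regex = re.compile(pattern[1:] if negate else pattern)
    for name in spec.split("|"):
        matched = regex.search(variables.get(name, "")) is not None
        if matched != negate:
            return True
    return False


def evaluate(request_line):
    """Return which rules fire for one request line (constructed rule set)."""
    v = request_variables(request_line)
    return {
        "broad_SecFilter": sec_filter("delete", v),
        "selective_QUERY_STRING": sec_filter_selective("QUERY_STRING", "delete", v),
        "method_allowlist": sec_filter_selective("REQUEST_METHOD", "!^(GET|POST|HEAD)$", v),
    }


if __name__ == "__main__":
    # A legitimate page whose path merely contains the keyword trips only the broad rule.
    print(evaluate("GET /view.php/delete-policy HTTP/1.0"))
    print(evaluate("GET /view.php?id=5;delete HTTP/1.0"))
```

Running it shows the broad rule flagging `/view.php/delete-policy` while the QUERY_STRING-scoped rule leaves it alone and still catches the same keyword when it appears in `id=5;delete`.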
Table 12-1. Standard rule variables

| Variable name | Description |
|---|---|
| REMOTE_ADDR | IP address of the client. |
| REMOTE_HOST | Host name of the client, when available. |
| REMOTE_USER | Authenticated username, when available. |
| REMOTE_IDENT | Remote username (provided by the identd daemon, but almost no one uses it any more). |
| REQUEST_METHOD | Request method (e.g., GET, POST). |
| SCRIPT_FILENAME | Full system path for the script being executed. |
| PATH_INFO | The extra part of the URI given after the script name. For example, if the URI is /view.php/5, the value of PATH_INFO is /5. |
| QUERY_STRING | The part of the URI after the question mark, when available (e.g., id=5). |
| AUTH_TYPE | The string Basic or Digest, when available. |
| DOCUMENT_ROOT | Path to the document root, as specified with the DocumentRoot directive. |
| SERVER_ADMIN | The email address of the server administrator, as specified with the ServerAdmin directive. |
| SERVER_NAME | The hostname of the server, as specified with the ServerName directive. |
| SERVER_ADDR | The IP address of the server where the request was received. |
| SERVER_PORT | Server port where the request was received. |
| SERVER_PROTOCOL | The protocol specified in the request (e.g., HTTP/1.1). |
| SERVER_SOFTWARE | Apache version, as configured with ServerTokens. |
| TIME_YEAR | Current year (e.g., 2004). |
| TIME_MON | Current month as a number (e.g., 10 for October). |
| TIME_DAY | Current day of month as a number. |
| TIME_HOUR | Current hour as a number in a 24-hour day (e.g., 14 for 2 PM). |
| TIME_MIN | Current minute. |
| TIME_SEC | Current second. |
| TIME_WDAY | Current weekday as a number (e.g., 4 for Thursday when Monday is considered to be the first day of the week). |
| TIME | Current time as a combination of the individual elements listed above, in the form YmdHMS (e.g., 20041014144619 for October 14 2004, 14:46:19). |
| THE_REQUEST | Complete first line of the request (e.g., GET /view.php?id=5 HTTP/1.0). |
| REQUEST_URI | The second token on the request line (e.g., /view.php?id=5). |
| REQUEST_FILENAME | A synonym for SCRIPT_FILENAME. |
Table 12-2. Extended rule variables

| Variable name | Description |
|---|---|
| POST_PAYLOAD | Gives access to the raw request body, except for requests using the multipart/form-data encoding (which is required for file uploads). In such cases, the request body will probably contain binary data and interfere with regular expressions. To get around this problem, mod_security takes the original request apart and re-creates and gives access to a fake request body in the application/x-form-urlencoded format, effectively hiding the differences |