Table of Contents
ModSecurity® Reference Manual
Current as of v2.6 v2.7 v2.8 v2.9 v3.0
Copyright © 2004-2022 Trustwave Holdings, Inc.
Table of Contents
Introduction
HTTP Traffic Logging
Real-Time Monitoring and Attack Detection
Attack Prevention and Virtual Patching
Flexible Rule Engine
Embedded-mode Deployment
Network-based Deployment
Portability
Licensing
Installation for Apache
Prerequisites
ModSecurity 2.x works only with Apache 2.0.x or higher
mod_uniqueid
libapr and libapr-util
libpcre
libxml2
liblua v5.x.x
libcurl v7.15.1 or higher
Installation Methods
GitHub Access
Stable Release Download
Installation Steps
UNIX
Windows (MS VC++ 8)
Edit the main Apache httpd config file (usually httpd.conf)
Configure ModSecurity
Start Apache httpd
NGINX
Installation for Microsoft IIS
Manually Installing and Troubleshooting Setup of ModSecurity Module on IIS
Configuration
Common Problems
Configuration Directives
SecAction
SecArgumentSeparator
SecArgumentsLimit
SecAuditEngine
SecAuditLog
SecAuditLog2
SecAuditLogDirMode
SecAuditLogFormat
SecAuditLogFileMode
SecAuditLogParts
SecAuditLogRelevantStatus
SecAuditLogStorageDir
SecAuditLogType
SecCacheTransformations
SecChrootDir
SecCollectionTimeout
SecComponentSignature
SecConnEngine
SecContentInjection
SecCookieFormat
SecCookieV0Separator
SecDataDir
SecDebugLog
SecDebugLogLevel
SecDefaultAction
SecDisableBackendCompression
SecHashEngine
SecHashKey
SecHashParam
SecHashMethodRx
SecHashMethodPm
SecGeoLookupDb
SecGsbLookupDb
SecGuardianLog
SecHttpBlKey
SecInterceptOnError
SecMarker
SecPcreMatchLimit
SecPcreMatchLimitRecursion
SecReadStateLimit
SecConnReadStateLimit
SecSensorId
SecWriteStateLimit
SecConnWriteStateLimit
SecRemoteRules
SecRemoteRulesFailAction
SecRequestBodyAccess
SecRequestBodyInMemoryLimit
SecRequestBodyJsonDepthLimit
SecRequestBodyLimit
SecRequestBodyNoFilesLimit
SecRequestBodyLimitAction
SecResponseBodyLimit
SecResponseBodyLimitAction
SecResponseBodyMimeType
SecResponseBodyMimeTypesClear
SecResponseBodyAccess
SecRule
SecRuleInheritance
SecRuleEngine
SecRulePerfTime
SecRuleRemoveById
SecRuleRemoveByMsg
SecRuleRemoveByTag
SecRuleScript
SecRuleUpdateActionById
SecRuleUpdateTargetById
SecRuleUpdateTargetByMsg
SecRuleUpdateTargetByTag
SecServerSignature
SecStatusEngine
SecStreamInBodyInspection
SecStreamOutBodyInspection
SecTmpDir
SecUnicodeMapFile
SecUnicodeCodePage
SecUploadDir
SecUploadFileLimit
SecUploadFileMode
SecUploadKeepFiles
SecWebAppId
SecXmlExternalEntity
Processing Phases
Phase Request Headers
Phase Request Body
Phase Response Headers
Phase Response Body
Phase Logging
Variables
ARGS
ARGS_COMBINED_SIZE
ARGS_GET
ARGS_GET_NAMES
ARGS_NAMES
ARGS_POST
ARGS_POST_NAMES
AUTH_TYPE
DURATION
ENV
FILES
FILES_COMBINED_SIZE
FILES_NAMES
FULL_REQUEST
FULL_REQUEST_LENGTH
FILES_SIZES
FILES_TMPNAMES
FILES_TMP_CONTENT
GEO
HIGHEST_SEVERITY
INBOUND_DATA_ERROR
MATCHED_VAR
MATCHED_VARS
MATCHED_VAR_NAME
MATCHED_VARS_NAMES
MODSEC_BUILD
MULTIPART_CRLF_LF_LINES
MULTIPART_FILENAME
MULTIPART_NAME
MULTIPART_PART_HEADERS
MULTIPART_STRICT_ERROR
MULTIPART_UNMATCHED_BOUNDARY
OUTBOUND_DATA_ERROR
PATH_INFO
PERF_ALL
PERF_COMBINED
PERF_GC
PERF_LOGGING
PERF_PHASE1
PERF_PHASE2
PERF_PHASE3
PERF_PHASE4
PERF_PHASE5
PERF_RULES
PERF_SREAD
PERF_SWRITE
QUERY_STRING
REMOTE_ADDR
REMOTE_HOST
REMOTE_PORT
REMOTE_USER
REQBODY_ERROR
REQBODY_ERROR_MSG
REQBODY_PROCESSOR
REQUEST_BASENAME
REQUEST_BODY
REQUEST_BODY_LENGTH
REQUEST_COOKIES
REQUEST_COOKIES_NAMES
REQUEST_FILENAME
REQUEST_HEADERS
REQUEST_HEADERS_NAMES
REQUEST_LINE
REQUEST_METHOD
REQUEST_PROTOCOL
REQUEST_URI
REQUEST_URI_RAW
RESPONSE_BODY
RESPONSE_CONTENT_LENGTH
RESPONSE_CONTENT_TYPE
RESPONSE_HEADERS
RESPONSE_HEADERS_NAMES
RESPONSE_PROTOCOL
RESPONSE_STATUS
RULE
SCRIPT_BASENAME
SCRIPT_FILENAME
SCRIPT_GID
SCRIPT_GROUPNAME
SCRIPT_MODE
SCRIPT_UID
SCRIPT_USERNAME
SDBM_DELETE_ERROR
SERVER_ADDR
SERVER_NAME
SERVER_PORT
SESSION
SESSIONID
STATUS_LINE
STREAM_INPUT_BODY
STREAM_OUTPUT_BODY
TIME
TIME_DAY
TIME_EPOCH
TIME_HOUR
TIME_MIN
TIME_MON
TIME_SEC
TIME_WDAY
TIME_YEAR
TX
UNIQUE_ID
URLENCODED_ERROR
USERID
USERAGENT_IP
WEBAPPID
WEBSERVER_ERROR_LOG
XML
Transformation functions
base64Decode
sqlHexDecode
base64DecodeExt
base64Encode
cmdLine
compressWhitespace
cssDecode
escapeSeqDecode
hexDecode
hexEncode
htmlEntityDecode
jsDecode
length
lowercase
md5
none
normalisePath
normalizePath
normalisePathWin
normalizePathWin
parityEven7bit
parityOdd7bit
parityZero7bit
removeNulls
removeWhitespace
replaceComments
removeCommentsChar
removeComments
replaceNulls
urlDecode
uppercase
urlDecodeUni
urlEncode
utf8toUnicode
sha1
trimLeft
trimRight
trim
Actions
accuracy
allow
append
auditlog
block
capture
chain
ctl
deny
deprecatevar
drop
exec
expirevar
id
initcol
log
logdata
maturity
msg
multiMatch
noauditlog
nolog
pass
pause
phase
prepend
proxy
redirect
rev
sanitiseArg
sanitiseMatched
sanitiseMatchedBytes
sanitiseRequestHeader
sanitiseResponseHeader
severity
setuid
setrsc
setsid
setenv
setvar
skip
skipAfter
status
t
tag
ver
xmlns
Operators
beginsWith
contains
containsWord
detectSQLi
detectXSS
endsWith
fuzzyHash
eq
ge
geoLookup
gsbLookup
gt
inspectFile
ipMatch
ipMatchF
ipMatchFromFile
le
lt
noMatch
pm
pmf
pmFromFile
rbl
rsub
rx
streq
strmatch
unconditionalMatch
validateByteRange
validateDTD
validateHash
validateSchema
validateUrlEncoding
validateUtf8Encoding
verifyCC
verifyCPF
verifySSN
within
Macro Expansion
Persistent Storage
Miscellaneous Topics
Logging in Apache via mod_log_config
Precedence of ModSecurity over other Apache modules
A Recommended Base Configuration
Impedance Mismatch
Impedance Mismatch with PHP Apps