1. Header Handling

SecUnicodeMapFile

Description: 定义 urlDecodeUni 转换函数将使用的文件的路径, 以便在规范化过程中映射 Unicode 代码点, 并指定要使用的代码点。
Scope: Any
Syntax: SecUnicodeMapFile /path/to/unicode.mapping CODEPOINT

SecUnicodeMapFile unicode.mapping 20127

SecUnicodeCodePage

Description: 定义在规范化期间, urlDecodeUni 转换函数将使用哪个 Unicode 码点。
- Version: < v2.6.1
Scope: Any
Syntax: SecUnicodeCodePage XXXXX

SecUnicodeCodePage 20127

SecCookieFormat

Description：Cookie version配置
Scope: Any
Syntax: SecCookieFormat 0|1
- 默认值为 0

SecCookieV0Separator

Description：Version 0的cookie分割符配置
Scope: Any
Syntax: SecCookieV0Separator character

SecServerSignature

Description: 更改response中server header
- Apache ServerTokens命令必须置为Full
Scope: Main，不支持VirtualHost
Syntax: SecServerSignature "WEB SERVER SOFTWARE"

2. Body Handling

2.1 Request body

SecRequestBodyAccess

Description: 允许Mod_Security缓存request body
Scope: Any
Syntax: SecRequestBodyAccess On|Off

SecArgumentSeparator

Description：当 application/x-www-form- urlencoded使用的不是标准的分隔符的时候，使用该命令更改分隔符进行匹配。如果配置不正确，规则匹配有效性将大大降低。
Scope: Any
Syntax: SecArgumentSeparator character
- character：默认为&

SecRequestBodyInMemoryLimit

Description：存储在RAM中的request body大小。multipart/form-data请求，超过该限制将被存储在disk临时文件中。
Scope: Any
Syntax: SecRequestBodyInMemoryLimit LIMIT_IN_BYTES

SecRequestBodyLimit

Description：允许mod_security缓存的request body大小，超过限制回413。Phase 1 RULE。
Scope: Any
Syntax: SecRequestBodyLimit LIMIT_IN_BYTES
- 默认值：134217728 (131072 KB)

SecRequestBodyLimitAction

Description: 配置request body达到限制时的action
Scope: Any
Syntax: SecRequestBodyLimitAction Reject|ProcessPartial
Reject：拒绝请求，默认值
ProcessPartial：部分处理

SecRequestBodyNoFilesLimit

Description：非上传文件的request body缓存限制，上传文件不消耗内存，不受该命令影响。
Scope: Any
Syntax: SecRequestBodyNoFilesLimit NUMBER_IN_BYTES
- 默认值：1048576 (1 MB)，对大部分Web应调小到128K

SecTmpDir

Description：临时文件存放位置，临时文件包括超出限制的request body，配置限制的命令为 SecRequestBodyInMemoryLimit, Apache user process对该目录需要有write权限。
Scope: Any
Syntax: SecTmpDir /path/to/dir

SecStreamInBodyInspection

Description: 配置在 re-allocable 缓冲区中对入站请求数据使用流检查的能力。受server资源限制。
Scope: Any
Syntax: SecStreamInBodyInspection On|Off
- Default: Off

2.2 File Upload Interception

SecUploadKeepFiles

Description：是否截获上传文件
Scope: Any
Syntax: SecUploadKeepFiles On|Off|RelevantOnly
- RelevantOnly: 只保存触发error或者warning的上传文件

SecUploadDir

Description：Mod_security截获的上传文件存放位置
Scope: Any
Syntax: SecUploadDir /path/to/dir

SecUploadFileMode

Description：截获的上传文件权限设置, 该命令可以用于开放clamd (第三方病毒扫描)账户对上传文件的权限。
Scope: Any
Syntax: SecUploadFileMode octal_mode|"default"
- Default: 只对创建文件的账户开放read/write权限

SecUploadFileLimit

Description：一个请求中允许上传的文件个数
Scope: Any
Syntax: SecUploadFileLimit number

2.3 Response Body

SecResponseBodyAccess

Description：允许Mod_Security缓存response body
Scope: Any
Syntax: SecResponseBodyAccess On|Off

SecResponseBodyMimeType

Description: 检查哪些MIME类型的response，没有配置的MIME TYPE将不做response body检查。
Scope: Any
Syntax: SecResponseBodyMimeType MIMETYPE MIMETYPE ...
- null：匹配没有指定MIME TYPE的response

SecResponseBodyMimeTypesClear

Description：清除SecResponseBodyMimeType配置, 允许重新配置。
Scope: Any
Syntax: SecResponseBodyMimeTypesClear

SecResponseBodyLimit

Description：允许缓存的response body size，超出该限制的response由SecResponseBodyLimitAction决定如何处理
Scope: Any
Syntax: SecResponseBodyLimit LIMIT_IN_BYTES
- Default: 524288 (512 KB)

SecResponseBodyLimitAction

Description：处理超出SecResponseBodyLimit定义限制的response
Scope: Any
Syntax: SecResponseBodyLimitAction Reject|ProcessPartial
- ProcessPartial：超出部分不做处理，直接转发给client
- Reject：超出限制的response被丢弃，发送500给client

SecDisableBackendCompression

Description：禁用后台压缩, 同时使前端压缩处于启用状态。
Scope: Any
Syntax: SecDisableBackendCompression On|Off

SecContentInjection

Description：另一种方式控制是否截获response body，当需要使用@rsub + STREAM_时，必须打开这个开关。
Scope: Any
Syntax: SecContentInjection On|Off

SecStreamOutBodyInspection

Description: 配置在 re-allocable 缓冲区中对出站请求数据使用流检查的能力。
Scope: Any
Syntax: SecStreamOutBodyInspection On|Off
- Default: Off

2.4 Persistent data

SecDataDir

Description：存储persistent data的位置
Scope: Main
Syntax: SecDataDir /path/to/dir

3. Log Handling

3.1 Debug log

SecDebugLog

Description：Debug log存放位置及log文件名字
Scope: Any
Syntax: SecDebugLog /path/to/modsec-debug.log

SecDebugLogLevel

Description：Debug log等级，不低于配置级别的log将被记录; 1-3级别的log将被记到apache error logs
Scope: Any
Syntax: SecDebugLogLevel 0|1|2|3|4|5|6|7|8|9
- 0：No logging
- 1: Errors (e.g., fatal processing errors, blocked transactions)
- 2: Warnings (e.g., nonblocking rule matches)
- 3: Notices (e.g., nonfatal processing errors)
- 4: Handling of transactions and performance
- 5: Detailed syntax of the rules
- 9: Detailed information about transactions

3.2 Audit log

SecAuditEngine

Description：审计log开关
Scope: Any
Syntax: SecAuditEngine RelevantOnly
- On：Log everything
- Off：Log nothing
- RelevantOnly：只记触发error或者warning的transaction

SecAuditLogType

Description: 配置要使用的审核日志记录机制的类型。
Scope: Any
Syntax: SecAuditLogType Serial|Concurrent|HTTPS
- Serial : 所有审计log将被记录到SecAuditLog指定的一个文件中，速度慢。
- Concurrent : 一个transaction对应一个log文件，加快速度；当使用远程log服务时，必须选择该机制。
- HTTPS : 使用URL传输log。

SecAuditLog & SecAuditLog2

Description: 将审计log记录到指定文件中
Scope: Any
Syntax: SecAuditLog /path/to/audit.log
Syntax: SecAuditLog2 /path/to/audit.log

# Use a single file for logging.
SecAuditLogType Serial
SecAuditLog /usr/local/modsecurity/var/log/audit.log
# Copy the audit log to another file
SecAuditLog2 /usr/local/modsecurity/var/log/audit2.log

# Specify the path for concurrent audit logging.
SecAuditLogType Concurrent
SecAuditLogStorageDir /usr/local/modsecurity/var/audit/

SecAuditLogDirMode

Description：配置审计log目录权限
Scope: Any
Syntax: SecAuditLogDirMode octal_mode|"default"

SecAuditLogFileMode

Description：配置审计log文件权限
Scope: Any
Syntax: SecAuditLogFileMode octal_mode|"default"

SecAuditLogFormat

Description：配置审计log格式
Scope: Any
Syntax: SecAuditLogFormat JSON|Native
- native: Default
- JSON

SecAuditLogRelevantStatus

Description: 记录指定response status code的transaction
Scope: Any
Syntax: SecAuditLogRelevantStatus REGEX

SecAuditLogRelevantStatus "^(?:5|4(?!04))"

SecAuditLogParts

Description：审计log被分为多个部分，每个部分用一个字母代表，改命令用于配置记录那些部分
Scope: Any
Syntax: SecAuditLogParts PARTLETTERS
- A：Audit log header (mandatory)
- B：Request headers
- C：Request body
- D：Reserved
- E：Response body
- F：Response headers
- G：Reserved
- H：Audit log trailer, which contains additional data
- I：Reduced multipart request body, which excludes files (alternative to part C)
- J：Information on uploaded files (multipart requests)
- K：Contains a list of all rules that matched for the transaction
- Z：Final boundary (mandatory)

SecSensorId ？

Description：定义一个sensor ID，该ID将被记录在log H中
Scope: Main
Syntax: SecSensorId TEXT

Reference:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual

ModSecurity: Rule -- Handling

1. Header Handling

SecUnicodeMapFile

SecUnicodeCodePage

SecCookieFormat

SecCookieV0Separator

SecServerSignature

2. Body Handling

2.1 Request body

SecRequestBodyAccess

SecArgumentSeparator

SecRequestBodyInMemoryLimit

SecRequestBodyLimit

SecRequestBodyLimitAction

SecRequestBodyNoFilesLimit

SecTmpDir

SecStreamInBodyInspection

2.2 File Upload Interception

SecUploadKeepFiles

SecUploadDir

SecUploadFileMode

SecUploadFileLimit

2.3 Response Body

SecResponseBodyAccess

SecResponseBodyMimeType

SecResponseBodyMimeTypesClear

SecResponseBodyLimit

SecResponseBodyLimitAction

SecDisableBackendCompression

SecContentInjection

SecStreamOutBodyInspection

2.4 Persistent data

SecDataDir

3. Log Handling

3.1 Debug log

SecDebugLog

SecDebugLogLevel

3.2 Audit log

SecAuditEngine

SecAuditLogType

SecAuditLog & SecAuditLog2

SecAuditLogDirMode

SecAuditLogFileMode

SecAuditLogFormat

SecAuditLogRelevantStatus

SecAuditLogParts

SecSensorId ？

推荐阅读更多精彩内容