
ModSecurity Rules and Rule Sets

As ModSecurity is only the engine itself, it requires rules to be useful. These rules are instructions about what to look for in requests and what to do if a request matches a rule.

Because a single rule rarely provides broad security coverage on its own, rules are distributed in groups called rule sets. ModSecurity version 3 also supports rules that influence how later rules are processed, so rules don't always act alone and must be designed to work together.

Structure of a ModSecurity Rule

A ModSecurity rule is sometimes called a SecRule because every rule definition starts with the word "SecRule".

After the word "SecRule" come the four parts of the rule:

  1. Variables tell ModSecurity what parts of the request to look at.
  2. Operators tell ModSecurity when to trigger a rule match.
  3. Transformations tell ModSecurity how to normalize the variable's data.
  4. Actions tell ModSecurity what to do when a rule matches.

These are combined into a rule as follows:

SecRule VARIABLES "OPERATOR" "TRANSFORMATIONS,ACTIONS"

Here's an example of a simple rule that will block a request if the request path (after being normalized to lowercase) is equal to /wp-config.php.

SecRule REQUEST_URI "@streq /wp-config.php" "id:1,phase:1,t:lowercase,deny"

In practice, most rules aren't that simple. Below is an example of an actual rule from the OWASP ModSecurity Core Rule Set.

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)union.*?select.*?from" \
    "id:942270,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'Looking for basic sql injection. Common attack string for mysql, oracle and others',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/66',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/3.3.0',\
    severity:'CRITICAL',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

You may have noticed the operator portion of the above rule:

@rx (?i)union.*?select.*?from

This strange-looking string is a regular expression, also known as a regex. Regular expressions are a powerful language for pattern matching used throughout computer science and the software industry. This particular regex checks, case-insensitively (that is what the leading (?i) flag does), whether a string contains the word "union", followed by any other characters, then the word "select", followed again by any other characters, and then the word "from". These are SQL keywords that, when occurring in this order, may mean an attacker is exploiting a SQL injection vulnerability in an application.
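To make the four parts of a rule and the regex operator concrete, here is an added example (not code from HeatShield, ModSecurity or the OWASP CRS) of a small Python model of a SecRule. It parses a one-line rule into variables, operator, transformations and actions, then runs it against constructed requests so you can see how t:lowercase feeds @streq and how t:urlDecodeUni feeds the @rx pattern from rule 942270. It supports only the @streq and @rx operators, the t:none, t:lowercase and t:urlDecodeUni transformations, and a simplified request model (REQUEST_URI plus an ARGS dictionary); the request values, the rule strings and the trimmed copy of rule 942270 are constructed for the example, and the %u decoding is a simplified stand-in for the real transformation.

```python
import re
import shlex
from urllib.parse import unquote

# Constructed sample rules: the page's simple rule, and a shortened copy of
# CRS rule 942270 with its variable list and actions trimmed for the example.
SIMPLE_RULE = ('SecRule REQUEST_URI "@streq /wp-config.php" '
               '"id:1,phase:1,t:lowercase,deny"')
SQLI_RULE = ('SecRule ARGS_NAMES|ARGS "@rx (?i)union.*?select.*?from" '
             '"id:942270,phase:2,block,capture,t:none,t:urlDecodeUni,'
             "msg:'Looking for basic sql injection. Common attack string for mysql, oracle and others'\"")

# Disruptive actions decide the fate of the request; everything else is metadata.
DISRUPTIVE = {"deny", "block", "drop", "pass", "allow", "redirect"}

# Only the two operators used on the page are modelled here.
OPERATORS = {
    "streq": lambda arg, value: value == arg,
    "rx": lambda arg, value: re.search(arg, value) is not None,
}


def parse_variable(spec):
    """'!REQUEST_COOKIES:/__utm/' -> (negated, collection, selector-or-None)."""
    negated = spec.startswith("!")
    name, _, selector = spec.lstrip("!").partition(":")
    return negated, name, selector or None


def parse_secrule(line):
    """Split one SecRule line into variables, operator, transformations, actions."""
    parts = shlex.split(line)  # shlex keeps the double-quoted operator/actions intact
    if len(parts) != 4 or parts[0] != "SecRule":
        raise ValueError('expected: SecRule VARIABLES "OPERATOR" "ACTIONS"')
    _, variables, operator, actions = parts
    op_name, _, op_arg = operator.partition(" ")
    # Split on commas outside single-quoted values, so msg:'a, b' stays one action.
    items = [a.strip() for a in re.findall(r"(?:[^,']|'[^']*')+", actions)]
    return {
        "variables": [parse_variable(v) for v in variables.split("|")],
        "operator": (op_name.lstrip("@"), op_arg),
        "transformations": [a[2:] for a in items if a.startswith("t:")],
        "actions": [a for a in items if not a.startswith("t:")],
    }


def selector_matches(selector, key):
    """A /regex/ selector is searched against the key; a plain one is compared."""
    if selector is None:
        return True
    if selector.startswith("/") and selector.endswith("/"):
        return re.search(selector[1:-1], key) is not None
    return selector.lower() == key.lower()


def collect_targets(request, variables):
    """Expand the variable list into (name, value) pairs, honouring ! exclusions."""
    targets = []
    excluded = [v for v in variables if v[0]]
    for negated, coll, selector in variables:
        if negated:
            continue
        if coll == "ARGS_NAMES":  # names of the ARGS collection, not their values
            items = [(f"ARGS_NAMES:{k}", k) for k in request.get("ARGS", {})]
        elif isinstance(request.get(coll), dict):
            items = [(f"{coll}:{k}", v) for k, v in request[coll].items()]
        else:
            items = [(coll, request[coll])] if coll in request else []
        for name, value in items:
            key = name.partition(":")[2]
            if selector_matches(selector, key) and not any(
                    coll == ex_coll and selector_matches(ex_sel, key)
                    for _, ex_coll, ex_sel in excluded):
                targets.append((name, value))
    return targets


def transform(value, transformations):
    """Apply the rule's t: functions in order before the operator sees the data."""
    for t in transformations:
        if t == "none":
            continue  # clears inherited defaults; nothing to undo in this model
        elif t == "lowercase":
            value = value.lower()
        elif t == "urlDecodeUni":
            # Simplified stand-in: %uXXXX first, then standard %XX decoding.
            value = re.sub(r"%u([0-9a-fA-F]{4})",
                           lambda m: chr(int(m.group(1), 16)), value)
            value = unquote(value)
        else:
            raise ValueError("unsupported transformation: " + t)
    return value


def evaluate(rule, request):
    """Run one parsed rule against a request; return match details or None."""
    op_name, op_arg = rule["operator"]
    for var_name, raw in collect_targets(request, rule["variables"]):
        value = transform(raw, rule["transformations"])
        if OPERATORS[op_name](op_arg, value):
            return {
                "id": next(a.split(":", 1)[1] for a in rule["actions"] if a.startswith("id:")),
                "action": next((a for a in rule["actions"] if a in DISRUPTIVE), "pass"),
                "matched_var_name": var_name,
                "matched_var": value,
            }
    return None


if __name__ == "__main__":
    print(evaluate(parse_secrule(SIMPLE_RULE), {"REQUEST_URI": "/WP-Config.php"}))
    print(evaluate(parse_secrule(SQLI_RULE),
                   {"ARGS": {"id": "1%20UNION%20SELECT%20password%20FROM%20users"}}))
    print(evaluate(parse_secrule(SQLI_RULE), {"ARGS": {"q": "select * from union_members"}}))
```

The third call returns None even though all three keywords are present, because the pattern requires them in the order union, select, from; the second call matches only after t:urlDecodeUni has turned the %20 sequences back into spaces, which is why the transformation list matters as much as the operator.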

For more information on the structure and capabilities of ModSecurity rules, see the ModSecurity rule documentation.
