1[ 2 { 3 "enabled":1, 4 "version_min":300000, 5 "resource":"ssdeep", 6 "title":"Testing Operator :: @fuzzyHash (1/2)", 7 "client":{ 8 "ip":"200.249.12.31", 9 "port":123 10 }, 11 "server":{ 12 "ip":"200.249.12.31", 13 "port":80 14 }, 15 "request":{ 16 "headers":{ 17 "Host":"localhost", 18 "User-Agent":"curl/7.38.0", 19 "Accept":"*/*", 20 "Content-Length": "27", 21 "Content-Type": "application/x-www-form-urlencoded" 22 }, 23 "uri":"/", 24 "method":"POST", 25 "body": [ 26"", 27"# -- Rule engine initialization ----------------------------------------------", 28"", 29"# Enable ModSecurity, attaching it to every transaction. Use detection", 30"# only to start with, because that minimises the chances of post-installation", 31"# disruption.", 32"#", 33"SecRuleEngine DetectionOnly", 34"", 35"", 36"# -- Request body handling ---------------------------------------------------", 37"", 38"# Allow ModSecurity to access request bodies. If you don't, ModSecurity", 39"# won't be able to see any POST parameters, which opens a large security", 40"# hole for attackers to exploit.", 41"#", 42"SecRequestBodyAccess On", 43"", 44"", 45"# Enable XML request body parser.", 46"# Initiate XML Processor in case of xml content-type", 47"#", 48"SecRule REQUEST_HEADERS:Content-Type \"text/xml\" \\", 49" \"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML\"", 50"", 51"# Enable JSON request body parser.", 52"# Initiate JSON Processor in case of JSON content-type; change accordingly", 53"# if your application does not use 'application/json'", 54"#", 55"SecRule REQUEST_HEADERS:Content-Type \"application/json\" \\", 56" \"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON\"", 57"", 58"# Maximum request body size we will accept for buffering. If you support", 59"# file uploads then the value given on the first line has to be as large", 60"# as the largest file you are willing to accept. The second value refers", 61"# to the size of data, with files excluded. You want to keep that value as", 62"# low as practical.", 63"#", 64"SecRequestBodyLimit 13107200", 65"SecRequestBodyNoFilesLimit 131072", 66"", 67"# Store up to 128 KB of request body data in memory. When the multipart", 68"# parser reachers this limit, it will start using your hard disk for", 69"# storage. That is slow, but unavoidable.", 70"#", 71"SecRequestBodyInMemoryLimit 131072", 72"", 73"# What do do if the request body size is above our configured limit.", 74"# Keep in mind that this setting will automatically be set to ProcessPartial", 75"# when SecRuleEngine is set to DetectionOnly mode in order to minimize", 76"# disruptions when initially deploying ModSecurity.", 77"#", 78"SecRequestBodyLimitAction Reject", 79"", 80"# Verify that we've correctly processed the request body.", 81"# As a rule of thumb, when failing to process a request body", 82"# you should reject the request (when deployed in blocking mode)", 83"# or log a high-severity alert (when deployed in detection-only mode).", 84"#", 85"SecRule REQBODY_ERROR \"!\\@eq 0\" ", 86"\"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2\"", 87" " 88] 89 }, 90 "response":{ 91 "headers":{ 92 "Date":"Mon, 13 Jul 2015 20:02:41 GMT", 93 "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", 94 "Content-Type":"text/html" 95 }, 96 "body":[ 97 "no need." 98 ] 99 }, 100 "expected":{ 101 "debug_log":" Fuzzy hash: matched with score: 54." 102 }, 103 "rules":[ 104 "SecRuleEngine On", 105 "SecRequestBodyAccess On", 106 "SecRule REQUEST_BODY \"@fuzzyHash test-cases/data/ssdeep.txt 1\" \"id:1,phase:2,pass,t:trim\"" 107 ] 108 }, 109 { 110 "enabled":1, 111 "version_min":300000, 112 "resource":"ssdeep", 113 "title":"Testing Operator :: @fuzzyHash (2/2)", 114 "client":{ 115 "ip":"200.249.12.31", 116 "port":123 117 }, 118 "server":{ 119 "ip":"200.249.12.31", 120 "port":80 121 }, 122 "request":{ 123 "headers":{ 124 "Host":"localhost", 125 "User-Agent":"curl/7.38.0", 126 "Accept":"*/*", 127 "Content-Length": "27", 128 "Content-Type": "application/x-www-form-urlencoded" 129 }, 130 "uri":"/", 131 "method":"POST", 132 "body": [ 133"", 134"# -- Rule engine initialization ----------------------------------------------", 135"", 136"# Enable ModSecurity, attaching it to every transaction. Use detection", 137"# only to start with, because that minimises the chances of post-installation", 138"# disruption.", 139"#", 140"SecRuleEngine DetectionOnly", 141"", 142"", 143"# -- Request body handling ---------------------------------------------------", 144"", 145"# Allow ModSecurity to access request bodies. If you don't, ModSecurity", 146"# won't be able to see any POST parameters, which opens a large security", 147"# hole for attackers to exploit.", 148"#", 149"SecRequestBodyAccess On", 150"", 151"", 152"# Enable XML request body parser.", 153"# Initiate XML Processor in case of xml content-type", 154"#", 155"SecRule REQUEST_HEADERS:Content-Type \"text/xml\" \\", 156" \"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML\"", 157"", 158"# Enable JSON request body parser.", 159"# Initiate JSON Processor in case of JSON content-type; change accordingly", 160"# if your application does not use 'application/json'", 161"#", 162"SecRule REQUEST_HEADERS:Content-Type \"application/json\" \\", 163" \"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON\"", 164"", 165"# Maximum request body size we will accept for buffering. If you support", 166"# file uploads then the value given on the first line has to be as large", 167"# as the largest file you are willing to accept. The second value refers", 168"# to the size of data, with files excluded. You want to keep that value as", 169"# low as practical.", 170"#", 171"SecRequestBodyLimit 13107200", 172"SecRequestBodyNoFilesLimit 131072", 173"", 174"# Store up to 128 KB of request body data in memory. When the multipart", 175"# parser reachers this limit, it will start using your hard disk for", 176"# storage. That is slow, but unavoidable.", 177"#", 178"SecRequestBodyInMemoryLimit 131072", 179"", 180"# What do do if the request body size is above our configured limit.", 181"# Keep in mind that this setting will automatically be set to ProcessPartial", 182"# when SecRuleEngine is set to DetectionOnly mode in order to minimize", 183"# disruptions when initially deploying ModSecurity.", 184"#", 185"SecRequestBodyLimitAction Reject", 186"", 187"# Verify that we've correctly processed the request body.", 188"# As a rule of thumb, when failing to process a request body", 189"# you should reject the request (when deployed in blocking mode)", 190"# or log a high-severity alert (when deployed in detection-only mode).", 191"#", 192"SecRule REQBODY_ERROR \"!\\@eq 0\" ", 193"\"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2\"", 194" " 195] 196 }, 197 "response":{ 198 "headers":{ 199 "Date":"Mon, 13 Jul 2015 20:02:41 GMT", 200 "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", 201 "Content-Type":"text/html" 202 }, 203 "body":[ 204 "no need." 205 ] 206 }, 207 "expected":{ 208 "debug_log":"Rule returned 0." 209 }, 210 "rules":[ 211 "SecRuleEngine On", 212 "SecRequestBodyAccess On", 213 "SecRule REQUEST_BODY \"@fuzzyHash test-cases/data/ssdeep.txt 100\" \"id:1,phase:2,pass,t:trim\"" 214 ] 215 } 216] 217