1[
2  {
3    "enabled":1,
4    "version_min":300000,
5    "resource":"ssdeep",
6    "title":"Testing Operator :: @fuzzyHash (1/2)",
7    "client":{
8      "ip":"200.249.12.31",
9      "port":123
10    },
11    "server":{
12      "ip":"200.249.12.31",
13      "port":80
14    },
15    "request":{
16      "headers":{
17        "Host":"localhost",
18        "User-Agent":"curl/7.38.0",
19        "Accept":"*/*",
20        "Content-Length": "27",
21        "Content-Type": "application/x-www-form-urlencoded"
22      },
23      "uri":"/",
24      "method":"POST",
25      "body": [
26"",
27"# -- Rule engine initialization ----------------------------------------------",
28"",
29"# Enable ModSecurity, attaching it to every transaction. Use detection",
30"# only to start with, because that minimises the chances of post-installation",
31"# disruption.",
32"#",
33"SecRuleEngine DetectionOnly",
34"",
35"",
36"# -- Request body handling ---------------------------------------------------",
37"",
38"# Allow ModSecurity to access request bodies. If you don't, ModSecurity",
39"# won't be able to see any POST parameters, which opens a large security",
40"# hole for attackers to exploit.",
41"#",
42"SecRequestBodyAccess On",
43"",
44"",
45"# Enable XML request body parser.",
46"# Initiate XML Processor in case of xml content-type",
47"#",
48"SecRule REQUEST_HEADERS:Content-Type \"text/xml\" \\",
49"     \"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML\"",
50"",
51"# Enable JSON request body parser.",
52"# Initiate JSON Processor in case of JSON content-type; change accordingly",
53"# if your application does not use 'application/json'",
54"#",
55"SecRule REQUEST_HEADERS:Content-Type \"application/json\" \\",
56"     \"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON\"",
57"",
58"# Maximum request body size we will accept for buffering. If you support",
59"# file uploads then the value given on the first line has to be as large",
60"# as the largest file you are willing to accept. The second value refers",
61"# to the size of data, with files excluded. You want to keep that value as",
62"# low as practical.",
63"#",
64"SecRequestBodyLimit 13107200",
65"SecRequestBodyNoFilesLimit 131072",
66"",
67"# Store up to 128 KB of request body data in memory. When the multipart",
68"# parser reachers this limit, it will start using your hard disk for",
69"# storage. That is slow, but unavoidable.",
70"#",
71"SecRequestBodyInMemoryLimit 131072",
72"",
73"# What do do if the request body size is above our configured limit.",
74"# Keep in mind that this setting will automatically be set to ProcessPartial",
75"# when SecRuleEngine is set to DetectionOnly mode in order to minimize",
76"# disruptions when initially deploying ModSecurity.",
77"#",
78"SecRequestBodyLimitAction Reject",
79"",
80"# Verify that we've correctly processed the request body.",
81"# As a rule of thumb, when failing to process a request body",
82"# you should reject the request (when deployed in blocking mode)",
83"# or log a high-severity alert (when deployed in detection-only mode).",
84"#",
85"SecRule REQBODY_ERROR \"!\\@eq 0\" ",
86"\"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2\"",
87"       "
88]
89    },
90    "response":{
91      "headers":{
92        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
93        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
94        "Content-Type":"text/html"
95      },
96      "body":[
97        "no need."
98      ]
99    },
100    "expected":{
101      "debug_log":" Fuzzy hash: matched with score: 54."
102    },
103    "rules":[
104      "SecRuleEngine On",
105      "SecRequestBodyAccess On",
106      "SecRule REQUEST_BODY \"@fuzzyHash test-cases/data/ssdeep.txt 1\" \"id:1,phase:2,pass,t:trim\""
107    ]
108  },
109  {
110    "enabled":1,
111    "version_min":300000,
112    "resource":"ssdeep",
113    "title":"Testing Operator :: @fuzzyHash (2/2)",
114    "client":{
115      "ip":"200.249.12.31",
116      "port":123
117    },
118    "server":{
119      "ip":"200.249.12.31",
120      "port":80
121    },
122    "request":{
123      "headers":{
124        "Host":"localhost",
125        "User-Agent":"curl/7.38.0",
126        "Accept":"*/*",
127        "Content-Length": "27",
128        "Content-Type": "application/x-www-form-urlencoded"
129      },
130      "uri":"/",
131      "method":"POST",
132      "body": [
133"",
134"# -- Rule engine initialization ----------------------------------------------",
135"",
136"# Enable ModSecurity, attaching it to every transaction. Use detection",
137"# only to start with, because that minimises the chances of post-installation",
138"# disruption.",
139"#",
140"SecRuleEngine DetectionOnly",
141"",
142"",
143"# -- Request body handling ---------------------------------------------------",
144"",
145"# Allow ModSecurity to access request bodies. If you don't, ModSecurity",
146"# won't be able to see any POST parameters, which opens a large security",
147"# hole for attackers to exploit.",
148"#",
149"SecRequestBodyAccess On",
150"",
151"",
152"# Enable XML request body parser.",
153"# Initiate XML Processor in case of xml content-type",
154"#",
155"SecRule REQUEST_HEADERS:Content-Type \"text/xml\" \\",
156"     \"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML\"",
157"",
158"# Enable JSON request body parser.",
159"# Initiate JSON Processor in case of JSON content-type; change accordingly",
160"# if your application does not use 'application/json'",
161"#",
162"SecRule REQUEST_HEADERS:Content-Type \"application/json\" \\",
163"     \"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON\"",
164"",
165"# Maximum request body size we will accept for buffering. If you support",
166"# file uploads then the value given on the first line has to be as large",
167"# as the largest file you are willing to accept. The second value refers",
168"# to the size of data, with files excluded. You want to keep that value as",
169"# low as practical.",
170"#",
171"SecRequestBodyLimit 13107200",
172"SecRequestBodyNoFilesLimit 131072",
173"",
174"# Store up to 128 KB of request body data in memory. When the multipart",
175"# parser reachers this limit, it will start using your hard disk for",
176"# storage. That is slow, but unavoidable.",
177"#",
178"SecRequestBodyInMemoryLimit 131072",
179"",
180"# What do do if the request body size is above our configured limit.",
181"# Keep in mind that this setting will automatically be set to ProcessPartial",
182"# when SecRuleEngine is set to DetectionOnly mode in order to minimize",
183"# disruptions when initially deploying ModSecurity.",
184"#",
185"SecRequestBodyLimitAction Reject",
186"",
187"# Verify that we've correctly processed the request body.",
188"# As a rule of thumb, when failing to process a request body",
189"# you should reject the request (when deployed in blocking mode)",
190"# or log a high-severity alert (when deployed in detection-only mode).",
191"#",
192"SecRule REQBODY_ERROR \"!\\@eq 0\" ",
193"\"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2\"",
194"       "
195]
196    },
197    "response":{
198      "headers":{
199        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
200        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
201        "Content-Type":"text/html"
202      },
203      "body":[
204        "no need."
205      ]
206    },
207    "expected":{
208      "debug_log":"Rule returned 0."
209    },
210    "rules":[
211      "SecRuleEngine On",
212      "SecRequestBodyAccess On",
213      "SecRule REQUEST_BODY \"@fuzzyHash test-cases/data/ssdeep.txt 100\" \"id:1,phase:2,pass,t:trim\""
214    ]
215  }
216]
217