B.1 Basics of Rules

The web application firewall rule engine is where the information gathered from an HTTP transaction is checked for specific or malicious content.

This section describes the basic rule-writing syntax and the rule directives used to secure Web applications against attacks.

The main directive that is used for creating rules is SecRule. The syntax for SecRule is:

SecRule VARIABLES OPERATOR [TRANSFORMATION_FUNCTIONS, ACTIONS]
  • VARIABLES: Specify where in the HTTP transaction to look. The web application firewall pre-processes the raw transaction data into named variables, so a rule can focus on the detection logic rather than on parsing. A rule must specify at least one variable; a single rule can check several variables by joining them with the | operator.

  • OPERATOR: Specifies how the (transformed) variable values are to be analysed. An operator name begins with an @ character and is separated from its argument by a space, for example @rx <script. Only one operator is allowed per rule.

  • TRANSFORMATION_FUNCTIONS: Change the variable values in some way, such as lowercasing or URL-decoding them, before the operator is run. A rule can specify zero or more transformation functions; they are written in the action list with the t: prefix and are applied in the order given.

  • ACTIONS: Specify what to do when the rule evaluates to true, for example log a message, deny the request with a given status code, or skip to another rule.

Here is an example of a rule:

SecRule ARGS|REQUEST_HEADERS "@rx <script" msg:'XSSAttack',deny,status:404
  • ARGS and REQUEST_HEADERS are variables (request parameters and request headers, respectively).

  • @rx is the regular expression operator. It is used to match a pattern in the variables.

    In the example, the pattern is <script.

  • msg, deny and status are actions to be performed if a pattern is matched.

    The rule in the example is intended to block XSS attacks: it checks the request parameters and request headers for the pattern <script, and on a match it logs the message XSSAttack and denies the request with a 404 status response. Note that @rx is case-sensitive and this rule names no transformation function, so a request carrying <SCRIPT would not match; in practice a rule like this is combined with transformation functions such as lowercasing so that the operator sees a normalised value.
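As an added illustration (this is not code from the page or from any WAF product), the following Python model walks through the evaluation cycle described above: it parses a SecRule line into its variables, operator, transformation functions and actions, expands ARGS and REQUEST_HEADERS from a constructed request, runs the single operator over every transformed value, and carries out the actions on a match. It runs the page's rule and then the same rule with t:lowercase added, which shows that the upper-cased <SCRIPT> in the User-Agent header is missed without the transformation. The sample request, its header values and the hardened rule are assumptions made for this example; only @rx, @contains and @streq and two transformation functions are modelled, and the 403 fallback status for deny follows ModSecurity's default.

```python
import re
import urllib.parse
from dataclasses import dataclass, field

# Constructed sample transaction (not captured traffic). The engine exposes the
# decoded query parameters as ARGS and the header table as REQUEST_HEADERS.
SAMPLE_REQUEST = {
    "query_string": "q=hello&comment=%3Cscript%3Ealert(1)%3C/script%3E",
    "headers": {"Host": "example.test", "User-Agent": "<SCRIPT>probe"},
}

# The rule from the text, and (assumed for this example) the same rule with a
# t:lowercase transformation so the operator also sees "<SCRIPT" as "<script".
PAGE_RULE = "SecRule ARGS|REQUEST_HEADERS \"@rx <script\" msg:'XSSAttack',deny,status:404"
HARDENED_RULE = "SecRule ARGS|REQUEST_HEADERS \"@rx <script\" \"t:lowercase,msg:'XSSAttack',deny,status:404\""

# Transformation functions, keyed by the name used after t: in the action list.
TRANSFORMS = {
    "lowercase": str.lower,
    "urlDecodeUni": urllib.parse.unquote,
}

# Operators, keyed by their @name. Each returns True when the (transformed)
# variable value satisfies the operator's argument.
OPERATORS = {
    "@rx": lambda value, arg: re.search(arg, value) is not None,
    "@contains": lambda value, arg: arg in value,
    "@streq": lambda value, arg: value == arg,
}

@dataclass
class Rule:
    variables: list[str]
    operator: str
    argument: str
    transforms: list[str] = field(default_factory=list)
    actions: dict = field(default_factory=dict)

# SecRule VARIABLES "OPERATOR ARGUMENT" [ACTIONS]; the action list may be quoted.
RULE_RE = re.compile(
    r'^SecRule\s+(?P<vars>\S+)\s+"(?P<op>[^"]*)"(?:\s+"?(?P<actions>[^"]*?)"?)?\s*$'
)

def parse_rule(line: str) -> Rule:
    """Split one SecRule line into its parts. Action values that themselves
    contain commas are not handled; this is a teaching parser, not the real one."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a SecRule line: {line!r}")
    op_text = m.group("op")
    if op_text.startswith("@"):
        operator, _, argument = op_text.partition(" ")
    else:
        operator, argument = "@rx", op_text  # no @name given: @rx implied, as in ModSecurity
    transforms, actions = [], {}
    for item in filter(None, (m.group("actions") or "").split(",")):
        key, _, value = item.strip().partition(":")
        value = value.strip("'")
        if key == "t":
            if value == "none":
                transforms.clear()  # t:none discards any transformations listed so far
            else:
                transforms.append(value)
        else:
            actions[key] = value or True  # flag actions such as deny carry no value
    return Rule(m.group("vars").split("|"), operator, argument, transforms, actions)

def collect_targets(request: dict, names: list[str]) -> list[tuple[str, str]]:
    """Expand each VARIABLES entry into the concrete (name, value) pairs the
    operator is run against. Only ARGS and REQUEST_HEADERS are modelled."""
    targets = []
    for name in names:
        if name == "ARGS":
            for k, v in urllib.parse.parse_qsl(request["query_string"], keep_blank_values=True):
                targets.append((f"ARGS:{k}", v))
        elif name == "REQUEST_HEADERS":
            for k, v in request["headers"].items():
                targets.append((f"REQUEST_HEADERS:{k}", v))
        else:
            raise ValueError(f"variable not modelled here: {name}")
    return targets

def apply_rule(rule: Rule, request: dict) -> dict:
    """Transform every target value in order, run the single operator over each,
    and if any target matches carry out the actions. Returns the disposition."""
    test = OPERATORS[rule.operator]
    matched = []
    for name, value in collect_targets(request, rule.variables):
        for t in rule.transforms:
            value = TRANSFORMS[t](value)
        if test(value, rule.argument):
            matched.append(name)
    if matched and "deny" in rule.actions:
        return {"matched": matched, "decision": "deny",
                "status": int(rule.actions.get("status", 403)),  # 403: ModSecurity default
                "msg": rule.actions.get("msg")}
    return {"matched": matched, "decision": "pass", "status": None,
            "msg": rule.actions.get("msg") if matched else None}

if __name__ == "__main__":
    for text in (PAGE_RULE, HARDENED_RULE):
        rule = parse_rule(text)
        print(rule.transforms or "no transforms", apply_rule(rule, SAMPLE_REQUEST))
```

With the page's rule only ARGS:comment matches, because ARGS is URL-decoded by the engine before the operator runs, while the header value <SCRIPT>probe slips past the case-sensitive @rx. Adding t:lowercase makes both targets match. The same mechanism applies to other evasions: each encoding the attacker can use that the operator does not see through needs a corresponding transformation function in the rule.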