Thanks much, Josh!


On Tuesday, November 5, 2013 1:48 PM, Josh Amishav-Zlatin <> wrote:
On Tue, Nov 5, 2013 at 9:18 AM, Samir Kelekar <> wrote:
I am new to modsecurity. I installed mod-security ( 2.7.4) with apache i( version 2.4.6) in embedded mode as a module.
Trying to do some very basic testing.
Apache is installed at
and I just did the regular apache check ( where the page saying "It works" appears.

I put in  a rule that looks for any response header to contain the word Apache. The "Server:" Header
should contain it ordinarily. But as the log below shows, when RESPONSE_HEADERS are expanded,
Server: is not among the response headers.
Why is it so? Is it that in the embedded mode, this header is not available?

Hi Samir,

Take a looks at:

When running in embedded mode, headers such as Server, Date, Connection and Content-Type are not accessible. These variables should be available in phase 5 (or when deployed in proxy mode).

 - Josh
I want to eventually run mod-security in the standalone mode where I want to be able to process all Response Headers.

Configuration file
RuleEngine On
SecTmpDir /usr/local/apache2/logs/
SecDataDir /usr/local/apache2/logs/
SecDebugLog /usr/local/apache2/logs/debug.log
SecDebugLogLevel 9
SecRule RESPONSE_HEADERS "@rx Apache" "phase:3,deny,log,status:503,id:123479"
SecAuditEngine On
SecAuditLog /usr/local/apache2/logs/audit.log
SecAuditLogParts ABCFGHZ
SecAuditLogType Serial
SecAuditLogStorageDir /usr/local/apache2/logs
SecAuditLogRelevantStatus ^(?:5|4(?!04))

Debug Log file ( relevant portions)

05/Nov/2013:12:34:14 +0530] [][rid#a96024c8][/index.html][4] Starting phase RESPONSE_HEADERS.
[05/Nov/2013:12:34:14 +0530] [][rid#a96024c8][/index.html][9] This phase consists of 1 rule(s).
[05/Nov/2013:12:34:14 +0530] [][rid#a96024c8][/index.html][4] Recipe: Invoking rule 921da48; [file "/opt/modsecurity/etc/main.conf"] [line "11"] [id "123479"].
[05/Nov/2013:12:34:14 +0530] [][rid#a96024c8][/index.html][5] Rule 921da48: SecRule "RESPONSE_HEADERS" "@rx Apache" "phase:3,auditlog,deny,log,status:503,id:123479"
[05/Nov/2013:12:34:14 +0530] [][rid#a96024c8][/index.html][4] Expanded "RESPONSE_HEADERS" to "RESPONSE_HEADERS:Last-Modified|RESPONSE_HEADERS:ETag|RESPONSE_HEADERS:Accept-Ranges|RESPONSE_HEADERS:Content-Length".
[05/Nov/2013:12:34:14 +0530] [][rid#a96024c8][/index.html][4] Transformation completed in 6 usec.
[05/Nov/2013:12:34:14 +0530] [][rid#a96024c8][/index.html][4] Executing operator "rx" with param "Apache" against RESPONSE_HEADERS:Last-Modified.
[05/Nov/2013:12:34:14 +0530] [][rid#a96024c8][/index.html][9] Target value: "Mon, 11 Jun 2007 18:53:14 GMT"
[05/Nov/2013:12:34:14 +0530] [][rid#a96024c8][/index.html][4] Operator completed in 21 usec.
[05/Nov/2013:12:34:14 +0530] [][rid#a96024c8][/index.html][4] Transformation completed in 1 usec.
[05/Nov/2013:12:34:14 +0530] [][rid#a96024c8][/index.html][4] Executing operator "rx" with param "Apache" against RESPONSE_HEADERS:ETag.
[05/Nov/2013:12:34:14 +0530] [][rid#a96024c8][/index.html][9] Target value: ""2d-432a5e4a73a80""
[05/Nov/2013:12:34:14 +0530] [][rid#a96024c8][/index.html][4] Operator completed in 3 usec.
[05/Nov/2013:12:34:14 +0530] [][rid#a96024c8][/index.html][4] Transformation completed in 1 usec.
[05/Nov/2013:12:34:14 +0530] [][rid#a96024c8][/index.html][4] Executing operator "rx" with param "Apache" against RESPONSE_HEADERS:Accept-Ranges.
[05/Nov/2013:12:34:14 +0530] [][rid#a96024c8][/index.html][9] Target value: "bytes"

Appreciate a response.

November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most
from the latest Intel processors and coprocessors. See abstracts and register
mod-security-users mailing list
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: