/usr/share/modsecurity-crs/util/regression-tests/README is in modsecurity-crs 2.2.9-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 | ModSecurity Rules regression testing suite
==========================================
Rules regression test tool installation:
----------------------------------------
Test should be run from the same host ModSecurity runs on, or a computer that
has file system access to ModSecurity audit log (see %modseclog in step 5)
1. Copy rulesregtest.pl, rulesregtest.conf and test files to a directory on the
server.
2. Put testserver.cgi in the server's /cgi-bin directory (required only if
outbound tests are used)
3. Set ModSecurity to use serial logging.
4. Ensure that the web server response with 200 to access the home page (since
default tests use "/" as the URL)
5. Edit rulesregtest.conf:
- Server address and port (%server directive). The default (127.0.0.1:80) may
be OK.
- Location of ModSecurity audit log file (%modseclog directive).
Writing tests:
--------------
Write a text file with the following directives:
%test <name> - starts a test and set is name (used for report)
%status <number> - sets the expected status code
%event <string> - set a string to search in the audit log of the test. You can
use multiple directives to define many required patterns. For example:
%event [id "960009"]
%output <string> - set a string to search in the HTTP response. You can use
multiple directives to define many required patterns.
%request � multiple lines of the request on the following lines, terminated by
the next directive (a line starting with "%"). A request can include variables
using perl notation ($var). this would be replaced when testing with a value
set by the %var directive.
- Note: Do not forget to leave an empty line as required by HTTP. The script
locks otherwise.
- Note: Content-Length has to be calculated manually.
Finding bugs
------------
The following directives will help to find the problems:
%verbose � will output request, reply and new ModSecurity audit log lines for
the current test.
%relevant � will output verbose output for tests that failed.
Variable replacement:
---------------------
%var variable=value, value, value�.. - Set values for a variable, the test
would be repeated using every value. Values are set only for the current test.
Multiple %var directives for the same variable add values to the list and do
not replace values, so:
%var variable=value1
%var variable=value2
Would test with both value1 and value2.
If multiple variables are used in the same test, than the test is carried for
each combination of values of the variables:
%var var1=v1, v2
%var var3=v3, v4
The test would be repeated 4 times with the test vectors (v1, v3), (v1, v4),
(v2, v3), (v2, v4).
Testing responses:
------------------
To force response content in request, use /cgi-bin/testserver.cgi as the target
URL and add one or more of the following headers to the reuqest:
Response-Status - Force a response status line. Defaults to "200 OK".
Response-Content - Adds the string to the response. Note that this would not be
the entire response.
Response-Content-Type - sets the value of the content type header, defaults to
"text/html"
Response-Header-Name - Add a header to the response. This defined the new
header's name. Response-Header-Value defines the header's value.
Response-Header-Value - The value of the new header defined by the request
header Response-Header-Name. Note: If Response-Header-Name is empty, then this
parameter will be ignored.
** NOT IMPLEMENTED YET **
Response-File - the name of a file to use as the entire response. Name is
reletive to the $RESPONSE_FILE_DIR in the testserver.cgi sctip.
** NOT IMPLEMENTED YET **
|