github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2026-01-13 15:07:10 +03:00
Code Issues Packages Projects Releases Wiki Activity

Fix 30 file location (MODSEC-79).

Browse Source
This commit is contained in:
b1v1r
2009-07-25 05:10:31 +00:00
parent acd6441e68
commit 171ed2ec93
1 changed files with 11 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
rules/base_rules/modsecurity_crs_30_http_policy.conf → rules/modsecurity_crs_30_http_policy.conf
View File

@@ -1,6 +1,6 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.1
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
# Core ModSecurity Rule Set ver.2.0
# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
@@ -15,10 +15,6 @@
# HTTP protocol usage is effective in therefore effective in blocking many
# application layer attacks.
#
# TODO If you are using the ModSecurity Core Ruleset template system you can set
# the policy limitations in the ruleset.config file. Otherwise edit this
# file manually to set you policy limitations.
#
# TODO Many automation programs use non standard HTTP requests. While you may
# want to allow some of those, try not to create exceptions only for the
# automated program based on properties such as their source IP address or
@@ -31,8 +27,7 @@
# methods. If that is not the case with your environment, you are advised
# to edit the line or uncomment it.
#
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
"phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" "phase:2,t:none,block,nolog,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
# Restrict which content-types we accept.
@@ -65,9 +60,8 @@ SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
# M-Business iAnywhere application/x-mal-client-data
# UltraLite iAnywhere application/octet-stream
#
SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" \
"phase:2,chain,t:none,t:lowercase,deny,log,auditlog,status:501,msg:'Request content type is not allowed by policy',id:'960010',tag:'POLICY/ENCODING_NOT_ALLOWED',severity:'4'"
SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)" "t:none"
SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:2,chain,t:none,block,nolog,auditlog,status:501,msg:'Request content type is not allowed by policy',id:'960010',tag:'POLICY/ENCODING_NOT_ALLOWED',severity:'4'"
SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)" "t:none,setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
# Restrict protocol versions.
#
@@ -79,8 +73,7 @@ SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded
# to use your site, try to create a narrower expection and not allow any
# client to send HTTP requests in a version lower than 1.1
#
SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.[01])$" \
"phase:2,t:none,deny,log,auditlog,status:505,msg:'HTTP protocol version is not allowed by policy', severity:'2',id:'960034',tag:'POLICY/PROTOCOL_NOT_ALLOWED'"
SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.[01])$" "phase:2,t:none,block,nolog,auditlog,status:505,msg:'HTTP protocol version is not allowed by policy', severity:'2',id:'960034',tag:'POLICY/PROTOCOL_NOT_ALLOWED',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
# Restrict file extension
#
@@ -90,8 +83,7 @@ SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.[01])$" \
# You may need to use ModSecurity Core Rule Set Templates to do so, otherwise
# comment the whole rule.
#
SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$" \
"phase:2,t:none,t:urlDecodeUni, t:lowercase, deny,log,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',id:'960035',tag:'POLICY/EXT_RESTRICTED'"
SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$" "phase:2,t:none,t:urlDecodeUni,t:lowercase,block,nolog,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',id:'960035',tag:'POLICY/EXT_RESTRICTED',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var}"
@@ -102,8 +94,7 @@ SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(
# the list of blocked extensions. You may need to use ModSecurity Core Rule
# Set Templates to do so, otherwise comment the whole rule.
#
SecRule REQUEST_HEADERS_NAMES "(?:lock-token|translate|if)$" \
"phase:2,t:none,t:lowercase,deny,log,auditlog,status:500,msg:'HTTP header is restricted by policy',id:'960038',tag:'POLICY/HEADER_RESTRICTED',tag:'POLICY/FILES_NOT_ALLOWED',severity:'4'"
SecRule REQUEST_HEADERS_NAMES "(?:(?:Proxy-Connectio|Lock-Toke)n|(?:Content-Rang|Translat)e|via|if)$" "phase:2,t:none,block,nolog,auditlog,status:500,msg:'HTTP header is restricted by policy',id:'960038',tag:'POLICY/HEADER_RESTRICTED',tag:'POLICY/FILES_NOT_ALLOWED',severity:'4',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
# Restricted Content Encodings
@@ -113,10 +104,8 @@ SecRule REQUEST_HEADERS_NAMES "(?:lock-token|translate|if)$" \
# - Inbound compressed content will be denied
# - Outbound compressed content will be logged once, to alert the user
# Deny inbound compressed content
SecRule REQUEST_HEADERS:Content-Encoding "!^Identity$" \
"phase:2,t:none,deny,log,auditlog,status:501,msg:'ModSecurity does not support content encodings',id:'960902',severity:'3'"
SecRule REQUEST_HEADERS:Content-Encoding "!^Identity$" "phase:2,t:none,block,nolog,auditlog,status:501,msg:'ModSecurity does not support content encodings',id:'960902',severity:'4',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/ENCODING_RESTRICTED-%{matched_var_name}=%{matched_var}"
# Log outbound compressed content (log once)
SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" \
"phase:4,t:none,pass,log,auditlog,msg:'ModSecurity does not support content encodings',id:'960903',severity:'4',chain,initcol:global=global"
SecRule &GLOBAL:alerted_960903_compression "@eq 0" "setvar:global.alerted_960903_compression"
SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" "phase:4,t:none,pass,nolog,auditlog,msg:'ModSecurity does not support content encodings',id:'960903',severity:'4',chain,initcol:global=global"
SecRule &GLOBAL:alerted_960903_compression "@eq 0" "setvar:global.alerted_960903_compression,setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/ENCODING_RESTRICTED-%{matched_var_name}=%{matched_var}"