mirror of
https://github.com/owasp-modsecurity/ModSecurity.git
synced 2026-01-13 15:07:10 +03:00
Fix 30 file location (MODSEC-79).
This commit is contained in:
b1v1r
@@ -1,6 +1,6 @@
|
||||
# ---------------------------------------------------------------
|
||||
# Core ModSecurity Rule Set ver.1.6.1
|
||||
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
|
||||
# Core ModSecurity Rule Set ver.2.0
|
||||
# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
|
||||
#
|
||||
# The ModSecuirty Core Rule Set is distributed under GPL version 2
|
||||
# Please see the enclosed LICENCE file for full details.
|
||||
@@ -15,10 +15,6 @@
|
||||
# HTTP protocol usage is effective in therefore effective in blocking many
|
||||
# application layer attacks.
|
||||
#
|
||||
# TODO If you are using the ModSecurity Core Ruleset template system you can set
|
||||
# the policy limitations in the ruleset.config file. Otherwise edit this
|
||||
# file manually to set you policy limitations.
|
||||
#
|
||||
# TODO Many automation programs use non standard HTTP requests. While you may
|
||||
# want to allow some of those, try not to create exceptions only for the
|
||||
# automated program based on properties such as their source IP address or
|
||||
@@ -31,8 +27,7 @@
|
||||
# methods. If that is not the case with your environment, you are advised
|
||||
# to edit the line or uncomment it.
|
||||
#
|
||||
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
|
||||
"phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"
|
||||
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" "phase:2,t:none,block,nolog,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
|
||||
|
||||
|
||||
# Restrict which content-types we accept.
|
||||
@@ -65,9 +60,8 @@ SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
|
||||
# M-Business iAnywhere application/x-mal-client-data
|
||||
# UltraLite iAnywhere application/octet-stream
|
||||
#
|
||||
SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" \
|
||||
"phase:2,chain,t:none,t:lowercase,deny,log,auditlog,status:501,msg:'Request content type is not allowed by policy',id:'960010',tag:'POLICY/ENCODING_NOT_ALLOWED',severity:'4'"
|
||||
SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)" "t:none"
|
||||
SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:2,chain,t:none,block,nolog,auditlog,status:501,msg:'Request content type is not allowed by policy',id:'960010',tag:'POLICY/ENCODING_NOT_ALLOWED',severity:'4'"
|
||||
SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)" "t:none,setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
|
||||
|
||||
# Restrict protocol versions.
|
||||
#
|
||||
@@ -79,8 +73,7 @@ SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded
|
||||
# to use your site, try to create a narrower expection and not allow any
|
||||
# client to send HTTP requests in a version lower than 1.1
|
||||
#
|
||||
SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.[01])$" \
|
||||
"phase:2,t:none,deny,log,auditlog,status:505,msg:'HTTP protocol version is not allowed by policy', severity:'2',id:'960034',tag:'POLICY/PROTOCOL_NOT_ALLOWED'"
|
||||
SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.[01])$" "phase:2,t:none,block,nolog,auditlog,status:505,msg:'HTTP protocol version is not allowed by policy', severity:'2',id:'960034',tag:'POLICY/PROTOCOL_NOT_ALLOWED',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
|
||||
|
||||
# Restrict file extension
|
||||
#
|
||||
@@ -90,8 +83,7 @@ SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.[01])$" \
|
||||
# You may need to use ModSecurity Core Rule Set Templates to do so, otherwise
|
||||
# comment the whole rule.
|
||||
#
|
||||
SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$" \
|
||||
"phase:2,t:none,t:urlDecodeUni, t:lowercase, deny,log,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',id:'960035',tag:'POLICY/EXT_RESTRICTED'"
|
||||
SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$" "phase:2,t:none,t:urlDecodeUni,t:lowercase,block,nolog,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',id:'960035',tag:'POLICY/EXT_RESTRICTED',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var}"
|
||||
|
||||
|
||||
|
||||
@@ -102,8 +94,7 @@ SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(
|
||||
# the list of blocked extensions. You may need to use ModSecurity Core Rule
|
||||
# Set Templates to do so, otherwise comment the whole rule.
|
||||
#
|
||||
SecRule REQUEST_HEADERS_NAMES "(?:lock-token|translate|if)$" \
|
||||
"phase:2,t:none,t:lowercase,deny,log,auditlog,status:500,msg:'HTTP header is restricted by policy',id:'960038',tag:'POLICY/HEADER_RESTRICTED',tag:'POLICY/FILES_NOT_ALLOWED',severity:'4'"
|
||||
SecRule REQUEST_HEADERS_NAMES "(?:(?:Proxy-Connectio|Lock-Toke)n|(?:Content-Rang|Translat)e|via|if)$" "phase:2,t:none,block,nolog,auditlog,status:500,msg:'HTTP header is restricted by policy',id:'960038',tag:'POLICY/HEADER_RESTRICTED',tag:'POLICY/FILES_NOT_ALLOWED',severity:'4',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
|
||||
|
||||
|
||||
# Restricted Content Encodings
|
||||
@@ -113,10 +104,8 @@ SecRule REQUEST_HEADERS_NAMES "(?:lock-token|translate|if)$" \
|
||||
# - Inbound compressed content will be denied
|
||||
# - Outbound compressed content will be logged once, to alert the user
|
||||
# Deny inbound compressed content
|
||||
SecRule REQUEST_HEADERS:Content-Encoding "!^Identity$" \
|
||||
"phase:2,t:none,deny,log,auditlog,status:501,msg:'ModSecurity does not support content encodings',id:'960902',severity:'3'"
|
||||
SecRule REQUEST_HEADERS:Content-Encoding "!^Identity$" "phase:2,t:none,block,nolog,auditlog,status:501,msg:'ModSecurity does not support content encodings',id:'960902',severity:'4',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/ENCODING_RESTRICTED-%{matched_var_name}=%{matched_var}"
|
||||
# Log outbound compressed content (log once)
|
||||
SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" \
|
||||
"phase:4,t:none,pass,log,auditlog,msg:'ModSecurity does not support content encodings',id:'960903',severity:'4',chain,initcol:global=global"
|
||||
SecRule &GLOBAL:alerted_960903_compression "@eq 0" "setvar:global.alerted_960903_compression"
|
||||
SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" "phase:4,t:none,pass,nolog,auditlog,msg:'ModSecurity does not support content encodings',id:'960903',severity:'4',chain,initcol:global=global"
|
||||
SecRule &GLOBAL:alerted_960903_compression "@eq 0" "setvar:global.alerted_960903_compression,setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/ENCODING_RESTRICTED-%{matched_var_name}=%{matched_var}"
|
||||
|
||||
Reference in New Issue
Block a user