Fix 30 file location (MODSEC-79).

2026-01-14 15:37:10 +03:00 · 2009-07-25 05:10:31 +00:00
parent acd6441e68
commit 171ed2ec93
1 changed files with 11 additions and 22 deletions
--- a/rules/base_rules/modsecurity_crs_30_http_policy.conf
+++ b/rules/base_rules/modsecurity_crs_30_http_policy.conf
@@ -1,6 +1,6 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.1
+# Core ModSecurity Rule Set ver.2.0
-# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
+# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
 # Please see the enclosed LICENCE file for full details.
@@ -15,10 +15,6 @@
 # HTTP protocol usage is effective in therefore effective in blocking many 
 # application layer attacks. 
 #
 # TODO If you are using the ModSecurity Core Ruleset template system you can set 
 #      the policy limitations in the ruleset.config file. Otherwise edit this 
 #      file manually to set you policy limitations.
 #
 # TODO Many automation programs use non standard HTTP requests. While you may 
 #      want to allow some of those, try not to create exceptions only for the
 #      automated program based on properties such as their source IP address or
@@ -31,8 +27,7 @@
 #      methods. If that is not the case with your environment, you are advised 
 #      to edit the line or uncomment it.
 #
-SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
+SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" "phase:2,t:none,block,nolog,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" 
    "phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"
 # Restrict which content-types we accept.
@@ -65,9 +60,8 @@ SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
 #      M-Business iAnywhere      application/x-mal-client-data
 #      UltraLite iAnywhere       application/octet-stream
 #
-SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" \
+SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:2,chain,t:none,block,nolog,auditlog,status:501,msg:'Request content type is not allowed by policy',id:'960010',tag:'POLICY/ENCODING_NOT_ALLOWED',severity:'4'" 
-    "phase:2,chain,t:none,t:lowercase,deny,log,auditlog,status:501,msg:'Request content type is not allowed by policy',id:'960010',tag:'POLICY/ENCODING_NOT_ALLOWED',severity:'4'"
+	SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)" "t:none,setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
 SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)" "t:none"
 # Restrict protocol versions.
 #
@@ -79,8 +73,7 @@ SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded
 #      to use your site, try to create a narrower expection and not allow any 
 #      client to send HTTP requests in a version lower than 1.1  
 #       
-SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.[01])$" \
+SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.[01])$" "phase:2,t:none,block,nolog,auditlog,status:505,msg:'HTTP protocol version is not allowed by policy', severity:'2',id:'960034',tag:'POLICY/PROTOCOL_NOT_ALLOWED',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" 
    "phase:2,t:none,deny,log,auditlog,status:505,msg:'HTTP protocol version is not allowed by policy', severity:'2',id:'960034',tag:'POLICY/PROTOCOL_NOT_ALLOWED'"
 # Restrict file extension
 #
@@ -90,8 +83,7 @@ SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.[01])$" \
 #      You may need to use ModSecurity Core Rule Set Templates to do so, otherwise
 #      comment the whole rule.       
 #
-SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$" \
+SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$" "phase:2,t:none,t:urlDecodeUni,t:lowercase,block,nolog,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',id:'960035',tag:'POLICY/EXT_RESTRICTED',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var}" 
    "phase:2,t:none,t:urlDecodeUni, t:lowercase, deny,log,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',id:'960035',tag:'POLICY/EXT_RESTRICTED'"
@@ -102,8 +94,7 @@ SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(
 #      the list of blocked extensions. You may need to use ModSecurity Core Rule 
 #      Set Templates to do so, otherwise comment the whole rule.       
 #
-SecRule REQUEST_HEADERS_NAMES "(?:lock-token|translate|if)$" \
+SecRule REQUEST_HEADERS_NAMES "(?:(?:Proxy-Connectio|Lock-Toke)n|(?:Content-Rang|Translat)e|via|if)$" "phase:2,t:none,block,nolog,auditlog,status:500,msg:'HTTP header is restricted by policy',id:'960038',tag:'POLICY/HEADER_RESTRICTED',tag:'POLICY/FILES_NOT_ALLOWED',severity:'4',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}" 
    "phase:2,t:none,t:lowercase,deny,log,auditlog,status:500,msg:'HTTP header is restricted by policy',id:'960038',tag:'POLICY/HEADER_RESTRICTED',tag:'POLICY/FILES_NOT_ALLOWED',severity:'4'"
 # Restricted Content Encodings
@@ -113,10 +104,8 @@ SecRule REQUEST_HEADERS_NAMES "(?:lock-token|translate|if)$" \
 #   - Inbound compressed content will be denied
 #   - Outbound compressed content will be logged once, to alert the user
 # Deny inbound compressed content
-SecRule REQUEST_HEADERS:Content-Encoding "!^Identity$" \
+SecRule REQUEST_HEADERS:Content-Encoding "!^Identity$" "phase:2,t:none,block,nolog,auditlog,status:501,msg:'ModSecurity does not support content encodings',id:'960902',severity:'4',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/ENCODING_RESTRICTED-%{matched_var_name}=%{matched_var}" 
    "phase:2,t:none,deny,log,auditlog,status:501,msg:'ModSecurity does not support content encodings',id:'960902',severity:'3'"
 # Log outbound compressed content (log once)
-SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" \
+SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" "phase:4,t:none,pass,nolog,auditlog,msg:'ModSecurity does not support content encodings',id:'960903',severity:'4',chain,initcol:global=global" 
-    "phase:4,t:none,pass,log,auditlog,msg:'ModSecurity does not support content encodings',id:'960903',severity:'4',chain,initcol:global=global"
+	SecRule &GLOBAL:alerted_960903_compression "@eq 0" "setvar:global.alerted_960903_compression,setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/ENCODING_RESTRICTED-%{matched_var_name}=%{matched_var}"
 SecRule &GLOBAL:alerted_960903_compression "@eq 0" "setvar:global.alerted_960903_compression"