Update Core Rules to those in 2.1.4.
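--- /dev/null
+++ b/rules/modsecurity_crs_23_request_limits.conf
@@ -0,0 +1,71 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.1.5
+# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+
+# In most cases, you should expect a certain volume of each a request on your
+# website. For example, a request with 400 arguments, can be suspicious.
+# This file creates limitations on the request.
+# TODO Look at the rules in this file, and define the sizes you'd like to enforce.
+# Note that most of the rules are commented out by default.
+# Uncomment the rules you need
+#
+
+SecDefaultAction "pass,log,status:400,phase:2"
+
+## -- Arguments limits --
+
+# Limit argument name length
+#SecRule ARGS_NAMES "^.{100}" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Argument name too long',id:'960209',severity:'4'"
+
+# Limit value name length
+#SecRule ARGS "^.{400}" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Argument value too long',id:'960208',severity:'4'"
+
+# Maximum number of arguments in request limited
+SecRule &ARGS "@gt 255" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Too many arguments in request',id:'960335',severity:'4'"
+
+# Limit arguments total length
+#SecRule ARGS_COMBINED_SIZE "@gt 64000" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Total arguments size exceeded',id:'960341',severity:'4'"
+
+
+## -- File upload limits --
+
+# Individual file size is limited
+#SecRule FILES_SIZES "@gt 1048576" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Uploaded file size too large',id:'960342',severity:'4'"
+
+# Combined file size is limited
+#SecRule FILES_COMBINED_SIZE "@gt 1048576" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Total uploaded files size too large',id:'960343',severity:'4'"
+
+
+
+## -- Apache Limits --
+
+# These are Apache limit directives, but we are including them here because
+# they are often forgotten. If you already have these configured leave this
+# section entirely commented-out. Otherwise review the limits and uncomment
+# the directives.
+
+# Maximum size of the request body.
+#
+# NOTE If your application allows file uploads the value below will
+# most likely be way to low.
+#
+#LimitRequestBody 64000
+
+# Maximum number of request headers in a request.
+#
+#LimitRequestFields 32
+
+# Maximum size of request header lines.
+#
+#LimitRequestFieldSize 8000
+
+# Maximum size of the request line.
+#
+#LimitRequestLine 4000
+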
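Review bot: `SecDefaultAction "pass,log,status:400,phase:2"` near the top of the new file is not relied on by any rule in it, since the one active rule (960335) and every commented-out rule spell out `deny` and `status:403` themselves. As I understand the directive, its practical effect therefore falls on rules loaded later in the same configuration context, which would inherit a non-blocking `pass` default if they name no disruptive action; whether later rule files reset the default is not visible from this commit. I would state the intent directly above it, e.g. `# Default for rules that name no action: log only. The limits below set deny/403 explicitly.` As shipped, only the argument-count limit is enforced; the name/value length, total-size, upload-size and Apache limits stay off until an operator uncomments and sizes them, which the header comment could say more prominently than a TODO. The comment `# Limit value name length` should also read `# Limit argument value length` to match the rule's `msg`.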