Add additional CRS files.

brectanus
2008-02-15 23:59:55 +00:00
parent aef091a849
commit 63bccf793c
2 changed files with 69 additions and 0 deletions


@@ -0,0 +1,34 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.0-rc3
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# Comment spam is an attack against blogs, guestbooks, wikis and other types of
# interactive web sites that accept and display hyperlinks submitted by
# visitors. The spammers automatically post specially crafted random comments
# which include links that point to the spammer's web site. The links
# artificially increas the site's search engine ranking and may make the site
# more noticable in search results.
#
SecDefaultAction "log,pass,phase:2,status:501,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase"
# Prequalifier. Look for <http> first
SecRule ARGS|ARGS_NAMES "\bhttp:" "skip:1,pass,nolog,id:'999010',severity:'5'"
SecAction pass,nolog,skipAfter:999011
# Look for 2 ways of posting a link
SecRule ARGS|ARGS_NAMES "\[url\b" "chain,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'Comment Spam',id:'950923',severity:'2'"
SecRule ARGS|ARGS_NAMES "\<a"
# Look for too many links in argument (Prone to FPs)
SecRule ARGS|ARGS_NAMES "(http:\/.*?){4}" "ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'Comment Spam',id:'950020',severity:'3'"
SecAction "pass,nolog,id:'999011',severity:'5'"
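Review bot: The prequalifier `\bhttp:` and the link counter `(http:\/.*?){4}` match only the literal `http:` scheme, so a comment whose links all use `https:` takes the `skipAfter:999011` branch and neither 950923 nor 950020 is evaluated. Widening them to `\bhttps?:` and `(https?:\/.*?){4}` closes that coverage gap. The same scheme limitation applies to the RFI pattern `^(?:ht|f)tp:/` in the second file, which could become `^(?:https?|ftp):/`. Separately, the comment above 950923 says "2 ways of posting a link", but the `chain` requires both `[url` and `<a` to be present, so a comment such as `# Both link syntaxes must appear (chained = AND)` would make the intent clear.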


@@ -0,0 +1,35 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.0-rc3
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# This ruleset file contains rules that are highly prone to FPs
#
# When installing this ruleset, you are advised to activate ModSecurity
# in DetectionOnly, and verify that this ruleset doesn't intercept too
# many legit requests.
#
SecDefaultAction "log,pass,phase:2,status:400,t:none"
#
# Directory Traversal
#
SecRule REQUEST_URI "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" \
"phase:1,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Path Traversal Attack',id:'950103',severity:'2'"
# Weaker signature
SecRule REQUEST_FILENAME "\.\.[/\x5c]" "phase:1,t:urlDecodeUni,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Path Traversal Attack',id:'950103',severity:'2'"
#
# RFI Attack
#
SecRule ARGS "^(?:ht|f)tp:/" \
"t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Inclusion Attack',id:'950117',severity:'2'"
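Review bot: Both traversal rules carry `id:'950103'`, so an audit-log entry or an exclusion by id cannot tell the strict REQUEST_URI signature from the one marked "Weaker signature" on REQUEST_FILENAME. The file header itself warns that these rules are highly prone to false positives, so operators will want to tune or disable the weaker rule alone. Giving that rule its own id (for example `id:'<UNUSED_RULE_ID>'`, a placeholder to be taken from the project's id allocation) and a distinct `msg` such as `msg:'Path Traversal Attack (weak signature)'` would allow that. The hunk header announces 35 lines and fewer are shown, so whether further rules follow the RFI rule cannot be confirmed from this page.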