Merge 2.5.x changes to trunk.
@@ -1,6 +1,6 @@
|
||||
# ---------------------------------------------------------------
|
||||
# Core ModSecurity Rule Set ver.1.6.1
|
||||
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
|
||||
# Core ModSecurity Rule Set ver.2.0
|
||||
# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
|
||||
#
|
||||
# The ModSecuirty Core Rule Set is distributed under GPL version 2
|
||||
# Please see the enclosed LICENCE file for full details.
|
||||
@@ -16,17 +16,27 @@
|
||||
# more noticable in search results.
|
||||
#
|
||||
|
||||
SecRule &IP:SPAMMER "@eq 0" "chain,phase:1,t:none,block,nolog,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',skipAfter:END_RBL_CHECK"
|
||||
SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" \
|
||||
"t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}',setvar:ip.spammer=1,expirevar:ip.spammer=86400"
|
||||
|
||||
SecRule IP:SPAMMER "@eq 1" "phase:1,t:none,block,nolog,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"
|
||||
|
||||
SecMarker END_RBL_CHECK
|
||||
|
||||
SecRule REQUEST_HEADERS:User-Agent "^(?:m(?:o(?:zilla(?:\/4\.0\+?\()?|vable type)|i(?:crosoft url|ssigua)|j12bot\/v1\.0\.8|sie)|e(?:mail(?:collector| ?siphon)|collector)|(?:blogsearchbot-marti|super happy fu)n|i(?:nternet explorer|sc systems irc)|ja(?:karta commons|va(?:\/| )1\.)|c(?:ore-project\/|herrypicker)|p(?:sycheclone|ussycat|ycurl)|(?:grub crawl|omniexplor)er|a(?:utoemailspider|dwords)|w(?:innie poh|ordpress)|nut(?:scrape/|chcvs)|8484 boston project|user(?:[- ]agent:)?|l(?:ibwww-perl|wp)|di(?:amond|gger)|trackback\/|httpproxy|<sc|")" \
|
||||
"phase:2,t:none,t:lowercase,block,nolog,auditlog,status:404,msg:'Common SPAM/Email Harvester crawler',id:'958297',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,setvar:tx.anomaly_score=+10,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"
|
||||
|
||||
# Prequalifier. Look for <http> first
|
||||
SecRule ARGS|ARGS_NAMES "\bhttp:" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,skip:1,pass,nolog,id:'999010',severity:'5'"
|
||||
SecRule ARGS|ARGS_NAMES "\bhttp:" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,skip:1,pass,nolog,id:'999010',severity:'6'"
|
||||
|
||||
SecAction phase:2,pass,nolog,skipAfter:999011
|
||||
SecAction phase:2,pass,nolog,skipAfter:END_COMMENT_SPAM
|
||||
|
||||
# Look for 2 ways of posting a link
|
||||
SecRule ARGS|ARGS_NAMES "\[url\b" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,chain,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'Comment Spam',id:'950923',severity:'2'"
|
||||
SecRule ARGS|ARGS_NAMES "\<a" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase"
|
||||
# Look for 2 ways of posting a link
|
||||
SecRule ARGS|ARGS_NAMES "\[url\b" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,chain,ctl:auditLogParts=+E,block,nolog,auditlog,status:400,msg:'Comment Spam',id:'950923',severity:'2'"
|
||||
SecRule ARGS|ARGS_NAMES "\<a" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,setvar:tx.anomaly_score=+10,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"
|
||||
|
||||
# Look for too many links in an argument (Prone to FPs)
|
||||
SecRule ARGS|ARGS_NAMES "(http:\/.*?){4}" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'Comment Spam',id:'950020',severity:'3'"
|
||||
# Look for too many links in an argument (Prone to FPs)
|
||||
SecRule ARGS|ARGS_NAMES "(http:\/.*?){4}" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:400,msg:'Comment Spam',id:'950020',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,setvar:tx.anomaly_score=+10,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"
|
||||
|
||||
|
||||
SecMarker 999011
|
||||
SecMarker END_COMMENT_SPAM
|
||||
|
||||
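Review bot: The two new RBL rules (`SecRule &IP:SPAMMER "@eq 0" ... skipAfter:END_RBL_CHECK` and `SecRule IP:SPAMMER "@eq 1" ...`) carry no `id:` action, while every other rule in the hunk does (958297, 999010, 950923, 950020); without an id they cannot be excluded or retuned with SecRuleRemoveById / SecRuleUpdateActionById, so each should get an `id:'<NEW_ID>'` from the project's numbering scheme before release. A second point on the same chain: only a positive result is recorded (`setvar:ip.spammer=1`), so a client that is not listed leaves IP:SPAMMER unset, `&IP:SPAMMER "@eq 0"` is true again on its next request, and the synchronous `@rbl` DNS lookup repeats on every request from that address. If I read the 2.x chain semantics correctly (setvar on the first rule runs when that rule matches — confirm against the reference), a `setvar:ip.rbl_checked=1,expirevar:ip.rbl_checked=86400` on the first rule, with the chain keyed on `&IP:RBL_CHECKED "@eq 0"`, would cache the negative result as well.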
@@ -1,6 +1,6 @@
|
||||
# ---------------------------------------------------------------
|
||||
# Core ModSecurity Rule Set ver.1.6.1
|
||||
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
|
||||
# Core ModSecurity Rule Set ver.2.0
|
||||
# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
|
||||
#
|
||||
# The ModSecuirty Core Rule Set is distributed under GPL version 2
|
||||
# Please see the enclosed LICENCE file for full details.
|
||||
@@ -19,15 +19,9 @@
|
||||
# Directory Traversal
|
||||
#
|
||||
SecRule REQUEST_URI "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" \
|
||||
"phase:1,t:none,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Path Traversal Attack',id:'950103',severity:'2'"
|
||||
"phase:1,t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Path Traversal Attack',id:'950103',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"
|
||||
|
||||
# Weaker signature
|
||||
SecRule REQUEST_FILENAME "\.\.[/\x5c]" "phase:1,t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Path Traversal Attack',id:'950103',severity:'2'"
|
||||
#SecRule REQUEST_FILENAME "\.\.[/\x5c]" "phase:1,t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Path Traversal Attack',id:'950103',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"
|
||||
|
||||
|
||||
#
|
||||
# RFI Attack
|
||||
#
|
||||
SecRule ARGS "^(?:ht|f)tp:/" \
|
||||
"phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Inclusion Attack',id:'950117',severity:'2'"
|
||||
|
||||
|
||||
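Review bot: The disabled weaker traversal signature (`#SecRule REQUEST_FILENAME "\.\.[/\x5c]" ...`) still reuses `id:'950103'`, the same id as the REQUEST_URI rule directly above it, so anyone re-enabling it gets two rules sharing one id and a rule that is not addressable on its own; the line also gives no reason for being commented out. Suggest adding above it a note such as `# Disabled: REQUEST_FILENAME variant of 950103 — reason: <fill in>; needs its own id before re-enabling`. Note that this was the only traversal check applying `t:urlDecodeUni` to REQUEST_FILENAME; the surviving rule runs with `t:none,t:lowercase` and relies on the encoded forms enumerated in its pattern, which is fine if that is the intended coverage but worth stating in the comment.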
@@ -1,6 +1,6 @@
|
||||
# ---------------------------------------------------------------
|
||||
# Core ModSecurity Rule Set ver.1.6.1
|
||||
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
|
||||
# Core ModSecurity Rule Set ver.2.0
|
||||
# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
|
||||
#
|
||||
# The ModSecuirty Core Rule Set is distributed under GPL version 2
|
||||
# Please see the enclosed LICENCE file for full details.
|
||||
@@ -12,10 +12,10 @@
|
||||
# --
|
||||
|
||||
SecRule REQUEST_HEADERS:User-Agent "msn(?:bot|ptc)" \
|
||||
"phase:2,t:none,t:lowercase,log,auditlog,msg:'MSN robot activity',id:'910008',severity:'5'"
|
||||
"phase:2,t:none,t:lowercase,nolog,auditlog,msg:'MSN robot activity',id:'910008',severity:'6'"
|
||||
|
||||
SecRule REQUEST_HEADERS:User-Agent "\byahoo(?:-(?:mmcrawler|blogs)|! slurp)\b" \
|
||||
"phase:2,t:none,t:lowercase,log,auditlog,msg:'Yahoo robot activity',id:'910007',severity:'5'"
|
||||
"phase:2,t:none,t:lowercase,nolog,auditlog,msg:'Yahoo robot activity',id:'910007',severity:'6'"
|
||||
|
||||
SecRule REQUEST_HEADERS:User-Agent "(?:(?:gsa-crawler \(enterprise; s4-e9lj2b82fjjaa; me\@mycompany\.com|adsbot-google \(\+http:\/\/www\.google\.com\/adsbot\.html)\)|\b(?:google(?:-sitemaps|bot)|mediapartners-google)\b)" \
|
||||
"phase:2,t:none,t:lowercase,log,auditlog,msg:'Google robot activity',id:'910006',severity:'5'"
|
||||
"phase:2,t:none,t:lowercase,nolog,auditlog,msg:'Google robot activity',id:'910006',severity:'6'"
|
||||
|
||||
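Review bot: The three robot-activity rules (910008, 910007, 910006) still specify no disruptive action of their own, so after the switch to `nolog,auditlog` what happens on a match is decided entirely by whatever SecDefaultAction is in force in the loading configuration; if that default is `block` or `deny`, a search-engine crawler is refused by a purely informational rule. The comment-spam prequalifier in this same commit writes `pass` explicitly (`...t:lowercase,skip:1,pass,nolog,...`); doing the same here, e.g. `"phase:2,t:none,t:lowercase,pass,nolog,auditlog,msg:'MSN robot activity',id:'910008',severity:'6'"`, makes the intent self-contained. Severity 6 (INFO) is consistent with that informational purpose.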