github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-09-30 03:34:29 +03:00
Code Issues Packages Projects Releases Wiki Activity

Update to core rules 1.4.3

Browse Source
This commit is contained in:
brectanus
2007-07-19 14:18:42 +00:00
parent e251a9bd57
commit 9be72c39d1
12 changed files with 183 additions and 79 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
rules/modsecurity_crs_50_outbound.conf
View File

@@ -15,15 +15,15 @@
SecDefaultAction "log,pass,status:501,phase:4"
SecRule RESPONSE_BODY "\b(?:th(?:is (?:(?:analysis was produced by .{0,100}? ana|report was generated by web)log|summary was generated by .{0,100}? wwwstat)|ese statistics were produced by (?:getstats|pelab))|generated by webalizer)\b" \
SecRule RESPONSE_BODY "\b(?:Th(?:is (?:summary was generated by .{0,100}? (?:w(?:ebcruncher|wwstat)|analog|Jware)|analysis was produced by .{0,100}? (?:calamaris|EasyStat|analog)|report was generated by WebLog)|ese statistics were produced by (?:getstats|PeLAB))|[gG]enerated by [Ww]ebalizer)\b" \
"ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Statistics Information Leakage',,id:'970002',severity:'4'"
SecRule RESPONSE_BODY "\b(?:(?:s(?:(?:elect list because it is not contained in (?:an aggregate function and there is no|either an aggregate function or the) group by claus|yntax error converting the \w+ value .*? to a column of data typ)e|upplied argument is not a valid (?:(?:m(?:s |y)|postgre)sql|o(?:racle|dbc)))|(?:you have an error in your sql|incorrect) syntax near|SQL Server does not exist or access denied)\b|c(?:ould not find server '\w+' in sysservers\. execute sp_addlinkedserver\b|annot take a \w+ data type as an argument\.)|e(?:ither bof or eof is true, or the current record has been deleted\. requested\b|rror '800a01b8')|un(?:closed quotation mark before the character string\b|able to connect to postgresql server:)|microsoft (?:ole db provider for .{0,30} error '|jet database engine error '8)|(?:warning: mysql_connect\(\)|postgresql query failed):|(?:\[microsoft\]\[odbc|ora-\d{5}:) )" \
SecRule RESPONSE_BODY "\b(?:(?:s(?:elect list because it is not contained in (?:an aggregate function and there is no|either an aggregate function or the) GROUP BY clause|upplied argument is not a valid (?:(?:M(?:S |y)|Postgre)SQL|O(?:racle|DBC)))|S(?:yntax error converting the \w+ value .*? to a column of data type|QL Server does not exist or access denied)|Either BOF or EOF is True, or the current record has been deleted(?:; the operation|\. Requested)|The column prefix .{0,50}? does not match with a table name or alias name used in the query|Could not find server '\w+' in sysservers\. execute sp_addlinkedserver)\b|(?:(?:Microsoft OLE DB Provider for .{0,30} [eE]rro|You have an error in your SQL syntax nea)r |error '800a01b8)'|Un(?:closed quotation mark before the character string\b|able to connect to PostgreSQL server:)|(?:Warning: mysql_connect\(\)|PostgreSQL query failed):|cannot take a \w+ data type as an argument\.|incorrect syntax near (?:\'|the\b|@@error\b)|microsoft jet database engine error '8|(?:\[Microsoft\]\[ODBC|ORA-\d{5}:) )" \
"ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'SQL Information Leakage',,id:'970003',severity:'4'"
SecRule RESPONSE_BODY "(?:\b(?:adodb\.command\b.{0,100}?\b(?:application uses a value of the wrong type for the current operation\b|error')|microsoft vbscript (?:compilation|runtime) (?:\(0x8|error)\b|object required: '|error '800)|(?:\/errormessage\.aspx\?error|>error 'asp)\b)" \
SecRule RESPONSE_BODY "(?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application uses a value of the wrong type for the current operation\b|error')| trappable error occurred in an external object\. The script cannot continue running\b)|Microsoft VBScript (?:compilation (?:\(0x8|error)|runtime (?:Error|\(0x8))\b|Object required: '|error '800)|<b>Version Information:<\/b>(?:&nbsp;|\s)(?:Microsoft \.NET Framework|ASP\.NET) Version:|(?:\/[Ee]rror[Mm]essage\.aspx?\?[Ee]rror|>error 'ASP)\b)" \
"ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'IIS Information Leakage',,id:'970004',severity:'4'"
SecRule RESPONSE_BODY "\bserver error in.{0,50}\bapplication\b" \
SecRule RESPONSE_BODY "\bServer Error in.{0,50}?\bApplication\b" \
"chain,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'IIS Information Leakage',,id:'970904',severity:'4'"
SecRule RESPONSE_STATUS "!^404$"
@@ -42,7 +42,7 @@ SecRule RESPONSE_BODY "\b403 forbidden\b\W*?\binternet security and acceleration
SecRule RESPONSE_BODY "\b<o:documentproperties>\b" \
"log,auditlog,msg:'Microsoft Word document properties leakage',,id:'970012',severity:'4'"
SecRule RESPONSE_BODY "(?:>\[to parent directory\]<\/a><br>|<title>index of.*?<h1>index of)" \
SecRule RESPONSE_BODY "(?:>\[To Parent Directory\]<\/[Aa]><br>|<title>Index of.*?<h1>Index of)" \
"ctl:auditLogParts=+E,deny,log,auditlog,status:403,msg:'Directory Listing',,id:'970013',severity:'4'"
@@ -69,5 +69,5 @@ SecRule RESPONSE_BODY "(?:(?:<h1>internal server error<\/h1>.*?<h2>part of the s
"ctl:auditLogParts=+E,log,auditlog,msg:'The application is not available',,id:'970118',severity:'5'"
SecRule RESPONSE_STATUS "^500$" "chain,ctl:auditLogParts=+E,log,auditlog,msg:'WebLogic information disclosure',,id:'970021',severity:'4'"
SecRule RESPONSE_BODY "<title>JSP compile error</title>" t:none
SecRule RESPONSE_BODY "<title>JSP compile error<\/title>" t:none