From c482774094107d354c49edb28fd782b009316f77 Mon Sep 17 00:00:00 2001 From: ivanr Date: Tue, 6 Feb 2007 12:32:03 +0000 Subject: [PATCH] Branched 2.1.0-rc7 --- rules/CHANGELOG | 66 ++++ rules/LICENSE | 339 ++++++++++++++++++ rules/README | 179 +++++++++ ...odsecurity_crs_20_protocol_violations.conf | 74 ++++ ...modsecurity_crs_21_protocol_anomalies.conf | 50 +++ .../modsecurity_crs_40_generic_attacks.conf | 83 +++++ rules/modsecurity_crs_10_config.conf | 285 +++++++++++++++ ...odsecurity_crs_20_protocol_violations.conf | 74 ++++ ...modsecurity_crs_21_protocol_anomalies.conf | 50 +++ rules/modsecurity_crs_30_http_policy.conf | 137 +++++++ rules/modsecurity_crs_35_bad_robots.conf | 33 ++ rules/modsecurity_crs_40_generic_attacks.conf | 83 +++++ rules/modsecurity_crs_45_trojans.conf | 36 ++ rules/modsecurity_crs_50_outbound.conf | 68 ++++ rules/modsecurity_crs_55_marketing.conf | 23 ++ 15 files changed, 1580 insertions(+) create mode 100644 rules/CHANGELOG create mode 100644 rules/LICENSE create mode 100644 rules/README create mode 100644 rules/blocking/modsecurity_crs_20_protocol_violations.conf create mode 100644 rules/blocking/modsecurity_crs_21_protocol_anomalies.conf create mode 100644 rules/blocking/modsecurity_crs_40_generic_attacks.conf create mode 100644 rules/modsecurity_crs_10_config.conf create mode 100644 rules/modsecurity_crs_20_protocol_violations.conf create mode 100644 rules/modsecurity_crs_21_protocol_anomalies.conf create mode 100644 rules/modsecurity_crs_30_http_policy.conf create mode 100644 rules/modsecurity_crs_35_bad_robots.conf create mode 100644 rules/modsecurity_crs_40_generic_attacks.conf create mode 100644 rules/modsecurity_crs_45_trojans.conf create mode 100644 rules/modsecurity_crs_50_outbound.conf create mode 100644 rules/modsecurity_crs_55_marketing.conf diff --git a/rules/CHANGELOG b/rules/CHANGELOG new file mode 100644 index 00000000..1ab249f7 --- /dev/null +++ b/rules/CHANGELOG 
@@ -0,0 +1,66 @@ + + +version 1.3.2 build 4 2007/01/17 + +Fixed apache 2.4 dummy requests exclusion +Added persistent PDF UXSS detection rule + + +Vervion 1.3.2 build 3 2007/01/10 + +Fixed regular expresion in rule 960010 (file #30) to allow mulipart-data content + + +Version 1.3.2 - 2006/12/27 + +New events: +- 960037 Directory is restricted by policy +- 960038 HTTP header is restricted by policy + +Regular expressions fixes: +- Regular expressions with @ at end of beginning (for example "@import) +- Regular expressions with un-escaped "." +- Command Injections now always require certain characters both before and after the command. Important since many are common English words (finger, mail) +- The command injection wget is not searched in the UA header as it has different meaning there. +- LDAP Fixed to reduce FPs: + + More accurate regular expressions + + high bit characters not accpeted between signature tokens. +- Do not detect + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 
+ This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. diff --git a/rules/README b/rules/README new file mode 100644 index 00000000..fb6d6597 --- /dev/null +++ b/rules/README 
@@ -0,0 +1,179 @@ + + +ModSecurity Core Rule Set +============================== + +(c) 2006 Breach Secuiry Inc. + +The ModSecurity Core Rule Set is provided to you under the terms and +conditions of GPL version 2 + +This directory contains the files for Core ModSecurity Rule Set +The rules are compatible with ModSecurity 2.1 (as of version 1.3.2) + + +Overview +-------- + +Using ModSecurity requires rules. In order to enable users to take full +advantage of ModSecurity immediately, Breach Security Inc. is providing a free +Core rule set. Unlike intrusion detection and prevention systems which +rely on signature specific to known vulnerabilities, the Core Rule Set +provides generic protection from unknown vulnerabilities often found in web +application that are in most cases custom coded. + +Keep in mind that a predefined rule set is only part of the work required to +protect your web site. We strongly urge you to consult Ivan Ristic's book, +"Apache Security" in order to harden your Apache web server. You may also +consider writing custom rules for providing a positive security envelope to +your application or critical parts of it. Breach Security can provide you with +training and professional services to assist you in doing that. The Core +Rule Set is heavily commented to allow it to be used as a step-by-step +deployment guide for ModSecurity. + +For more information refer to the Core Rule Set page at +http://www.modsecurity.org/ + + +Core Rule Set Structure & Usage +------------------------------------ + +To activate the rules for your web server installation: + + 1) You may want to edit and customize modsecurity_crs_10_config.conf. + Additionally you may want to edit modsecurity_crs_30_http_policy.conf + which enforces an application specific HTTP protocol usage. + + 2) Add the following line to your httpd.conf (assuming + you've placed the rule files into conf/modsecurity/): + + Include conf/modsecurity/*.conf + + 3) Restart web server. 
+ + 4) Make sure your web sites are still running fine. + + 5) Simulate an attack against the web server. Then check + the attack was correctly logged in the Apache error log, + ModSecurity debug log (if you enabled it) and ModSecurity + audit log (if you enabled it). + + 6) If you configured your audit log entries to be transported + to ModSecurity Console in real time, check the alert was + correctly recorded there too. + +About Regular Expressions +------------------------- + +One of the advantages of the Core Rule Set, being a set of text files is your +ability to modify it. However you will find that the regular expressions used +are very complex. + +Since regular expressions are much more efficient if assembled into a single +expression and optimized, a generation script takes a list of patterns that +are required for a rule and optimize them into a most efficient regular +expression. + +We plan to release the optimization script shortly to allow much easier editing +of regular expressions. + + +Core Rule Set Content +-------------------------- + +In order to provide generic web applications protection, the Core Rule Set +uses the following techniques: + +1. HTTP protection - detecting violations of the HTTP protocol and a locally +defined usage policy. + +2. Common Web Attacks Protection - detecting common web application security +attack. + +3. Automation detection - Detecting bots, crawlers, scanners and other surface +malicious activity. + +4. Trojan Protection - Detecting access to Trojans horses. + +5. Errors Hiding – Disguising error messages sent by the server + +In addition the rule set also hints at the power of ModSecurity beyond +providing security by reporting access from the major search engines to your +site. + + +HTTP Protection - This first line of protection ensures that all abnormal HTTP +requests are detected. This line of defense eliminates a large number of +automated and non targeted attacks as well as protects the web server itself. 
+Common Web Attacks Protection Rules on the second level address the common web +application security attack methods. These are the issues that can appear in +any web application. Some of the issues addressed are: + +- SQL Injection +- Cross-Site Scripting (XSS) +- OS Command execution +- Remote code inclusion +- LDAP Injection +- SSI Injection +- Information leak +- Buffer overflows +- File disclosure + +Automation Detection - Automated clients are both a security risk and a +commercial risk. Automated crawlers collect information from your site, consume +bandwidth and might also search for vulnerabilities on the web site. Automation +detection is especially useful for generic detection of comments spam. + + +Trojan Protection - ModSecurity Core Rule Set detects access to back doors +installed on a web server. This feature is very important in a hosting +environment when some of this backdoors may be uploaded in a legitimate way and +used maliciously. In addition the Core Rule Set includes a hook for adding +an Anti-Virus program such as ClamAV for checking file uploads. + +Errors Hiding - If all fails, the Core Rule Set will detect errors sent by +the web server. Detecting and blocking errors prevents attackers from +collecting reconnaissance information about the web application and also server +as a last line of defense in case an attack was not detected eariler. + + +Few Word of Caution +------------------- + +As with every new technology, using the ModSecurity Core Rule Set requires some caution: + +- Every Rule Set can have false positive in new environments and any new +installation should initially use the log only Rule Set version or if no such +version is available, set ModSecurity to Detection only using the SecRuleEngine +DetectionOnly command. + +After running ModSecurity in a detection only mode for a while review the evens +generated and decide if any modification to the rule set should be made before +moving to protection mode. 
+ +- Freely available wide spread signatures have their down side as attackers may +examine them and find ways to bypass them. Especially note that the automation +detection signatures are relatively easy to evade and should not be viewed as a +security mechanism but only as a "nuisance reduction" mechanism. + + +Road Map +-------- + +This rule set is both young and old. Breach Security has a long experience with +rules and signatures for application security protection and the Core Rule +Set is based on this experience. On the other hand, this is a first cut of a +ModSecurity rule set so your feedback and remarks, either directly or through +the ModSecurity mailing list would be greatly appreciated. + +Going forward we plan to: + +- Utilize ModSecurity 2.0 support for events correlation to detect denial of +service attacks, brute force attacks and attack reconnaissance + +- Add a framework for validating SOAP requests. + +- Add signatures for key known vulnerabilities. + +Anything else you would want? + diff --git a/rules/blocking/modsecurity_crs_20_protocol_violations.conf b/rules/blocking/modsecurity_crs_20_protocol_violations.conf new file mode 100644 index 00000000..484085af --- /dev/null +++ b/rules/blocking/modsecurity_crs_20_protocol_violations.conf 
@@ -0,0 +1,74 @@ +# --------------------------------------------------------------- +# Core ModSecurity Rule Set +# Copyright (C) 2006 Breach Security Inc. All rights reserved. +# +# The ModSecuirty Core Rule Set is distributed under GPL version 2 +# Please see the enclosed LICENCE file for full details. +# --------------------------------------------------------------- + + +# +# TODO in some cases a valid client (usually automated) generates requests that +# violates the HTTP protocol. Create exceptions for those clients, but try +# to limit the exception to a source IP or other additional properties of +# the request such as URL and not allow the violation generally. +# +# + +# Use status code 400 response status code by default as protocol violations +# are in essence bad requests. +SecDefaultAction "log,pass,phase:1,status:400" + +# Accept only digits in content length +# +SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "deny,log,auditlog,status:400,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016'" + +# Do not accept GET or HEAD requests with bodies +# HTTP standard allows GET requests to have a body but this +# feature is not used in real life. Attackers could try to force +# a request body on an unsuspecting web applications. +# +SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011'" +SecRule REQUEST_HEADERS:Content-Length "!^0?$" + +# Require Content-Length to be provided with every POST request. +# +SecRule REQUEST_METHOD "^POST$" "chain,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header',id:'960012',severity:'4'" +SecRule &REQUEST_HEADERS:Content-Length "@eq 0" + +# Don't accept transfer encodings we know we don't know how to handle +# +# NOTE ModSecurity does not support chunked transfer encodings at +# this time. You MUST reject all such requests. 
+# +SecRule HTTP_Transfer-Encoding "!^$" "deny,log,auditlog,status:501,msg:'ModSecurity does not support transfer encodings',id:'960013',severity:'5'" + +# Check decodings +SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \ + "chain, deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'" +SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" + +SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,status:400,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',severity:'4'" + +# Proxy access attempt +# NOTE Apache blocks such access by default if not set as a proxy. The rule is +# included in case Apache proxy is misconfigured. +SecRule REQUEST_URI ^http:/ "deny,log,auditlog,status:400,msg:'Proxy access attempt', severity:'2',id:'960014'" + +# +# Restrict type of characters sent +# +# NOTE In order to be broad and support localized applications this rule +# only validates that NULL Is not used. +# +# The strict policy version also validates that protocol and application +# generated fields are limited to printable ASCII. +# +# TODO If your application use the range 32-126 for parameters. +# +SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \ + "@validateByteRange 32-126" \ + "deny,log,auditlog,status:400,msg:'Request Missing an Accept Header', severity:'2',id:'960015',t:urlDecodeUni,phase:1" + +SecRule ARGS|ARGS_NAMES "@validateByteRange 1-255" \ + "deny,log,auditlog,status:400,msg:'Invalid character in request',id:'960901',severity:'4',t:urlDecodeUni,phase:2" diff --git a/rules/blocking/modsecurity_crs_21_protocol_anomalies.conf b/rules/blocking/modsecurity_crs_21_protocol_anomalies.conf new file mode 100644 index 00000000..03084e36 --- /dev/null 
+++ b/rules/blocking/modsecurity_crs_21_protocol_anomalies.conf 
@@ -0,0 +1,50 @@ +# --------------------------------------------------------------- +# Core ModSecurity Rule Set +# Copyright (C) 2006 Breach Security Inc. All rights reserved. +# +# The ModSecuirty Core Rule Set is distributed under GPL version 2 +# Please see the enclosed LICENCE file for full details. +# --------------------------------------------------------------- + + +# +# TODO in some cases a valid client (usually automated) generates requests that +# violates the HTTP protocol. Create exceptions for those clients, but try +# to limit the exception to a source IP or other additional properties of +# the request such as URL and not allow the violation generally. +# + +# Use status code 400 response status code by default as protocol violations +# are in essence bad requests. +SecDefaultAction "log,pass,phase:1,status:400" + +# Do not accept requests without common headers. +# +# Implies either an attacker or a legitimate automation client. +# +SecRule REQUEST_URI "^/$" "chain,skip:4" +SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain" +SecRule REQUEST_HEADERS:User-Agent "^Apache.*\(internal dummy connection\)$" "t:none" + +SecRule &REQUEST_HEADERS:Host "@eq 0" \ + "skip:1,deny,log,auditlog,status:400,msg:'Request Missing a Host Header',id:'960008',severity:'4'" +SecRule REQUEST_HEADERS:Host "^$" \ + "deny,log,auditlog,status:400,msg:'Request Missing a Host Header',id:'960008',severity:'4'" + + +SecRule &REQUEST_HEADERS:Accept "@eq 0" \ + "chain,skip:1,deny,log,auditlog,status:400,msg:'Request Missing an Accept Header', severity:'2',id:'960015'" +SecRule REQUEST_METHOD "!OPTIONS" +SecRule REQUEST_HEADERS:Accept "^$" \ + "chain,deny,log,auditlog,status:400,msg:'Request Missing an Accept Header', severity:'2',id:'960015'" +SecRule REQUEST_METHOD "!OPTIONS" + +SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \ + "skip:1,deny,log,auditlog,status:400,msg:'Request Missing a User Agent Header',id:'960009',severity:'4'" +SecRule REQUEST_HEADERS:User-Agent "^$" \ + 
"deny,log,auditlog,status:400,msg:'Request Missing a User Agent Header',id:'960009',severity:'4'" + + +# Check that the host header is not an IP address +# +SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "deny,log,auditlog,status:400,msg:'Host header is a numeric IP address', severity:'2',id:'960017'" diff --git a/rules/blocking/modsecurity_crs_40_generic_attacks.conf b/rules/blocking/modsecurity_crs_40_generic_attacks.conf new file mode 100644 index 00000000..dc3a9e7e --- /dev/null +++ b/rules/blocking/modsecurity_crs_40_generic_attacks.conf 
@@ -0,0 +1,83 @@ +# --------------------------------------------------------------- +# Core ModSecurity Rule Set +# Copyright (C) 2006 Breach Security Inc. All rights reserved. +# +# The ModSecuirty Core Rule Set is distributed under GPL version 2 +# Please see the enclosed LICENCE file for full details. +# --------------------------------------------------------------- + + +# +# TODO While some of the pattern groups such as command injection are usually +# safe of false positives, other pattern groups such as SQL injection and +# XSS may require setting exceptions and therefore are set to log only by +# default. +# +# Start ModSecurity in monitoring only mode and check whether your +# application requires exceptions for a specific URL, Pattern or source IP +# before moving to blocking mode. + +SecDefaultAction "log,pass,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase" + +# Session fixation +SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \ + "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Session Fixation. Matched signature <%{TX.0}>',id:'950009',severity:'2'" + +# Blind SQL injection +SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql.user)|c(?:onstraint_type|harindex)|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)" \ + "capture,t:replaceComments,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Blind SQL Injection Attack. 
Matched signature <%{TX.0}>',id:'950007',severity:'2'" +#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\b(?:benchmark|encode)\b" \ +# "chain,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',id:'950903',severity:'2'" +#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "[\\(\)\%#]\|--" +SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())" \ + "capture,t:replaceComments,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',id:'950904',severity:'2'" + +# SQL injection +SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer 
"(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction|open(?:rowset|query)|dbms_java)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|(?:having|or|and)\b\s+?(?:\d{1,10}|'[^=]{1,10}')\s*?[=<>]+|(?:print\]\b\W*?\@|root)\@|c(?:ast\b\W*?\(|oalesce\b))|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)')" \ + "capture,t:replaceComments,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',id:'950001',severity:'2'" +#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\b(?:rel(?:(?:nam|typ)e|kind)|a(?:ttn(?:ame|um)|scii)|c(?:o(?:nver|un)t|ha?r)|s(?:hutdown|elect)|to_(?:numbe|cha)r|u(?:pdate|nion)|d(?:elete|rop)|group\b\W*\bby|having|insert|length|where)\b" \ +# "chain,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'SQL Injection Attack. 
Matched signature <%{TX.0}>',id:'950905',severity:'2'" +#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "[\\(\)\%#]\|--" +SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\b(?:user_(?:(?:object|table|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|substr(?:ing)?|table_name|mb_users|rownum)\b" \ + "capture,t:replaceComments,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',id:'950906',severity:'2'" + +# XSS +SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|type\b\W*?\b(?:text\b(?:\W*?\b(?:j(?:ava)?|ecma)script\b| [vbscript])|application\b\W*?\bx-(?:java|vb)script\b)|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder)\b|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\\btype\b\W*?\bimage)\b|!\[CDATA\[|script|meta)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \ + "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Cross-site Scripting (XSS) Attack. Matched signature <%{TX.0}>',id:'950004',severity:'2'" + +# file injection +SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \ + "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt. 
Matched signature <%{TX.0}>',id:'950005',severity:'2'" + +# Command access +SecRule REQUEST_FILENAME "\b(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe\b" \ + "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Access. Matched signature <%{TX.0}>',id:'950002',severity:'2'" + +# Command injection +SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \ + "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950006',severity:'2'" +SecRule "ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent" \ + "\bwget\b" \ + "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950907',severity:'2'" + +# Coldfusion injection +SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug)\b" \ + "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Injection of Undocumented ColdFusion Tags. 
Matched signature <%{TX.0}>',id:'950008',severity:'2'" + +# LDAP injection +SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \ + "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'LDAP Injection Attack. Matched signature <%{TX.0}>',id:'950010',severity:'2'" + +# SSI injection +SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "
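Review bot: rules/CHANGELOG hunk: the build 4 entry "Fixed apache 2.4 dummy requests exclusion" names a server version that did not exist in January 2007; the internal dummy connection that the exclusion in modsecurity_crs_21_protocol_anomalies.conf matches on belongs to the Apache 2.2 line, so this should read 2.2. Spelling in the same hunk: "Vervion" -> "Version", "regular expresion" -> "regular expression", "mulipart-data" -> "multipart-data", "accpeted" -> "accepted". The last bullet of the 1.3.2 entry stops at "- Do not detect" with nothing after it; either complete the sentence or drop the bullet.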
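Review bot: rules/README hunk: the installation steps under "Core Rule Set Structure & Usage" (Include conf/modsecurity/*.conf) never mention the rules/blocking/ directory that this same commit adds with deny-based variants of files 20, 21 and 40, yet the "Few Word of Caution" section tells users to start with "the log only Rule Set version". Add a sentence saying which set the glob picks up and when to swap in the blocking/ files, otherwise the advice cannot be followed. Spelling and grammar: "Breach Secuiry Inc." -> "Breach Security Inc.", "Few Word of Caution" -> "A Few Words of Caution", "review the evens generated" -> "events", "also server as a last line of defense" -> "serves", "eariler" -> "earlier", "Trojans horses" -> "Trojan horses", "detecting common web application security attack" -> "attacks", "signature specific to known vulnerabilities" -> "signatures". The Road Map item about "ModSecurity 2.0 support for events correlation" sits next to the statement that the rules are compatible with ModSecurity 2.1; align the version.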
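Review bot: rules/blocking/modsecurity_crs_20_protocol_violations.conf hunk: the rule with id 960015 applies @validateByteRange 32-126 but carries msg:'Request Missing an Accept Header', copied from the Accept check, and id 960015 is already used by that Accept rule in modsecurity_crs_21_protocol_anomalies.conf; give it its own id and a message that describes what it detects (non-printable bytes in the request line or headers). The TODO comment just above it ("If your application use the range 32-126 for parameters.") ends mid-sentence; complete it, since it is the only place a reader learns when to relax the range. Rule 960013 uses the variable HTTP_Transfer-Encoding, the ModSecurity 1.x naming, while every other rule in the file addresses headers as REQUEST_HEADERS:<name>; use REQUEST_HEADERS:Transfer-Encoding unless 2.1 is confirmed to accept the old form, because a rejected variable name here means unsupported encodings reach the backend unchecked. Minor: the header comment says "ModSecuirty" and points to an "enclosed LICENCE file" while the file added by this commit is rules/LICENSE.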
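Review bot: rules/blocking/modsecurity_crs_21_protocol_anomalies.conf hunk: rule 960017 ("Host header is a numeric IP address") uses ^[\d\.]+$, so a Host value carrying a port, such as 1.2.3.4:8080, is not matched; allow an optional port, e.g. ^[\d\.]+(?::\d+)?$ . The dummy-connection exclusion at the top depends on skip:4 landing exactly past the two Host rules and the two Accept chains; add a comment recording which rules the skip is meant to jump over, because inserting any rule between them silently breaks the exclusion and the localhost requests start tripping 960008. Several ids are reused (960008, 960009 and 960015 each appear on two rules, and 960015 also appears in file 20); ModSecurity 2.1 tolerates this, but later ModSecurity releases require unique ids, so distinct ids for the "header absent" and "header empty" forms would save a migration later. Same "ModSecuirty"/"LICENCE" header typos as in file 20.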
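Review bot: rules/blocking/modsecurity_crs_40_generic_attacks.conf hunk: the XSS rule 950004 pattern contains input\b.*?\\btype\b, a doubled backslash that makes the engine look for a literal backslash followed by "btype" instead of a word boundary before "type" (compare body\b.*?\b(?:backgroun|onloa)d in the same alternation), and text\b(?:\W*?\b(?:j(?:ava)?|ecma)script\b| [vbscript]) uses a character class, so it matches "text " followed by any single one of the letters v, b, s, c, r, i, p, t rather than the string vbscript; (?:vbscript) looks intended. The first misses the input-type-image case the comment-free pattern is clearly after, the second is a likely source of false positives. The same rule is the only signature in the file that scans REQUEST_HEADERS without !REQUEST_HEADERS:Referer, which the SQL and LDAP injection rules exclude; align it or document why Referer is inspected here. The header comment says SQL injection and XSS "are set to log only by default", but every rule in this blocking/ copy carries deny; update the comment for this variant. SecDefaultAction sets status:500 while every rule overrides it with status:501, so the default is dead and 501 (Not Implemented) is an odd status for a blocked attack; 403 would be clearer. Minor inconsistency: 950904 and 950906 drop ARGS_NAMES from the target list that 950007 and 950001 inspect.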