From efe52d4e777fd0263422ca191dd4573b4978fa90 Mon Sep 17 00:00:00 2001 From: brectanus Date: Thu, 14 Jun 2007 18:48:35 +0000 Subject: [PATCH] Initialize rules tmp pool properly. Update to latest core rules. --- CHANGES | 2 + apache2/mod_security2.c | 2 + rules/CHANGELOG | 188 +++-- rules/LICENSE | 678 +++++++++--------- rules/README | 2 + rules/modsecurity_crs_10_config.conf | 582 +++++++-------- ...odsecurity_crs_20_protocol_violations.conf | 158 ++-- ...modsecurity_crs_21_protocol_anomalies.conf | 105 +-- rules/modsecurity_crs_30_http_policy.conf | 289 ++++---- rules/modsecurity_crs_35_bad_robots.conf | 66 +- rules/modsecurity_crs_40_generic_attacks.conf | 177 ++--- rules/modsecurity_crs_45_trojans.conf | 72 +- rules/modsecurity_crs_50_outbound.conf | 141 ++-- rules/modsecurity_crs_55_marketing.conf | 46 +- 14 files changed, 1314 insertions(+), 1194 deletions(-) diff --git a/CHANGES b/CHANGES index fe56ffc6..0eb5b1f3 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,8 @@ ?? ??? 2007 - 2.2.0-trunk ------------------------- + * Update included core rules to latest version. + * Do not trigger "pause" action for internal requests. * Added matching rule filename and line number to audit log. diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c index 98f0c75c..a179cda0 100644 --- a/apache2/mod_security2.c +++ b/apache2/mod_security2.c @@ -353,6 +353,8 @@ static modsec_rec *create_tx_context(request_rec *r) { msr_log(msr, 4, "Transaction context created (dcfg %x).", msr->dcfg1); } + msr->msc_rule_mptmp = NULL; + return msr; } diff --git a/rules/CHANGELOG b/rules/CHANGELOG index 1ab249f7..e78a4fa9 100644 --- a/rules/CHANGELOG +++ b/rules/CHANGELOG 
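Review bot: The new `msr->msc_rule_mptmp = NULL;` in the apache2/mod_security2.c hunk is placed after the "Transaction context created" debug log, so the context is reported as created one statement before this field is initialized; it reads better alongside the other msr field assignments (which lie outside the hunk), and the bare assignment gives a future reader no hint of why it matters. Suggest a comment such as `/* Per-rule temporary pool; must start NULL so a stale pool pointer from an uninitialized field is never used by the rule engine. */`, adjusting the wording if the engine creates the pool on demand. Whether msr is obtained from a zeroing allocator such as apr_pcalloc cannot be seen here; if it is, the explicit NULL is harmless but the comment should say it is deliberate rather than a fix for garbage memory. create_tx_context starts outside the hunk.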
@@ -1,66 +1,122 @@ - - -version 1.3.2 build 4 2007/01/17 - -Fixed apache 2.4 dummy requests exclusion -Added persistent PDF UXSS detection rule - - -Vervion 1.3.2 build 3 2007/01/10 - -Fixed regular expresion in rule 960010 (file #30) to allow mulipart-data content - - -Version 1.3.2 - 2006/12/27 - -New events: -- 960037 Directory is restricted by policy -- 960038 HTTP header is restricted by policy - -Regular expressions fixes: -- Regular expressions with @ at end of beginning (for example "@import) -- Regular expressions with un-escaped "." -- Command Injections now always require certain characters both before and after the command. Important since many are common English words (finger, mail) -- The command injection wget is not searched in the UA header as it has different meaning there. -- LDAP Fixed to reduce FPs: - + More accurate regular expressions - + high bit characters not accpeted between signature tokens. -- Do not detect JSP compile error" in the response body, will trigger this rule, with severity 4 (Warning) +- 950015,950910,950911 - HTTP Response Splitting + Looking for HTTP Response Splitting patterns as described in Amit Klein's excellent article: + http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf +ModSecurity does not support compressed content at the moment. Thus, the following rules have been added: +- 960902 - Content-Encoding in request not supported + Any incoming compressed request will be denied +- 960903 - Content-Encoding in response not suppoted + An outgoing compressed response will be logged to alert, but ONLY ONCE. 
+ +False Positives Fixes: +- Removed <.exe>,<.shtml> from restricted extensions +- Will not be looking for SQL Injection signatures , in the Via request header +- Excluded Referer header from SQL injection, XSS and command injection rules +- Excluded X-OS-Prefs header from command injection rule +- Will be looking for command injection signatures in + REQUEST_COOKIES|REQUEST_COOKIES_NAMES instead of REQUEST_HEADERS:Cookie. +- Allowing charset specification in the Content-Type + +Additional rules logic: +- Corrected match of OPTIONS method in event 960015 +- Changed location for event 960014 (proxy access) to REQUEST_URI_RAW +- Moved all rules apart from method inspection from phase 1 to phase 2 - + This will enable viewing content if such a rule triggers as well as setting + exceptions using Apache scope tags. +- Added match for double quote in addition to single quote for signature (SQL Injection) +- Added 1=1 signature (SQL Injection) + +-------------------------------- +version 1.3.2 build 4 2007/01/17 +-------------------------------- + +Fixed apache 2.4 dummy requests exclusion +Added persistent PDF UXSS detection rule + +-------------------------------- +Version 1.3.2 build 3 2007/01/10 +-------------------------------- + +Fixed regular expression in rule 960010 (file #30) to allow multipart form data +content + +-------------------------- +Version 1.3.2 - 2006/12/27 +-------------------------- + +New events: +- 960037 Directory is restricted by policy +- 960038 HTTP header is restricted by policy + +Regular expressions fixes: +- Regular expressions with @ at end of beginning (for example "@import) +- Regular expressions with un-escaped "." +- Command Injections now always require certain characters both before and after the command. Important since many are common English words (finger, mail) +- The command injection wget is not searched in the UA header as it has different meaning there. 
+- LDAP Fixed to reduce FPs: + + More accurate regular expressions + + high bit characters not accpeted between signature tokens. +- Do not detect - Copyright (C) - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License along - with this program; if not, write to the Free Software Foundation, Inc., - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - -Also add information on how to contact you by electronic and paper mail. - -If the program is interactive, make it output a short notice like this -when it starts in an interactive mode: - - Gnomovision version 69, Copyright (C) year name of author - Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, the commands you use may -be called something other than `show w' and `show c'; they could even be -mouse-clicks or menu items--whatever suits your program. - -You should also get your employer (if you work as a programmer) or your -school, if any, to sign a "copyright disclaimer" for the program, if -necessary. Here is a sample; alter the names: - - Yoyodyne, Inc., hereby disclaims all copyright interest in the program - `Gnomovision' (which makes passes at compilers) written by James Hacker. 
- - , 1 April 1989 - Ty Coon, President of Vice - -This General Public License does not permit incorporating your program into -proprietary programs. If your program is a subroutine library, you may -consider it more useful to permit linking proprietary applications with the -library. If this is what you want to do, use the GNU Lesser General -Public License instead of this License. + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. 
+ + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) 
Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. 
+ + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. diff --git a/rules/README b/rules/README index 98a28508..57d6bc59 100644 
--- a/rules/README +++ b/rules/README @@ -1,3 +1,5 @@ + + ModSecurity Core Rule Set ============================== diff --git a/rules/modsecurity_crs_10_config.conf b/rules/modsecurity_crs_10_config.conf index 09bc8393..69db2257 100644 --- a/rules/modsecurity_crs_10_config.conf +++ b/rules/modsecurity_crs_10_config.conf 
@@ -1,285 +1,297 @@ -# --------------------------------------------------------------- -# Core ModSecurity Rule Set -# Copyright (C) 2006 Breach Security Inc. All rights reserved. -# -# The ModSecuirty Core Rule Set is distributed under GPL version 2 -# Please see the enclosed LICENCE file for full details. -# --------------------------------------------------------------- - - -# Configuration contained in this file should be customized -# for your specific requirements before deployment. -# -# Next to each rule there is a description of what it does. Each -# location where customization is needed is marked with "TODO". It -# is recommended that you: -# -# 1) Keep a copy of the original file. This will allow you to use -# the "diff" command to quickly see the changes. It will also -# make upgrades to future rule sets easier. -# -# 2) Document your changes thoroughly. -# -# You are advised to start with ModSecurity in detection mode only. -# Switch to protection when you are comfortable with your rule set. -# For maximum protection monitor your logs on daily basis (or -# better). -# - -# TODO You may want to provide an error friendly message to your -# users when you start rejecting requests. You can do this using -# the Apache ErrorDocument directive. You should also add -# mod_unique_id to your configuration and display the unique -# request ID on the error page. This would allow your users to -# report the request ID back to you so that you can investigate -# the false positive (if that's what it is). A nice error page -# usually reduces the impact of false positives on the users. -# -# The drawback of this user friendly approach is that it is -# easier for the attackers to figure out there is an web -# application firewall protecting the application. 
-# -# ErrorDocument 403 /path/to/error_document.php -# -# For more information see -# http://httpd.apache.org/docs-2.0/custom-error.html - - -## -- Configuration ---------------------------------------------------------- - -# Turn ModSecurity on ("On"), set to monitoring only -# ("DetectionOnly") or turn off ("Off"). -# -SecRuleEngine On - -# Define which part of the HTTP transaction to inspect. -# -# Inspecting request body (SecRequestBodyAccess) should probably be always set -# to "on". Only very high volume sites that never use POST requests might want -# to set it to "off" to optimize performance. -# -# Inspecting response body is useful for monitoring for information leaks, -# or for signs of intrusion. However, it does require all responses to be -# buffered in memory. For most sites this should not be a problem, but special -# care must be taken to avoid buffering file downloads (through -# MIME type selection, as shown below). -# -# TODO If you decide to enable output filtering make sure to -# review the list of scanned MIME types. If pages of the types specified -# for outbound inspection are smaller than 512K in you application -# (which is usually the case) you may reduce the SecResponseBodyLimit -# to protect from potential denial of service attacks. -# -SecRequestBodyAccess On -SecResponseBodyAccess On -SecResponseBodyMimeType (null) text/html text/plain text/xml -SecResponseBodyLimit 524288 - - -# What to do when an error is encountered. -# -# The default is to log the error and let the request go through. -# This is a reasonable setting to start with because you do not -# want to reject legitimate requests with an untuned rule set. -# -# If, after monitoring the performance of the rule set after a -# sufficient period, you determine the rules never (or rarely -# trigger on legitimate requests) you can change to something -# else, such as "log,deny,status:500". 
You can also leave the -# default setting here as is, but use per rule action configuration -# to only configure some rules to reject requests, leaving most -# of them to work in detection mode. -# -#SecDefaultAction "phase:2,log,pass,status:500" - -# Set web server identification string -# -# TODO In case you use Apache, you may want specify a simple server signature -# instead of the detailed Apache default signature that list most modules -# used on the specific Apache deployment: -# "Apache/2.2.0 (Fedora)" -# -SecServerSignature "Apache/2.2.0 (Fedora)" - -## -- File uploads configuration ----------------------------------------------- -# Temporary file storage path. -# -# TODO Change the temporary folder setting to a path where only -# the web server has access. -# -SecUploadDir /tmp - -# Whether or not to keep the stored files. -# -# In most cases you don't want to keep the uploaded files (especially -# when there is a lot of them). It may be useful to change the setting -# to "RelevantOnly", in which case the files uploaded in suspicious -# requests will be stored. -# -SecUploadKeepFiles Off - -# Inspect uploaded files. -# -# TODO If there is a danger of attack through uploaded files then it -# is possible to configure an external script to inspect each file -# before it is seen by the application. An example script is -# included with ModSecurity (/util/modsec-clamscan.pl). -# -# Inspecting uploaded files is especially important in a hosting, -# community or blogging environments where uploading files is permitted. -# -# NOTE the t:none action is required in order not to process the files names -# passed to the script based on previously defined actions in a -# SecDefaultAction directive. -# -# SecRule FILES_TMPNAMES "@inspectFile /opt/apache/bin/inspect_script.pl" \ -# "t:none" - -## -- Logging ---------------------------------------------------------------- - -# Whether to log requests to the forensic log. 
-# -# By default, only requests that trigger a ModSecurity events (as detected -# by) or a serer error are logged ("RelevantOnly"). This is a reasonable -# setting. Full logging can be set by using # "on". If the system is used -# for protection only and no logging is desired (not reccomended) logging can -# be turned of using "off" -# -# NOTE It is also possible to configure forensic logging on the -# per request basis using the "auditlog" and "noauditlog" rule -# actions. -# -# TODO The default rule set logs requests that generate a 404 "file not found" -# response. These events are interesting, but may log a lot of information. -# you may consider removing it by setting SecAuditLogRelevantStatus -# to "^(?:5|4\d[^4])". -# -SecAuditEngine RelevantOnly -SecAuditLogRelevantStatus "^[45]" - -# Log files structure -# -# You can select to log all events to a single log file (set SecAuditLogType to -# "Serial") or to log each request to a separate file (set it to "Concurrent"). -# The former is usually easier to use, but if full logging is required or if -# the protected system supports a large transaction volume the later may -# be a better option. -# -# TODO Set the SecAuditLog (for "Serial" logging) or SecAuditLogStorageDir (for -# "Concurrent" logging). -# -# TODO If you change from "Serial" to "Concurrent" uncomment the -# SecAuditLogStorageDir directive and make sure the direcory specified -# exists and has write permissions for the Apache user. 
- -SecAuditLogType Serial -SecAuditLog logs/modsec_audit.log -# SecAuditLogStorageDir logs/modsec_audit - -# Select what portions of the request to log -# -# Modify the string by adding any of the letter below to it: -# A - audit log header (mandatory) -# B - request headers -# C - request body (present only if the request body exists and ModSecurity is -# configured to intercept it) -# E - intermediary response body (present only if ModSecurity is configured to -# intercept response bodies, and if the audit log engine is configured to -# record it). Intermediary response body is the same as the actual response -# body unless ModSecurity intercepts the intermediary response body, in -# which case the actual response body will contain the error message -# (either the Apache default error message, or the ErrorDocument page). -# F - final response headers (excluding the Date and Server headers, which are -# always added by Apache in the late stage of content delivery). -# H - audit log trailer -# I - This part is a replacement for part C. It will log the same data as C in -# all cases except when multipart/form-data encoding in used. In this case -# it will log a fake application/x-www-form-urlencoded body that contains -# the information about parameters but not about the files. This is handy -# if you don't want to have (often large) files stored in your audit logs. -# Z - final boundary, signifies the end of the entry (mandatory) - -SecAuditLogParts "ABIFHZ" - -# Create a separate log to monitor performance. -# -# TODO Performance monitoring only works with Apache 2.x. You need -# to add mod_unique_id and mod_logio to your configuration. Then -# uncomment the following two lines. -# -# LogFormat "%V %h %t %{UNIQUE_ID}e \"%r\" %>s %X | %I %O | %<{mod_security-time1}n %<{mod_security-time2}n %<{mod_security-time3}n %D" mperformance -# CustomLog logs/modsec_performance.log mperformance - -# Custom application access log. 
-# -# TODO You should consider creating a custom access log. It could contain -# the performance metrics from above, but should also record the -# session ID for every request. That would make it possible to -# list all requests performed as part of a session. -# -# One custom log should be used per application but if you want -# multiple applications to share one log file make sure each -# line includes a unique application ID (unless the hostname is -# sufficient for differentiation). - -## -- Tuning and debugging - -# This section include tuning and debugging directives that usually require no -# modifications unless - - -# Parameters separator -# -# Specifies which character to use as separator for -# application/x-www-form-urlencoded content. -# Defaults to "&". Applications are sometimes (very rarely) written to use -# a semicolon (";"). -# -# NOTE Changing the value for this directive has significant influence on how -# ModSecurity works. Make the change only if you are absolutely sure it -# is required. -SecArgumentSeparator "&" - - -# Selects the cookie format that will be used in the current configuration -# context. -# -# Possible values are: -# 0 - use version 0 (Netscape) cookies. This is what most applications use. -# It is the default value. -# 1 - use version 1 cookies. - -SecCookieFormat 0 - -# Maximum size of the request body to keep in memory -# -# A higher value requires more server memory while a lower number would slow -# the server due to additional disk access. By default the limit is 128 KB: -SecRequestBodyInMemoryLimit 131072 - - -# Whether to send ModSecurity messages to a separate debug log. -# -# Debug messages are very useful for, well, debugging. The default -# setting here copies (they always appear in the Apache error log) -# only the most important messages (errors and warnings). -# -# NOTE Debug logging is generally very slow. You should never -# use values greater than "3" in production. 
-# -SecDebugLog logs/modsec_debug.log -SecDebugLogLevel 3 - -# Path where persistent data (e.g. IP address data, session data, etc) is to -# be stored. Must be writable by the web server user. -# -# TODO It is advisable to create a directory structure for ModSecurity such as -# /var/log/msa and create sub directories for SecDataDir, SecTmpDir, -# SecUploadDir, SecAuditLog and SecAuditLogStorageDir -# underneath it and set the permission for read and write only by the -# Apache user. - -SecDataDir /tmp - -# Configures the directory where temporary files will be created. -SecTmpDir /tmp +# --------------------------------------------------------------- +# Core ModSecurity Rule Set +# Copyright (C) 2006 Breach Security Inc. All rights reserved. +# +# The ModSecuirty Core Rule Set is distributed under GPL version 2 +# Please see the enclosed LICENCE file for full details. +# --------------------------------------------------------------- + + +# Configuration contained in this file should be customized +# for your specific requirements before deployment. +# +# Next to each rule there is a description of what it does. Each +# location where customization is needed is marked with "TODO". It +# is recommended that you: +# +# 1) Keep a copy of the original file. This will allow you to use +# the "diff" command to quickly see the changes. It will also +# make upgrades to future rule sets easier. +# +# 2) Document your changes thoroughly. +# +# You are advised to start with ModSecurity in detection mode only. +# Switch to protection when you are comfortable with your rule set. +# For maximum protection monitor your logs on daily basis (or +# better). +# + +# TODO You may want to provide an error friendly message to your +# users when you start rejecting requests. You can do this using +# the Apache ErrorDocument directive. You should also add +# mod_unique_id to your configuration and display the unique +# request ID on the error page. 
This would allow your users to +# report the request ID back to you so that you can investigate +# the false positive (if that's what it is). A nice error page +# usually reduces the impact of false positives on the users. +# +# The drawback of this user friendly approach is that it is +# easier for the attackers to figure out there is an web +# application firewall protecting the application. +# +# ErrorDocument 403 /path/to/error_document.php +# +# For more information see +# http://httpd.apache.org/docs-2.0/custom-error.html + + +## -- Configuration ---------------------------------------------------------- + +# Turn ModSecurity on ("On"), set to monitoring only +# ("DetectionOnly") or turn off ("Off"). +# +SecRuleEngine On + +# Define which part of the HTTP transaction to inspect. +# +# Inspecting request body (SecRequestBodyAccess) should probably be always set +# to "on". Only very high volume sites that never use POST requests might want +# to set it to "off" to optimize performance. +# +# Inspecting response body is useful for monitoring for information leaks, +# or for signs of intrusion. However, it does require all responses to be +# buffered in memory. For most sites this should not be a problem, but special +# care must be taken to avoid buffering file downloads (through +# MIME type selection, as shown below). +# +# TODO If you decide to enable output filtering make sure to +# review the list of scanned MIME types. If pages of the types specified +# for outbound inspection are smaller than 512K in you application +# (which is usually the case) you may reduce the SecResponseBodyLimit +# to protect from potential denial of service attacks. 
+# +SecRequestBodyAccess On +SecResponseBodyAccess On +SecResponseBodyMimeType (null) text/html text/plain text/xml +SecResponseBodyLimit 524288 + + +# Initiate XML Processor in case of xml content-type +# +# TODO Remove this rule if you don't wish to parse XML request +# Note that this will disable XML protection +SecRule REQUEST_HEADERS:Content-Type "text/xml" \ +"phase:1,pass,nolog,ctl:requestBodyProcessor=XML" + + +# What to do when an error is encountered. +# +# The default is to log the error and let the request go through. +# This is a reasonable setting to start with because you do not +# want to reject legitimate requests with an untuned rule set. +# +# If, after monitoring the performance of the rule set after a +# sufficient period, you determine the rules never (or rarely +# trigger on legitimate requests) you can change to something +# else, such as "log,deny,status:500". You can also leave the +# default setting here as is, but use per rule action configuration +# to only configure some rules to reject requests, leaving most +# of them to work in detection mode. +# +#SecDefaultAction "phase:2,log,pass,status:500" + +# Set web server identification string +# +# TODO In case you use Apache, you may want specify a simple server signature +# instead of the detailed Apache default signature that list most modules +# used on the specific Apache deployment: +# "Apache/2.2.0 (Fedora)" +# +SecServerSignature "Apache/2.2.0 (Fedora)" + +## -- File uploads configuration ----------------------------------------------- +# Temporary file storage path. +# +# TODO Change the temporary folder setting to a path where only +# the web server has access. +# +SecUploadDir /tmp + +# Whether or not to keep the stored files. +# +# In most cases you don't want to keep the uploaded files (especially +# when there is a lot of them). It may be useful to change the setting +# to "RelevantOnly", in which case the files uploaded in suspicious +# requests will be stored. 
+# +SecUploadKeepFiles Off + +# Inspect uploaded files. +# +# TODO If there is a danger of attack through uploaded files then it +# is possible to configure an external script to inspect each file +# before it is seen by the application. An example script is +# included with ModSecurity (/util/modsec-clamscan.pl). +# +# Inspecting uploaded files is especially important in a hosting, +# community or blogging environments where uploading files is permitted. +# +# NOTE the t:none action is required in order not to process the files names +# passed to the script based on previously defined actions in a +# SecDefaultAction directive. +# +# SecRule FILES_TMPNAMES "@inspectFile /opt/apache/bin/inspect_script.pl" \ +# "t:none" + +## -- Logging ---------------------------------------------------------------- + +# Whether to log requests to the forensic log. +# +# By default, only requests that trigger a ModSecurity events (as detected +# by) or a serer error are logged ("RelevantOnly"). This is a reasonable +# setting. Full logging can be set by using # "on". If the system is used +# for protection only and no logging is desired (not reccomended) logging can +# be turned of using "off" +# +# NOTE It is also possible to configure forensic logging on the +# per request basis using the "auditlog" and "noauditlog" rule +# actions. +# +# TODO The default rule set logs requests that generate a 404 "file not found" +# response. These events are interesting, but may log a lot of information. +# you may consider removing it by setting SecAuditLogRelevantStatus +# to "^(?:5|4\d[^4])". +# +SecAuditEngine RelevantOnly +SecAuditLogRelevantStatus "^[45]" + +# Log files structure +# +# You can select to log all events to a single log file (set SecAuditLogType to +# "Serial") or to log each request to a separate file (set it to "Concurrent"). 
+# The former is usually easier to use, but if full logging is required or if +# the protected system supports a large transaction volume the later may +# be a better option. +# +# TODO Set the SecAuditLog (for "Serial" logging) or SecAuditLogStorageDir (for +# "Concurrent" logging). +# +# TODO If you change from "Serial" to "Concurrent" uncomment the +# SecAuditLogStorageDir directive and make sure the direcory specified +# exists and has write permissions for the Apache user. + +SecAuditLogType Serial +SecAuditLog logs/modsec_audit.log +# SecAuditLogStorageDir logs/modsec_audit + +# Select what portions of the request to log +# +# Modify the string by adding any of the letter below to it: +# A - audit log header (mandatory) +# B - request headers +# C - request body (present only if the request body exists and ModSecurity is +# configured to intercept it) +# E - intermediary response body (present only if ModSecurity is configured to +# intercept response bodies, and if the audit log engine is configured to +# record it). Intermediary response body is the same as the actual response +# body unless ModSecurity intercepts the intermediary response body, in +# which case the actual response body will contain the error message +# (either the Apache default error message, or the ErrorDocument page). +# F - final response headers (excluding the Date and Server headers, which are +# always added by Apache in the late stage of content delivery). +# H - audit log trailer +# I - This part is a replacement for part C. It will log the same data as C in +# all cases except when multipart/form-data encoding in used. In this case +# it will log a fake application/x-www-form-urlencoded body that contains +# the information about parameters but not about the files. This is handy +# if you don't want to have (often large) files stored in your audit logs. 
+# Z - final boundary, signifies the end of the entry (mandatory) + +SecAuditLogParts "ABIFHZ" + +# Create a separate log to monitor performance. +# +# TODO Performance monitoring only works with Apache 2.x. You need +# to add mod_unique_id and mod_logio to your configuration. Then +# uncomment the following two lines. +# +# LogFormat "%V %h %t %{UNIQUE_ID}e \"%r\" %>s %X | %I %O | %<{mod_security-time1}n %<{mod_security-time2}n %<{mod_security-time3}n %D" mperformance +# CustomLog logs/modsec_performance.log mperformance + +# Custom application access log. +# +# TODO You should consider creating a custom access log. It could contain +# the performance metrics from above, but should also record the +# session ID for every request. That would make it possible to +# list all requests performed as part of a session. +# +# One custom log should be used per application but if you want +# multiple applications to share one log file make sure each +# line includes a unique application ID (unless the hostname is +# sufficient for differentiation). + +## -- Tuning and debugging + +# This section include tuning and debugging directives that usually require no +# modifications unless + + +# Parameters separator +# +# Specifies which character to use as separator for +# application/x-www-form-urlencoded content. +# Defaults to "&". Applications are sometimes (very rarely) written to use +# a semicolon (";"). +# +# NOTE Changing the value for this directive has significant influence on how +# ModSecurity works. Make the change only if you are absolutely sure it +# is required. +SecArgumentSeparator "&" + + +# Selects the cookie format that will be used in the current configuration +# context. +# +# Possible values are: +# 0 - use version 0 (Netscape) cookies. This is what most applications use. +# It is the default value. +# 1 - use version 1 cookies. 
+ +SecCookieFormat 0 + +# Maximum size of the request body to keep in memory +# +# A higher value requires more server memory while a lower number would slow +# the server due to additional disk access. By default the limit is 128 KB: +SecRequestBodyInMemoryLimit 131072 + + +# Whether to send ModSecurity messages to a separate debug log. +# +# Debug messages are very useful for, well, debugging. The default +# setting here copies (they always appear in the Apache error log) +# only the most important messages (errors and warnings). +# +# NOTE Debug logging is generally very slow. You should never +# use values greater than "3" in production. +# +SecDebugLog logs/modsec_debug.log +SecDebugLogLevel 3 + +# Path where persistent data (e.g. IP address data, session data, etc) is to +# be stored. Must be writable by the web server user. +# +# TODO It is advisable to create a directory structure for ModSecurity such as +# /var/log/msa and create sub directories for SecDataDir, SecTmpDir, +# SecUploadDir, SecAuditLog and SecAuditLogStorageDir +# underneath it and set the permission for read and write only by the +# Apache user. + +SecDataDir /tmp + +# Configures the directory where temporary files will be created. +SecTmpDir /tmp + +# Loades the variable collection relating to the requested resource +# NOTE: We will not initiate a collection if there was an error (To prevent overloading) +SecRule RESPONSE_STATUS "!^(?:30[12]|[45]\d\d)$" "phase:3,pass,nolog,initcol:resource=%{REQUEST_FILENAME}" diff --git a/rules/modsecurity_crs_20_protocol_violations.conf b/rules/modsecurity_crs_20_protocol_violations.conf index 04a955e4..e586c8ac 100644 --- a/rules/modsecurity_crs_20_protocol_violations.conf +++ b/rules/modsecurity_crs_20_protocol_violations.conf 
@@ -1,74 +1,84 @@ -# --------------------------------------------------------------- -# Core ModSecurity Rule Set -# Copyright (C) 2006 Breach Security Inc. All rights reserved. -# -# The ModSecuirty Core Rule Set is distributed under GPL version 2 -# Please see the enclosed LICENCE file for full details. -# --------------------------------------------------------------- - - -# -# TODO in some cases a valid client (usually automated) generates requests that -# violates the HTTP protocol. Create exceptions for those clients, but try -# to limit the exception to a source IP or other additional properties of -# the request such as URL and not allow the violation generally. -# -# - -# Use status code 400 response status code by default as protocol violations -# are in essence bad requests. -SecDefaultAction "log,pass,phase:1,status:400" - -# Accept only digits in content length -# -SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "deny,log,auditlog,status:400,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016'" - -# Do not accept GET or HEAD requests with bodies -# HTTP standard allows GET requests to have a body but this -# feature is not used in real life. Attackers could try to force -# a request body on an unsuspecting web applications. -# -SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011'" -SecRule REQUEST_HEADERS:Content-Length "!^0?$" - -# Require Content-Length to be provided with every POST request. -# -SecRule REQUEST_METHOD "^POST$" "chain,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header',id:'960012',severity:'4'" -SecRule &REQUEST_HEADERS:Content-Length "@eq 0" - -# Don't accept transfer encodings we know we don't know how to handle -# -# NOTE ModSecurity does not support chunked transfer encodings at -# this time. You MUST reject all such requests. 
-# -SecRule HTTP_Transfer-Encoding "!^$" "deny,log,auditlog,status:501,msg:'ModSecurity does not support transfer encodings',id:'960013',severity:'5'" - -# Check decodings -SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \ - "chain, deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'" -SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" - -SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,status:400,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',severity:'4'" - -# Proxy access attempt -# NOTE Apache blocks such access by default if not set as a proxy. The rule is -# included in case Apache proxy is misconfigured. -SecRule REQUEST_URI ^http:/ "deny,log,auditlog,status:400,msg:'Proxy access attempt', severity:'2',id:'960014'" - -# -# Restrict type of characters sent -# -# NOTE In order to be broad and support localized applications this rule -# only validates that NULL Is not used. -# -# The strict policy version also validates that protocol and application -# generated fields are limited to printable ASCII. -# -# TODO If your application use the range 32-126 for parameters. -# -SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \ - "@validateByteRange 1-255" \ - "log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',t:urlDecodeUni,phase:1" - -SecRule ARGS|ARGS_NAMES "@validateByteRange 1-255" \ - "deny,log,auditlog,status:400,msg:'Invalid character in request',id:'960901',severity:'4',t:urlDecodeUni,phase:2" +# --------------------------------------------------------------- +# Core ModSecurity Rule Set +# Copyright (C) 2006 Breach Security Inc. All rights reserved. 
+# +# The ModSecuirty Core Rule Set is distributed under GPL version 2 +# Please see the enclosed LICENCE file for full details. +# --------------------------------------------------------------- + + +# +# TODO in some cases a valid client (usually automated) generates requests that +# violates the HTTP protocol. Create exceptions for those clients, but try +# to limit the exception to a source IP or other additional properties of +# the request such as URL and not allow the violation generally. +# +# + +# Use status code 400 response status code by default as protocol violations +# are in essence bad requests. +SecDefaultAction "log,pass,phase:2,status:400" + + +# Validate request line +SecRule REQUEST_LINE "!^[a-z]{3,10}\s*(?:http\:\/\/[\w\-\.\/]*)??\/[\w\-\.\/]*(?:\?[\S]*)??\s*http\/[01]\.[901]$" \ + "t:none,t:lowercase,deny,log,auditlog,status:400,msg:'Invalid HTTP Request Line',,id:'960911',severity:'2'" + + +# Accept only digits in content length +# +SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "deny,log,auditlog,status:400,msg:'Content-Length HTTP header is not numeric', severity:'2',,id:'960016'," + +# Do not accept GET or HEAD requests with bodies +# HTTP standard allows GET requests to have a body but this +# feature is not used in real life. Attackers could try to force +# a request body on an unsuspecting web applications. +# +SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',,id:'960011'," +SecRule REQUEST_HEADERS:Content-Length "!^0?$" + +# Require Content-Length to be provided with every POST request. +# +SecRule REQUEST_METHOD "^POST$" "chain,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header',,id:'960012',severity:'4'" +SecRule &REQUEST_HEADERS:Content-Length "@eq 0" + +# Don't accept transfer encodings we know we don't know how to handle +# +# NOTE ModSecurity does not support chunked transfer encodings at +# this time. 
You MUST reject all such requests. +# +SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" "deny,log,auditlog,status:501,msg:'ModSecurity does not support transfer encodings',,id:'960013',severity:'3'" + +# Check decodings +SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \ + "chain, deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',,id:'950107',severity:'4'" +SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%(?!$|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" + +SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,status:400,msg:'UTF8 Encoding Abuse Attack Attempt',,id:'950801',severity:'4'" + +# Disallow use of full-width unicode +SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%u[fF]{2}[0-9a-fA-F]{2}" \ + "t:none,deny,log,auditlog,status:400,msg:'Unicode Full/Half Width Abuse Attack Attempt',,id:'950116',severity:'4'" + +# Proxy access attempt +# NOTE Apache blocks such access by default if not set as a proxy. The rule is +# included in case Apache proxy is misconfigured. +SecRule REQUEST_URI_RAW ^http:/ "deny,log,auditlog,status:400,msg:'Proxy access attempt', severity:'2',,id:'960014'," + +# +# Restrict type of characters sent +# +# NOTE In order to be broad and support localized applications this rule +# only validates that NULL Is not used. +# +# The strict policy version also validates that protocol and application +# generated fields are limited to printable ASCII. +# +# TODO If your application use the range 32-126 for parameters. 
+# +SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \ + "@validateByteRange 1-255" \ + "deny,log,auditlog,status:400,msg:'Invalid character in request',,id:'960018',severity:'4',t:urlDecodeUni,phase:1" + +SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Referer "@validateByteRange 1-255" \ + "deny,log,auditlog,status:400,msg:'Invalid character in request',,id:'960901',severity:'4',t:urlDecodeUni,phase:2" diff --git a/rules/modsecurity_crs_21_protocol_anomalies.conf b/rules/modsecurity_crs_21_protocol_anomalies.conf index a7a66ec6..b0c4419b 100644 --- a/rules/modsecurity_crs_21_protocol_anomalies.conf +++ b/rules/modsecurity_crs_21_protocol_anomalies.conf 
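Review bot: The new request-line rule 960911 near the top of the hunk denies with 400 any request whose path contains a character outside `[\w\-\.\/]`, so ordinary URLs with percent-encoding (`/a%20b`), `~user`, `+`, `;jsessionid=`, `:` or `@` in the path are rejected as protocol violations. The path class should at least be widened to everything but whitespace and the query/fragment delimiters, e.g. `\/[^\s?#]*` in place of `\/[\w\-\.\/]*`, and the same for the absolute-URI branch. Separately, `SecDefaultAction` moved from `phase:1` to `phase:2` while the header-only rules (960911, 960016, 960011, 960012, 960013, 960014) carry no explicit phase, so they now run only after the request body has been read and parsed; `phase:1` on those rules (960018 already has it) keeps the engine from processing a body it has just decided to reject, which matters most for the Transfer-Encoding check 960013. The `,,` and trailing commas in the action strings (e.g. `severity:'2',,id:'960016',`) look like editing leftovers; the action parser presumably tolerates empty entries, but they should be removed.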
@@ -1,50 +1,55 @@ -# --------------------------------------------------------------- -# Core ModSecurity Rule Set -# Copyright (C) 2006 Breach Security Inc. All rights reserved. -# -# The ModSecuirty Core Rule Set is distributed under GPL version 2 -# Please see the enclosed LICENCE file for full details. -# --------------------------------------------------------------- - - -# -# TODO in some cases a valid client (usually automated) generates requests that -# violates the HTTP protocol. Create exceptions for those clients, but try -# to limit the exception to a source IP or other additional properties of -# the request such as URL and not allow the violation generally. -# - -# Use status code 400 response status code by default as protocol violations -# are in essence bad requests. -SecDefaultAction "log,pass,phase:1,status:400" - -# Do not accept requests without common headers. -# -# Implies either an attacker or a legitimate automation client. -# -SecRule REQUEST_URI "^/$" "chain,skip:4" -SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain" -SecRule REQUEST_HEADERS:User-Agent "^Apache.*\(internal dummy connection\)$" "t:none" - -SecRule &REQUEST_HEADERS:Host "@eq 0" \ - "skip:1,log,auditlog,msg:'Request Missing a Host Header',id:'960008',severity:'4'" -SecRule REQUEST_HEADERS:Host "^$" \ - "log,auditlog,msg:'Request Missing a Host Header',id:'960008',severity:'4'" - - -SecRule &REQUEST_HEADERS:Accept "@eq 0" \ - "chain,skip:1,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015'" -SecRule REQUEST_METHOD "!OPTIONS" -SecRule REQUEST_HEADERS:Accept "^$" \ - "chain,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015'" -SecRule REQUEST_METHOD "!OPTIONS" - -SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \ - "skip:1,log,auditlog,msg:'Request Missing a User Agent Header',id:'960009',severity:'4'" -SecRule REQUEST_HEADERS:User-Agent "^$" \ - "log,auditlog,msg:'Request Missing a User Agent Header',id:'960009',severity:'4'" - - -# 
Check that the host header is not an IP address -# -SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "deny,log,auditlog,status:400,msg:'Host header is a numeric IP address', severity:'2',id:'960017'" +# --------------------------------------------------------------- +# Core ModSecurity Rule Set +# Copyright (C) 2006 Breach Security Inc. All rights reserved. +# +# The ModSecuirty Core Rule Set is distributed under GPL version 2 +# Please see the enclosed LICENCE file for full details. +# --------------------------------------------------------------- + + +# +# TODO in some cases a valid client (usually automated) generates requests that +# violates the HTTP protocol. Create exceptions for those clients, but try +# to limit the exception to a source IP or other additional properties of +# the request such as URL and not allow the violation generally. +# + +# Use status code 400 response status code by default as protocol violations +# are in essence bad requests. +SecDefaultAction "log,pass,phase:2,status:400" + +# Do not accept requests without common headers. +# +# Implies either an attacker or a legitimate automation client. 
+# +SecRule REQUEST_URI "^/$" "chain,skip:4" +SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain" +SecRule REQUEST_HEADERS:User-Agent "^Apache.*\(internal dummy connection\)$" "t:none" + +SecRule &REQUEST_HEADERS:Host "@eq 0" \ + "skip:1,log,auditlog,msg:'Request Missing a Host Header',,id:'960008',severity:'4'" +SecRule REQUEST_HEADERS:Host "^$" \ + "log,auditlog,msg:'Request Missing a Host Header',,id:'960008',severity:'4'" + + +SecRule &REQUEST_HEADERS:Accept "@eq 0" \ + "chain,skip:1,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',,id:'960015'," +SecRule REQUEST_METHOD "!^OPTIONS$" "t:none" +SecRule REQUEST_HEADERS:Accept "^$" \ + "chain,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',,id:'960015'," +SecRule REQUEST_METHOD "!^OPTIONS$" "t:none" + +SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \ + "skip:1,log,auditlog,msg:'Request Missing a User Agent Header',,id:'960009',severity:'4'" +SecRule REQUEST_HEADERS:User-Agent "^$" \ + "log,auditlog,msg:'Request Missing a User Agent Header',,id:'960009',severity:'4'" + + +SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \ + "chain,log,auditlog,msg:'Request Containing Content, but Missing Content-Type header',,id:'960904',severity:'4'" +SecRule REQUEST_HEADERS:Content-Length "!^0$" + + +# Check that the host header is not an IP address +# +SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "deny,log,auditlog,status:400,msg:'Host header is a numeric IP address', severity:'2',,id:'960017'," diff --git a/rules/modsecurity_crs_30_http_policy.conf b/rules/modsecurity_crs_30_http_policy.conf index 4962638f..1c55cdb1 100644 --- a/rules/modsecurity_crs_30_http_policy.conf +++ b/rules/modsecurity_crs_30_http_policy.conf 
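Review bot: The new 960904 chain at the end of the hunk only logs, yet a request body without a Content-Type is exactly the case the engine has no body processor for, so such a body reaches the application without ever being parsed into ARGS; if the content-type policy in the 30 file is a negated match on `REQUEST_HEADERS:Content-Type`, it presumably cannot fire on an absent header either, leaving this the only rule that sees the case. Consider making it block (`chain,deny,log,auditlog,status:400,...`) or, if that is too aggressive for this release, add a comment above it such as `# NOTE A body sent without Content-Type is not parsed by ModSecurity (no body processor), so ARGS-based rules never inspect it; this is the only check.` Independently, `SecDefaultAction` changed from `phase:1` to `phase:2` and none of the Host/Accept/User-Agent/Content-Type rules carry an explicit phase, so these header-only checks now run after the request body has been read; `phase:1` on them, or keeping the default at phase 1 as the removed version did, avoids that. The `,,` and trailing commas in the action strings (e.g. `severity:'2',,id:'960015',`) look like editing leftovers and should be cleaned up even if the parser tolerates them.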
@@ -1,137 +1,152 @@ -# --------------------------------------------------------------- -# Core ModSecurity Rule Set -# Copyright (C) 2006 Breach Security Inc. All rights reserved. -# -# The ModSecuirty Core Rule Set is distributed under GPL version 2 -# Please see the enclosed LICENCE file for full details. -# --------------------------------------------------------------- - - -#%name 30 - HTTP policy enforcement -#%desc The HTTP policy enforcement rule set sets limitations on the use of HTTP by clients. - -# Few applications require the breadth and depth of the HTTP protocol. On the -# other hand many attacks abuse valid but rare HTTP use patterns. Restricting -# HTTP protocol usage is effective in therefore effective in blocking many -# application layer attacks. -# -# TODO If you are using the ModSecurity Core Ruleset template system you can set -# the policy limitations in the ruleset.config file. Otherwise edit this -# file manually to set you policy limitations. -# -# TODO Many automation programs use non standard HTTP requests. While you may -# want to allow some of those, try not to create exceptions only for the -# automated program based on properties such as their source IP address or -# the URL they access. -# - -SecDefaultAction "pass,log,status:400,phase:1" - -# allow request methods -# -# TODO Most applications only use GET, HEAD, and POST request -# methods, if so uncomment the line below. Otherwise you are advised -# to edit the line before uncommenting it. -# -SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \ - "phase:1,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032'" - - -# Restrict witch content encodings we accept. -# -# TODO Most applications support only two encodings for request bodies -# because that is all browsers know how to produce. 
If you are using -# automated tools to talk to the application you may be using other -# content types and would want to change the list of supported encodings. -# -# Note though that ModSecurity parses only three content encodings: -# application/x-www-form-urlencoded, multipart/form-data request and -# text/xml. The protection provided for any other type of encoding is -# inferior. -# -# TODO There are many applications that are not using multipart/form-data -# encoding (typically only used for file uploads). This content type -# can be disabled if not used. -# -# NOTE We allow any content type to be specified with GET or HEAD -# because some tools incorrectly supply content type information -# even when the body is not present. There is a rule further in -# the file to prevent GET and HEAD requests to have bodies to we're -# safe in that respect. -# -# NOTE Use of WebDAV requires "text/xml" content type. -# -# NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports -# applications running on the PocketPC and AvantGo platforms use -# non-standard content types: -# -# M-Business iAnywhere application/x-mal-client-data -# UltraLite iAnywhere application/octet-stream -# -SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" \ - "chain, t:lowercase, deny,log,auditlog,status:501,msg:'Request content encoding is not allowed by policy',id:'960010',severity:'4'" -SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)" - -# Restrict protocol versions. -# -# TODO All modern browsers use HTTP version 1.1. For tight security, allow only -# this version. -# -# NOTE Automation programs, both malicious and non malicious many times use -# other HTTP versions. 
If you want to allow a specific automated program -# to use your site, try to create a narrower expection and not allow any -# client to send HTTP requests in a version lower than 1.1 -# -SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.[01])$" \ - "t:none, deny,log,auditlog,status:505,msg:'HTTP protocol version is not allowed by policy', severity:'2',id:'960034'" - -# Restrict file extension -# -# TODO the list of file extensions below are virtually always considered unsafe -# and not in use in any valid program. If your application uses one of -# these extensions, please remove it from the list of blocked extensions. -# You may need to use ModSecurity Core Rule Set Templates to do so, otherwise -# comment the whole rule. -# -SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|s(?:html?|ql|tm|ys)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|l(?:icx|nk|og)|\w{,5}~|webinfo|ht[rw]|xs[dx]|exe|key|mdb|old)$" \ - "t:urlDecodeUni, t:lowercase, deny,log,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',id:'960035'" - - - -# Restricted HTTP headers -# -# TODO the list of HTTP headers below are considered unsafe for your environment. -# If your application uses one of these directories, please remove it from -# the list of blocked extensions. You may need to use ModSecurity Core Rule -# Set Templates to do so, otherwise comment the whole rule. -# -SecRule REQUEST_HEADERS_NAMES "\.(?:Lock-Token|Translate|If)$" \ - "deny,log,auditlog,status:500,msg:'HTTP header is restricted by policy',id:'960038',severity:'4'" - - -## -- Apache Limits ---------------------------------------------------------- - -# These are Apache limit directives, but we are including them here because -# they are often forgotten. If you already have these configured leave this -# section entirely commented-out. 
Otherwise review the limits and uncomment -# the directives. - -# Maximum size of the request body. -# -# NOTE If your application allows file uploads the value below will -# most likely be way to low. -# -#LimitRequestBody 64000 - -# Maximum number of request headers in a request. -# -#LimitRequestFields 32 - -# Maximum size of request header lines. -# -#LimitRequestFieldSize 8000 - -# Maximum size of the request line. -# -#LimitRequestLine 4000 - +# --------------------------------------------------------------- +# Core ModSecurity Rule Set +# Copyright (C) 2006 Breach Security Inc. All rights reserved. +# +# The ModSecuirty Core Rule Set is distributed under GPL version 2 +# Please see the enclosed LICENCE file for full details. +# --------------------------------------------------------------- + + +#%name 30 - HTTP policy enforcement +#%desc The HTTP policy enforcement rule set sets limitations on the use of HTTP by clients. + +# Few applications require the breadth and depth of the HTTP protocol. On the +# other hand many attacks abuse valid but rare HTTP use patterns. Restricting +# HTTP protocol usage is effective in therefore effective in blocking many +# application layer attacks. +# +# TODO If you are using the ModSecurity Core Ruleset template system you can set +# the policy limitations in the ruleset.config file. Otherwise edit this +# file manually to set you policy limitations. +# +# TODO Many automation programs use non standard HTTP requests. While you may +# want to allow some of those, try not to create exceptions only for the +# automated program based on properties such as their source IP address or +# the URL they access. +# + +SecDefaultAction "pass,log,status:400,phase:2" + +# allow request methods +# +# TODO Most applications only use GET, HEAD, and POST request +# methods, if so uncomment the line below. Otherwise you are advised +# to edit the line before uncommenting it. 
+# +SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \ + "phase:1,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',,id:'960032'," + + +# Restrict which content-types we accept. +# +# TODO Most applications support only two types for request bodies +# because that is all browsers know how to produce. If you are using +# automated tools to talk to the application you may be using other +# content types and would want to change the list of supported types. +# +# Note though that ModSecurity parses only three content types: +# application/x-www-form-urlencoded, multipart/form-data request and +# text/xml. The protection provided for any other type is inferior. +# +# TODO There are many applications that are not using multipart/form-data +# types (typically only used for file uploads). This content type +# can be disabled if not used. +# +# NOTE We allow any content type to be specified with GET or HEAD +# because some tools incorrectly supply content type information +# even when the body is not present. There is a rule further in +# the file to prevent GET and HEAD requests to have bodies to we're +# safe in that respect. +# +# NOTE Use of WebDAV requires "text/xml" content type. +# +# NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports +# applications running on the PocketPC and AvantGo platforms use +# non-standard content types: +# +# M-Business iAnywhere application/x-mal-client-data +# UltraLite iAnywhere application/octet-stream +# +SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" \ + "chain, t:lowercase, deny,log,auditlog,status:501,msg:'Request content type is not allowed by policy',,id:'960010',severity:'4'" +SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)" + +# Restrict protocol versions. +# +# TODO All modern browsers use HTTP version 1.1. For tight security, allow only +# this version. 
+# +# NOTE Automation programs, both malicious and non malicious many times use +# other HTTP versions. If you want to allow a specific automated program +# to use your site, try to create a narrower expection and not allow any +# client to send HTTP requests in a version lower than 1.1 +# +SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.[01])$" \ + "t:none, deny,log,auditlog,status:505,msg:'HTTP protocol version is not allowed by policy', severity:'2',,id:'960034'," + +# Restrict file extension +# +# TODO the list of file extensions below are virtually always considered unsafe +# and not in use in any valid program. If your application uses one of +# these extensions, please remove it from the list of blocked extensions. +# You may need to use ModSecurity Core Rule Set Templates to do so, otherwise +# comment the whole rule. +# +SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$" \ + "t:urlDecodeUni, t:lowercase, deny,log,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',,id:'960035'," + + + +# Restricted HTTP headers +# +# TODO the list of HTTP headers below are considered unsafe for your environment. +# If your application uses one of these directories, please remove it from +# the list of blocked extensions. You may need to use ModSecurity Core Rule +# Set Templates to do so, otherwise comment the whole rule. +# +SecRule REQUEST_HEADERS_NAMES "\.(?:Lock-Token|Translate|If)$" \ + "deny,log,auditlog,status:500,msg:'HTTP header is restricted by policy',,id:'960038',severity:'4'" + + +# Restricted Content Encodings +# +# ModSecurity does not support compressed content. 
Therefore, the following
+# action will be taken:
+# - Inbound compressed content will be denied
+# - Outbound compressed content will be logged once, to alert the user
+# Deny inbound compressed content
+SecRule REQUEST_HEADERS:Content-Encoding "!^Identity$" \
+ "phase:2,t:none,deny,log,auditlog,status:501,msg:'ModSecurity does not support content encodings',,id:'960902',severity:'3'"
+# Log outbound compressed content (once per location)
+SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" \
+ "phase:5,t:none,pass,log,auditlog,msg:'ModSecurity does not support content encodings',,id:'960903',severity:'4',chain"
+SecRule &RESOURCE:alerted_960903_compression "@eq 0" "setvar:resource.alerted_960903_compression"
+
+
+
+## -- Apache Limits ----------------------------------------------------------
+
+# These are Apache limit directives, but we are including them here because
+# they are often forgotten. If you already have these configured leave this
+# section entirely commented-out. Otherwise review the limits and uncomment
+# the directives.
+
+# Maximum size of the request body.
+#
+# NOTE If your application allows file uploads the value below will
+# most likely be way to low.
+#
+#LimitRequestBody 64000
+
+# Maximum number of request headers in a request.
+#
+#LimitRequestFields 32
+
+# Maximum size of request header lines.
+#
+#LimitRequestFieldSize 8000
+
+# Maximum size of the request line.
+#
+#LimitRequestLine 4000
+
diff --git a/rules/modsecurity_crs_35_bad_robots.conf b/rules/modsecurity_crs_35_bad_robots.conf
index e034e00f..4048d982 100644
--- a/rules/modsecurity_crs_35_bad_robots.conf
+++ b/rules/modsecurity_crs_35_bad_robots.conf
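Review bot: Rule 960038 (`SecRule REQUEST_HEADERS_NAMES "\.(?:Lock-Token|Translate|If)$"`) can never match: header names contain no `.`, so the leading `\.` makes the restriction a no-op, and it should be anchored as `"^(?:Lock-Token|Translate|If)$"` (with `t:lowercase` or a case-insensitive pattern, since header names are case-insensitive). The new 960902/960903 checks `"!^Identity$"` run with `t:none` and are case-sensitive, so a client sending the RFC-spelled `Content-Encoding: identity` is denied with 501; `"!^identity$"` together with `t:lowercase` would avoid that. The "log once" logic of 960903 depends on the RESOURCE collection having been initialised with `initcol:resource=...` elsewhere in the rule set; if it has not, the `setvar` has no persistent effect and the alert fires on every compressed response. Nearly every action list now carries `,,id:` and a trailing comma; assuming the action parser tolerates empty actions these are harmless, but they should be collapsed to single commas.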
@@ -1,33 +1,33 @@
-# ---------------------------------------------------------------
-# Core ModSecurity Rule Set
-# Copyright (C) 2006 Breach Security Inc. All rights reserved.
-#
-# The ModSecuirty Core Rule Set is distributed under GPL version 2
-# Please see the enclosed LICENCE file for full details.
-# ---------------------------------------------------------------
-
-
-#
-# NOTE Bad robots detection is based on checking elements easily
-# controlled by the client. As such a determined attacked can bypass
-# those checks. Therefore bad robots detection should not be viewed as
-# a security mechanism against targeted attacks but rather as a nuisance
-# reduction, eliminating most of the random attacks against your web
-# site.
-
-SecDefaultAction "log,pass,phase:2,t:lowercase"
-
-SecRule HTTP_User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|internet explorer|webinspect|\.nasl)" \
- "deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',severity:'2'"
-SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
- "deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990901',severity:'2'"
-SecRule REQUEST_FILENAME "^/nessustest" \
- "deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990902',severity:'2'"
-
-SecRule REQUEST_HEADERS:User-Agent "(?:m(?:ozilla\/(?:4\.0 \(compatible; advanced email extractor|2\.0 \(compatible; newt activex; win32\))|ailto:craftbot\@yahoo\.com)|e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro|o browse)|a(?:t(?:tache|hens)|utoemailspider|dsarobot)|w(?:eb(?:emailextrac| by mail)|3mir)|f(?:astlwspider|loodgate)|p(?:cbrowser|ackrat|surf)|(?:digout4uagen|takeou)t|(?:chinacla|be)w|hhjhj@yahoo|rsync|shai|zeus)" \
-
"deny,log,auditlog,status:404,msg:'Rogue web site crawler',id:'990012',severity:'2'"
-
-SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|d(?:ownload demon|isco)|w(?:3mirror|get)|l(?:ibwww|wp)|p(?:avuk|erl)|cu(?:sto|rl)|big brother|autohttp|netants|eCatch)" \
- "chain,log,auditlog,msg:'Request Indicates an automated program explored the site',id:'990011',severity:'5'"
-SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl"
-
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set
+# Copyright (C) 2006 Breach Security Inc. All rights reserved.
+#
+# The ModSecuirty Core Rule Set is distributed under GPL version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# NOTE Bad robots detection is based on checking elements easily
+# controlled by the client. As such a determined attacked can bypass
+# those checks. Therefore bad robots detection should not be viewed as
+# a security mechanism against targeted attacks but rather as a nuisance
+# reduction, eliminating most of the random attacks against your web
+# site.
+
+SecDefaultAction "log,pass,phase:2,t:lowercase"
+
+SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|internet explorer|webinspect|\.nasl)" \
+ "deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',,id:'990002',severity:'2'"
+SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
+ "deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',,id:'990901',severity:'2'"
+SecRule REQUEST_FILENAME "^/nessustest" \
+ "deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',,id:'990902',severity:'2'"
+
+SecRule REQUEST_HEADERS:User-Agent "(?:m(?:ozilla\/(?:4\.0 \(compatible; advanced email extractor|2\.0 \(compatible; newt activex; win32\))|ailto:craftbot\@yahoo\.com)|e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro|o browse)|a(?:t(?:tache|hens)|utoemailspider|dsarobot)|w(?:eb(?:emailextrac| by mail)|3mir)|f(?:astlwspider|loodgate)|p(?:cbrowser|ackrat|surf)|(?:digout4uagen|takeou)t|(?:chinacla|be)w|hhjhj@yahoo|rsync|shai|zeus)" \
+ "deny,log,auditlog,status:404,msg:'Rogue web site crawler',,id:'990012',severity:'2'"
+
+SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|d(?:ownload demon|isco)|w(?:3mirror|get)|l(?:ibwww|wp)|p(?:avuk|erl)|cu(?:sto|rl)|big brother|autohttp|netants|eCatch)" \
+ "chain,log,auditlog,msg:'Request Indicates an automated program explored the site',,id:'990011',severity:'5'"
+SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl"
+
diff --git a/rules/modsecurity_crs_40_generic_attacks.conf b/rules/modsecurity_crs_40_generic_attacks.conf
index 4eaf389d..b6cab755 100644
--- a/rules/modsecurity_crs_40_generic_attacks.conf
+++ b/rules/modsecurity_crs_40_generic_attacks.conf
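Review bot: The `eCatch` alternative at the end of rule 990011's pattern is dead: this file's `SecDefaultAction "log,pass,phase:2,t:lowercase"` lowercases the User-Agent before the regex is applied, so an uppercase `C` can never match and the literal should be `ecatch` like every other alternative. For the same reason the negated chained check `"!^apache.*perl"` only works while `t:lowercase` is inherited, which deserves a one-line comment (`# patterns below assume t:lowercase from SecDefaultAction`) so a later `t:none` does not silently break them. The `,,id:` double commas and trailing commas added to every action list are presumably tolerated by the action parser but should be collapsed to single commas.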
@@ -1,83 +1,94 @@ -# --------------------------------------------------------------- -# Core ModSecurity Rule Set -# Copyright (C) 2006 Breach Security Inc. All rights reserved. -# -# The ModSecuirty Core Rule Set is distributed under GPL version 2 -# Please see the enclosed LICENCE file for full details. -# --------------------------------------------------------------- - - -# -# TODO While some of the pattern groups such as command injection are usually -# safe of false positives, other pattern groups such as SQL injection and -# XSS may require setting exceptions and therefore are set to log only by -# default. -# -# Start ModSecurity in monitoring only mode and check whether your -# application requires exceptions for a specific URL, Pattern or source IP -# before moving to blocking mode. - -SecDefaultAction "log,pass,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase" - -# Session fixation -SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \ - "capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation. Matched signature <%{TX.0}>',id:'950009',severity:'2'" - -# Blind SQL injection -SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql.user)|c(?:onstraint_type|harindex)|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)" \ - "capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',id:'950007',severity:'2'" -#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\b(?:benchmark|encode)\b" \ -# "chain,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack. 
Matched signature <%{TX.0}>',id:'950903',severity:'2'" -#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "[\\(\)\%#]\|--" -SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())" \ - "capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',id:'950904',severity:'2'" - -# SQL injection -SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction|open(?:rowset|query)|dbms_java)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|(?:having|or|and)\b\s+?(?:\d{1,10}|'[^=]{1,10}')\s*?[=<>]+|(?:print\]\b\W*?\@|root)\@|c(?:ast\b\W*?\(|oalesce\b))|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)')" \ - "capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack. 
Matched signature <%{TX.0}>',id:'950001',severity:'2'" -#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\b(?:rel(?:(?:nam|typ)e|kind)|a(?:ttn(?:ame|um)|scii)|c(?:o(?:nver|un)t|ha?r)|s(?:hutdown|elect)|to_(?:numbe|cha)r|u(?:pdate|nion)|d(?:elete|rop)|group\b\W*\bby|having|insert|length|where)\b" \ -# "chain,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',id:'950905',severity:'2'" -#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "[\\(\)\%#]\|--" -SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\b(?:user_(?:(?:object|table|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|substr(?:ing)?|table_name|mb_users|rownum)\b" \ - "capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',id:'950906',severity:'2'" - -# XSS -SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|type\b\W*?\b(?:text\b(?:\W*?\b(?:j(?:ava)?|ecma)script\b| [vbscript])|application\b\W*?\bx-(?:java|vb)script\b)|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder)\b|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\\btype\b\W*?\bimage)\b|!\[CDATA\[|script|meta)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \ - "capture,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack. 
Matched signature <%{TX.0}>',id:'950004',severity:'2'" - -# file injection -SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \ - "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt. Matched signature <%{TX.0}>',id:'950005',severity:'2'" - -# Command access -SecRule REQUEST_FILENAME "\b(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe\b" \ - "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Access. Matched signature <%{TX.0}>',id:'950002',severity:'2'" - -# Command injection -SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \ - "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950006',severity:'2'" -SecRule "ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent" \ - "\bwget\b" \ - "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection. 
Matched signature <%{TX.0}>',id:'950907',severity:'2'" - -# Coldfusion injection -SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug)\b" \ - "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Injection of Undocumented ColdFusion Tags. Matched signature <%{TX.0}>',id:'950008',severity:'2'" - -# LDAP injection -SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \ - "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'LDAP Injection Attack. Matched signature <%{TX.0}>',id:'950010',severity:'2'" - -# SSI injection -SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "