github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-13 21:36:00 +03:00
Code Issues Packages Projects Releases Wiki Activity

Initialize rules tmp pool properly.

Browse Source 
Update to latest core rules.
This commit is contained in:
brectanus 2007-06-14 18:48:35 +00:00
parent a4835b73ff
commit efe52d4e77
14 changed files with 1314 additions and 1194 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGES
View File

@ -2,6 +2,8 @@
?? ??? 2007 - 2.2.0-trunk ?? ??? 2007 - 2.2.0-trunk
------------------------- -------------------------
* Update included core rules to latest version.
* Do not trigger "pause" action for internal requests. * Do not trigger "pause" action for internal requests.
* Added matching rule filename and line number to audit log. * Added matching rule filename and line number to audit log.

2
apache2/mod_security2.c
View File

@ -353,6 +353,8 @@ static modsec_rec *create_tx_context(request_rec *r) {
msr_log(msr, 4, "Transaction context created (dcfg %x).", msr->dcfg1); msr_log(msr, 4, "Transaction context created (dcfg %x).", msr->dcfg1);
} }
msr->msc_rule_mptmp = NULL;
return msr; return msr;
} }

188
rules/CHANGELOG
View File

@ -1,66 +1,122 @@
--------------------------------
version 1.3.2 build 4 2007/01/17 version 1.4 build 2 - 2007/05/17
--------------------------------
Fixed apache 2.4 dummy requests exclusion New Feature:
Added persistent PDF UXSS detection rule - Search for signatures in XML content
New Events:
Vervion 1.3.2 build 3 2007/01/10 - 950107 - Unicode Full/Half Width Abuse Attack Attempt
- 960911 - Invalid HTTP request line
Fixed regular expresion in rule 960010 (file #30) to allow mulipart-data content - 960904 - Request Missing Content-Type (when there is content)
- 970018 - IIS installed in default location (any drive)
- 950019 - Email Injection
Version 1.3.2 - 2006/12/27
Regular expressions fixes:
New events: - Further optimization of some regular expressions (using the non-greediness operator)
- 960037 Directory is restricted by policy
- 960038 HTTP header is restricted by policy ------------------------
version 1.4 - 2007/05/02
Regular expressions fixes: ------------------------
- Regular expressions with @ at end of beginning (for example "@import)
- Regular expressions with un-escaped "." New Events:
- Command Injections now always require certain characters both before and after the command. Important since many are common English words (finger, mail) - 970021 - WebLogic information disclosure
- The command injection wget is not searched in the UA header as it has different meaning there. Matching of "<title>JSP compile error</title>" in the response body, will trigger this rule, with severity 4 (Warning)
- LDAP Fixed to reduce FPs: - 950015,950910,950911 - HTTP Response Splitting
+ More accurate regular expressions Looking for HTTP Response Splitting patterns as described in Amit Klein's excellent article:
+ high bit characters not accpeted between signature tokens. http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
- Do not detect <?xml as a PHP tag in both PHP injection and PHP source leakage ModSecurity does not support compressed content at the moment. Thus, the following rules have been added:
- Removed Java from automation UA - 960902 - Content-Encoding in request not supported
- When validating encoding, added regexp based chained rule that accepts both %xx and %uxxxxx encoding bypassing a limitation of "@validateUrlEncoding" Any incoming compressed request will be denied
- 960903 - Content-Encoding in response not suppoted
Additional rules logic: An outgoing compressed response will be logged to alert, but ONLY ONCE.
- Checks for empty headers in addition to missing ones (Host, Accept and User-Agent)
- OPTIONS method does not require an accept header. False Positives Fixes:
- Apache keep alive request exception. - Removed <.exe>,<.shtml> from restricted extensions
- PROPFIND and OPTIONS can be used without content-encoding (like HEAD and GET) - Will not be looking for SQL Injection signatures <root@>,<coalesce> in the Via request header
- Validate byte range checks by default only that no NULL char exists. - Excluded Referer header from SQL injection, XSS and command injection rules
- Added CSS to allowed extensions in strict rule sets. - Excluded X-OS-Prefs header from command injection rule
- Changed default action in file #50 to pass instead of deny. - Will be looking for command injection signatures in
- Moved IP host header from protocol violations to protocol anomalies. REQUEST_COOKIES|REQUEST_COOKIES_NAMES instead of REQUEST_HEADERS:Cookie.
- Allowing charset specification in the <application/x-www-form-urlencoded> Content-Type
Modified descriptions:
- 950107: URL Encoding Abuse Attack Attempt Additional rules logic:
- 950801: UTF8 Encoding Abuse Attack Attempt - Corrected match of OPTIONS method in event 960015
- Added matched pattern in many events using capture and %{TX.0} - Changed location for event 960014 (proxy access) to REQUEST_URI_RAW
- Added ctl:auditLogParts=+E for outbound events and attacks to collect response. - Moved all rules apart from method inspection from phase 1 to phase 2 -
This will enable viewing content if such a rule triggers as well as setting
-- exceptions using Apache scope tags.
Version 1.2 - 2006/11/19 - Added match for double quote in addition to single quote for <or x=x> signature (SQL Injection)
- Added 1=1 signature (SQL Injection)
Changes:
+ Move all events to the range of events allocated to Thinking Stone, now Breach --------------------------------
by prefixing all event IDs with "9". version 1.3.2 build 4 2007/01/17
+ Reverse severities to follow the Syslog format used by ModSecurity, now 1 is --------------------------------
the highest and 5 the lowest.
Fixed apache 2.4 dummy requests exclusion
Bug fixes: Added persistent PDF UXSS detection rule
+ Removed quotes from list of mime types inspected on exit (directive
SecResponseBodyMimeType) --------------------------------
+ Corrected "cd .." signature. Now the periods are escaped. Version 1.3.2 build 3 2007/01/10
+ Too many FPs with events 950903 & 950905. Commented them out until fixed. --------------------------------
-- Fixed regular expression in rule 960010 (file #30) to allow multipart form data
Version 1.1 - 2006/10/18 content
Initial version --------------------------
Version 1.3.2 - 2006/12/27
--------------------------
New events:
- 960037 Directory is restricted by policy
- 960038 HTTP header is restricted by policy
Regular expressions fixes:
- Regular expressions with @ at end of beginning (for example "@import)
- Regular expressions with un-escaped "."
- Command Injections now always require certain characters both before and after the command. Important since many are common English words (finger, mail)
- The command injection wget is not searched in the UA header as it has different meaning there.
- LDAP Fixed to reduce FPs:
+ More accurate regular expressions
+ high bit characters not accpeted between signature tokens.
- Do not detect <?xml as a PHP tag in both PHP injection and PHP source leakage
- Removed Java from automation UA
- When validating encoding, added regexp based chained rule that accepts both %xx and %uxxxxx encoding bypassing a limitation of "@validateUrlEncoding"
Additional rules logic:
- Checks for empty headers in addition to missing ones (Host, Accept and User-Agent)
- OPTIONS method does not require an accept header.
- Apache keep alive request exception.
- PROPFIND and OPTIONS can be used without content-encoding (like HEAD and GET)
- Validate byte range checks by default only that no NULL char exists.
- Added CSS to allowed extensions in strict rule sets.
- Changed default action in file #50 to pass instead of deny.
- Moved IP host header from protocol violations to protocol anomalies.
Modified descriptions:
- 950107: URL Encoding Abuse Attack Attempt
- 950801: UTF8 Encoding Abuse Attack Attempt
- Added matched pattern in many events using capture and %{TX.0}
- Added ctl:auditLogParts=+E for outbound events and attacks to collect response.
------------------------
Version 1.2 - 2006/11/19
------------------------
Changes:
+ Move all events to the range of events allocated to Thinking Stone, now Breach
by prefixing all event IDs with "9".
+ Reverse severities to follow the Syslog format used by ModSecurity, now 1 is
the highest and 5 the lowest.
Bug fixes:
+ Removed quotes from list of mime types inspected on exit (directive
SecResponseBodyMimeType)
+ Corrected "cd .." signature. Now the periods are escaped.
+ Too many FPs with events 950903 & 950905. Commented them out until fixed.
------------------------
Version 1.1 - 2006/10/18
------------------------
Initial version

678
rules/LICENSE
View File

@ -1,339 +1,339 @@
GNU GENERAL PUBLIC LICENSE GNU GENERAL PUBLIC LICENSE
Version 2, June 1991 Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc., Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed. of this license document, but changing it is not allowed.
Preamble Preamble
The licenses for most software are designed to take away your The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by using it. (Some other Free Software Foundation software is covered by
the GNU Lesser General Public License instead.) You can apply it to the GNU Lesser General Public License instead.) You can apply it to
your programs, too. your programs, too.
When we speak of free software, we are referring to freedom, not When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things. in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights. anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it. distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their source code. And you must show them these terms so they know their
rights. rights.
We protect your rights with two steps: (1) copyright the software, and We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy, (2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software. distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original that any problems introduced by others will not reflect on the original
authors' reputations. authors' reputations.
Finally, any free program is threatened constantly by software Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all. patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and The precise terms and conditions for copying, distribution and
modification follow. modification follow.
GNU GENERAL PUBLIC LICENSE GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains 0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below, under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program" refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law: means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it, that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you". the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program). Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does. Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's 1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty; notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License and give any other recipients of the Program a copy of this License
along with the Program. along with the Program.
You may charge a fee for the physical act of transferring a copy, and You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee. you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion 2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1 distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions: above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change. stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License. parties under the terms of this License.
c) If the modified program normally reads commands interactively c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on does not normally print such an announcement, your work based on
the Program is not required to print an announcement.) the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program, identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it. entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or exercise the right to control the distribution of derivative or
collective works based on the Program. collective works based on the Program.
In addition, mere aggregation of another work not based on the Program In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under a storage or distribution medium does not bring the other work under
the scope of this License. the scope of this License.
3. You may copy and distribute the Program (or a work based on it, 3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following: Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or, 1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or, customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such received the program in object code or executable form with such
an offer, in accord with Subsection b above.) an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component operating system on which the executable runs, unless that component
itself accompanies the executable. itself accompanies the executable.
If distribution of executable or object code is made by offering If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not distribution of the source code, even though third parties are not
compelled to copy the source along with the object code. compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program 4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License. void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such this License will not have their licenses terminated so long as such
parties remain in full compliance. parties remain in full compliance.
5. You are not required to accept this License, since you have not 5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying all its terms and conditions for copying, distributing or modifying
the Program or works based on it. the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the 6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein. restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to You are not responsible for enforcing compliance by third parties to
this License. this License.
7. If, as a consequence of a court judgment or allegation of patent 7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues), infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program. refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other apply and the section as a whole is intended to apply in other
circumstances. circumstances.
It is not the purpose of this section to induce you to infringe any It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is integrity of the free software distribution system, which is
implemented by public license practices. Many people have made implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot to distribute software through any other system and a licensee cannot
impose that choice. impose that choice.
This section is intended to make thoroughly clear what is believed to This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License. be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in 8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License. the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions 9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to be similar in spirit to the present version, but may differ in detail to
address new problems or concerns. address new problems or concerns.
Each version is given a distinguishing version number. If the Program Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software this License, you may choose any version ever published by the Free Software
Foundation. Foundation.
10. If you wish to incorporate parts of the Program into other free 10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally. of promoting the sharing and reuse of software generally.
NO WARRANTY NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION. REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms. free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found. the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.> <one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author> Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or the Free Software Foundation; either version 2 of the License, or
(at your option) any later version. (at your option) any later version.
This program is distributed in the hope that it will be useful, This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details. GNU General Public License for more details.
You should have received a copy of the GNU General Public License along You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc., with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Also add information on how to contact you by electronic and paper mail. Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this If the program is interactive, make it output a short notice like this
when it starts in an interactive mode: when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details. under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program. mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names: necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker. `Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989 <signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice Ty Coon, President of Vice
This General Public License does not permit incorporating your program into This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Lesser General library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License. Public License instead of this License.

2
rules/README
View File

@ -1,3 +1,5 @@
ModSecurity Core Rule Set ModSecurity Core Rule Set
============================== ==============================

582
rules/modsecurity_crs_10_config.conf
View File

@ -1,285 +1,297 @@
# --------------------------------------------------------------- # ---------------------------------------------------------------
# Core ModSecurity Rule Set # Core ModSecurity Rule Set
# Copyright (C) 2006 Breach Security Inc. All rights reserved. # Copyright (C) 2006 Breach Security Inc. All rights reserved.
# #
# The ModSecuirty Core Rule Set is distributed under GPL version 2 # The ModSecuirty Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details. # Please see the enclosed LICENCE file for full details.
# --------------------------------------------------------------- # ---------------------------------------------------------------
# Configuration contained in this file should be customized # Configuration contained in this file should be customized
# for your specific requirements before deployment. # for your specific requirements before deployment.
# #
# Next to each rule there is a description of what it does. Each # Next to each rule there is a description of what it does. Each
# location where customization is needed is marked with "TODO". It # location where customization is needed is marked with "TODO". It
# is recommended that you: # is recommended that you:
# #
# 1) Keep a copy of the original file. This will allow you to use # 1) Keep a copy of the original file. This will allow you to use
# the "diff" command to quickly see the changes. It will also # the "diff" command to quickly see the changes. It will also
# make upgrades to future rule sets easier. # make upgrades to future rule sets easier.
# #
# 2) Document your changes thoroughly. # 2) Document your changes thoroughly.
# #
# You are advised to start with ModSecurity in detection mode only. # You are advised to start with ModSecurity in detection mode only.
# Switch to protection when you are comfortable with your rule set. # Switch to protection when you are comfortable with your rule set.
# For maximum protection monitor your logs on daily basis (or # For maximum protection monitor your logs on daily basis (or
# better). # better).
# #
# TODO You may want to provide an error friendly message to your # TODO You may want to provide an error friendly message to your
# users when you start rejecting requests. You can do this using # users when you start rejecting requests. You can do this using
# the Apache ErrorDocument directive. You should also add # the Apache ErrorDocument directive. You should also add
# mod_unique_id to your configuration and display the unique # mod_unique_id to your configuration and display the unique
# request ID on the error page. This would allow your users to # request ID on the error page. This would allow your users to
# report the request ID back to you so that you can investigate # report the request ID back to you so that you can investigate
# the false positive (if that's what it is). A nice error page # the false positive (if that's what it is). A nice error page
# usually reduces the impact of false positives on the users. # usually reduces the impact of false positives on the users.
# #
# The drawback of this user friendly approach is that it is # The drawback of this user friendly approach is that it is
# easier for the attackers to figure out there is an web # easier for the attackers to figure out there is an web
# application firewall protecting the application. # application firewall protecting the application.
# #
# ErrorDocument 403 /path/to/error_document.php # ErrorDocument 403 /path/to/error_document.php
# #
# For more information see # For more information see
# http://httpd.apache.org/docs-2.0/custom-error.html # http://httpd.apache.org/docs-2.0/custom-error.html
## -- Configuration ---------------------------------------------------------- ## -- Configuration ----------------------------------------------------------
# Turn ModSecurity on ("On"), set to monitoring only # Turn ModSecurity on ("On"), set to monitoring only
# ("DetectionOnly") or turn off ("Off"). # ("DetectionOnly") or turn off ("Off").
# #
SecRuleEngine On SecRuleEngine On
# Define which part of the HTTP transaction to inspect. # Define which part of the HTTP transaction to inspect.
# #
# Inspecting request body (SecRequestBodyAccess) should probably be always set # Inspecting request body (SecRequestBodyAccess) should probably be always set
# to "on". Only very high volume sites that never use POST requests might want # to "on". Only very high volume sites that never use POST requests might want
# to set it to "off" to optimize performance. # to set it to "off" to optimize performance.
# #
# Inspecting response body is useful for monitoring for information leaks, # Inspecting response body is useful for monitoring for information leaks,
# or for signs of intrusion. However, it does require all responses to be # or for signs of intrusion. However, it does require all responses to be
# buffered in memory. For most sites this should not be a problem, but special # buffered in memory. For most sites this should not be a problem, but special
# care must be taken to avoid buffering file downloads (through # care must be taken to avoid buffering file downloads (through
# MIME type selection, as shown below). # MIME type selection, as shown below).
# #
# TODO If you decide to enable output filtering make sure to # TODO If you decide to enable output filtering make sure to
# review the list of scanned MIME types. If pages of the types specified # review the list of scanned MIME types. If pages of the types specified
# for outbound inspection are smaller than 512K in you application # for outbound inspection are smaller than 512K in you application
# (which is usually the case) you may reduce the SecResponseBodyLimit # (which is usually the case) you may reduce the SecResponseBodyLimit
# to protect from potential denial of service attacks. # to protect from potential denial of service attacks.
# #
SecRequestBodyAccess On SecRequestBodyAccess On
SecResponseBodyAccess On SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 524288 SecResponseBodyLimit 524288
# What to do when an error is encountered. # Initiate XML Processor in case of xml content-type
# #
# The default is to log the error and let the request go through. # TODO Remove this rule if you don't wish to parse XML request
# This is a reasonable setting to start with because you do not # Note that this will disable XML protection
# want to reject legitimate requests with an untuned rule set. SecRule REQUEST_HEADERS:Content-Type "text/xml" \
# "phase:1,pass,nolog,ctl:requestBodyProcessor=XML"
# If, after monitoring the performance of the rule set after a
# sufficient period, you determine the rules never (or rarely
# trigger on legitimate requests) you can change to something # What to do when an error is encountered.
# else, such as "log,deny,status:500". You can also leave the #
# default setting here as is, but use per rule action configuration # The default is to log the error and let the request go through.
# to only configure some rules to reject requests, leaving most # This is a reasonable setting to start with because you do not
# of them to work in detection mode. # want to reject legitimate requests with an untuned rule set.
# #
#SecDefaultAction "phase:2,log,pass,status:500" # If, after monitoring the performance of the rule set after a
# sufficient period, you determine the rules never (or rarely
# Set web server identification string # trigger on legitimate requests) you can change to something
# # else, such as "log,deny,status:500". You can also leave the
# TODO In case you use Apache, you may want specify a simple server signature # default setting here as is, but use per rule action configuration
# instead of the detailed Apache default signature that list most modules # to only configure some rules to reject requests, leaving most
# used on the specific Apache deployment: # of them to work in detection mode.
# "Apache/2.2.0 (Fedora)" #
# #SecDefaultAction "phase:2,log,pass,status:500"
SecServerSignature "Apache/2.2.0 (Fedora)"
# Set web server identification string
## -- File uploads configuration ----------------------------------------------- #
# Temporary file storage path. # TODO In case you use Apache, you may want specify a simple server signature
# # instead of the detailed Apache default signature that list most modules
# TODO Change the temporary folder setting to a path where only # used on the specific Apache deployment:
# the web server has access. # "Apache/2.2.0 (Fedora)"
# #
SecUploadDir /tmp SecServerSignature "Apache/2.2.0 (Fedora)"
# Whether or not to keep the stored files. ## -- File uploads configuration -----------------------------------------------
# # Temporary file storage path.
# In most cases you don't want to keep the uploaded files (especially #
# when there is a lot of them). It may be useful to change the setting # TODO Change the temporary folder setting to a path where only
# to "RelevantOnly", in which case the files uploaded in suspicious # the web server has access.
# requests will be stored. #
# SecUploadDir /tmp
SecUploadKeepFiles Off
# Whether or not to keep the stored files.
# Inspect uploaded files. #
# # In most cases you don't want to keep the uploaded files (especially
# TODO If there is a danger of attack through uploaded files then it # when there is a lot of them). It may be useful to change the setting
# is possible to configure an external script to inspect each file # to "RelevantOnly", in which case the files uploaded in suspicious
# before it is seen by the application. An example script is # requests will be stored.
# included with ModSecurity (/util/modsec-clamscan.pl). #
# SecUploadKeepFiles Off
# Inspecting uploaded files is especially important in a hosting,
# community or blogging environments where uploading files is permitted. # Inspect uploaded files.
# #
# NOTE the t:none action is required in order not to process the files names # TODO If there is a danger of attack through uploaded files then it
# passed to the script based on previously defined actions in a # is possible to configure an external script to inspect each file
# SecDefaultAction directive. # before it is seen by the application. An example script is
# # included with ModSecurity (/util/modsec-clamscan.pl).
# SecRule FILES_TMPNAMES "@inspectFile /opt/apache/bin/inspect_script.pl" \ #
# "t:none" # Inspecting uploaded files is especially important in a hosting,
# community or blogging environments where uploading files is permitted.
## -- Logging ---------------------------------------------------------------- #
# NOTE the t:none action is required in order not to process the files names
# Whether to log requests to the forensic log. # passed to the script based on previously defined actions in a
# # SecDefaultAction directive.
# By default, only requests that trigger a ModSecurity events (as detected #
# by) or a serer error are logged ("RelevantOnly"). This is a reasonable # SecRule FILES_TMPNAMES "@inspectFile /opt/apache/bin/inspect_script.pl" \
# setting. Full logging can be set by using # "on". If the system is used # "t:none"
# for protection only and no logging is desired (not reccomended) logging can
# be turned of using "off" ## -- Logging ----------------------------------------------------------------
#
# NOTE It is also possible to configure forensic logging on the # Whether to log requests to the forensic log.
# per request basis using the "auditlog" and "noauditlog" rule #
# actions. # By default, only requests that trigger a ModSecurity events (as detected
# # by) or a serer error are logged ("RelevantOnly"). This is a reasonable
# TODO The default rule set logs requests that generate a 404 "file not found" # setting. Full logging can be set by using # "on". If the system is used
# response. These events are interesting, but may log a lot of information. # for protection only and no logging is desired (not reccomended) logging can
# you may consider removing it by setting SecAuditLogRelevantStatus # be turned of using "off"
# to "^(?:5|4\d[^4])". #
# # NOTE It is also possible to configure forensic logging on the
SecAuditEngine RelevantOnly # per request basis using the "auditlog" and "noauditlog" rule
SecAuditLogRelevantStatus "^[45]" # actions.
#
# Log files structure # TODO The default rule set logs requests that generate a 404 "file not found"
# # response. These events are interesting, but may log a lot of information.
# You can select to log all events to a single log file (set SecAuditLogType to # you may consider removing it by setting SecAuditLogRelevantStatus
# "Serial") or to log each request to a separate file (set it to "Concurrent"). # to "^(?:5|4\d[^4])".
# The former is usually easier to use, but if full logging is required or if #
# the protected system supports a large transaction volume the later may SecAuditEngine RelevantOnly
# be a better option. SecAuditLogRelevantStatus "^[45]"
#
# TODO Set the SecAuditLog (for "Serial" logging) or SecAuditLogStorageDir (for # Log files structure
# "Concurrent" logging). #
# # You can select to log all events to a single log file (set SecAuditLogType to
# TODO If you change from "Serial" to "Concurrent" uncomment the # "Serial") or to log each request to a separate file (set it to "Concurrent").
# SecAuditLogStorageDir directive and make sure the direcory specified # The former is usually easier to use, but if full logging is required or if
# exists and has write permissions for the Apache user. # the protected system supports a large transaction volume the later may
# be a better option.
SecAuditLogType Serial #
SecAuditLog logs/modsec_audit.log # TODO Set the SecAuditLog (for "Serial" logging) or SecAuditLogStorageDir (for
# SecAuditLogStorageDir logs/modsec_audit # "Concurrent" logging).
#
# Select what portions of the request to log # TODO If you change from "Serial" to "Concurrent" uncomment the
# # SecAuditLogStorageDir directive and make sure the direcory specified
# Modify the string by adding any of the letter below to it: # exists and has write permissions for the Apache user.
# A - audit log header (mandatory)
# B - request headers SecAuditLogType Serial
# C - request body (present only if the request body exists and ModSecurity is SecAuditLog logs/modsec_audit.log
# configured to intercept it) # SecAuditLogStorageDir logs/modsec_audit
# E - intermediary response body (present only if ModSecurity is configured to
# intercept response bodies, and if the audit log engine is configured to # Select what portions of the request to log
# record it). Intermediary response body is the same as the actual response #
# body unless ModSecurity intercepts the intermediary response body, in # Modify the string by adding any of the letter below to it:
# which case the actual response body will contain the error message # A - audit log header (mandatory)
# (either the Apache default error message, or the ErrorDocument page). # B - request headers
# F - final response headers (excluding the Date and Server headers, which are # C - request body (present only if the request body exists and ModSecurity is
# always added by Apache in the late stage of content delivery). # configured to intercept it)
# H - audit log trailer # E - intermediary response body (present only if ModSecurity is configured to
# I - This part is a replacement for part C. It will log the same data as C in # intercept response bodies, and if the audit log engine is configured to
# all cases except when multipart/form-data encoding in used. In this case # record it). Intermediary response body is the same as the actual response
# it will log a fake application/x-www-form-urlencoded body that contains # body unless ModSecurity intercepts the intermediary response body, in
# the information about parameters but not about the files. This is handy # which case the actual response body will contain the error message
# if you don't want to have (often large) files stored in your audit logs. # (either the Apache default error message, or the ErrorDocument page).
# Z - final boundary, signifies the end of the entry (mandatory) # F - final response headers (excluding the Date and Server headers, which are
# always added by Apache in the late stage of content delivery).
SecAuditLogParts "ABIFHZ" # H - audit log trailer
# I - This part is a replacement for part C. It will log the same data as C in
# Create a separate log to monitor performance. # all cases except when multipart/form-data encoding in used. In this case
# # it will log a fake application/x-www-form-urlencoded body that contains
# TODO Performance monitoring only works with Apache 2.x. You need # the information about parameters but not about the files. This is handy
# to add mod_unique_id and mod_logio to your configuration. Then # if you don't want to have (often large) files stored in your audit logs.
# uncomment the following two lines. # Z - final boundary, signifies the end of the entry (mandatory)
#
# LogFormat "%V %h %t %{UNIQUE_ID}e \"%r\" %>s %X | %I %O | %<{mod_security-time1}n %<{mod_security-time2}n %<{mod_security-time3}n %D" mperformance SecAuditLogParts "ABIFHZ"
# CustomLog logs/modsec_performance.log mperformance
# Create a separate log to monitor performance.
# Custom application access log. #
# # TODO Performance monitoring only works with Apache 2.x. You need
# TODO You should consider creating a custom access log. It could contain # to add mod_unique_id and mod_logio to your configuration. Then
# the performance metrics from above, but should also record the # uncomment the following two lines.
# session ID for every request. That would make it possible to #
# list all requests performed as part of a session. # LogFormat "%V %h %t %{UNIQUE_ID}e \"%r\" %>s %X | %I %O | %<{mod_security-time1}n %<{mod_security-time2}n %<{mod_security-time3}n %D" mperformance
# # CustomLog logs/modsec_performance.log mperformance
# One custom log should be used per application but if you want
# multiple applications to share one log file make sure each # Custom application access log.
# line includes a unique application ID (unless the hostname is #
# sufficient for differentiation). # TODO You should consider creating a custom access log. It could contain
# the performance metrics from above, but should also record the
## -- Tuning and debugging # session ID for every request. That would make it possible to
# list all requests performed as part of a session.
# This section include tuning and debugging directives that usually require no #
# modifications unless # One custom log should be used per application but if you want
# multiple applications to share one log file make sure each
# line includes a unique application ID (unless the hostname is
# Parameters separator # sufficient for differentiation).
#
# Specifies which character to use as separator for ## -- Tuning and debugging
# application/x-www-form-urlencoded content.
# Defaults to "&". Applications are sometimes (very rarely) written to use # This section include tuning and debugging directives that usually require no
# a semicolon (";"). # modifications unless
#
# NOTE Changing the value for this directive has significant influence on how
# ModSecurity works. Make the change only if you are absolutely sure it # Parameters separator
# is required. #
SecArgumentSeparator "&" # Specifies which character to use as separator for
# application/x-www-form-urlencoded content.
# Defaults to "&". Applications are sometimes (very rarely) written to use
# Selects the cookie format that will be used in the current configuration # a semicolon (";").
# context. #
# # NOTE Changing the value for this directive has significant influence on how
# Possible values are: # ModSecurity works. Make the change only if you are absolutely sure it
# 0 - use version 0 (Netscape) cookies. This is what most applications use. # is required.
# It is the default value. SecArgumentSeparator "&"
# 1 - use version 1 cookies.
SecCookieFormat 0 # Selects the cookie format that will be used in the current configuration
# context.
# Maximum size of the request body to keep in memory #
# # Possible values are:
# A higher value requires more server memory while a lower number would slow # 0 - use version 0 (Netscape) cookies. This is what most applications use.
# the server due to additional disk access. By default the limit is 128 KB: # It is the default value.
SecRequestBodyInMemoryLimit 131072 # 1 - use version 1 cookies.
SecCookieFormat 0
# Whether to send ModSecurity messages to a separate debug log.
# # Maximum size of the request body to keep in memory
# Debug messages are very useful for, well, debugging. The default #
# setting here copies (they always appear in the Apache error log) # A higher value requires more server memory while a lower number would slow
# only the most important messages (errors and warnings). # the server due to additional disk access. By default the limit is 128 KB:
# SecRequestBodyInMemoryLimit 131072
# NOTE Debug logging is generally very slow. You should never
# use values greater than "3" in production.
# # Whether to send ModSecurity messages to a separate debug log.
SecDebugLog logs/modsec_debug.log #
SecDebugLogLevel 3 # Debug messages are very useful for, well, debugging. The default
# setting here copies (they always appear in the Apache error log)
# Path where persistent data (e.g. IP address data, session data, etc) is to # only the most important messages (errors and warnings).
# be stored. Must be writable by the web server user. #
# # NOTE Debug logging is generally very slow. You should never
# TODO It is advisable to create a directory structure for ModSecurity such as # use values greater than "3" in production.
# /var/log/msa and create sub directories for SecDataDir, SecTmpDir, #
# SecUploadDir, SecAuditLog and SecAuditLogStorageDir SecDebugLog logs/modsec_debug.log
# underneath it and set the permission for read and write only by the SecDebugLogLevel 3
# Apache user.
# Path where persistent data (e.g. IP address data, session data, etc) is to
SecDataDir /tmp # be stored. Must be writable by the web server user.
#
# Configures the directory where temporary files will be created. # TODO It is advisable to create a directory structure for ModSecurity such as
SecTmpDir /tmp # /var/log/msa and create sub directories for SecDataDir, SecTmpDir,
# SecUploadDir, SecAuditLog and SecAuditLogStorageDir
# underneath it and set the permission for read and write only by the
# Apache user.
SecDataDir /tmp
# Configures the directory where temporary files will be created.
SecTmpDir /tmp
# Loades the variable collection relating to the requested resource
# NOTE: We will not initiate a collection if there was an error (To prevent overloading)
SecRule RESPONSE_STATUS "!^(?:30[12]|[45]\d\d)$" "phase:3,pass,nolog,initcol:resource=%{REQUEST_FILENAME}"

158
rules/modsecurity_crs_20_protocol_violations.conf
View File

@ -1,74 +1,84 @@
# --------------------------------------------------------------- # ---------------------------------------------------------------
# Core ModSecurity Rule Set # Core ModSecurity Rule Set
# Copyright (C) 2006 Breach Security Inc. All rights reserved. # Copyright (C) 2006 Breach Security Inc. All rights reserved.
# #
# The ModSecuirty Core Rule Set is distributed under GPL version 2 # The ModSecuirty Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details. # Please see the enclosed LICENCE file for full details.
# --------------------------------------------------------------- # ---------------------------------------------------------------
# #
# TODO in some cases a valid client (usually automated) generates requests that # TODO in some cases a valid client (usually automated) generates requests that
# violates the HTTP protocol. Create exceptions for those clients, but try # violates the HTTP protocol. Create exceptions for those clients, but try
# to limit the exception to a source IP or other additional properties of # to limit the exception to a source IP or other additional properties of
# the request such as URL and not allow the violation generally. # the request such as URL and not allow the violation generally.
# #
# #
# Use status code 400 response status code by default as protocol violations # Use status code 400 response status code by default as protocol violations
# are in essence bad requests. # are in essence bad requests.
SecDefaultAction "log,pass,phase:1,status:400" SecDefaultAction "log,pass,phase:2,status:400"
# Accept only digits in content length
# # Validate request line
SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "deny,log,auditlog,status:400,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016'" SecRule REQUEST_LINE "!^[a-z]{3,10}\s*(?:http\:\/\/[\w\-\.\/]*)??\/[\w\-\.\/]*(?:\?[\S]*)??\s*http\/[01]\.[901]$" \
"t:none,t:lowercase,deny,log,auditlog,status:400,msg:'Invalid HTTP Request Line',,id:'960911',severity:'2'"
# Do not accept GET or HEAD requests with bodies
# HTTP standard allows GET requests to have a body but this
# feature is not used in real life. Attackers could try to force # Accept only digits in content length
# a request body on an unsuspecting web applications. #
# SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "deny,log,auditlog,status:400,msg:'Content-Length HTTP header is not numeric', severity:'2',,id:'960016',"
SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011'"
SecRule REQUEST_HEADERS:Content-Length "!^0?$" # Do not accept GET or HEAD requests with bodies
# HTTP standard allows GET requests to have a body but this
# Require Content-Length to be provided with every POST request. # feature is not used in real life. Attackers could try to force
# # a request body on an unsuspecting web applications.
SecRule REQUEST_METHOD "^POST$" "chain,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header',id:'960012',severity:'4'" #
SecRule &REQUEST_HEADERS:Content-Length "@eq 0" SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',,id:'960011',"
SecRule REQUEST_HEADERS:Content-Length "!^0?$"
# Don't accept transfer encodings we know we don't know how to handle
# # Require Content-Length to be provided with every POST request.
# NOTE ModSecurity does not support chunked transfer encodings at #
# this time. You MUST reject all such requests. SecRule REQUEST_METHOD "^POST$" "chain,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header',,id:'960012',severity:'4'"
# SecRule &REQUEST_HEADERS:Content-Length "@eq 0"
SecRule HTTP_Transfer-Encoding "!^$" "deny,log,auditlog,status:501,msg:'ModSecurity does not support transfer encodings',id:'960013',severity:'5'"
# Don't accept transfer encodings we know we don't know how to handle
# Check decodings #
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \ # NOTE ModSecurity does not support chunked transfer encodings at
"chain, deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'" # this time. You MUST reject all such requests.
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" #
SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" "deny,log,auditlog,status:501,msg:'ModSecurity does not support transfer encodings',,id:'960013',severity:'3'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,status:400,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',severity:'4'"
# Check decodings
# Proxy access attempt SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
# NOTE Apache blocks such access by default if not set as a proxy. The rule is "chain, deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',,id:'950107',severity:'4'"
# included in case Apache proxy is misconfigured. SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%(?!$|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"
SecRule REQUEST_URI ^http:/ "deny,log,auditlog,status:400,msg:'Proxy access attempt', severity:'2',id:'960014'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,status:400,msg:'UTF8 Encoding Abuse Attack Attempt',,id:'950801',severity:'4'"
#
# Restrict type of characters sent # Disallow use of full-width unicode
# SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%u[fF]{2}[0-9a-fA-F]{2}" \
# NOTE In order to be broad and support localized applications this rule "t:none,deny,log,auditlog,status:400,msg:'Unicode Full/Half Width Abuse Attack Attempt',,id:'950116',severity:'4'"
# only validates that NULL Is not used.
# # Proxy access attempt
# The strict policy version also validates that protocol and application # NOTE Apache blocks such access by default if not set as a proxy. The rule is
# generated fields are limited to printable ASCII. # included in case Apache proxy is misconfigured.
# SecRule REQUEST_URI_RAW ^http:/ "deny,log,auditlog,status:400,msg:'Proxy access attempt', severity:'2',,id:'960014',"
# TODO If your application use the range 32-126 for parameters.
# #
SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \ # Restrict type of characters sent
"@validateByteRange 1-255" \ #
"log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',t:urlDecodeUni,phase:1" # NOTE In order to be broad and support localized applications this rule
# only validates that NULL Is not used.
SecRule ARGS|ARGS_NAMES "@validateByteRange 1-255" \ #
"deny,log,auditlog,status:400,msg:'Invalid character in request',id:'960901',severity:'4',t:urlDecodeUni,phase:2" # The strict policy version also validates that protocol and application
# generated fields are limited to printable ASCII.
#
# TODO If your application use the range 32-126 for parameters.
#
SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
"@validateByteRange 1-255" \
"deny,log,auditlog,status:400,msg:'Invalid character in request',,id:'960018',severity:'4',t:urlDecodeUni,phase:1"
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Referer "@validateByteRange 1-255" \
"deny,log,auditlog,status:400,msg:'Invalid character in request',,id:'960901',severity:'4',t:urlDecodeUni,phase:2"

105
rules/modsecurity_crs_21_protocol_anomalies.conf
View File

@ -1,50 +1,55 @@
# --------------------------------------------------------------- # ---------------------------------------------------------------
# Core ModSecurity Rule Set # Core ModSecurity Rule Set
# Copyright (C) 2006 Breach Security Inc. All rights reserved. # Copyright (C) 2006 Breach Security Inc. All rights reserved.
# #
# The ModSecuirty Core Rule Set is distributed under GPL version 2 # The ModSecuirty Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details. # Please see the enclosed LICENCE file for full details.
# --------------------------------------------------------------- # ---------------------------------------------------------------
# #
# TODO in some cases a valid client (usually automated) generates requests that # TODO in some cases a valid client (usually automated) generates requests that
# violates the HTTP protocol. Create exceptions for those clients, but try # violates the HTTP protocol. Create exceptions for those clients, but try
# to limit the exception to a source IP or other additional properties of # to limit the exception to a source IP or other additional properties of
# the request such as URL and not allow the violation generally. # the request such as URL and not allow the violation generally.
# #
# Use status code 400 response status code by default as protocol violations # Use status code 400 response status code by default as protocol violations
# are in essence bad requests. # are in essence bad requests.
SecDefaultAction "log,pass,phase:1,status:400" SecDefaultAction "log,pass,phase:2,status:400"
# Do not accept requests without common headers. # Do not accept requests without common headers.
# #
# Implies either an attacker or a legitimate automation client. # Implies either an attacker or a legitimate automation client.
# #
SecRule REQUEST_URI "^/$" "chain,skip:4" SecRule REQUEST_URI "^/$" "chain,skip:4"
SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain" SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain"
SecRule REQUEST_HEADERS:User-Agent "^Apache.*\(internal dummy connection\)$" "t:none" SecRule REQUEST_HEADERS:User-Agent "^Apache.*\(internal dummy connection\)$" "t:none"
SecRule &REQUEST_HEADERS:Host "@eq 0" \ SecRule &REQUEST_HEADERS:Host "@eq 0" \
"skip:1,log,auditlog,msg:'Request Missing a Host Header',id:'960008',severity:'4'" "skip:1,log,auditlog,msg:'Request Missing a Host Header',,id:'960008',severity:'4'"
SecRule REQUEST_HEADERS:Host "^$" \ SecRule REQUEST_HEADERS:Host "^$" \
"log,auditlog,msg:'Request Missing a Host Header',id:'960008',severity:'4'" "log,auditlog,msg:'Request Missing a Host Header',,id:'960008',severity:'4'"
SecRule &REQUEST_HEADERS:Accept "@eq 0" \ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
"chain,skip:1,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015'" "chain,skip:1,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',,id:'960015',"
SecRule REQUEST_METHOD "!OPTIONS" SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"
SecRule REQUEST_HEADERS:Accept "^$" \ SecRule REQUEST_HEADERS:Accept "^$" \
"chain,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015'" "chain,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',,id:'960015',"
SecRule REQUEST_METHOD "!OPTIONS" SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \ SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
"skip:1,log,auditlog,msg:'Request Missing a User Agent Header',id:'960009',severity:'4'" "skip:1,log,auditlog,msg:'Request Missing a User Agent Header',,id:'960009',severity:'4'"
SecRule REQUEST_HEADERS:User-Agent "^$" \ SecRule REQUEST_HEADERS:User-Agent "^$" \
"log,auditlog,msg:'Request Missing a User Agent Header',id:'960009',severity:'4'" "log,auditlog,msg:'Request Missing a User Agent Header',,id:'960009',severity:'4'"
# Check that the host header is not an IP address SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
# "chain,log,auditlog,msg:'Request Containing Content, but Missing Content-Type header',,id:'960904',severity:'4'"
SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "deny,log,auditlog,status:400,msg:'Host header is a numeric IP address', severity:'2',id:'960017'" SecRule REQUEST_HEADERS:Content-Length "!^0$"
# Check that the host header is not an IP address
#
SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "deny,log,auditlog,status:400,msg:'Host header is a numeric IP address', severity:'2',,id:'960017',"

289
rules/modsecurity_crs_30_http_policy.conf
View File

@ -1,137 +1,152 @@
# --------------------------------------------------------------- # ---------------------------------------------------------------
# Core ModSecurity Rule Set # Core ModSecurity Rule Set
# Copyright (C) 2006 Breach Security Inc. All rights reserved. # Copyright (C) 2006 Breach Security Inc. All rights reserved.
# #
# The ModSecuirty Core Rule Set is distributed under GPL version 2 # The ModSecuirty Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details. # Please see the enclosed LICENCE file for full details.
# --------------------------------------------------------------- # ---------------------------------------------------------------
#%name 30 - HTTP policy enforcement #%name 30 - HTTP policy enforcement
#%desc The HTTP policy enforcement rule set sets limitations on the use of HTTP by clients. #%desc The HTTP policy enforcement rule set sets limitations on the use of HTTP by clients.
# Few applications require the breadth and depth of the HTTP protocol. On the # Few applications require the breadth and depth of the HTTP protocol. On the
# other hand many attacks abuse valid but rare HTTP use patterns. Restricting # other hand many attacks abuse valid but rare HTTP use patterns. Restricting
# HTTP protocol usage is effective in therefore effective in blocking many # HTTP protocol usage is effective in therefore effective in blocking many
# application layer attacks. # application layer attacks.
# #
# TODO If you are using the ModSecurity Core Ruleset template system you can set # TODO If you are using the ModSecurity Core Ruleset template system you can set
# the policy limitations in the ruleset.config file. Otherwise edit this # the policy limitations in the ruleset.config file. Otherwise edit this
# file manually to set you policy limitations. # file manually to set you policy limitations.
# #
# TODO Many automation programs use non standard HTTP requests. While you may # TODO Many automation programs use non standard HTTP requests. While you may
# want to allow some of those, try not to create exceptions only for the # want to allow some of those, try not to create exceptions only for the
# automated program based on properties such as their source IP address or # automated program based on properties such as their source IP address or
# the URL they access. # the URL they access.
# #
SecDefaultAction "pass,log,status:400,phase:1" SecDefaultAction "pass,log,status:400,phase:2"
# allow request methods # allow request methods
# #
# TODO Most applications only use GET, HEAD, and POST request # TODO Most applications only use GET, HEAD, and POST request
# methods, if so uncomment the line below. Otherwise you are advised # methods, if so uncomment the line below. Otherwise you are advised
# to edit the line before uncommenting it. # to edit the line before uncommenting it.
# #
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \ SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
"phase:1,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032'" "phase:1,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',,id:'960032',"
# Restrict witch content encodings we accept. # Restrict which content-types we accept.
# #
# TODO Most applications support only two encodings for request bodies # TODO Most applications support only two types for request bodies
# because that is all browsers know how to produce. If you are using # because that is all browsers know how to produce. If you are using
# automated tools to talk to the application you may be using other # automated tools to talk to the application you may be using other
# content types and would want to change the list of supported encodings. # content types and would want to change the list of supported types.
# #
# Note though that ModSecurity parses only three content encodings: # Note though that ModSecurity parses only three content types:
# application/x-www-form-urlencoded, multipart/form-data request and # application/x-www-form-urlencoded, multipart/form-data request and
# text/xml. The protection provided for any other type of encoding is # text/xml. The protection provided for any other type is inferior.
# inferior. #
# # TODO There are many applications that are not using multipart/form-data
# TODO There are many applications that are not using multipart/form-data # types (typically only used for file uploads). This content type
# encoding (typically only used for file uploads). This content type # can be disabled if not used.
# can be disabled if not used. #
# # NOTE We allow any content type to be specified with GET or HEAD
# NOTE We allow any content type to be specified with GET or HEAD # because some tools incorrectly supply content type information
# because some tools incorrectly supply content type information # even when the body is not present. There is a rule further in
# even when the body is not present. There is a rule further in # the file to prevent GET and HEAD requests to have bodies to we're
# the file to prevent GET and HEAD requests to have bodies to we're # safe in that respect.
# safe in that respect. #
# # NOTE Use of WebDAV requires "text/xml" content type.
# NOTE Use of WebDAV requires "text/xml" content type. #
# # NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports
# NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports # applications running on the PocketPC and AvantGo platforms use
# applications running on the PocketPC and AvantGo platforms use # non-standard content types:
# non-standard content types: #
# # M-Business iAnywhere application/x-mal-client-data
# M-Business iAnywhere application/x-mal-client-data # UltraLite iAnywhere application/octet-stream
# UltraLite iAnywhere application/octet-stream #
# SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" \
SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" \ "chain, t:lowercase, deny,log,auditlog,status:501,msg:'Request content type is not allowed by policy',,id:'960010',severity:'4'"
"chain, t:lowercase, deny,log,auditlog,status:501,msg:'Request content encoding is not allowed by policy',id:'960010',severity:'4'" SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)"
SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)"
# Restrict protocol versions.
# Restrict protocol versions. #
# # TODO All modern browsers use HTTP version 1.1. For tight security, allow only
# TODO All modern browsers use HTTP version 1.1. For tight security, allow only # this version.
# this version. #
# # NOTE Automation programs, both malicious and non malicious many times use
# NOTE Automation programs, both malicious and non malicious many times use # other HTTP versions. If you want to allow a specific automated program
# other HTTP versions. If you want to allow a specific automated program # to use your site, try to create a narrower expection and not allow any
# to use your site, try to create a narrower expection and not allow any # client to send HTTP requests in a version lower than 1.1
# client to send HTTP requests in a version lower than 1.1 #
# SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.[01])$" \
SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.[01])$" \ "t:none, deny,log,auditlog,status:505,msg:'HTTP protocol version is not allowed by policy', severity:'2',,id:'960034',"
"t:none, deny,log,auditlog,status:505,msg:'HTTP protocol version is not allowed by policy', severity:'2',id:'960034'"
# Restrict file extension
# Restrict file extension #
# # TODO the list of file extensions below are virtually always considered unsafe
# TODO the list of file extensions below are virtually always considered unsafe # and not in use in any valid program. If your application uses one of
# and not in use in any valid program. If your application uses one of # these extensions, please remove it from the list of blocked extensions.
# these extensions, please remove it from the list of blocked extensions. # You may need to use ModSecurity Core Rule Set Templates to do so, otherwise
# You may need to use ModSecurity Core Rule Set Templates to do so, otherwise # comment the whole rule.
# comment the whole rule. #
# SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$" \
SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|s(?:html?|ql|tm|ys)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|l(?:icx|nk|og)|\w{,5}~|webinfo|ht[rw]|xs[dx]|exe|key|mdb|old)$" \ "t:urlDecodeUni, t:lowercase, deny,log,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',,id:'960035',"
"t:urlDecodeUni, t:lowercase, deny,log,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',id:'960035'"
# Restricted HTTP headers
# Restricted HTTP headers #
# # TODO the list of HTTP headers below are considered unsafe for your environment.
# TODO the list of HTTP headers below are considered unsafe for your environment. # If your application uses one of these directories, please remove it from
# If your application uses one of these directories, please remove it from # the list of blocked extensions. You may need to use ModSecurity Core Rule
# the list of blocked extensions. You may need to use ModSecurity Core Rule # Set Templates to do so, otherwise comment the whole rule.
# Set Templates to do so, otherwise comment the whole rule. #
# SecRule REQUEST_HEADERS_NAMES "\.(?:Lock-Token|Translate|If)$" \
SecRule REQUEST_HEADERS_NAMES "\.(?:Lock-Token|Translate|If)$" \ "deny,log,auditlog,status:500,msg:'HTTP header is restricted by policy',,id:'960038',severity:'4'"
"deny,log,auditlog,status:500,msg:'HTTP header is restricted by policy',id:'960038',severity:'4'"
# Restricted Content Encodings
## -- Apache Limits ---------------------------------------------------------- #
# ModSecurity does not support compressed content. Therefore, the following
# These are Apache limit directives, but we are including them here because # action will be taken:
# they are often forgotten. If you already have these configured leave this # - Inbound compressed content will be denied
# section entirely commented-out. Otherwise review the limits and uncomment # - Outbound compressed content will be logged once, to alert the user
# the directives. # Deny inbound compressed content
SecRule REQUEST_HEADERS:Content-Encoding "!^Identity$" \
# Maximum size of the request body. "phase:2,t:none,deny,log,auditlog,status:501,msg:'ModSecurity does not support content encodings',,id:'960902',severity:'3'"
# # Log outbound compressed content (once per location)
# NOTE If your application allows file uploads the value below will SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" \
# most likely be way to low. "phase:5,t:none,pass,log,auditlog,msg:'ModSecurity does not support content encodings',,id:'960903',severity:'4',chain"
# SecRule &RESOURCE:alerted_960903_compression "@eq 0" "setvar:resource.alerted_960903_compression"
#LimitRequestBody 64000
# Maximum number of request headers in a request.
# ## -- Apache Limits ----------------------------------------------------------
#LimitRequestFields 32
# These are Apache limit directives, but we are including them here because
# Maximum size of request header lines. # they are often forgotten. If you already have these configured leave this
# # section entirely commented-out. Otherwise review the limits and uncomment
#LimitRequestFieldSize 8000 # the directives.
# Maximum size of the request line. # Maximum size of the request body.
# #
#LimitRequestLine 4000 # NOTE If your application allows file uploads the value below will
# most likely be way to low.
#
#LimitRequestBody 64000
# Maximum number of request headers in a request.
#
#LimitRequestFields 32
# Maximum size of request header lines.
#
#LimitRequestFieldSize 8000
# Maximum size of the request line.
#
#LimitRequestLine 4000

66
rules/modsecurity_crs_35_bad_robots.conf
View File

@ -1,33 +1,33 @@
# --------------------------------------------------------------- # ---------------------------------------------------------------
# Core ModSecurity Rule Set # Core ModSecurity Rule Set
# Copyright (C) 2006 Breach Security Inc. All rights reserved. # Copyright (C) 2006 Breach Security Inc. All rights reserved.
# #
# The ModSecuirty Core Rule Set is distributed under GPL version 2 # The ModSecuirty Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details. # Please see the enclosed LICENCE file for full details.
# --------------------------------------------------------------- # ---------------------------------------------------------------
# #
# NOTE Bad robots detection is based on checking elements easily # NOTE Bad robots detection is based on checking elements easily
# controlled by the client. As such a determined attacked can bypass # controlled by the client. As such a determined attacked can bypass
# those checks. Therefore bad robots detection should not be viewed as # those checks. Therefore bad robots detection should not be viewed as
# a security mechanism against targeted attacks but rather as a nuisance # a security mechanism against targeted attacks but rather as a nuisance
# reduction, eliminating most of the random attacks against your web # reduction, eliminating most of the random attacks against your web
# site. # site.
SecDefaultAction "log,pass,phase:2,t:lowercase" SecDefaultAction "log,pass,phase:2,t:lowercase"
SecRule HTTP_User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|internet explorer|webinspect|\.nasl)" \ SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|internet explorer|webinspect|\.nasl)" \
"deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',severity:'2'" "deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',,id:'990002',severity:'2'"
SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \ SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
"deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990901',severity:'2'" "deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',,id:'990901',severity:'2'"
SecRule REQUEST_FILENAME "^/nessustest" \ SecRule REQUEST_FILENAME "^/nessustest" \
"deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990902',severity:'2'" "deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',,id:'990902',severity:'2'"
SecRule REQUEST_HEADERS:User-Agent "(?:m(?:ozilla\/(?:4\.0 \(compatible; advanced email extractor|2\.0 \(compatible; newt activex; win32\))|ailto:craftbot\@yahoo\.com)|e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro|o browse)|a(?:t(?:tache|hens)|utoemailspider|dsarobot)|w(?:eb(?:emailextrac| by mail)|3mir)|f(?:astlwspider|loodgate)|p(?:cbrowser|ackrat|surf)|(?:digout4uagen|takeou)t|(?:chinacla|be)w|hhjhj@yahoo|rsync|shai|zeus)" \ SecRule REQUEST_HEADERS:User-Agent "(?:m(?:ozilla\/(?:4\.0 \(compatible; advanced email extractor|2\.0 \(compatible; newt activex; win32\))|ailto:craftbot\@yahoo\.com)|e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro|o browse)|a(?:t(?:tache|hens)|utoemailspider|dsarobot)|w(?:eb(?:emailextrac| by mail)|3mir)|f(?:astlwspider|loodgate)|p(?:cbrowser|ackrat|surf)|(?:digout4uagen|takeou)t|(?:chinacla|be)w|hhjhj@yahoo|rsync|shai|zeus)" \
"deny,log,auditlog,status:404,msg:'Rogue web site crawler',id:'990012',severity:'2'" "deny,log,auditlog,status:404,msg:'Rogue web site crawler',,id:'990012',severity:'2'"
SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|d(?:ownload demon|isco)|w(?:3mirror|get)|l(?:ibwww|wp)|p(?:avuk|erl)|cu(?:sto|rl)|big brother|autohttp|netants|eCatch)" \ SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|d(?:ownload demon|isco)|w(?:3mirror|get)|l(?:ibwww|wp)|p(?:avuk|erl)|cu(?:sto|rl)|big brother|autohttp|netants|eCatch)" \
"chain,log,auditlog,msg:'Request Indicates an automated program explored the site',id:'990011',severity:'5'" "chain,log,auditlog,msg:'Request Indicates an automated program explored the site',,id:'990011',severity:'5'"
SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl" SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl"

177
rules/modsecurity_crs_40_generic_attacks.conf
View File

@ -1,83 +1,94 @@
# --------------------------------------------------------------- # ---------------------------------------------------------------
# Core ModSecurity Rule Set # Core ModSecurity Rule Set
# Copyright (C) 2006 Breach Security Inc. All rights reserved. # Copyright (C) 2006 Breach Security Inc. All rights reserved.
# #
# The ModSecuirty Core Rule Set is distributed under GPL version 2 # The ModSecuirty Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details. # Please see the enclosed LICENCE file for full details.
# --------------------------------------------------------------- # ---------------------------------------------------------------
# #
# TODO While some of the pattern groups such as command injection are usually # TODO While some of the pattern groups such as command injection are usually
# safe of false positives, other pattern groups such as SQL injection and # safe of false positives, other pattern groups such as SQL injection and
# XSS may require setting exceptions and therefore are set to log only by # XSS may require setting exceptions and therefore are set to log only by
# default. # default.
# #
# Start ModSecurity in monitoring only mode and check whether your # Start ModSecurity in monitoring only mode and check whether your
# application requires exceptions for a specific URL, Pattern or source IP # application requires exceptions for a specific URL, Pattern or source IP
# before moving to blocking mode. # before moving to blocking mode.
SecDefaultAction "log,pass,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase" SecDefaultAction "log,pass,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
# Session fixation # Session fixation
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \ SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
"capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation. Matched signature <%{TX.0}>',id:'950009',severity:'2'" "capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation. Matched signature <%{TX.0}>',,id:'950009',severity:'2'"
# Blind SQL injection # Blind SQL injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql.user)|c(?:onstraint_type|harindex)|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)" \ SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql.user)|c(?:onstraint_type|harindex)|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)" \
"capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',id:'950007',severity:'2'" "capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',,id:'950007',severity:'2'"
#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\b(?:benchmark|encode)\b" \ #SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(?:benchmark|encode)\b" \
# "chain,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',id:'950903',severity:'2'" # "chain,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',,id:'950903',severity:'2'"
#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "[\\(\)\%#]\|--" #SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "[\\(\)\%#]\|--"
SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())" \ SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())" \
"capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',id:'950904',severity:'2'" "capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',,id:'950904',severity:'2'"
# SQL injection # SQL injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction|open(?:rowset|query)|dbms_java)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|(?:having|or|and)\b\s+?(?:\d{1,10}|'[^=]{1,10}')\s*?[=<>]+|(?:print\]\b\W*?\@|root)\@|c(?:ast\b\W*?\(|oalesce\b))|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)')" \ SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction|open(?:rowset|query)|1\s*=\s*1|dbms_java)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|(?:having|or|and)\b\s+(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"])\s*[=<>]+|print\]\b\W*?\@\@|cast\b\W*?\()|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)')" \
"capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',id:'950001',severity:'2'" "capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',,id:'950001',severity:'2'"
#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\b(?:rel(?:(?:nam|typ)e|kind)|a(?:ttn(?:ame|um)|scii)|c(?:o(?:nver|un)t|ha?r)|s(?:hutdown|elect)|to_(?:numbe|cha)r|u(?:pdate|nion)|d(?:elete|rop)|group\b\W*\bby|having|insert|length|where)\b" \ #SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(?:rel(?:(?:nam|typ)e|kind)|a(?:ttn(?:ame|um)|scii)|c(?:o(?:nver|un)t|ha?r)|s(?:hutdown|elect)|to_(?:numbe|cha)r|u(?:pdate|nion)|d(?:elete|rop)|group\b\W*\bby|having|insert|length|where)\b" \
# "chain,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',id:'950905',severity:'2'" # "chain,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',,id:'950905',severity:'2'"
#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "[\\(\)\%#]\|--" #SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "[\\(\)\%#]\|--"
SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\b(?:user_(?:(?:object|table|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|substr(?:ing)?|table_name|mb_users|rownum)\b" \ SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(?:user_(?:(?:object|table|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|substr(?:ing)?|table_name|mb_users|rownum)\b" \
"capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',id:'950906',severity:'2'" "capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',,id:'950906',severity:'2'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:via "\b(?:coalesce\b|root\@)" \
# XSS "capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',,id:'950908',severity:'2'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|type\b\W*?\b(?:text\b(?:\W*?\b(?:j(?:ava)?|ecma)script\b| [vbscript])|application\b\W*?\bx-(?:java|vb)script\b)|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder)\b|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\\btype\b\W*?\bimage)\b|!\[CDATA\[|script|meta)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
"capture,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack. Matched signature <%{TX.0}>',id:'950004',severity:'2'" # XSS
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|type\b\W*?\b(?:text\b(?:\W*?\b(?:j(?:ava)?|ecma)script\b| [vbscript])|application\b\W*?\bx-(?:java|vb)script\b)|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder)\b|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\\btype\b\W*?\bimage)\b|!\[CDATA\[|script|meta)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
# file injection "capture,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack. Matched signature <%{TX.0}>',,id:'950004',severity:'2'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt. Matched signature <%{TX.0}>',id:'950005',severity:'2'" # file injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
# Command access "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt. Matched signature <%{TX.0}>',,id:'950005',severity:'2'"
SecRule REQUEST_FILENAME "\b(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe\b" \
"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Access. Matched signature <%{TX.0}>',id:'950002',severity:'2'" # Command access
SecRule REQUEST_FILENAME "\b(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe\b" \
# Command injection "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Access. Matched signature <%{TX.0}>',,id:'950002',severity:'2'"
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \
"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950006',severity:'2'" # Command injection
SecRule "ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent" \ SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/(Cookie|Referer|X-OS-Prefs)/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \
"\bwget\b" \ "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection. Matched signature <%{TX.0}>',,id:'950006',severity:'2'"
"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950907',severity:'2'" SecRule "ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:User-Agent" \
"\bwget\b" \
# Coldfusion injection "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection. Matched signature <%{TX.0}>',,id:'950907',severity:'2'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug)\b" \
"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Injection of Undocumented ColdFusion Tags. Matched signature <%{TX.0}>',id:'950008',severity:'2'" # Coldfusion injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug)\b" \
# LDAP injection "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Injection of Undocumented ColdFusion Tags. Matched signature <%{TX.0}>',,id:'950008',severity:'2'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'LDAP Injection Attack. Matched signature <%{TX.0}>',id:'950010',severity:'2'" # LDAP injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
# SSI injection "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'LDAP Injection Attack. Matched signature <%{TX.0}>',,id:'950010',severity:'2'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \
"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'SSI injection Attack. Matched signature <%{TX.0}>',id:'950011',severity:'2'" # SSI injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \
# PHP injection "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'SSI injection Attack. Matched signature <%{TX.0}>',,id:'950011',severity:'2'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))" \
"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'PHP Injection Attack. Matched signature <%{TX.0}>',id:'950013',severity:'2'" # PHP injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))" \
"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'PHP Injection Attack. Matched signature <%{TX.0}>',,id:'950013',severity:'2'"
# PHP injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#" \ # HTTP Response Splitting
"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Persistent Universal PDF XSS attack',id:'950018',severity:'2'" SecRule REQUEST_URI|REQUEST_HEADERS|REQUEST_HEADERS_NAMES "%0[ad]" \
"t:none,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'HTTP Response Splitting Attack. Matched signature <%{TX.0}>',,id:'950910',severity:'1'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "(?:\bhttp.(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'HTTP Response Splitting Attack. Matched signature <%{TX.0}>',,id:'950911',severity:'1'"
# UPDF XSS
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#" \
"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Persistent Universal PDF XSS attack',,id:'950018',severity:'2'"
# Email Injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "[\n\r]\s*(?:to|bcc|cc)\s*:.*?\@" \
"t:none,t:lowercase,t:urlDecode,capture,log,auditlog,msg:'Email Injection Attack. Matched signature <%{TX.0}>',,id:'950019',severity:'2'"

72
rules/modsecurity_crs_45_trojans.conf
View File

@ -1,36 +1,36 @@
# --------------------------------------------------------------- # ---------------------------------------------------------------
# Core ModSecurity Rule Set # Core ModSecurity Rule Set
# Copyright (C) 2006 Breach Security Inc. All rights reserved. # Copyright (C) 2006 Breach Security Inc. All rights reserved.
# #
# The ModSecuirty Core Rule Set is distributed under GPL version 2 # The ModSecuirty Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details. # Please see the enclosed LICENCE file for full details.
# --------------------------------------------------------------- # ---------------------------------------------------------------
# The trojan access detection rules detects access to known Trojans already # The trojan access detection rules detects access to known Trojans already
# installed on a server. Uploading of Trojans is part of the Anti-Virus rules # installed on a server. Uploading of Trojans is part of the Anti-Virus rules
# and uses external Anti Virus program when uploading files. # and uses external Anti Virus program when uploading files.
# #
# Detection of Trojans access is especially important in a hosting environment # Detection of Trojans access is especially important in a hosting environment
# where the actual Trojan upload may be done through valid methods and not # where the actual Trojan upload may be done through valid methods and not
# through hacking. # through hacking.
# -- # --
# #
# NOTE Trojans detection is based on checking elements controlled by the client. # NOTE Trojans detection is based on checking elements controlled by the client.
# A determined attacked can bypass those checks. We are working on # A determined attacked can bypass those checks. We are working on
# enchaining the checks so it would require a major change in the Trojan # enchaining the checks so it would require a major change in the Trojan
# to overcome. # to overcome.
# #
# NOTE We found out that Trojan horses are not detected easily by Anti-Virus # NOTE We found out that Trojan horses are not detected easily by Anti-Virus
# software when uploading as the signature set of AV software is not tuned # software when uploading as the signature set of AV software is not tuned
# for this purpose. We are working on adding signature tuned to detect # for this purpose. We are working on adding signature tuned to detect
# Trojans upload to file uploading inspection. # Trojans upload to file uploading inspection.
# #
SecDefaultAction "log,pass,phase:2,t:lowercase,status:404" SecDefaultAction "log,pass,phase:2,t:lowercase,status:404"
SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" "ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'950110',severity:'2'" SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" "ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',,id:'950110',severity:'2'"
SecRule REQUEST_FILENAME "root\.exe" \ SecRule REQUEST_FILENAME "root\.exe" \
"t:urlDecodeUni,t:htmlEntityDecode,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'950921',severity:'2'" "t:urlDecodeUni,t:htmlEntityDecode,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',,id:'950921',severity:'2'"
SecRule RESPONSE_BODY "(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?:microsoft windows\b.{,10}\bversion\b.{,20}(c) copyright 1985-.{,10}\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\b|aventgrup\.<br>|drwxr))" \ SecRule RESPONSE_BODY "(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?:microsoft windows\b.{,10}?\bversion\b.{,20}?(c) copyright 1985-.{,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\b|aventgrup\.<br>|drwxr))" \
"phase:4,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'950922',severity:'2'" "phase:4,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',,id:'950922',severity:'2'"

141
rules/modsecurity_crs_50_outbound.conf
View File

@ -1,68 +1,73 @@
# --------------------------------------------------------------- # ---------------------------------------------------------------
# Core ModSecurity Rule Set # Core ModSecurity Rule Set
# Copyright (C) 2006 Breach Security Inc. All rights reserved. # Copyright (C) 2006 Breach Security Inc. All rights reserved.
# #
# The ModSecuirty Core Rule Set is distributed under GPL version 2 # The ModSecuirty Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details. # Please see the enclosed LICENCE file for full details.
# --------------------------------------------------------------- # ---------------------------------------------------------------
# #
# NOTE By default the status code sent is 501, which implies that the web # NOTE By default the status code sent is 501, which implies that the web
# server does not support the required operation. This is a non standard # server does not support the required operation. This is a non standard
# of this status code which normally refers to unsupported HTTP methods. # of this status code which normally refers to unsupported HTTP methods.
# It is used in order to confuse automated clients and scanners. # It is used in order to confuse automated clients and scanners.
SecDefaultAction "log,pass,status:501,phase:4" SecDefaultAction "log,pass,status:501,phase:4"
SecRule RESPONSE_BODY "\b(?:th(?:is (?:(?:analysis was produced by .{0,100} ana|report was generated by web)log|summary was generated by .{0,100} wwwstat)|ese statistics were produced by (?:getstats|pelab))|generated by webalizer)\b" \ SecRule RESPONSE_BODY "\b(?:th(?:is (?:(?:analysis was produced by .{0,100}? ana|report was generated by web)log|summary was generated by .{0,100}? wwwstat)|ese statistics were produced by (?:getstats|pelab))|generated by webalizer)\b" \
"ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Statistics Information Leakage',id:'970002',severity:'4'" "ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Statistics Information Leakage',,id:'970002',severity:'4'"
SecRule RESPONSE_BODY "\b(?:(?:s(?:(?:elect list because it is not contained in (?:an aggregate function and there is no|either an aggregate function or the) group by claus|yntax error converting the \w+ value .*? to a column of data typ)e|upplied argument is not a valid (?:(?:m(?:s |y)|postgre)sql|o(?:racle|dbc)))|(?:you have an error in your sql|incorrect) syntax near|SQL Server does not exist or access denied)\b|c(?:ould not find server '\w+' in sysservers\. execute sp_addlinkedserver\b|annot take a \w+ data type as an argument\.)|e(?:ither bof or eof is true, or the current record has been deleted\. requested\b|rror '800a01b8')|un(?:closed quotation mark before the character string\b|able to connect to postgresql server:)|microsoft (?:ole db provider for .{0,30} error '|jet database engine error '8)|(?:warning: mysql_connect\(\)|postgresql query failed):|(?:\[microsoft\]\[odbc|ora-\d{5}:) )" \ SecRule RESPONSE_BODY "\b(?:(?:s(?:(?:elect list because it is not contained in (?:an aggregate function and there is no|either an aggregate function or the) group by claus|yntax error converting the \w+ value .*? to a column of data typ)e|upplied argument is not a valid (?:(?:m(?:s |y)|postgre)sql|o(?:racle|dbc)))|(?:you have an error in your sql|incorrect) syntax near|SQL Server does not exist or access denied)\b|c(?:ould not find server '\w+' in sysservers\. execute sp_addlinkedserver\b|annot take a \w+ data type as an argument\.)|e(?:ither bof or eof is true, or the current record has been deleted\. requested\b|rror '800a01b8')|un(?:closed quotation mark before the character string\b|able to connect to postgresql server:)|microsoft (?:ole db provider for .{0,30} error '|jet database engine error '8)|(?:warning: mysql_connect\(\)|postgresql query failed):|(?:\[microsoft\]\[odbc|ora-\d{5}:) )" \
"ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'SQL Information Leakage',id:'970003',severity:'4'" "ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'SQL Information Leakage',,id:'970003',severity:'4'"
SecRule RESPONSE_BODY "(?:\b(?:adodb\.command\b.{0,100}\b(?:application uses a value of the wrong type for the current operation\b|error')|microsoft vbscript (?:compilation|runtime) (?:\(0x8|error)\b|object required: '|error '800)|(?:\/errormessage\.aspx\?error|>error 'asp)\b)" \ SecRule RESPONSE_BODY "(?:\b(?:adodb\.command\b.{0,100}?\b(?:application uses a value of the wrong type for the current operation\b|error')|microsoft vbscript (?:compilation|runtime) (?:\(0x8|error)\b|object required: '|error '800)|(?:\/errormessage\.aspx\?error|>error 'asp)\b)" \
"ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'IIS Information Leakage',id:'970004',severity:'4'" "ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'IIS Information Leakage',,id:'970004',severity:'4'"
SecRule RESPONSE_BODY "\bserver error in.{0,50}\bapplication\b" \ SecRule RESPONSE_BODY "\bserver error in.{0,50}\bapplication\b" \
"chain,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'IIS Information Leakage',id:'970904',severity:'4'" "chain,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'IIS Information Leakage',,id:'970904',severity:'4'"
SecRule RESPONSE_STATUS "!^404$" SecRule RESPONSE_STATUS "!^404$"
SecRule RESPONSE_BODY "\ban error was encountered while publishing this resource\b" \ SecRule RESPONSE_BODY "\ban error was encountered while publishing this resource\b" \
"ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'Zope Information Leakage',id:'970007',severity:'4'" "ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'Zope Information Leakage',,id:'970007',severity:'4'"
SecRule RESPONSE_BODY "\bthe error occurred in\b.{0,100}\: line\b.{0,1000}\bcoldfusion\b.*?\bstack trace \(click to expand\)\b" \ SecRule RESPONSE_BODY "\bthe error occurred in\b.{0,100}\: line\b.{0,1000}\bcoldfusion\b.*?\bstack trace \(click to expand\)\b" \
"ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'Cold Fusion Information Leakage',id:'970008',severity:'4'" "ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'Cold Fusion Information Leakage',,id:'970008',severity:'4'"
SecRule RESPONSE_BODY "\<b\>warning\<\/b\>\:\b\W*?\bon line\b" \ SecRule RESPONSE_BODY "\<b\>warning\<\/b\>\:\b\W*?\bon line\b" \
"ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'PHP Information Leakage',id:'970009',severity:'4'" "ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'PHP Information Leakage',,id:'970009',severity:'4'"
SecRule RESPONSE_BODY "\b403 forbidden\b\W*?\binternet security and acceleration server\b" \ SecRule RESPONSE_BODY "\b403 forbidden\b\W*?\binternet security and acceleration server\b" \
"ctl:auditLogParts=+E,log,auditlog,msg:'ISA server existence revealed',id:'970010',severity:'4'" "ctl:auditLogParts=+E,log,auditlog,msg:'ISA server existence revealed',,id:'970010',severity:'4'"
SecRule RESPONSE_BODY "\b<o:documentproperties>\b" \ SecRule RESPONSE_BODY "\b<o:documentproperties>\b" \
"log,auditlog,msg:'Microsoft Word document properties leakage',id:'970012',severity:'4'" "log,auditlog,msg:'Microsoft Word document properties leakage',,id:'970012',severity:'4'"
SecRule RESPONSE_BODY "(?:>\[to parent directory\]<\/a><br>|<title>index of.*?<h1>index of)" \ SecRule RESPONSE_BODY "(?:>\[to parent directory\]<\/a><br>|<title>index of.*?<h1>index of)" \
"ctl:auditLogParts=+E,deny,log,auditlog,status:403,msg:'Directory Listing',id:'970013',severity:'4'" "ctl:auditLogParts=+E,deny,log,auditlog,status:403,msg:'Directory Listing',,id:'970013',severity:'4'"
#SecRule RESPONSE_BODY "\b[a-z]\:\\." "chain,ctl:auditLogParts=+E,log,auditlog,msg:'File or Directory Names Leakage',id:'970011',severity:'4'"
#SecRule RESPONSE_BODY "!program files\\microsoft office\\(?:office|templates)" SecRule RESPONSE_BODY "(?:\b(?:(?:s(?:erver\.(?:(?:(?:htm|ur)lencod|execut)e|createobject|mappath)|cripting\.filesystemobject)|(?:response\.(?:binary)?writ|vbscript\.encod)e|wscript\.(?:network|shell))\b|javax\.servlet|<jsp:)|\.(?:(?:(?:createtex|ge)t|loadfrom)file|addheader)\b)" \
"ctl:auditLogParts=+E,log,auditlog,msg:'ASP/JSP source code leakage',,id:'970014',severity:'4'"
SecRule RESPONSE_BODY "(?:\b(?:(?:s(?:erver\.(?:(?:(?:htm|ur)lencod|execut)e|createobject|mappath)|cripting\.filesystemobject)|(?:response\.(?:binary)?writ|vbscript\.encod)e|wscript\.(?:network|shell))\b|javax\.servlet|<jsp:)|\.(?:(?:(?:createtex|ge)t|loadfrom)file|addheader)\b)" \ SecRule RESPONSE_BODY "\<\%" "chain,ctl:auditLogParts=+E,log,auditlog,msg:'ASP/JSP source code leakage',,id:'970903',severity:'4'"
"ctl:auditLogParts=+E,log,auditlog,msg:'ASP/JSP source code leakage',id:'970014',severity:'4'" SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)"
SecRule RESPONSE_BODY "\<\%" "chain,ctl:auditLogParts=+E,log,auditlog,msg:'ASP/JSP source code leakage',id:'970903',severity:'4'"
SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)" SecRule RESPONSE_BODY "(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b" \
"ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',,id:'970015',severity:'4'"
SecRule RESPONSE_BODY "(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b" \ SecRule RESPONSE_BODY "<\?(?!xml)" \
"ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',id:'970015',severity:'4'" "chain,ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',,id:'970902',severity:'4'"
SecRule RESPONSE_BODY "<\?(?!xml)" \ SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)"
"chain,ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',id:'970902',severity:'4'"
SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)" SecRule RESPONSE_BODY "\b<cf" \
"ctl:auditLogParts=+E,log,auditlog,msg:'Cold Fusion source code leakage',,id:'970016',severity:'4'"
SecRule RESPONSE_BODY "\b<cf" \
"ctl:auditLogParts=+E,log,auditlog,msg:'Cold Fusion source code leakage',id:'970016',severity:'4'" SecRule RESPONSE_BODY "[a-z]:\\\\inetpub\b" \
"t:none,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'IIS installed in default location',,id:'970018',severity:'5',chain"
SecRule RESPONSE_STATUS "^503$" "ctl:auditLogParts=+E,log,auditlog,msg:'The application is not available',id:'970901',severity:'5'" SecRule &RESOURCE:alerted_970018_iisDefLoc "@eq 0" "setvar:resource.alerted_970018_iisDefLoc"
SecRule RESPONSE_BODY "(?:(?:<h1>internal server error<\/h1>.*?<h2>part of the server has crashed or it has a configuration error\.<\/h2|microsoft ole db provider for sql server \(0x80040e31\)<br>timeout expired<br)>|cannot connect to the server: timed out)" \
"ctl:auditLogParts=+E,log,auditlog,msg:'The application is not available',id:'970118',severity:'5'" SecRule RESPONSE_STATUS "^503$" "ctl:auditLogParts=+E,log,auditlog,msg:'The application is not available',,id:'970901',severity:'5'"
SecRule RESPONSE_BODY "(?:(?:<h1>internal server error<\/h1>.*?<h2>part of the server has crashed or it has a configuration error\.<\/h2|microsoft ole db provider for sql server \(0x80040e31\)<br>timeout expired<br)>|cannot connect to the server: timed out)" \
"ctl:auditLogParts=+E,log,auditlog,msg:'The application is not available',,id:'970118',severity:'5'"
SecRule RESPONSE_STATUS "^500$" "chain,ctl:auditLogParts=+E,log,auditlog,msg:'WebLogic information disclosure',,id:'970021',severity:'4'"
SecRule RESPONSE_BODY "<title>JSP compile error</title>" t:none

46
rules/modsecurity_crs_55_marketing.conf
View File

@ -1,23 +1,23 @@
# --------------------------------------------------------------- # ---------------------------------------------------------------
# Core ModSecurity Rule Set # Core ModSecurity Rule Set
# Copyright (C) 2006 Breach Security Inc. All rights reserved. # Copyright (C) 2006 Breach Security Inc. All rights reserved.
# #
# The ModSecuirty Core Rule Set is distributed under GPL version 2 # The ModSecuirty Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details. # Please see the enclosed LICENCE file for full details.
# --------------------------------------------------------------- # ---------------------------------------------------------------
# These rules do not have a security importance, but shows other benefits of # These rules do not have a security importance, but shows other benefits of
# monitoring and logging HTTP transactions. # monitoring and logging HTTP transactions.
# -- # --
SecDefaultAction "log,pass,phase:2,t:lowercase" SecDefaultAction "log,pass,phase:2,t:lowercase"
SecRule HTTP_User-Agent "msn(?:bot|ptc)" \ SecRule REQUEST_HEADERS:User-Agent "msn(?:bot|ptc)" \
"log,auditlog,msg:'MSN robot activity',id:'910008',severity:'5'" "log,auditlog,msg:'MSN robot activity',,id:'910008',severity:'5'"
SecRule HTTP_User-Agent "\byahoo(?:-(?:mmcrawler|blogs)|! slurp)\b" \ SecRule REQUEST_HEADERS:User-Agent "\byahoo(?:-(?:mmcrawler|blogs)|! slurp)\b" \
"log,auditlog,msg:'Yahoo robot activity',id:'910007',severity:'5'" "log,auditlog,msg:'Yahoo robot activity',,id:'910007',severity:'5'"
SecRule HTTP_User-Agent "\b(?:google(?:-sitemaps|bot)|mediapartners-google)\b" \ SecRule REQUEST_HEADERS:User-Agent "(?:(?:gsa-crawler \(enterprise; s4-e9lj2b82fjjaa; me\@mycompany\.com|adsbot-google \(\+http:\/\/www\.google\.com\/adsbot\.html)\)|\b(?:google(?:-sitemaps|bot)|mediapartners-google)\b)" \
"log,auditlog,msg:'Google robot activity',id:'910006',severity:'5'" "log,auditlog,msg:'Google robot activity',,id:'910006',severity:'5'"