# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.1.5.1 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved. # # The ModSecuirty Core Rule Set is distributed under GPL version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # TODO in some cases a valid client (usually automated) generates requests that # violates the HTTP protocol. Create exceptions for those clients, but try # to limit the exception to a source IP or other additional properties of # the request such as URL and not allow the violation generally. # # Use status code 400 response status code by default as protocol violations # are in essence bad requests. SecDefaultAction "log,pass,phase:2,status:400" # Do not accept requests without common headers. # Implies either an attacker or a legitimate automation client. # # Exception for Apache SSL pinger SecRule REQUEST_LINE "^GET /$" "chain,skip:8,nolog,pass" SecRule REMOTE_ADDR "^127\.0\.0\.1$" # Exception for Apache internal dummy connection SecRule REQUEST_LINE "^GET / HTTP/1.0$" "chain,skip:5,nolog,pass" SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain" SecRule REQUEST_HEADERS:User-Agent "^Apache.*\(internal dummy connection\)$" "t:none" # Detect HTTP/0.9 Requests SecRule REQUEST_PROTOCOL ^http/0.9$ "t:lowercase,log,auditlog,msg:'HTTP/0.9 Request Detected',id:'960019',severity:'4'" SecRule &REQUEST_HEADERS:Host "@eq 0" \ "skip:1,log,auditlog,msg:'Request Missing a Host Header',id:'960008',severity:'4'" SecRule REQUEST_HEADERS:Host "^$" \ "log,auditlog,msg:'Request Missing a Host Header',id:'960008',severity:'4'" SecRule &REQUEST_HEADERS:Accept "@eq 0" \ "chain,skip:1,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015'" SecRule REQUEST_METHOD "!^OPTIONS$" "t:none" SecRule REQUEST_HEADERS:Accept "^$" \ "chain,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015'" SecRule REQUEST_METHOD "!^OPTIONS$" "t:none" SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \ "skip:1,log,auditlog,msg:'Request Missing a User Agent Header',id:'960009',severity:'4'" SecRule REQUEST_HEADERS:User-Agent "^$" \ "log,auditlog,msg:'Request Missing a User Agent Header',id:'960009',severity:'4'" SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \ "chain,log,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:'960904',severity:'4'" SecRule REQUEST_HEADERS:Content-Length "!^0$" # Check that the host header is not an IP address # SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "deny,log,auditlog,status:400,msg:'Host header is a numeric IP address', severity:'2',id:'960017'" # Log a security event when the request is rejected by apache # SecRule RESPONSE_STATUS ^400$ "t:none,phase:5,chain,log,auditlog,msg:'Invalid request',id:'960913',severity:'2'" SecRule WEBSERVER_ERROR_LOG !ModSecurity