index of.*?<h1>index of)" \ "ctl:auditLogParts=+E,deny,log,auditlog,status:403,msg:'Directory Listing',id:'970013',severity:'4'" #SecRule RESPONSE_BODY "\b[a-z]\:\\." "chain,ctl:auditLogParts=+E,log,auditlog,msg:'File or Directory Names Leakage',id:'970011',severity:'4'" #SecRule RESPONSE_BODY "!program files\\microsoft office\\(?:office|templates)" SecRule RESPONSE_BODY "(?:\b(?:(?:s(?:erver\.(?:(?:(?:htm|ur)lencod|execut)e|createobject|mappath)|cripting\.filesystemobject)|(?:response\.(?:binary)?writ|vbscript\.encod)e|wscript\.(?:network|shell))\b|javax\.servlet|<jsp:)|\.(?:(?:(?:createtex|ge)t|loadfrom)file|addheader)\b)" \ "ctl:auditLogParts=+E,log,auditlog,msg:'ASP/JSP source code leakage',id:'970014',severity:'4'" SecRule RESPONSE_BODY "\<\%" "chain,ctl:auditLogParts=+E,log,auditlog,msg:'ASP/JSP source code leakage',id:'970903',severity:'4'" SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)" SecRule RESPONSE_BODY "(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b" \ "ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',id:'970015',severity:'4'" SecRule RESPONSE_BODY "<\?(?!xml)" \ "chain,ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',id:'970902',severity:'4'" SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)" SecRule RESPONSE_BODY "\b<cf" \ "ctl:auditLogParts=+E,log,auditlog,msg:'Cold Fusion source code leakage',id:'970016',severity:'4'" SecRule RESPONSE_STATUS "^503$" "ctl:auditLogParts=+E,log,auditlog,msg:'The application is not available',id:'970901',severity:'5'" SecRule RESPONSE_BODY "(?:(?:<h1>internal server error<\/h1>.*?<h2>part of the server has crashed or it has a configuration error\.<\/h2|microsoft ole db provider for sql server $0x80040e31$<br>timeout expired<br)>|cannot connect to the server: timed out)" \ "ctl:auditLogParts=+E,log,auditlog,msg:'The application is not available',id:'970118',severity:'5'"

# --------------------------------------------------------------- # Core ModSecurity Rule Set # Copyright (C) 2006 Breach Security Inc. All rights reserved. # # The ModSecuirty Core Rule Set is distributed under GPL version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # NOTE By default the status code sent is 501, which implies that the web # server does not support the required operation. This is a non standard # of this status code which normally refers to unsupported HTTP methods. # It is used in order to confuse automated clients and scanners. SecDefaultAction "log,pass,status:501,phase:4" SecRule RESPONSE_BODY "\b(?:th(?:is (?:(?:analysis was produced by .{0,100} ana|report was generated by web)log|summary was generated by .{0,100} wwwstat)|ese statistics were produced by (?:getstats|pelab))|generated by webalizer)\b" \ "ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Statistics Information Leakage',id:'970002',severity:'4'" SecRule RESPONSE_BODY "\b(?:(?:s(?:(?:elect list because it is not contained in (?:an aggregate function and there is no|either an aggregate function or the) group by claus|yntax error converting the \w+ value .*? to a column of data typ)e|upplied argument is not a valid (?:(?:m(?:s |y)|postgre)sql|o(?:racle|dbc)))|(?:you have an error in your sql|incorrect) syntax near|SQL Server does not exist or access denied)\b|c(?:ould not find server '\w+' in sysservers\. execute sp_addlinkedserver\b|annot take a \w+ data type as an argument\.)|e(?:ither bof or eof is true, or the current record has been deleted\. requested\b|rror '800a01b8')|un(?:closed quotation mark before the character string\b|able to connect to postgresql server:)|microsoft (?:ole db provider for .{0,30} error '|jet database engine error '8)|(?:warning: mysql_connect|postgresql query failed):|(?:\[microsoft\]\[odbc|ora-\d{5}:) )" \ "ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'SQL Information Leakage',id:'970003',severity:'4'" SecRule RESPONSE_BODY "(?:\b(?:adodb\.command\b.{0,100}\b(?:application uses a value of the wrong type for the current operation\b|error')|microsoft vbscript (?:compilation|runtime) (?:$0x8|error)\b|object required: '|error '800)|(?:\/errormessage\.aspx\?error|>error 'asp)\b)" \ "ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'IIS Information Leakage',id:'970004',severity:'4'" SecRule RESPONSE_BODY "\bserver error in.{0,50}\bapplication\b" \ "chain,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'IIS Information Leakage',id:'970904',severity:'4'" SecRule RESPONSE_STATUS "!^404$" SecRule RESPONSE_BODY "\ban error was encountered while publishing this resource\b" \ "ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'Zope Information Leakage',id:'970007',severity:'4'" SecRule RESPONSE_BODY "\bthe error occurred in\b.{0,100}\: line\b.{0,1000}\bcoldfusion\b.*?\bstack trace \(click to expand$\b" \ "ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'Cold Fusion Information Leakage',id:'970008',severity:'4'" SecRule RESPONSE_BODY "\warning\<\/b\>\:\b\W*?\bon line\b" \ "ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'PHP Information Leakage',id:'970009',severity:'4'" SecRule RESPONSE_BODY "\b403 forbidden\b\W*?\binternet security and acceleration server\b" \ "ctl:auditLogParts=+E,log,auditlog,msg:'ISA server existence revealed',id:'970010',severity:'4'" SecRule RESPONSE_BODY "\b\b" \ "log,auditlog,msg:'Microsoft Word document properties leakage',id:'970012',severity:'4'" SecRule RESPONSE_BODY "(?:>\[to parent directory\]<\/a>
|index of.*?<h1>index of)" \ "ctl:auditLogParts=+E,deny,log,auditlog,status:403,msg:'Directory Listing',id:'970013',severity:'4'" #SecRule RESPONSE_BODY "\b[a-z]\:\\." "chain,ctl:auditLogParts=+E,log,auditlog,msg:'File or Directory Names Leakage',id:'970011',severity:'4'" #SecRule RESPONSE_BODY "!program files\\microsoft office\\(?:office|templates)" SecRule RESPONSE_BODY "(?:\b(?:(?:s(?:erver\.(?:(?:(?:htm|ur)lencod|execut)e|createobject|mappath)|cripting\.filesystemobject)|(?:response\.(?:binary)?writ|vbscript\.encod)e|wscript\.(?:network|shell))\b|javax\.servlet|<jsp:)|\.(?:(?:(?:createtex|ge)t|loadfrom)file|addheader)\b)" \ "ctl:auditLogParts=+E,log,auditlog,msg:'ASP/JSP source code leakage',id:'970014',severity:'4'" SecRule RESPONSE_BODY "\<\%" "chain,ctl:auditLogParts=+E,log,auditlog,msg:'ASP/JSP source code leakage',id:'970903',severity:'4'" SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)" SecRule RESPONSE_BODY "(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b" \ "ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',id:'970015',severity:'4'" SecRule RESPONSE_BODY "<\?(?!xml)" \ "chain,ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',id:'970902',severity:'4'" SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)" SecRule RESPONSE_BODY "\b<cf" \ "ctl:auditLogParts=+E,log,auditlog,msg:'Cold Fusion source code leakage',id:'970016',severity:'4'" SecRule RESPONSE_STATUS "^503$" "ctl:auditLogParts=+E,log,auditlog,msg:'The application is not available',id:'970901',severity:'5'" SecRule RESPONSE_BODY "(?:(?:<h1>internal server error<\/h1>.*?<h2>part of the server has crashed or it has a configuration error\.<\/h2|microsoft ole db provider for sql server $0x80040e31$<br>timeout expired<br)>|cannot connect to the server: timed out)" \ "ctl:auditLogParts=+E,log,auditlog,msg:'The application is not available',id:'970118',severity:'5'"