mirror of
https://github.com/owasp-modsecurity/ModSecurity.git
synced 2025-08-14 13:56:01 +03:00
75 lines
3.6 KiB
Plaintext
75 lines
3.6 KiB
Plaintext
# ---------------------------------------------------------------
|
|
# Core ModSecurity Rule Set
|
|
# Copyright (C) 2006 Breach Security Inc. All rights reserved.
|
|
#
|
|
# The ModSecuirty Core Rule Set is distributed under GPL version 2
|
|
# Please see the enclosed LICENCE file for full details.
|
|
# ---------------------------------------------------------------
|
|
|
|
|
|
#
|
|
# TODO in some cases a valid client (usually automated) generates requests that
|
|
# violates the HTTP protocol. Create exceptions for those clients, but try
|
|
# to limit the exception to a source IP or other additional properties of
|
|
# the request such as URL and not allow the violation generally.
|
|
#
|
|
#
|
|
|
|
# Use status code 400 response status code by default as protocol violations
|
|
# are in essence bad requests.
|
|
SecDefaultAction "log,pass,phase:1,status:400"
|
|
|
|
# Accept only digits in content length
|
|
#
|
|
SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "deny,log,auditlog,status:400,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016'"
|
|
|
|
# Do not accept GET or HEAD requests with bodies
|
|
# HTTP standard allows GET requests to have a body but this
|
|
# feature is not used in real life. Attackers could try to force
|
|
# a request body on an unsuspecting web applications.
|
|
#
|
|
SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011'"
|
|
SecRule REQUEST_HEADERS:Content-Length "!^0?$"
|
|
|
|
# Require Content-Length to be provided with every POST request.
|
|
#
|
|
SecRule REQUEST_METHOD "^POST$" "chain,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header',id:'960012',severity:'4'"
|
|
SecRule &REQUEST_HEADERS:Content-Length "@eq 0"
|
|
|
|
# Don't accept transfer encodings we know we don't know how to handle
|
|
#
|
|
# NOTE ModSecurity does not support chunked transfer encodings at
|
|
# this time. You MUST reject all such requests.
|
|
#
|
|
SecRule HTTP_Transfer-Encoding "!^$" "deny,log,auditlog,status:501,msg:'ModSecurity does not support transfer encodings',id:'960013',severity:'5'"
|
|
|
|
# Check decodings
|
|
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
|
|
"chain, deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"
|
|
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"
|
|
|
|
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,status:400,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',severity:'4'"
|
|
|
|
# Proxy access attempt
|
|
# NOTE Apache blocks such access by default if not set as a proxy. The rule is
|
|
# included in case Apache proxy is misconfigured.
|
|
SecRule REQUEST_URI ^http:/ "deny,log,auditlog,status:400,msg:'Proxy access attempt', severity:'2',id:'960014'"
|
|
|
|
#
|
|
# Restrict type of characters sent
|
|
#
|
|
# NOTE In order to be broad and support localized applications this rule
|
|
# only validates that NULL Is not used.
|
|
#
|
|
# The strict policy version also validates that protocol and application
|
|
# generated fields are limited to printable ASCII.
|
|
#
|
|
# TODO If your application use the range 32-126 for parameters.
|
|
#
|
|
SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
|
|
"@validateByteRange 1-255" \
|
|
"log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',t:urlDecodeUni,phase:1"
|
|
|
|
SecRule ARGS|ARGS_NAMES "@validateByteRange 1-255" \
|
|
"deny,log,auditlog,status:400,msg:'Invalid character in request',id:'960901',severity:'4',t:urlDecodeUni,phase:2"
|