mirror of
https://github.com/owasp-modsecurity/ModSecurity.git
synced 2025-08-13 21:36:00 +03:00
153 lines
6.7 KiB
Plaintext
153 lines
6.7 KiB
Plaintext
# ---------------------------------------------------------------
|
|
# Core ModSecurity Rule Set
|
|
# Copyright (C) 2006 Breach Security Inc. All rights reserved.
|
|
#
|
|
# The ModSecuirty Core Rule Set is distributed under GPL version 2
|
|
# Please see the enclosed LICENCE file for full details.
|
|
# ---------------------------------------------------------------
|
|
|
|
|
|
#%name 30 - HTTP policy enforcement
|
|
#%desc The HTTP policy enforcement rule set sets limitations on the use of HTTP by clients.
|
|
|
|
# Few applications require the breadth and depth of the HTTP protocol. On the
|
|
# other hand many attacks abuse valid but rare HTTP use patterns. Restricting
|
|
# HTTP protocol usage is effective in therefore effective in blocking many
|
|
# application layer attacks.
|
|
#
|
|
# TODO If you are using the ModSecurity Core Ruleset template system you can set
|
|
# the policy limitations in the ruleset.config file. Otherwise edit this
|
|
# file manually to set you policy limitations.
|
|
#
|
|
# TODO Many automation programs use non standard HTTP requests. While you may
|
|
# want to allow some of those, try not to create exceptions only for the
|
|
# automated program based on properties such as their source IP address or
|
|
# the URL they access.
|
|
#
|
|
|
|
SecDefaultAction "pass,log,status:400,phase:2"
|
|
|
|
# allow request methods
|
|
#
|
|
# TODO Most applications only use GET, HEAD, and POST request
|
|
# methods, if so uncomment the line below. Otherwise you are advised
|
|
# to edit the line before uncommenting it.
|
|
#
|
|
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
|
|
"phase:1,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',,id:'960032',"
|
|
|
|
|
|
# Restrict which content-types we accept.
|
|
#
|
|
# TODO Most applications support only two types for request bodies
|
|
# because that is all browsers know how to produce. If you are using
|
|
# automated tools to talk to the application you may be using other
|
|
# content types and would want to change the list of supported types.
|
|
#
|
|
# Note though that ModSecurity parses only three content types:
|
|
# application/x-www-form-urlencoded, multipart/form-data request and
|
|
# text/xml. The protection provided for any other type is inferior.
|
|
#
|
|
# TODO There are many applications that are not using multipart/form-data
|
|
# types (typically only used for file uploads). This content type
|
|
# can be disabled if not used.
|
|
#
|
|
# NOTE We allow any content type to be specified with GET or HEAD
|
|
# because some tools incorrectly supply content type information
|
|
# even when the body is not present. There is a rule further in
|
|
# the file to prevent GET and HEAD requests to have bodies to we're
|
|
# safe in that respect.
|
|
#
|
|
# NOTE Use of WebDAV requires "text/xml" content type.
|
|
#
|
|
# NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports
|
|
# applications running on the PocketPC and AvantGo platforms use
|
|
# non-standard content types:
|
|
#
|
|
# M-Business iAnywhere application/x-mal-client-data
|
|
# UltraLite iAnywhere application/octet-stream
|
|
#
|
|
SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" \
|
|
"chain, t:lowercase, deny,log,auditlog,status:501,msg:'Request content type is not allowed by policy',,id:'960010',severity:'4'"
|
|
SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)"
|
|
|
|
# Restrict protocol versions.
|
|
#
|
|
# TODO All modern browsers use HTTP version 1.1. For tight security, allow only
|
|
# this version.
|
|
#
|
|
# NOTE Automation programs, both malicious and non malicious many times use
|
|
# other HTTP versions. If you want to allow a specific automated program
|
|
# to use your site, try to create a narrower expection and not allow any
|
|
# client to send HTTP requests in a version lower than 1.1
|
|
#
|
|
SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.[01])$" \
|
|
"t:none, deny,log,auditlog,status:505,msg:'HTTP protocol version is not allowed by policy', severity:'2',,id:'960034',"
|
|
|
|
# Restrict file extension
|
|
#
|
|
# TODO the list of file extensions below are virtually always considered unsafe
|
|
# and not in use in any valid program. If your application uses one of
|
|
# these extensions, please remove it from the list of blocked extensions.
|
|
# You may need to use ModSecurity Core Rule Set Templates to do so, otherwise
|
|
# comment the whole rule.
|
|
#
|
|
SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$" \
|
|
"t:urlDecodeUni, t:lowercase, deny,log,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',,id:'960035',"
|
|
|
|
|
|
|
|
# Restricted HTTP headers
|
|
#
|
|
# TODO the list of HTTP headers below are considered unsafe for your environment.
|
|
# If your application uses one of these directories, please remove it from
|
|
# the list of blocked extensions. You may need to use ModSecurity Core Rule
|
|
# Set Templates to do so, otherwise comment the whole rule.
|
|
#
|
|
SecRule REQUEST_HEADERS_NAMES "\.(?:Lock-Token|Translate|If)$" \
|
|
"deny,log,auditlog,status:500,msg:'HTTP header is restricted by policy',,id:'960038',severity:'4'"
|
|
|
|
|
|
# Restricted Content Encodings
|
|
#
|
|
# ModSecurity does not support compressed content. Therefore, the following
|
|
# action will be taken:
|
|
# - Inbound compressed content will be denied
|
|
# - Outbound compressed content will be logged once, to alert the user
|
|
# Deny inbound compressed content
|
|
SecRule REQUEST_HEADERS:Content-Encoding "!^Identity$" \
|
|
"phase:2,t:none,deny,log,auditlog,status:501,msg:'ModSecurity does not support content encodings',,id:'960902',severity:'3'"
|
|
# Log outbound compressed content (once per location)
|
|
SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" \
|
|
"phase:5,t:none,pass,log,auditlog,msg:'ModSecurity does not support content encodings',,id:'960903',severity:'4',chain"
|
|
SecRule &RESOURCE:alerted_960903_compression "@eq 0" "setvar:resource.alerted_960903_compression"
|
|
|
|
|
|
|
|
## -- Apache Limits ----------------------------------------------------------
|
|
|
|
# These are Apache limit directives, but we are including them here because
|
|
# they are often forgotten. If you already have these configured leave this
|
|
# section entirely commented-out. Otherwise review the limits and uncomment
|
|
# the directives.
|
|
|
|
# Maximum size of the request body.
|
|
#
|
|
# NOTE If your application allows file uploads the value below will
|
|
# most likely be way to low.
|
|
#
|
|
#LimitRequestBody 64000
|
|
|
|
# Maximum number of request headers in a request.
|
|
#
|
|
#LimitRequestFields 32
|
|
|
|
# Maximum size of request header lines.
|
|
#
|
|
#LimitRequestFieldSize 8000
|
|
|
|
# Maximum size of the request line.
|
|
#
|
|
#LimitRequestLine 4000
|
|
|