github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-13 21:36:00 +03:00
Code Issues Packages Projects Releases Wiki Activity
ModSecurity/rules/modsecurity_crs_50_outbound.conf
brectanus efe52d4e77 Initialize rules tmp pool properly. 
Update to latest core rules.
2007-06-14 18:48:35 +00:00

74 lines
6.2 KiB
Plaintext
Raw Blame History

# ---------------------------------------------------------------
# Core ModSecurity Rule Set
# Copyright (C) 2006 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# NOTE By default the status code sent is 501, which implies that the web
# server does not support the required operation. This is a non standard
# of this status code which normally refers to unsupported HTTP methods.
# It is used in order to confuse automated clients and scanners.
SecDefaultAction "log,pass,status:501,phase:4"
SecRule RESPONSE_BODY "\b(?:th(?:is (?:(?:analysis was produced by .{0,100}? ana|report was generated by web)log|summary was generated by .{0,100}? wwwstat)|ese statistics were produced by (?:getstats|pelab))|generated by webalizer)\b" \
"ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Statistics Information Leakage',,id:'970002',severity:'4'"
SecRule RESPONSE_BODY "\b(?:(?:s(?:(?:elect list because it is not contained in (?:an aggregate function and there is no|either an aggregate function or the) group by claus|yntax error converting the \w+ value .*? to a column of data typ)e|upplied argument is not a valid (?:(?:m(?:s |y)|postgre)sql|o(?:racle|dbc)))|(?:you have an error in your sql|incorrect) syntax near|SQL Server does not exist or access denied)\b|c(?:ould not find server '\w+' in sysservers\. execute sp_addlinkedserver\b|annot take a \w+ data type as an argument\.)|e(?:ither bof or eof is true, or the current record has been deleted\. requested\b|rror '800a01b8')|un(?:closed quotation mark before the character string\b|able to connect to postgresql server:)|microsoft (?:ole db provider for .{0,30} error '|jet database engine error '8)|(?:warning: mysql_connect\(\)|postgresql query failed):|(?:\[microsoft\]\[odbc|ora-\d{5}:) )" \
"ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'SQL Information Leakage',,id:'970003',severity:'4'"
SecRule RESPONSE_BODY "(?:\b(?:adodb\.command\b.{0,100}?\b(?:application uses a value of the wrong type for the current operation\b|error')|microsoft vbscript (?:compilation|runtime) (?:\(0x8|error)\b|object required: '|error '800)|(?:\/errormessage\.aspx\?error|>error 'asp)\b)" \
"ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'IIS Information Leakage',,id:'970004',severity:'4'"
SecRule RESPONSE_BODY "\bserver error in.{0,50}\bapplication\b" \
"chain,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'IIS Information Leakage',,id:'970904',severity:'4'"
SecRule RESPONSE_STATUS "!^404$"
SecRule RESPONSE_BODY "\ban error was encountered while publishing this resource\b" \
"ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'Zope Information Leakage',,id:'970007',severity:'4'"
SecRule RESPONSE_BODY "\bthe error occurred in\b.{0,100}\: line\b.{0,1000}\bcoldfusion\b.*?\bstack trace \(click to expand\)\b" \
"ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'Cold Fusion Information Leakage',,id:'970008',severity:'4'"
SecRule RESPONSE_BODY "\<b\>warning\<\/b\>\:\b\W*?\bon line\b" \
"ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'PHP Information Leakage',,id:'970009',severity:'4'"
SecRule RESPONSE_BODY "\b403 forbidden\b\W*?\binternet security and acceleration server\b" \
"ctl:auditLogParts=+E,log,auditlog,msg:'ISA server existence revealed',,id:'970010',severity:'4'"
SecRule RESPONSE_BODY "\b<o:documentproperties>\b" \
"log,auditlog,msg:'Microsoft Word document properties leakage',,id:'970012',severity:'4'"
SecRule RESPONSE_BODY "(?:>\[to parent directory\]<\/a><br>|<title>index of.*?<h1>index of)" \
"ctl:auditLogParts=+E,deny,log,auditlog,status:403,msg:'Directory Listing',,id:'970013',severity:'4'"
SecRule RESPONSE_BODY "(?:\b(?:(?:s(?:erver\.(?:(?:(?:htm|ur)lencod|execut)e|createobject|mappath)|cripting\.filesystemobject)|(?:response\.(?:binary)?writ|vbscript\.encod)e|wscript\.(?:network|shell))\b|javax\.servlet|<jsp:)|\.(?:(?:(?:createtex|ge)t|loadfrom)file|addheader)\b)" \
"ctl:auditLogParts=+E,log,auditlog,msg:'ASP/JSP source code leakage',,id:'970014',severity:'4'"
SecRule RESPONSE_BODY "\<\%" "chain,ctl:auditLogParts=+E,log,auditlog,msg:'ASP/JSP source code leakage',,id:'970903',severity:'4'"
SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)"
SecRule RESPONSE_BODY "(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b" \
"ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',,id:'970015',severity:'4'"
SecRule RESPONSE_BODY "<\?(?!xml)" \
"chain,ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',,id:'970902',severity:'4'"
SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)"
SecRule RESPONSE_BODY "\b<cf" \
"ctl:auditLogParts=+E,log,auditlog,msg:'Cold Fusion source code leakage',,id:'970016',severity:'4'"
SecRule RESPONSE_BODY "[a-z]:\\\\inetpub\b" \
"t:none,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'IIS installed in default location',,id:'970018',severity:'5',chain"
SecRule &RESOURCE:alerted_970018_iisDefLoc "@eq 0" "setvar:resource.alerted_970018_iisDefLoc"
SecRule RESPONSE_STATUS "^503$" "ctl:auditLogParts=+E,log,auditlog,msg:'The application is not available',,id:'970901',severity:'5'"
SecRule RESPONSE_BODY "(?:(?:<h1>internal server error<\/h1>.*?<h2>part of the server has crashed or it has a configuration error\.<\/h2|microsoft ole db provider for sql server \(0x80040e31\)<br>timeout expired<br)>|cannot connect to the server: timed out)" \
"ctl:auditLogParts=+E,log,auditlog,msg:'The application is not available',,id:'970118',severity:'5'"
SecRule RESPONSE_STATUS "^500$" "chain,ctl:auditLogParts=+E,log,auditlog,msg:'WebLogic information disclosure',,id:'970021',severity:'4'"
SecRule RESPONSE_BODY "<title>JSP compile error</title>" t:none
Reference in New Issue View Git Blame Copy Permalink