├── .kitchen.yml ├── Berksfile ├── CONTRIBUTORS.md ├── LICENSE ├── README.md ├── Vagrantfile ├── attributes └── default.rb ├── metadata.rb ├── recipes └── default.rb ├── templates └── default │ ├── REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example.erb │ ├── REQUEST-901-INITIALIZATION.conf.erb │ ├── REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf.erb │ ├── REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf.erb │ ├── REQUEST-905-COMMON-EXCEPTIONS.conf.erb │ ├── REQUEST-910-IP-REPUTATION.conf.erb │ ├── REQUEST-911-METHOD-ENFORCEMENT.conf.erb │ ├── REQUEST-912-DOS-PROTECTION.conf.erb │ ├── REQUEST-913-SCANNER-DETECTION.conf.erb │ ├── REQUEST-920-PROTOCOL-ENFORCEMENT.conf.erb │ ├── REQUEST-921-PROTOCOL-ATTACK.conf.erb │ ├── REQUEST-930-APPLICATION-ATTACK-LFI.conf.erb │ ├── REQUEST-931-APPLICATION-ATTACK-RFI.conf.erb │ ├── REQUEST-932-APPLICATION-ATTACK-RCE.conf.erb │ ├── REQUEST-933-APPLICATION-ATTACK-PHP.conf.erb │ ├── REQUEST-941-APPLICATION-ATTACK-XSS.conf.erb │ ├── REQUEST-942-APPLICATION-ATTACK-SQLI.conf.erb │ ├── REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf.erb │ ├── REQUEST-949-BLOCKING-EVALUATION.conf.erb │ ├── RESPONSE-950-DATA-LEAKAGES.conf.erb │ ├── RESPONSE-951-DATA-LEAKAGES-SQL.conf.erb │ ├── RESPONSE-952-DATA-LEAKAGES-JAVA.conf.erb │ ├── RESPONSE-953-DATA-LEAKAGES-PHP.conf.erb │ ├── RESPONSE-954-DATA-LEAKAGES-IIS.conf.erb │ ├── RESPONSE-959-BLOCKING-EVALUATION.conf.erb │ ├── RESPONSE-980-CORRELATION.conf.erb │ ├── RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example.erb │ ├── crawlers-user-agents.data.erb │ ├── crs-setup.conf.erb │ ├── fastly_test_rules.conf.erb │ ├── headers.conf.erb │ ├── iis-errors.data.erb │ ├── index.html.erb │ ├── java-code-leakages.data.erb │ ├── java-errors.data.erb │ ├── lfi-os-files.data.erb │ ├── modsecurity.conf.erb │ ├── php-config-directives.data.erb │ ├── php-errors.data.erb │ ├── php-function-names-933150.data.erb │ ├── php-function-names-933151.data.erb │ ├── php-variables.data.erb │ ├── ports.conf.erb │ ├── 
restricted-files.data.erb │ ├── scanners-headers.data.erb │ ├── scanners-urls.data.erb │ ├── scanners-user-agents.data.erb │ ├── scripting-user-agents.data.erb │ ├── sql-errors.data.erb │ ├── sql-function-names.data.erb │ ├── unicode.mapping.erb │ ├── unix-shell.data.erb │ ├── vhost.conf.erb │ └── windows-powershell-commands.data.erb └── test └── integration └── default └── default_spec.rb /.kitchen.yml: -------------------------------------------------------------------------------- 1 | --- 2 | driver: 3 | name: vagrant 4 | 5 | provisioner: 6 | name: chef_zero 7 | require_chef_omnibus: 12.21.12 8 | 9 | transport: 10 | forward_agent: true 11 | username: vagrant 12 | 13 | verifier: 14 | name: inspec 15 | format: doc 16 | 17 | platforms: 18 | - name: ubuntu-14.04 19 | 20 | suites: 21 | - name: default 22 | run_list: 23 | - recipe[waf_testbed::default] 24 | attributes: 25 | -------------------------------------------------------------------------------- /Berksfile: -------------------------------------------------------------------------------- 1 | source 'https://supermarket.chef.io' 2 | 3 | metadata 4 | cookbook 'apt', '~> 3.0.0' 5 | cookbook 'git' 6 | cookbook 'poise-python', '~> 1.7.0' 7 | -------------------------------------------------------------------------------- /CONTRIBUTORS.md: -------------------------------------------------------------------------------- 1 | ## Contributors 2 | 3 | The following people have contributed to the waf_testbed project 4 | 5 | - Christian Peron 6 | - Zack Allen 7 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions.
8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. 
For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | Copyright 2016-2017 Fastly 181 | 182 | Licensed under the Apache License, Version 2.0 (the "License"); 183 | you may not use this file except in compliance with the License. 
184 | You may obtain a copy of the License at 185 | 186 | http://www.apache.org/licenses/LICENSE-2.0 187 | 188 | Unless required by applicable law or agreed to in writing, software 189 | distributed under the License is distributed on an "AS IS" BASIS, 190 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 191 | See the License for the specific language governing permissions and 192 | limitations under the License. 193 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # waf_testbed 2 | 3 | ## Purpose 4 | 5 | Cookbook to create a WAF rule testing environment. This cookbook will provision apache2, 6 | modsecurity and version 3.0.2 of the OWASP core ruleset. In addition, this cookbook will 7 | provision services for both HTTP/HTTPS. This cookbook installs the Framework for Testing WAFs 8 | (FTW) package in addition to the OWASP core ruleset regression tests (projects linked below).
9 | 10 | [FTW](https://github.com/fastly/ftw) 11 | 12 | [OWASP regression tests](https://github.com/SpiderLabs/OWASP-CRS-regressions) 13 | 14 | ## Dependencies 15 | 16 | To use the Vagrantfile, you will need the vagrant-berkshelf plugin installed: 17 | 18 | % vagrant plugin install vagrant-berkshelf 19 | 20 | Both the Vagrantfile (`config.ssh.forward_agent = true`) and `.kitchen.yml` (`forward_agent: true`) forward your SSH agent into the guest. Nothing in the recipe needs it (FTW and the regression tests are cloned over public HTTPS), so disable it unless you are happy for code running inside the box to use your keys. Set the following attribute to choose the engine mode: `On` blocks offending transactions, while `DetectionOnly` (the cookbook default) only logs them: 21 | 22 | ``` 23 | default['waf_testbed']['engine_mode'] = 'On' 24 | ``` 25 | 26 | 27 | To view the audit trails associated with mod security: 28 | 29 | ``` 30 | /var/log/apache2/modsec_audit.log 31 | ``` 32 | 33 | To view the logs associated with mod security: 34 | 35 | ``` 36 | /var/log/apache2-default/error_log 37 | ``` 38 | -------------------------------------------------------------------------------- /Vagrantfile: -------------------------------------------------------------------------------- 1 | # 2 | # apache2+mod_security vagrant box 3 | # 4 | Vagrant.configure(2) do |config| 5 | config.ssh.forward_agent = true 6 | config.vm.define 'modsec0' do |modsec_conf| 7 | modsec_conf.vm.box = 'ubuntu/trusty64' 8 | modsec_conf.berkshelf.enabled = true 9 | modsec_conf.berkshelf.berksfile_path = './Berksfile' 10 | modsec_conf.vm.network 'private_network', ip: '192.168.50.75' 11 | modsec_conf.vm.provider 'virtualbox' do |v| 12 | v.memory = 512 13 | v.cpus = 2 14 | end 15 | modsec_conf.vm.provision :chef_solo do |chef| 16 | chef.add_recipe('waf_testbed::default') 17 | end 18 | end 19 | end 20 | -------------------------------------------------------------------------------- /attributes/default.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Specify which mode we want the WAF engine operating in.
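# On: Prevention mode (will terminate the HTTP transaction)
# DetectionOnly: Passively monitor, log but do NOT impact the HTTP transaction (default)
#
default['waf_testbed']['engine_mode'] = 'DetectionOnly'
default['waf_testbed']['ftw']['use_git'] = true
default['waf_testbed']['ftw']['branch'] = 'master'
default['waf_testbed']['ftw']['pip_version'] = '1.0.1'
--------------------------------------------------------------------------------
/metadata.rb:
--------------------------------------------------------------------------------
name 'waf_testbed'
maintainer 'Team Security'
maintainer_email 'team-security@fastly.com'
license 'apache'
description 'Installs/Configures waf_testbed'
long_description 'Installs/Configures waf_testbed'
version '0.2.0'

depends 'apt', '~> 3.0.0'
depends 'httpd'
depends 'git'
depends 'poise-python'
--------------------------------------------------------------------------------
/recipes/default.rb:
--------------------------------------------------------------------------------
#
# Cookbook Name:: waf_testbed
# Recipe:: default
#
# Copyright (c) 2016 Fastly, Inc. All Rights Reserved.
#
# Provisions an apache2 + mod_security host running the OWASP Core Rule Set
# (rendered from the templates shipped with this cookbook) together with the
# tooling used to exercise it: the Framework for Testing WAFs (FTW) and the
# CRS regression test corpus. This is a throwaway test box, not a production
# edge; several shortcuts below (unpinned upstreams, curl for poking at the
# WAF) are acceptable only in that context.

include_recipe 'apt'
include_recipe 'git'
include_recipe 'poise-python'

# FTW is installed into a Python 2 runtime managed by poise-python.
python_runtime '2'

# Install FTW either from a git checkout (to test an experimental branch) or
# from PyPI at a pinned version.
#
# SUPPLY-CHAIN NOTE: the git path tracks a moving branch ('master' by default)
# and then runs the checkout's setup.py via `pip install -e .`, i.e. it executes
# whatever sits at the head of that branch at converge time. Point
# node['waf_testbed']['ftw']['branch'] at a tag or commit SHA when runs need to
# be reproducible, or set use_git to false to install the pinned pip release.
if node['waf_testbed']['ftw']['use_git']
  git '/opt/ftw' do
    repository 'https://github.com/fastly/ftw.git'
    branch node['waf_testbed']['ftw']['branch']
    action :sync
    # Only re-run the editable install when the checkout actually changed.
    notifies :run, 'python_execute[install ftw]', :immediately
  end

  python_execute 'install ftw' do
    action :nothing
    command '-m pip install -e .'
    cwd '/opt/ftw'
  end
else
  python_package 'ftw' do
    version node['waf_testbed']['ftw']['pip_version']
  end
end

# Check out the latest CRS regression tests. `revision 'master'` is likewise
# unpinned; nothing in this recipe executes the checkout, but pin a SHA here
# too when results have to be repeatable across converges.
git '/opt/owasp-crs-regressions' do
  repository 'https://github.com/SpiderLabs/OWASP-CRS-regressions.git'
  revision 'master'
  action :sync
end

# NB: for debugging purposes only (hand-crafting requests against the WAF).
package 'curl' do
  action :install
end

httpd_service 'default' do
  action [:create, :start]
end

# mod_security itself plus the Apache modules the rendered configuration is
# expected to rely on (unique_id, headers, ssl and its shmcb session cache --
# see the corresponding templates). Order matches the original declarations.
%w[security2 unique_id headers ssl socache_shmcb].each do |mod|
  httpd_module mod do
    action :create
  end
end

# Document root served by the test vhost.
directory '/usr/local/waftest' do
  owner 'root'
  group 'root'
  mode '0755'
  action :create
end

# Static landing page. A plain HTML file does not need the execute bit, so it
# is installed 0644 (it was previously 0755).
template '/usr/local/waftest/index.html' do
  source 'index.html.erb'
  owner 'root'
  group 'root'
  mode '0644'
  action :create
  notifies :restart, 'httpd_service[default]'
end

# Apache configuration fragments: CRS setup, the mod_security engine config
# (which is where node['waf_testbed']['engine_mode'] is expected to land),
# response headers, the vhost, the local test rules and the listening ports.
# Each fragment restarts Apache when its rendered content changes.
%w[crs-setup modsecurity headers vhost fastly_test_rules ports].each do |conf|
  httpd_config conf do
    source "#{conf}.conf.erb"
    notifies :restart, 'httpd_service[default]'
  end
end

template '/etc/modsecurity/unicode.mapping' do
  source 'unicode.mapping.erb'
  owner 'root'
  group 'root'
  mode '0644'
  notifies :restart, 'httpd_service[default]'
end

# OWASP CRS 3.0.2 rule files and the data files they reference, rendered from
# the templates shipped with this cookbook. The order of this list is not
# significant to Chef; which files Apache loads, and in what order, is
# presumably governed by the Include directives in the rendered configuration.
msc_rules_collection = %w[
  REQUEST-901-INITIALIZATION.conf
  REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
  REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
  REQUEST-905-COMMON-EXCEPTIONS.conf
  REQUEST-910-IP-REPUTATION.conf
  REQUEST-911-METHOD-ENFORCEMENT.conf
  REQUEST-912-DOS-PROTECTION.conf
  REQUEST-913-SCANNER-DETECTION.conf
  REQUEST-920-PROTOCOL-ENFORCEMENT.conf
  REQUEST-921-PROTOCOL-ATTACK.conf
  REQUEST-930-APPLICATION-ATTACK-LFI.conf
  REQUEST-931-APPLICATION-ATTACK-RFI.conf
  REQUEST-932-APPLICATION-ATTACK-RCE.conf
  REQUEST-933-APPLICATION-ATTACK-PHP.conf
  REQUEST-941-APPLICATION-ATTACK-XSS.conf
  REQUEST-942-APPLICATION-ATTACK-SQLI.conf
  REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
  REQUEST-949-BLOCKING-EVALUATION.conf
  RESPONSE-950-DATA-LEAKAGES.conf
  RESPONSE-951-DATA-LEAKAGES-SQL.conf
  RESPONSE-952-DATA-LEAKAGES-JAVA.conf
  RESPONSE-953-DATA-LEAKAGES-PHP.conf
  RESPONSE-954-DATA-LEAKAGES-IIS.conf
  RESPONSE-959-BLOCKING-EVALUATION.conf
  RESPONSE-980-CORRELATION.conf
  crawlers-user-agents.data
  iis-errors.data
  java-code-leakages.data
  java-errors.data
  lfi-os-files.data
  php-config-directives.data
  php-errors.data
  php-function-names-933150.data
  php-function-names-933151.data
  php-variables.data
  restricted-files.data
  scanners-headers.data
  scanners-urls.data
  scanners-user-agents.data
  scripting-user-agents.data
  sql-errors.data
  sql-function-names.data
  unix-shell.data
  windows-powershell-commands.data
].freeze

# Rule and data files are root-owned and world-readable but not writable by
# the web server user; the mode is now explicit instead of inherited from the
# umask at converge time.
msc_rules_collection.each do |rule_file|
  template "/etc/modsecurity/#{rule_file}" do
    source "#{rule_file}.erb"
    owner 'root'
    group 'root'
    mode '0644'
    notifies :restart, 'httpd_service[default]'
  end
end
--------------------------------------------------------------------------------
/templates/default/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example.erb:
--------------------------------------------------------------------------------
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# The purpose of this file is to hold LOCAL exceptions for your site. The
# types of rules that would go into this file are one where you want to
# short-circuit inspection and allow certain transactions to pass through
# inspection or if you want to alter rules that are applied.
#
# This file is named REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example for a
# very specific reason. Files affixed with the .example extension are designed
# to contain user created/modified data. The '.example'. extension should be
# renamed to end in .conf. The advantage of this is that when OWASP CRS is
# updated, the updates will not overwrite a user generated configuration file.
#
# As a result of this design paradigm users are encouraged NOT to directly
# modify rules. Instead they should use this
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and the
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS file to modify OWASP rules using
# methods similar to the examples specified below.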
27 | # 28 | # REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and 29 | # RESPONSE-999-EXCLUSION-RULES-AFTER-CRS serve different purposes. ModSecurity 30 | # effectively maintains two different context: startup, and per transaction. 31 | # As a rule, directives are processed within the startup context. While they 32 | # can affect the per transaction context they generally remain fixed during the 33 | # execution of ModSecurity. 34 | # 35 | # As a result if one wanted to disable a rule at bootup the SecRuleRemoveById 36 | # directive or one of its siblings would have to be placed AFTER the rule is 37 | # listed, otherwise it will not have knowledge of the rules existence (since 38 | # these rules are read in at the same time). This means that when using 39 | # directives that effect SecRules, these exceptions should be placed AFTER all 40 | # the existing rules. This is why RESPONSE-999-EXCLUSION-RULES-AFTER-CRS is 41 | # designed such that it loads LAST. 42 | # 43 | # Conversely, ModSecurity supports several actions that can change the state of 44 | # the underlying configuration during the per transaction context, this is when 45 | # rules are being processed. Generally, these are accomplished by using the 46 | # 'ctl' action. As these are part of a rule, they will be evaluated in the 47 | # order rules are applied (by physical location, considering phases). As a 48 | # result of this ordering a 'ctl' action should be placed with consideration to 49 | # when it will be executed. This is particularly relevant for the 'ctl' options 50 | # that involve modifying ID's (such as ruleRemoveById). In these cases it is 51 | # important that such rules are placed BEFORE the rule ID they will affect. 52 | # Unlike the setup context, by the time we process rules in the per-transaction 53 | # context, we are already aware of all the rule ID's. It is by this logic that 54 | # we include rules such as this BEFORE all the remaining rules. 
As a result 55 | # REQUEST-900-EXCLUSION-RULES-BEFORE-CRS is designed to load FIRST. 56 | # 57 | # As a general rule: 58 | # ctl:ruleEngine -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS 59 | # ctl:ruleRemoveById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS 60 | # ctl:ruleRemoveByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS 61 | # ctl:ruleRemoveByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS 62 | # ctl:ruleRemoveTargetById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS 63 | # ctl:ruleRemoveTargetByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS 64 | # ctl:ruleRemoveTargetByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS 65 | # 66 | # SecRuleRemoveById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS 67 | # SecRuleRemoveByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS 68 | # SecRuleRemoveByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS 69 | # SecRuleUpdateActionById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS 70 | # SecRuleUpdateTargetById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS 71 | # SecRuleUpdateTargetByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS 72 | # SecRuleUpdateTargetByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS 73 | # 74 | # 75 | # What follows are a group of examples that show you how to perform rule 76 | # exclusions. 77 | # 78 | # 79 | # Example Exclusion Rule: Disable inspection for an authorized client 80 | # 81 | # This ruleset allows you to control how ModSecurity will handle traffic 82 | # originating from Authorized Vulnerability Scanning (AVS) sources. 
See 83 | # related blog post - 84 | # http://blog.spiderlabs.com/2010/12/advanced-topic-of-the-week-handling-authorized-scanning-traffic.html 85 | # 86 | # White-list ASV network block (no blocking or logging of AVS traffic) Update 87 | # IP network block as appropriate for your AVS traffic 88 | # 89 | # ModSec Rule Exclusion: Disable Rule Engine for known ASV IP 90 | # SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \ 91 | # "phase:1,id:1000,pass,nolog,ctl:ruleEngine=Off" 92 | # 93 | # 94 | # Example Exclusion Rule: Removing a specific ARGS parameter from inspection 95 | # for an individual rule 96 | # 97 | # This rule shows how to conditionally exclude the "password" 98 | # parameter for rule 942100 when the REQUEST_URI is /index.php 99 | # ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection 100 | # 101 | # SecRule REQUEST_URI "@beginsWith /index.php" \ 102 | # "id:1001,phase:1,pass,nolog, \ 103 | # ctl:ruleRemoveTargetById=942100;ARGS:password" 104 | # 105 | # 106 | # Example Exclusion Rule: Removing a specific ARGS parameter from inspection 107 | # for only certain attacks 108 | # 109 | # Attack rules within the CRS are tagged, with tags such as 'attack-lfi', 110 | # 'attack-sqli', 'attack-xss', 'attack-injection-php', et cetera. 111 | # 112 | # ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd 113 | # for all rules tagged attack-sqli 114 | # SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \ 115 | # "id:1002,phase:request,pass,nolog,\ 116 | # ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:pwd" 117 | # 118 | 119 | # Example Exclusion Rule: Removing a specific ARGS parameter from inspection 120 | # for all CRS rules 121 | # 122 | # This rule illustrates that we can use tagging very effectively to whitelist a 123 | # common false positive across an entire ModSecurity instance. This can be done 124 | # because every rule in OWASP_CRS is tagged with OWASP_CRS. This will NOT 125 | # affect custom rules. 
126 | # 127 | # ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd 128 | # for all CRS rules 129 | # SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \ 130 | # "id:1003,phase:request,pass,nolog,\ 131 | # ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd" 132 | 133 | # 134 | # Example Exclusion Rule: Removing a range of rules 135 | # 136 | # This rule illustrates that we can remove a rule range via a ctl action. 137 | # This uses the fact, that rules are grouped by topic in rule files covering 138 | # a certain id range. 139 | # 140 | # ModSecurity Rule Exclusion: Disable all SQLi and XSS rules 141 | # SecRule REQUEST_FILENAME "@beginsWith /admin" \ 142 | # "id:1004,phase:request,pass,nolog,\ 143 | # ctl:ruleRemoveById=941000-942999" 144 | # 145 | # 146 | # The application specific rule exclusion files 147 | # REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf 148 | # REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf 149 | # bring additional examples which can be useful then tuning a service. 150 | -------------------------------------------------------------------------------- /templates/default/REQUEST-901-INITIALIZATION.conf.erb: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------ 2 | # OWASP ModSecurity Core Rule Set ver.3.0.2 3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved. 4 | # 5 | # The OWASP ModSecurity Core Rule Set is distributed under 6 | # Apache Software License (ASL) version 2 7 | # Please see the enclosed LICENSE file for full details. 8 | # ------------------------------------------------------------------------ 9 | 10 | # 11 | # This file REQUEST-901-INITIALIZATION.conf initializes the Core Rules 12 | # and performs preparatory actions. It also fixes errors and omissions 13 | # of variable definitions in the file crs-setup.conf. 
14 | # The setup.conf can and should be edited by the user, this file 15 | # is part of the CRS installation and should not be altered. 16 | # 17 | 18 | 19 | # 20 | # -=[ Rules Version ]=- 21 | # 22 | # Rule version data is added to the "Producer" line of Section H of the Audit log: 23 | # 24 | # - Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0. 25 | # 26 | # Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature 27 | # 28 | SecComponentSignature "OWASP_CRS/3.0.2" 29 | 30 | # 31 | # -=[ Default setup values ]=- 32 | # 33 | # The CRS checks the tx.crs_setup_version variable to ensure that the setup 34 | # file is included at the correct time. This detects situations where 35 | # necessary settings are not defined, for instance if the file 36 | # inclusion order is incorrect, or if the user has forgotten to 37 | # include the crs-setup.conf file. 38 | # 39 | # If you are upgrading from an earlier version of the CRS and you are 40 | # getting this error, please make a new copy of the setup template 41 | # crs-setup.conf.example to crs-setup.conf, and re-apply your policy 42 | # changes. There have been many changes in settings syntax from CRS2 43 | # to CRS3, so an old setup file may cause unwanted behavior. 44 | # 45 | # If you are not planning to use the crs-setup.conf template, you must 46 | # manually set the tx.crs_setup_version variable before including 47 | # the CRS rules/* files. 48 | # 49 | # The variable is a numerical representation of the CRS version number. 50 | # E.g., v3.0.0 is represented as 300. 51 | # 52 | 53 | SecRule &TX:crs_setup_version "@eq 0" \ 54 | "id:901001,\ 55 | phase:1,\ 56 | auditlog,\ 57 | log,\ 58 | deny,\ 59 | status:500,\ 60 | severity:CRITICAL,\ 61 | msg:'ModSecurity Core Rule Set is deployed without configuration! 
Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions.'" 62 | 63 | 64 | # 65 | # -=[ Default setup values ]=- 66 | # 67 | # Some constructs or individual rules will fail if certain parameters 68 | # are not set in the setup.conf file. The following rules will catch 69 | # these cases and assign sane default values. 70 | # 71 | 72 | # Default Inbound Anomaly Threshold Level (rule 900110 in setup.conf) 73 | SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \ 74 | "id:901100,\ 75 | phase:1,\ 76 | pass,\ 77 | nolog,\ 78 | setvar:tx.inbound_anomaly_score_threshold=5" 79 | 80 | # Default Outbound Anomaly Threshold Level (rule 900110 in setup.conf) 81 | SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \ 82 | "id:901110,\ 83 | phase:1,\ 84 | pass,\ 85 | nolog,\ 86 | setvar:tx.outbound_anomaly_score_threshold=4" 87 | 88 | # Default Paranoia Level (rule 900000 in setup.conf) 89 | SecRule &TX:paranoia_level "@eq 0" \ 90 | "id:901120,\ 91 | phase:1,\ 92 | pass,\ 93 | nolog,\ 94 | setvar:tx.paranoia_level=1" 95 | 96 | # Default Sampling Percentage (rule 900400 in setup.conf) 97 | SecRule &TX:sampling_percentage "@eq 0" \ 98 | "id:901130,\ 99 | phase:1,\ 100 | pass,\ 101 | nolog,\ 102 | setvar:tx.sampling_percentage=100" 103 | 104 | # Default Anomaly Scores (rule 900100 in setup.conf) 105 | SecRule &TX:critical_anomaly_score "@eq 0" \ 106 | "id:901140,\ 107 | phase:1,\ 108 | pass,\ 109 | nolog,\ 110 | setvar:tx.critical_anomaly_score=5" 111 | 112 | SecRule &TX:error_anomaly_score "@eq 0" \ 113 | "id:901141,\ 114 | phase:1,\ 115 | pass,\ 116 | nolog,\ 117 | setvar:tx.error_anomaly_score=4" 118 | 119 | SecRule &TX:warning_anomaly_score "@eq 0" \ 120 | "id:901142,\ 121 | phase:1,\ 122 | pass,\ 123 | nolog,\ 124 | setvar:tx.warning_anomaly_score=3" 125 | 126 | SecRule &TX:notice_anomaly_score "@eq 
0" \ 127 | "id:901143,\ 128 | phase:1,\ 129 | pass,\ 130 | nolog,\ 131 | setvar:tx.notice_anomaly_score=2" 132 | 133 | # Default do_reput_block 134 | SecRule &TX:do_reput_block "@eq 0" \ 135 | "id:901150,\ 136 | phase:1,\ 137 | pass,\ 138 | nolog,\ 139 | setvar:tx.do_reput_block=0" 140 | 141 | # Default block duration 142 | SecRule &TX:reput_block_duration "@eq 0" \ 143 | "id:901152,\ 144 | phase:1,\ 145 | pass,\ 146 | nolog,\ 147 | setvar:tx.reput_block_duration=300" 148 | 149 | # Default HTTP policy: allowed_methods (rule 900200) 150 | SecRule &TX:allowed_methods "@eq 0" \ 151 | "id:901160,\ 152 | phase:1,\ 153 | pass,\ 154 | nolog,\ 155 | setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'" 156 | 157 | # Default HTTP policy: allowed_request_content_type (rule 900220) 158 | SecRule &TX:allowed_request_content_type "@eq 0" \ 159 | "id:901162,\ 160 | phase:1,\ 161 | pass,\ 162 | nolog,\ 163 | setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text/plain'" 164 | 165 | # Default HTTP policy: allowed_http_versions (rule 900230) 166 | SecRule &TX:allowed_http_versions "@eq 0" \ 167 | "id:901163,\ 168 | phase:1,\ 169 | pass,\ 170 | nolog,\ 171 | setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'" 172 | 173 | # Default HTTP policy: restricted_extensions (rule 900240) 174 | SecRule &TX:restricted_extensions "@eq 0" \ 175 | "id:901164,\ 176 | phase:1,\ 177 | pass,\ 178 | nolog,\ 179 | setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'" 180 | 181 | # Default HTTP policy: restricted_headers (rule 
900250) 182 | SecRule &TX:restricted_headers "@eq 0" \ 183 | "id:901165,\ 184 | phase:1,\ 185 | pass,\ 186 | nolog,\ 187 | setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /translate/ /if/'" 188 | 189 | # Default HTTP policy: static_extensions (rule 900260) 190 | SecRule &TX:static_extensions "@eq 0" \ 191 | "id:901166,\ 192 | phase:1,\ 193 | pass,\ 194 | nolog,\ 195 | setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'" 196 | 197 | 198 | # 199 | # -=[ Initialize internal variables ]=- 200 | # 201 | 202 | # Initialize anomaly scoring variables. 203 | # All _score variables start at 0, and are incremented by the various rules 204 | # upon detection of a possible attack. 205 | # sql_error_match is used for shortcutting rules for performance reasons. 206 | 207 | SecAction \ 208 | "id:901200,\ 209 | phase:1,\ 210 | nolog,\ 211 | pass,\ 212 | t:none,\ 213 | setvar:tx.anomaly_score=0,\ 214 | setvar:tx.sql_injection_score=0,\ 215 | setvar:tx.xss_score=0,\ 216 | setvar:tx.rfi_score=0,\ 217 | setvar:tx.lfi_score=0,\ 218 | setvar:tx.rce_score=0,\ 219 | setvar:tx.php_injection_score=0,\ 220 | setvar:tx.http_violation_score=0,\ 221 | setvar:tx.session_fixation_score=0,\ 222 | setvar:tx.inbound_anomaly_score=0,\ 223 | setvar:tx.outbound_anomaly_score=0,\ 224 | setvar:tx.sql_error_match=0" 225 | 226 | 227 | # 228 | # -=[ Initialize collections ]=- 229 | # 230 | # Create both Global and IP collections for rules to use. 231 | # There are some CRS rules that assume that these two collections 232 | # have already been initiated. 
233 | # 234 | # NOTE(review): the IP collection is keyed on remote_addr plus a sha1 of the User-Agent (rule 901321), so per-IP state such as ip.reput_block_flag is not shared between clients that send different User-Agent values from the same address. 235 | SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \ 236 | "id:901318, \ 237 | phase:1, \ 238 | t:none,t:sha1,t:hexEncode, \ 239 | setvar:tx.ua_hash=%{matched_var}, \ 240 | nolog, \ 241 | pass" 242 | 243 | SecAction \ 244 | "id:901321, \ 245 | phase:1, \ 246 | t:none, \ 247 | initcol:global=global, \ 248 | initcol:ip=%{remote_addr}_%{tx.ua_hash}, \ 249 | setvar:tx.real_ip=%{remote_addr}, \ 250 | nolog, \ 251 | pass" 252 | 253 | 254 | # 255 | # -=[ Easing In / Sampling Percentage ]=- 256 | # 257 | # This is used to send only a limited percentage of requests into the Core 258 | # Rule Set. The selection is based on TX.sampling_percentage and a pseudo 259 | # random number calculated below. 260 | # 261 | # Use this to ease into a new Core Rules installation with an existing 262 | # productive service. 263 | # 264 | # See 265 | # https://www.netnea.com/cms/2016/04/26/easing-in-conditional-modsecurity-rule-execution-based-on-pseudo-random-numbers/ 266 | # 267 | 268 | # 269 | # Generate the pseudo random number 270 | # 271 | # ATTENTION: This is not a cryptographically secure random number. It is just 272 | # a cheap way to get a number suitable for sampling; do not reuse it for anything that needs unpredictability. 273 | # 274 | # We take the entropy contained in the UNIQUE_ID. We hash that variable and 275 | # take the first two decimal digits out of it. Theoretically, it is possible 276 | # there are no decimal digits in a sha1 hash. We make sure we get two 277 | # digits by taking the last two digits from the DURATION counter 278 | # (in microseconds). 279 | # Finally, leading zeros are removed from the two-digit random number. 280 | # 281 | 282 | SecRule TX:sampling_percentage "@eq 100" \ 283 | "id:901400,\ 284 | phase:1,\ 285 | pass,\ 286 | nolog,\ 287 | skipAfter:END-SAMPLING" 288 | 289 | SecRule UNIQUE_ID "@rx ^."
\ 290 | "id:901410,\ 291 | phase:1,\ 292 | pass,\ 293 | nolog,\ 294 | t:sha1,\ 295 | t:hexEncode,\ 296 | setvar:TX.sampling_rnd100=%{MATCHED_VAR}" 297 | 298 | SecRule DURATION "@rx (..)$" \ 299 | "id:901420,\ 300 | phase:1,\ 301 | pass,\ 302 | capture,\ 303 | nolog,\ 304 | setvar:TX.sampling_rnd100=%{TX.sampling_rnd100}%{TX.1}" 305 | 306 | SecRule TX:sampling_rnd100 "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \ 307 | "id:901430,\ 308 | phase:1,\ 309 | pass,\ 310 | nolog,\ 311 | capture,\ 312 | setvar:TX.sampling_rnd100=%{TX.1}%{TX.2}" 313 | 314 | SecRule TX:sampling_rnd100 "@rx ^0([0-9])" \ 315 | "id:901440,\ 316 | phase:1,\ 317 | pass,\ 318 | capture,\ 319 | nolog,\ 320 | setvar:TX.sampling_rnd100=%{TX.1}" 321 | 322 | 323 | # 324 | # Sampling decision 325 | # 326 | # If a request is allowed to pass without being checked by the CRS, there is no 327 | # entry in the audit log (for performance reasons), but an error log entry is 328 | # being written. If you want to disable the error log entry, then issue the 329 | # following directive somewhere after the inclusion of the CRS 330 | # (E.g., RESPONSE-999-EXCEPTIONS.conf). 331 | # 332 | # SecRuleUpdateActionById 901450 "nolog" 333 | # 334 | 335 | 336 | SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \ 337 | "id:901450,\ 338 | phase:1,\ 339 | pass,\ 340 | log,\ 341 | noauditlog,\ 342 | ctl:ruleEngine=off,\ 343 | msg:'Sampling: Disable the rule engine based on sampling_percentage \ 344 | %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}.'" 345 | 346 | SecMarker "END-SAMPLING" 347 | -------------------------------------------------------------------------------- /templates/default/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf.erb: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------ 2 | # OWASP ModSecurity Core Rule Set ver.3.0.2 3 | # Copyright (c) 2006-2016 Trustwave and contributors. 
All rights reserved. 4 | # 5 | # The OWASP ModSecurity Core Rule Set is distributed under 6 | # Apache Software License (ASL) version 2 7 | # Please see the enclosed LICENSE file for full details. 8 | # ------------------------------------------------------------------------ 9 | 10 | # These exclusions remedy false positives in a default Drupal install. 11 | # The exclusions are only active if crs_exclusions_drupal=1 is set. 12 | # See rule 900130 in crs-setup.conf.example for instructions. 13 | 14 | # 15 | # [ POLICY ] 16 | # 17 | # Drupal is a complex application that is hard to secure with the CRS. This set 18 | # of exclusion rules aims to sanitise the CRS in a way that allows a default 19 | # Drupal setup to be installed and configured without much hassle as far as 20 | # ModSecurity and the CRS are concerned. 21 | # 22 | # The exclusion rules are fairly straight forward in the sense that they 23 | # disable CRS on a set of well-known parameter fields that are often the source 24 | # of false positives / false alarms of the CRS. This includes namely the 25 | # session cookie, the password fields and article/node bodies. 26 | # 27 | # This is based on two assumptions: - You have a basic trust in your 28 | # authenticated users who are allowed to edit nodes. - Drupal allows html 29 | # content in nodes and it protects your users from attacks via these fields. 30 | # 31 | # If you think these assumptions are wrong or if you would prefer a more 32 | # careful/secure approach, you can disable the exclusion rules handling of said 33 | # node body false positives. Do this by placing the following directive in 34 | # RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf. 35 | # 36 | # SecRuleRemoveById 9001200-9001299 37 | # 38 | # This will mean the CRS remain intact for the editing of node bodies. 39 | # 40 | # The exclusion rules in this file work without the need to define a Drupal 41 | # installation path prefix. 
Instead they look at the URI from the end, or 42 | # they use regular expressions when targeting dynamic URLs. None of this is 43 | # totally foolproof. In some cases, an advanced attacker might be able to 44 | # doctor a request in a way that one of these exclusion rules is triggered 45 | # and the request will bypass all further inspection despite not being a 46 | # Drupal request at all. These exclusion rules could thus be leveraged to 47 | # disable the CRS completely. This is why these rules are off by default. 48 | # 49 | # The CRS rules covered by this ruleset are the rules with Paranoia Level 1 and 50 | # 2. If you choose to run Paranoia Level 3 or 4, you will be facing additional 51 | # false positives that you need to handle yourself. 52 | # 53 | # This set of exclusion rules does not cover any additional Drupal modules 54 | # outside of core. 55 | # 56 | # The exclusion rules are based on Drupal 8.1.10. 57 | # 58 | # And finally: This set of exclusion rules is in an experimental state. If you 59 | # encounter false positives with the basic Drupal functionality and they are 60 | # not covered by this rule file, then please report them. The aim is to be able 61 | # to install and run Drupal core in a seamless manner protected by 62 | # ModSecurity / CRS up to paranoia level 2.
63 | 64 | 65 | SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \ 66 | "id:9001000,\ 67 | phase:2,\ 68 | t:none,\ 69 | nolog,\ 70 | pass,\ 71 | skipAfter:END-DRUPAL-RULE-EXCLUSIONS" 72 | 73 | 74 | # [ Table of Contents ] 75 | # 76 | # 9001100 Session Cookie 77 | # 9001110 Password 78 | # 9001120 FREE for use 79 | # 9001130 FREE for use 80 | # 9001140 Content and Descriptions 81 | # 9001150 FREE for use 82 | # 9001160 Form Token 83 | # 9001170 Text Formats and Editors 84 | # 9001180 WYSIWYG/CKEditor Assets and Upload 85 | # 9001190 FREE for use 86 | # 9001200 Content and Descriptions 87 | # 88 | # The rule id range from 9001200 to 9001999 is reserved for future 89 | # use (Drupal plugins / modules). 90 | 91 | 92 | # [ Session Cookie ] 93 | # 94 | # Giving the session cookie a dynamic name is most unfortunate 95 | # from a ModSecurity perspective. The rule language does not allow 96 | # us to disable rules in a granular way for individual cookies with 97 | # dynamic names. So we need to disable rule causing false positives 98 | # for all cookies and their names. 99 | # 100 | # Rule Exclusion Session Cookie: 942450 SQL Hex Encoding Identified 101 | # 102 | SecAction "id:9001100,\ 103 | phase:2,\ 104 | nolog,\ 105 | pass,\ 106 | ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES_NAMES,\ 107 | ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES" 108 | 109 | 110 | # 111 | # [ Password ] 112 | # 113 | # Disable the CRS completely for all occurrences of passwords. 
114 | # 115 | SecRule REQUEST_FILENAME "@endsWith /core/install.php" \ 116 | "id:9001110,\ 117 | phase:2,\ 118 | nolog,\ 119 | pass,\ 120 | ctl:ruleRemoveTargetByTag=CRS;ARGS:account[pass][pass1],\ 121 | ctl:ruleRemoveTargetByTag=CRS;ARGS:account[pass][pass2]" 122 | 123 | SecRule REQUEST_FILENAME "@endsWith /user/login" \ 124 | "id:9001112,\ 125 | phase:2,\ 126 | t:none,\ 127 | nolog,\ 128 | pass,\ 129 | ctl:ruleRemoveTargetByTag=CRS;ARGS:pass" 130 | 131 | SecRule REQUEST_FILENAME "@endsWith /admin/people/create" \ 132 | "id:9001114,\ 133 | phase:2,\ 134 | nolog,\ 135 | pass,\ 136 | ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass1],\ 137 | ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass2]" 138 | 139 | SecRule REQUEST_FILENAME "@rx /user/[0-9]+/edit$" \ 140 | "id:9001116,\ 141 | phase:2,\ 142 | nolog,\ 143 | pass,\ 144 | ctl:ruleRemoveTargetByTag=CRS;ARGS:current_pass,\ 145 | ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass1],\ 146 | ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass2]" 147 | 148 | 149 | # 150 | # [ Admin Settings (general) ] 151 | # 152 | # Disable known false positives for various fields used on admin pages. 153 | # 154 | # Rule Exclusion: 920271 Invalid character in request on multiple fields/paths 155 | # Rule Exclusion: 942430 Restricted SQL Character Anomaly Detection (args) 156 | # Disabled completely for admin/config pages 157 | # For the people/accounts page, we disable the CRS completely for a number of 158 | # freeform text fields. 
159 | # 160 | SecRule REQUEST_FILENAME "@contains /admin/config/" \ 161 | "id:9001122,\ 162 | phase:2,\ 163 | nolog,\ 164 | pass,\ 165 | ctl:ruleRemoveById=942430" 166 | 167 | SecRule REQUEST_FILENAME "@endsWith /admin/config/people/accounts" \ 168 | "id:9001124,\ 169 | phase:2,\ 170 | nolog,\ 171 | pass,\ 172 | ctl:ruleRemoveById=920271,\ 173 | ctl:ruleRemoveById=942440,\ 174 | ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_cancel_confirm_body,\ 175 | ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_password_reset_body,\ 176 | ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_register_admin_created_body,\ 177 | ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_register_no_approval_required_body,\ 178 | ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_register_pending_approval_body,\ 179 | ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_status_activated_body,\ 180 | ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_status_blocked_body,\ 181 | ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_status_canceled_body" 182 | 183 | SecRule REQUEST_FILENAME "@endsWith /admin/config/development/configuration/single/import" \ 184 | "id:9001126,\ 185 | phase:2,\ 186 | nolog,\ 187 | pass,\ 188 | ctl:ruleRemoveById=920271,\ 189 | ctl:ruleRemoveById=942440" 190 | 191 | SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \ 192 | "id:9001128,\ 193 | phase:2,\ 194 | nolog,\ 195 | pass,\ 196 | ctl:ruleRemoveById=942440" 197 | 198 | 199 | # 200 | # 201 | # [ Content and Descriptions ] 202 | # 203 | # Disable known false positives for field "ids[]". 204 | # 205 | # Rule Exclusion: 942130 SQL Injection Attack: SQL Tautology Detected 206 | # 207 | SecRule REQUEST_FILENAME "@endsWith /contextual/render" \ 208 | "id:9001140,\ 209 | phase:2,\ 210 | nolog,\ 211 | pass,\ 212 | ctl:ruleRemoveTargetById=942130;ARGS:ids[]" 213 | 214 | 215 | # 216 | # [ Form Token / Build ID ] 217 | # 218 | # Rule Exclusion for form_build_id: 942440 SQL Comment Sequence Detected on ... 
219 | # Rule Exclusion for form_token: 942450 SQL Hex Encoding 220 | # Rule Exclusion for form_build_id: 942450 SQL Hex Encoding 221 | # 222 | # This is applied site-wide. 223 | # 224 | SecAction "id:9001160,\ 225 | phase:2,\ 226 | nolog,\ 227 | pass,\ 228 | ctl:ruleRemoveTargetById=942440;ARGS:form_build_id,\ 229 | ctl:ruleRemoveTargetById=942450;ARGS:form_token,\ 230 | ctl:ruleRemoveTargetById=942450;ARGS:form_build_id" 231 | 232 | 233 | # 234 | # [ Text Formats and Editors ] 235 | # 236 | # Disable the CRS completely for two fields triggering many, many rules 237 | # 238 | # Rule Exclusion for two fields: 942440 SQL Comment Sequence Detected 239 | # 240 | SecRule REQUEST_FILENAME "@endsWith /admin/config/content/formats/manage/full_html" \ 241 | "id:9001170,\ 242 | phase:2,\ 243 | nolog,\ 244 | pass,\ 245 | ctl:ruleRemoveTargetByTag=CRS;ARGS:editor[settings][toolbar][button_groups],\ 246 | ctl:ruleRemoveTargetByTag=CRS;ARGS:filters[filter_html][settings][allowed_html]" 247 | 248 | 249 | # 250 | # [ WYSIWYG/CKEditor Assets and Upload ] 251 | # 252 | # Disable the unnecessary requestBodyAccess and for binary uploads 253 | # bigger than an arbitrary limit of 31486341 bytes. 254 | # 255 | # Extensive checks make sure these uploads are really legitimate. 
256 | # Three chains below switch off request body inspection for CKEditor asset uploads; each requires a POST, a matching path and a Drupal S?SESS session cookie. 257 | SecRule REQUEST_METHOD "@streq POST" \ 258 | "id:'9001180',\ 259 | phase:1,\ 260 | t:none,\ 261 | pass,\ 262 | nolog,\ 263 | noauditlog,\ 264 | chain" 265 | SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \ 266 | chain 267 | SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "^[a-zA-Z0-9_-]+" \ 268 | ctl:requestBodyAccess=Off 269 | 270 | SecRule REQUEST_METHOD "@streq POST" \ 271 | "id:'9001182',\ 272 | phase:1,\ 273 | t:none,\ 274 | pass,\ 275 | nolog,\ 276 | noauditlog,\ 277 | chain" 278 | SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \ 279 | chain 280 | SecRule ARGS:destination "@streq admin/content/assets" \ 281 | chain 282 | SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \ 283 | chain 284 | SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ 285 | ctl:requestBodyAccess=Off 286 | # NOTE(review): in rule 9001184 the last chain entry reads "^@rx [a-zA-Z0-9_-]+"; because the anchor precedes the operator, the default @rx operator appears to be applied to the literal pattern "^@rx [a-zA-Z0-9_-]+", which no ordinary session cookie value matches, so this chain seems never to complete and requestBodyAccess stays on for these uploads (fail-closed, but the exclusion is ineffective). Compare rule 9001182, which uses "@rx ^[a-zA-Z0-9_-]+". 287 | SecRule REQUEST_METHOD "@streq POST" \ 288 | "id:'9001184',\ 289 | phase:1,\ 290 | t:none,\ 291 | pass,\ 292 | nolog,\ 293 | noauditlog,\ 294 | chain" 295 | SecRule REQUEST_FILENAME \ 296 | "@rx /file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \ 297 | chain 298 | SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \ 299 | chain 300 | SecRule REQUEST_HEADERS:Content-Type "@streq multipart/form-data" \ 301 | chain 302 | SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "^@rx [a-zA-Z0-9_-]+" \ 303 | ctl:requestBodyAccess=Off 304 | 305 | 306 | # 307 | # [ Content and Descriptions ] 308 | # 309 | # Disable the CRS completely for node bodies and other free text fields. 310 | # Other rules are disabled individually. 311 | # 312 | # Rule Exclusion for ARGS:uid[0][target_id]: 942410 SQL Injection Attack 313 | # Rule Exclusion for ARGS:destination: 932110 RCE: Windows Command Inj.
314 | # 315 | SecRule REQUEST_FILENAME "@endsWith /node/add/article" \ 316 | "id:9001200,\ 317 | phase:2,\ 318 | nolog,\ 319 | pass,\ 320 | ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value],\ 321 | ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id]" 322 | 323 | SecRule REQUEST_FILENAME "@endsWith /node/add/page" \ 324 | "id:9001202,\ 325 | phase:2,\ 326 | nolog,\ 327 | pass,\ 328 | ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value],\ 329 | ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id]" 330 | 331 | SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \ 332 | "id:9001204,\ 333 | phase:2,\ 334 | nolog,\ 335 | pass,\ 336 | ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value],\ 337 | ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\ 338 | ctl:ruleRemoveTargetById=932110;ARGS:destination" 339 | 340 | SecRule REQUEST_FILENAME "@endsWith /block/add" \ 341 | "id:9001206,\ 342 | phase:2,\ 343 | nolog,\ 344 | pass,\ 345 | ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value]" 346 | 347 | SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/basic" \ 348 | "id:9001208,\ 349 | phase:2,\ 350 | nolog,\ 351 | pass,\ 352 | ctl:ruleRemoveTargetByTag=CRS;ARGS:description" 353 | 354 | SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(full|basic)_html$" \ 355 | "id:9001210,\ 356 | phase:2,\ 357 | nolog,\ 358 | pass,\ 359 | ctl:ruleRemoveTargetByTag=CRS;ARGS:value" 360 | 361 | SecRule REQUEST_FILENAME "@rx /user/[0-9]+/contact$" \ 362 | "id:9001212,\ 363 | phase:2,\ 364 | nolog,\ 365 | pass,\ 366 | ctl:ruleRemoveTargetByTag=CRS;ARGS:message[0][value]" 367 | 368 | SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \ 369 | "id:9001214,\ 370 | phase:2,\ 371 | nolog,\ 372 | pass,\ 373 | ctl:ruleRemoveTargetByTag=CRS;ARGS:maintenance_mode_message" 374 | 375 | SecRule REQUEST_FILENAME "@endsWith /admin/config/services/rss-publishing" \ 376 | "id:9001216,\ 377 | phase:2,\ 378 | nolog,\ 379 | pass,\ 380 | 
ctl:ruleRemoveTargetByTag=CRS;ARGS:feed_description" 381 | 382 | 383 | SecMarker END-DRUPAL-RULE-EXCLUSIONS 384 | -------------------------------------------------------------------------------- /templates/default/REQUEST-905-COMMON-EXCEPTIONS.conf.erb: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------ 2 | # OWASP ModSecurity Core Rule Set ver.3.0.2 3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved. 4 | # 5 | # The OWASP ModSecurity Core Rule Set is distributed under 6 | # Apache Software License (ASL) version 2 7 | # Please see the enclosed LICENSE file for full details. 8 | # ------------------------------------------------------------------------ 9 | 10 | 11 | # This file is used as an exception mechanism to remove common false positives 12 | # that may be encountered. 13 | # 14 | # Exception for Apache SSL pinger 15 | # 16 | SecRule REQUEST_LINE "@streq GET /" \ 17 | "phase:1,\ 18 | id:905100,\ 19 | t:none,\ 20 | pass,\ 21 | nolog,\ 22 | tag:'application-multi',\ 23 | tag:'language-multi',\ 24 | tag:'platform-apache',\ 25 | tag:'attack-generic',\ 26 | chain" 27 | SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \ 28 | "t:none,\ 29 | ctl:ruleEngine=Off,\ 30 | ctl:auditEngine=Off" 31 | 32 | # 33 | # Exception for Apache internal dummy connection 34 | # 35 | SecRule REQUEST_LINE "^(GET /|OPTIONS \*) HTTP/[12]\.[01]$" \ 36 | "phase:1,\ 37 | id:905110,\ 38 | t:none,\ 39 | pass,\ 40 | nolog,\ 41 | tag:'application-multi',\ 42 | tag:'language-multi',\ 43 | tag:'platform-apache',\ 44 | tag:'attack-generic',\ 45 | chain" 46 | SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \ 47 | "t:none,\ 48 | chain" 49 | SecRule REQUEST_HEADERS:User-Agent "^.*\(internal dummy connection\)$" \ 50 | "t:none,\ 51 | ctl:ruleEngine=Off,\ 52 | ctl:auditEngine=Off" 53 | 54 | 55 | -------------------------------------------------------------------------------- 
/templates/default/REQUEST-910-IP-REPUTATION.conf.erb: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------ 2 | # OWASP ModSecurity Core Rule Set ver.3.0.2 3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved. 4 | # 5 | # The OWASP ModSecurity Core Rule Set is distributed under 6 | # Apache Software License (ASL) version 2 7 | # Please see the enclosed LICENSE file for full details. 8 | # ------------------------------------------------------------------------ 9 | 10 | # 11 | # -= Paranoia Level 0 (empty) =- (apply unconditionally) 12 | # 13 | 14 | 15 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:910011,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION" 16 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:910012,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION" 17 | # 18 | # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher) 19 | # 20 | 21 | # 22 | # -=[ IP Reputation Block Flag Check ]=- 23 | # 24 | # The first check we do is to see if the client IP address has already 25 | # been blacklisted by rules from previous requests. 26 | # 27 | # If the rule matches, it will do a skipAfter and pick up processing 28 | # at the end of the request phase for actual blocking. 
29 | # 30 | SecRule TX:DO_REPUT_BLOCK "@eq 1" \ 31 | "msg:'Request from Known Malicious Client (Based on previous traffic violations).',\ 32 | logdata:'Previous Block Reason: %{ip.reput_block_reason}',\ 33 | severity:'CRITICAL',\ 34 | id:910000,\ 35 | phase:request,\ 36 | block,\ 37 | t:none,\ 38 | tag:'application-multi',\ 39 | tag:'language-multi',\ 40 | tag:'platform-multi',\ 41 | tag:'attack-reputation-ip',\ 42 | tag:'IP_REPUTATION/MALICIOUS_CLIENT',\ 43 | setvar:'tx.msg=%{rule.msg}',\ 44 | skipAfter:BEGIN_REQUEST_BLOCKING_EVAL,\ 45 | chain" 46 | SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \ 47 | "setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 48 | setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}" 49 | 50 | 51 | # 52 | # -=[ GeoIP Checks ]=- 53 | # 54 | # This rule requires activating the SecGeoLookupDB directive 55 | # in the crs-setup.conf file and specifying 56 | # the list of blocked countries (tx.high_risk_country_codes). 57 | # 58 | # This rule does a GeoIP resolution on the client IP address. 
59 | # 60 | SecRule TX:HIGH_RISK_COUNTRY_CODES "!^$" \ 61 | "msg:'Client IP is from a HIGH Risk Country Location.',\ 62 | severity:'CRITICAL',\ 63 | id:910100,\ 64 | phase:request,\ 65 | block,\ 66 | t:none,\ 67 | tag:'application-multi',\ 68 | tag:'language-multi',\ 69 | tag:'platform-multi',\ 70 | tag:'attack-reputation-ip',\ 71 | chain" 72 | SecRule TX:REAL_IP "@geoLookup" \ 73 | "chain" 74 | SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" \ 75 | "setvar:'tx.msg=%{rule.msg}',\ 76 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 77 | setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\ 78 | setvar:ip.reput_block_flag=1,\ 79 | expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\ 80 | setvar:'ip.reput_block_reason=%{rule.msg}'" 81 | 82 | 83 | # 84 | # -=[ IP Reputation Checks ]=- 85 | # 86 | # ModSecurity Rules from Trustwave SpiderLabs: IP Blacklist Alert 87 | # Ref: http://www.modsecurity.org/projects/commercial/rules/ 88 | # 89 | # This rule checks the client IP address against a list of recent IPs captured 90 | # from the SpiderLabs web honeypot systems (last 48 hours). 91 | # NOTE(review): only the first line of the disabled rule below (92) carries a "#"; lines 93-108 stay part of the comment only if the config parser treats the trailing backslash on a comment line as a line continuation (Apache httpd does). A parser that does not would read line 93 onward as a bare directive and fail to load this file, so prefixing every line with "#" is the portable form; ip_blacklist.data is also not shipped with these templates. 92 | #SecRule TX:REAL_IP "@ipMatchFromFile ip_blacklist.data" \ 93 | "msg:'Client IP in Trustwave SpiderLabs IP Reputation Blacklist.',\ 94 | severity:'CRITICAL',\ 95 | id:910110,\ 96 | phase:request,\ 97 | block,\ 98 | t:none,\ 99 | tag:'application-multi',\ 100 | tag:'language-multi',\ 101 | tag:'platform-multi',\ 102 | tag:'attack-reputation-ip',\ 103 | setvar:'tx.msg=%{rule.msg}',\ 104 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 105 | setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\ 106 | setvar:ip.reput_block_flag=1,\ 107 | expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\ 108 | setvar:'ip.reput_block_reason=%{rule.msg}'" 109 | 110 | 111 | # 112 | # First check if we have already run an @rbl check for this IP by checking in IP collection.
113 | # If we have, then skip doing another check. 114 | # Note that ip.previous_rbl_check is only set by the matching rules further down (910150 and following), so an IP that was looked up and found clean is queried again on every request. 115 | SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \ 116 | "id:910120,\ 117 | phase:request,\ 118 | nolog,\ 119 | tag:'application-multi',\ 120 | tag:'language-multi',\ 121 | tag:'platform-multi',\ 122 | tag:'attack-reputation-ip',\ 123 | pass,\ 124 | t:none,\ 125 | skipAfter:END_RBL_LOOKUP" 126 | 127 | # 128 | # Check Client IP against ProjectHoneypot's HTTP Blacklist 129 | # Ref: http://www.projecthoneypot.org/httpbl_api.php 130 | # 131 | # To use the blacklist, you must register for an HttpBL API Key 132 | # and choose the traffic types to block. See section 133 | # "Project Honey Pot HTTP Blacklist" in crs-setup.conf. 134 | # 135 | # Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey 136 | # 137 | 138 | # Skip HttpBL checks if the user has not defined any of the TX:block_* variables. 139 | # This prevents error "Operator error: RBL httpBl called but no key defined: set SecHttpBlKey" 140 | SecRule &TX:block_suspicious_ip "@eq 0" \ 141 | "id:910130,\ 142 | phase:request,\ 143 | t:none,\ 144 | nolog,\ 145 | pass,\ 146 | chain,\ 147 | skipAfter:END_RBL_CHECK" 148 | SecRule &TX:block_harvester_ip "@eq 0" "chain" 149 | SecRule &TX:block_spammer_ip "@eq 0" "chain" 150 | SecRule &TX:block_search_ip "@eq 0" 151 | 152 | SecRule TX:REAL_IP "@rbl dnsbl.httpbl.org" \ 153 | "id:910140,\ 154 | phase:request,\ 155 | capture,\ 156 | nolog,pass,t:none, \ 157 | tag:'application-multi',\ 158 | tag:'language-multi',\ 159 | tag:'platform-multi',\ 160 | tag:'attack-reputation-ip',\ 161 | chain,\ 162 | setvar:tx.httpbl_msg=%{tx.0}" 163 | SecRule TX:httpbl_msg "RBL lookup of .*?.dnsbl.httpbl.org succeeded at TX:checkip.
(.*?): .*" \ 164 | "t:none,\ 165 | capture,\ 166 | setvar:tx.httpbl_msg=%{tx.1}" 167 | 168 | # The following regexs are generated based off re_operators.c 169 | SecRule TX:block_search_ip "@eq 1" \ 170 | "msg:'HTTP Blacklist match for search engine IP', \ 171 | severity:'CRITICAL', \ 172 | id:910150,\ 173 | phase:request,\ 174 | block,\ 175 | t:none,\ 176 | tag:'application-multi',\ 177 | tag:'language-multi',\ 178 | tag:'platform-multi',\ 179 | tag:'attack-reputation-ip',\ 180 | chain,\ 181 | skipAfter:END_RBL_CHECK" 182 | SecRule TX:httpbl_msg "Search Engine" \ 183 | "setvar:'tx.msg=%{rule.msg}',\ 184 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 185 | setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\ 186 | setvar:ip.reput_block_flag=1,\ 187 | expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\ 188 | setvar:'ip.reput_block_reason=%{rule.msg}',\ 189 | setvar:ip.previous_rbl_check=1,\ 190 | expirevar:ip.previous_rbl_check=86400" 191 | 192 | SecRule TX:block_spammer_ip "@eq 1" \ 193 | "msg:'HTTP Blacklist match for spammer IP',\ 194 | severity:'CRITICAL',\ 195 | id:910160,\ 196 | phase:request,\ 197 | block,\ 198 | t:none,\ 199 | tag:'application-multi',\ 200 | tag:'language-multi',\ 201 | tag:'platform-multi',\ 202 | tag:'attack-reputation-ip',\ 203 | chain,\ 204 | skipAfter:END_RBL_CHECK" 205 | SecRule TX:httpbl_msg "(?i)^.*? 
spammer .*?$" \ 206 | "setvar:'tx.msg=%{rule.msg}',\ 207 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 208 | setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\ 209 | setvar:ip.reput_block_flag=1,\ 210 | expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\ 211 | setvar:'ip.reput_block_reason=%{rule.msg}',\ 212 | setvar:ip.previous_rbl_check=1,\ 213 | expirevar:ip.previous_rbl_check=86400" 214 | 215 | SecRule TX:block_suspicious_ip "@eq 1" \ 216 | "msg:'HTTP Blacklist match for suspicious IP',\ 217 | severity:'CRITICAL',\ 218 | id:910170,\ 219 | phase:request,\ 220 | block,\ 221 | t:none,\ 222 | tag:'application-multi',\ 223 | tag:'language-multi',\ 224 | tag:'platform-multi',\ 225 | tag:'attack-reputation-ip',\ 226 | chain,\ 227 | skipAfter:END_RBL_CHECK" 228 | SecRule TX:httpbl_msg "(?i)^.*? suspicious .*?$" \ 229 | "setvar:'tx.msg=%{rule.msg}',\ 230 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 231 | setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\ 232 | setvar:ip.reput_block_flag=1,\ 233 | expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\ 234 | setvar:'ip.reput_block_reason=%{rule.msg}',\ 235 | setvar:ip.previous_rbl_check=1,\ 236 | expirevar:ip.previous_rbl_check=86400" 237 | 238 | SecRule TX:block_harvester_ip "@eq 1" \ 239 | "msg:'HTTP Blacklist match for harvester IP',\ 240 | severity:'CRITICAL',\ 241 | id:910180,\ 242 | phase:request,\ 243 | block,\ 244 | t:none,\ 245 | tag:'application-multi',\ 246 | tag:'language-multi',\ 247 | tag:'platform-multi',\ 248 | tag:'attack-reputation-ip',\ 249 | chain,\ 250 | skipAfter:END_RBL_CHECK" 251 | SecRule TX:httpbl_msg "(?i)^.*? 
harvester .*?$" \ 252 | "setvar:'tx.msg=%{rule.msg}',\ 253 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 254 | setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\ 255 | setvar:ip.reput_block_flag=1,\ 256 | expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\ 257 | setvar:'ip.reput_block_reason=%{rule.msg}',\ 258 | setvar:ip.previous_rbl_check=1,\ 259 | expirevar:ip.previous_rbl_check=86400" 260 | 261 | SecAction \ 262 | "id:910190,\ 263 | phase:request,\ 264 | nolog,\ 265 | pass,\ 266 | t:none,\ 267 | tag:'application-multi',\ 268 | tag:'language-multi',\ 269 | tag:'platform-multi',\ 270 | tag:'attack-reputation-ip',\ 271 | setvar:ip.previous_rbl_check=1,\ 272 | expirevar:ip.previous_rbl_check=86400" 273 | 274 | SecMarker END_RBL_LOOKUP 275 | 276 | SecMarker END_RBL_CHECK 277 | 278 | 279 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:910013,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION" 280 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:910014,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION" 281 | # 282 | # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher) 283 | # 284 | 285 | 286 | 287 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:910015,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION" 288 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:910016,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION" 289 | # 290 | # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher) 291 | # 292 | 293 | 294 | 295 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:910017,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION" 296 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:910018,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION" 297 | # 298 | # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher) 299 | # 300 | 301 | 302 | 303 | # 304 | # -= Paranoia Levels Finished =- 305 | # 306 | SecMarker 
"END-REQUEST-910-IP-REPUTATION" 307 | 308 | -------------------------------------------------------------------------------- /templates/default/REQUEST-911-METHOD-ENFORCEMENT.conf.erb: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------ 2 | # OWASP ModSecurity Core Rule Set ver.3.0.2 3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved. 4 | # 5 | # The OWASP ModSecurity Core Rule Set is distributed under 6 | # Apache Software License (ASL) version 2 7 | # Please see the enclosed LICENSE file for full details. 8 | # ------------------------------------------------------------------------ 9 | 10 | # 11 | # -= Paranoia Level 0 (empty) =- (apply unconditionally) 12 | # 13 | 14 | 15 | 16 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:911011,nolog,pass,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" 17 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:911012,nolog,pass,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" 18 | # 19 | # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher) 20 | # 21 | 22 | # 23 | # -=[ Allowed Request Methods ]=- 24 | # 25 | # tx.allowed_methods is defined in the crs-setup.conf file 26 | # 27 | SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \ 28 | "msg:'Method is not allowed by policy',\ 29 | severity:'CRITICAL',\ 30 | id:911100,\ 31 | phase:request,\ 32 | block,\ 33 | rev:'2',\ 34 | ver:'OWASP_CRS/3.0.0',\ 35 | maturity:'9',\ 36 | accuracy:'9',\ 37 | tag:'application-multi',\ 38 | tag:'language-multi',\ 39 | tag:'platform-multi',\ 40 | tag:'attack-generic',\ 41 | tag:'OWASP_CRS/POLICY/METHOD_NOT_ALLOWED',\ 42 | tag:'WASCTC/WASC-15',\ 43 | tag:'OWASP_TOP_10/A6',\ 44 | tag:'OWASP_AppSensor/RE1',\ 45 | tag:'PCI/12.1',\ 46 | logdata:'%{matched_var}',\ 47 | setvar:'tx.msg=%{rule.msg}',\ 48 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 49 | 
setvar:tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" 50 | 51 | 52 | 53 | 54 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:911013,nolog,pass,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" 55 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:911014,nolog,pass,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" 56 | # 57 | # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher) 58 | # 59 | 60 | 61 | 62 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:911015,nolog,pass,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" 63 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:911016,nolog,pass,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" 64 | # 65 | # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher) 66 | # 67 | 68 | 69 | 70 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:911017,nolog,pass,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" 71 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:911018,nolog,pass,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" 72 | # 73 | # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher) 74 | # 75 | 76 | 77 | 78 | # 79 | # -= Paranoia Levels Finished =- 80 | # 81 | SecMarker "END-REQUEST-911-METHOD-ENFORCEMENT" 82 | 83 | -------------------------------------------------------------------------------- /templates/default/REQUEST-912-DOS-PROTECTION.conf.erb: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------ 2 | # OWASP ModSecurity Core Rule Set ver.3.0.2 3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved. 4 | # 5 | # The OWASP ModSecurity Core Rule Set is distributed under 6 | # Apache Software License (ASL) version 2 7 | # Please see the enclosed LICENSE file for full details. 
8 | # ------------------------------------------------------------------------ 9 | 10 | # 11 | # Anti-Automation rules to detect Denial of Service attacks. 12 | # 13 | # Description of mechanics: 14 | # When a request hits a non-static resource (TX:STATIC_EXTENSIONS), then a counter for the IP 15 | # address is raised (IP:DOS_COUNTER). If the counter (IP:DOS_COUNTER) hits a limit 16 | # (TX:DOS_COUNTER_THRESHOLD), then a burst is identified (IP:DOS_BURST_COUNTER) and the 17 | # counter (IP:DOS_COUNTER) is reset. The burst counter expires within a timeout period 18 | # (TX:DOS_BURST_TIME_SLICE). 19 | # If the burst counter (IP:DOS_BURST_COUNTER) is greater than or equal to 2, then the blocking flag 20 | # is set (IP:DOS_BLOCK). The blocking flag (IP:DOS_BLOCK) expires within a timeout 21 | # period (TX:DOS_BLOCK_TIMEOUT). All this counting happens in phase 5. 22 | # There is a stricter sibling of this rule (912170) in paranoia level 2 (912171), where the 23 | # burst counter check (IP:DOS_BURST_COUNTER) triggers at greater than or equal to 1. 24 | # 25 | # The blocking is done in phase 1: When the blocking flag is encountered (IP:DOS_BLOCK), 26 | # then the request is dropped without sending a response. If this happens, then a 27 | # counter is raised (IP:DOS_BLOCK_COUNTER). 28 | # When an IP address is blocked for the first time, then the blocking is reported in a 29 | # message and a flag (IP:DOS_BLOCK_FLAG) is set. This flag expires in 60 seconds. 30 | # When an IP address is blocked and the flag (IP:DOS_BLOCK_FLAG) is set, then the 31 | # blocking is not reported (to prevent a flood of alerts). When the flag 32 | # (IP:DOS_BLOCK_FLAG) has expired and a new request is blocked, then the 33 | # counter (IP:DOS_BLOCK_COUNTER) is reset to 0 and the block is treated 34 | # as the first block (-> alert). 
35 | # In order to be able to display the counter (IP:DOS_BLOCK_COUNTER) and reset 36 | # it at the same time, we copy the counter (IP:DOS_BLOCK_COUNTER) into a different 37 | # variable (TX:DOS_BLOCK_COUNTER), which is then displayed in turn. 38 | # 39 | # Variables: 40 | # IP:DOS_BLOCK Flag if an IP address should be blocked 41 | # IP:DOS_BLOCK_COUNTER Counter of blocked requests 42 | # IP:DOS_BLOCK_FLAG Flag keeping track of the alert. Flag expires after 60 seconds. 43 | # IP:DOS_BURST_COUNTER Burst counter 44 | # IP:DOS_COUNTER Request counter (static resources are ignored) 45 | # TX:DOS_BLOCK_COUNTER Copy of IP:DOS_BLOCK_COUNTER (needed for display reasons) 46 | # TX:DOS_BLOCK_TIMEOUT Period in seconds a blocked IP will be blocked 47 | # TX:DOS_COUNTER_THRESHOLD Limit of requests at which a burst is identified 48 | # TX:DOS_BURST_TIME_SLICE Period in seconds after which a burst is forgotten 49 | # TX:STATIC_EXTENSIONS Extensions of static resources that can be ignored with regard to DoS 50 | # 51 | # As a precondition for these rules, please set the following three variables: 52 | # - TX:DOS_BLOCK_TIMEOUT 53 | # - TX:DOS_COUNTER_THRESHOLD 54 | # - TX:DOS_BURST_TIME_SLICE 55 | # 56 | # And make sure that TX:STATIC_EXTENSIONS is also set. 
57 | # 58 | 59 | # 60 | # -= Paranoia Level 0 (empty) =- (apply unconditionally) 61 | # 62 | 63 | # 64 | # Skip if variables defining DoS protection are not set 65 | # 66 | SecRule &TX:dos_burst_time_slice "@eq 0" \ 67 | "id:912100,\ 68 | phase:1,\ 69 | t:none,\ 70 | nolog,\ 71 | pass,\ 72 | chain,\ 73 | skipAfter:END_DOS_PROTECTION_CHECKS" 74 | SecRule &TX:dos_counter_threshold "@eq 0" "chain" 75 | SecRule &TX:dos_block_timeout "@eq 0" 76 | 77 | SecRule &TX:dos_burst_time_slice "@eq 0" \ 78 | "id:912110,\ 79 | phase:5,\ 80 | t:none,\ 81 | nolog,\ 82 | pass,\ 83 | chain,\ 84 | skipAfter:END_DOS_PROTECTION_CHECKS" 85 | SecRule &TX:dos_counter_threshold "@eq 0" "chain" 86 | SecRule &TX:dos_block_timeout "@eq 0" 87 | 88 | 89 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:912011,nolog,pass,skipAfter:END-REQUEST-912-DOS-PROTECTION" 90 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:912012,nolog,pass,skipAfter:END-REQUEST-912-DOS-PROTECTION" 91 | # 92 | # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher) 93 | # 94 | 95 | # 96 | # -=[ Anti-Automation / DoS Protection : Block ]=- 97 | # 98 | 99 | # 100 | # Block and track # of requests and log 101 | # 102 | SecRule IP:DOS_BLOCK "@eq 1" \ 103 | "chain,\ 104 | phase:1,\ 105 | id:912120,\ 106 | drop,\ 107 | tag:'application-multi',\ 108 | tag:'language-multi',\ 109 | tag:'platform-multi',\ 110 | tag:'attack-dos',\ 111 | msg:'Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)'" 112 | SecRule &IP:DOS_BLOCK_FLAG "@eq 0" \ 113 | "setvar:ip.dos_block_counter=+1,\ 114 | setvar:ip.dos_block_flag=1,\ 115 | expirevar:ip.dos_block_flag=60,\ 116 | setvar:tx.dos_block_counter=%{ip.dos_block_counter},\ 117 | setvar:ip.dos_block_counter=0" 118 | 119 | 120 | # 121 | # Block and track # of requests but don't log 122 | # 123 | SecRule IP:DOS_BLOCK "@eq 1" \ 124 | "phase:1,\ 125 | id:912130,\ 126 | t:none,\ 127 | drop,\ 128 | nolog,\ 
129 | tag:'application-multi',\ 130 | tag:'language-multi',\ 131 | tag:'platform-multi',\ 132 | tag:'attack-dos',\ 133 | setvar:ip.dos_block_counter=+1" 134 | 135 | 136 | # 137 | # -=[ Anti-Automation / DoS Protection: Count requests ]=- 138 | # 139 | 140 | # 141 | # Skip if we have blocked the request 142 | # 143 | SecRule IP:DOS_BLOCK "@eq 1" \ 144 | "phase:5,\ 145 | id:912140,\ 146 | t:none,\ 147 | nolog,\ 148 | tag:'application-multi',\ 149 | tag:'language-multi',\ 150 | tag:'platform-multi',\ 151 | tag:'attack-dos',\ 152 | pass,\ 153 | skipAfter:END_DOS_PROTECTION_CHECKS" 154 | 155 | 156 | # 157 | # DOS Counter: Count the number of requests to non-static resources 158 | # 159 | SecRule REQUEST_BASENAME ".*?(\.[a-z0-9]{1,10})?$" \ 160 | "phase:5,\ 161 | id:912150,\ 162 | t:none,\ 163 | t:lowercase,\ 164 | nolog,\ 165 | pass,\ 166 | tag:'application-multi',\ 167 | tag:'language-multi',\ 168 | tag:'platform-multi',\ 169 | tag:'attack-dos',\ 170 | capture,\ 171 | setvar:tx.extension=/%{TX.1}/,\ 172 | chain" 173 | SecRule TX:EXTENSION "!@within %{tx.static_extensions}" \ 174 | "setvar:ip.dos_counter=+1" 175 | 176 | 177 | # 178 | # Check DOS Counter 179 | # If the request count is greater than or equal to user settings, 180 | # we raise the burst counter. This happens via two separate rules: 181 | # - 912160: raise from 0 to 1 182 | # - 912161: raise from 1 to 2 183 | # 184 | # This approach with two rules avoids raising the burst counter 185 | # from 0 to 2 via two concurrent requests. We do not raise the 186 | # burst counter beyond 2. 
187 | # 188 | # 189 | SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \ 190 | "phase:5,\ 191 | id:912160,\ 192 | t:none,\ 193 | nolog,\ 194 | pass,\ 195 | tag:'application-multi',\ 196 | tag:'language-multi',\ 197 | tag:'platform-multi',\ 198 | tag:'attack-dos',\ 199 | chain" 200 | SecRule &IP:DOS_BURST_COUNTER "@eq 0" \ 201 | "setvar:ip.dos_burst_counter=1,\ 202 | expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},\ 203 | setvar:!ip.dos_counter" 204 | 205 | 206 | SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \ 207 | "phase:5,\ 208 | id:912161,\ 209 | t:none,\ 210 | nolog,\ 211 | pass,\ 212 | tag:'application-multi',\ 213 | tag:'language-multi',\ 214 | tag:'platform-multi',\ 215 | tag:'attack-dos',\ 216 | chain" 217 | SecRule &IP:DOS_BURST_COUNTER "@ge 1" \ 218 | "setvar:ip.dos_burst_counter=2,\ 219 | expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},\ 220 | setvar:!ip.dos_counter" 221 | 222 | 223 | # 224 | # Check DOS Burst Counter and set Block 225 | # Check the burst counter - if greater than or equal to 2, then we set the IP 226 | # block variable for a given expiry and issue an alert. 
227 | # 228 | SecRule IP:DOS_BURST_COUNTER "@ge 2" \ 229 | "phase:5,\ 230 | id:912170,\ 231 | t:none,\ 232 | log,\ 233 | pass,\ 234 | tag:'application-multi',\ 235 | tag:'language-multi',\ 236 | tag:'platform-multi',\ 237 | tag:'attack-dos',\ 238 | msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',\ 239 | setvar:ip.dos_block=1,\ 240 | expirevar:ip.dos_block=%{tx.dos_block_timeout}" 241 | 242 | 243 | 244 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:912013,nolog,pass,skipAfter:END-REQUEST-912-DOS-PROTECTION" 245 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:912014,nolog,pass,skipAfter:END-REQUEST-912-DOS-PROTECTION" 246 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:5,id:912019,nolog,pass,skipAfter:END-REQUEST-912-DOS-PROTECTION" 247 | # 248 | # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher) 249 | # 250 | 251 | # 252 | # Check DOS Burst Counter and set Block 253 | # Check the burst counter - if greater than or equal to 1, then we set the IP 254 | # block variable for a given expiry and issue an alert. 255 | # 256 | # This is a stricter sibling of rule 912170. 
257 | # 258 | SecRule IP:DOS_BURST_COUNTER "@ge 1" \ 259 | "phase:5,\ 260 | id:912171,\ 261 | t:none,\ 262 | log,\ 263 | pass,\ 264 | tag:'application-multi',\ 265 | tag:'language-multi',\ 266 | tag:'platform-multi',\ 267 | tag:'attack-dos',\ 268 | tag:'paranoia-level/2',\ 269 | msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',\ 270 | setvar:ip.dos_block=1,\ 271 | expirevar:ip.dos_block=%{tx.dos_block_timeout}" 272 | 273 | 274 | 275 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:912015,nolog,pass,skipAfter:END-REQUEST-912-DOS-PROTECTION" 276 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:912016,nolog,pass,skipAfter:END-REQUEST-912-DOS-PROTECTION" 277 | # 278 | # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher) 279 | # 280 | 281 | 282 | 283 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:912017,nolog,pass,skipAfter:END-REQUEST-912-DOS-PROTECTION" 284 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:912018,nolog,pass,skipAfter:END-REQUEST-912-DOS-PROTECTION" 285 | # 286 | # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher) 287 | # 288 | 289 | 290 | 291 | # 292 | # -= Paranoia Levels Finished =- 293 | # 294 | SecMarker "END-REQUEST-912-DOS-PROTECTION" 295 | 296 | SecMarker END_DOS_PROTECTION_CHECKS 297 | -------------------------------------------------------------------------------- /templates/default/REQUEST-913-SCANNER-DETECTION.conf.erb: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------ 2 | # OWASP ModSecurity Core Rule Set ver.3.0.2 3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved. 4 | # 5 | # The OWASP ModSecurity Core Rule Set is distributed under 6 | # Apache Software License (ASL) version 2 7 | # Please see the enclosed LICENSE file for full details. 
8 | # ------------------------------------------------------------------------ 9 | 10 | # 11 | # -= Paranoia Level 0 (empty) =- (apply unconditionally) 12 | # 13 | 14 | 15 | 16 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:913011,nolog,pass,skipAfter:END-REQUEST-913-SCANNER-DETECTION" 17 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:913012,nolog,pass,skipAfter:END-REQUEST-913-SCANNER-DETECTION" 18 | # 19 | # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher) 20 | # 21 | 22 | # 23 | # -=[ Vulnerability Scanner Checks ]=- 24 | # 25 | # These rules inspect the default User-Agent and Header values sent by 26 | # various commercial and open source vuln scanners. 27 | # 28 | # The following rules contain User-Agent lists: 29 | # 913100 - security scanners (data file scanners-user-agents.data) 30 | # 913101 - scripting/generic HTTP clients (data file scripting-user-agents.data) 31 | # 913102 - web crawlers/bots (data file crawlers-user-agents.data) 32 | # 33 | SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \ 34 | "msg:'Found User-Agent associated with security scanner',\ 35 | severity:'CRITICAL',\ 36 | id:913100,\ 37 | rev:'2',\ 38 | phase:request,\ 39 | block,\ 40 | t:none,\ 41 | t:lowercase,\ 42 | ver:'OWASP_CRS/3.0.0',\ 43 | maturity:'9',\ 44 | accuracy:'9',\ 45 | capture,\ 46 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 47 | tag:'application-multi',\ 48 | tag:'language-multi',\ 49 | tag:'platform-multi',\ 50 | tag:'attack-reputation-scanner',\ 51 | tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\ 52 | tag:'WASCTC/WASC-21',\ 53 | tag:'OWASP_TOP_10/A7',\ 54 | tag:'PCI/6.5.10',\ 55 | setvar:'tx.msg=%{rule.msg}',\ 56 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 57 | setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var},\ 58 | setvar:ip.reput_block_flag=1,\ 59 | 
expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\ 60 | setvar:'ip.reput_block_reason=%{rule.msg}'" 61 | 62 | SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmf scanners-headers.data" \ 63 | "msg:'Found request header associated with security scanner',\ 64 | severity:CRITICAL,\ 65 | id:913110,\ 66 | phase:request,\ 67 | rev:'3',\ 68 | ver:'OWASP_CRS/3.0.0',\ 69 | maturity:'9',\ 70 | accuracy:'9',\ 71 | t:none,\ 72 | t:lowercase,\ 73 | block,\ 74 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 75 | tag:'application-multi',\ 76 | tag:'language-multi',\ 77 | tag:'platform-multi',\ 78 | tag:'attack-reputation-scanner',\ 79 | tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\ 80 | tag:'WASCTC/WASC-21',\ 81 | tag:'OWASP_TOP_10/A7',\ 82 | tag:'PCI/6.5.10',\ 83 | setvar:'tx.msg=%{rule.msg}',\ 84 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 85 | setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var},\ 86 | setvar:ip.reput_block_flag=1,\ 87 | expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\ 88 | setvar:'ip.reput_block_reason=%{rule.msg}'" 89 | 90 | 91 | SecRule REQUEST_FILENAME|ARGS "@pmf scanners-urls.data" \ 92 | "msg:'Found request filename/argument associated with security scanner',\ 93 | severity:CRITICAL,\ 94 | id:913120,\ 95 | phase:request,\ 96 | rev:'3',\ 97 | ver:'OWASP_CRS/3.0.0',\ 98 | maturity:'9',\ 99 | accuracy:'9',\ 100 | t:none,\ 101 | t:lowercase,\ 102 | block,\ 103 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 104 | tag:'application-multi',\ 105 | tag:'language-multi',\ 106 | tag:'platform-multi',\ 107 | tag:'attack-reputation-scanner',\ 108 | tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\ 109 | tag:'WASCTC/WASC-21',\ 110 | tag:'OWASP_TOP_10/A7',\ 111 | tag:'PCI/6.5.10',\ 112 | setvar:'tx.msg=%{rule.msg}',\ 113 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 114 | 
setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var},\ 115 | setvar:ip.reput_block_flag=1,\ 116 | expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\ 117 | setvar:'ip.reput_block_reason=%{rule.msg}'" 118 | 119 | 120 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:913013,nolog,pass,skipAfter:END-REQUEST-913-SCANNER-DETECTION" 121 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:913014,nolog,pass,skipAfter:END-REQUEST-913-SCANNER-DETECTION" 122 | # 123 | # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher) 124 | # 125 | 126 | 127 | # 128 | # -=[ Scripting/Generic User-Agents ]=- 129 | # 130 | # This rule detects user-agents associated with various HTTP client libraries 131 | # and scripting languages. Detection suggests attempted access by some 132 | # automated tool. 133 | # 134 | # This rule is a sibling of rule 913100. 135 | # 136 | SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \ 137 | "msg:'Found User-Agent associated with scripting/generic HTTP client',\ 138 | severity:'CRITICAL',\ 139 | id:913101,\ 140 | rev:'1',\ 141 | phase:request,\ 142 | block,\ 143 | t:none,\ 144 | t:lowercase,\ 145 | ver:'OWASP_CRS/3.0.0',\ 146 | maturity:'9',\ 147 | accuracy:'7',\ 148 | capture,\ 149 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 150 | tag:'application-multi',\ 151 | tag:'language-multi',\ 152 | tag:'platform-multi',\ 153 | tag:'attack-reputation-scripting',\ 154 | tag:'OWASP_CRS/AUTOMATION/SCRIPTING',\ 155 | tag:'WASCTC/WASC-21',\ 156 | tag:'OWASP_TOP_10/A7',\ 157 | tag:'PCI/6.5.10',\ 158 | tag:'paranoia-level/2',\ 159 | setvar:'tx.msg=%{rule.msg}',\ 160 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 161 | setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SCRIPTING-%{matched_var_name}=%{matched_var},\ 162 | setvar:ip.reput_block_flag=1,\ 163 | expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\ 164 | 
setvar:'ip.reput_block_reason=%{rule.msg}'" 165 | 166 | 167 | 168 | # 169 | # -=[ Crawler User-Agents ]=- 170 | # 171 | # This rule detects user-agents associated with various crawlers, SEO tools, 172 | # and bots, which have been reported to potentially misbehave. 173 | # These crawlers can have legitimate uses when used with authorization. 174 | # 175 | # This rule is a sibling of rule 913100. 176 | # 177 | SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \ 178 | "msg:'Found User-Agent associated with web crawler/bot',\ 179 | severity:'CRITICAL',\ 180 | id:913102,\ 181 | rev:'1',\ 182 | phase:request,\ 183 | block,\ 184 | t:none,\ 185 | t:lowercase,\ 186 | ver:'OWASP_CRS/3.0.0',\ 187 | maturity:'9',\ 188 | accuracy:'9',\ 189 | capture,\ 190 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 191 | tag:'application-multi',\ 192 | tag:'language-multi',\ 193 | tag:'platform-multi',\ 194 | tag:'attack-reputation-crawler',\ 195 | tag:'OWASP_CRS/AUTOMATION/CRAWLER',\ 196 | tag:'WASCTC/WASC-21',\ 197 | tag:'OWASP_TOP_10/A7',\ 198 | tag:'PCI/6.5.10',\ 199 | tag:'paranoia-level/2',\ 200 | setvar:'tx.msg=%{rule.msg}',\ 201 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 202 | setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/CRAWLER-%{matched_var_name}=%{matched_var},\ 203 | setvar:ip.reput_block_flag=1,\ 204 | expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\ 205 | setvar:'ip.reput_block_reason=%{rule.msg}'" 206 | 207 | 208 | 209 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:913015,nolog,pass,skipAfter:END-REQUEST-913-SCANNER-DETECTION" 210 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:913016,nolog,pass,skipAfter:END-REQUEST-913-SCANNER-DETECTION" 211 | # 212 | # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher) 213 | # 214 | 215 | 216 | 217 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:913017,nolog,pass,skipAfter:END-REQUEST-913-SCANNER-DETECTION" 218 | 
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:913018,nolog,pass,skipAfter:END-REQUEST-913-SCANNER-DETECTION" 219 | # 220 | # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher) 221 | # 222 | 223 | 224 | 225 | # 226 | # -= Paranoia Levels Finished =- 227 | # 228 | SecMarker "END-REQUEST-913-SCANNER-DETECTION" 229 | 230 | -------------------------------------------------------------------------------- /templates/default/REQUEST-921-PROTOCOL-ATTACK.conf.erb: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------ 2 | # OWASP ModSecurity Core Rule Set ver.3.0.2 3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved. 4 | # 5 | # The OWASP ModSecurity Core Rule Set is distributed under 6 | # Apache Software License (ASL) version 2 7 | # Please see the enclosed LICENSE file for full details. 8 | # ------------------------------------------------------------------------ 9 | 10 | # 11 | # -= Paranoia Level 0 (empty) =- (apply unconditionally) 12 | # 13 | 14 | 15 | 16 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:921011,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" 17 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:921012,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" 18 | # 19 | # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher) 20 | # 21 | 22 | # 23 | # -=[ HTTP Request Smuggling ]=- 24 | # 25 | # [ Rule Logic ] 26 | # This rule looks for a comma character in either the Content-Length or Transfer-Encoding 27 | # request headers. This character would indicate that there were more than one request header 28 | # with this same name. In these instances, Apache treats the data in a similar manner as 29 | # multiple cookie values. 
30 | # 31 | # [ References ] 32 | # http://projects.webappsec.org/HTTP-Request-Smuggling 33 | # http://article.gmane.org/gmane.comp.apache.mod-security.user/3299 34 | # 35 | SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," \ 36 | "msg:'HTTP Request Smuggling Attack.',\ 37 | phase:request,\ 38 | id:921100,\ 39 | rev:'2',\ 40 | ver:'OWASP_CRS/3.0.0',\ 41 | maturity:'9',\ 42 | accuracy:'9',\ 43 | severity:'CRITICAL',\ 44 | t:none,\ 45 | capture,\ 46 | block,\ 47 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 48 | tag:'application-multi',\ 49 | tag:'language-multi',\ 50 | tag:'platform-multi',\ 51 | tag:'attack-protocol',\ 52 | tag:'OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING',\ 53 | tag:'WASCTC/WASC-26',\ 54 | tag:'OWASP_TOP_10/A1',\ 55 | tag:'PCI/6.5.2',\ 56 | setvar:'tx.msg=%{rule.msg}',\ 57 | setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ 58 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 59 | setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING-%{matched_var_name}=%{tx.0}" 60 | 61 | # 62 | # -=[ HTTP Request Smuggling ]=- 63 | # 64 | # [ Rule Logic ] 65 | # This rule looks for a CR/LF character in combination with a HTTP / WEBDAV method name. 66 | # This would point to an attempt to inject a 2nd request into the request, thus bypassing 67 | # tests carried out on the primary request. 
68 | # 69 | # [ References ] 70 | # http://projects.webappsec.org/HTTP-Request-Smuggling 71 | # 72 | SecRule ARGS_NAMES|ARGS|XML:/* "(?:\n|\r)+(?:get|post|head|options|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock)\s+" \ 73 | "msg:'HTTP Request Smuggling Attack',\ 74 | phase:request,\ 75 | id:921110,\ 76 | rev:'1',\ 77 | ver:'OWASP_CRS/3.0.0',\ 78 | maturity:'5',\ 79 | accuracy:'5',\ 80 | severity:'CRITICAL',\ 81 | capture,\ 82 | tag:'application-multi',\ 83 | tag:'language-multi',\ 84 | tag:'platform-multi',\ 85 | tag:'attack-protocol',\ 86 | t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\ 87 | ctl:auditLogParts=+E,\ 88 | block,\ 89 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 90 | setvar:'tx.msg=%{rule.msg}',\ 91 | setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ 92 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 93 | setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/REQUEST-SMUGGLING-%{matched_var_name}=%{tx.0}" 94 | 95 | # 96 | # -=[ HTTP Response Splitting ]=- 97 | # 98 | # [ Rule Logic ] 99 | # These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters. 100 | # These characters may cause problems if the data is returned in a response header and 101 | # may be interpreted by an intermediary proxy server and treated as two separate 102 | # responses. 
103 | # 104 | # [ References ] 105 | # http://projects.webappsec.org/HTTP-Response-Splitting 106 | # 107 | SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "[\r\n]\W*?(?:content-(type|length)|set-cookie|location):" \ 108 | "msg:'HTTP Response Splitting Attack',\ 109 | phase:request,\ 110 | id:921120,\ 111 | rev:'2',\ 112 | ver:'OWASP_CRS/3.0.0',\ 113 | maturity:'9',\ 114 | accuracy:'9',\ 115 | severity:'CRITICAL',\ 116 | t:none,t:urlDecodeUni,t:lowercase,\ 117 | capture,\ 118 | tag:'application-multi',\ 119 | tag:'language-multi',\ 120 | tag:'platform-multi',\ 121 | tag:'attack-protocol',\ 122 | ctl:auditLogParts=+E,\ 123 | block,\ 124 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 125 | setvar:'tx.msg=%{rule.msg}',\ 126 | setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ 127 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 128 | setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}" 129 | 130 | 131 | SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \ 132 | "msg:'HTTP Response Splitting Attack',\ 133 | phase:request,\ 134 | id:921130,\ 135 | rev:'2',\ 136 | ver:'OWASP_CRS/3.0.0',\ 137 | maturity:'9',\ 138 | accuracy:'9',\ 139 | severity:'CRITICAL',\ 140 | capture,\ 141 | tag:'application-multi',\ 142 | tag:'language-multi',\ 143 | tag:'platform-multi',\ 144 | tag:'attack-protocol',\ 145 | t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\ 146 | ctl:auditLogParts=+E,\ 147 | block,\ 148 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 149 | setvar:'tx.msg=%{rule.msg}',\ 150 | setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ 151 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 152 | setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}" 
153 | 154 | # 155 | # -=[ HTTP Header Injection ]=- 156 | # 157 | # [ Rule Logic ] 158 | # These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters, 159 | # on their own or in combination with header field names. 160 | # These characters may cause problems if the data is returned in a response header 161 | # and interpreted by the client. 162 | # These rules are similar to those defending against HTTP Request Splitting and 163 | # Request Smuggling. 164 | # 165 | # [ References ] 166 | # https://en.wikipedia.org/wiki/HTTP_header_injection 167 | # 168 | SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "(\n|\r)" \ 169 | "msg:'HTTP Header Injection Attack via headers',\ 170 | phase:request,\ 171 | id:921140,\ 172 | rev:'1',\ 173 | ver:'OWASP_CRS/3.0.0',\ 174 | maturity:'5',\ 175 | accuracy:'5',\ 176 | severity:'CRITICAL',\ 177 | capture,\ 178 | tag:'application-multi',\ 179 | tag:'language-multi',\ 180 | tag:'platform-multi',\ 181 | tag:'attack-protocol',\ 182 | t:none,t:htmlEntityDecode,t:lowercase,\ 183 | ctl:auditLogParts=+E,\ 184 | block,\ 185 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 186 | setvar:'tx.msg=%{rule.msg}',\ 187 | setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ 188 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 189 | setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}" 190 | 191 | 192 | # Detect newlines in argument names. 193 | # Checking for GET arguments has been moved to paranoia level 2 (921151) 194 | # in order to mitigate possible false positives. 
195 | # 196 | SecRule ARGS_NAMES "(\n|\r)" \ 197 | "msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\ 198 | phase:request,\ 199 | id:921150,\ 200 | rev:'1',\ 201 | ver:'OWASP_CRS/3.0.0',\ 202 | maturity:'5',\ 203 | accuracy:'5',\ 204 | severity:'CRITICAL',\ 205 | capture,\ 206 | tag:'application-multi',\ 207 | tag:'language-multi',\ 208 | tag:'platform-multi',\ 209 | tag:'attack-protocol',\ 210 | t:none,t:urlDecodeUni,t:htmlEntityDecode,\ 211 | ctl:auditLogParts=+E,\ 212 | block,\ 213 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 214 | setvar:'tx.msg=%{rule.msg}',\ 215 | setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ 216 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 217 | setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}" 218 | 219 | 220 | SecRule ARGS_NAMES|ARGS|XML:/* "(?:\n|\r)+(?:\s+|location|refresh|(?:set-)?cookie|(X-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" \ 221 | "msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',\ 222 | phase:request,\ 223 | id:921160,\ 224 | rev:'1',\ 225 | ver:'OWASP_CRS/3.0.0',\ 226 | maturity:'5',\ 227 | accuracy:'5',\ 228 | severity:'CRITICAL',\ 229 | capture,\ 230 | tag:'application-multi',\ 231 | tag:'language-multi',\ 232 | tag:'platform-multi',\ 233 | tag:'attack-protocol',\ 234 | t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\ 235 | ctl:auditLogParts=+E,\ 236 | block,\ 237 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 238 | setvar:'tx.msg=%{rule.msg}',\ 239 | setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ 240 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 241 | setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}" 242 | 243 | 244 | 245 | SecRule TX:PARANOIA_LEVEL "@lt 2" 
"phase:1,id:921013,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" 246 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:921014,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" 247 | # 248 | # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher) 249 | # 250 | 251 | 252 | # Detect newlines in GET argument values. 253 | # These may point to an HTTP header injection attack, but can also sometimes 254 | # occur in benign query parameters. 255 | # 256 | # See also: rule 921140, 921150 257 | # 258 | SecRule ARGS_GET "(\n|\r)" \ 259 | "msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\ 260 | phase:request,\ 261 | id:921151,\ 262 | rev:'1',\ 263 | ver:'OWASP_CRS/3.0.0',\ 264 | maturity:'5',\ 265 | accuracy:'5',\ 266 | severity:'CRITICAL',\ 267 | capture,\ 268 | tag:'application-multi',\ 269 | tag:'language-multi',\ 270 | tag:'platform-multi',\ 271 | tag:'attack-protocol',\ 272 | tag:'paranoia-level/2',\ 273 | t:none,t:urlDecodeUni,t:htmlEntityDecode,\ 274 | ctl:auditLogParts=+E,\ 275 | block,\ 276 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 277 | setvar:'tx.msg=%{rule.msg}',\ 278 | setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ 279 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 280 | setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}" 281 | 282 | 283 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:921015,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" 284 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:921016,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" 285 | # 286 | # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher) 287 | # 288 | # 289 | 290 | # -=[ HTTP Parameter Pollution ]=- 291 | # 292 | # [ Rule Logic ] 293 | # These rules look for multiple parameters with the same name. 294 | # 921170 counts the occurrences of the individual parameters. 
295 | # 921180 checks if any counter is > 1. 296 | # 297 | # One HPP attack vector is to try to evade signature filters by distributing the 298 | # attack payload across multiple parameters with the same name. 299 | # This works because many security devices only apply signatures to individual 300 | # parameter payloads, whereas the back-end web application may (in the case 301 | # of ASP.NET) consolidate all of the payloads into one, thus making the 302 | # attack payload active. 303 | # 304 | # [ References ] 305 | # http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html 306 | # https://capec.mitre.org/data/definitions/460.html 307 | # 308 | SecRule ARGS_NAMES "." \ 309 | "phase:request,\ 310 | id:921170,\ 311 | rev:'2',\ 312 | ver:'OWASP_CRS/3.0.0',\ 313 | pass,\ 314 | nolog,\ 315 | tag:'application-multi',\ 316 | tag:'language-multi',\ 317 | tag:'platform-multi',\ 318 | tag:'attack-protocol',\ 319 | tag:'paranoia-level/3',\ 320 | tag:'CAPEC-460',\ 321 | setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'" 322 | 323 | SecRule TX:/paramcounter_.*/ "@gt 1" \ 324 | "msg:'HTTP Parameter Pollution (%{TX.1})',\ 325 | chain,\ 326 | phase:request,\ 327 | id:921180,\ 328 | rev:'2',\ 329 | ver:'OWASP_CRS/3.0.0',\ 330 | maturity:'7',\ 331 | accuracy:'8',\ 332 | severity:'CRITICAL',\ 333 | pass,\ 334 | tag:'application-multi',\ 335 | tag:'language-multi',\ 336 | tag:'platform-multi',\ 337 | tag:'attack-protocol',\ 338 | tag:'paranoia-level/3',\ 339 | tag:'CAPEC-460',\ 340 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'" 341 | SecRule MATCHED_VARS_NAMES "TX:paramcounter_(.*)" \ 342 | "capture,\ 343 | setvar:tx.msg=%{rule.msg},\ 344 | setvar:tx.http_violation_score=+%{tx.critical_anomaly_score},\ 345 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 346 | setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HTTP_PARAMETER_POLLUTION-%{matched_var_name}=%{tx.0}" 347 | 348 | 349 | 350 | SecRule TX:PARANOIA_LEVEL "@lt 4" 
"phase:1,id:921017,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" 351 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:921018,nolog,pass,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" 352 | # 353 | # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher) 354 | # 355 | 356 | 357 | 358 | # 359 | # -= Paranoia Levels Finished =- 360 | # 361 | SecMarker "END-REQUEST-921-PROTOCOL-ATTACK" 362 | 363 | -------------------------------------------------------------------------------- /templates/default/REQUEST-930-APPLICATION-ATTACK-LFI.conf.erb: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------ 2 | # OWASP ModSecurity Core Rule Set ver.3.0.2 3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved. 4 | # 5 | # The OWASP ModSecurity Core Rule Set is distributed under 6 | # Apache Software License (ASL) version 2 7 | # Please see the enclosed LICENSE file for full details. 
8 | # ------------------------------------------------------------------------ 9 | 10 | # 11 | # -= Paranoia Level 0 (empty) =- (apply unconditionally) 12 | # 13 | 14 | 15 | 16 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:930011,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" 17 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:930012,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" 18 | # 19 | # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher) 20 | # 21 | 22 | # 23 | # -=[ Directory Traversal Attacks ]=- 24 | # 25 | # Ref: https://github.com/wireghoul/dotdotpwn 26 | # 27 | # [ Encoded /../ Payloads ] 28 | # 29 | SecRule REQUEST_URI_RAW|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "(?i)(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\.))|\.(?:%0[01]|\?)?|\?\.?|0x2e){2}(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))" \ 30 | "phase:request,\ 31 | msg:'Path Traversal Attack (/../)',\ 32 | id:930100,\ 33 | ver:'OWASP_CRS/3.0.0',\ 34 | rev:'3',\ 35 | maturity:'9',\ 36 | accuracy:'7',\ 37 | t:none,\ 38 | block,\ 39 | severity:CRITICAL,\ 40 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 41 | capture,\ 42 | tag:'application-multi',\ 43 | tag:'language-multi',\ 44 | tag:'platform-multi',\ 45 | tag:'attack-lfi',\ 46 | tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\ 47 | setvar:'tx.msg=%{rule.msg}',\ 48 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 49 | 
setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\ 50 | setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'" 51 | 52 | # 53 | # [ Decoded /../ Payloads ] 54 | # 55 | SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@pm ..\ ../" \ 56 | "phase:request,\ 57 | msg:'Path Traversal Attack (/../)',\ 58 | id:930110,\ 59 | ver:'OWASP_CRS/3.0.0',\ 60 | rev:'1',\ 61 | maturity:'9',\ 62 | accuracy:'7',\ 63 | multiMatch,\ 64 | t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\ 65 | block,\ 66 | severity:CRITICAL,\ 67 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 68 | capture,\ 69 | tag:'application-multi',\ 70 | tag:'language-multi',\ 71 | tag:'platform-multi',\ 72 | tag:'attack-lfi',\ 73 | tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\ 74 | setvar:'tx.msg=%{rule.msg}',\ 75 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 76 | setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\ 77 | setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'" 78 | 79 | # 80 | # -=[ OS File Access ]=- 81 | # 82 | # Ref: https://github.com/lightos/Panoptic/blob/master/cases.xml 83 | # 84 | SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf lfi-os-files.data" \ 85 | "phase:request,\ 86 | msg:'OS File Access Attempt',\ 87 | rev:'4',\ 88 | ver:'OWASP_CRS/3.0.0',\ 89 | maturity:'9',\ 90 | accuracy:'9',\ 91 | capture,\ 92 | t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\ 93 | block,\ 94 | id:930120,\ 95 | tag:'application-multi',\ 96 | tag:'language-multi',\ 97 | tag:'platform-multi',\ 98 | tag:'attack-lfi',\ 99 | tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\ 100 | tag:'WASCTC/WASC-33',\ 101 | tag:'OWASP_TOP_10/A4',\ 102 | tag:'PCI/6.5.4',\ 103 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 104 | severity:'CRITICAL',\ 105 | 
setvar:'tx.msg=%{rule.msg}',\ 106 | setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\ 107 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 108 | setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}" 109 | 110 | # 111 | # -=[ Restricted File Access ]=- 112 | # 113 | # Detects attempts to retrieve application source code, metadata, 114 | # credentials and version control history possibly reachable in a web root. 115 | # 116 | SecRule REQUEST_FILENAME "@pmf restricted-files.data" \ 117 | "phase:request,\ 118 | msg:'Restricted File Access Attempt',\ 119 | rev:'1',\ 120 | ver:'OWASP_CRS/3.0.0',\ 121 | maturity:'7',\ 122 | accuracy:'8',\ 123 | capture,\ 124 | t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\ 125 | block,\ 126 | id:930130,\ 127 | tag:'application-multi',\ 128 | tag:'language-multi',\ 129 | tag:'platform-multi',\ 130 | tag:'attack-lfi',\ 131 | tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\ 132 | tag:'WASCTC/WASC-33',\ 133 | tag:'OWASP_TOP_10/A4',\ 134 | tag:'PCI/6.5.4',\ 135 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 136 | severity:'CRITICAL',\ 137 | setvar:'tx.msg=%{rule.msg}',\ 138 | setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\ 139 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 140 | setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}" 141 | 142 | 143 | 144 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:930013,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" 145 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:930014,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" 146 | # 147 | # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher) 148 | # 149 | 150 | 151 | 152 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:930015,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" 153 | SecRule TX:PARANOIA_LEVEL "@lt 3" 
"phase:2,id:930016,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" 154 | # 155 | # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher) 156 | # 157 | 158 | 159 | 160 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:930017,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" 161 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:930018,nolog,pass,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" 162 | # 163 | # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher) 164 | # 165 | 166 | 167 | 168 | # 169 | # -= Paranoia Levels Finished =- 170 | # 171 | SecMarker "END-REQUEST-930-APPLICATION-ATTACK-LFI" 172 | 173 | -------------------------------------------------------------------------------- /templates/default/REQUEST-931-APPLICATION-ATTACK-RFI.conf.erb: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------ 2 | # OWASP ModSecurity Core Rule Set ver.3.0.2 3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved. 4 | # 5 | # The OWASP ModSecurity Core Rule Set is distributed under 6 | # Apache Software License (ASL) version 2 7 | # Please see the enclosed LICENSE file for full details. 
8 | # ------------------------------------------------------------------------ 9 | # 10 | # RFI Attacks 11 | # 12 | 13 | # 14 | # -= Paranoia Level 0 (empty) =- (apply unconditionally) 15 | # 16 | 17 | 18 | 19 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:931011,nolog,pass,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" 20 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:931012,nolog,pass,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" 21 | # 22 | # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher) 23 | # 24 | 25 | # -=[ Rule Logic ]=- 26 | # These rules look for common types of Remote File Inclusion (RFI) attack methods. 27 | # - URL Contains an IP Address 28 | # - The PHP "include()" Function 29 | # - RFI Data Ends with Question Mark(s) (?) 30 | # - RFI Host Doesn't Match Local Host 31 | # 32 | # -=[ References ]=- 33 | # http://projects.webappsec.org/Remote-File-Inclusion 34 | # http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html 35 | # 36 | SecRule ARGS "^(?i)(?:file|ftps?|https?):\/\/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \ 37 | "msg:'Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address',\ 38 | severity:CRITICAL,\ 39 | phase:request,\ 40 | id:931100, \ 41 | rev:'2',\ 42 | ver:'OWASP_CRS/3.0.0',\ 43 | maturity:'9',\ 44 | accuracy:'9',\ 45 | t:none,\ 46 | capture,\ 47 | ctl:auditLogParts=+E,\ 48 | block,\ 49 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 50 | tag:'application-multi',\ 51 | tag:'language-multi',\ 52 | tag:'platform-multi',\ 53 | tag:'attack-rfi',\ 54 | tag:'OWASP_CRS/WEB_ATTACK/RFI',\ 55 | setvar:'tx.msg=%{rule.msg}',\ 56 | setvar:tx.rfi_score=+%{tx.critical_anomaly_score},\ 57 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 58 | setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}" 59 | 60 | SecRule QUERY_STRING|REQUEST_BODY 
"(?i:(\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(file|ftps?|https?):\/\/)" \ 61 | "phase:request,\ 62 | rev:'3',\ 63 | ver:'OWASP_CRS/3.0.0',\ 64 | maturity:'9',\ 65 | accuracy:'9',\ 66 | t:none,t:urlDecodeUni,\ 67 | capture,\ 68 | ctl:auditLogParts=+E,\ 69 | block,\ 70 | msg:'Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload',\ 71 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 72 | id:931110,\ 73 | severity:'CRITICAL',\ 74 | tag:'application-multi',\ 75 | tag:'language-multi',\ 76 | tag:'platform-multi',\ 77 | tag:'attack-rfi',\ 78 | tag:'OWASP_CRS/WEB_ATTACK/RFI',\ 79 | setvar:'tx.msg=%{rule.msg}',\ 80 | setvar:tx.rfi_score=+%{tx.critical_anomaly_score},\ 81 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 82 | setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}" 83 | 84 | SecRule ARGS "^(?i)(?:file|ftps?|https?)(.*?)\?+$" \ 85 | "phase:request,\ 86 | rev:'2',\ 87 | ver:'OWASP_CRS/3.0.0',\ 88 | maturity:'9',\ 89 | accuracy:'9',\ 90 | t:none,\ 91 | capture,\ 92 | ctl:auditLogParts=+E,\ 93 | block,\ 94 | msg:'Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)',\ 95 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 96 | id:931120,\ 97 | severity:'CRITICAL',\ 98 | tag:'application-multi',\ 99 | tag:'language-multi',\ 100 | tag:'platform-multi',\ 101 | tag:'attack-rfi',\ 102 | tag:'OWASP_CRS/WEB_ATTACK/RFI',\ 103 | setvar:'tx.msg=%{rule.msg}',\ 104 | setvar:tx.rfi_score=+%{tx.critical_anomaly_score},\ 105 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 106 | setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}" 107 | 108 | 109 | 110 | SecRule TX:PARANOIA_LEVEL "@lt 2" 
"phase:1,id:931013,nolog,pass,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" 111 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:931014,nolog,pass,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" 112 | # 113 | # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher) 114 | # 115 | 116 | SecRule ARGS "^(?i)(?:file|ftps?|https?)://(.*)$" \ 117 | "chain,\ 118 | phase:request,\ 119 | rev:'3',\ 120 | ver:'OWASP_CRS/3.0.0',\ 121 | maturity:'9',\ 122 | accuracy:'9',\ 123 | t:none,\ 124 | capture,\ 125 | ctl:auditLogParts=+E,\ 126 | block,\ 127 | msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',\ 128 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 129 | id:931130,\ 130 | severity:'CRITICAL',\ 131 | tag:'application-multi',\ 132 | tag:'language-multi',\ 133 | tag:'platform-multi',\ 134 | tag:'attack-rfi',\ 135 | tag:'OWASP_CRS/WEB_ATTACK/RFI',\ 136 | tag:'paranoia-level/2'" 137 | SecRule TX:1 "!@beginsWith %{request_headers.host}" \ 138 | "setvar:'tx.msg=%{rule.msg}',\ 139 | setvar:tx.rfi_score=+%{tx.critical_anomaly_score},\ 140 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 141 | setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.1}" 142 | 143 | 144 | 145 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:931015,nolog,pass,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" 146 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:931016,nolog,pass,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" 147 | # 148 | # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher) 149 | # 150 | 151 | 152 | 153 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:931017,nolog,pass,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" 154 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:931018,nolog,pass,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" 155 | # 156 | # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is 
sufficiently high: 4 or higher) 157 | # 158 | 159 | 160 | 161 | # 162 | # -= Paranoia Levels Finished =- 163 | # 164 | SecMarker "END-REQUEST-931-APPLICATION-ATTACK-RFI" 165 | 166 | -------------------------------------------------------------------------------- /templates/default/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf.erb: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------ 2 | # OWASP ModSecurity Core Rule Set ver.3.0.2 3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved. 4 | # 5 | # The OWASP ModSecurity Core Rule Set is distributed under 6 | # Apache Software License (ASL) version 2 7 | # Please see the enclosed LICENSE file for full details. 8 | # ------------------------------------------------------------------------ 9 | 10 | # 11 | # -= Paranoia Level 0 (empty) =- (apply unconditionally) 12 | # 13 | 14 | 15 | 16 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:943011,nolog,pass,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" 17 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:943012,nolog,pass,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" 18 | # 19 | # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher) 20 | # 21 | 22 | # 23 | # Session fixation 24 | # 25 | # -=[ References ]=- 26 | # http://projects.webappsec.org/Session-Fixation 27 | # http://projects.webappsec.org/w/page/13246960/Session%20Fixation 28 | # http://capec.mitre.org/data/definitions/61.html 29 | # 30 | SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i)(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \ 31 | "msg:'Possible Session Fixation Attack: Setting Cookie Values in HTML',\ 32 | phase:request,\ 33 | rev:'2',\ 34 | ver:'OWASP_CRS/3.0.0',\ 35 | maturity:'9',\ 36 | accuracy:'9',\ 37 | 
severity:'CRITICAL',\ 38 | t:none,t:urlDecodeUni,\ 39 | capture,\ 40 | ctl:auditLogParts=+E,\ 41 | block,\ 42 | id:943100,\ 43 | tag:'application-multi',\ 44 | tag:'language-multi',\ 45 | tag:'platform-multi',\ 46 | tag:'attack-fixation',\ 47 | tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\ 48 | tag:'WASCTC/WASC-37',\ 49 | tag:'CAPEC-61',\ 50 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 51 | setvar:'tx.msg=%{rule.msg}',\ 52 | setvar:tx.session_fixation_score=+%{tx.critical_anomaly_score},\ 53 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 54 | setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}" 55 | 56 | 57 | SecRule ARGS_NAMES "@rx ^(jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \ 58 | "msg:'Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer',\ 59 | phase:request,\ 60 | rev:'2',\ 61 | ver:'OWASP_CRS/3.0.0',\ 62 | maturity:'2',\ 63 | accuracy:'7',\ 64 | id:943110,\ 65 | t:none,t:urlDecodeUni,t:lowercase,\ 66 | capture,\ 67 | ctl:auditLogParts=+E,\ 68 | block,\ 69 | severity:'CRITICAL',\ 70 | tag:'application-multi',\ 71 | tag:'language-multi',\ 72 | tag:'platform-multi',\ 73 | tag:'attack-fixation',\ 74 | tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\ 75 | tag:'WASCTC/WASC-37',\ 76 | tag:'CAPEC-61',\ 77 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 78 | chain" 79 | SecRule REQUEST_HEADERS:Referer "^(?:ht|f)tps?://(.*?)\/" \ 80 | "capture,\ 81 | chain" 82 | SecRule TX:1 "!@endsWith %{request_headers.host}" \ 83 | "setvar:'tx.msg=%{rule.msg}',\ 84 | setvar:tx.session_fixation_score=+%{tx.critical_anomaly_score},\ 85 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 86 | setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}" 87 | 88 | 89 | SecRule ARGS_NAMES "@rx 
^(jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \ 90 | "msg:'Possible Session Fixation Attack: SessionID Parameter Name with No Referer',\ 91 | phase:request,\ 92 | rev:'2',\ 93 | ver:'OWASP_CRS/3.0.0',\ 94 | maturity:'2',\ 95 | accuracy:'7',\ 96 | id:943120,\ 97 | t:none,t:urlDecodeUni,t:lowercase,\ 98 | capture,\ 99 | ctl:auditLogParts=+E,\ 100 | severity:'CRITICAL',\ 101 | block,\ 102 | tag:'application-multi',\ 103 | tag:'language-multi',\ 104 | tag:'platform-multi',\ 105 | tag:'attack-fixation',\ 106 | tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\ 107 | tag:'WASCTC/WASC-37',\ 108 | tag:'CAPEC-61',\ 109 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 110 | chain" 111 | SecRule &REQUEST_HEADERS:Referer "@eq 0" \ 112 | "setvar:'tx.msg=%{rule.msg}',\ 113 | setvar:tx.session_fixation_score=+%{tx.critical_anomaly_score},\ 114 | setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\ 115 | setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}" 116 | 117 | 118 | 119 | 120 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:943013,nolog,pass,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" 121 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:943014,nolog,pass,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" 122 | # 123 | # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher) 124 | # 125 | 126 | 127 | 128 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:943015,nolog,pass,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" 129 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:943016,nolog,pass,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" 130 | # 131 | # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher) 132 | # 133 | 134 | 135 | 136 | SecRule TX:PARANOIA_LEVEL "@lt 4" 
"phase:1,id:943017,nolog,pass,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" 137 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:943018,nolog,pass,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" 138 | # 139 | # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher) 140 | # 141 | 142 | 143 | 144 | # 145 | # -= Paranoia Levels Finished =- 146 | # 147 | SecMarker "END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" 148 | 149 | -------------------------------------------------------------------------------- /templates/default/REQUEST-949-BLOCKING-EVALUATION.conf.erb: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------ 2 | # OWASP ModSecurity Core Rule Set ver.3.0.2 3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved. 4 | # 5 | # The OWASP ModSecurity Core Rule Set is distributed under 6 | # Apache Software License (ASL) version 2 7 | # Please see the enclosed LICENSE file for full details. 8 | # ------------------------------------------------------------------------ 9 | 10 | # 11 | # -= Paranoia Level 0 (empty) =- (apply unconditionally) 12 | # 13 | 14 | SecMarker BEGIN_REQUEST_BLOCKING_EVAL 15 | 16 | # These rules use the anomaly score settings specified in the 10 config file. 17 | # You should also set the desired disruptive action (deny, redirect, etc...). 
18 | # 19 | # -=[ IP Reputation Checks ]=- 20 | # 21 | # Block based on variable IP.REPUT_BLOCK_FLAG and TX.DO_REPUT_BLOCK 22 | # 23 | SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \ 24 | "msg:'Request Denied by IP Reputation Enforcement.',\ 25 | severity:CRITICAL,\ 26 | phase:request,\ 27 | id:949100,\ 28 | deny,\ 29 | log,\ 30 | logdata:'Previous Block Reason: %{ip.reput_block_reason}',\ 31 | tag:'application-multi',\ 32 | tag:'language-multi',\ 33 | tag:'platform-multi',\ 34 | tag:'attack-reputation-ip',\ 35 | chain" 36 | SecRule TX:DO_REPUT_BLOCK "@eq 1" \ 37 | "setvar:tx.inbound_tx_msg=%{tx.msg},\ 38 | setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}" 39 | 40 | 41 | # 42 | # -=[ Anomaly Mode: Overall Transaction Anomaly Score ]=- 43 | # 44 | SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \ 45 | "msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',\ 46 | severity:CRITICAL,\ 47 | phase:request,\ 48 | id:949110,\ 49 | t:none,\ 50 | deny,\ 51 | log,\ 52 | tag:'application-multi',\ 53 | tag:'language-multi',\ 54 | tag:'platform-multi',\ 55 | tag:'attack-generic',\ 56 | setvar:tx.inbound_tx_msg=%{tx.msg},\ 57 | setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}" 58 | 59 | 60 | 61 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:949011,nolog,pass,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" 62 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:949012,nolog,pass,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" 63 | # 64 | # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher) 65 | # 66 | 67 | 68 | 69 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:949013,nolog,pass,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" 70 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:949014,nolog,pass,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" 71 | # 72 | # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher) 73 | # 74 | 75 | 76 | 77 | SecRule TX:PARANOIA_LEVEL "@lt 
3" "phase:1,id:949015,nolog,pass,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" 78 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:949016,nolog,pass,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" 79 | # 80 | # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher) 81 | # 82 | 83 | 84 | 85 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:949017,nolog,pass,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" 86 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:949018,nolog,pass,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" 87 | # 88 | # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher) 89 | # 90 | 91 | 92 | 93 | # 94 | # -= Paranoia Levels Finished =- 95 | # 96 | SecMarker "END-REQUEST-949-BLOCKING-EVALUATION" 97 | 98 | -------------------------------------------------------------------------------- /templates/default/RESPONSE-950-DATA-LEAKAGES.conf.erb: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------ 2 | # OWASP ModSecurity Core Rule Set ver.3.0.2 3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved. 4 | # 5 | # The OWASP ModSecurity Core Rule Set is distributed under 6 | # Apache Software License (ASL) version 2 7 | # Please see the enclosed LICENSE file for full details. 8 | # ------------------------------------------------------------------------ 9 | 10 | # The paranoia level skip rules 950020, 950021 and 950022 have odd 11 | # numbers not in sync with other paranoia level skip rules in other 12 | # files. This is done to avoid rule id collisions with CRSv2. 13 | # This is also true for rule 950130. 
14 | 15 | # 16 | # -= Paranoia Level 0 (empty) =- (apply unconditionally) 17 | # 18 | 19 | 20 | 21 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:3,id:950020,nolog,pass,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" 22 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:4,id:950021,nolog,pass,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" 23 | # 24 | # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher) 25 | # 26 | 27 | # 28 | # -=[ Directory Listing ]=- 29 | # 30 | #SecRule RESPONSE_BODY "(?:<(?:TITLE>Index of.*?Index of.*?Index of|>\[To Parent Directory\]<\/[Aa]>
)" \ 31 | # "phase:response,\ 32 | # rev:'2',\ 33 | # ver:'OWASP_CRS/3.0.0',\ 34 | # maturity:'9',\ 35 | # accuracy:'9',\ 36 | # t:none,\ 37 | # capture,\ 38 | # ctl:auditLogParts=+E,\ 39 | # block,\ 40 | # msg:'Directory Listing',\ 41 | # logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 42 | # id:950130,\ 43 | # tag:'application-multi',\ 44 | # tag:'language-multi',\ 45 | # tag:'platform-multi',\ 46 | # tag:'attack-disclosure',\ 47 | # tag:'OWASP_CRS/LEAKAGE/INFO_DIRECTORY_LISTING',\ 48 | # tag:'WASCTC/WASC-13',\ 49 | # tag:'OWASP_TOP_10/A6',\ 50 | # tag:'PCI/6.5.6',\ 51 | # severity:'ERROR',\ 52 | # setvar:'tx.msg=%{rule.msg}',\ 53 | # setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\ 54 | # setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\ 55 | # setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/INFO-%{matched_var_name}=%{tx.0}" 56 | 57 | 58 | 59 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:3,id:950013,nolog,pass,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" 60 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:4,id:950014,nolog,pass,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" 61 | # 62 | # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher) 63 | # 64 | 65 | # 66 | # -=[ The application is not available - 5xx level status code ]=- 67 | # 68 | SecRule RESPONSE_STATUS "^5\d{2}$" \ 69 | "phase:response,\ 70 | rev:'3',\ 71 | ver:'OWASP_CRS/3.0.0',\ 72 | maturity:'9',\ 73 | accuracy:'9',\ 74 | t:none,\ 75 | capture,\ 76 | ctl:auditLogParts=+E,\ 77 | block,\ 78 | msg:'The Application Returned a 500-Level Status Code',\ 79 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 80 | id:950100,\ 81 | tag:'application-multi',\ 82 | tag:'language-multi',\ 83 | tag:'platform-multi',\ 84 | tag:'attack-disclosure',\ 85 | tag:'WASCTC/WASC-13',\ 86 | tag:'OWASP_TOP_10/A6',\ 87 | tag:'PCI/6.5.6',\ 88 | tag:'paranoia-level/2',\ 89 | severity:'ERROR',\ 90 | setvar:'tx.msg=%{rule.msg}',\ 91 
| setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\ 92 | setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\ 93 | setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}" 94 | 95 | 96 | 97 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:3,id:950015,nolog,pass,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" 98 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:4,id:950016,nolog,pass,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" 99 | # 100 | # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher) 101 | # 102 | 103 | 104 | 105 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:3,id:950017,nolog,pass,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" 106 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:4,id:950022,nolog,pass,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" 107 | # 108 | # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher) 109 | # 110 | 111 | 112 | 113 | # 114 | # -= Paranoia Levels Finished =- 115 | # 116 | SecMarker "END-RESPONSE-950-DATA-LEAKAGES" 117 | 118 | -------------------------------------------------------------------------------- /templates/default/RESPONSE-952-DATA-LEAKAGES-JAVA.conf.erb: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------ 2 | # OWASP ModSecurity Core Rule Set ver.3.0.2 3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved. 4 | # 5 | # The OWASP ModSecurity Core Rule Set is distributed under 6 | # Apache Software License (ASL) version 2 7 | # Please see the enclosed LICENSE file for full details. 
8 | # ------------------------------------------------------------------------ 9 | 10 | # 11 | # -= Paranoia Level 0 (empty) =- (apply unconditionally) 12 | # 13 | 14 | 15 | 16 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:3,id:952011,nolog,pass,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" 17 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:4,id:952012,nolog,pass,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" 18 | # 19 | # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher) 20 | # 21 | 22 | # 23 | # -=[ Java Source Code Leakages ]=- 24 | # 25 | SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \ 26 | "phase:4,\ 27 | rev:'3',\ 28 | ver:'OWASP_CRS/3.0.0',\ 29 | maturity:'9',\ 30 | accuracy:'9',\ 31 | t:none,\ 32 | capture,\ 33 | ctl:auditLogParts=+E,\ 34 | block,\ 35 | msg:'Java Source Code Leakage',\ 36 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 37 | id:952100,\ 38 | tag:'application-multi',\ 39 | tag:'language-java',\ 40 | tag:'platform-multi',\ 41 | tag:'attack-disclosure',\ 42 | tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_JAVA',\ 43 | tag:'WASCTC/WASC-13',\ 44 | tag:'OWASP_TOP_10/A6',\ 45 | tag:'PCI/6.5.6',\ 46 | severity:'ERROR',\ 47 | setvar:'tx.msg=%{rule.msg}',\ 48 | setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\ 49 | setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\ 50 | setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}" 51 | 52 | # 53 | # -=[ Java Errors ]=- 54 | # 55 | # Ref: https://github.com/andresriancho/w3af/blob/master/plugins/grep/error_pages.py 56 | # 57 | SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \ 58 | "phase:4,\ 59 | rev:'3',\ 60 | ver:'OWASP_CRS/3.0.0',\ 61 | maturity:'9',\ 62 | accuracy:'9',\ 63 | t:none,\ 64 | capture,\ 65 | ctl:auditLogParts=+E,\ 66 | block,\ 67 | msg:'Java Errors',\ 68 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 69 | id:952110,\ 70 | 
tag:'application-multi',\ 71 | tag:'language-java',\ 72 | tag:'platform-multi',\ 73 | tag:'attack-disclosure',\ 74 | tag:'OWASP_CRS/LEAKAGE/ERRORS_JAVA',\ 75 | tag:'WASCTC/WASC-13',\ 76 | tag:'OWASP_TOP_10/A6',\ 77 | tag:'PCI/6.5.6',\ 78 | severity:'ERROR',\ 79 | setvar:'tx.msg=%{rule.msg}',\ 80 | setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\ 81 | setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\ 82 | setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}" 83 | 84 | 85 | 86 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:3,id:952013,nolog,pass,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" 87 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:4,id:952014,nolog,pass,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" 88 | # 89 | # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher) 90 | # 91 | 92 | 93 | 94 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:3,id:952015,nolog,pass,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" 95 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:4,id:952016,nolog,pass,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" 96 | # 97 | # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher) 98 | # 99 | 100 | 101 | 102 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:3,id:952017,nolog,pass,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" 103 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:4,id:952018,nolog,pass,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA" 104 | # 105 | # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher) 106 | # 107 | 108 | 109 | 110 | # 111 | # -= Paranoia Levels Finished =- 112 | # 113 | SecMarker "END-RESPONSE-952-DATA-LEAKAGES-JAVA" 114 | 115 | -------------------------------------------------------------------------------- /templates/default/RESPONSE-953-DATA-LEAKAGES-PHP.conf.erb: -------------------------------------------------------------------------------- 1 | # 
------------------------------------------------------------------------ 2 | # OWASP ModSecurity Core Rule Set ver.3.0.2 3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved. 4 | # 5 | # The OWASP ModSecurity Core Rule Set is distributed under 6 | # Apache Software License (ASL) version 2 7 | # Please see the enclosed LICENSE file for full details. 8 | # ------------------------------------------------------------------------ 9 | 10 | # 11 | # -= Paranoia Level 0 (empty) =- (apply unconditionally) 12 | # 13 | 14 | 15 | 16 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:3,id:953011,nolog,pass,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" 17 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:4,id:953012,nolog,pass,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP" 18 | # 19 | # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher) 20 | # 21 | 22 | # 23 | # -=[ PHP Error Message Leakage ]=- 24 | # 25 | SecRule RESPONSE_BODY "@pmf php-errors.data" \ 26 | "msg:'PHP Information Leakage',\ 27 | id:953100,\ 28 | phase:response,\ 29 | ver:'OWASP_CRS/3.0.0',\ 30 | rev:'3',\ 31 | maturity:'9',\ 32 | accuracy:'9',\ 33 | t:none,\ 34 | capture,\ 35 | ctl:auditLogParts=+E,\ 36 | block,\ 37 | severity:'ERROR',\ 38 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 39 | tag:'application-multi',\ 40 | tag:'language-php',\ 41 | tag:'platform-multi',\ 42 | tag:'attack-disclosure',\ 43 | tag:'OWASP_CRS/LEAKAGE/ERRORS_PHP',\ 44 | tag:'WASCTC/WASC-13',\ 45 | tag:'OWASP_TOP_10/A6',\ 46 | tag:'PCI/6.5.6',\ 47 | setvar:'tx.msg=%{rule.msg}',\ 48 | setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\ 49 | setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}" 50 | 51 | # 52 | # -=[ PHP source code leakage ]=- 53 | # 54 | # Detect some common PHP keywords in output. 
55 | # 56 | SecRule RESPONSE_BODY "(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" \ 57 | "phase:response,\ 58 | rev:'2',\ 59 | ver:'OWASP_CRS/3.0.0',\ 60 | maturity:'9',\ 61 | accuracy:'9',\ 62 | t:none,\ 63 | capture,\ 64 | ctl:auditLogParts=+E,\ 65 | block,\ 66 | msg:'PHP source code leakage',\ 67 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 68 | id:953110,\ 69 | tag:'application-multi',\ 70 | tag:'language-php',\ 71 | tag:'platform-multi',\ 72 | tag:'attack-disclosure',\ 73 | tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_PHP',\ 74 | tag:'WASCTC/WASC-13',\ 75 | tag:'OWASP_TOP_10/A6',\ 76 | tag:'PCI/6.5.6',\ 77 | severity:'ERROR',\ 78 | setvar:'tx.msg=%{rule.msg}',\ 79 | setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\ 80 | setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\ 81 | setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{matched_var_name}=%{tx.0}" 82 | 83 | # Detect the presence of the PHP open tag ".{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)
Timeout expired
)|

internal server error<\/h1>.*?

part of the server has crashed or it has a configuration error\.<\/h2>|cannot connect to the server: timed out)" \ 52 | "phase:4,\ 53 | rev:'3',\ 54 | ver:'OWASP_CRS/3.0.0',\ 55 | maturity:'9',\ 56 | accuracy:'9',\ 57 | t:none,\ 58 | capture,\ 59 | ctl:auditLogParts=+E,\ 60 | block,\ 61 | msg:'Application Availability Error',\ 62 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 63 | id:954110,\ 64 | tag:'application-multi',\ 65 | tag:'language-multi',\ 66 | tag:'platform-iis',\ 67 | tag:'platform-windows',\ 68 | tag:'attack-disclosure',\ 69 | tag:'WASCTC/WASC-13',\ 70 | tag:'OWASP_TOP_10/A6',\ 71 | tag:'PCI/6.5.6',\ 72 | severity:'ERROR',\ 73 | setvar:'tx.msg=%{rule.msg}',\ 74 | setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\ 75 | setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\ 76 | setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}" 77 | 78 | # 79 | # IIS Errors leakage 80 | # 81 | SecRule RESPONSE_BODY "(?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application uses a value of the wrong type for the current operation\b|error')| trappable error occurred in an external object\. 
The script cannot continue running\b)|Microsoft VBScript (?:compilation (?:\(0x8|error)|runtime (?:Error|\(0x8))\b|Object required: '|error '800)|Version Information:<\/b>(?: |\s)(?:Microsoft \.NET Framework|ASP\.NET) Version:|>error 'ASP\b|An Error Has Occurred|>Syntax error in string in query expression|\/[Ee]rror[Mm]essage\.aspx?\?[Ee]rror\b)" \ 82 | "phase:4,\ 83 | rev:'2',\ 84 | ver:'OWASP_CRS/3.0.0',\ 85 | maturity:'9',\ 86 | accuracy:'9',\ 87 | t:none,\ 88 | capture,\ 89 | ctl:auditLogParts=+E,\ 90 | block,\ 91 | msg:'IIS Information Leakage',\ 92 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 93 | id:954120,\ 94 | tag:'application-multi',\ 95 | tag:'language-multi',\ 96 | tag:'platform-iis',\ 97 | tag:'platform-windows',\ 98 | tag:'attack-disclosure',\ 99 | tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',\ 100 | tag:'WASCTC/WASC-13',\ 101 | tag:'OWASP_TOP_10/A6',\ 102 | tag:'PCI/6.5.6',\ 103 | severity:'ERROR',\ 104 | setvar:'tx.msg=%{rule.msg}',\ 105 | setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\ 106 | setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\ 107 | setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}" 108 | 109 | 110 | SecRule RESPONSE_STATUS "!^404$" \ 111 | "phase:4,\ 112 | rev:'2',\ 113 | ver:'OWASP_CRS/3.0.0',\ 114 | maturity:'9',\ 115 | accuracy:'9',\ 116 | t:none,\ 117 | capture,\ 118 | ctl:auditLogParts=+E,\ 119 | block,\ 120 | msg:'IIS Information Leakage',\ 121 | logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ 122 | id:954130,\ 123 | tag:'application-multi',\ 124 | tag:'language-multi',\ 125 | tag:'platform-iis',\ 126 | tag:'platform-windows',\ 127 | tag:'attack-disclosure',\ 128 | tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',\ 129 | tag:'WASCTC/WASC-13',\ 130 | tag:'OWASP_TOP_10/A6',\ 131 | tag:'PCI/6.5.6',\ 132 | severity:'ERROR',\ 133 | chain" 134 | SecRule RESPONSE_BODY "\bServer Error in.{0,50}?\bApplication\b" \ 135 | "t:none,\ 136 | capture,\ 
137 | setvar:'tx.msg=%{rule.msg}',\ 138 | setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\ 139 | setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\ 140 | setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}" 141 | 142 | 143 | 144 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:3,id:954013,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" 145 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:4,id:954014,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" 146 | # 147 | # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher) 148 | # 149 | 150 | 151 | 152 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:3,id:954015,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" 153 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:4,id:954016,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" 154 | # 155 | # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher) 156 | # 157 | 158 | 159 | 160 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:3,id:954017,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" 161 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:4,id:954018,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" 162 | # 163 | # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher) 164 | # 165 | 166 | 167 | 168 | # 169 | # -= Paranoia Levels Finished =- 170 | # 171 | SecMarker "END-RESPONSE-954-DATA-LEAKAGES-IIS" 172 | 173 | -------------------------------------------------------------------------------- /templates/default/RESPONSE-959-BLOCKING-EVALUATION.conf.erb: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------ 2 | # OWASP ModSecurity Core Rule Set ver.3.0.2 3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved. 
4 | # 5 | # The OWASP ModSecurity Core Rule Set is distributed under 6 | # Apache Software License (ASL) version 2 7 | # Please see the enclosed LICENSE file for full details. 8 | # ------------------------------------------------------------------------ 9 | 10 | # You should set the score to the proper threshold you would prefer. If kept at "@gt 0" 11 | # it will work similarly to previous Mod CRS rules and will create an event in the error_log 12 | # file if there are any rules that match. If you would like to lessen the number of events 13 | # generated in the error_log file, you should increase the anomaly score threshold to 14 | # something like "@gt 20". This would only generate an event in the error_log file if 15 | # there are multiple lower severity rule matches or if any 1 higher severity item matches. 16 | # 17 | # You should also set the desired disruptive action (deny, redirect, etc...). 18 | # 19 | 20 | # 21 | # -= Paranoia Level 0 (empty) =- (apply unconditionally) 22 | # 23 | 24 | # Alert and Block on High Anomaly Scores - this would block outbound data leakages 25 | # 26 | SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \ 27 | "phase:4,\ 28 | id:959100,\ 29 | tag:'anomaly-evaluation',\ 30 | t:none,\ 31 | deny,\ 32 | msg:'Outbound Anomaly Score Exceeded (Total Score: %{TX.OUTBOUND_ANOMALY_SCORE})'" 33 | 34 | 35 | 36 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:3,id:959011,nolog,pass,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" 37 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:4,id:959012,nolog,pass,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" 38 | # 39 | # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher) 40 | # 41 | 42 | 43 | 44 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:3,id:959013,nolog,pass,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" 45 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:4,id:959014,nolog,pass,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" 46 | # 47 
| # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher) 48 | # 49 | 50 | 51 | 52 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:3,id:959015,nolog,pass,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" 53 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:4,id:959016,nolog,pass,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" 54 | # 55 | # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher) 56 | # 57 | 58 | 59 | 60 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:3,id:959017,nolog,pass,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" 61 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:4,id:959018,nolog,pass,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION" 62 | # 63 | # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher) 64 | # 65 | 66 | 67 | 68 | # 69 | # -= Paranoia Levels Finished =- 70 | # 71 | SecMarker "END-RESPONSE-959-BLOCKING-EVALUATION" 72 | 73 | -------------------------------------------------------------------------------- /templates/default/RESPONSE-980-CORRELATION.conf.erb: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------ 2 | # OWASP ModSecurity Core Rule Set ver.3.0.2 3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved. 4 | # 5 | # The OWASP ModSecurity Core Rule Set is distributed under 6 | # Apache Software License (ASL) version 2 7 | # Please see the enclosed LICENSE file for full details. 8 | # ------------------------------------------------------------------------ 9 | 10 | # 11 | # This file is used in post processing after the response has been sent to 12 | # the client (in the logging phase). Its purpose is to provide inbound+outbound 13 | # correlation of events to provide a more intelligent designation as to the outcome 14 | # or result of the transaction - meaning, was this a successful attack? 
15 | # 16 | 17 | # 18 | # -= Paranoia Level 0 (empty) =- (apply unconditionally) 19 | # 20 | 21 | # 22 | # -=[ Correlated Successful Attack ]=- 23 | # 24 | SecRule &TX:'/LEAKAGE\\\/ERRORS/' "@ge 1" \ 25 | "chain,\ 26 | phase:logging,\ 27 | id:980100,\ 28 | t:none,\ 29 | log,\ 30 | pass,\ 31 | tag:'event-correlation',\ 32 | skipAfter:END_CORRELATION,\ 33 | severity:'EMERGENCY',\ 34 | msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (%{tx.inbound_tx_msg} - Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'" 35 | SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none" 36 | 37 | 38 | # 39 | # -=[ Correlated Attack Attempt ]=- 40 | # 41 | SecRule &TX:'/AVAILABILITY\\\/APP_NOT_AVAIL/' "@ge 1" \ 42 | "chain,\ 43 | phase:logging,\ 44 | id:980110,\ 45 | t:none,\ 46 | log,\ 47 | pass,\ 48 | tag:'event-correlation',\ 49 | skipAfter:END_CORRELATION,\ 50 | severity:'ALERT',\ 51 | msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})'" 52 | SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none" 53 | 54 | SecRule TX:INBOUND_ANOMALY_SCORE "@gt 0" \ 55 | "chain,\ 56 | phase:logging,\ 57 | id:980120,\ 58 | t:none,\ 59 | log,noauditlog,\ 60 | pass,\ 61 | tag:'event-correlation',\ 62 | skipAfter:END_CORRELATION,\ 63 | msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}): %{tx.inbound_tx_msg}'" 64 | SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_threshold}" 65 | 66 | SecRule TX:INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \ 67 | "phase:logging,\ 68 | id:980130,\ 69 | t:none,\ 70 | log,noauditlog,\ 71 | pass,\ 72 | tag:'event-correlation',\ 73 | msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: 
%{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): %{tx.inbound_tx_msg}'" 74 | 75 | SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \ 76 | "phase:logging,\ 77 | id:980140,\ 78 | t:none,\ 79 | log,noauditlog,\ 80 | pass,\ 81 | tag:'event-correlation',\ 82 | msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}'" 83 | 84 | SecMarker END_CORRELATION 85 | 86 | 87 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:980011,nolog,pass,skipAfter:END-RESPONSE-980-CORRELATION" 88 | SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:980012,nolog,pass,skipAfter:END-RESPONSE-980-CORRELATION" 89 | # 90 | # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher) 91 | # 92 | 93 | 94 | 95 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:980013,nolog,pass,skipAfter:END-RESPONSE-980-CORRELATION" 96 | SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:980014,nolog,pass,skipAfter:END-RESPONSE-980-CORRELATION" 97 | # 98 | # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher) 99 | # 100 | 101 | 102 | 103 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:980015,nolog,pass,skipAfter:END-RESPONSE-980-CORRELATION" 104 | SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:980016,nolog,pass,skipAfter:END-RESPONSE-980-CORRELATION" 105 | # 106 | # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher) 107 | # 108 | 109 | 110 | 111 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:980017,nolog,pass,skipAfter:END-RESPONSE-980-CORRELATION" 112 | SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:980018,nolog,pass,skipAfter:END-RESPONSE-980-CORRELATION" 113 | # 114 | # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or 
higher) 115 | # 116 | 117 | 118 | 119 | # 120 | # -= Paranoia Levels Finished =- 121 | # 122 | SecMarker "END-RESPONSE-980-CORRELATION" 123 | 124 | -------------------------------------------------------------------------------- /templates/default/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example.erb: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------ 2 | # OWASP ModSecurity Core Rule Set ver.3.0.2 3 | # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved. 4 | # 5 | # The OWASP ModSecurity Core Rule Set is distributed under 6 | # Apache Software License (ASL) version 2 7 | # Please see the enclosed LICENSE file for full details. 8 | # ------------------------------------------------------------------------ 9 | 10 | # 11 | # The purpose of this file is to hold LOCAL exceptions for your site. 12 | # The types of rules that would go into this file are ones where you want 13 | # to unconditionally disable rules or modify their actions during startup. 14 | # 15 | # Please see the file REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example 16 | # for a description of the rule exclusions mechanism and the correct 17 | # use of this file. 18 | # 19 | 20 | # 21 | # Example Exclusion Rule: To unconditionally disable a rule ID 22 | # 23 | # ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection 24 | # SecRuleRemoveById 942100 25 | 26 | # Example Exclusion Rule: Remove a group of rules 27 | # 28 | # ModSecurity Rule Exclusion: Disable PHP injection rules 29 | # SecRuleRemoveByTag "attack-injection-php" 30 | 31 | # 32 | # Example Exclusion Rule: To unconditionally remove parameter "foo" from 33 | # inspection for SQLi rules 34 | # 35 | # ModSecurity Rule Exclusion: disable sqli rules for parameter foo. 
36 | # SecRuleUpdateTargetByTag "attack-sqli" "!ARGS:foo" 37 | 38 | 39 | # -- [[ Changing the Disruptive Action for Anomaly Mode ]] -- 40 | # 41 | # In Anomaly Mode (default in CRS3), the rules in REQUEST-949-BLOCKING-EVALUATION.conf 42 | # and RESPONSE-959-BLOCKING-EVALUATION.conf check the accumulated attack scores 43 | # against your policy. To apply a disruptive action, they overwrite the default 44 | # actions specified in SecDefaultAction (setup.conf) with a 'deny' action. 45 | # This 'deny' is by default paired with a 'status:403' action. 46 | # 47 | # In order to change the disruptive action from 'deny' to something else, 48 | # you must use SecRuleUpdateActionByID directives AFTER the CRS rules 49 | # are configured, for instance in the RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf file. 50 | # 51 | # These actions only apply when using Anomaly Mode. 52 | # 53 | # Default action: block with error 403 54 | # (No configuration needed in this file if you want the default behavior.) 55 | # 56 | 57 | # Example: redirect back to the homepage on blocking 58 | # 59 | # SecRuleUpdateActionById 949110 "t:none,redirect:'http://%{request_headers.host}/'" 60 | # SecRuleUpdateActionById 959100 "t:none,redirect:'http://%{request_headers.host}/'" 61 | 62 | # Example: redirect to another URL on blocking 63 | # 64 | # SecRuleUpdateActionById 949110 "t:none,redirect:'http://example.com/report_problem'" 65 | # SecRuleUpdateActionById 959100 "t:none,redirect:'http://example.com/report_problem'" 66 | 67 | # Example: send an error 404 68 | # 69 | # SecRuleUpdateActionById 949110 "t:none,deny,status:404" 70 | # SecRuleUpdateActionById 959100 "t:none,deny,status:404" 71 | 72 | # Example: drop the connection (best for DoS attacks) 73 | # 74 | # SecRuleUpdateActionById 949110 "t:none,drop" 75 | # SecRuleUpdateActionById 959100 "t:none,drop" 76 | -------------------------------------------------------------------------------- /templates/default/crawlers-user-agents.data.erb: 
-------------------------------------------------------------------------------- 1 | # Search engine crawlers and other bots 2 | 3 | # site ripper 4 | # http://www.softbytelabs.com/en/BlackWidow/ 5 | black widow 6 | blackwidow 7 | # crawler 8 | # 2006 9 | prowebwalker 10 | # generic crawler 11 | pymills-spider/ 12 | # SEO 13 | # https://ahrefs.com/robot 14 | AhrefsBot 15 | # people database 16 | # https://pipl.com/bot/ 17 | PiplBot 18 | # advertising targeting 19 | # https://www.grapeshot.com/crawler/ 20 | GrapeshotCrawler/2.0 21 | grapeFX 22 | # SEO 23 | # http://www.searchmetrics.com/searchmetricsbot/ 24 | SearchmetricsBot 25 | # SEO 26 | # https://moz.com/help/guides/moz-procedures/what-is-rogerbot 27 | rogerbot 28 | # SEO 29 | # http://www.majestic12.co.uk/projects/dsearch/mj12bot.php 30 | MJ12bot 31 | # news service 32 | Owlin bot 33 | # misbehaving spider 34 | Lingewoud-550-Spyder 35 | -------------------------------------------------------------------------------- /templates/default/fastly_test_rules.conf.erb: -------------------------------------------------------------------------------- 1 | # 2 | # Define something that can be easily tested just to make sure the engine 3 | # is running and the rules are being loaded properly (and functioning). 
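#
# Smoke-test rule: deny any request whose method is not exactly POST or GET.
# The pattern is anchored at both ends so a method that merely begins with
# POST/GET (e.g. with trailing characters) is rejected too, and the action
# list is terminated with a closing quote so the directive parses as a
# single argument; the original ended in "deny," with no closing quote.
SecRule REQUEST_METHOD "!@rx ^(?:POST|GET)$" \
    "msg:'WAF testing: something other than POST/GET was used',\
    id:343432,\
    phase:1,\
    logdata:'WAF testing: Got unauthorized method: %{REQUEST_METHOD}',\
    deny"

-------------------------------------------------------------------------------- /templates/default/headers.conf.erb: -------------------------------------------------------------------------------- 1 | 2 | Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform" 3 | Header set Pragma "no-cache" 4 | 5 | -------------------------------------------------------------------------------- /templates/default/iis-errors.data.erb: -------------------------------------------------------------------------------- 1 |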

HTTP 403.6 - Forbidden: IP address rejected
2 | 500 Internal Server Error 3 | Microsoft VBScript runtime (0x8 4 | error '800 5 | Application uses a value of the wrong type for the current operation 6 | Microsoft VBScript compilation (0x8 7 | Microsoft VBScript compilation error 8 | Microsoft .NET Framework Version: 9 | A trappable error occurred in an external object. The script cannot continue running 10 | Microsoft VBScript runtime Error 11 | >Syntax error in string in query expression 12 | ADODB.Command 13 | Object required: ' 14 | -------------------------------------------------------------------------------- /templates/default/index.html.erb: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | WAF Test Page 5 |

Testing Site

6 |
 7 |           Nothing to see here.
 8 |         
9 | 10 | 11 | -------------------------------------------------------------------------------- /templates/default/java-code-leakages.data.erb: -------------------------------------------------------------------------------- 1 | 9 | 10 | 11 | # -- Request body handling --------------------------------------------------- 12 | 13 | # Allow ModSecurity to access request bodies. If you don't, ModSecurity 14 | # won't be able to see any POST parameters, which opens a large security 15 | # hole for attackers to exploit. 16 | # 17 | SecRequestBodyAccess On 18 | 19 | 20 | # Enable XML request body parser. 21 | # Initiate XML Processor in case of xml content-type 22 | # 23 | SecRule REQUEST_HEADERS:Content-Type "text/xml" \ 24 | "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" 25 | 26 | 27 | # Maximum request body size we will accept for buffering. If you support 28 | # file uploads then the value given on the first line has to be as large 29 | # as the largest file you are willing to accept. The second value refers 30 | # to the size of data, with files excluded. You want to keep that value as 31 | # low as practical. 32 | # 33 | SecRequestBodyLimit 13107200 34 | SecRequestBodyNoFilesLimit 131072 35 | 36 | # Store up to 128 KB of request body data in memory. When the multipart 37 | # parser reaches this limit, it will start using your hard disk for 38 | # storage. That is slow, but unavoidable. 39 | # 40 | SecRequestBodyInMemoryLimit 131072 41 | 42 | # What to do if the request body size is above our configured limit. 43 | # Keep in mind that this setting will automatically be set to ProcessPartial 44 | # when SecRuleEngine is set to DetectionOnly mode in order to minimize 45 | # disruptions when initially deploying ModSecurity. 46 | # 47 | SecRequestBodyLimitAction Reject 48 | 49 | # Verify that we've correctly processed the request body. 
50 | # As a rule of thumb, when failing to process a request body 51 | # you should reject the request (when deployed in blocking mode) 52 | # or log a high-severity alert (when deployed in detection-only mode). 53 | # 54 | SecRule REQBODY_ERROR "!@eq 0" \ 55 | "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2" 56 | 57 | # By default be strict with what we accept in the multipart/form-data 58 | # request body. If the rule below proves to be too strict for your 59 | # environment consider changing it to detection-only. You are encouraged 60 | # _not_ to remove it altogether. 61 | # 62 | SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ 63 | "id:'200002',phase:2,t:none,log,deny,status:44, \ 64 | msg:'Multipart request body failed strict validation: \ 65 | PE %{REQBODY_PROCESSOR_ERROR}, \ 66 | BQ %{MULTIPART_BOUNDARY_QUOTED}, \ 67 | BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ 68 | DB %{MULTIPART_DATA_BEFORE}, \ 69 | DA %{MULTIPART_DATA_AFTER}, \ 70 | HF %{MULTIPART_HEADER_FOLDING}, \ 71 | LF %{MULTIPART_LF_LINE}, \ 72 | SM %{MULTIPART_MISSING_SEMICOLON}, \ 73 | IQ %{MULTIPART_INVALID_QUOTING}, \ 74 | IP %{MULTIPART_INVALID_PART}, \ 75 | IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ 76 | FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'" 77 | 78 | # Did we see anything that might be a boundary? 79 | # 80 | SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ 81 | "id:'200003',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'" 82 | 83 | # PCRE Tuning 84 | # We want to avoid a potential RegEx DoS condition 85 | # 86 | SecPcreMatchLimit 1000 87 | SecPcreMatchLimitRecursion 1000 88 | 89 | # Some internal errors will set flags in TX and we will need to look for these. 90 | # All of these are prefixed with "MSC_". The following flags currently exist: 91 | # 92 | # MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded. 
93 | # 94 | SecRule TX:/^MSC_/ "!@streq 0" \ 95 | "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'" 96 | 97 | 98 | # -- Response body handling -------------------------------------------------- 99 | 100 | # Allow ModSecurity to access response bodies. 101 | # You should have this directive enabled in order to identify errors 102 | # and data leakage issues. 103 | # 104 | # Do keep in mind that enabling this directive does increase both 105 | # memory consumption and response latency. 106 | # 107 | SecResponseBodyAccess On 108 | 109 | # Which response MIME types do you want to inspect? You should adjust the 110 | # configuration below to catch documents but avoid static files 111 | # (e.g., images and archives). 112 | # 113 | SecResponseBodyMimeType text/plain text/html text/xml 114 | 115 | # Buffer response bodies of up to 512 KB in length. 116 | SecResponseBodyLimit 524288 117 | 118 | # What happens when we encounter a response body larger than the configured 119 | # limit? By default, we process what we have and let the rest through. 120 | # That's somewhat less secure, but does not break any legitimate pages. 121 | # 122 | SecResponseBodyLimitAction ProcessPartial 123 | 124 | 125 | # -- Filesystem configuration ------------------------------------------------ 126 | 127 | # The location where ModSecurity stores temporary files (for example, when 128 | # it needs to handle a file upload that is larger than the configured limit). 129 | # 130 | # This default setting is chosen because all systems have /tmp available; however, 131 | # this is less than ideal. It is recommended that you specify a location that's private. 132 | # 133 | SecTmpDir /tmp/ 134 | 135 | # The location where ModSecurity will keep its persistent data. This default setting 136 | # is chosen because all systems have /tmp available; however, it 137 | # too should be updated to a place that other users can't access. 
138 | # 139 | SecDataDir /tmp/ 140 | 141 | 142 | # -- File uploads handling configuration ------------------------------------- 143 | 144 | # The location where ModSecurity stores intercepted uploaded files. This 145 | # location must be private to ModSecurity. You don't want other users on 146 | # the server to access the files, do you? 147 | # 148 | #SecUploadDir /opt/modsecurity/var/upload/ 149 | 150 | # By default, only keep the files that were determined to be unusual 151 | # in some way (by an external inspection script). For this to work you 152 | # will also need at least one file inspection rule. 153 | # 154 | #SecUploadKeepFiles RelevantOnly 155 | 156 | # Uploaded files are by default created with permissions that do not allow 157 | # any other user to access them. You may need to relax that if you want to 158 | # interface ModSecurity to an external program (e.g., an anti-virus). 159 | # 160 | #SecUploadFileMode 0600 161 | 162 | 163 | # -- Debug log configuration ------------------------------------------------- 164 | 165 | # The default debug log configuration is to duplicate the error, warning 166 | # and notice messages from the error log. 167 | # 168 | #SecDebugLog /opt/modsecurity/var/log/debug.log 169 | #SecDebugLogLevel 3 170 | 171 | 172 | # -- Audit log configuration ------------------------------------------------- 173 | 174 | # Log the transactions that are marked by a rule, as well as those that 175 | # trigger a server error (determined by a 5xx or 4xx, excluding 404, 176 | # level response status codes). 177 | # 178 | SecAuditEngine RelevantOnly 179 | SecAuditLogRelevantStatus "^(?:5|4(?!04))" 180 | 181 | # Log everything we know about a transaction. 182 | SecAuditLogParts ABIJDEFHZ 183 | 184 | # Use a single file for logging. This is much easier to look at, but 185 | # assumes that you will use the audit log only occasionally. 
186 | # 187 | SecAuditLogType Serial 188 | SecAuditLog /var/log/apache2/modsec_audit.log 189 | 190 | # Specify the path for concurrent audit logging. 191 | #SecAuditLogStorageDir /opt/modsecurity/var/audit/ 192 | 193 | 194 | # -- Miscellaneous ----------------------------------------------------------- 195 | 196 | # Use the most commonly used application/x-www-form-urlencoded parameter 197 | # separator. There's probably only one application somewhere that uses 198 | # something else so don't expect to change this value. 199 | # 200 | SecArgumentSeparator & 201 | 202 | # Settle on version 0 (zero) cookies, as that is what most applications 203 | # use. Using an incorrect cookie version may open your installation to 204 | # evasion attacks (against the rules that examine named cookies). 205 | # 206 | SecCookieFormat 0 207 | 208 | # Specify your Unicode Code Point. 209 | # This mapping is used by the t:urlDecodeUni transformation function 210 | # to properly map encoded data to your language. Properly setting 211 | # these directives helps to reduce false positives and negatives. 
212 | # 213 | SecUnicodeMapFile /etc/modsecurity/unicode.mapping 20127 214 | IncludeOptional "/etc/modsecurity/*.conf" 215 | SecAction "phase:1,t:none,nolog,pass,\ 216 | id:23423423423,\ 217 | setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1',\ 218 | setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'," 219 | -------------------------------------------------------------------------------- /templates/default/php-config-directives.data.erb: -------------------------------------------------------------------------------- 1 | allow_call_time_pass_reference 2 | allow_url_fopen 3 | allow_url_include 4 | always_populate_raw_post_data 5 | arg_separator.input 6 | arg_separator.output 7 | asp_tags 8 | assert.active 9 | assert.bail 10 | assert.callback 11 | assert.quiet_eval 12 | assert.warning 13 | auto_append_file 14 | auto_detect_line_endings 15 | auto_globals_jit 16 | auto_prepend_file 17 | bcmath.scale 18 | birdstep.max_links 19 | browscap 20 | cgi.fix_pathinfo 21 | cgi.force_redirect 22 | cgi.nph 23 | cgi.redirect_status_env 24 | cgi.rfc2616_headers 25 | com.allow_dcom 26 | com.autoregister_casesensitive 27 | com.autoregister_typelib 28 | com.autoregister_verbose 29 | com.code_page 30 | com.typelib_file 31 | date.default_latitude 32 | date.default_longitude 33 | date.sunrise_zenith 34 | date.sunset_zenith 35 | date.timezone 36 | dba.default_handler 37 | default_charset 38 | default_mimetype 39 | default_socket_timeout 40 | define_syslog_variables 41 | disable_classes 42 | disable_functions 43 | display_errors 44 | display_startup_errors 45 | doc_root 46 | docref_ext 47 | docref_root 48 | enable_dl 49 | error_append_string 50 | error_log 51 | error_prepend_string 52 | error_reporting 53 | exif.decode_jis_intel 54 | exif.decode_jis_motorola 55 | exif.decode_unicode_intel 56 | exif.decode_unicode_motorola 57 | exif.encode_jis 58 | exif.encode_unicode 59 | expose_php 60 | extension_dir 61 | fastcgi.impersonate 62 | fastcgi.logging 63 | file_uploads 64 | 
filter.default 65 | filter.default_flags 66 | gd.jpeg_ignore_warning 67 | highlight.bg 68 | highlight.comment 69 | highlight.default 70 | highlight.html 71 | highlight.keyword 72 | highlight.string 73 | html_errors 74 | ibase.allow_persistent 75 | ibase.dateformat 76 | ibase.default_charset 77 | ibase.default_db 78 | ibase.default_password 79 | ibase.default_user 80 | ibase.max_links 81 | ibase.max_persistent 82 | ibase.timeformat 83 | ibase.timestampformat 84 | iconv.input_encoding 85 | iconv.internal_encoding 86 | iconv.output_encoding 87 | ignore_repeated_errors 88 | ignore_repeated_source 89 | ignore_user_abort 90 | implicit_flush 91 | include_path 92 | intl.default_locale 93 | intl.error_level 94 | ldap.max_links 95 | log_errors 96 | log_errors_max_len 97 | magic_quotes_gpc 98 | magic_quotes_runtime 99 | magic_quotes_sybase 100 | mail.add_x_header 101 | mail.force_extra_parameters 102 | mail.log 103 | max_execution_time 104 | max_file_uploads 105 | max_input_nesting_level 106 | max_input_time 107 | mbstring.detect_order 108 | mbstring.encoding_translation 109 | mbstring.func_overload 110 | mbstring.http_input 111 | mbstring.http_output 112 | mbstring.http_output_conv_mimetype 113 | mbstring.internal_encoding 114 | mbstring.language 115 | mbstring.script_encoding 116 | mbstring.strict_detection 117 | mbstring.substitute_character 118 | mcrypt.algorithms_dir 119 | mcrypt.modes_dir 120 | memory_limit 121 | mssql.allow_persistent 122 | mssql.batchsize 123 | mssql.charset 124 | mssql.compatability_mode 125 | mssql.connect_timeout 126 | mssql.datetimeconvert 127 | mssql.max_links 128 | mssql.max_persistent 129 | mssql.max_procs 130 | mssql.min_error_severity 131 | mssql.min_message_severity 132 | mssql.secure_connection 133 | mssql.textlimit 134 | mssql.textsize 135 | mssql.timeout 136 | mysql.allow_local_infile 137 | mysql.allow_persistent 138 | mysql.cache_size 139 | mysql.connect_timeout 140 | mysql.default_host 141 | mysql.default_password 142 | 
mysql.default_port 143 | mysql.default_socket 144 | mysql.default_user 145 | mysql.max_links 146 | mysql.max_persistent 147 | mysql.trace_mode 148 | mysqli.allow_local_infile 149 | mysqli.allow_persistent 150 | mysqli.cache_size 151 | mysqli.default_host 152 | mysqli.default_port 153 | mysqli.default_pw 154 | mysqli.default_socket 155 | mysqli.default_user 156 | mysqli.max_links 157 | mysqli.max_persistent 158 | mysqli.reconnect 159 | mysqlnd.collect_memory_statistics 160 | mysqlnd.collect_statistics 161 | mysqlnd.net_cmd_buffer_size 162 | mysqlnd.net_read_buffer_size 163 | oci8.connection_class 164 | oci8.default_prefetch 165 | oci8.events 166 | oci8.max_persistent 167 | oci8.old_oci_close_semantics 168 | oci8.persistent_timeout 169 | oci8.ping_interval 170 | oci8.privileged_connect 171 | oci8.statement_cache_size 172 | odbc.allow_persistent 173 | odbc.check_persistent 174 | odbc.default_db 175 | odbc.default_pw 176 | odbc.default_user 177 | odbc.defaultbinmode 178 | odbc.defaultlrl 179 | odbc.max_links 180 | odbc.max_persistent 181 | open_basedir 182 | output_buffering 183 | output_handler 184 | pcre.backtrack_limit 185 | pcre.recursion_limit 186 | pdo_mysql.cache_size 187 | pdo_mysql.default_socket 188 | pdo_odbc.connection_pooling 189 | pgsql.allow_persistent 190 | pgsql.auto_reset_persistent 191 | pgsql.ignore_notice 192 | pgsql.log_notice 193 | pgsql.max_links 194 | pgsql.max_persistent 195 | phar.cache_list 196 | phar.readonly 197 | phar.require_hash 198 | post_max_size 199 | realpath_cache_size 200 | realpath_cache_ttl 201 | register_argc_argv 202 | register_globals 203 | register_long_arrays 204 | report_memleaks 205 | report_zend_debug 206 | request_order 207 | safe_mode 208 | safe_mode_allowed_env_vars 209 | safe_mode_exec_dir 210 | safe_mode_gid 211 | safe_mode_include_dir 212 | safe_mode_protected_env_vars 213 | sendmail_from 214 | sendmail_path 215 | serialize_precision 216 | session.auto_start 217 | session.bug_compat_42 218 | session.bug_compat_warn 
219 | session.cache_expire 220 | session.cache_limiter 221 | session.cookie_domain 222 | session.cookie_httponly 223 | session.cookie_lifetime 224 | session.cookie_path 225 | session.cookie_secure 226 | session.entropy_file 227 | session.entropy_length 228 | session.gc_divisor 229 | session.gc_maxlifetime 230 | session.gc_probability 231 | session.hash_bits_per_character 232 | session.hash_function 233 | session.name 234 | session.referer_check 235 | session.save_handler 236 | session.save_path 237 | session.serialize_handler 238 | session.use_cookies 239 | session.use_only_cookies 240 | session.use_trans_sid 241 | short_open_tag 242 | soap.wsdl_cache_dir 243 | soap.wsdl_cache_enabled 244 | soap.wsdl_cache_limit 245 | soap.wsdl_cache_ttl 246 | sql.safe_mode 247 | sqlite.assoc_case 248 | sqlite3.extension_dir 249 | sybct.allow_persistent 250 | sybct.deadlock_retry_count 251 | sybct.hostname 252 | sybct.login_timeout 253 | sybct.max_links 254 | sybct.max_persistent 255 | sybct.min_client_severity 256 | sybct.min_server_severity 257 | sybct.timeout 258 | sysvshm.init_mem 259 | tidy.clean_output 260 | tidy.default_config 261 | track_errors 262 | unserialize_callback_func 263 | upload_max_filesize 264 | upload_tmp_dir 265 | url_rewriter.tags 266 | user_agent 267 | user_dir 268 | user_ini.cache_ttl 269 | user_ini.filename 270 | variables_order 271 | xmlrpc_error_number 272 | xmlrpc_errors 273 | y2k_compliance 274 | zlib.output_compression 275 | zlib.output_compression_level 276 | zlib.output_handler 277 | -------------------------------------------------------------------------------- /templates/default/php-errors.data.erb: -------------------------------------------------------------------------------- 1 | Warning: 2 | No row with the given identifier 3 | open_basedir restriction in effect 4 | eval()'d code
on line 5 | Cannot execute a blank command in 6 | Fatal error: preg_replace 7 | thrown in 8 | #0 {main} 9 | Stack trace: 10 | on line 11 | () cannot be called statically 12 | - not a Class::Method 13 | ::__toString() must not throw an exception 14 | Access to undeclared static property: 15 | An iterator cannot be used with foreach by reference 16 | Array callback has to contain indices 0 and 1 17 | Arrived at end of main loop which shouldn't happen 18 | Attempt to destruct pending exception 19 | Attempt to unset static property 20 | Balloc() allocation exceeds list boundary 21 | Balloc() failed to allocate memory 22 | Base lambda function for closure not found 23 | Call to a member function 24 | Call to private 25 | Call to protected 26 | Call to undefined function 27 | Call to undefined method 28 | Can only throw objects 29 | Cannot access empty property 30 | Cannot access parent:: when current class scope has no parent 31 | Cannot access parent:: when no class scope is active 32 | Cannot access property started with '\\0' 33 | Cannot access self:: when no class scope is active 34 | Cannot access static:: when no class scope is active 35 | Cannot access undefined property for object with overloaded property access 36 | Cannot assign by reference to overloaded object 37 | Cannot break/continue %d level%s 38 | Cannot call abstract method 39 | Cannot call constructor 40 | Cannot call forward_static_call() when no class scope is active 41 | Cannot call non static method 42 | Cannot call overloaded function for non-object 43 | Cannot call private 44 | Cannot create references to/from string offsets 45 | Cannot create references to/from string offsets nor overloaded objects 46 | Cannot declare self-referencing constant 47 | Cannot destroy active lambda function 48 | Cannot get arguments for 49 | Cannot increment/decrement overloaded objects nor string offsets 50 | Cannot instantiate abstract class 51 | Cannot instantiate interface 52 | Cannot instantiate trait 53 | 
Cannot override final 54 | Cannot pass parameter 55 | Cannot redeclare 56 | Cannot redeclare class 57 | Cannot register a reverse output handler conflict outside of MINIT 58 | Cannot register an output handler alias outside of MINIT 59 | Cannot register an output handler conflict outside of MINIT 60 | Cannot resume an already running generator 61 | Cannot return string offsets by reference 62 | Cannot set non exception as previous exception 63 | Cannot unset string offsets 64 | Cannot use [] for reading 65 | Cannot use assign-op operators with overloaded objects nor string offsets 66 | Cannot use object as array 67 | Cannot use object of type 68 | Cannot use string offset as an array 69 | Cannot use string offset as an object 70 | Cannot yield from finally in a force-closed generator 71 | Cannot yield string offsets by reference 72 | Class entry requested for an object without PHP class 73 | Class name must be a valid object or a string 74 | Corrupted fcall_info provided to zend_call_function() 75 | DCOM has been disabled by your administrator [com.allow_dcom=0] 76 | DateFormat class not defined 77 | DateTimeInterface can't be implemented by user classes 78 | EXTREMELY fatal error: jmpbuf unrecoverable; terminating 79 | EXTREMELY fatal error: jmpbuf unrecoverable; terminating. 
80 | EXTREMELY fatal error: longjmp returned control; terminating 81 | Encoding: '*' may only be first arraySize value in list 82 | Encoding: Attribute 83 | Encoding: Can't decode apache map, missing key 84 | Encoding: Can't decode apache map, missing value 85 | Encoding: Can't decode apache map, only Strings or Longs are allowd as keys 86 | Encoding: Cannot find encoding 87 | Encoding: Element 88 | Encoding: Error calling from_xml callback 89 | Encoding: Error calling to_xml callback 90 | Encoding: External reference 91 | Encoding: Internal Error 92 | Encoding: Invalid timestamp 93 | Encoding: SoapVar has no 'enc_type' property 94 | Encoding: Unresolved reference 95 | Encoding: Violation of encoding rules 96 | Encoding: Violation of id and ref information items 97 | Encoding: object has no ' 98 | Encoding: object has no 'any' property 99 | Encoding: string ' 100 | Error installing signal handler for 101 | Exception thrown without a stack frame 102 | Exceptions must be valid objects derived from the Exception base class 103 | Failed to clone SpoofChecker object 104 | Failed to register IntlDateFormatter class 105 | Failed to register MessageFormatter class 106 | Failed to register NumberFormatter class 107 | Failed to register ResourceBundle class 108 | Field width %d is too long 109 | First array member is not a valid class name or object 110 | Function name must be a string 111 | Illegal length modifier specified 112 | Illegal offset type 113 | Input string is too long 114 | Invalid RelaxNG Validation Context 115 | Invalid Schema Validation Context 116 | Invalid opcode 117 | Invalid serialization data for DatePeriod object 118 | Invalid serialization data for DateTime object 119 | Invalid serialization data for DateTimeImmutable object 120 | Maximum execution time of 121 | Method name must be a string 122 | Need to supply an object when throwing an exception 123 | Nesting level too deep - recursive dependency? 
124 | NumberFormatter class not defined 125 | Object does not support method calls 126 | Only variables can be passed by reference 127 | PDO: driver 128 | Parsing Schema: or expected in complexContent 129 | Parsing Schema: attribute 130 | Parsing Schema: attribute has both 'ref' and 'type' attributes 131 | Parsing Schema: attribute has both 'ref' attribute and subtype 132 | Parsing Schema: attribute has both 'type' attribute and subtype 133 | Parsing Schema: attribute has no 'name' nor 'ref' attributes 134 | Parsing Schema: attributeGroup 135 | Parsing Schema: attributeGroup has both 'ref' attribute and subattribute 136 | Parsing Schema: attributeGroup has no 'name' nor 'ref' attributes 137 | Parsing Schema: can't import schema from 138 | Parsing Schema: complexType has no 'name' attribute 139 | Parsing Schema: element has both 'default' and 'fixed' attributes 140 | Parsing Schema: element has both 'itemType' attribute and subtype 141 | Parsing Schema: element has both 'ref' and 'fixed' attributes 142 | Parsing Schema: element has both 'ref' and 'nillable' attributes 143 | Parsing Schema: element has both 'ref' and 'type' attributes 144 | Parsing Schema: element has both 'ref' attribute and subtype 145 | Parsing Schema: element has both 'type' attribute and subtype 146 | Parsing Schema: element has no 'name' nor 'ref' attributes 147 | Parsing Schema: expected or in simpleContent 148 | Parsing Schema: expected , or in simpleType 149 | Parsing Schema: extension has no 'base' attribute 150 | Parsing Schema: group has both 'ref' attribute and subcontent 151 | Parsing Schema: group has no 'name' nor 'ref' attributes 152 | Parsing Schema: include has no 'schemaLocation' attribute 153 | Parsing Schema: missing restriction value 154 | Parsing Schema: redefine has no 'schemaLocation' attribute 155 | Parsing Schema: restriction has no 'base' attribute 156 | Parsing Schema: simpleType has no 'name' attribute 157 | Parsing Schema: unexpected 158 | Parsing Schema: unresolved 
element 'ref' attribute 159 | Parsing Schema: unresolved group 'ref' attribute 160 | Parsing WSDL: 161 | Parsing WSDL: has no name attribute 162 | Parsing WSDL: with name 163 | Parsing WSDL: has no name attribute 164 | Parsing WSDL: 165 | Parsing WSDL: has no name attribute 166 | Parsing WSDL: 167 | Parsing WSDL: has no name attribute 168 | Parsing WSDL: Could not find any usable binding services in WSDL. 169 | Parsing WSDL: Couldn't bind to service 170 | Parsing WSDL: Couldn't find in 171 | Parsing WSDL: Couldn't load from 172 | Parsing WSDL: Missing 'name' attribute for 173 | Parsing WSDL: Missing 'name' attribute for 174 | Parsing WSDL: Missing 'type' attribute for 175 | Parsing WSDL: Missing with name 176 | Parsing WSDL: Missing with name 177 | Parsing WSDL: Missing / with name 178 | Parsing WSDL: Missing message attribute for
179 | Parsing WSDL: Missing name for of 180 | Parsing WSDL: Missing name for of 181 | Parsing WSDL: Missing name for of 182 | Parsing WSDL: Missing part '%s' in 183 | Parsing WSDL: Missing part attribute for
184 | Parsing WSDL: No element with name 185 | Parsing WSDL: No address associated with 186 | Parsing WSDL: No binding associated with 187 | Parsing WSDL: No location associated with 188 | Parsing WSDL: No name associated with 189 | Parsing WSDL: The fault message 190 | Parsing WSDL: Unexpected WSDL element < 191 | Parsing WSDL: Unexpected extensibility element < 192 | Parsing WSDL: Unknown encodingStyle ' 193 | Parsing WSDL: Unknown required WSDL extension ' 194 | Parsing WSDL: Unspecified encodingStyle 195 | Possible integer overflow in memory allocation ( 196 | Second array member is not a valid method 197 | Spoofchecker class not defined 198 | String size overflow 199 | The object to be iterated is in an invalid state: " 200 | Trying to clone an uncloneable object 201 | Trying to clone an uncloneable object of class 202 | Unable to call 203 | Unable to cast node to string 204 | Undefined class constant ' 205 | Undefined constant ' 206 | Undefined offset for object of type 207 | Unexpected inconsistency in create_function() 208 | Unknown SOAP version 209 | Unknown typehint 210 | Unsupported operand types 211 | Using $this when not in object context 212 | Wrong parameters for ErrorException( 213 | Wrong parameters for Exception( 214 | You MUST load PDO before loading any PDO drivers 215 | [] operator not supported for strings 216 | and must therefore be declared abstract or implement the remaining methods 217 | namespace must not match the enclosing schema 'targetNamespace' 218 | requires PDO API version 219 | -------------------------------------------------------------------------------- /templates/default/php-function-names-933150.data.erb: -------------------------------------------------------------------------------- 1 | __halt_compiler 2 | apache_child_terminate 3 | base64_decode 4 | bzdecompress 5 | call_user_func 6 | call_user_func_array 7 | call_user_method 8 | call_user_method_array 9 | convert_uudecode 10 | file_get_contents 11 | file_put_contents 12 
| fsockopen 13 | gzdecode 14 | gzinflate 15 | gzuncompress 16 | include_once 17 | invokeargs 18 | pcntl_exec 19 | pcntl_fork 20 | pfsockopen 21 | posix_getcwd 22 | posix_getpwuid 23 | posix_getuid 24 | posix_uname 25 | ReflectionFunction 26 | require_once 27 | shell_exec 28 | str_rot13 29 | sys_get_temp_dir 30 | wp_remote_fopen 31 | wp_remote_get 32 | wp_remote_head 33 | wp_remote_post 34 | wp_remote_request 35 | wp_safe_remote_get 36 | wp_safe_remote_head 37 | wp_safe_remote_post 38 | wp_safe_remote_request 39 | zlib_decode 40 | -------------------------------------------------------------------------------- /templates/default/php-variables.data.erb: -------------------------------------------------------------------------------- 1 | $GLOBALS 2 | $HTTP_COOKIE_VARS 3 | $HTTP_ENV_VARS 4 | $HTTP_GET_VARS 5 | $HTTP_POST_FILES 6 | $HTTP_POST_VARS 7 | $HTTP_RAW_POST_DATA 8 | $HTTP_REQUEST_VARS 9 | $HTTP_SERVER_VARS 10 | $_COOKIE 11 | $_ENV 12 | $_FILES 13 | $_GET 14 | $_POST 15 | $_REQUEST 16 | $_SERVER 17 | $_SESSION 18 | $argc 19 | $argv 20 | -------------------------------------------------------------------------------- /templates/default/ports.conf.erb: -------------------------------------------------------------------------------- 1 | Listen 0.0.0.0:443 2 | -------------------------------------------------------------------------------- /templates/default/restricted-files.data.erb: -------------------------------------------------------------------------------- 1 | # Apache 2 | # (no slash; also guards against old.htaccess, old.htpasswd, etc.) 
3 | .htaccess 4 | .htdigest 5 | .htpasswd 6 | # Version control 7 | /.git/ 8 | /.gitignore 9 | /.hg/ 10 | /.hgignore 11 | /.svn/ 12 | # Wordpress 13 | wp-config.php 14 | wp-config.bak 15 | wp-config.old 16 | wp-config.temp 17 | wp-config.tmp 18 | wp-config.txt 19 | # Symfony 20 | /config/config.yml 21 | /config/config_dev.yml 22 | /config/config_prod.yml 23 | /config/config_test.yml 24 | /config/parameters.yml 25 | /config/routing.yml 26 | /config/security.yml 27 | /config/services.yml 28 | # Drupal 29 | /sites/default/default.settings.php 30 | /sites/default/settings.php 31 | # Magento 32 | /app/etc/local.xml 33 | # Sublime Text 34 | /sftp-config.json 35 | # ASP.NET 36 | /Web.config 37 | # Node 38 | /gruntfile.js 39 | /npm-debug.log 40 | # Composer 41 | /composer.json 42 | /composer.lock 43 | /packages.json 44 | # dotenv 45 | /.env 46 | -------------------------------------------------------------------------------- /templates/default/scanners-headers.data.erb: -------------------------------------------------------------------------------- 1 | acunetix-product 2 | (acunetix web vulnerability scanner 3 | acunetix-scanning-agreement 4 | acunetix-user-agreement 5 | myvar=1234 6 | x-ratproxy-loop 7 | bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14 8 | x-scanner 9 | -------------------------------------------------------------------------------- /templates/default/scanners-urls.data.erb: -------------------------------------------------------------------------------- 1 | /.adSensepostnottherenonobook 2 | /hello.html 3 | /actSensepostnottherenonotive 4 | /acunetix-wvs-test-for-some-inexistent-file 5 | /antidisestablishmentarianism 6 | /appscan_fingerprint/mac_address 7 | /arachni- 8 | /cybercop 9 | /nessus_is_probing_you_ 10 | /nessustest 11 | /netsparker- 12 | /rfiinc.txt 13 | /thereisnowaythat-you-canbethere 14 | /w3af/remotefileinclude.html 15 | appscan_fingerprint 16 | w00tw00t.at.ISC.SANS.DFind 17 | w00tw00t.at.blackhats.romanian.anti-sec 
18 | -------------------------------------------------------------------------------- /templates/default/scanners-user-agents.data.erb: -------------------------------------------------------------------------------- 1 | # Vulnerability scanners, bruteforce password crackers and exploitation tools 2 | 3 | # password cracker 4 | # http://sectools.org/tool/hydra/ 5 | (hydra) 6 | # vuln scanner 7 | # http://virtualblueness.net/nasl.html 8 | .nasl 9 | # sql injection 10 | # https://sourceforge.net/projects/absinthe/ 11 | absinthe 12 | # email harvesting 13 | # dead? 2004 14 | advanced email extractor 15 | # vuln scanner 16 | # http://www.arachni-scanner.com/ 17 | arachni/ 18 | # 19 | autogetcontent 20 | # nessus frontend 21 | # http://www.crossley-nilsen.com/Linux/Bilbo_-_Nessus_WEB/bilbo_-_nessus_web.html 22 | # dead? 2003 23 | bilbo 24 | # Backup File Artifacts Checker 25 | # https://github.com/mazen160/bfac 26 | BFAC 27 | # password cracker 28 | # http://sectools.org/tool/brutus/ 29 | brutus 30 | brutus/aet 31 | # sql injection 32 | # https://www.notsosecure.com/bsqlbf-v2-blind-sql-injection-brute-forcer/ 33 | bsqlbf 34 | # vuln scanner 35 | # http://freecode.com/projects/cgichk dead? 2001 36 | cgichk 37 | # vuln scanner 38 | # https://sourceforge.net/projects/cisco-torch/ 39 | cisco-torch 40 | # vuln scanner 41 | # https://github.com/stasinopoulos/commix 42 | commix 43 | # MS FrontPage vuln scanner? 44 | core-project/1.0 45 | # vuln scanner? 46 | crimscanner/ 47 | # vuln scanner 48 | datacha0s 49 | # hidden page scanner 50 | # https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project 51 | dirbuster 52 | # vuln scanner 53 | # https://sourceforge.net/projects/dominohunter/ 54 | domino hunter 55 | # vuln scanner - directory traversal fuzzer 56 | # https://github.com/wireghoul/dotdotpwn 57 | dotdotpwn 58 | # 59 | # 60 | email extractor 61 | # vuln scanner 62 | fhscan core 1. 
63 | # 64 | floodgate 65 | # 66 | get-minimal 67 | # vuln scanner 68 | gootkit auto-rooter scanner 69 | # 70 | grabber 71 | # vuln scanner 72 | # https://sourceforge.net/projects/grendel/ 73 | grendel-scan 74 | # sql injection 75 | havij 76 | # vuln scanner - path disclosure finder 77 | # http://seclists.org/fulldisclosure/2010/Sep/375 78 | inspath 79 | # 80 | internet ninja 81 | # vuln scanner 82 | jaascois 83 | # vuln scanner 84 | zmeu 85 | # port scanner 86 | # https://github.com/robertdavidgraham/masscan 87 | masscan 88 | # vuln scanner 89 | # http://www.severus.org/sacha/metis/ 90 | metis 91 | # vuln scanner 92 | morfeus fucking scanner 93 | # sql injection 94 | # https://github.com/dtrip/mysqloit 95 | mysqloit 96 | # vuln scanner 97 | # http://www.nstalker.com/ 98 | n-stealth 99 | # vuln scanner 100 | # http://www.tenable.com/products/nessus-vulnerability-scanner 101 | nessus 102 | # vuln scanner 103 | # https://www.netsparker.com/web-vulnerability-scanner/ 104 | netsparker 105 | # vuln scanner 106 | # https://cirt.net/Nikto2 107 | nikto 108 | # vuln scanner 109 | nmap nse 110 | nmap scripting engine 111 | nmap-nse 112 | # vuln scanner 113 | # http://www.nsauditor.com/ 114 | nsauditor 115 | # vuln scanner 116 | # http://www.openvas.org/ 117 | openvas 118 | # sql injection 119 | # http://www.vealtel.com/software/nosec/pangolin/ 120 | pangolin 121 | # web proxy & vuln scanner 122 | # https://sourceforge.net/projects/paros/ 123 | paros 124 | # phpmyadmin vuln scanner 125 | # dead 2005? 126 | pmafind 127 | # 128 | prog.customcrawler 129 | # vuln scanner 130 | # https://www.qualys.com/suite/web-application-scanning/ 131 | qualys was 132 | # 133 | s.t.a.l.k.e.r. 
134 | # 135 | security scan 136 | # vuln scanner 137 | # https://sourceforge.net/projects/springenwerk/ 138 | springenwerk 139 | # sql injection 140 | # http://www.sqlpowerinjector.com/ 141 | sql power injector 142 | # sql injection 143 | # http://sqlmap.org/ 144 | sqlmap 145 | # sql injection 146 | # http://sqlninja.sourceforge.net/ 147 | sqlninja 148 | # password cracker 149 | # http://foofus.net/goons/jmk/medusa/medusa.html 150 | teh forest lobster 151 | # 152 | this is an exploit 153 | # vuln scanner? 154 | toata dragostea 155 | toata dragostea mea pentru diavola 156 | # SQL bot 157 | # http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=22142&signatureSubId=0 158 | uil2pn 159 | # badly scripted UAs (e.g. User-Agent: User-Agent: foo) 160 | user-agent: 161 | # vuln scannr 162 | # https://subgraph.com/vega/ 163 | vega/ 164 | # vuln scanner 165 | # dead? 166 | voideye 167 | # vuln scanner 168 | # http://w3af.org/ 169 | w3af.sf.net 170 | w3af.sourceforge.net 171 | w3af.org 172 | # site scanner (legacy) 173 | # http://www.robotstxt.org/db/webbandit.html 174 | webbandit 175 | # vuln scanner 176 | # http://www8.hp.com/us/en/software-solutions/webinspect-dynamic-analysis-dast/ 177 | webinspect 178 | # site scanner 179 | # http://www.scrt.ch/en/attack/downloads/webshag 180 | webshag 181 | # vuln scanner 182 | # dead? 
183 | webtrends security analyzer 184 | # vuln scanner 185 | # https://github.com/hhucn/webvulnscan 186 | webvulnscan 187 | # web technology scanner 188 | # https://www.morningstarsecurity.com/research/whatweb 189 | whatweb 190 | # vuln scanner 191 | whcc/ 192 | # exploit poc 193 | wordpress hash grabber 194 | # exploit 195 | xmlrpc exploit 196 | # wordpress vuln scanner 197 | # https://wpscan.org/ 198 | WPScan 199 | -------------------------------------------------------------------------------- /templates/default/scripting-user-agents.data.erb: -------------------------------------------------------------------------------- 1 | # Generic HTTP clients (popular libraries) 2 | 3 | # http library 4 | # http://search.cpan.org/~opera/HTTP-DAV/DAV.pm 5 | dav.pm/v 6 | # http library 7 | # http://search.cpan.org/dist/libwww-perl/lib/LWP.pm 8 | libwww-perl 9 | # generic 10 | mozilla/4.0 (compatible) 11 | mozilla/4.0 (compatible; msie 6.0; win32) 12 | mozilla/5.0 sf/ 13 | mozilla/5.0 sf// 14 | # http library 15 | # https://pypi.python.org/pypi/httplib2 16 | python-httplib2 17 | # http library 18 | # http://docs.python-requests.org/en/master/ 19 | python-requests 20 | # http library 21 | # https://docs.python.org/2/library/urllib.html 22 | Python-urllib 23 | # http library 24 | # https://github.com/typhoeus/typhoeus 25 | typhoeus 26 | # http library 27 | # https://msdn.microsoft.com/en-us/library/windows/desktop/aa382925%28v=vs.85%29.aspx 28 | winhttp.winhttprequest 29 | -------------------------------------------------------------------------------- /templates/default/sql-errors.data.erb: -------------------------------------------------------------------------------- 1 | MySqlClient. 
2 | Server message 3 | SQL error 4 | Oracle error 5 | JET Database Engine 6 | Procedure or function 7 | SQLite.Exception 8 | [IBM][CLI Driver][DB2/6000] 9 | the used select statements have different number of columns 10 | org.postgresql.util.PSQLException 11 | Access Database Engine 12 | Incorrect syntax near 13 | Syntax error in string in query expression 14 | SQLiteException 15 | ' doesn't exist 16 | CLI Driver 17 | on MySQL result index 18 | sybase 19 | com.informix.jdbc 20 | [MySQL][ODBC 21 | Error 22 | has occurred in the vicinity of: 23 | Sintaxis incorrecta cerca de 24 | MySQL server version for the right syntax to use 25 | com.mysql.jdbc.exceptions 26 | You have an error in your SQL syntax near 27 | You have an error in your SQL syntax; 28 | An illegal character has been found in the statement 29 | pg_query() [: 30 | supplied argument is not a valid MySQL 31 | mssql_query() 32 | mysql_fetch_array() 33 | Exception 34 | java.sql.SQLException 35 | Column count doesn't match value count at row 36 | Sybase message 37 | SQL Server 38 | PostgreSQL query failed: 39 | Dynamic SQL Error 40 | System.Data.SQLite.SQLiteException 41 | SQLite/JDBCDriver 42 | Unclosed quotation mark before the character string 43 | System.Data.SqlClient. 44 | Unclosed quotation mark after the character string 45 | System.Data.OleDb.OleDbException 46 | [DM_QUERY_E_SYNTAX] 47 | [SqlException 48 | Unexpected end of command in statement 49 | valid PostgreSQL result 50 | pg_exec() [: 51 | SQL Server 52 | [SQLITE_ERROR] 53 | Microsoft OLE DB Provider for ODBC Drivers 54 | PostgreSQL 55 | org.hsqldb.jdbc 56 | ADODB.Field (0x800A0BCD) 57 | SQL syntax 58 | Exception 59 | System.Data.SqlClient.SqlException 60 | Data type mismatch in criteria expression. 61 | Driver 62 | DB2 SQL error 63 | Sybase message: 64 | ORA- 65 | [Microsoft][ODBC SQL Server Driver] 66 | '80040e14' 67 | Microsoft OLE DB Provider for SQL Server 68 | in query expression 69 | Npgsql. 
70 | valid MySQL result 71 | supplied argument is not a valid PostgreSQL result 72 | db2_ 73 | Ingres SQLSTATE 74 | Column count doesn't match 75 | Warning 76 | [Microsoft][ODBC Microsoft Access Driver] 77 | [Macromedia][SQLServer JDBC Driver] 78 | Warning: ibase_ 79 | Roadhouse.Cms. 80 | DB2 SQL error: 81 | -------------------------------------------------------------------------------- /templates/default/sql-function-names.data.erb: -------------------------------------------------------------------------------- 1 | abs 2 | acos 3 | adddate 4 | addtime 5 | aes_decrypt 6 | aes_encrypt 7 | ascii 8 | asciistr 9 | asin 10 | atan 11 | atan2 12 | avg 13 | benchmark 14 | bin 15 | bin_to_num 16 | bit_and 17 | bit_count 18 | bit_length 19 | bit_or 20 | bit_xor 21 | cast 22 | ciel 23 | cieling 24 | char_length 25 | char 26 | character_length 27 | charset 28 | chr 29 | coalesce 30 | coercibility 31 | collation 32 | compress 33 | concat_ws 34 | concat 35 | connection_id 36 | conv 37 | convert_tz 38 | convert 39 | cos 40 | cot 41 | count 42 | dcount 43 | cr32 44 | curdate 45 | current_date 46 | current_time 47 | current_timestamp 48 | current_user 49 | curtime 50 | database 51 | date 52 | date_add 53 | date_format 54 | date_sub 55 | datediff 56 | day 57 | dayname 58 | dayofmonth 59 | dayofweek 60 | dayofyear 61 | decode 62 | default 63 | degrees 64 | des_decrypt 65 | des_encrypt 66 | dump 67 | elt 68 | encode 69 | encrypt 70 | exp 71 | export_set 72 | extract 73 | extractvalue 74 | field 75 | field_in_set 76 | find_in_set 77 | floor 78 | format 79 | found_rows 80 | from_base64 81 | from_days 82 | from_unixtime 83 | get_format 84 | get_lock 85 | greatest 86 | group_concat 87 | hex 88 | hextoraw 89 | rawtohex 90 | hour 91 | if 92 | ifnull 93 | in 94 | inet6_aton 95 | inet6_ntoa 96 | inet_aton 97 | inet_ntoa 98 | insert 99 | instr 100 | interval 101 | isnull 102 | is_free_lock 103 | is_ipv4_compat 104 | is_ipv4_mapped 105 | is_ipv4 106 | is_ipv6 107 | is_not_null 108 | is_not 
109 | is_null 110 | is_used_lock 111 | last 112 | last_day 113 | last_inser_id 114 | lcase 115 | least 116 | left 117 | length 118 | ln 119 | load_file 120 | local 121 | localtimestamp 122 | locate 123 | log 124 | log2 125 | log10 126 | lower 127 | lpad 128 | ltrim 129 | make_set 130 | makedate 131 | master_pos_wait 132 | max 133 | md5 134 | microsecond 135 | mid 136 | min 137 | minute 138 | mod 139 | month 140 | monthname 141 | name_const 142 | not_in 143 | now 144 | nullif 145 | oct 146 | octet_length 147 | old_password 148 | ord 149 | password 150 | period_add 151 | period_diff 152 | pi 153 | position 154 | pow 155 | power 156 | procedure_analyse 157 | quarter 158 | quote 159 | radians 160 | rand 161 | release_lock 162 | repeat 163 | replace 164 | reverse 165 | right 166 | round 167 | row_count 168 | rpad 169 | rtrim 170 | schema 171 | sec_to_time 172 | second 173 | session_user 174 | sha 175 | sha1 176 | sha2 177 | sign 178 | sin 179 | pg_sleep 180 | sleep 181 | soundex 182 | space 183 | sqrt 184 | std 185 | stddev_pop 186 | stddev_samp 187 | str_to_date 188 | strcmp 189 | subdate 190 | substring 191 | substring_index 192 | substr 193 | subtime 194 | sum 195 | sysdate 196 | system_user 197 | tan 198 | time 199 | timestamp 200 | timestampadd 201 | timestampdiff 202 | timediff 203 | time_format 204 | time_to_sec 205 | to_base64 206 | todays 207 | toseconds 208 | tochar 209 | tonchar 210 | trim 211 | truncate 212 | ucase 213 | uncompress 214 | uncompressed_length 215 | unhex 216 | unix_timestamp 217 | updatexml 218 | upper 219 | user 220 | utc_date 221 | utc_time 222 | utc_timestamp 223 | uuid 224 | uuid_short 225 | values 226 | var_pop 227 | var_samp 228 | variance 229 | version 230 | week 231 | weekday 232 | weekofyear 233 | weight_string 234 | year 235 | yearweek 236 | xmltype 237 | -------------------------------------------------------------------------------- /templates/default/unix-shell.data.erb: 
-------------------------------------------------------------------------------- 1 | bin/bash 2 | bin/csh 3 | bin/dash 4 | bin/du 5 | bin/echo 6 | bin/less 7 | bin/ls 8 | bin/more 9 | bin/nc 10 | bin/ps 11 | bin/rbash 12 | bin/sh 13 | bin/sleep 14 | bin/su 15 | bin/tcsh 16 | bin/uname 17 | dev/fd/ 18 | dev/null 19 | dev/stderr 20 | dev/stdin 21 | dev/stdout 22 | dev/tcp/ 23 | dev/udp/ 24 | dev/zero 25 | etc/group 26 | etc/master.passwd 27 | etc/passwd 28 | etc/pwd.db 29 | etc/shadow 30 | etc/shells 31 | etc/spwd.db 32 | proc/self/ 33 | usr/bin/cc 34 | usr/bin/clang 35 | usr/bin/clang++ 36 | usr/bin/curl 37 | usr/bin/env 38 | usr/bin/fetch 39 | usr/bin/file 40 | usr/bin/find 41 | usr/bin/ftp 42 | usr/bin/gcc 43 | usr/bin/head 44 | usr/bin/id 45 | usr/bin/less 46 | usr/bin/more 47 | usr/bin/nc 48 | usr/bin/nice 49 | usr/bin/nmap 50 | usr/bin/perl 51 | usr/bin/php 52 | usr/bin/php5 53 | usr/bin/php7 54 | usr/bin/python 55 | usr/bin/python2 56 | usr/bin/python3 57 | usr/bin/ruby 58 | usr/bin/tail 59 | usr/bin/top 60 | usr/bin/uname 61 | usr/bin/wget 62 | usr/bin/who 63 | usr/bin/whoami 64 | usr/bin/xargs 65 | usr/local/bin/bash 66 | usr/local/bin/curl 67 | usr/local/bin/nmap 68 | usr/local/bin/perl 69 | usr/local/bin/php 70 | usr/local/bin/python 71 | usr/local/bin/python2 72 | usr/local/bin/python3 73 | usr/local/bin/rbash 74 | usr/local/bin/ruby 75 | usr/local/bin/wget 76 | -------------------------------------------------------------------------------- /templates/default/vhost.conf.erb: -------------------------------------------------------------------------------- 1 | 2 | DocumentRoot /usr/local/waftest 3 | 4 | Order allow,deny 5 | Allow from all 6 | Require all granted 7 | 8 | 9 | 10 | DocumentRoot /usr/local/waftest 11 | SecRuleEngine <%= node['waf_testbed']['engine_mode'] %> 12 | SSLEngine on 13 | SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem 14 | SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key 15 | BrowserMatch "MSIE [2-6]" \ 16 | 
nokeepalive ssl-unclean-shutdown \ 17 | downgrade-1.0 force-response-1.0 18 | BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown 19 | 20 | Order allow,deny 21 | Allow from all 22 | Require all granted 23 | 24 | 25 | -------------------------------------------------------------------------------- /templates/default/windows-powershell-commands.data.erb: -------------------------------------------------------------------------------- 1 | powershell.exe 2 | Add-BitsFile 3 | Add-Computer 4 | Add-Content 5 | Add-History 6 | Add-Member 7 | Add-PSSnapin 8 | Add-Type 9 | Checkpoint-Computer 10 | Clear-Content 11 | Clear-EventLog 12 | Clear-History 13 | Clear-Item 14 | Clear-ItemProperty 15 | Clear-Variable 16 | Compare-Object 17 | Complete-BitsTransfer 18 | Complete-Transaction 19 | Connect-WSMan 20 | ConvertFrom-CSV 21 | ConvertFrom-SecureString 22 | ConvertFrom-StringData 23 | Convert-Path 24 | ConvertTo-CSV 25 | ConvertTo-Html 26 | ConvertTo-SecureString 27 | ConvertTo-XML 28 | Copy-Item 29 | Copy-ItemProperty 30 | Debug-Process 31 | Disable-ComputerRestore 32 | Disable-PSBreakpoint 33 | Disable-PSSessionConfiguration 34 | Disable-WSManCredSSP 35 | Disconnect-WSMan 36 | Enable-ComputerRestore 37 | Enable-PSBreakpoint 38 | Enable-PSRemoting 39 | Enable-PSSessionConfiguration 40 | Enable-WSManCredSSP 41 | Enter-PSSession 42 | Exit-PSSession 43 | Export-Alias 44 | Export-Clixml 45 | Export-Console 46 | Export-Counter 47 | Export-CSV 48 | Export-FormatData 49 | Export-ModuleMember 50 | Export-PSSession 51 | ForEach-Object 52 | Format-Custom 53 | Format-List 54 | Format-Table 55 | Format-Wide 56 | Get-Acl 57 | Get-Alias 58 | Get-AppLockerFileInformation 59 | Get-AppLockerPolicy 60 | Get-AuthenticodeSignature 61 | Get-BitsTransfer 62 | Get-ChildItem 63 | Get-Command 64 | Get-ComputerRestorePoint 65 | Get-Content 66 | Get-Counter 67 | Get-Credential 68 | Get-Culture 69 | Get-Event 70 | Get-EventLog 71 | Get-EventSubscriber 72 | Get-ExecutionPolicy 73 | Get-FormatData 74 | 
Get-History 75 | Get-Host 76 | Get-HotFix 77 | Get-Item 78 | Get-ItemProperty 79 | Get-Job 80 | Get-Location 81 | Get-Member 82 | Get-Module 83 | Get-PfxCertificate 84 | Get-Process 85 | Get-PSBreakpoint 86 | Get-PSCallStack 87 | Get-PSDrive 88 | Get-PSProvider 89 | Get-PSSession 90 | Get-PSSessionConfiguration 91 | Get-PSSnapin 92 | Get-Random 93 | Get-Service 94 | Get-TraceSource 95 | Get-Transaction 96 | Get-TroubleshootingPack 97 | Get-UICulture 98 | Get-Unique 99 | Get-Variable 100 | Get-WinEvent 101 | Get-WmiObject 102 | Get-WSManCredSSP 103 | Get-WSManInstance 104 | Group-Object 105 | Import-Alias 106 | Import-Clixml 107 | Import-Counter 108 | Import-CSV 109 | Import-LocalizedData 110 | Import-Module 111 | Import-PSSession 112 | Invoke-Command 113 | Invoke-Expression 114 | Invoke-History 115 | Invoke-Item 116 | Invoke-TroubleshootingPack 117 | Invoke-WmiMethod 118 | Invoke-WSManAction 119 | Join-Path 120 | Limit-EventLog 121 | Measure-Command 122 | Measure-Object 123 | Move-Item 124 | Move-ItemProperty 125 | New-Alias 126 | New-AppLockerPolicy 127 | New-Event 128 | New-EventLog 129 | New-Item 130 | New-ItemProperty 131 | New-Module 132 | New-ModuleManifest 133 | New-Object 134 | New-PSDrive 135 | New-PSSession 136 | New-PSSessionOption 137 | New-Service 138 | New-TimeSpan 139 | New-Variable 140 | New-WebServiceProxy 141 | New-WSManInstance 142 | New-WSManSessionOption 143 | Out-Default 144 | Out-File 145 | Out-GridView 146 | Out-Host 147 | Out-Null 148 | Out-Printer 149 | Out-String 150 | Pop-Location 151 | Push-Location 152 | Read-Host 153 | Receive-Job 154 | Register-EngineEvent 155 | Register-ObjectEvent 156 | Register-PSSessionConfiguration 157 | Register-WmiEvent 158 | Remove-BitsTransfer 159 | Remove-Computer 160 | Remove-Event 161 | Remove-EventLog 162 | Remove-Item 163 | Remove-ItemProperty 164 | Remove-Job 165 | Remove-Module 166 | Remove-PSBreakpoint 167 | Remove-PSDrive 168 | Remove-PSSession 169 | Remove-PSSnapin 170 | Remove-Variable 171 | 
Remove-WmiObject 172 | Remove-WSManInstance 173 | Rename-Item 174 | Rename-ItemProperty 175 | Reset-ComputerMachinePassword 176 | Resolve-Path 177 | Restart-Computer 178 | Restart-Service 179 | Restore-Computer 180 | Resume-BitsTransfer 181 | Resume-Service 182 | Select-Object 183 | Select-String 184 | Select-XML 185 | Send-MailMessage 186 | Set-Acl 187 | Set-Alias 188 | Set-AppLockerPolicy 189 | Set-AuthenticodeSignature 190 | Set-BitsTransfer 191 | Set-Content 192 | Set-Date 193 | Set-ExecutionPolicy 194 | Set-Item 195 | Set-ItemProperty 196 | Set-Location 197 | Set-PSBreakpoint 198 | Set-PSDebug 199 | Set-PSSessionConfiguration 200 | Set-Service 201 | Set-StrictMode 202 | Set-TraceSource 203 | Set-Variable 204 | Set-WmiInstance 205 | Set-WSManInstance 206 | Set-WSManQuickConfig 207 | Show-EventLog 208 | Sort-Object 209 | Split-Path 210 | Start-BitsTransfer 211 | Start-Job 212 | Start-Process 213 | Start-Service 214 | Start-Sleep 215 | Start-Transaction 216 | Start-Transcript 217 | Stop-Computer 218 | Stop-Job 219 | Stop-Process 220 | Stop-Service 221 | Stop-Transcript 222 | Suspend-BitsTransfer 223 | Suspend-Service 224 | Tee-Object 225 | Test-AppLockerPolicy 226 | Test-ComputerSecureChannel 227 | Test-Connection 228 | Test-ModuleManifest 229 | Test-Path 230 | Test-WSMan 231 | Trace-Command 232 | Undo-Transaction 233 | Unregister-Event 234 | Unregister-PSSessionConfiguration 235 | Update-FormatData 236 | Update-List 237 | Update-TypeData 238 | Use-Transaction 239 | Wait-Event 240 | Wait-Job 241 | Wait-Process 242 | Where-Object 243 | Write-Debug 244 | Write-Error 245 | Write-EventLog 246 | Write-Host 247 | Write-Output 248 | Write-Progress 249 | Write-Verbose 250 | Write-Warning 251 | -EncodedCommand 252 | -ExecutionPolicy 253 | -PSConsoleFile 254 | -------------------------------------------------------------------------------- /test/integration/default/default_spec.rb: -------------------------------------------------------------------------------- 1 | 
# InSpec integration checks for the waf_testbed default recipe: the Apache
# service, its two listeners, the ModSecurity package, and end-to-end evidence
# that probes with bogus HTTP methods are recorded in the ModSecurity audit log.
describe service('apache2-default') do
  it { should be_enabled }
  it { should be_running }
end

# Plain-HTTP and TLS listeners (both vhosts are declared in vhost.conf.erb).
describe port(80) do
  it { should be_listening }
end

describe port(443) do
  it { should be_listening }
end

# The Apache ModSecurity v2 module that evaluates the CRS templates.
describe package('libapache2-mod-security2') do
  it { should be_installed }
end

#
# NB: It's possible that the engine is running in detection
# mode. The following command should result in a log being
# generated at the very least.
#
# Only curl's exit status is asserted: SecRuleEngine is taken from
# node['waf_testbed']['engine_mode'] in vhost.conf.erb, and in a
# detection-only mode the request is logged but not blocked, so a 403
# cannot be required here. The audit-log checks at the bottom of this
# file carry the actual WAF assertion for this probe.
describe command('curl -X__FOOBAZ localhost') do
  # its(:stdout) { should match '403 Forbidden' }
  its(:exit_status) { should eq 0 }
end

# A benign GET must still be served (guards against a false positive on
# the landing page).
# NOTE(review): the expected-body literal below appears to have had its
# HTML tags stripped by the page renderer (the original is a single source
# line); confirm the pattern against the repository's default_spec.rb and
# index.html.erb before relying on it.
describe command('curl -XGET localhost') do
  its(:stdout) { should match '

Testing Site

' }
  its(:exit_status) { should eq 0 }
end

# Same bogus-method probe over TLS. `-k` disables certificate verification
# because vhost.conf.erb serves the self-signed ssl-cert-snakeoil pair; this
# is acceptable only because the target is the local testbed.
describe command('curl -X_BOGUS_HEADER_TLS -k https://localhost') do
  its(:exit_status) { should eq 0 }
end

# Each probe must leave a matching entry in the ModSecurity audit log.
# The single-quoted pattern is presumably evaluated as a regex, so `\]` is
# meant to match the literal `]` closing the audit-log `data` field; the
# message text itself comes from the testbed's custom rules (not visible
# here) — keep the two in sync if either changes.
describe file('/var/log/apache2/modsec_audit.log') do
  it { should be_file }
  its (:content) { should match 'data "WAF testing: Got unauthorized method: __FOOBAZ"\]' }
end

describe file('/var/log/apache2/modsec_audit.log') do
  it { should be_file }
  its (:content) { should match 'data "WAF testing: Got unauthorized method: _BOGUS_HEADER_TLS"\]' }
end