diff options
Diffstat (limited to 'files/mod_security/custom_rules/rules.conf')
-rw-r--r-- | files/mod_security/custom_rules/rules.conf | 546 |
1 files changed, 546 insertions, 0 deletions
diff --git a/files/mod_security/custom_rules/rules.conf b/files/mod_security/custom_rules/rules.conf new file mode 100644 index 0000000..b51ea89 --- /dev/null +++ b/files/mod_security/custom_rules/rules.conf @@ -0,0 +1,546 @@ +# http://www.gotroot.com/mod_security+rules +# Gotroot.com ModSecurity rules +# Application Security Rules for modsec 2.x +# +# Version: N-20061022-01 +# +# Download from: http://www.gotroot.com/downloads/ftp/mod_security/2.0/rules.conf +# +# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com) +# Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved. +# Redistribution is strictly prohibited in any form, including whole or in part. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE +# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF +# THE POSSIBILITY OF SUCH DAMAGE. + +#-------------------------------- +# notes +#-------------------------------- +# Rules work with modsecurity 2.0 and above only + +#-------------------------------- +#start rules +#-------------------------------- + +#Configure for your site +SecDefaultAction "log,deny,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase" + +#Enforce proper HTTP requests +SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "id:340000,severity:1,msg:'Bad HTTP Protocol'" + +#Generic rule for allowed characters, very broken at the moment, dont use it unless you can fix it +#Then post your fix eh! +#SecRule REQUEST_URI "!^[-a-zA-z0-9\.\+_/\-\?\=]+$" "chain,id:340002,rev:1,severity:2,msg:'Restricted HTTP character set'" + + +# Don't accept transfer encodings we know we don't handle +# (and you don't need it anyway) +SecRule HTTP_Transfer-Encoding "!^$" "id:340004,rev:1,severity:2,msg:'Dis-allowed Transfer Encoding'" + +#deny TRACE method +SecRule REQUEST_METHOD "TRACE" "id:340007,rev:1,severity:2,msg:'TRACE method denied'" + +#XSS insertion into headers +SecRule REQUEST_HEADERS "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)" "id:300002,rev:1,severity:2,msg:'XSS attack in Content-type header'" + + +#Don't accept chunked encodings +#modsecurity can not look at these, so this is a hole +#that can bypass your rules, the rule before this one +#should cover this, but hey paranoia is cheap +SecRule HTTP_Transfer-Encoding "chunked" "id:300003,rev:1,severity:2,msg:'Chunked Transfer Encoding denied'" + +#Code injection via content length +SecRule HTTP_Content-Length "\;(system|passthru|exec)\(" "id:330003,rev:1,severity:2,msg:'Code Injection in Content-Length header'" + +##generic recursion signatures +SecRule REQUEST_URI "!(alt_mod_frameset\.php)" "chain,id:300004,rev:2,severity:2,msg:'Generic Path Recursion denied'" +SecRule REQUEST_URI "\.\./\.\./" +#generic path recurision sig + + +#generic recursion signatures +SecRule REQUEST_URI "\.\|\./\.\|\./\.\|" "id:300005,rev:1,severity:2,msg:'Generic Path Recursion denied'" + +#generic bogus path sigs +SecRule REQUEST_URI "\.\.\./" "id:300006,rev:1,severity:2,msg:'Bogus Path denied'" + +#Generic PHP exploit signatures +SecRule REQUEST_BODY "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'" + +#Generic PHP exploit signatures +SecRule REQUEST_BODY|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330002,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'" + +#slightly tighter rules with narrower focus +SecRule REQUEST_URI|REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300008,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'" + +#generic XSS PHP attack types +SecRule REQUEST_URI "\.php\?" "chain,id:300010,rev:1,severity:2,msg:'Generic PHP XSS exploit pattern denied'" +SecRule REQUEST_BODY|REQUEST_URI "(javascript\:/(.*new\x20ActiveXObject.*Sh\.regwrite|.*window\.opener\.document\.body.\innerHTML=window\.opener\.document\.body\.innerHTML\.replace)|onmouseover=\'javascript)" + + +#Prevent SQL injection in cookies +SecRule REQUEST_COOKIES "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300011,rev:1,severity:2,msg:'Generic SQL injection in cookie'" + +#Prevent command injection through cookies +SecRule REQUEST_COOKIES "\; cmd=" + +#Prevent SQL injection in UA +SecRule HTTP_USER_AGENT "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300012,rev:1,severity:2,msg:'Generic SQL injection in User Agent header'" + +# Generic filter to prevent SQL injection attacks +# Understand that all SQL filters are very limited and are very difficult +# to prevent false postives and negatives. +# Pplease report false positives/negatives to mike@gotroot.com +SecRule REQUEST_URI "!((/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/horde3?/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(Downloads|Submit_News)|/admin\.php\?module=NS\-AddStory\&op=|/index\.php\?name=PNphpBB2&file=posting&mode=reply.*|/phpMyAdmin/|/PNphpBB2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/_mmServerScripts/|/node/[0-9]+/edit|/_vti_bin/.*\.exe/)" "chain,id:300013,rev:1,severity:2,msg:'Generic SQL injection protection'" +SecRule REQUEST_URI|REQUEST_BODY "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" + +#Generic SQL sigs +SecRule ARGS "(or.+1[[:space:]]*=[[:space:]]1|(or 1=1|'.+)--')" "id:300014,rev:1,severity:2,msg:'Generic SQL injection protection'" + +#Generic SQL sigs +SecRule ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" "id:300015,rev:1,severity:2,msg:'Generic SQL injection protection'" + +#Generic SQL sigs +SecRule REQUEST_URI "!(/node/[0-9]+/edit|/forum/posting\.php|/admins/wnedit\.php|/alt_doc\.php\?returnUrl=.*edit|/admin/categories\.php\?cPath=.*|modules\.php\?name=Forums&file=posting&mode=.*)" "chain,id:300016,rev:2,severity:2,msg:'Generic SQL injection protection'" +SecRule ARGS "(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)" + +#Meta character SQL injection +SecRule REQUEST_URI "\'.*(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)|and.*char\(.*\)" "id:380015,rev:1,severity:2,msg:'Generic SQL metacharacter URI injection protection'" + +#Generic command line attack filter +SecRule REQUEST_URI "!(/Count\.cgi)" "chain,id:300017,rev:1,severity:2,msg:'Generic command line attack filter'" +SecRule REQUEST_URI|REQUEST_BODY "\|+.*[\x20].*[\x20].*\|" + +#Generic PHP bad functions protection +#PHP copy() function: http://securitytracker.com/alerts/2006/Apr/1015882.html +SecRule ARGS compress\.zlib: + +#Generic XSS filter +#please report false positives +SecRule REQUEST_URI "!/mt\.cgi" chain +SecRule REQUEST_URI|REQUEST_BODY "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>" + +#XSS in referrer and UA headers +SecRule HTTP_REFERER|HTTP_USER_AGENT "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>" + +#PHP Injection Attack generic signature +SecRule REQUEST_URI "\.php" chain +SecRule REQUEST_URI|REQUEST_BODY "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|cat|pagina|path|include_location|root|page|gorumDir|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))" + +#PHP Injection Attack generic signature +SecRule REQUEST_URI "\.php\?(((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|pagina|path|pathtoroot|cat|include_location|gorumDir|root|page|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|.*(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z]))" + +#Generic PHP remote file inclusion attack signature +SecRule REQUEST_URI "\.php\?" chain +SecRule REQUEST_URI "(http|https|ftp)\:/" chain +SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])" + +#Generic PHP remote file inclusion attack signature with command +SecRule REQUEST_URI "\.php\?" chain +SecRule REQUEST_URI "(http|https|ftp)\:/" chain +SecRule REQUEST_URI|REQUEST_BODY "(cmd|command)=.*(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])" + +#really broad furl_fopen attack sig +#tune this for your system +SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300018,rev:3,severity:2,msg:'Generic PHP code injection protection via ARGS'" +SecRule REQUEST_URI "\.php(3|4|5)?(\?|&)" chain +SecRule ARGS "(ht|f)tps?:/" +SecRule REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300040,rev:1,severity:2,msg:'Generic PHP code injection protection in URI'" +SecRule REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/" + + +#Genenric PHP body attack +SecRule REQUEST_BODY "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain +SecRule REQUEST_BODY "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])" + +#Generic PHP remote file injection +SecRule REQUEST_URI "!(/do_command)" chain +SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)=" + +#script, perl, etc. code in HTTP_Referer string +SecRule HTTP_Referer "\#\!.*/" + +#generic command line attack +SecRule REQUEST_URI|ARGS "\|*id\;echo*\|" + +#remote file inclusion generic attack signature +SecRule REQUEST_URI "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain +SecRule REQUEST_URI|REQUEST_BODY "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)" + +#remote file inclusion generic attack signature +SecRule ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain +SecRule ARGS "\?\&(cmd|inc|name)=" + +#remote file inclusion generic attack signature +SecRule ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|name)=" + +#remote file inclusion generic attack signature +SecRule REQUEST_URI "\.php\?.*=(http|https|ftp)\:/.*\?&cmd=" + +#Bogus file extensions generic signature +SecRule REQUEST_URI "[A-Za-z0-9]\.(gif|jpg|png|bmp)\.txt" + +#PHP remote path attach generic signature +SecRule REQUEST_URI "\.ph(p(3|4)?).*path=(http|https|ftp)\:/" +SecRule REQUEST_URI "\.php.*path=(http|https|ftp)\:/" + +#generic attack sig +SecRule REQUEST_URI "cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)" + +# WEB-ATTACKS uname -a command attempt +SecRule REQUEST_URI "uname" chain +SecRule REQUEST_URI "\x20-a" + +#Generic argument protection rule against bad meta characters +#SecRule "ARGS" "!^[A-Za-z0-9.&/?@_%=:;, -]*$" + +#generic php attack sigs +SecRule REQUEST_URI "(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command)=|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(cmd|command)=|\.php\?&(cmd|command)=)" + +# WEB-ATTACKS xterm command attempt +SecRule REQUEST_URI "/usr/X11R6/bin/xterm" + +# WEB-ATTACKS /etc/shadow access +SecRule REQUEST_URI "/etc/shadow" + +# WEB-ATTACKS /bin/ps command attempt +SecRule REQUEST_URI "/bin/ps" + +# WEB-ATTACKS /usr/bin/id command attempt +SecRule REQUEST_URI "/usr/bin/id" chain +SecRule REQUEST_URI "\x20" + +# WEB-ATTACKS echo command attempt +SecRule REQUEST_URI "/bin/echo" chain +SecRule REQUEST_URI "\x20" + +# WEB-ATTACKS kill command attempt +SecRule REQUEST_URI "/bin/kill" chain +SecRule REQUEST_URI "\x20" + +# WEB-ATTACKS chmod command attempt +SecRule REQUEST_URI "/bin/chmod" chain +SecRule REQUEST_URI "\x20" + +# WEB-ATTACKS chsh command attempt +SecRule REQUEST_URI "/usr/bin/chsh" + +# WEB-ATTACKS gcc command attempt +SecRule REQUEST_URI "gcc" chain +SecRule REQUEST_URI "x20-o" + +# WEB-ATTACKS /usr/bin/cc command attempt +SecRule REQUEST_URI "/usr/bin/cc" chain +SecRule REQUEST_URI "\x20" + +# WEB-ATTACKS /usr/bin/cpp command attempt +SecRule REQUEST_URI "/usr/bin/cpp" chain +SecRule REQUEST_URI "\x20" + +# WEB-ATTACKS /usr/bin/g++ command attempt +SecRule REQUEST_URI "/usr/bin/g\+\+" chain +SecRule REQUEST_URI "\x20" + +# WEB-ATTACKS g++ command attempt +SecRule REQUEST_URI "g\+\+\x20" chain +SecRule REQUEST_URI "\x20" + +# WEB-ATTACKS bin/python access attempt +SecRule REQUEST_URI "bin/python" chain +SecRule REQUEST_URI "\x20" + +# WEB-ATTACKS python access attempt +#SecRule "python\x20" + +# WEB-ATTACKS bin/tclsh execution attempt +SecRule REQUEST_URI "bin/tclsh" + +# WEB-ATTACKS tclsh execution attempt +SecRule REQUEST_URI "tclsh8\x20" + +# WEB-ATTACKS bin/nasm command attempt +SecRule REQUEST_URI "bin/nasm" + +# WEB-ATTACKS nasm command attempt +SecRule REQUEST_URI "nasm\x20" + +# WEB-ATTACKS /usr/bin/perl execution attempt +SecRule REQUEST_URI "/usr/bin/perl" + +# WEB-ATTACKS traceroute command attempt +SecRule REQUEST_URI "traceroute" chain +SecRule REQUEST_URI "\x20([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" + +# WEB-ATTACKS ping command attempt +SecRule REQUEST_URI "/bin/ping" chain +SecRule REQUEST_URI "\x20" + +# WEB-ATTACKS X application to remote host attempt +SecRule REQUEST_URI "\x20-display\x20" + +# WEB-ATTACKS mail command attempt +SecRule REQUEST_URI "/bin/mail" chain +SecRule REQUEST_URI "\x20" + +# WEB-ATTACKS /bin/ls command attempt +SecRule REQUEST_URI "/bin/ls" chain +SecRule REQUEST_URI "\x20" + +# WEB-ATTACKS /etc/inetd.conf access +SecRule REQUEST_URI "/etc/inetd\.conf" + +# WEB-ATTACKS /etc/motd access +SecRule REQUEST_URI "/etc/motd" +# WEB-ATTACKS conf/httpd.conf attempt +SecRule REQUEST_URI "conf/httpd\.conf" + +# WEB-MISC .htpasswd access +SecRule REQUEST_URI "\.htpasswd" + +# WEB-MISC /etc/passwd access +SecRule REQUEST_URI "/etc/passwd" + +# WEB-MISC nessus 1.X 404 probe +SecRule REQUEST_URI "/nessus_is_probing_you_" + +# WEB-MISC nessus 2.x 404 probe +SecRule REQUEST_URI "/NessusTest" + +# WEB-MISC ls%20-l +SecRule REQUEST_URI "ls" chain +SecRule REQUEST_URI "\x20-l" + +# WEB-MISC apache directory disclosure attempt +SecRule REQUEST_URI "////////" + +#musicat empower attempt +SecRule REQUEST_URI "/empower\?DB=" + +# WEB-MISC *%0a.pl access +SecRule REQUEST_URI "/*\x0a\.pl" + +#PHPBB worm sigs +SecRule REQUEST_URI "!(tiki-searchindex\.php)" chain +SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)" + +#PHP defenses +SecRule ARGS:PHPSESSID "!^[0-9a-z]*$" + +#PHP defenses +SecRule ARGS "^(globals($|\[)|php:/)" + +#PHP defenses +SecRule REQUEST_COOKIES:PHPSESSID "!^[0-9a-z]*$" + +#PHP defenses +SecRule REQUEST_COOKIES:sessionid "!^[0-9a-z\.]*$" + +# Web-attacks chdir +SecRule REQUEST_URI "&(cmd|command)=chdir\x20" + +# TIKIWIKI +SecRule REQUEST_URI "/tiki-map.phtml\?mapfile=\.\./\.\./" + +#SMTP redirects +SecRule REQUEST_URI_RAW ^(http|https)\:/.+:25 + +#These are VERY experiemental, please report false positives/negatives, etc. +#very experimental generic remote download sig +#foo IP or FQDN, or foo http/https/ftp://whatever +SecRule REQUEST_URI "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20((http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" + +#Command inline detection +SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)((s|r)(sh|cp)) *(.*\@.*|(http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" + +#very experimental connect command sig +SecRule REQUEST_URI "( |\;|/|\'|,|\&|\=|\.)(perl|nc|telnet|(rs)sh|rexec) .*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[A-Za-z|0-9]\.[a-zA-Z]{2,4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" + +#Commands, also need a major rework, these also have issues +SecRule REQUEST_URI "\;\x20+?perl\x20+[A-Za-z|0-9]+;" +#SecRule REQUEST_URI "echo\x20" +SecRule REQUEST_URI "links -dump " +SecRule REQUEST_URI "links -dump-(charset|width) " +SecRule REQUEST_URI "links (http|https|ftp)\:/" +SecRule REQUEST_URI "links -source " +#SecRule REQUEST_URI "mkdir\x20" +SecRule REQUEST_URI "cd\x20/(tmp|/var/tmp)" + +SecRule REQUEST_URI "cd \.\." +SecRule REQUEST_URI "/\.(history|bash_history) HTTP\/(0\.9|1\.0|1\.1)$" + +#generic block for fwrite fopen uploads +SecRule REQUEST_URI "fwrite" chain +SecRule REQUEST_URI "fopen" + +#generic sig for more bad PHP functions +SecRule REQUEST_URI "chr\(([0-9]{1,3})\)" +SecRule ARGS_NAMES "^php:/" + +# WEB-MISC Tomcat view source attempt +SecRule REQUEST_URI "\x252ejsp" + +# WEB-MISC whisker HEAD/./ +#SecRule "HEAD/./" + +# WEB-FRONTPAGE .... request +SecRule REQUEST_URI "\.\.\.\./" + +#experimental CSS rule +#SecRule REQUEST_URI "/(\x3C|<)(\x2F|\/)*[a-z0-9\%]+(\x3E|>)" + +#Generic attack rules pcre format +#cross site scripting attempt IMG onerror or onload +SecRule REQUEST_URI "\<IMG.*/\bonerror\b[\s]*=" + +#cross site scripting attempt TYPE + JAVASCRIPT +SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/javascript" + +#cross site scripting attempt STYLE + JAVASCRIPT +SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]application\/x-javascript" + +#cross site scripting attempt STYLE + JSCRIPT +SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/jscript" + +# cross site scripting attempt STYLE + VBSCRIPT +SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/vbscript" + +#cross site scripting attempt STYLE + VBSCRIPT +SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]application\/x-vbscript" + +#cross site scripting attempt STYLE + ECMACRIPT +SecRule REQUEST_URI "TYPE\s*=\s*[\'\"]text\/ecmascript" + +# cross site scripting attempt STYLE + EXPRESSION +SecRule REQUEST_URI "STYLE[\s]*=[\s]*[^>]expression[\s]*\(" + +#cross site scripting attempt STYLE + EXPRESSION +SecRule REQUEST_URI "[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>" + +# cross site scripting attempt using XML +SecRule REQUEST_URI "<!\[CDATA\[<\]\]>SCRIPT" + +#cross site scripting attempt executing hidden Javascript +SecRule REQUEST_URI "eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*\)" + +#cross site scripting attempt executing hidden Javascript +SecRule REQUEST_URI "window\.execScript[\s]*\(" + +#cross site scripting attempt to execute Javascript code +SecRule REQUEST_URI "/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*javascript[\:]" + +#cross site scripting stealth attempt to execute Javascript code +#may false alarm for some language sets +SecRule REQUEST_URI "!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)" chain +SecRule REQUEST_URI|REQUEST_BODY "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]" + +#Apache /server-info accessible +SecRule REQUEST_URI "/server-info" chain +SecRule REMOTE_ADDR "!^127\.0\.0\.1$" + +#Apache /server-status accessible +#Modified so apache-protect can run +SecRule REQUEST_URI "^/server-status/$" chain +SecRule REMOTE_ADDR "!^127\.0\.0\.1$" + +#generic Common HTTP vulnerability +SecRule REQUEST_URI "/\?cwd=/" + +#General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links) +SecRule REQUEST_URI "\.php\?" chain +SecRule REQUEST_URI|REQUEST_BODY "\[url=(script|javascript|applet|about|chrome|activex)\:/.*\].*\[/url\]" + +#Experimental XML-RPC generic attack sigs +SecRule REQUEST_BODY "\'\,\'\'\)\)\;" +SecRule REQUEST_BODY "\<param\>\<name\>.*\'\)\;" + +#MTS +#XML-RPC generic attack sigs +SecRule REQUEST_HEADERS "^Content-Type\: application/xml" chain +SecRule REQUEST_BODY "(\<xml|\<.*xml)" chain +SecRule REQUEST_BODY "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" chain +SecRule REQUEST_BODY "methodCall\>" + +#Specific XML-RPC attacks on xmlrpc.php +SecRule REQUEST_URI "(xmlrpc|xmlrpc.*)\.php" chain +SecRule REQUEST_BODY "(\<xml|\<.*xml)" chain +SecRule REQUEST_BODY "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" + +#Too generic, unless you know you won't see this in any of the fields of an XMLRPC message on your system +#SecRule REQUEST_URI "/xmlrpc\.php" chain +#SecRule "(cd|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)" + +#XML-RPC SQL injection generic signature +SecRule REQUEST_URI "(xmlrpc|xmlrpc_.*)\.php" chain +SecRule REQUEST_BODY "<methodName>.*</methodName>.*<value><string>.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*methodName\>" + +#generic remote file inclusion vulns +SecRule REQUEST_URI "/index\.php\?do=.*&page=(http|https|ftp)\:/" +SecRule REQUEST_URI "/index\.php\?kietu\[.*\]=(http|https|ftp)\:/" +SecRule REQUEST_URI "/index\.php\?libDir=http://xxxxxxxx" +SecRule REQUEST_URI "/init\.php\?HTTP_POST_VARS\[GALLERY_BASEDIR\]=(http|https|ftp)\:/" + +#catch smuggling attacks +#SecRule "^(GET|POST).*Host:.*^(GET|POST)" + +#Drupal remote command execution vulnerability exploit signature +#This is already covered in another generic signature, but just in case you leave it out, here it is +#again with a slightly tigher regexp +SecRule REQUEST_BODY "\<.*php .*\(.*\)\;system\(.*\).*php*\>" +#Slightly stronger version of the above +SecRule REQUEST_BODY "\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\).*php*\>" + +#Generic PHP attack sig +SecRule REQUEST_BODY|REQUEST_URI "system\(getenv\(HTTP_PHP\)\)" + +#Generic Nessus request filter +SecRule REQUEST_URI "NessusTest*\.html" + +#Generic PHP payload command injection and upload vulnerabilities +SecRule REQUEST_BODY "<\?php" chain +SecRule REQUEST_BODY "((fputs|fread)\(.*\,.*\)\;|fsockopen\(gethostbyname|chr\(.*\)\.chr\(.*\)\.chr\(|(fclose|fgets)\(.*\)\;|(system|exec)\(.*\)\;)" chain +SecRule REQUEST_BODY "\<\?php" + +#Generic XML RPC attack sig +SecRule REQUEST_BODY "\'(______BEGIN______|_____FIM_____)\'\;" + +#HTTP header PHP code injection attacks +SecRule HTTP_CLIENT_IP|HTTP_USER_AGENT|HTTP_Referer "(<\?php|<[[:space:]]?\?[[:space:]]?php|<\? php)" +#wormsign +SecRule REQUEST_HEADERS "XXXXXXXXXXXXXXX\: \+\+\+\+\+\+\+\+\+\+\+\+\+" +SecRule REQUEST_BODY "THMC\.\$dbhost\.THMC\.\$dbname\.THMC\.\$dbuser\.THMC\.\$dbpasswd\.THMC" + +#phpbb wormsign +SecRule REQUEST_URI|REQUEST_BODY "echo _GHC/RST_" + +#Generic PHP avatar upload exploits +SecRule REQUEST_URI "\.php" chain +SecRule REQUEST_BODY "Content-Disposition\: form-data\; name=\"avatar\"\;" chain +SecRule REQUEST_BODY "\<\?php" chain +SecRule REQUEST_BODY "\?>" + +#Fake image file shell attacvk +SecRule REQUEST_HEADERS:Content-Type "image/.*" +SecRule REQUEST_BODY "chr\(" + +#bogus graphics file +SecRule REQUEST_HEADERS:Content-Disposition "\.php" chain +SecRule REQUEST_HEADERS:Content-Type "(image/gif|image/jpg|image/png|image/bmp)" + +#wormsign +SecRule REQUEST_URI "Hacked.*by.*member.*of.*SCC" + +#Special account protection +SecRule REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/" + +#Generic PHP fopen sig +SecRule REQUEST_URI|REQUEST_BODY "fp=fopen\(" |