1 # ---------------------------------------------------------------
2 # Core ModSecurity Rule Set ver.2.0.3
3 # Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
# The ModSecurity Core Rule Set is distributed under GPL version 2
6 # Please see the enclosed LICENCE file for full details.
7 # ---------------------------------------------------------------
# In most cases, you can expect requests to your website to stay within a
# certain size. For example, a request with 400 arguments can be suspicious.
# This file places limits on the request.
# TODO Look at the rules in this file, and define the sizes you'd like to enforce.
# Note that most of the rules are commented out by default.
# Uncomment the rules you need.
## -- Argument limits --
21 # Limit argument name length
# Rule 960209: t:length replaces each ARGS_NAMES value with its length before
# @gt runs, so the rule fires when an argument name is longer than 100 and
# %{matched_var} holds that length, not the name. The tx.* setvars add +5 to
# the anomaly score, +1 to the policy score and record the match under a
# per-rule POLICY/SIZE_LIMIT key; nolog,auditlog keeps the hit out of the
# error log but in the audit log. Disabled by default -- choose a limit that
# fits your application before uncommenting.
#SecRule ARGS_NAMES "@gt 100" "phase:2,t:none,t:length,block,nolog,auditlog,status:403,msg:'Argument name too long',id:'960209',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
# Limit argument value length
# Rule 960208: same mechanism as 960209 but applied to argument values --
# t:length turns each ARGS value into its length, and the rule fires when a
# single value exceeds 400 characters. Scores and the per-rule tx variable
# are set exactly as in the other SIZE_LIMIT rules; nolog,auditlog means the
# match is visible only in the audit log. Disabled by default; applications
# that legitimately post long fields (free-text forms, serialized state) will
# need a larger threshold.
#SecRule ARGS "@gt 400" "phase:2,t:none,t:length,block,nolog,auditlog,status:403,msg:'Argument value too long',id:'960208',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
# Limit the number of arguments in a request
# Rule 960335 (enabled): &ARGS is the count of arguments in the request, so
# this fires when more than 255 are present regardless of their size. It is
# the only rule shown uncommented here, so it applies out of the box. The
# +5 anomaly / +1 policy increments and the per-rule tx variable match the
# other SIZE_LIMIT rules; nolog,auditlog records the hit in the audit log
# only, so check there (not the error log) when a request is unexpectedly
# blocked with a 403.
SecRule &ARGS "@gt 255" "phase:2,t:none,block,nolog,auditlog,status:403,msg:'Too many arguments in request',id:'960335',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
# Limit the total length of all arguments
# Rule 960341: ARGS_COMBINED_SIZE is the summed size of all argument names
# and values, so this caps the whole argument payload at 64000 bytes. The
# threshold mirrors the LimitRequestBody value suggested in the Apache
# section below; keep the two in step if you change either. Disabled by
# default.
#SecRule ARGS_COMBINED_SIZE "@gt 64000" "phase:2,t:none,block,nolog,auditlog,status:403,msg:'Total arguments size exceeded',id:'960341',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
34 ## -- File upload limits --
# Limit the size of each uploaded file
# Rule 960342: FILES_SIZES holds the size of each uploaded file, so this
# fires when any single upload exceeds 1048576 bytes (1 MiB). Scoring and
# logging actions are identical to the argument rules above. Disabled by
# default -- only meaningful if the request body is actually inspected
# (multipart parsing enabled) and if a 1 MiB cap fits your upload use case.
#SecRule FILES_SIZES "@gt 1048576" "phase:2,t:none,block,nolog,auditlog,status:403,msg:'Uploaded file size too large',id:'960342',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
# Limit the combined size of all uploaded files
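# Rule 960343: FILES_COMBINED_SIZE is the total size of all files in the
# request, so this fires when the uploads together exceed 1048576 bytes
# (1 MiB). It carries the same tx.msg / anomaly_score / policy_score setvars
# as the other SIZE_LIMIT rules so that, in anomaly-scoring mode, a match
# contributes to the score instead of only recording a tx variable.
# Disabled by default; with 960342 also at 1 MiB this rule only adds value
# when several smaller files are uploaded together.
#SecRule FILES_COMBINED_SIZE "@gt 1048576" "phase:2,t:none,block,nolog,auditlog,status:403,msg:'Total uploaded files size too large',id:'960343',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"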
44 ## -- Apache Limits --
# These are Apache limit directives, but we are including them here because
# they are often forgotten. If you already have these configured, leave this
# section entirely commented out. Otherwise, review the limits and uncomment
# the directives you need.
# Maximum size of the request body.
# NOTE: If your application allows file uploads, the value below will
# most likely be way too low.
# These are core Apache directives (not ModSecurity rules), so they are only
# honoured when this file is included in the Apache configuration; they are
# enforced by httpd itself before any SecRule runs. All values are bytes
# unless stated otherwise.
#
# Request body cap in bytes (64000 ~= 62.5 KiB). Matches the 64000 used by
# the ARGS_COMBINED_SIZE rule above; raise both together for upload-heavy
# applications.
#LimitRequestBody 64000
# Maximum number of request headers in a request.
# Clients sending many cookies or tracking headers can exceed a low value;
# a rejected request shows up as an Apache error, not a ModSecurity one.
#LimitRequestFields 32
# Maximum size of request header lines.
# Per-header-line limit in bytes; large Cookie headers are the usual reason
# to raise it.
#LimitRequestFieldSize 8000
# Maximum size of the request line.
# Covers method, URI (including the query string) and protocol version, so
# this also bounds GET-parameter length independently of the ARGS rules.
#LimitRequestLine 4000