1 # ---------------------------------------------------------------
2 # Core ModSecurity Rule Set ver.2.0.3
3 # Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
5 # The ModSecuirty Core Rule Set is distributed under GPL version 2
6 # Please see the enclosed LICENCE file for full details.
7 # ---------------------------------------------------------------
10 # HTTP policy enforcement
11 # The HTTP policy enforcement rule set sets limitations on the use of HTTP by clients.
13 # Few applications require the breadth and depth of the HTTP protocol. On the
14 # other hand many attacks abuse valid but rare HTTP use patterns. Restricting
15 # HTTP protocol usage is effective in therefore effective in blocking many
16 # application layer attacks.
18 # TODO Many automation programs use non standard HTTP requests. While you may
19 # want to allow some of those, try not to create exceptions only for the
20 # automated program based on properties such as their source IP address or
21 # the URL they access.
24 # allow request methods
26 # TODO Most applications only use GET, HEAD, and POST request
27 # methods. If that is not the case with your environment, you are advised
28 # to edit the line or uncomment it.
30 SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" "phase:2,t:none,block,nolog,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
33 # Restrict which content-types we accept.
35 # TODO Most applications support only two types for request bodies
36 # because that is all browsers know how to produce. If you are using
37 # automated tools to talk to the application you may be using other
38 # content types and would want to change the list of supported types.
40 # Note though that ModSecurity parses only three content types:
41 # application/x-www-form-urlencoded, multipart/form-data request and
42 # text/xml. The protection provided for any other type is inferior.
44 # TODO There are many applications that are not using multipart/form-data
45 # types (typically only used for file uploads). This content type
46 # can be disabled if not used.
48 # NOTE We allow any content type to be specified with GET or HEAD
49 # because some tools incorrectly supply content type information
50 # even when the body is not present. There is a rule further in
51 # the file to prevent GET and HEAD requests to have bodies to we're
52 # safe in that respect.
54 # NOTE Use of WebDAV requires "text/xml" content type.
56 # NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports
57 # applications running on the PocketPC and AvantGo platforms use
58 # non-standard content types:
60 # M-Business iAnywhere application/x-mal-client-data
61 # UltraLite iAnywhere application/octet-stream
63 SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:2,chain,t:none,block,nolog,auditlog,status:501,msg:'Request content type is not allowed by policy',id:'960010',tag:'POLICY/ENCODING_NOT_ALLOWED',severity:'4'"
64 SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)" "t:none,setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
66 # Restrict protocol versions.
68 # TODO All modern browsers use HTTP version 1.1. For tight security, allow only
71 # NOTE Automation programs, both malicious and non malicious many times use
72 # other HTTP versions. If you want to allow a specific automated program
73 # to use your site, try to create a narrower expection and not allow any
74 # client to send HTTP requests in a version lower than 1.1
76 SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.[01])$" "phase:2,t:none,block,nolog,auditlog,status:505,msg:'HTTP protocol version is not allowed by policy', severity:'2',id:'960034',tag:'POLICY/PROTOCOL_NOT_ALLOWED',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
78 # Restrict file extension
80 # TODO the list of file extensions below are virtually always considered unsafe
81 # and not in use in any valid program. If your application uses one of
82 # these extensions, please remove it from the list of blocked extensions.
83 # You may need to use ModSecurity Core Rule Set Templates to do so, otherwise
84 # comment the whole rule.
86 SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$" "phase:2,t:none,t:urlDecodeUni,t:lowercase,block,nolog,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',id:'960035',tag:'POLICY/EXT_RESTRICTED',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var}"
90 # Restricted HTTP headers
92 # TODO the list of HTTP headers below are considered unsafe for your environment.
93 # If your application uses one of these directories, please remove it from
94 # the list of blocked extensions. You may need to use ModSecurity Core Rule
95 # Set Templates to do so, otherwise comment the whole rule.
97 SecRule REQUEST_HEADERS_NAMES "(?:(?:Proxy-Connectio|Lock-Toke)n|(?:Content-Rang|Translat)e|via|if)$" "phase:2,t:none,block,nolog,auditlog,status:500,msg:'HTTP header is restricted by policy',id:'960038',tag:'POLICY/HEADER_RESTRICTED',tag:'POLICY/FILES_NOT_ALLOWED',severity:'4',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
100 # Restricted Content Encodings
102 # ModSecurity does not support compressed content. Therefore, the following
103 # action will be taken:
104 # - Inbound compressed content will be denied
105 # - Outbound compressed content will be logged once, to alert the user
106 # Deny inbound compressed content
107 SecRule REQUEST_HEADERS:Content-Encoding "!^Identity$" "phase:2,t:none,block,nolog,auditlog,status:501,msg:'ModSecurity does not support content encodings',id:'960902',severity:'4',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/ENCODING_RESTRICTED-%{matched_var_name}=%{matched_var}"
108 # Log outbound compressed content (log once)
109 SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" "phase:4,t:none,pass,nolog,auditlog,msg:'ModSecurity does not support content encodings',id:'960903',severity:'4',chain,initcol:global=global"
110 SecRule &GLOBAL:alerted_960903_compression "@eq 0" "setvar:global.alerted_960903_compression,setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/ENCODING_RESTRICTED-%{matched_var_name}=%{matched_var}"