1 # ---------------------------------------------------------------
2 # Core ModSecurity Rule Set ver.2.0.3
3 # Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
5 # The ModSecuirty Core Rule Set is distributed under GPL version 2
6 # Please see the enclosed LICENCE file for full details.
7 # ---------------------------------------------------------------
11 # You should set the score to the proper threshold you would prefer. If kept at "@gt 0"
12 # it will work similarly to previous Mod CRS rules and will create an event in the error_log
13 # file if there are any rules that match. If you would like to lessen the number of events
14 # generated in the error_log file, you should increase the anomaly score threshold to
15 # something like "@gt 20". This would only generate an event in the error_log file if
16 # there are multiple lower severity rule matches or if any 1 higher severity item matches.
18 # You should also set the desired disruptive action (deny, redirect, etc...).
21 # Correlated Successful Attack
23 SecRule &TX:'/LEAKAGE\\\/ERRORS/' "@ge 1" \
24 "chain,phase:5,t:none,log,pass,severity:'0',msg:'Correlated Successful Attack Identified: Inbound Attack (%{tx.inbound_tx_msg}) + Outbound Data Leakage (%{tx.msg}) - (Transactional Anomaly Score: %{TX.ANOMALY_SCORE})'"
25 SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none,skipAfter:END_CORRELATION"
27 # Correlated Attack Attempt
29 SecRule &TX:'/AVAILABILITY\\\/APP_NOT_AVAIL/' "@ge 1" \
30 "chain,phase:5,t:none,log,pass,severity:'1',msg:'Correlated Attack Attempt Identified: Inbound Attack (%{tx.inbound_tx_msg}) + Outbound Application Error (%{tx.msg}) - (Transactional Anomaly Score %{TX.ANOMALY_SCORE})'"
31 SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none,skipAfter:END_CORRELATION"
33 # Alert on High Anomaly Scores
35 #SecRule TX:ANOMALY_SCORE "@ge 40" \
36 # "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"
38 # Alert on any anomalies
40 SecRule TX:ANOMALY_SCORE "@ge 5" \
41 "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"
43 SecMarker END_CORRELATION