1 # ---------------------------------------------------------------
2 # Core ModSecurity Rule Set ver.2.0.3
3 # Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
4 #
# The ModSecurity Core Rule Set is distributed under GPL version 2
6 # Please see the enclosed LICENCE file for full details.
7 # ---------------------------------------------------------------
8
9
10 #
# TODO: some legitimate clients (usually automated) send requests that
#       violate the HTTP protocol. Create exceptions for those clients, but
#       scope each exception as narrowly as possible -- to a source IP, or to
#       another property of the request such as the URL -- rather than
#       allowing the violation in general.
15 #
16
# Flag requests that lack the headers every common browser sends (Host,
# Accept, User-Agent). Their absence implies either an attacker's tooling or
# a legitimate automated client. Note that the rules in this section only
# add to the anomaly score; none of them blocks on its own.
19 #
20
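# Detect HTTP/0.9 requests (id 960019).
#
# An HTTP/0.9 request line carries no headers at all, so none of the header
# checks below can apply to it; a client still speaking 0.9 is unusual enough
# to be worth recording in the audit log. The rule only adds to the anomaly
# score (+5) and the protocol-violation score (+1); it does not block.
# nolog,auditlog keeps the match out of the error log but records it in the
# audit log (the order matters: nolog alone also suppresses the audit log).
# The tag mirrors the PROTOCOL_VIOLATION/INVALID_REQ label that the per-rule
# tx variable already uses, so this rule is tagged like its siblings.
SecRule REQUEST_PROTOCOL ^HTTP/0.9$ "t:none,phase:2,nolog,auditlog,msg:'HTTP/0.9 Request Detected',id:'960019',tag:'PROTOCOL_VIOLATION/INVALID_REQ',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}"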
23
# Host header check (id 960008).
#
# The first rule fires when no Host header is present at all; its skipAfter
# jumps past END_HOST_CHECK so that the second rule (Host header present but
# empty) cannot score the same request a second time. Each rule adds +5 to
# the anomaly score and +1 to the protocol-violation score and records the
# match under tx.960008-PROTOCOL_VIOLATION/MISSING_HEADER-...; neither blocks.
# nolog,auditlog keeps the match out of the error log but in the audit log
# (order matters: nolog alone would suppress the audit log as well).
#
# NOTE(review): both rules deliberately share id 960008. ModSecurity releases
# that enforce unique rule ids (2.7 and later, as far as I recall -- confirm
# for the version in use) refuse to load a file with a duplicated id; renumber
# one of them if that bites.
# NOTE(review): Apache itself is expected to answer an HTTP/1.1 request that
# has no Host header with a 400 before phase 2 runs -- verify; if so, only
# HTTP/1.0 requests ever reach the first rule.
SecMarker BEGIN_HOST_CHECK

        SecRule &REQUEST_HEADERS:Host "@eq 0" \
                "skipAfter:END_HOST_CHECK,phase:2,t:none,nolog,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
        SecRule REQUEST_HEADERS:Host "^$" \
                "phase:2,t:none,nolog,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

SecMarker END_HOST_CHECK
32     
33
# Accept header check (ids 960015 and 960021).
#
# Two chained rules: 960015 fires when the Accept header is absent, 960021
# when it is present but empty. In both chains the second rule exempts OPTIONS
# requests, so a missing Accept header is only scored for other methods. The
# scoring actions (+5 anomaly, +1 protocol violation) live on the chained
# rule and therefore only run when the whole chain matched; the same holds for
# the skipAfter in the first chain, which jumps past END_ACCEPT_CHECK so that
# 960021 cannot score a request 960015 already scored. When the method is
# OPTIONS the first chain fails and nothing is skipped, but 960021 still
# cannot match because there is no Accept variable to test.
#
# NOTE(review): because the setvar runs in the chained rule, the recorded
# %{matched_var_name} is the variable that matched there (REQUEST_METHOD),
# not the Accept header -- MATCHED_VAR reflects the most recent match; verify
# in the audit log before relying on the tx variable name downstream.
# NOTE(review): a missing Accept header is severity '2' here while a missing
# Host or User-Agent header is severity '5'; review whether that difference
# is intended.
# nolog,auditlog: out of the error log, into the audit log (order matters).
SecMarker BEGIN_ACCEPT_CHECK

        SecRule &REQUEST_HEADERS:Accept "@eq 0" \
                "chain,phase:2,t:none,nolog,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',tag:'PROTOCOL_VIOLATION/MISSING_HEADER'"
                SecRule REQUEST_METHOD "!^OPTIONS$" "skipAfter:END_ACCEPT_CHECK,t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
        SecRule REQUEST_HEADERS:Accept "^$" \
                "chain,phase:2,t:none,nolog,auditlog,msg:'Request Has an Empty Accept Header', severity:'2',id:'960021',tag:'PROTOCOL_VIOLATION/MISSING_HEADER'"
                SecRule REQUEST_METHOD "!^OPTIONS$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

SecMarker END_ACCEPT_CHECK
44
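# User-Agent header check (id 960009).
#
# Same shape as the Host check: the first rule fires when no User-Agent header
# is present and its skipAfter jumps past END_UA_CHECK so the second rule
# (header present but empty) cannot score the same request twice. Each rule
# adds +5 to the anomaly score and +1 to the protocol-violation score; neither
# blocks. A User-Agent header is trivially forged, so treat this as a weak
# signal rather than a verdict.
# The second rule now states phase:2 explicitly, like its counterpart in the
# Host check; previously it inherited its phase from SecDefaultAction, which
# is defined outside this file.
# nolog,auditlog: out of the error log, into the audit log (order matters).
#
# NOTE(review): both rules deliberately share id 960009. ModSecurity releases
# that enforce unique rule ids (2.7 and later, as far as I recall -- confirm
# for the version in use) refuse to load a file with a duplicated id; renumber
# one of them if that bites.
SecMarker BEGIN_UA_CHECK

        SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
                "skipAfter:END_UA_CHECK,phase:2,t:none,nolog,auditlog,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
        SecRule REQUEST_HEADERS:User-Agent "^$" \
                "phase:2,t:none,nolog,auditlog,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

SecMarker END_UA_CHECK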
53
54
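# Request body without a Content-Type header (id 960904).
#
# Flag a request that announces a body but does not say what kind of body it
# is. ModSecurity picks its request body processor from Content-Type, so a
# body without one is normally not parsed into ARGS and escapes the
# argument-level rules -- verify for the body processors configured here.
# The chained rule establishes that a body is present: either a Content-Length
# that is not 0, or a Transfer-Encoding header. The Transfer-Encoding variable
# was added because a chunked body carries no Content-Length, and a rule on
# an absent header has nothing to evaluate and never matches, so testing
# Content-Length alone let chunked bodies through unscored.
# The tag mirrors the MISSING_HEADER label the per-rule tx variable already
# uses. Scoring only (+5 anomaly, +1 protocol violation); the rule does not
# block. nolog,auditlog: out of the error log, into the audit log.
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
    "chain,phase:2,t:none,nolog,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:'960904',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'5'"
        SecRule REQUEST_HEADERS:Content-Length|REQUEST_HEADERS:Transfer-Encoding "!^0$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.protocol_violation_score=+1,setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"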
58
59
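# Check that the Host header is not a numeric IP address (id 960017).
#
# A request addressed to the bare IP rather than a site name is typical of
# scanners sweeping address ranges rather than of a browser following a link.
# The pattern still accepts everything the previous `^[\d.:]+$` accepted
# (dotted IPv4 with an optional :port, and any digit/dot/colon-only string)
# and additionally the bracketed form an IPv6 literal takes in a Host header,
# e.g. [2001:db8::1]:443 -- the old character class could never match those
# because of the brackets and the hex digits, so in practice it only caught
# IPv4. A stray trailing quote inside the action list has been removed.
#
# This is the only rule in the file that carries a disruptive action: `block`
# defers to the disruptive action of the governing SecDefaultAction (defined
# outside this file), and status:400 only takes effect when that action is
# deny. The rule also adds +5 anomaly and +1 policy score.
# NOTE(review): the tag says PROTOCOL_VIOLATION/IP_HOST while the tx variable
# and score use the POLICY/IP_HOST label and tx.policy_score; left as-is
# because downstream rules may key on the variable name -- review.
SecRule REQUEST_HEADERS:Host "^(?:[\d.:]+|\[[\dA-Fa-f.:]+\](?::\d+)?)$" "phase:2,t:none,block,nolog,auditlog,status:400,msg:'Host header is a numeric IP address',severity:'2',id:'960017',tag:'PROTOCOL_VIOLATION/IP_HOST',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}"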
63
64
# Log a security event when the request is rejected by Apache (id 960913).
#
# Runs in phase 5 (logging), so it can only record, never block; `pass` makes
# that explicit. The chain fires for a 400 response whose error-log lines do
# not mention ModSecurity, i.e. 400s the web server produced on its own rather
# than ones caused by a ModSecurity deny. The match adds +5 anomaly and +1
# leakage score and is recorded under tx.960913-LEAKAGE/ERRORS-....
#
# NOTE(review): WEBSERVER_ERROR_LOG is a collection of the error-log lines for
# this request; when Apache logged nothing there is no variable to test, the
# chained rule cannot match, and the 400 goes unrecorded. Only 400s that left
# an error-log entry are captured.
# NOTE(review): the event is filed under LEAKAGE/ERRORS although the message
# is 'Invalid request'; review whether that is the intended category.
#
# You must patch mod_unique_id for this to work correctly.  See the following
# mod-security-users mail-list post for the patch details -
# http://article.gmane.org/gmane.comp.apache.mod-security.user/5808
#
SecRule RESPONSE_STATUS ^400$ "t:none,phase:5,chain,nolog,auditlog,pass,msg:'Invalid request',id:'960913',severity:'4'"
        SecRule WEBSERVER_ERROR_LOG !ModSecurity "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.leakage_score=+1,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
73