1 # ---------------------------------------------------------------
2 # Core ModSecurity Rule Set ver.2.0.3
3 # Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
5 # The ModSecuirty Core Rule Set is distributed under GPL version 2
6 # Please see the enclosed LICENCE file for full details.
7 # ---------------------------------------------------------------
11 # PHP-IDS rules (www.php-ids.org)
12 # Converter.php Section
13 # https://svn.php-ids.org/svn/trunk/lib/IDS/Converter.php
17 # Make sure the value to normalize and monitor doesn't contain
18 # possibilities for a regex DoS.
19 # http://www.checkmarx.com/Upload/Documents/PDF/Checkmarx_OWASP_IL_2009_ReDoS.pdf
21 SecRule REQUEST_BODY|REQUEST_URI_RAW|ARGS|ARGS_NAMES|FILES|FILES_NAMES|XML:/* "(?:(.{2,})\1{32,})|(?:[+=|\-@\s]{128,})" "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Possible RegEx DoS Payload',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{matched_var}"
24 # Identify Comment Evasion Attempts
26 SecRule REQUEST_BODY|REQUEST_URI_RAW|ARGS|ARGS_NAMES|FILES|FILES_NAMES|XML:/* "(?:\<!-|-->|\/\*|\*\/|\/\/\W*\w+\s*$)" "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Comment Evasion Attempt',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{matched_var}"
28 SecRule REQUEST_BODY|REQUEST_URI_RAW|ARGS|ARGS_NAMES|FILES|FILES_NAMES|XML:/* "(?:--[^-]*-)" "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Comment Evasion Attempt',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{matched_var}"
30 SecRule REQUEST_BODY|REQUEST_URI_RAW|ARGS|ARGS_NAMES|FILES|FILES_NAMES|XML:/* "(?:(?:<!)(?:(?:--(?:[^-]*(?:-[^-]+)*)--\s*)*)(?:>))" "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Comment Evasion Attempt',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{matched_var}"
32 SecRule REQUEST_BODY|REQUEST_URI_RAW|ARGS|ARGS_NAMES|FILES|FILES_NAMES|XML:/* "(?:(?:\/\*\/*[^\/\*]*)+\*\/)" "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Comment Evasion Attempt',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{matched_var}"
34 SecRule REQUEST_BODY|REQUEST_URI_RAW|ARGS|ARGS_NAMES|FILES|FILES_NAMES|XML:/* "(?:--[^-]*-)" "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Comment Evasion Attempt',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{matched_var}"
36 SecRule REQUEST_BODY|REQUEST_URI_RAW|ARGS|ARGS_NAMES|FILES|FILES_NAMES|XML:/* "(<\w+)\/+(\w+=?)" "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Comment Evasion Attempt',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{matched_var}"
38 SecRule REQUEST_BODY|REQUEST_URI_RAW|ARGS|ARGS_NAMES|FILES|FILES_NAMES|XML:/* "[^\\\:]\/\/(.*)$" "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Comment Evasion Attempt',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{matched_var}"
41 # Checks for common charcode patterns
43 # check if value matches typical charCode pattern
44 SecRule REQUEST_BODY|REQUEST_URI_RAW|ARGS|ARGS_NAMES|FILES|FILES_NAMES|XML:/* "(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){4,}" "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Basic Charcode Pattern Found',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{matched_var}"
47 # check for octal charcode pattern
48 SecRule REQUEST_BODY|REQUEST_URI_RAW|ARGS|ARGS_NAMES|FILES|FILES_NAMES|XML:/* "(?:(?:[\\\]+\d+[ \t]*){8,})" "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Octal Charcode Pattern Found',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{matched_var}"
51 # check for hexadecimal charcode pattern
52 SecRule REQUEST_BODY|REQUEST_URI_RAW|ARGS|ARGS_NAMES|FILES|FILES_NAMES|XML:/* "(?:(?:[\\\]+\w+\s*){8,})" "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Hexadecimal Charcode Pattern Found',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{matched_var}"
projects / libapache-mod-security.git / blob