1 # ---------------------------------------------------------------
2 # Core ModSecurity Rule Set ver.2.0.3
3 # Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
5 # The ModSecuirty Core Rule Set is distributed under GPL version 2
6 # Please see the enclosed LICENCE file for full details.
7 # ---------------------------------------------------------------
11 # Uncomment the anomaly sections you wish to use.
12 # You should set the score to the proper threshold you would prefer. If kept at "@gt 0"
13 # it will work similarly to previous Mod CRS rules and will create an event in the error_log
14 # file if there are any rules that match. If you would like to lessen the number of events
15 # generated in the error_log file, you should increase the anomaly score threshold to
16 # something like "@gt 20". This would only generate an event in the error_log file if
17 # there are multiple lower severity rule matches or if any 1 higher severity item matches.
19 # You should also set the desired disruptive action (deny, redirect, etc...).
22 # Alert and Deny on High Anomaly Scores
24 SecRule TX:ANOMALY_SCORE "@ge 20" \
25 "phase:2,t:none,nolog,auditlog,deny,msg:'Anomaly Score Exceeded (score %{TX.ANOMALY_SCORE}): %{tx.msg}',setvar:tx.inbound_tx_msg=%{tx.msg}"
27 # Alert on any anomalies
29 #SecRule TX:ANOMALY_SCORE "@ge 0" \
30 # "phase:2,t:none,nolog,auditlog,pass,msg:'Anomaly Score Exceeded (score %{TX.ANOMALY_SCORE}): %{tx.msg}',setvar:tx.inbound_tx_msg=%{tx.msg}"
32 # Alert on SQL Injection anomalies
34 #SecRule TX:SQLI_SCORE "@gt 0" \
35 # "phase:2,t:none,log,deny,msg:'SQL Injection Detected (score %{TX.SQLI_SCORE}): %{tx.msg}'"
37 # Alert on XSS anomalies
39 #SecRule TX:XSS_SCORE "!@eq 0" \
40 # "phase:2,t:none,log,deny,msg:'XSS Detected (score %{TX.XSS_SCORE}): %{tx.msg}'"
42 # Alert on Protocol Policy anomalies
44 #SecRule TX:PROTOCOL_VIOLATION_SCORE "!@eq 0" \
45 # "phase:2,t:none,log,deny,msg:'Protocol Violations Detected (score %{TX.PROTOCOL_VIOLATION_SCORE}): %{tx.msg}'"