1 # ---------------------------------------------------------------
2 # Core ModSecurity Rule Set ver.1.6.1
3 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
4 #
# The ModSecurity Core Rule Set is distributed under GPL version 2
6 # Please see the enclosed LICENCE file for full details.
7 # ---------------------------------------------------------------
8
9
10 #
# TODO In some cases a valid client (usually automated) generates requests that
#      violate the HTTP protocol. Create exceptions for those clients, but try
#      to limit each exception to a source IP or to other properties of
#      the request, such as the URL, rather than allowing the violation generally.
15 #  
16 #
17
# Validate request line
#
# Only request lines of these shapes are accepted (the line is lower-cased by
# t:lowercase first, so method names are matched case-insensitively):
#   - <method> <request-uri> <version>: method of 3-10 letters; request-uri is an
#     optional scheme://host[:port] prefix (host limited to word chars, '-', '.'
#     and '/') followed by an absolute path with optional ?query and #fragment;
#     version is a token of word chars, dots and slashes (e.g. http/1.1);
#   - connect <dotted-quad IPv4>[:port] <version> (a hostname is NOT accepted);
#   - options * <version>;
#   - a bare "get /path[?query][#fragment]" with no version token.
# Anything else, including a version-less line for a method other than GET,
# is denied in phase 2 with a 400.
SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
    "t:none,t:lowercase,phase:2,deny,log,auditlog,status:400,msg:'Invalid HTTP Request Line',id:'960911',severity:'2'"


# HTTP Request Smuggling
#
# A comma in Content-Length or Transfer-Encoding means the header carries a
# list of values (two lengths or two encodings), which is the classic shape
# of a smuggling attempt; the raw header value (t:none) is checked and the
# request is denied with a 400. Whether duplicate headers are folded into one
# comma-separated value before this check depends on the server -- verify.
SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "@rx ," \
    "phase:2,t:none,deny,log,auditlog,status:400,id:'950012',severity:'1',tag:'WEB_ATTACK/REQUEST_SMUGGLING',msg:'HTTP Request Smuggling Attack.'"

# Block request with malformed content.
# ModSecurity will not inspect these, but the server application might do so
#
# REQBODY_PROCESSOR_ERROR is non-zero when the request body processor failed;
# the processor's own error text is interpolated into the log message so the
# audit log shows why parsing failed.
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
    "phase:2,t:none,deny,log,auditlog,status:400,id:'960912',severity:'2',msg:'Request Body Parsing Failed. %{REQBODY_PROCESSOR_ERROR_MSG}'"


# Accept only digits in content length
#
# Any Content-Length value that is not a plain run of decimal digits (sign,
# whitespace, hex prefix, empty value, ...) is rejected with a 400.
# Comma-separated values are additionally caught by rule 950012 above.
SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
    "phase:2,t:none,deny,log,auditlog,status:400,id:'960016',severity:'2',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',msg:'Content-Length HTTP header is not numeric'"

# Do not accept GET or HEAD requests with bodies
# HTTP standard allows GET requests to have a body but this
# feature is not used in real life. Attackers could try to force
# a request body on an unsuspecting web applications.
#
# Chain: the first rule selects GET and HEAD; the second denies unless every
# Content-Length header present is empty or exactly "0" (no header at all
# means the second rule has nothing to match, so the request passes).
# A body announced only via Transfer-Encoding is not a bypass here, because
# rule 960013 below rejects every non-empty Transfer-Encoding header.
SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
    "chain,phase:2,t:none,deny,log,auditlog,status:400,id:'960011',severity:'2',tag:'PROTOCOL_VIOLATION/EVASION',msg:'GET or HEAD requests with bodies'"
SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" "t:none"

# Require Content-Length to be provided with every POST request.
#
# Chain: the first rule selects POST; the second counts Content-Length
# headers (the & prefix) and denies when there are none. Only presence is
# checked here -- rule 960016 above validates that the value is numeric.
SecRule REQUEST_METHOD "@rx ^POST$" \
    "chain,phase:2,t:none,deny,log,auditlog,status:400,id:'960012',severity:'4',tag:'PROTOCOL_VIOLATION/EVASION',msg:'POST request must have a Content-Length header'"
SecRule &REQUEST_HEADERS:Content-Length "@eq 0" "t:none"

# Don't accept transfer encodings we know we don't know how to handle
#
# NOTE ModSecurity does not support chunked transfer encodings at
#      this time. You MUST reject all such requests.
#
# The negated empty-string match fires on ANY non-empty Transfer-Encoding
# value (including "identity"), so every transfer-encoded request is
# answered with 501 Not Implemented rather than 400.
SecRule REQUEST_HEADERS:Transfer-Encoding "!@rx ^$" \
    "phase:2,t:none,deny,log,auditlog,status:501,id:'960013',severity:'3',tag:'PROTOCOL_VIOLATION/EVASION',msg:'ModSecurity does not support transfer encodings'"

# Check encodings
#
# Chain: the first rule flags a '%' that is followed by none of: end of the
# value, a non-word character, two hex digits, or 'u' plus four hex digits
# (so "%zz", "%4g" and "%u12" match, while "%%", "% " and "%uXXXX" do not).
# The request is denied only if @validateUrlEncoding ALSO reports invalid
# encoding on the same variables. The first rule inspects the raw value
# (t:none); the second declares no transformations of its own.
SecRule REQUEST_BODY|REQUEST_URI|XML:/* "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
        "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"
SecRule REQUEST_BODY|REQUEST_URI|XML:/* "@validateUrlEncoding"

# Check UTF encoding
# Uncomment this rule if your system uses UTF encoding.
#
# Disabled by default. When enabled it runs @validateUtf8Encoding in phase 2
# over the request filename, the arguments and their names, all request
# headers except Referer, and XML content, and denies with a 400 on an
# invalid UTF-8 sequence.
#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "phase:2,t:none,deny,log,auditlog,status:400,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"

# Disallow use of full-width unicode
#
# Looks for the non-standard %uXXXX escape form with a code point starting
# in FF (the full-width / half-width forms block) in the raw value (t:none)
# of the request filename, the arguments and their names, all headers
# except Referer, and XML content. Only the literal "%u" spelling is caught;
# a normally percent-encoded UTF-8 sequence does not match this pattern.
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \
  "@rx \%u[fF]{2}[0-9a-fA-F]{2}" \
  "phase:2,t:none,deny,log,auditlog,status:400,id:'950116',severity:'4',msg:'Unicode Full/Half Width Abuse Attack Attempt'"

# Proxy access attempt
# NOTE Apache blocks such access by default if not set as a proxy. The rule is
#      included in case Apache proxy is misconfigured.
#
# Matches an absolute-form request URI (a scheme followed by ":/"), i.e. a
# request asking this server to fetch some other URL. The raw, undecoded
# URI is checked so that encoding cannot hide the scheme prefix.
SecRule REQUEST_URI_RAW "@rx ^\w+:/" \
    "phase:2,t:none,deny,log,auditlog,status:400,id:'960014',severity:'2',tag:'PROTOCOL_VIOLATION/PROXY_ACCESS',msg:'Proxy access attempt'"

#
# Restrict type of characters sent
#
# NOTE In order to be broad and support localized applications the
#      parameter rule (960901) only validates that NULL is not used:
#      ARGS, ARGS_NAMES and the Referer header may hold any byte 1-255.
#
#      Protocol-generated fields -- the request filename, header names and
#      every header value other than Referer -- are held to printable ASCII
#      32-126 by the first rule (960018). Both rules URL-decode first
#      (t:urlDecodeUni), so percent-encoded bytes are validated as well.
#      Note that 32-126 also excludes the horizontal tab (byte 9), which the
#      HTTP grammar permits inside a header value; watch for false positives
#      from clients that send it.
#
# TODO If your application only uses the range 32-126 for parameters,
#      tighten the 960901 range below to match.
#
SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
        "@validateByteRange 32-126" \
        "t:none,t:urlDecodeUni,phase:2,deny,log,auditlog,status:400,id:'960018',severity:'4',tag:'PROTOCOL_VIOLATION/EVASION',msg:'Invalid character in request'"

SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Referer \
        "@validateByteRange 1-255" \
        "t:none,t:urlDecodeUni,phase:2,deny,log,auditlog,status:400,id:'960901',severity:'4',tag:'PROTOCOL_VIOLATION/EVASION',msg:'Invalid character in request'"