1 # ---------------------------------------------------------------
2 # Core ModSecurity Rule Set ver.2.0.3
3 # Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
4 #
5 # The ModSecurity Core Rule Set is distributed under GPL version 2
6 # Please see the enclosed LICENCE file for full details.
7 # ---------------------------------------------------------------
8
9
10 #
11 # Comment spam is an attack against blogs, guestbooks, wikis and other types of
12 #   interactive web sites that accept and display hyperlinks submitted by
13 #   visitors. The spammers automatically post specially crafted random comments
14 #   which include links that point to the spammer's web site. The links
15 #   artificially increase the site's search engine ranking and may make the site
16 #   more noticeable in search results.
17 #
18
#
# RBL check for known spam sources (phase 1).
#
# Flow:
#   1. If this client has not been flagged yet (&IP:SPAMMER counts 0 variables),
#      look REMOTE_ADDR up in the sbl-xbl.spamhaus.org DNSBL. When the whole
#      chain matches, the request is blocked, ip.spammer=1 is recorded for
#      86400 seconds (24h) and skipAfter jumps to END_RBL_CHECK so the second
#      rule is not evaluated again for this request.
#   2. If the client was flagged by an earlier request (IP:SPAMMER is 1), block
#      without repeating the DNS lookup.
#
# NOTE(review): assumes the IP collection has been initialised earlier in the
#   configuration (initcol:ip=...); without it IP:SPAMMER is never populated and
#   the 24h positive-hit cache has no effect -- confirm.
# NOTE(review): only listed addresses are cached. An unlisted client costs one
#   DNS query per request, so this check adds resolver latency to every request
#   and depends on the resolver being reachable (an unanswered query presumably
#   counts as "not listed" -- confirm). Also confirm the sbl-xbl zone is still
#   served and that the resolver in use is allowed to query it.
# NOTE(review): REMOTE_ADDR is the TCP peer address. Behind a reverse proxy the
#   lookup would check the proxy rather than the client -- confirm the
#   deployment presents the real client address.
# NOTE(review): neither rule below carries an id: action, so the
#   setvar:'tx.%{rule.id}=...' variable has an empty rule-id component here;
#   the other rules in this file do carry ids.
# NOTE(review): nolog switches off both the error log and the audit log; the
#   auditlog action placed after it re-enables the audit log only. Keep that
#   relative order.
#
SecRule &IP:SPAMMER "@eq 0" "chain,phase:1,t:none,block,nolog,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',skipAfter:END_RBL_CHECK"
        SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" \
        "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}',setvar:ip.spammer=1,expirevar:ip.spammer=86400"

# Client already flagged by a previous RBL hit: block from the cached flag,
# no DNS lookup involved.
SecRule IP:SPAMMER "@eq 1" "phase:1,t:none,block,nolog,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"

# Target of the skipAfter in the chain above.
SecMarker END_RBL_CHECK
26
#
# Refuse requests whose User-Agent matches a list of clients associated with
# comment-spam posting and e-mail address harvesting. The header value is
# lowercased before matching (t:none,t:lowercase), so every alternative is
# spelled in lowercase, and the expression is anchored to the start of the
# value. A match is answered with status 404 (when block resolves to a deny),
# which does not reveal to the client that it was filtered.
#
# NOTE(review): several alternatives are generic client or library names --
#   "wordpress", "java/1." / "java 1.", "jakarta commons", "libwww-perl", "lwp",
#   "pycurl", "trackback/" -- so legitimate automation (for example a WordPress
#   installation sending pingbacks or trackbacks, or a monitoring script) is
#   refused as well. This file lives in optional_rules; review the list against
#   the site's expected clients before enabling it.
# NOTE(review): the final "<sc" alternative looks aimed at markup injected into
#   the header value rather than at a crawler name -- confirm the intent.
# NOTE(review): nolog disables both the error log and the audit log; the
#   auditlog action that follows re-enables the audit log only, so the relative
#   order of those two actions matters.
#
SecRule REQUEST_HEADERS:User-Agent "^(?:m(?:o(?:zilla\/4\.0\+?\(|vable type)|i(?:crosoft url|ssigua)|j12bot\/v1\.0\.8|sie)|e(?:mail(?:collector| ?siphon)|collector)|(?:blogsearchbot-marti|super happy fu)n|i(?:nternet explorer|sc systems irc)|ja(?:karta commons|va(?:\/| )1\.)|c(?:ore-project\/|herrypicker)|p(?:sycheclone|ussycat|ycurl)|(?:grub crawl|omniexplor)er|a(?:utoemailspider|dwords)|w(?:innie poh|ordpress)|nut(?:scrape/|chcvs)|8484 boston project|user(?:[- ]agent:)?|l(?:ibwww-perl|wp)|di(?:amond|gger)|trackback\/|httpproxy|<sc)" \
        "phase:2,t:none,t:lowercase,block,nolog,auditlog,status:404,msg:'Common SPAM/Email Harvester crawler',id:'958297',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,setvar:tx.anomaly_score=+10,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"
29
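#
# Comment-spam content checks (phase 2).
#
# Layout: the prequalifier is cheap and decides whether the detection rules
# need to run at all. When no link scheme is found in any argument name or
# value, the SecAction after it jumps to END_COMMENT_SPAM and nothing else in
# this section is evaluated. When one is found, skip:1 steps over that
# SecAction and the two detection rules run. Every rule applies the same
# transformation chain (urlDecodeUni, htmlEntityDecode, compressWhiteSpace,
# lowercase) so URL-encoded or entity-escaped link markup is normalised before
# matching.
#
# NOTE(review): skip:1 counts rules, not lines -- keep exactly one rule (the
#   SecAction) between the prequalifier and the first detection rule.
#
# Prequalifier. Look for an http: or https: scheme first. The check previously
# looked for "http:" only, so links posted with an https: scheme bypassed this
# whole section; "https?:" covers both.
SecRule ARGS|ARGS_NAMES "\bhttps?:" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,skip:1,pass,nolog,id:'999010',severity:'6'"

# No link scheme in the request: leave the section.
SecAction phase:2,pass,nolog,skipAfter:END_COMMENT_SPAM

        # Link posted as BBCode ([url...) AND as an HTML anchor (<a) in the same
        # request. The chain requires both patterns to be present, so a comment
        # that uses only one of the two forms does not trigger this rule.
        SecRule ARGS|ARGS_NAMES "\[url\b" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,chain,ctl:auditLogParts=+E,block,nolog,auditlog,status:400,msg:'Comment Spam',id:'950923',severity:'2'"
                SecRule ARGS|ARGS_NAMES "\<a" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,setvar:tx.anomaly_score=+10,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"

        # Four or more links (http: or https:) inside a single argument name or
        # value. Prone to false positives, e.g. a long legitimate comment citing
        # several references; the low-ish anomaly_score increment (+10) reflects
        # that.
        SecRule ARGS|ARGS_NAMES "(https?:\/.*?){4}" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,status:400,msg:'Comment Spam',id:'950020',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,setvar:tx.anomaly_score=+10,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"

# Target of the skipAfter in the SecAction above.
SecMarker END_COMMENT_SPAM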