# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.0.3
# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------


# HTTP policy enforcement
# The HTTP policy enforcement rule set sets limitations on the use of HTTP by clients.

# Few applications require the breadth and depth of the HTTP protocol. On the 
# other hand many attacks abuse valid but rare HTTP use patterns. Restricting 
# HTTP protocol usage is effective in therefore effective in blocking many 
# application layer attacks. 
#
# TODO Many automation programs use non standard HTTP requests. While you may 
#      want to allow some of those, try not to create exceptions only for the
#      automated program based on properties such as their source IP address or
#      the URL they access.
#

# allow request methods
#
# TODO Most applications only use GET, HEAD, and POST request
#      methods. If that is not the case with your environment, you are advised 
#      to edit the line or uncomment it.
#
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" "phase:2,t:none,block,nolog,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" 


# Restrict which content-types we accept.
#
# TODO Most applications support only two types for request bodies
#      because that is all browsers know how to produce. If you are using
#      automated tools to talk to the application you may be using other
#      content types and would want to change the list of supported types.
# 
#      Note though that ModSecurity parses only three content types:
#      application/x-www-form-urlencoded, multipart/form-data request and 
#      text/xml. The protection provided for any other type is inferior.
#
# TODO There are many applications that are not using multipart/form-data
#      types (typically only used for file uploads). This content type
#      can be disabled if not used.  
#
# NOTE We allow any content type to be specified with GET or HEAD
#      because some tools incorrectly supply content type information
#      even when the body is not present. There is a rule further in
#      the file to prevent GET and HEAD requests to have bodies to we're
#      safe in that respect.
#
# NOTE Use of WebDAV requires "text/xml" content type.
#
# NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports
#      applications running on the PocketPC and AvantGo platforms use
#      non-standard content types:
#
#      M-Business iAnywhere      application/x-mal-client-data
#      UltraLite iAnywhere       application/octet-stream
#
SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:2,chain,t:none,block,nolog,auditlog,status:501,msg:'Request content type is not allowed by policy',id:'960010',tag:'POLICY/ENCODING_NOT_ALLOWED',severity:'4'" 
	SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)" "t:none,setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

# Restrict protocol versions.
#
# TODO All modern browsers use HTTP version 1.1. For tight security, allow only 
#      this version. 
#
# NOTE Automation programs, both malicious and non malicious many times use 
#      other HTTP versions. If you want to allow a specific automated program
#      to use your site, try to create a narrower expection and not allow any 
#      client to send HTTP requests in a version lower than 1.1  
#       
SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.[01])$" "phase:2,t:none,block,nolog,auditlog,status:505,msg:'HTTP protocol version is not allowed by policy', severity:'2',id:'960034',tag:'POLICY/PROTOCOL_NOT_ALLOWED',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" 

# Restrict file extension
#
# TODO the list of file extensions below are virtually always considered unsafe
#      and not in use in any valid program. If your application uses one of 
#      these extensions, please remove it from the list of blocked extensions.
#      You may need to use ModSecurity Core Rule Set Templates to do so, otherwise
#      comment the whole rule.       
#
SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$" "phase:2,t:none,t:urlDecodeUni,t:lowercase,block,nolog,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',id:'960035',tag:'POLICY/EXT_RESTRICTED',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var}" 



# Restricted HTTP headers 
#
# TODO the list of HTTP headers below are considered unsafe for your environment.
#      If your application uses one of these directories, please remove it from 
#      the list of blocked extensions. You may need to use ModSecurity Core Rule 
#      Set Templates to do so, otherwise comment the whole rule.       
#
SecRule REQUEST_HEADERS_NAMES "(?:(?:Proxy-Connectio|Lock-Toke)n|(?:Content-Rang|Translat)e|via|if)$" "phase:2,t:none,block,nolog,auditlog,status:500,msg:'HTTP header is restricted by policy',id:'960038',tag:'POLICY/HEADER_RESTRICTED',tag:'POLICY/FILES_NOT_ALLOWED',severity:'4',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}" 


# Restricted Content Encodings
#
# ModSecurity does not support compressed content. Therefore, the following
# action will be taken:
#   - Inbound compressed content will be denied
#   - Outbound compressed content will be logged once, to alert the user
# Deny inbound compressed content
SecRule REQUEST_HEADERS:Content-Encoding "!^Identity$" "phase:2,t:none,block,nolog,auditlog,status:501,msg:'ModSecurity does not support content encodings',id:'960902',severity:'4',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/ENCODING_RESTRICTED-%{matched_var_name}=%{matched_var}" 
# Log outbound compressed content (log once)
SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" "phase:4,t:none,pass,nolog,auditlog,msg:'ModSecurity does not support content encodings',id:'960903',severity:'4',chain,initcol:global=global" 
	SecRule &GLOBAL:alerted_960903_compression "@eq 0" "setvar:global.alerted_960903_compression,setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/ENCODING_RESTRICTED-%{matched_var_name}=%{matched_var}"