# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.0.3 # Copyright (C) 2006-2009 Breach Security Inc. All rights reserved. # # The ModSecuirty Core Rule Set is distributed under GPL version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # NOTE Bad robots detection is based on checking elements easily # controlled by the client. As such a determined attacked can bypass # those checks. Therefore bad robots detection should not be viewed as # a security mechanism against targeted attacks but rather as a nuisance # reduction, eliminating most of the random attacks against your web # site. SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|webinspect|\.nasl)" \ "phase:2,t:none,t:lowercase,block,nolog,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',tag:'AUTOMATION/SECURITY_SCANNER',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.automation_score=+1,setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}" SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \ "phase:2,t:none,t:lowercase,block,nolog,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990901',tag:'AUTOMATION/SECURITY_SCANNER',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.automation_score=+1,setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}" SecRule REQUEST_FILENAME "^/nessustest" \ "phase:2,t:none,t:lowercase,block,nolog,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990902',tag:'AUTOMATION/SECURITY_SCANNER',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.automation_score=+1,setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}" SecRule REQUEST_HEADERS:User-Agent "(?:e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro|o browse)|w(?:eb(?:emailextrac| by mail|altbot)|i(?:se(?:nut)?bot|ndows xp 5)|ordpress\/4\.01|3mir)|a(?:t(?:tache|hens)|utoemailspider|dsarobot| href=)|m(?:ailto:craftbot\@yahoo\.com|urzillo compatible)|p(?:(?:oe-component-clien|ackra)t|cbrowser|surf)|c(?:ompatible(?: ; msie|-)|hinaclaw)|f(?:astlwspider|loodgate)|t(?:uring machine|akeout)|g(?:rub-client|ecko\/25)|h(?:hjhj@yahoo|anzoweb)|d(?:igout4u|ts )agent|larbin@unspecified|(?:; widow|zeu)s|\bdatacha0s\b|user-agent:|rsync|shai|\\r)" \ "phase:2,t:none,t:lowercase,block,nolog,auditlog,status:404,msg:'Rogue web site crawler',id:'990012',tag:'AUTOMATION/MALICIOUS',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.automation_score=+1,setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}" SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|mozilla\/2\.0 \(compatible; newt activex; win32\)|w(?:3mirror|get)|download demon|l(?:ibwww|wp)|p(?:avuk|erl)|big brother|autohttp|netants|eCatch|curl)" \ "chain,phase:2,t:none,t:lowercase,nolog,auditlog,msg:'Request Indicates an automated program explored the site',id:'990011',tag:'AUTOMATION/MISC',severity:'5'" SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl" "t:none,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:tx.automation_score=+1,setvar:tx.%{rule.id}-AUTOMATION/MISC-%{matched_var_name}=%{matched_var}"