# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.0.3
# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------


#
# PHP-IDS rules (www.php-ids.org)
# Converter.php Section
# https://svn.php-ids.org/svn/trunk/lib/IDS/Converter.php
#

#
# Make sure the value to normalize and monitor doesn't contain
# possibilities for a regex DoS.
# http://www.checkmarx.com/Upload/Documents/PDF/Checkmarx_OWASP_IL_2009_ReDoS.pdf
#
SecRule REQUEST_BODY|REQUEST_URI_RAW|ARGS|ARGS_NAMES|FILES|FILES_NAMES|XML:/* "(?:(.{2,})\1{32,})|(?:[+=|\-@\s]{128,})" "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Possible RegEx DoS Payload',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{matched_var}"

#
# Identify Comment Evasion Attempts
#
SecRule REQUEST_BODY|REQUEST_URI_RAW|ARGS|ARGS_NAMES|FILES|FILES_NAMES|XML:/* "(?:\<!-|-->|\/\*|\*\/|\/\/\W*\w+\s*$)" "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Comment Evasion Attempt',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{matched_var}"

SecRule REQUEST_BODY|REQUEST_URI_RAW|ARGS|ARGS_NAMES|FILES|FILES_NAMES|XML:/* "(?:--[^-]*-)" "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Comment Evasion Attempt',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{matched_var}"

SecRule REQUEST_BODY|REQUEST_URI_RAW|ARGS|ARGS_NAMES|FILES|FILES_NAMES|XML:/* "(?:(?:<!)(?:(?:--(?:[^-]*(?:-[^-]+)*)--\s*)*)(?:>))" "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Comment Evasion Attempt',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{matched_var}"

SecRule REQUEST_BODY|REQUEST_URI_RAW|ARGS|ARGS_NAMES|FILES|FILES_NAMES|XML:/* "(?:(?:\/\*\/*[^\/\*]*)+\*\/)" "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Comment Evasion Attempt',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{matched_var}"

SecRule REQUEST_BODY|REQUEST_URI_RAW|ARGS|ARGS_NAMES|FILES|FILES_NAMES|XML:/* "(?:--[^-]*-)" "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Comment Evasion Attempt',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{matched_var}"

SecRule REQUEST_BODY|REQUEST_URI_RAW|ARGS|ARGS_NAMES|FILES|FILES_NAMES|XML:/* "(<\w+)\/+(\w+=?)" "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Comment Evasion Attempt',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{matched_var}"

SecRule REQUEST_BODY|REQUEST_URI_RAW|ARGS|ARGS_NAMES|FILES|FILES_NAMES|XML:/* "[^\\\:]\/\/(.*)$" "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Comment Evasion Attempt',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{matched_var}"

#
# Checks for common charcode patterns 
#
# check if value matches typical charCode pattern 
SecRule REQUEST_BODY|REQUEST_URI_RAW|ARGS|ARGS_NAMES|FILES|FILES_NAMES|XML:/* "(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){4,}" "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Basic Charcode Pattern Found',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{matched_var}"

#
# check for octal charcode pattern
SecRule REQUEST_BODY|REQUEST_URI_RAW|ARGS|ARGS_NAMES|FILES|FILES_NAMES|XML:/* "(?:(?:[\\\]+\d+[ \t]*){8,})" "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Octal Charcode Pattern Found',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{matched_var}"

#
# check for hexadecimal charcode pattern
SecRule REQUEST_BODY|REQUEST_URI_RAW|ARGS|ARGS_NAMES|FILES|FILES_NAMES|XML:/* "(?:(?:[\\\]+\w+\s*){8,})" "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Hexadecimal Charcode Pattern Found',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+10,setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{matched_var}"