# http://www.atomicorp.com/ # Atomicorp (Gotroot.com) ModSecurity rules # Application Security Rules for modsec 2.x # # Created by the Prometheus Group (http://www.prometheus-group.com) # Copyright 2005-2008 by the Prometheus Group, all rights reserved. # Redistribution is strictly prohibited in any form, including whole or in part. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF # THE POSSIBILITY OF SUCH DAMAGE. 
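#
#--------------------------------
# notes
#--------------------------------
# Rules work with modsecurity 2.5 and above only
# rule ids 340000's
#--------------------------------
#start rules
#--------------------------------
#Configure for your site
#SecDefaultAction "log,deny,auditlog,phase:2,status:403,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
#
# NOTE: every SecRule that follows inherits this action list, including its
# transformations, unless the rule starts its own list with t:none.
# Because t:lowercase is inherited, patterns are matched against lowercased
# input: a pattern containing upper-case literals can never match unless it is
# written case-insensitively (e.g. a leading (?i)) or the rule uses t:none.
SecDefaultAction "log,deny,auditlog,phase:2,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"

# Rule 340000: Enforce proper HTTP requests
# GET /robots.txt HTTP/1.0
# t:none keeps the original case so that both "http/" and "HTTP/" are accepted.
# The rule is negated and has no capture action, so TX.0 is never populated;
# MATCHED_VAR carries the offending protocol string into the message instead.
SecRule REQUEST_PROTOCOL "!(?:^|\n|\r)(?:http|HTTP)/(0\.9|1\.[01])$" \
"t:none,id:340000,rev:7,severity:1,msg:'Bad HTTP Protocol <%{MATCHED_VAR}>'"

# Rule 34000X: Generic rule for allowed characters, very broken at the moment
# dont use it unless you can fix it
# NOTE: if re-enabled, give it its own id - 340002 is already used by the
# TRACE/TRACK rule below.
#SecRule REQUEST_URI "!^[-a-zA-z0-9\.\+_/\-\?\=]+$" "chain,id:340002,rev:1,severity:2,msg:'Restricted HTTP character set'"

# Rule 340001: Don't accept transfer encodings we know we don't handle
# Any Transfer-Encoding header at all is rejected. Requests without the header
# have nothing to test, so the negated match does not fire and they pass.
# The header is available from phase 1; the inherited phase:2 is kept here.
SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" \
"id:340001,rev:1,severity:2,msg:'Dis-allowed Transfer Encoding'"

# Rule 340002: deny TRACE method
SecRule REQUEST_METHOD "trac(?:e|k)" \
"phase:1,t:lowercase,id:340002,rev:2,severity:2,msg:'TRACE/TRACK method denied'"

# Rule 340161: deny CONNECT method
SecRule REQUEST_METHOD "connect" \
"phase:1,t:lowercase,id:340161,rev:1,severity:2,msg:'CONNECT method denied'"

# Rule 340003: XSS insertion into headers
# Inspects every request header value (lowercased by the default action).
SecRule REQUEST_HEADERS "(?:<[[:space:]]*(?:script|about|applet|activex|chrome)*>.*(?:script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)" \
"id:340003,rev:2,severity:2,msg:'XSS attack in request'"

# Rule 340004: Don't accept chunked encodings
# modsecurity can not look at these, so this is a hole that can bypass your rules,
# the rule before this one should cover this, but hey paranoia is cheap
# NOTE(review): the "can not look at these" remark appears to predate
# ModSecurity 2.x. With 340001 active this rule can only fire if 340001 is
# removed, so it is a belt-and-braces duplicate rather than extra coverage.
SecRule REQUEST_HEADERS:Transfer-Encoding "chunked" \
"id:340004,rev:1,severity:2,msg:'Chunked Transfer Encoding denied'"

# Rule 340005: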
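# Code injection via content length
SecRule REQUEST_HEADERS:Content-Length "\;(?:system|passthru|exec)\(" \
"id:340005,rev:1,severity:2,msg:'Code Injection in Content-Length header'"

# Rule 340162
# Disabled: would reject any non-numeric Content-Length.
# (The anchor and the quotes below were mis-encoded in the copy reviewed and
# have been restored to a plain ^ and '.)
#SecRule REQUEST_HEADERS:Content-Length "!^\d+$" \
# "id:340162,rev:1,severity:2,msg:'Content-Length HTTP header violation'"

# Rule 340006: generic recursion signatures
# NOTE(review): t:normalisePath runs before the match and collapses resolvable
# ".." segments, so the chained pattern only sees traversal that could not be
# resolved - confirm that is the intended catch.
SecRule REQUEST_URI "!(?:alt_mod_frameset.php|checkout_shipping.php)" \
"t:normalisePath,id:340006,rev:4,severity:2,msg:'Generic Path Recursion denied',chain"
SecRule REQUEST_URI "\.\./\.\./"

# Rule 340007: generic recursion signatures
SecRule REQUEST_URI "\.\|\./\.\|\./\.\|" \
"t:normalisePath,id:340007,rev:1,severity:2,msg:'Generic Path Recursion denied'"

# Rule 340008: generic bogus path sigs
SecRule REQUEST_URI "\.\.\./" \
"id:340008,rev:1,severity:2,msg:'Bogus Path denied'"

# Rule 340009:
#Generic PHP exploit signatures
# NOTE(review): "e?chr" is already covered by the "chr" alternative, and 340011
# below applies the same function list to REQUEST_URI|REQUEST_BODY, so this
# rule adds no coverage of its own.
SecRule REQUEST_BODY "(?:chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" \
"id:340009,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

# Rule 340010:
#Generic PHP exploit signatures
# Requires an opening "<?php " immediately before the function call.
SecRule REQUEST_BODY|REQUEST_URI "<\?php (?:chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" \
"id:340010,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

# Rule 340011:
#slightly tighter rules with narrower focus
SecRule REQUEST_URI|REQUEST_BODY "(?:chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" \
"id:340011,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

# Rule 340012:
#generic XSS PHP attack types
# (?i) because the inherited t:lowercase lowercases the input before matching;
# "body\.innerHTML" replaces the mis-escaped "body.\innerHTML" of the earlier
# revision (an unescaped dot followed by a literal "innerHTML").
SecRule REQUEST_URI "\.php\?" \
"chain,id:340012,rev:1,severity:2,msg:'Generic PHP XSS exploit pattern denied'"
SecRule REQUEST_BODY|REQUEST_URI "(?i)(?:javascript\:/(?:.*new\x20ActiveXObject.*Sh\.regwrite|.*window\.opener\.document\.body\.innerHTML=window\.opener\.document\.body\.innerHTML\.replace)|onmouseover=\'javascript)"

# Rule 340013:
#Prevent SQL injection in cookies
# (?i): the second alternative (UNION SELECT ... INTO ... FROM) is written in
# upper case and could never match the lowercased input otherwise.
# Note that "|" inside the bracket expressions is a literal pipe, not alternation.
SecRule REQUEST_COOKIES "(?i)(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" \
"id:340013,rev:1,severity:2,msg:'Generic SQL injection in cookie'"

# Rule 340014:
#Prevent command injection through cookies
SecRule REQUEST_COOKIES "\; cmd=" \
"id:340014,rev:1,severity:2,msg:'CMD injection'"

# Rule 340015:
#Prevent SQL injection in UA
# Same pattern as 340013, applied to the User-Agent header.
SecRule REQUEST_HEADERS:User-Agent "(?i)(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" \
"id:340015,rev:1,severity:2,msg:'Generic SQL injection in User Agent header'"

# Rule 340016:
# Generic filter to prevent SQL injection attacks
# Understand that all SQL filters are very limited and are very difficult
# to prevent false positives and negatives.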
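# Please report false positives/negatives to mike@gotroot.com
# First link: negated URI exclusion list. (?i) so that the mixed-case entries
# (Downloads, NS-AddStory, PNphpBB2, phpMyAdmin, _mmServerScripts) are really
# excluded once the inherited t:lowercase has lowercased the URI.
SecRule REQUEST_URI "!(?i)(?:(?:/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/horde3?/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(?:Downloads|Submit_News)|/admin\.php\?module=NS\-AddStory\&op=|/index\.php\?name=PNphpBB2&file=posting&mode=reply.*|/phpMyAdmin/|/PNphpBB2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/_mmServerScripts/|/node/[0-9]+/edit|/_vti_bin/.*\.exe/)" \
"chain,id:340016,rev:2,severity:2,msg:'Generic SQL injection protection'"
# (?i) so the upper-case UNION SELECT alternative can match lowercased input.
SecRule REQUEST_URI|REQUEST_BODY "(?i)(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(?:from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)"

# Rule 340017:
#Generic SQL sigs
#
# NOTE(review): in the copy reviewed the comment marker above and this SecRule
# were run together on one line; confirm the rule is meant to be active.
# (?i) so the mixed-case exclusions (returnUrl, cPath, Forums) work on
# lowercased input.
SecRule REQUEST_URI "!(?i)(?:^/edit_page$|/node/[0-9]+/edit|^/forum/posting\.php|^/admins/wnedit\.php|/alt_doc\.php\?returnUrl=.*edit|^/admin/categories\.php\?cPath=.*|modules\.php\?name=Forums&file=posting&mode=.*|^/joomla/administrator/index2\.php|^/wiki/index\.php?.*action=submit|^/imp/compose\.php|^/horde/imp/compose\.php|ubbthreads\.php|/sql.php|/tbl_(?:change|sql)\.php|/admincp/template\.php\?do=(?:insert|update)template|admin/area/save-page\.php$|^/cgi-bin/cookmail\.exe$|^/catalog/secure_admin/categories\.php\?cPath=)" \
"chain,id:340017,rev:32,severity:2,msg:'Generic SQL injection protection'"
# Free-text argument names are excluded from the match (duplicate
# !ARGS:content_en entry removed).
SecRule ARGS|!ARGS:text|!ARGS:edited|!ARGS:content|!ARGS:description|!ARGS:introtext|!ARGS:Post|!ARGS:sql_query|!ARGS:itembigtext|!ARGS:article_content|!ARGS:body|!ARGS:myTextArea|!ARGS:ll_content_message|!ARGS:page-content|!ARGS:reply|!ARGS:xml|!ARGS:content_en|!ARGS:filecontent|!ARGS:message|!ARGS:general[description] "(?:insert[[:space:]]+into.+values|select\s+from.+[a-z|A-Z|0-9]|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)"

# Rule 340018:
#Generic command line attack filter
# NOTE(review): !ARGS:site_first has no effect here - the targets are
# REQUEST_URI and REQUEST_BODY, and an ARGS exclusion only removes an entry
# from the ARGS collection, not from the raw URI/body text.
SecRule REQUEST_URI "!(?:/count\.cgi|^/magento/index\.php/admin/dashboard/)" \
"chain,id:340018,rev:3,severity:2,msg:'Generic command line attack filter'"
SecRule REQUEST_URI|REQUEST_BODY|!ARGS:site_first "\|+.*[\x20].*[\x20].*\|"

# Rule 340019:
#Generic PHP bad functions protection
#PHP copy() function: http://securitytracker.com/alerts/2006/Apr/1015882.html
SecRule ARGS "compress\.zlib:" \
"id:340019,rev:1,severity:2,msg:'Generic PHP bad functions protection'"

# Rule 340020:
#XSS in referrer and UA headers
# NOTE(review): despite the message, User-Agent is not among the targets.
SecRule REQUEST_HEADERS:REFERER|REQUEST_URI "!(?:/plugins/editors/tinymce/jscripts/|/modules/tinymce/tinymce/jscripts|/phpinfo_iframe\.php)" \
"id:340020,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:11,severity:2,msg:'XSS in referrer and UA headers',chain"
# FIXME(review): the chained pattern below is damaged in the copy reviewed: its
# opening group is never closed (PCRE will refuse to compile it) and it mixes
# the googlesyndication/gills whitelist with attack signatures under a single
# negation. Rule 340158 has the intended two-step shape (negated whitelist
# link, then a positive signature link); restore this rule from the upstream
# copy rather than editing it in place.
SecRule REQUEST_HEADERS:REFERER "!(^pagead[0-9]\.googlesyndication\.com/pagead/|/gills\.swf?txt=|activexobject|(?:\.add|\@)import|asfunction\:|background-image\:|e(?:cma|xec)script|\.fromcharcode|get(?:parentfolder|specialfolder)|iframe |\.innerhtml|\)"

# Rule 340099: cross site scripting attempt IMG onerror or onload
# FIXME(review): rules 340099-340105 are missing from the copy reviewed, and the
# rule that follows this heading carries id 340106 with a pattern that looks
# truncated ("]expression(" with no preceding STYLE context). Restore from
# upstream.
SecRule REQUEST_URI "\]expression[\s]*\(" \
"id:340106,rev:1,severity:2,msg:'cross site scripting attempt STYLE + EXPRESSION'"

# Rule 340107: cross site scripting attempt STYLE + EXPRESSION
# (?i) so the literal </STYLE> can match lowercased input.
SecRule REQUEST_URI "(?i)[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>" \
"id:340107,rev:1,severity:2,msg:'cross site scripting attempt STYLE + EXPRESSION'"

# Rule 340108: There is no 340108.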
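# Rule 340109: cross site scripting attempt using XML
# FIXME(review): the pattern is a bare "SCRIPT" in the copy reviewed, which
# looks truncated (the XML context the title refers to is gone). Under the
# inherited t:lowercase it can never match, so it is inert; do not simply
# lowercase it - "script" alone would block any URI containing that word.
# Restore the full pattern from upstream.
SecRule REQUEST_URI "SCRIPT" \
"id:340109,rev:1,severity:2,msg:'cross site scripting attempt using XML'"

# Rule 340110: cross site scripting attempt executing hidden Javascript
# (?i): input is lowercased by the default action, so "innerHTML" would
# otherwise never match.
SecRule REQUEST_URI "(?i)eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*\)" \
"id:340110,rev:1,severity:2,msg:'cross site scripting attempt executing hidden Javascript'"

# Rule 340111: cross site scripting attempt executing hidden Javascript
SecRule REQUEST_URI "(?i)window\.execScript[\s]*\(" \
"id:340111,rev:1,severity:2,msg:'cross site scripting attempt executing hidden Javascript'"

# Rule 340112: cross site scripting attempt to execute Javascript code
# NOTE(review): the leading "/" requires a slash right before URL=/SRC=/...,
# which the stealth variant 340113 does not; confirm it is intended.
SecRule REQUEST_URI "(?i)/(?:(?:(?:URL|SRC|HREF|LOWSRC)[\s]*=)|(?:url[\s]*[\(]))[\s]*[\'\"]*javascript[\:]" \
"id:340112,rev:1,severity:2,msg:'cross site scripting attempt to execute Javascript code'"

# Rule 340113: cross site scripting stealth attempt to execute Javascript code
# may false alarm for some language sets
# The chained pattern tolerates tab/newline/vertical-tab/form-feed/CR between
# the letters of "javascript". The stray trailing backslash that followed the
# chained rule (it would have joined the next comment line onto the directive)
# has been removed.
SecRule REQUEST_URI "!(?i)(?:/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)" \
"chain,id:340113,rev:1,severity:2,msg:'cross site scripting stealth attempt to execute Javascript code'"
SecRule REQUEST_URI|REQUEST_BODY "(?i)(?:(?:(?:URL|SRC|HREF|LOWSRC)[\s]*=)|(?:url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]"

# Rule 340114: Apache /server-info accessible
# Only localhost may reach /server-info; the URI match is unanchored.
SecRule REQUEST_URI "/server-info" \
"chain,id:340114,rev:1,severity:2,msg:'/server-info access attempt'"
SecRule REMOTE_ADDR "!^127\.0\.0\.1$"

# Rule 340115: Apache /server-status accessible
# Modified so apache-protect can run
# NOTE(review): anchored to exactly "/server-status/"; "/server-status" and
# "/server-status?refresh=5" (REQUEST_URI includes the query string) are not
# covered.
SecRule REQUEST_URI "^/server-status/$" \
"chain,id:340115,rev:1,severity:2,msg:'/server-status access attempt'"
SecRule REMOTE_ADDR "!^127\.0\.0\.1$"

# Rule 340116: generic Common HTTP vulnerability
SecRule REQUEST_URI "/\?cwd=/" \
"id:340116,rev:1,severity:2,msg:'Common HTTP vulnerability'"

# Rule 340117: General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links)
SecRule REQUEST_URI "\.php\?" \
"chain,id:340117,rev:1,severity:2,msg:'General [url] php forum protections'"
SecRule REQUEST_URI|REQUEST_BODY "\[url=(?:script|javascript|applet|about|chrome|activex)\:/.*\].*\[/url\]"

# Rule 340118: Experimental XML-RPC generic attack sigs
SecRule REQUEST_BODY "\'\,\'\'\)\)\;" \
"id:340118,rev:1,severity:2,msg:'Generic XML-RPC attack'"

# Rule 340119: Generic XML-RPC generic attack sigs
SecRule REQUEST_BODY "\\.*\'\)\;" \
"id:340119,rev:1,severity:2,msg:'Generic XML-RPC attack'"

# Rule 340120: XML-RPC generic attack sigs
# FIXME(review): both links of this chain are broken in the copy reviewed.
# REQUEST_HEADERS yields header values only, so "^Content-Type: ..." can never
# match (the header name is not part of the value; the usual form is
# REQUEST_HEADERS:Content-Type "^application/xml"), and the chained pattern is
# cut off after "(?:\" - an unterminated argument that PCRE rejects, which
# aborts the configuration load. Restore from upstream.
SecRule REQUEST_HEADERS "^Content-Type\: application/xml" \
"chain,id:340120,rev:1,severity:2,msg:'Generic XML-RPC attack'"
SecRule REQUEST_BODY "(?:\"

# Rule 340121: Specific XML-RPC attacks on xmlrpc.php
# FIXME(review): the chained pattern opens three groups and closes two, so it
# will not compile; it also looks truncated ("(?:\.*.*.*"). Restore from
# upstream.
SecRule REQUEST_URI "(?:xmlrpc|xmlrpc.*)\.php" \
"chain,id:340121,rev:1,severity:2,msg:'XML-RPC attacks on xmlrpc.php'"
SecRule REQUEST_BODY "(?:\.*.*.*(?:select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](?:from|into|table|database|index|view).*methodName\>"

# Rule 340123: generic remote file inclusion vulns
# Scheme list reads "gopher" as in 340148 (the earlier "gopger" was a typo).
SecRule REQUEST_URI "/index\.php\?do=.*&page=(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/" \
"id:340123,rev:1,severity:2,msg:'remote file inclusion attempt'"

# Rule 340124: Remote file inclusion attempt
SecRule REQUEST_URI "/index\.php\?kietu\[.*\]=(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/" \
"id:340124,rev:1,severity:2,msg:'Remote file inclusion attempt'"

# Rule 340125: Remote file inclusion attempt
##ZZZZ
# NOTE(review): "libDir=:/" has no scheme before ":/" and an upper-case "D"
# that the lowercased input cannot match; as written the rule is inert.
SecRule REQUEST_URI "/index\.php\?libDir=:/" \
"id:340125,rev:1,severity:2,msg:'Remote file inclusion attempt'"

# Rule 340126: Remote file inclusion attempt
# (?i) for the upper-case parameter name; "gopger" corrected to "gopher".
SecRule REQUEST_URI "(?i)/init\.php\?HTTP_POST_VARS\[GALLERY_BASEDIR\]=(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/" \
"id:340126,rev:1,severity:2,msg:'Remote file inclusion attempt'"

# Rule 340XXX
#catch smuggling attacks
#SecRule "^(?:GET|POST).*Host:.*^(?:GET|POST)"

# Rule 340127: Drupal remote command execution vulnerability exploit signature
# This is already covered in another generic signature, but just in case you leave it out, here it is
# again with a slightly tighter regexp
SecRule REQUEST_BODY "\<.*php .*\(.*\)\;system\(.*\).*php*\>" \
"id:340127,rev:1,severity:2,msg:'Remote command exection (system)'"

# Rule 340128: Slightly stronger version of the above
SecRule REQUEST_BODY "\<.*php .*\(.*\)\;(?:chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\).*php*\>" \
"id:340128,rev:1,severity:2,msg:'Remote command exection (generic)'"

# Rule 340129: Generic PHP attack sig
SecRule REQUEST_BODY|REQUEST_URI "(?i)system\(getenv\(HTTP_PHP\)\)" \
"id:340129,rev:1,severity:2,msg:'Generic PHP attack sig'"

# Rule 340130: Generic Nessus request filter
# NOTE(review): "Test*" means "Tes" followed by any number of "t"; ".*" was
# probably intended if arbitrary text before ".html" should be allowed.
SecRule REQUEST_URI "(?i)NessusTest*\.html" \
"id:340130,rev:1,severity:2,msg:'Nessus Scan'"

# Rule 340131: Generic PHP payload command injection and upload vulnerabilities
# NOTE(review): the third link re-tests "<?php", which the first link already
# established; it adds nothing.
SecRule REQUEST_BODY "<\?php" \
"id:340131,rev:1,severity:2,msg:'Generic PHP payload command injection and upload vulnerabilities',chain"
SecRule REQUEST_BODY "(?:(?:fputs|fread)\(.*\,.*\)\;|fsockopen\(gethostbyname|chr\(.*\)\.chr\(.*\)\.chr\(|(?:fclose|fgets)\(.*\)\;|(?:system|exec)\(.*\)\;)" chain
SecRule REQUEST_BODY "\<\?php"

# Rule 340132: Generic XML RPC attack sig
SecRule REQUEST_BODY "(?i)\'(?:______BEGIN______|_____FIM_____)\'\;" \
"id:340132,rev:1,severity:2,msg:'Generic XML RPC attack'"

# Rule 340133: HTTP header PHP code injection attacks
SecRule REQUEST_HEADERS:Client-Ip|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "(?:<\?php|<[[:space:]]?\?[[:space:]]?php|<\? php)" \
"id:340133,rev:1,severity:2,msg:'HTTP header PHP code injection attack'"

# Rule 340134: wormsign
SecRule REQUEST_HEADERS "(?i)XXXXXXXXXXXXXXX\: \+\+\+\+\+\+\+\+\+\+\+\+\+" \
"id:340134,rev:1,severity:2,msg:'Worm signature'"

# Rule 340135: THMC worm
SecRule REQUEST_BODY "(?i)THMC\.\$dbhost\.THMC\.\$dbname\.THMC\.\$dbuser\.THMC\.\$dbpasswd\.THMC" \
"id:340135,rev:1,severity:2,msg:'THMC worm'"

# Rule 340136: phpbb wormsign
SecRule REQUEST_URI|REQUEST_BODY "(?i)echo _GHC/RST_" \
"id:340136,rev:1,severity:2,msg:'PHPBB worm'"

# Rule 340137: Generic PHP avatar upload exploits
# Multipart upload of a PHP payload in the "avatar" field; (?i) so the
# Content-Disposition part header matches lowercased body text.
SecRule REQUEST_URI "\.php" \
"id:340137,rev:1,severity:2,msg:'PHPBB avatar exploit',chain"
SecRule REQUEST_BODY "(?i)Content-Disposition\: form-data\; name=\"avatar\"\;" chain
SecRule REQUEST_BODY "\<\?php" chain
SecRule REQUEST_BODY "\?>"

# Rule 340138: Fake image file shell attack
SecRule REQUEST_HEADERS:Content-Type "image/.*" \
"id:340138,rev:2,severity:2,msg:'Fake image file shell attack',chain"
SecRule REQUEST_BODY "chr\(.*\)"

# Rule 340140: bogus graphics file
# NOTE(review): REQUEST_HEADERS holds the request's own headers; the
# Content-Disposition of a multipart part is not visible here, so this chain
# only covers a top-level Content-Disposition header. The stray trailing
# backslash after the last link (which would have joined the next comment line
# onto the directive) has been removed.
SecRule REQUEST_HEADERS:Content-Disposition "\.(?:php|txt)" \
"id:340140,rev:2,severity:2,msg:'Bogus graphics file',chain"
SecRule REQUEST_HEADERS:Content-Type "(?:image/gif|image/jpg|image/png|image/bmp)"

# Rule 340141: wormsign
SecRule REQUEST_URI "(?i)Hacked.*by.*member.*of.*SCC" \
"id:340141,rev:1,severity:2,msg:'SCC worm'"

# Rule 340142: Special account protection
SecRule REQUEST_URI "/~(?:root|ftp|bin|nobody|named|guest|logs|sshd)/" \
"t:lowercase,t:replaceNulls,t:compressWhitespace,t:normalisePath,id:340142,rev:1,severity:2,msg:'Special account protection'"

# Rule 340143: Generic PHP fopen sig
SecRule REQUEST_URI|REQUEST_BODY "fp=fopen\(" \
"id:340143,rev:1,severity:2,msg:'PHP fopen attack'"

# Rule 340144: Generic SQL sigs
# (?i) so the mixed-case exclusions (Downloads, NS-AddStory, PNphpBB2,
# phpMyAdmin, _mmServerScripts, dispLayoutAdminEdit) work on lowercased input.
SecRule REQUEST_URI "!(?i)(?:(?:/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/horde3?/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(?:Downloads|Submit_News)|/admin\.php\?module=NS\-AddStory\&op=|/index\.php\?name=PNphpBB2&file=posting&mode=reply.*|/phpMyAdmin/|/PNphpBB2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/_mmServerScripts/|/node/[0-9]+/edit|/_vti_bin/.*\.exe/|/joomla/administrator/index2\.php|module=admin&act=dispLayoutAdminEdit&layout_srl=|upgrade.php?step=|^/ubbthreads/install/)" \
"id:340144,rev:7,severity:2,msg:'Generic SQL injection protection 2',chain"
SecRule ARGS "(?:(?:alter|create|drop)[[:space:]]*(?:column|database|procedure|table)|delete[[:space:]]*update.+set.+=)"

# Rule 340145: Generic SQL sigs
SecRule ARGS "(?:or.+1[[:space:]]*=[[:space:]]1|(?:or 1=1|'.+)--')" \
"id:340145,rev:1,severity:2,msg:'Generic SQL injection protection'"

# Rule 340146: Meta character SQL injection
SecRule REQUEST_URI "\'.*(?:insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)|and.*char\(.*\)" \
"id:340146,rev:1,severity:2,msg:'Generic SQL metacharacter URI injection protection'"

# Rule 340147: Generic XSS filter
SecRule REQUEST_URI "!/mt\.cgi" \
"id:340147,rev:1,severity:2,msg:'Generic XSS filter',chain"
SecRule REQUEST_URI|REQUEST_BODY "<[[:space:]]*(?:script|about|applet|activex|chrome)*>.*(?:script|about|applet|activex|chrome)[[:space:]]*>"

# Rule 340148: PHP Injection Attack generic signature
# NOTE(review): the second link tests Referer with a negated pattern. When the
# request carries no Referer header there is nothing to test, the link does not
# match and the whole chain is skipped, so the rule does not apply to requests
# without that header. Covering that case needs a count test
# (&REQUEST_HEADERS:Referer) rather than the negated pattern; confirm before
# changing.
SecRule REQUEST_URI "!(?:/imp/compose|/editor|/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs|calendar/index\.php\?act=calendar&code=edit&cal_id=.*&event_id=|^/go\.php\?u=affilorama&t=http://)" \
"id:340148,rev:11,severity:2,msg:'Generic PHP code injection protection in URI',chain"
SecRule REQUEST_HEADERS:Referer "!/imp/login\.php" chain
SecRule REQUEST_URI "\.php(?:3|4|5)?(?:\?|&).*=(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/" chain
SecRule ARGS|!ARGS:url|!ARGS:base_url|!ARGS:serverurl|!ARGS:url2send|!ARGS:referrer|!ARGS:team[logo]|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:ureferrer|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:redirect|!ARGS:backurl|!ARGS:oaparams "(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/"

# Rule 340149: PHP Remote path
#SecRule REQUEST_URI "\.php.*path=(?:http|https|ftp)\:/" \
# "id:340149,rev:2,severity:2,msg:'PHP Remote path attach',chain"

# Rule 340150: Dfind signature
# w00tw00t.at.ISC.SANS.DFind
# (?i): the mixed-case signature cannot match lowercased input otherwise.
SecRule REQUEST_URI "(?i)/w00tw00t\.at\.ISC\.SANS\.DFind" \
"id:340150,rev:1,severity:2,msg:'DFind scanner attempt'"

#Rule 340152: PHP Injection attack
# Argument names that legitimately carry URLs are excluded from the final link.
# The final pattern now requires the scheme to be followed by ":/" (as in
# 340148 and 340151); the earlier form matched a bare "ogg", "gopher" or "zlib"
# anywhere in an argument value. An empty "||" entry and a duplicate
# !ARGS:return were also removed from the variable list.
SecRule REQUEST_URI "!(?:^/newsletter/admin/\?page=spageedit|^\?q=node/add/page$|^\?q=(?:en|de)/node/[0-9]/edit$|^/(?:maillist|lists)/admin/\?page=(template|template&id=[0-9]+)$|^/leap/\?admin\.menus\.edit\.[0-9]+$)" \
"t:normalisePath,id:340152,rev:23,severity:2,msg:'Generic PHP code injection protection via ARGS 2',chain"
SecRule REQUEST_URI "/+\?" chain
#SecRule ARGS "!@pmFromFile trusted-domains.conf" chain
SecRule ARGS|!ARGS:return|!ARGS:url|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:message|!ARGS:serverurl|!ARGS:redirect_to|!ARGS:external_link|!ARGS:site_footer|!ARGS:body_html|!ARGS:referrer|!ARGS:team[logo]|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:attach-url|!ARGS:url2send|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:loc|!ARGS:backurl|!ARGS:referer|!ARGS:resource "(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/"

# Rule 340151: Generic PHP code injection protection in URI w/ anti-evasion
# The rule carries its own transformation list (decode, then lowercase) so the
# links below see a normalised URI. "gopger" corrected to "gopher" in the
# second link; an empty "||" entry removed from the last link's variable list.
SecRule REQUEST_FILENAME|REQUEST_URI "!(?:^/signup\.php|^/go\.php\?u=affilorama&t=http://)" \
"id:340151,t:normalisePath,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,rev:15,severity:2,msg:'PHP Injection attempt in URI'"
SecRule REQUEST_URI "(?:\.php(?:3|4|5)?(?:\?|&)|^/(?:\?|&)).*=(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/" chain
SecRule REQUEST_URI "!(?:/imp/compose\.php|/tiki-(?:objectpermissions|editpage)|/cowadmin/editor/.*/editor|index\.php\?url=|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs|signup\.php|calendar/index\.php\?act=calendar&code=edit&cal_id=.*&event_id=|cgi-bin/stats\.cgi\?id=shop&loc=http)" chain
#SecRule ARGS "!@pmFromFile trusted-domains.conf" chain
SecRule ARGS|!ARGS:url|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:referer|!ARGS:serverurl|!ARGS:referrer|!ARGS:team[logo]|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:return|!ARGS:url2send|!ARGS:attach-url|!ARGS:ureferrer|!ARGS:comment|!ARGS:basehref|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl "(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/"

#Rule 340153: PHP Injection attack w/ antievasion
# Same shape as 340152 with a shorter exclusion list. Final pattern requires
# the scheme to be followed by ":/"; empty "||" entry and duplicate
# !ARGS:return removed.
SecRule REQUEST_URI "!(?:^/newsletter/admin/\?page=spageedit|^\?q=node/add/page$|^\?q=(?:en|de)/node/[0-9]/edit$)" \
"id:340153,t:normalisePath,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,rev:18,severity:2,msg:'Generic PHP code injection protection via ARGS 3'"
SecRule REQUEST_URI "/\?" chain
#SecRule ARGS "!@pmFromFile trusted-domains.conf" chain
SecRule ARGS|!ARGS:return|!ARGS:url|!ARGS:base_url|!ARGS:outbound|!ARGS:out|!ARGS:message|!ARGS:serverurl|!ARGS:redirect_to|!ARGS:external_link|!ARGS:site_footer|!ARGS:body_html|!ARGS:referrer|!ARGS:team[logo]|!ARGS:team[url]|!ARGS:helpurl|!ARGS:helpbox|!ARGS:website|!ARGS:attach-url|!ARGS:url2send|!ARGS:ureferrer|!ARGS:redirect|!ARGS:refertoyouby|!ARGS:ajaxurl|!ARGS:product[media_gallery][images]|!ARGS:oaparams|!ARGS:loc|!ARGS:backurl|!ARGS:referer|!ARGS:resource "(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/"

#Rule 340154: Enhanced XSS protection w/antievasion
# Disabled. If re-enabled note that: the message text was copied from 340153,
# "chain" has no following link, and the variable name is REQUEST_FILENAME
# (corrected below from the misspelled REQUEST_FILNAME).
#SecRule ARGS|ARGS_NAMES|REQUEST_FILENAME|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pmFromFile xss.txt" \
# "t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,chain,id:340154,rev:1,severity:2,msg:'Generic PHP code injection protection via ARGS 3'"

#Always SQL injection cases w/ antievasion
# NOTE(review): !REQUEST_COOKIES:utmctr appears to remove nothing here -
# REQUEST_COOKIES is not one of the targets; cookie data reaches this rule
# through REQUEST_HEADERS (340156 excludes REQUEST_HEADERS:Cookie instead).
SecRule ARGS|ARGS_NAMES|REQUEST_FILENAME|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_COOKIES:utmctr "@pmFromFile sql.txt" \
"id:340155,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,rev:3,severity:2,msg:'Generic SQL Injection protection'"

#Always bad SQL injection case w/ antievasion
# Tautology test: "N = N" or "'x' = 'x'" with the same token on both sides;
# capture stores the matched tokens in TX.1/TX.2 for logging.
SecRule ARGS|ARGS_NAMES|REQUEST_FILENAME|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|!ARGS:topicseen|!ARGS_NAMES:posted_data[product_substring] "\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \
"id:340156,capture,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,rev:7,severity:2,msg:'Generic SQL injection protection'"

#SQL inline command attack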
SecRule REQUEST_URI "!(?:/ubbthreads/ubbthreads\.php|/phpBB3/install/index\.php|/index\.php\?mode=install&sub=create_table$)" \ "id:340157,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,t:replaceComments,rev:11,severity:2,msg:'Generic SQL inline command protection',chain" SecRule REQUEST_URI|ARGS|!ARGS:form[pagina_text]|!ARGS:description|!ARGS:message "(?:(\w+)and(\w+)char\([0-9]+\)|(?:execute|convert)\(|(?:\;delete.*;(?:insert|declare|varchar)|(?:and .* \(select |(?:drop|create)(\w+)table|declare .* varchar\())|convert\(varchar|null,(?:null,(?:null|accesslevel|user_name),|concat\()|union select )" # Rule 340158: #XSS in referrer SecRule REQUEST_HEADERS:REFERER|REQUEST_URI "!(?:/plugins/editors/tinymce/jscripts/|/modules/tinymce/tinymce/jscripts|/phpinfo_iframe\.php)" \ "id:340158,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,rev:5,severity:2,msg:'XSS in referrer',chain" SecRule REQUEST_HEADERS:REFERER "!(^pagead[0-9]\.googlesyndication\.com/pagead/)" chain SecRule REQUEST_HEADERS:REFERER "(?:\'(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/|<[[:space:]]*(?:script|about|applet|activex|chrome)*>.*(?:script|about|applet|activex|chrome)[[:space:]]*>|activexobject|(?:\.add|\@)import|asfunction\:|background-image\:|e(?:cma|exec)script|\.fromcharcode|get(?:parentfolder|specialfolder)|iframe |\.innerhtml|