# http://www.atomicorp.com/ # Atomicorp (Gotroot.com) ModSecurity rules # Special Application Security Rules for Apache 2.x # # Created by the Prometheus Group (http://www.prometheus-group.com) # Copyright 2005,2006 and 2007 by the Prometheus Group, all rights reserved. # Redistribution is strictly prohibited in any form, including whole or in part. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF # THE POSSIBILITY OF SUCH DAMAGE. # #NOTE: These rules will only work for systems running Apache 2.x. # SecDefaultAction "log,deny,auditlog,phase:2,status:403,t:lowercase" # Rule 380000: phpbb Session Cookie SecRule REQUEST_COOKIES:sessionid "phpbb2mysql_data=a\x3A2\x3A\x7Bs\x3A11\x3A\x22autologinid\x22\x3Bb\x3A1\x3Bs\x3A6\x3A\x22userid\x22\x3Bs\x3A1\x3A\x222\x22\x3B\x7D" \ "id:380000,rev:1,severity:2,msg:'PHP session cookie attack'" # Rule 380001: phpbb Session Cookie SecRule REQUEST_URI|ARGS|REQUEST_BODY "phpbb2mysql_data=a\x3A2\x3A\x7Bs\x3A11\x3A\x22autologinid\x22\x3Bb\x3A1\x3Bs\x3A6\x3A\x22userid\x22\x3Bs\x3A1\x3A\x222\x22\x3B\x7D" \ "id:380001,rev:1,severity:2,msg:'PHP session cookie attack'" # Rule 380002: schema overflow attempt SecRule REQUEST_URI|ARGS|REQUEST_BODY "\|3A\|///^[^\/]{14,}?\x3a\/\//U" \ "id:380002,rev:1,severity:2,msg:'PHP session cookie attack'" # Rule 380003: HappyMall Command Execution member_html.cgi SecRule REQUEST_URI "/member_html\.cgi\x3F.*file\x3D(\x3B|\x7C)" \ "id:380003,rev:1,severity:2,msg:'PHP session cookie attack'" # Rule 380004: HappyMall Command Execution normal_html.cgi SecRule REQUEST_URI "/normal_html\.cgi\x3F.*file\x3D(\x3B|\x7C)" \ "id:380004,rev:1,severity:2,msg:'PHP session cookie attack'" # Rule 380005: phpBB Remote Code Execution Attempt SecRule REQUEST_URI "/viewtopic\.php\?" \ "id:380005,rev:1,severity:2,msg:'PHP session cookie attack',chain" SecRule REQUEST_URI|ARGS|REQUEST_BODY "highlight=.*(\'|\%[a-f0-9]{4})(\.|\/|\\|\%[a-f0-9]{4}).+?(\'|\%[a-f0-9]{4})" # Rule 380006: XSS generic sig SecRule REQUEST_URI|ARGS|REQUEST_BODY|!ARGS:message "/(\x3D|=)[^\n]*(\x3C|<)[^\n]+(\x3E|>)" \ "id:380006,rev:2,severity:2,msg:'XSS Generic attack'" # Rule 380007: generic SQL injection sigs using PCRE SecRule REQUEST_URI|ARGS|REQUEST_BODY "/\w*(\x27|\’)(\x6F|o|\x4F)(\x72|r|\x52)/ix" \ "id:380007,rev:1,severity:2,msg:'SQL Inject Generic signature'" # Rule 380008: TWiki "rev" Shell Command Injection Vulnerability SecRule REQUEST_URI "/TWikiUsers\?rev=\x20\x7C" \ "id:380008,rev:1,severity:2,msg:'TWiki rev Shell Command injection attempt'" # Rule 380009: ATutor Multiple Vulnerabilities SecRule REQUEST_URI "/(body_header\.inc|print)\.php\?section.*\x00" \ "id:380009,rev:1,severity:2,msg:'ATutor exploit attempt'" # Rule 380010: faqmanager.cgi arbitrary file access attempt SecRule REQUEST_URI "/faqmanager.cgi?toc=.*(\|00\||\x00)" \ "id:380010,rev:1,severity:2,msg:'Faqmanager arbitrary file access attempt'"