# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.1.5 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved. # # The ModSecuirty Core Rule Set is distributed under GPL version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # TODO in some cases a valid client (usually automated) generates requests that # violates the HTTP protocol. Create exceptions for those clients, but try # to limit the exception to a source IP or other additional properties of # the request such as URL and not allow the violation generally. # # # Use status code 400 response status code by default as protocol violations # are in essence bad requests. SecDefaultAction "log,pass,phase:2,status:400" # Validate request line # SecRule REQUEST_LINE "!^(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+))??/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+$" \ "t:none,t:lowercase,deny,log,auditlog,status:400,msg:'Invalid HTTP Request Line',id:'960911',severity:'2'" # HTTP Request Smuggling # SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," "deny,log,auditlog,status:400,msg:'HTTP Request Smuggling Attack.',id:'950012',severity:'1'" # Block request with malformed content. # ModSecurity will not inspect these, but the server application might do so # SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" "t:none,deny,log,auditlog,status:400,msg:'Request Body Parsing Failed. %{REQBODY_PROCESSOR_ERROR_MSG}',id:'960912',severity:'2'" # Accept only digits in content length # SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "deny,log,auditlog,status:400,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016'" # Do not accept GET or HEAD requests with bodies # HTTP standard allows GET requests to have a body but this # feature is not used in real life. Attackers could try to force # a request body on an unsuspecting web applications. # SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011'" SecRule REQUEST_HEADERS:Content-Length "!^0?$" # Require Content-Length to be provided with every POST request. # SecRule REQUEST_METHOD "^POST$" "chain,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header',id:'960012',severity:'4'" SecRule &REQUEST_HEADERS:Content-Length "@eq 0" # Don't accept transfer encodings we know we don't know how to handle # # NOTE ModSecurity does not support chunked transfer encodings at # this time. You MUST reject all such requests. # SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" "deny,log,auditlog,status:501,msg:'ModSecurity does not support transfer encodings',id:'960013',severity:'3'" # Check encodings SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \ "chain, deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'" SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" # Check UTF enconding # Uncomment this rule if your system uses UTF encoding. #SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,status:400,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',severity:'4'" # Disallow use of full-width unicode SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%u[fF]{2}[0-9a-fA-F]{2}" \ "t:none,deny,log,auditlog,status:400,msg:'Unicode Full/Half Width Abuse Attack Attempt',id:'950116',severity:'4'" # Proxy access attempt # NOTE Apache blocks such access by default if not set as a proxy. The rule is # included in case Apache proxy is misconfigured. SecRule REQUEST_URI_RAW ^\w+:/ "deny,log,auditlog,status:400,msg:'Proxy access attempt', severity:'2',id:'960014'" # # Restrict type of characters sent # # NOTE In order to be broad and support localized applications this rule # only validates that NULL Is not used. # # The strict policy version also validates that protocol and application # generated fields are limited to printable ASCII. # # TODO If your application use the range 32-126 for parameters. # SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \ "@validateByteRange 1-255" \ "deny,log,auditlog,status:400,msg:'Invalid character in request',id:'960018',severity:'4',t:urlDecodeUni" SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Referer "@validateByteRange 1-255" \ "deny,log,auditlog,status:400,msg:'Invalid character in request',id:'960901',severity:'4',t:urlDecodeUni"