# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.1.5 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved. # # The ModSecuirty Core Rule Set is distributed under GPL version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # In most cases, you should expect a certain volume of each a request on your # website. For example, a request with 400 arguments, can be suspicious. # This file creates limitations on the request. # TODO Look at the rules in this file, and define the sizes you'd like to enforce. # Note that most of the rules are commented out by default. # Uncomment the rules you need # SecDefaultAction "pass,log,status:400,phase:2" ## -- Arguments limits -- # Limit argument name length #SecRule ARGS_NAMES "^.{100}" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Argument name too long',id:'960209',severity:'4'" # Limit value name length #SecRule ARGS "^.{400}" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Argument value too long',id:'960208',severity:'4'" # Maximum number of arguments in request limited SecRule &ARGS "@gt 255" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Too many arguments in request',id:'960335',severity:'4'" # Limit arguments total length #SecRule ARGS_COMBINED_SIZE "@gt 64000" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Total arguments size exceeded',id:'960341',severity:'4'" ## -- File upload limits -- # Individual file size is limited #SecRule FILES_SIZES "@gt 1048576" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Uploaded file size too large',id:'960342',severity:'4'" # Combined file size is limited #SecRule FILES_COMBINED_SIZE "@gt 1048576" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Total uploaded files size too large',id:'960343',severity:'4'" ## -- Apache Limits -- # These are Apache limit directives, but we are including them here because # they are often forgotten. If you already have these configured leave this # section entirely commented-out. Otherwise review the limits and uncomment # the directives. # Maximum size of the request body. # # NOTE If your application allows file uploads the value below will # most likely be way to low. # #LimitRequestBody 64000 # Maximum number of request headers in a request. # #LimitRequestFields 32 # Maximum size of request header lines. # #LimitRequestFieldSize 8000 # Maximum size of the request line. # #LimitRequestLine 4000