# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.1.5 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved. # # The ModSecuirty Core Rule Set is distributed under GPL version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- #%name 30 - HTTP policy enforcement #%desc The HTTP policy enforcement rule set sets limitations on the use of HTTP by clients. # Few applications require the breadth and depth of the HTTP protocol. On the # other hand many attacks abuse valid but rare HTTP use patterns. Restricting # HTTP protocol usage is effective in therefore effective in blocking many # application layer attacks. # # TODO If you are using the ModSecurity Core Ruleset template system you can set # the policy limitations in the ruleset.config file. Otherwise edit this # file manually to set you policy limitations. # # TODO Many automation programs use non standard HTTP requests. While you may # want to allow some of those, try not to create exceptions only for the # automated program based on properties such as their source IP address or # the URL they access. # SecDefaultAction "pass,log,status:400,phase:2" # allow request methods # # TODO Most applications only use GET, HEAD, and POST request # methods, if so uncomment the line below. Otherwise you are advised # to edit the line before uncommenting it. # SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \ "phase:2,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032'" # Restrict which content-types we accept. # # TODO Most applications support only two types for request bodies # because that is all browsers know how to produce. If you are using # automated tools to talk to the application you may be using other # content types and would want to change the list of supported types. # # Note though that ModSecurity parses only three content types: # application/x-www-form-urlencoded, multipart/form-data request and # text/xml. The protection provided for any other type is inferior. # # TODO There are many applications that are not using multipart/form-data # types (typically only used for file uploads). This content type # can be disabled if not used. # # NOTE We allow any content type to be specified with GET or HEAD # because some tools incorrectly supply content type information # even when the body is not present. There is a rule further in # the file to prevent GET and HEAD requests to have bodies to we're # safe in that respect. # # NOTE Use of WebDAV requires "text/xml" content type. # # NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports # applications running on the PocketPC and AvantGo platforms use # non-standard content types: # # M-Business iAnywhere application/x-mal-client-data # UltraLite iAnywhere application/octet-stream # SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" \ "chain, t:lowercase, deny,log,auditlog,status:501,msg:'Request content type is not allowed by policy',id:'960010',severity:'4'" SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)" # Restrict protocol versions. # # TODO All modern browsers use HTTP version 1.1. For tight security, allow only # this version. # # NOTE Automation programs, both malicious and non malicious many times use # other HTTP versions. If you want to allow a specific automated program # to use your site, try to create a narrower expection and not allow any # client to send HTTP requests in a version lower than 1.1 # SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.[01])$" \ "t:none, deny,log,auditlog,status:505,msg:'HTTP protocol version is not allowed by policy', severity:'2',id:'960034'" # Restrict file extension # # TODO the list of file extensions below are virtually always considered unsafe # and not in use in any valid program. If your application uses one of # these extensions, please remove it from the list of blocked extensions. # You may need to use ModSecurity Core Rule Set Templates to do so, otherwise # comment the whole rule. # SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$" \ "t:urlDecodeUni, t:lowercase, deny,log,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',id:'960035'" # Restricted HTTP headers # # TODO the list of HTTP headers below are considered unsafe for your environment. # If your application uses one of these directories, please remove it from # the list of blocked extensions. You may need to use ModSecurity Core Rule # Set Templates to do so, otherwise comment the whole rule. # SecRule REQUEST_HEADERS_NAMES "(?:lock-token|translate|if)$" \ "t:lowercase,deny,log,auditlog,status:500,msg:'HTTP header is restricted by policy',id:'960038',severity:'4'" # Restricted Content Encodings # # ModSecurity does not support compressed content. Therefore, the following # action will be taken: # - Inbound compressed content will be denied # - Outbound compressed content will be logged once, to alert the user # Deny inbound compressed content SecRule REQUEST_HEADERS:Content-Encoding "!^Identity$" \ "phase:2,t:none,deny,log,auditlog,status:501,msg:'ModSecurity does not support content encodings',id:'960902',severity:'3'" # Log outbound compressed content (once per location) SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" \ "phase:5,t:none,pass,log,auditlog,msg:'ModSecurity does not support content encodings',id:'960903',severity:'4',chain" SecRule &RESOURCE:alerted_960903_compression "@eq 0" "setvar:resource.alerted_960903_compression"