modsecurity-waf/nginx-waf/00_asl_y_searchengines.conf

242 lines
15 KiB
Plaintext
Raw Permalink Normal View History

2024-12-11 16:57:51 -05:00
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Copyright 2013-2017 Atomicorp, Inc., all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#
# Note: These rules will not work without this apache setting
#
# HostnameLookups Double
#Modsecurity 2.8.0 has a nasty bug that makes it not work with ipmatch rules
#so we cant let these rules load in 2.8.0 boxes
#SecRule MODSEC_BUILD "@gt 020777900" #phase:1,id:333772,rev:1,t:none,nolog,pass,skipAfter:END_SEARCH_ENGINE
SecRule REQUEST_HEADERS:User-Agent "@pm googlebot bingbot yahoo yeti hailoobot technoratibot friendfeedbot newsgator blogscope gist bloglines/ netvibes yandex friendfeedbot/ baiduspider/ mediapartners-google Feedfetcher-Google Twitterbot" "id:318745,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:333722,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_SEARCH_ENGINE"
#Twitterbot
#199.59.148.0/22
SecRule REQUEST_HEADERS:User-Agent "Twitterbot" "id:338746,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:334904,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_TWITTER"
SecRule REMOTE_HOST "@ipmatch 199.59.148.0/24" "id:343917,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "\.twttr\.com$" "id:303831,severity:'2',rev:1,t:none,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake twitter bot',phase:1"
#Real MSN search engine
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'339331',t:none,nolog,noauditlog,allow"
SecMarker END_TWITTER
#User-Agent: Feedly/1.0 (+http://www.feedly.com/fetcher.html; like FeedFetcher-Google)
SecRule REQUEST_HEADERS:User-Agent "^Feedly" "id:303990,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:303991,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_FEEDLY"
SecRule REMOTE_HOST "@ipmatch 65.19.138.0/26,8.29.198.0/24" "id:323978,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "!@endsWith .feedly.com" "capture,id:303890,severity:'2',rev:4,t:none,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules: Fake Feedly webcrawler',phase:1,logdata:'%{TX.0}'"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303992',t:none,nolog,noauditlog,allow"
SecMarker END_FEEDLY
#Google
SecRule REQUEST_HEADERS:User-Agent "^(?:Googlebot-richsnippets|OnPageBot)" "phase:1,id:323931,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_GOOGLE"
SecRule REQUEST_HEADERS:User-Agent "@pm googlebot mediapartners-google" "id:323900,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:333901,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_GOOGLE"
#74.125.0.0/16 is registered to google, but does not have a PTR record
#66.249.64.0/19 is google
SecRule REMOTE_HOST "@ipmatch 74.125.0.0/16,66.249.64.0/19,173.194.0.0/16" "id:323918,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "!@endsWith .googlebot.com" "capture,id:303800,rev:3,severity:'2',t:none,t:lowercase,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules: Fake Googlebot webcrawler',phase:1,logdata:'%{TX.0}'"
#Real Google Search Engine
#Allow all from google
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303902',t:none,nolog,noauditlog,allow"
SecMarker END_GOOGLE
#Feedfetcher-Google
SecRule REQUEST_HEADERS:User-Agent "@contains Feedfetcher-Google" "id:303947,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:343948,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_GOOGLE2"
SecRule REMOTE_HOST "@ipmatch 74.125.0.0/16,66.249.64.0/19" "id:323928,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "!@endsWith .google.com" "capture,id:303833,severity:'2',rev:5,t:none,t:lowercase,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules: Fake Google Feedfetcher webcrawler',phase:1,logdata:'%{TX.0}'"
#Allow all from google
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303935',t:none,nolog,noauditlog,allow"
SecMarker END_GOOGLE2
#MSN search engine
SecRule REQUEST_HEADERS:User-Agent "@pm msnbot bingbot" "id:318746,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:333904,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_MSN"
SecRule REMOTE_HOST "@ipmatch 157.54.0.0/15,207.46.0.0/16,40.124.0.0/16,40.96.0.0/12,40.112.0.0/13,40.125.0.0/17,40.74.0.0/15,40.120.0.0/14,40.80.0.0/12,40.76.0.0/14" "id:323917,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "!(^msnbot-[0-9]+-[0-9]+-[0-9]+-[0-9]+\.search\.msn\.com$)" "capture,id:303801,severity:'2',rev:6,t:none,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake msnbot/bingbot webcrawler',phase:1,logdata:'%{TX.0}'"
#SecRule REMOTE_HOST "!(^msnbot-[0-9]+-[0-9]+-[0-9]+-[0-9]+\.search\.msn\.com$|^131\.253\.[2-4][0-9]\.[0-9]+$)"
#Real MSN search engine
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303903',t:none,nolog,noauditlog,allow"
SecMarker END_MSN
#Yahoo Slurp engine
SecRule REQUEST_HEADERS:User-Agent "@contains yahoo! slurp" "id:323904,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:333905,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_YAHOO"
#China Yahoo ranges
#110.75.160.0 - 110.75.191.255
#110.75.171.0 - 110.75.176.255
#
#Other yahoo ranges
#98.136.0.0/14
SecRule REMOTE_HOST "@ipmatch 110.75.160.0/19,98.136.0.0/14,68.180.128.0/17,217.146.179.0/24" "id:323914,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "!(\.yahoo\.(?:net|com)$)" "id:303802,severity:'2',rev:5,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Yahoo! Slurp webcrawler',phase:1"
#Real Yahoo Slurp engine
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303906',t:none,nolog,noauditlog,allow"
SecMarker END_YAHOO
SecRule REQUEST_HEADERS:User-Agent "@contains yahoo pipes" "id:303907,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:333908,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_YAHOO2"
SecRule REMOTE_HOST "!(\.yahoo\.(?:com|net)$)" "id:303803,severity:'2',rev:2,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Yahoo Pipes webcrawler',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303908',t:none,nolog,noauditlog,allow"
SecMarker END_YAHOO2
SecRule REQUEST_HEADERS:User-Agent "@beginsWith Yeti/" "id:303909,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:318749,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_YETI"
#SecRule REMOTE_HOST "@ipmatch 61.247.192.0/19" # "id:323916,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "!(^crawl-[0-9]+-[0-9]+-[0-9]+-[0-9]+\.naver\.jp$)" "id:303804,severity:'2',rev:4,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Yeti webcrawler',phase:1"
#SecRule REMOTE_HOST "!(^crawl-[0-9]+-[0-9]+-[0-9]+-[0-9]+\.naver\.jp$|^61\.247\.(19[2-9]|2[0-2][0-3])\.[0-9]{1,3}$" #
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303910',t:none,nolog,noauditlog,allow"
SecMarker END_YETI
SecRule REQUEST_HEADERS:User-Agent "@contains hailoobot" "id:303913,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:333911,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_HAIL"
SecRule REMOTE_HOST "!@endswith webcrawler.hailoo.com" "id:303805,severity:'2',rev:1,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Hailoobot webcrawler.',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303912',t:none,nolog,noauditlog,allow"
SecMarker END_HAIL
SecRule REQUEST_HEADERS:User-Agent "@contains technoratibot/" "id:303915,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:333915,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_TECHNO"
SecRule REMOTE_HOST "!@endswith .crawler.technorati.com" "id:303806,severity:'2',rev:1,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Technoratibot webcrawler.',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303916',t:none,nolog,noauditlog,allow"
SecMarker END_TECHNO
SecRule REQUEST_HEADERS:User-Agent "@contains friendfeedbot/" "id:303917,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:333918,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_FACEBOOK"
SecRule REMOTE_HOST "!@endsWith .facebook.com" "id:303807,severity:'2',rev:1,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake FriendFeed/Facebook webcrawler',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303919',t:none,nolog,noauditlog,allow"
SecMarker END_FACEBOOK
SecRule REQUEST_HEADERS:User-Agent "yandex(?:bot|images|blog)" "id:303920,rev:2,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:303921,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_YANDEX"
SecRule REMOTE_HOST "@ipmatch 95.108.158.128/25" "id:323916,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "!(\.yandex\.(?:ru|com|net)$)" "id:303808,severity:'2',rev:2,t:none,t:lowercase,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Yandex webcrawler.',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303900',t:none,nolog,noauditlog,allow"
SecMarker END_YANDEX
SecRule REQUEST_HEADERS:User-Agent "@contains bloglines/" "id:313921,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:313922,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_BLOGLINES"
SecRule REMOTE_HOST "!@streq crawler.bloglines.com" "id:303810,severity:'2',rev:1,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Bloglines webcrawler.',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303901',t:none,nolog,noauditlog,allow"
SecMarker END_BLOGLINES
SecRule REQUEST_HEADERS:User-Agent "@contains gist server" "id:303924,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:303925,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_GIST"
SecRule REMOTE_HOST "!@endsWith .gist.com" "id:303811,severity:'2',rev:1,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Gist webcrawler',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303922',t:none,nolog,noauditlog,allow"
SecMarker END_GIST
SecRule REQUEST_HEADERS:User-Agent "@contains blogscope" "id:303927,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:303928,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_BLOGSCOPE"
SecRule REMOTE_HOST "!@endsWith .toronto.edu" "id:303812,severity:'2',rev:1,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake BlogScope webcrawler',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303923',t:none,nolog,noauditlog,allow"
SecMarker END_BLOGSCOPE
SecRule REQUEST_HEADERS:User-Agent "newsgator/2\.0 bot" "id:303930,rev:2,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:303931,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_NEWSGATOR"
SecRule REMOTE_HOST "!@endsWith .newsgator.com" "id:303813,severity:'2',rev:1,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake NewsGatorOnline webcrawler',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303904',t:none,nolog,noauditlog,allow"
SecMarker END_NEWSGATOR
SecRule REQUEST_HEADERS:User-Agent "@contains netvibes" "id:303933,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:303934,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_NETVIBES"
SecRule REMOTE_HOST "!@endsWith .netvibes.com" "id:303814,severity:'2',rev:1,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Netvibes webcrawler',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303905',t:none,nolog,noauditlog,allow"
SecMarker END_NETVIBES
#Baidu seems to have a broken resolver
#The forward record never resolves
#
#nslookup baiduspider-180-76-5-87.crawl.baidu.com
#** server can't find baiduspider-180-76-5-87.crawl.baidu.com: NXDOMAIN
#nslookup 180.76.5.87
#87.5.76.180.in-addr.arpa name = baiduspider-180-76-5-87.crawl.baidu.com.
#So some known static ranges are added
#inetnum: 180.76.0.0 - 180.76.255.255
#netname: Baidu
#
#inetnum: 123.125.71.0 - 123.125.71.255
#netname: SADF
#123.122.0.0 - 123.122.15.255
#119.63.192.0 - 119.63.199.255
#202.46.32.0 - 202.46.63.255
SecRule REQUEST_HEADERS:User-Agent "@contains baiduspider/" "id:303936,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:323937,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_BAIDU"
SecRule REMOTE_HOST "@ipmatch 180.76.0.0/16,123.122.0.0/20,123.125.71.0/24,119.63.192.0/21,220.181.0.0/16,202.46.32.0/19,185.10.104.0/22" "id:323915,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "!(\.crawl\.baidu\.com$)" "id:303937,severity:'2',rev:7,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Baidu webcrawler',phase:1"
#SecRule REMOTE_HOST "!(\.crawl\.baidu\.com$|^180\.76\.[0-9]+\.[0-9]+$|^123\.125\.71\.[0-9]+$|^220\.181\.[0-9]+\.[0-9]+$|123\.122\.[0-15]\.[0-9]+$|^119\.63\.19[2-9]\.[0-9]+$)"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303938',t:none,nolog,noauditlog,allow"
SecMarker END_BAIDU
SecMarker END_SEARCH_ENGINE