modsecurity-waf/nginx-waf/00_asl_z_antievasion.conf

61 lines
3.6 KiB
Plaintext
Raw Permalink Normal View History

2024-12-11 16:57:51 -05:00
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
SecRule REQUEST_FILENAME "/modules/addon_file_editor/action_handler\.php" "phase:2,id:91001,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390700"
SecRule REQUEST_FILENAME "/imp/compose\.php" "phase:2,id:91002,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390700"
SecRule REQUEST_FILENAME "/file/ajax/" "phase:2,id:91003,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390700"
SecRule REQUEST_FILENAME "/ajax/actions\.hsp" "phase:2,id:91004,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390700"
SecRule REQUEST_FILENAME "/hallinta/hallinta-tiedostot\.php" "phase:2,id:91005,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390700"
SecRule REQUEST_FILENAME "/toolbox_nb/" "phase:2,id:91006,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330791"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Copyright 2005-2019 by Atomicorp, Inc., all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#
#Detect request body processing errors
SecRule REQBODY_ERROR "!@eq 0" "phase:2,deny,t:none,status:400,msg:'Failed to parse request body. This may be an impedence mismatch attack, a broken application or a broken connection. This is not a false positive. Check your application or client for errors.',id:'330791',rev:3,auditlog,log,logdata:'%{reqbody_error_msg}',severity:2,tag:'no_ar'"
#Block malformed bodies
#Workaround for Plesk HSP multipart messages which are really broken
SecRule REQUEST_URI "^/supportcenter/server/" "id:334356,t:none,t:lowercase,pass,nolog,noauditlog,ctl:requestBodyAccess=off,tag:'no_ar'"
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" "t:none,phase:2,deny,log,auditlog,status:400,msg:'Request Body Parsing Failed. %{REQBODY_PROCESSOR_ERROR_MSG}: check your application or client for errors, this is not a false positive.',id:'340152',rev:1,severity:'5'"
# multipart/form-data name evasion attempts
SecRule FILES|FILES_NAMES|!FILES:pic|!FILES:/tablerate/|!FILES:async-upload|!FILES:/^ticketattachment/ "[\";=]" "capture,phase:2,deny,log,auditlog,id:390700,rev:7,t:none,t:urlDecodeUni,deny,status:403,msg:'Atomicorp.com WAF Rules: Evasion Attack: Invalid filename in FILES argument. Which may be a possible attempt at multipart/form-data bypass',logdata:'%{matched_var}'"