modsecurity-waf/nginx-waf/03_asl_dos.conf

# Default action list inherited by the rules below that do not spell out their
# own: log the match, write an audit-log entry, and deny with HTTP 403 in
# phase 2. Rules in this file that say "deny" without a "status" (e.g. 331217)
# presumably fall back to this 403.
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Copyright 2005-2019 by Atomicorp, Inc., all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
# Rule 343434 (phase 5, pass): log-only. Fires when the response status that
# was sent is 408 (request timeout), which the message attributes to a client
# holding a slow connection. Nothing is blocked; it only records the event.
# NOTE(review): the message says "dropped by Apache", but this file lives under
# an nginx WAF directory — confirm a 408 is surfaced the same way there.
SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,log,auditlog,pass,rev:1,id:343434,msg:'Atomicorp.com WAF Rules: Client Connection dropped by Apache due to slow connection, possible Slowaris attack',severity:'4'"
#/?CtrlFunc_
# Rule 331215 (phase 1, deny 403), two-link chain: the method is POST and the
# raw (t:none) request URI begins with "/?CtrlFunc_". Both links must match
# before the deny on the chain starter is applied.
SecRule REQUEST_METHOD "@streq POST" "chain,severity:2,log,t:none,deny,status:403,auditlog,phase:1,id:331215,rev:1,msg:'Atomicorp.com WAF Rules: CtrlFunc Brute Force Attack Dropped'"
SecRule REQUEST_URI "@beginsWith /?CtrlFunc_" "t:none"
#DOS Rules go right up front
#Wordpress Resource Exhaustion attack
# Gate for the trackback checks: rule 393939 matches when the URI contains the
# trackback script and "skip:1" jumps over the SecAction that follows, so only
# trackback requests reach rules 390639/390640. Any other request hits 393940
# and is sent straight to END_DOS_CHECKS_WP.
# NOTE(review): @pm matches literal phrases, not regular expressions — confirm
# that the backslash in "/wp-trackback\.php" is consumed by the phrase parser
# as an escape rather than being required literally in the URI.
SecRule REQUEST_URI "@pm /wp-trackback\.php" "phase:1,id:'393939',t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:393940,t:none,pass,nolog,noauditlog,skipAfter:END_DOS_CHECKS_WP"
# Rule 390639 (phase 1, deny 403): the "charset" argument, after URL-decoding,
# whitespace compression and lowercasing, either repeats "utf-8," six times or
# contains at least five commas. ("deny" is listed twice; the duplicate is
# redundant.)
SecRule ARGS:charset "(?:utf-8,utf-8,utf-8,utf-8,utf-8,utf-8|,.*,.*,.*,.*,)" "phase:1,deny,status:403,log,deny,auditlog,t:none,t:urlDecodeUni,t:compressWhitespace,t:lowercase,id:390639,rev:2,severity:2,msg:'Atomicorp.com WAF Rules - Just In Time Patch: WordPRess trackback resource exhaustion attack'"
#Wordpress Resource Exhaustion attack exploit
# Rule 390640 (phase 1, deny 403): the "title" argument, URL-decoded and
# lowercased, contains the fixed marker string "abcedfgabcedfgabcedfgabcedfg".
SecRule ARGS:title "abcedfgabcedfgabcedfgabcedfg" "phase:1,deny,status:403,log,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:390640,rev:1,severity:2,msg:'Atomicorp.com WAF Rules - Just In Time Patch: WordPRess trackback resource exhaustion attack'"
SecMarker END_DOS_CHECKS_WP
#Another variant of a DOS attack
# Rule 370145 (phase 1, deny 403): a query string beginning with "ptrxcz_" or
# "xclzve_" after URL-decoding and lowercasing. ("log" is listed twice; the
# duplicate is redundant.)
SecRule REQUEST_URI "\?(?:ptrxcz|xclzve)_" "log,auditlog,phase:1,deny,log,status:403,t:none,t:urlDecodeUni,t:lowercase,id:370145,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Known wormsign'"
#/?CtrlFunc_
# NOTE(review): the "/?CtrlFunc_" label above looks like a leftover from rule
# 331215; the rule below keys on a numeric "?NNN=NNN" query, not CtrlFunc.
# Rule 331216 (phase 1, deny 403), two-link chain: the raw URI has "?" followed
# by an optionally negative run of 3-6 digits, "=", and an optionally negative
# run of at least 3 digits — unless the lowercased URI starts with
# "/administrator/" (negated second link).
SecRule REQUEST_URI "\?-?[0-9]{3,6}=-?[0-9]{3,6}" "severity:2,log,auditlog,t:none,deny,status:403,phase:1,id:331216,rev:2,msg:'Atomicorp.com WAF Rules: Wordpress DOS Attack Dropped',chain"
SecRule REQUEST_URI "!(^/administrator/)" "t:none,t:lowercase"
#long lines
# Rule 331217 (phase 1, deny), two-link chain: a HEAD request whose lowercased
# URI has a query of 2000 or more consecutive alphanumerics. No "status" is
# given here, so the SecDefaultAction status presumably applies.
SecRule REQUEST_METHOD "@streq HEAD" "chain,severity:2,log,auditlog,t:none,deny,phase:1,id:331217,rev:1,msg:'Atomicorp.com WAF Rules: Possible DOS Attack Dropped'"
SecRule REQUEST_URI "\?[0-9a-z]{2000,}" "t:none,t:lowercase"
#xmlrpc DOS attacks
# Rule 392331 (phase 1, deny 403), three-link chain: no Content-Type header at
# all (the &-count is 0), a Content-Length header whose value is not exactly
# "0", and "xmlrpc.php" somewhere in the URL-decoded, lowercased URI.
# If Content-Length is absent the second link has nothing to test and the
# chain presumably does not complete. ("log" is listed twice.)
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" "log,auditlog,chain,phase:1,rev:3,t:none,deny,log,status:403,msg:'Atomicorp.com WAF Rules: xmlrpc DOS attack',id:'392331',severity:'2'"
SecRule REQUEST_HEADERS:Content-Length "!^0$" "t:none,chain"
SecRule REQUEST_URI "xmlrpc\.php" "t:none,t:urlDecodeUni,t:lowercase"
#Per count DOS checks
# Rule 350115 (phase 1, silent): thresholds for the per-IP counters below.
#   tx.dos_burst_time_slice  = 60   seconds a burst mark stays alive
#   tx.dos_counter_threshold = 5    hits a burst must exceed (@gt, see 350113)
#   tx.dos_block_timeout     = 600  seconds an IP stays blocked (10 minutes)
# NOTE(review): the "ip" collection must be initialised (initcol) and
# tx.real_ip set by rules outside this file — neither appears here; confirm.
SecAction "nolog,noauditlog,pass,id:350115,phase:1,t:none,setvar:'tx.dos_burst_time_slice=60',setvar:'tx.dos_counter_threshold=5',setvar:'tx.dos_block_timeout=600'"
# Rule 350116 (phase 1, deny 404), two-link chain: the IP is flagged as blocked
# (ip.dos_block=1) and no alert-throttle flag is present. On a full match it
# sets the throttle flag for 60 s, copies the per-IP hit count into
# tx.dos_block_counter for the message, and zeroes the per-IP count — i.e. at
# most one logged alert per minute per blocked IP. The 404 (not 403) means the
# block is not advertised to the client. ("log" is listed twice.)
# NOTE(review): the setvar on the chain starter increments ip.dos_block_counter
# whenever the first link matches. If the engine runs it before the second
# link is evaluated, requests arriving while the flag is still set are counted
# here and again by rule 350117 — confirm against the engine version in use.
SecRule IP:DOS_BLOCK "@eq 1" "log,auditlog,chain,phase:1,id:350116,deny,log,status:404,severity:2,msg:'Atomicorp.com WAF Rules: Potential Denial of Service (DoS) Attack Identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)',setvar:ip.dos_block_counter=+1"
SecRule &IP:DOS_BLOCK_FLAG "@eq 0" "setvar:ip.dos_block_flag=1,expirevar:ip.dos_block_flag=60,setvar:tx.dos_block_counter=%{ip.dos_block_counter},setvar:ip.dos_block_counter=0"
# Block and track the number of requests but don't log, then skip because it's already blocked
# Rule 350117 (phase 1, deny 404, silent): same blocked-IP condition, reached
# only when 350116's chain did not complete (throttle flag still set). Keeps
# counting hits for the next alert. ("nolog" is listed twice.)
SecRule IP:DOS_BLOCK "@eq 1" "phase:1,id:'350117',t:none,deny,status:404,noauditlog,nolog,severity:2,nolog,setvar:ip.dos_block_counter=+1"
# Rule 350118 (phase 5, pass): a blocked IP's requests skip the counting rules
# below, so denied requests do not feed ip.dos_counter.
SecRule IP:DOS_BLOCK "@eq 1" "phase:5,id:'350118',t:none,nolog,noauditlog,pass,skipAfter:END_DOS_PROTECTION_CHECKS"
# Count the number of requests to the protected resources
#SecRule REQUEST_FILENAME "@pmFromFile dos_protected.txt"
# Rule 350112 (phase 5, silent): with the file-based list above commented out,
# only requests whose decoded, lowercased filename contains "xmlrpc.php" are
# counted, in ip.dos_counter. No expirevar is set on ip.dos_counter here, so
# the count is only cleared by rule 350113 once the threshold is exceeded.
SecRule REQUEST_FILENAME "xmlrpc\.php" "phase:5,id:'350112',t:none,t:urlDecodeUni,t:lowercase,nolog,noauditlog,pass,setvar:ip.dos_counter=+1"
# If the request count exceeds our threshold (@gt: strictly greater than
# tx.dos_counter_threshold, so the 6th hit at the default of 5) then add one
# to the burst counter, (re)arm its 60 s expiry, and reset the request count.
# ("t:none" is listed twice.)
SecRule IP:DOS_COUNTER "@gt %{tx.dos_counter_threshold}" "phase:5,id:'350113',t:none,nolog,noauditlog,pass,t:none,setvar:ip.dos_burst_counter=+1,expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},setvar:!ip.dos_counter"
# Check DOS Burst Counter
# Check the burst counter - if greater than or equal to 2 (two bursts within
# the 60 s slice), then we set the IP block variable for tx.dos_block_timeout
# seconds (600 s = 10 minutes as configured in rule 350115, not 5 minutes)
# and issue an alert. This rule is "pass": the request that trips it goes
# through, and blocking starts with the IP's next request in phase 1.
# ("log" is listed twice.)
SecRule IP:DOS_BURST_COUNTER "@ge 2" "log,auditlog,phase:5,id:'350114',rev:1,severity:3,t:none,log,pass,msg:'Atomicorp.com WAF Rules: Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',setvar:ip.dos_block=1,expirevar:ip.dos_block=%{tx.dos_block_timeout},tag:'no_ar'"
SecMarker END_DOS_PROTECTION_CHECKS
#SecRule REQUEST_BASENAME "xmlrpc\.php" # "chain,phase:2,deny,log,auditlog,severity:2,id:'350116',rev:1,msg:'Atomicorp.com WAF Rules: Wodpress XML Pingback (Disable if you want to allow pingbacks to Wordpress)',t:none,t:lowercase,t:urlDecodeUni"
#SecRule REQUEST_BODY|XML:/* "pingback\.ping" "t:none,t:lowercase"