modsecurity-waf/nginx-waf/12_asl_brute.conf

258 lines
22 KiB
Plaintext
Raw Permalink Normal View History

2024-12-11 16:57:51 -05:00
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.9+
#
# Created by Atomicorp (http://www.atomicorp.com)
# Copyright 2005-2019 by Atomicorp, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#
#SecRule REQUEST_METHOD "^post$" #phase:2,pass,t:none,t:lowercase,nolog,skip:1
#SecAction phase:2,t:none,pass,nolog,skipAfter:END_BRUTE_IN
#vbulletin
#set a variable that someone tried to login
#SecRule REQUEST_URI "/login\.php" # "pass,nolog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,setvar:tx.brute_vbulletin_login=yes,noauditlog,nolog,id:377400,rev:1,severity:2"
#SecRule ARGS:do "^login$"
#PHP logins
#SecRule REQUEST_URI "/ucp\.php" # "chain,pass,nolog,noauditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,setvar:tx.brute_phpbb_login=yes"
#SecRule ARGS:mode "^login$"
#wikimedia
#"POST /wiki/index.php?title=Special:UserLogin&action=submitlogin&type=login&returnto=Main_Page
#SecRule ARGS:title "^special\:userlogin$" # "chain,pass,nolog,noauditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,setvar:tx.brute_phpbb_login=yes"
#SecRule ARGS:action "^submitlogin$" chain
#SecRule ARGS:type "^login$"
#SecMarker END_BRUTE_IN
SecRule REQUEST_METHOD "@streq POST" "phase:5,chain,t:none,auditlog,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure ',id:'377360',rev:2,severity:'4',tag:'no_ar'"
SecRule REQUEST_URI "/wp-login\.php" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule RESPONSE_STATUS "200" "t:none"
SecRule REQUEST_URI "/wp-login\.php" "phase:2,chain,t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,auditlog,deny,log,status:403,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login with no user-agent or referrer, Bot attempting Wordpress Login',id:'377390',rev:3,severity:'2'"
SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none,chain"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"
SecRule REQUEST_URI "/wp-login\.php" "phase:2,chain,t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,auditlog,deny,log,status:403,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login with empty user-agent and referrer, possible bot',id:'377391',rev:4,severity:'2'"
SecRule REQUEST_HEADERS:User-Agent "^$" "t:none,t:removeWhiteSpace,chain"
SecRule REQUEST_HEADERS:Referer "^$" "t:none,t:removeWhiteSpace"
#multi-auth blocking for wordpress xmlrpc
#wp.getUsersBlogs
SecRule REQUEST_URI "/xmlrpc\.php" "t:none,t:urlDecodeUni,t:lowercase,phase:2,id:345868,pass,nolog,noauditlog,chain,skip:1"
SecRule REQUEST_METHOD "@streq POST" "t:none"
SecAction "phase:2,id:323318,t:none,pass,nolog,noauditlog,skipAfter:END_XMLRPC_BRUTE_1"
SecRule REQUEST_BODY|XML:/* "(?:wp|blogger|m(?:w|t))\.(?:(?:g|s)et|new|edit|delete|suggest).*(?:wp|blogger|m(?:w|t))\.(?:(?:g|s)et|new|edit|delete|suggest).*(?:wp|blogger|m(?:w|t))\.(?:(?:g|s)et|new|edit|delete|suggest)" "phase:2,t:none,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules - Bruteforce Login Failure Detection: WordPress Multiple Simultaneous Login Attempt Failure ',id:'377609',rev:4,severity:'2'"
SecRule REQUEST_URI "^/xmlrpc.php\?for=jetpack" "phase:2,id:323338,t:none,t:lowercase,pass,log,skipAfter:END_XMLRPC_BRUTE_2"
SecRule REQUEST_BODY|XML:/* "system\.multicall" "phase:2,t:none,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules - Bruteforce Login Failure Detection: WordPress Multiple Simultaneous Login Attempt Failure ',id:'377619',rev:2,severity:'2'"
#wp.getUsersBlogs, wp.newPost, wp.editPost, wp.deletePost, wp.getPost, wp.getPosts, wp.newTerm, wp.editTerm, wp.deleteTerm, wp.getTerm, wp.getTerms, wp.getTaxonomy, wp.getTaxonomies, wp.getUser, wp.getUsers, wp.getProfile, wp.editProfile, wp.getPage, wp.getPages, wp.newPage, wp.deletePage, wp.editPage, wp.getPageList, wp.getAuthors, wp.getTags, wp.newCategory, wp.deleteCategory, wp.suggestCategories, wp.getComment, wp.getComments, wp.deleteComment, wp.editComment, wp.newComment, wp.getCommentStatusList, wp.getCommentCount, wp.getPostStatusList, wp.getPageStatusList, wp.getPageTemplates, wp.getOptions, wp.setOptions, wp.getMediaItem, wp.getMediaLibrary, wp.getPostFormats, wp.getPostType, wp.getPostTypes, wp.getRevisions, wp.restoreRevision, blogger.getUsersBlogs, blogger.getUserInfo, blogger.getPost, blogger.getRecentPosts, blogger.newPost, blogger.editPost, blogger.deletePost, mw.newPost, mw.editPost, mw.getPost, mw.getRecentPosts, mw.getCategories, mw.newMediaObject, mt.getRecentPostTitles, mt.getPostCategories, mt.setPostCategories
#
SecMarker END_XMLRPC_BRUTE_2
SecRule XML:/* "wp\.getUserBlogs.{,400}wp\.getUserBlogs.{,400}wp\.getUserBlogs" "phase:2,t:none,auditlog,deny,log,status:403,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Multiple Wordpress Login Attempt Failure ',id:'377368',rev:2,severity:'2'"
SecRule XML:/* "(?:wp\.getusersblogs|system\.multicall)" "phase:2,chain,t:none,t:lowercase,auditlog,deny,log,status:403,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Multiple Wordpress Login Attempt Failure ',id:'377367',rev:2,severity:'2'"
SecRule XML:/* "params" "t:none,t:lowercase,chain"
SecRule XML:/* "(?:admin.{,400}admin|string.{,200}string.{,200}string.{,200}string)" "t:none,t:lowercase"
SecMarker END_XMLRPC_BRUTE_1
SecRule SERVER_PORT "@streq 30000" "phase:4,id:339854,pass,t:none,nolog,noauditlog,skipAfter:END_BRUTE_OUT_1"
SecRule RESPONSE_BODY "@pm incorrect passwort password wrong match valid unrecognized succeed re-type error sorry, messagestackerror error-msg blank usuario isadmin" "phase:4,id:333862,pass,t:none,nolog,noauditlog,skip:1"
SecAction "phase:4,id:333318,t:none,pass,nolog,noauditlog,skipAfter:END_BRUTE_OUT"
#Login Details Incorrect. Please try again.
SecRule RESPONSE_BODY "<p>Login Details Incorrect\. Please try again\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: WHMCS login failure',id:'378410',rev:1,severity:'4',tag:'no_ar'"
#Recaptcha invalid response
# <td class="row3" colspan="2" align="center"><span class="gensmall error">The visual confirmation code you submitted was incorrect</span></td>
#phpbb login failure
SecRule RESPONSE_BODY ">The visual confirmation code you submitted was incorrect</span>" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Recaptcha invalid code',id:'377410',rev:1,severity:'4',tag:'no_ar'"
#phpbb login failure
SecRule RESPONSE_BODY "You have entered an invalid username or password\. Please enter the correct details and" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: VBulletin Login Attempt Failure ',id:'377300',rev:1,severity:'4',tag:'no_ar'"
#377301
#phpbb login failure
#You have specified an incorrect password. Please check your password and try again.
SecRule RESPONSE_BODY "You have specified an incorrect password\. Please check your password and try again\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: PHPBB Login Attempt Failure ',id:'377301',rev:1,severity:'4',tag:'no_ar'"
#mediawiki
#Incorrect password entered. Please try again
SecRule RESPONSE_BODY "Incorrect password entered\. Please try again\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Wikimedia Login Attempt Failure ',id:'377302',rev:1,severity:'4',tag:'no_ar'"
#sugarcrm
SecRule RESPONSE_BODY "You must specify a valid username and password\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Sugarcrm Administration system Login Attempt Failure ',id:'377303',rev:1,severity:'4',tag:'no_ar'"
#joomla
#Use a valid username and password to gain access to the Administrator Back-end
SecRule RESPONSE_BODY "(?:<li>Username and password do not match|Use a valid username and password to gain access to the Administrator Back-end|Nombre de usuario y contraseña no encontrados|Usuario no existe|Benutzername und Passwort falsch oder das Benutzerkonto existiert noch nicht)" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Joomla Administration Login Attempt Failure ',id:'377304',rev:5,severity:'4',tag:'no_ar'"
#wordpress
#<div id="login_error"> <strong>ERROR</strong>: The password you entered for the username <strong>admin</strong> is incorrect. <a href="http://server2/wordpress/wp-login.php?action=lostpassword" title="Password Lost and Found">Lost your password</a>?<br />
SecRule RESPONSE_BODY "<strong>E(?:rror|RROR)</strong>\: The password you entered for the username" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: WordPress Login Attempt Failure ',id:'377305',rev:2,severity:'4',tag:'no_ar'"
#Newer versions of WP
SecRule RESPONSE_BODY "<strong>E(?:rror|RROR)</strong>\: Incorrect password" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: WordPress Login Attempt Failure ',id:'377605',rev:2,severity:'4',tag:'no_ar'"
#Multiple WP xmlrpc brute force
SecRule RESPONSE_BODY|XML:/* "faultString.{,32}Incorrect username or password.{,100}faultString.{,32}Incorrect username or password.{,100}faultString.{,32}Incorrect username or password" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,deny,status:403,msg:'Atomicorp.com WAF Rules - Login Failure Detection: WordPress Multiple Simultaneous Login Attempt Failure ',id:'377679',rev:2,severity:'2'"
SecRule RESPONSE_BODY|XML:/* "isAdmin.{,100}boolean.{,100}isAdmin.{,100}boolean.{,100}isAdmin.{,100}boolean" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,deny,status:403,msg:'Atomicorp.com WAF Rules - Login Failure Detection: WordPress Multiple Simultaneous Login Attempt Failure ',id:'377689',rev:2,severity:'2'"
#Newer versions of WP XMLRPC API
SecRule RESPONSE_BODY|XML:/* "(?:<string>|faultString.{,128})Incorrect username or password" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: WordPress Login Attempt Failure ',id:'377625',rev:3,severity:'4',tag:'no_ar'"
#Newer versions of WP XMLRPC API
SecRule RESPONSE_BODY "<string>server error. requested method wp\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules: Potential WordPress Method Probe Detected ',id:'377626',rev:3,severity:'4',tag:'no_ar'"
#wordpress
#<div id="login_error"> <strong>ERROR</strong>: Invalid username. <a href="http://server2/wordpress/wp-login.php?action=lostpassword" title="Password Lost and Found">Lost your password</a>?<br />
SecRule RESPONSE_BODY "<strong>E(?:rror|RROR)</strong>: (?:Invalid|Unknown) username" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Wordpress invalid username failure ',id:'377306',rev:2,severity:'4',tag:'no_ar'"
#Drupal
SecRule RESPONSE_BODY "Sorry, unrecognized username or password" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Drupal invalid username or password failure ',id:'377308',rev:2,severity:'4',tag:'no_ar'"
#typo3
#<h2>Your login attempt did not succeed</h2>
# <p>Make sure to spell your username and password correctly, including upper/lowercase characters.</p>
SecRule RESPONSE_BODY "<h2>Your login attempt did not succeed</h2>" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Typo3 invalid username or password failure ',id:'377309',rev:1,severity:'4',tag:'no_ar'"
#modx
# <p class="error">That account could not be located. Check the username and re-type the password to try again.</p> </div></div></div>
SecRule RESPONSE_BODY ">That account could not be located\. Check the username and re-type the password to try again\.</p>" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: MODX invalid username failure ',id:'377310',rev:1,severity:'4',tag:'no_ar'"
# <p class="error">The username or password you entered is incorrect. Please check the username, re-type the password, and try again.</p> </div></div></div>
SecRule RESPONSE_BODY "The username or password you entered is incorrect\. Please check the username" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: MODX password login failure ',id:'377311',rev:1,severity:'4',tag:'no_ar'"
#moodle
# <div class="loginerrors"><span class="error">Invalid login, please try again</span></div> <form action="http://server2/moodle/login/index.php" method="post" id="login" >
SecRule RESPONSE_BODY ">Invalid login, please try again</span></div>" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Moodle login failure ',id:'377312',rev:1,severity:'4',tag:'no_ar'"
#Plesk
#</SPAN>You have entered incorrect username or password.</DIV>
SecRule RESPONSE_BODY "</SPAN>You have entered incorrect username or password\.</DIV>" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Plesk login failure ',id:'377313',rev:1,severity:'4',tag:'no_ar'"
#oscommerce customer login
#Error: No match for E-Mail Address and/or Password.</td>
SecRule RESPONSE_BODY "Error\: No match for E-Mail Address and/or Password\.</td>" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Oscommerce customer login failure ',id:'377314',rev:1,severity:'4',tag:'no_ar'"
#oscommerce admin login
SecRule RESPONSE_BODY "(?:Error\: Identification of the store administrator failed\.|Invalid administrator login attempt\.)" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Oscommerce admin login failure ',id:'377315',rev:2,severity:'4',tag:'no_ar'"
#zencart customer login
#Error: Sorry, there is no match for that email address and/or password.</
SecRule RESPONSE_BODY "Error\: Sorry, there is no match for that email address and/or password\.</" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: ZenCart customer login failure ',id:'377323',rev:1,severity:'4',tag:'no_ar'"
#zencart admin login
#messageStackError">You entered the wrong username or password.
SecRule RESPONSE_BODY "messageStackError\">You entered the wrong username or password\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: ZenCart admin login failure ',id:'377316',rev:1,severity:'4',tag:'no_ar'"
#dokuwiki
# <div class="error">Sorry, username or password was wrong.</div>
SecRule RESPONSE_BODY "<div class=\"error\">Sorry, username or password was wrong\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Dokuwiki login failure ',id:'377317',rev:1,severity:'4',tag:'no_ar'"
# magento customer
# Please enter a valid email address. For example johndoe@domain.com.
#SecRule RESPONSE_BODY "Please enter a valid email address\. For example johndoe@domain.com\." # "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Magento customer login failure ',id:'377318',rev:1,severity:'4'"
# magento admin
# <li class="error-msg"><ul><li><span>Invalid Username or Password.</span>
SecRule RESPONSE_BODY "<li class=\"error-msg\"><ul><li><span>Invalid Username or Password\.</span>" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Magento admin login failure ',id:'377319',rev:1,severity:'4',tag:'no_ar'"
# prestashop invalid password
# <li>Invalid password</li>
SecRule RESPONSE_BODY "<li>Invalid password</li>" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Prestashop login failure (invalid password)',id:'377320',rev:1,severity:'4',tag:'no_ar'"
# prestashop invalid email
# <ol style="margin: 0 0 0 20px;"><li>Employee does not exist or password is incorrect.</li>
SecRule RESPONSE_BODY "<li>Employee does not exist or password is incorrect\.</li>" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Prestashop login failure (invalid email)',id:'377321',rev:1,severity:'4',tag:'no_ar'"
# prestashop blank password
# <ol style="margin: 0 0 0 20px;"><li>Password is blank</li>
SecRule RESPONSE_BODY "<li>Password is blank</li>" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Prestashop login failure (blank password)',id:'377322',rev:1,severity:'4',tag:'no_ar'"
#phpbb login failure
#You have specified an incorrect password. Please check your password and try again.
SecRule RESPONSE_BODY "You have specified an incorrect username\. Please check your username and try again\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: PHPBB Login Attempt Failure - Incorrect Username ',id:'377326',rev:1,severity:'4',tag:'no_ar'"
#377324 is next
SecMarker END_BRUTE_OUT_1
#ASL bruteforce
SecRule RESPONSE_BODY "(?:<span class=\'text_red\'>Invalid username or password</span>|class=\"td_login_fail\">Invalid username or password</td>)" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: ASL GUI invalid username or password failure ',id:'377307',rev:3,severity:'4',tag:'no_ar'"
SecRule REQUEST_URI "^/login/\?login_only=1" "t:none,t:urlDecodeUni,t:lowercase,phase:5,id:335897,pass,nolog,noauditlog,skip:1"
SecAction "phase:5,id:333319,t:none,pass,nolog,noauditlog,skipAfter:END_BRUTE_OUT"
#Cpanel
SecRule REQUEST_METHOD "@streq POST" "phase:5,chain,t:none,auditlog,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Cpanel WHM Login Attempt Failure ',id:'377363',rev:2,severity:'4',tag:'no_ar'"
SecRule REQUEST_URI "^/login/\?login_only=1" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule RESPONSE_STATUS "401" "t:none"
#successful cpanel root login
SecRule REQUEST_METHOD "@streq POST" "phase:5,chain,t:none,auditlog,pass,msg:'Atomicorp.com WAF Rules - Login Detection: Cpanel WHM root Login succeeded ',id:'377364',rev:2,severity:'5',tag:'no_ar'"
SecRule REQUEST_URI "^/login/\?login_only=1" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule ARGS:user "root" "chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule RESPONSE_STATUS "200" "t:none"
#SecRule REQUEST_FILENAME "/wp-login\.php" "chain,phase:4,severity:2,id:377365,t:none,t:lowercase,t:urlDecodeUni,deny,status:403,msg:'Atomicorp.com WAF Rules - Login Detection: Wordpress Admin Authentication Failure Violation.',logdata:'Number of Authentication Failures in 60 seconds: %{ip.failed_auth_attempt}'"
# SecRule REQUEST_METHOD "@streq POST" "t:none,chain"
# SecRule ARGS:log "admin" "chain,t:none,t:lowercase,t:urlDecodeUni"
# SecRule RESPONSE_STATUS "200" "chain,t:none"
# SecRule RESPONSE_BODY "@contains <strong>Error</strong>:Incorrect password." "chain,t:none,setvar:ip.failed_auth_attempt=+1,expirevar:ip.failed_auth_attempt=60"
# SecRule IP:FAILED_AUTH_ATTEMPT "@gt 5"
#
#SecRule REQUEST_FILENAME "/wp-login\.php" "chain,phase:4,severity:2,id:377366,t:none,t:lowercase,t:urlDecodeUni,deny,status:403,msg:'Atomicorp.com WAF Rules - Login Detection: Wordpress Authentication Failure Violation.',logdata:'Number of Authentication Failures in 60 seconds: %{ip.failed_auth_attempt} '"
# SecRule REQUEST_METHOD "@streq POST" "t:none,chain"
# SecRule RESPONSE_STATUS "200" "chain,t:none"
# SecRule RESPONSE_BODY "@contains <strong>Error</strong>:Incorrect password." "chain,t:none,setvar:ip.failed_auth_attempt=+1,expirevar:ip.failed_auth_attempt=60"
# SecRule IP:FAILED_AUTH_ATTEMPT "@gt 10"
SecMarker END_BRUTE_OUT
#Wordpress login probes
SecRule REQUEST_URI "wp-login\.php" "chain,phase:2,id:307367,severity:2,t:none,t:lowercase,t:urlDecodeUni,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules - Login Brute Force: Wordpress Authentication Probes detected .',logdata:'Number of probes in 60 seconds: %{ip.login_probe} '"
SecRule REQUEST_METHOD "@streq HEAD" "t:none,chain,setvar:ip.login_probe=+1,expirevar:ip.login_probe=60"
SecRule IP:LOGIN_PROBE "@gt 5"
#cpanel login probes
SecRule REQUEST_URI "(?:dologin|clientarea)\.php" "chain,phase:2,severity:2,id:317368,t:none,t:lowercase,t:urlDecodeUni,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: WHMCS brute force probe blocked.'"
SecRule REQUEST_METHOD "@streq HEAD" "t:none"
#Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
#SecRule REQUEST_HEADERS:User-Agent "MSIE 7\.0" #"chain,phase:2,log,deny,auditlog,t:none,id:354322,rev:3,severity:4,msg:'Atomicorp.com WAF Rules: Cpanel brute force attack detected'"
#SecRule REQUEST_URI "(?:dologin|clientarea)\.php" "t:none,t:lowercase"