modsecurity-waf/nginx-waf/00_asl_z_aa_threat_intellig...

53 lines
2.9 KiB
Plaintext
Raw Normal View History

2024-12-11 16:57:51 -05:00
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# TI rules
#
# Created by Prometheus Global (http://www.prometheus-group.com)
# Copyright 2014-2019 by Atomicorp, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
SecAction "phase:1,id:343699,t:none,pass,nolog,noauditlog,initcol:ip=%{remote_addr}"
#Skip on broken 2.8.0 boxes
#SecRule MODSEC_BUILD "@gt 020777900" #phase:1,id:333777,rev:1,t:none,nolog,pass,skipAfter:END_TI
SecRule REMOTE_ADDR "@ipMatchFromFile /etc/asl/whitelist" "phase:1,pass,t:none,id:328745,nolog,noauditlog,skipAfter:END_TI"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" "phase:1,pass,t:none,id:328746,nolog,noauditlog,skipAfter:END_TI"
#Is already on the threat1 RBL, dont bother looking it up, DROP the connection
SecRule IP:threat1 "@eq 1" "phase:1,t:none,deny,status:403,log,auditlog,msg:'Atomicorp.com WAF Rules: Threat Intelligence Match for known Worm Source on Atomicorp Threat Intelligence RBL. See this URL for details http://www.atomicrbl.com (Previous TI Match)',severity:'1',id:350051,rev:1"
#Dont look up the IP if we've checked it in the last 3m
SecRule IP:PREVIOUS_LOOKUP "@eq 1" "phase:1,id:313134,t:none,pass,nolog,noauditlog,skipAfter:END_TI"
SecAction "phase:1,t:none,id:343698,nolog,noauditlog,pass,setvar:ip.previous_lookup=1,expirevar:ip.previous_lookup=180"
SecRule REMOTE_ADDR "@rbl threat1.atomicrbl.com." "phase:1,t:none,deny,status:403,log,auditlog,msg:'Atomicorp.com WAF Rules: Threat Intelligence Match for known Worm Source on Atomicorp Threat Intelligence RBL (TI-1). See this URL for details http://www.atomicrbl.com',severity:'1',setvar:ip.threat1=1,expirevar:ip.threat1=900,id:355500,rev:1"
SecMarker END_TI