69 lines
3.9 KiB
Plaintext
69 lines
3.9 KiB
Plaintext
|
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
|
||
|
SecRule REQUEST_FILENAME "/remote\.php/webdav/" "phase:2,id:91042,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=391213"
|
||
|
|
||
|
# http://www.atomicorp.com/
|
||
|
# Atomicorp (Gotroot.com) ModSecurity rules
|
||
|
# Application Security Rules for modsec 2.x
|
||
|
#
|
||
|
# Copyright 2005-2022 by Atomicorp, Inc., all rights reserved.
|
||
|
# Redistribution is strictly prohibited in any form, including whole or in part.
|
||
|
#
|
||
|
# Distribution of this work or derivative of this work in any form is
|
||
|
# prohibited unless prior written permission is obtained from the
|
||
|
# copyright holder.
|
||
|
#
|
||
|
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
|
||
|
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||
|
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||
|
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
|
||
|
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||
|
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||
|
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||
|
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||
|
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||
|
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
|
||
|
# THE POSSIBILITY OF SUCH DAMAGE.
|
||
|
#
|
||
|
#---ASL-CONFIG-FILE---
|
||
|
#
|
||
|
|
||
|
# Do not edit this file!
|
||
|
# This file is generated and changes will be overwritten.
|
||
|
#
|
||
|
# If you need to make changes to the rules, please follow the procedure here:
|
||
|
# http://www.atomicorp.com/wiki/index.php/Mod_security
|
||
|
#
|
||
|
SecAction "phase:1,id:'333792',t:none,nolog,noauditlog,pass, setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|text/html|application/x-mal-client-data|application/octet-stream|text/plain|application/soap xml|application/soap+xml|application/json|application/json-rpc|application/vnd.svn-svndiff|image/jpeg|application/vnd.ms-sync.wbxml|message/rfc822|application/x-java-serialized-object|text/calendar|image/png|image/gif|image/jpg|application/x-fcs|application/vnd.svn-skel|text/vcard|application/vnd.open|application/x-git-upload-pack-request|application/dns-message'"
|
||
|
|
||
|
|
||
|
#restrict content types to prevent possible bypass attacks
|
||
|
SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "phase:1,t:none,chain,pass,nolog,noauditlog,id:'333791',severity:'4'"
|
||
|
SecRule TX:0 "!@within %{tx.allowed_request_content_type}" "t:none,ctl:forceRequestBodyVariable=On"
|
||
|
|
||
|
SecRule REQUEST_HEADERS:Content-Type "^(text/xml|application/(soap|xml))" "chain,id:334357,rev:3,phase:1,t:none,t:lowercase,pass,nolog,noauditlog"
|
||
|
SecRule REQBODY_PROCESSOR "!@streq XML" "ctl:requestBodyProcessor=XML"
|
||
|
|
||
|
|
||
|
#El5 doesnt have modsec 2.9, so this can only be enabled on EL6 and above
|
||
|
#SecRule REQUEST_HEADERS:Content-Type "application/json" # "id:'334367',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
|
||
|
#
|
||
|
#
|
||
|
|
||
|
#Skip binary/octect for nginx amplify
|
||
|
#User-Agent: nginx-amplify-agent/0.34-2
|
||
|
#Content-Type: binary/octet-stream
|
||
|
SecRule REQUEST_HEADERS:Content-Type "^binary/octet-stream$" "phase:2,t:none,id:336719,pass,nolog,noauditlog,chain,skipAfter:END_391213"
|
||
|
SecRule REQUEST_HEADERS:User-Agent "^nginx-amplify-agent" "t:none"
|
||
|
|
||
|
#ModSecurity parses only three content types:
|
||
|
# application/x-www-form-urlencoded, multipart/form-data request and
|
||
|
# text/xml.
|
||
|
#
|
||
|
# The protection provided for any other type is inferior.
|
||
|
SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:2,chain,t:none,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Request content type is not allowed by policy',id:'391213',severity:'4',logdata:'%{matched_var}'"
|
||
|
SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "chain,capture"
|
||
|
SecRule TX:0 "!^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On"
|
||
|
|
||
|
SecMarker END_391213
|
||
|
|