modsecurity-waf/nginx-waf/11_asl_data_loss.conf

140 lines
13 KiB
Plaintext
Raw Normal View History

2024-12-11 16:57:51 -05:00
SecRule REQUEST_FILENAME "/ajax/getsymptoms\.php" "phase:2,id:92738,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=361008"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Created by the Prometheus Global (http://www.prometheus-group.com)
# Copyright 2005-2021 by Atomicorp, Inc. all rights reserved.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
SecDefaultAction "log,deny,auditlog,phase:4"
#skip for ASL GUI
SecRule SERVER_PORT "@streq 30000" "phase:4,id:333710,pass,t:none,nolog,noauditlog,skipAfter:END_POTENTIAL_CREDIT_CARD_OUT"
#Detect sensitive numbers in output
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})(?:[^\d]|$)" "phase:4,id:333711,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:4,id:333712,t:none,pass,nolog,noauditlog,skipAfter:END_POTENTIAL_CREDIT_CARD_OUT"
# GSA SmartPay
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)((?:5568|4(?:486|716))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|8699\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com WAF Rules: Potential credit card number detected in output (NOT BLOCKED) - GSA SmartPay Card Number sent from site to user',id:'361020',severity:'1',tag:'no_ar'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"
# MasterCard
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(5[1-5]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)" "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com WAF Rules: MasterCard Credit Card Number sent from site to user',id:'361006',severity:'1',tag:'no_ar'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"
# Visa
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(4\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d(?:\d{3})??)(?:[^\d]|$)" "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com WAF Rules: Potential credit card number detected in output (NOT BLOCKED) -Visa Credit Card Number sent from site to user',id:'361008',severity:'1',tag:'no_ar'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"
# American Express
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(3[47]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com WAF Rules: Potential credit card number detected in output (NOT BLOCKED) -American Express Credit Card Number sent from site to user',id:361010,severity:'1',tag:'no_ar'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"
# Diners Club
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)((?:30[0-5]|3[68]\d)\d\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2})(?:[^\d]|$)" "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com WAF Rules: Potential credit card number detected in output (NOT BLOCKED) -Diners Club Credit Card Number sent from site to user',id:'361012',severity:'1',tag:'no_ar'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"
# enRoute
#SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "(?:^|[^\d])(?<!google_ad_client = \"pub-)(2(?:014|149)\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2}|55\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" # "logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com WAF Rules: Potential credit card number detected in output (NOT BLOCKED) -enRoute Credit Card Number sent from site to user',id:'361014',severity:'1',tag:'no_ar'"
# Discover
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(6(?:011|5\d{2})\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)" "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com WAF Rules: Potential credit card number detected in output (NOT BLOCKED) -Discover Credit Card Number sent from site to user',id:'361016',severity:'1',tag:'no_ar'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"
# JCB
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(3\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|(?:1800|21(?:31|00))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com WAF Rules: Potential credit card number detected in output (NOT BLOCKED) -JCB Credit Card Number sent from site to user',id:'361018',severity:'1',tag:'no_ar'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"
SecMarker END_POTENTIAL_CREDIT_CARD_OUT
SecRule REQUEST_URI "^/index\.php\?module=asl" "phase:4,id:349852,pass,t:none,t:lowercase,nolog,noauditlog,chain,skipAfter:END_DLP_OUTPUT"
SecRule SERVER_PORT "@streq 30000"
#Detect potential error messages that leak sensitive information
SecRule RESPONSE_BODY "@pm hsqldb DB2 error illegal unexpected Ingres maxdb ibase_ jdbc exception database ODBC Tomcat DM_QUERY_E_SYNTAX mysql_connect( MySQL Warning SQLite. PostgreSQL ORA- SQLException Driver oci_ ora_ exception SQLSTATE" "phase:4,t:none,pass,nolog,noauditlog,skip:1,id:333713,tag:'no_ar'"
SecAction "phase:4,t:none,pass,nolog,noauditlog,id:333714,skipAfter:END_POTENTIAL_ERROR_LEAK"
SecRule RESPONSE_BODY "<title>Apache Tomcat.{,512}Error report" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Potential Error Message with sensitive information sent from tomcat',id:'361019',rev:2,severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "\bWarning: mysql_connect\(\)\:" "phase:4,rev:1,t:none,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Potential SQL Information Leakage',id:'361021',severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "You have an error in your SQL syntax; check the manual " "phase:4,rev:2,t:none,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Potential SQL Information Leakage',id:'361022',severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "SQLite.Exception|System.Data.SQLite.SQLiteException|Warning:.{,100}(?:sqlite_|SQLite3::)" "phase:4,rev:1,t:none,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Potential SQL Information Leakage',id:'361023',severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "\bsupplied argument is not a valid (?:MySQL|PostgreSQL)\b" "phase:4,rev:1,t:none,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Potential SQL Information Leakage',id:'361024',severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "\b(?:Column count doesn't match value count at row|MySQL server version for the right syntax to use)\b" "phase:4,rev:1,t:none,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Atomicorp.com WAF Rules: SQL Information Leakage',id:'361025',severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "(?:Warning.{,512}*(?:sqlite|SQLite3)|SQLite/JDBCDriver|SQLite\.Exception)" "phase:4,rev:1,t:none,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Atomicorp.com WAF Rules: SQLite Information Leakage',id:'361225',severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "Exception (condition )?\d+\. Transaction rollback\." "phase:4,rev:1,t:none,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Potential Frontbase SQL Information Leakage detected',id:'361026',severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "org\.hsqldb\.jdbc" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Potential hsqldb SQL Error Message with sensitive information sent',id:'361140',rev:2,severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "(?:Warning.{,512}ingres_|Ingres SQLSTATE|Ingres\W.{,512}Driver)" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Potential Informix SQL Error Message with sensitive information sent',id:'361141',rev:2,severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "(?:<b>Warning</b>: ibase_|Unexpected end of command in statement)" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Potential Informix SQL Error Message with sensitive information sent',id:'361142',rev:2,severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "(?:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.{,512}Informix)" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Potential Informix SQL Error Message with sensitive information sent',id:'361143',rev:2,severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "(?:SQL error.{,512}POS([0-9]+)|Warning.{,512}maxdb)" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Potential maxDB SQL Error Message with sensitive information sent',id:'361144',rev:2,severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "(?:Sybase message:|Warning.{,512}sybase|Sybase.{,512}Server message)" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Potential maxDB SQL Error Message with sensitive information sent',id:'361145',rev:2,severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "(?:DB2(?: SQL error:|/6000\])|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.{,256}DB2|db2_ ?\()" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Potential IBM DB2 SQL Error Message with sensitive information sent',id:'361031',rev:2,severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "\[DM_QUERY_E_SYNTAX\]" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Potential EMC Error Message with sensitive information sent',id:'361032',rev:2,severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "Dynamic SQL Error" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Potential Firebirg Error Message with sensitive information sent',id:'361033',rev:2,severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "(?:(?:JET|Access) Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Potential Microsoft SQL Error Message with sensitive information sent',id:'361030',rev:2,severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "(?:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle(?: error|.{,512}Driver)|Warning.{,512}oc(?:i|a)_)" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Potential Orale SQL Error Message with sensitive information sent',id:'361229',rev:2,severity:'1',tag:'no_ar'"
SecRule RESPONSE_BODY "define\(\'(?:WP_DEBUG|DB_NAME)" "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules: Wordpress Config file download blocked',id:'361230',rev:3,severity:'1',tag:'no_ar'"
SecMarker END_DLP_OUTPUT
SecMarker END_POTENTIAL_ERROR_LEAK