modsecurity-waf/nginx-waf/31_asl_urispam.conf

67 lines
4.4 KiB
Plaintext
Raw Normal View History

2024-12-11 16:57:51 -05:00
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# Atomicorp (Gotroot.com) ModSecurity rules
# Anti Spam rules
#
# Created by Prometheus Global (http://www.prometheus-group.com)
# Copyright 2005 - 2022 by Atomicorp, Inc. All rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
# Phase 2 rules
# Rule 300000: Blacklist of referer spam hostnames
SecRule SERVER_PORT "@streq 30000" "phase:1,id:339853,pass,t:none,nolog,noauditlog,skipAfter:END_SPAM_URI"
#Skip SPAM rules if this is a not something to check for spam, like graphics, videos, CSS, ico, docs, etc.
SecRule REQUEST_FILENAME "\.((m|j)pe?g4?|bmp|tiff?|p((p|g|b)m|n(g|m)|df|s)|gif|js|css|flv|ico|avi|w(m(?:v|a)|ebp)|mp(3|4)|cgm|svg|swf|og(m|v|x)|te?xt|doc|xls|od(?:t|s)|ppt|wbk)$" "phase:2,id:333938,pass,t:none,t:lowercase,nolog,noauditlog,skipAfter:END_SPAM_URI"
#Concrete 5 editing bypass
SecRule ARGS:ccm-edit-block-submit "^submit$" "phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,id:333939,skipAfter:END_SPAM_URI"
#Skip SPAM rules for admin applications and the like
SecRule REQUEST_URI "(?:/(?:(?:i(?:nclude\.php?path=forum/editpost|mp/compose)|pr(?:o(?:duct_thumb|file)|eview_static_cgi)|callback|diagnostics|editsection|tickets)\.php|system/index\.php?s=.*c=(?:publish|edit)&m=new_entry$|workshops/register\.php|link(?:machine/linkmachine\.php|s/\?act=addsite)|(?:\?modulo=loja&action|update\.php?pageid)=|nav\.php\?nav=(?:moderate|addnews)|cgi-bin/mailinglist/mail\.cgi)|/(?:(?:s(?:itebuilder|hopadmin)|cms/resources/edit|hspc/pcc|node/add|vsadmin)/|w(?:p-(?:content/plugins|admin)/|izard/edit/html)|adm(?:in(?:istrator/)?|/))|\?(?:(?:p=admin_cms|task=edit|tab=admin[a-z]+)&|action=admin)|node/[0-9]+/edit|^/\?[sv]=|\?q=ckeditor|/secure/|/site-?admin/|/ndxz-studio/|/wp-admin/|/cms/|/file/ajax/|/members/editing/|/comment/reply/[0-9]+|/new/[0-9]+/confirm|/index\.php\?option=com_jreviews|/calendar/index\.php\?act=calendar&code=addnewevent)" "phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,id:333940,skipAfter:END_SPAM_URI"
############ SPAMMY URLS ########################
#
SecRule ARGS "@pm http:// https:// @" "id:333941,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:353535,t:none,pass,nolog,noauditlog,skipAfter:END_SPAM_URI"
#Check spam domain to see if its on the URIRBL list
SecRule ARGS "https?\://(.*?)/" "chain,log,auditlog,phase:2,severity:2,id:377777,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,capture,msg:'Atomicorp.com WAF Rules: Possible Spam Domain: URIBL Match of Submitted Link Domain on urirbl.com blocklist. (Report False Positives to www.uribl.com)',logdata:'%{tx.domain}',setvar:tx.domain=%{tx.1}"
SecRule TX:1 "@rbl multi.uribl.com" "capture,chain"
SecRule TX:0 "(BLACK)" t:none
#Check spam domain to see if its on the URIRBL list
#SecRule ARGS "@(.*?)" # "chain,log,phase:2,id:377779,severity:2,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,capture,msg:'Atomicorp.com WAF Rules: Possible Spam Domain: URIBL Match of Submitted Link Domain on urirbl.com blocklist.',logdata:'%{tx.domain}',setvar:tx.domain=%{tx.1}"
#SecRule TX:1 "@rbl multi.uribl.com" "capture,chain"
#SecRule TX:0 "(BLACK)" t:none
#All spam end
SecMarker END_SPAM_URI