# Default action list for the phase:2 rules that follow in this configuration
# context: log, write an audit-log entry, and deny with HTTP 403.
SecDefaultAction "log,deny,auditlog,phase:2,status:403"

# Per-transaction exclusion: when the request path contains
# /remote.php/webdav/ (compared after t:lowercase), remove rule 391213 -- the
# content-type policy rule defined at the end of this file -- for this request.
# The rule is silent (pass,nolog,noauditlog) and sits ahead of 391213 in the
# same phase, so the ctl is applied before 391213 is evaluated.
# NOTE(review): the pattern is unanchored, so any path that merely contains
# this substring is exempt from the content-type policy. Presumably the target
# is a WebDAV endpoint -- confirm, and consider anchoring the pattern to the
# application's real base path so the exemption stays as narrow as intended.
SecRule REQUEST_FILENAME "/remote\.php/webdav/" "phase:2,id:91042,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=391213"

# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Copyright 2005-2022 by Atomicorp, Inc., all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
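#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#

# Phase-1 setup (silent, always passes): store the '|'-separated list of
# request media types accepted by policy in tx.allowed_request_content_type.
# The list is read by rule 333791 below and by rule 391213 at the end of this
# file.
SecAction "phase:1,id:'333792',t:none,nolog,noauditlog,pass, setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|text/html|application/x-mal-client-data|application/octet-stream|text/plain|application/soap xml|application/soap+xml|application/json|application/json-rpc|application/vnd.svn-svndiff|image/jpeg|application/vnd.ms-sync.wbxml|message/rfc822|application/x-java-serialized-object|text/calendar|image/png|image/gif|image/jpg|application/x-fcs|application/vnd.svn-skel|text/vcard|application/vnd.open|application/x-git-upload-pack-request|application/dns-message'"

#restrict content types to prevent possible bypass attacks
# Take the media type (everything before the first ';' or whitespace) from the
# Content-Type header and, when it is not found in the allowed list, switch on
# forceRequestBodyVariable so REQUEST_BODY is populated for later rules even
# though no body processor handles that type.
# `capture` is needed on the first rule: @rx copies its match into TX:0 only
# when that action is present. Without it the chained TX:0 test had no value
# produced by this rule to inspect, so the ctl did not run as the comment
# above intends.
# NOTE(review): @within is a substring test, so a value that is only a
# fragment of a listed type also counts as listed here.
SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "phase:1,t:none,chain,capture,pass,nolog,noauditlog,id:'333791',severity:'4'"
    SecRule TX:0 "!@within %{tx.allowed_request_content_type}" "t:none,ctl:forceRequestBodyVariable=On"

# Select the XML request-body processor when the lowercased Content-Type
# starts with text/xml, application/soap or application/xml and the processor
# currently chosen is not already XML.
SecRule REQUEST_HEADERS:Content-Type "^(text/xml|application/(soap|xml))" "chain,id:334357,rev:3,phase:1,t:none,t:lowercase,pass,nolog,noauditlog"
    SecRule REQBODY_PROCESSOR "!@streq XML" "ctl:requestBodyProcessor=XML"

#EL5 doesn't have modsec 2.9, so this can only be enabled on EL6 and above
# NOTE(review): application/json is on the allowed list above, but with this
# rule commented out nothing in this file selects the JSON body processor, so
# JSON bodies are not parsed here unless that is configured elsewhere.
#SecRule REQUEST_HEADERS:Content-Type "application/json"
#        "id:'334367',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
#
#
#Skip binary/octet for nginx amplify
#User-Agent: nginx-amplify-agent/0.34-2
#Content-Type: binary/octet-stream
# When both conditions of the chain match, jump to the END_391213 marker,
# which skips the content-type policy rule (binary/octet-stream is not on the
# allowed list).
# NOTE(review): Content-Type and User-Agent are both supplied by the client,
# so this exemption is open to any request that sends these two values. If the
# agent traffic comes from known hosts or targets a known URI, add that as a
# further chained condition to keep the exemption narrow.
SecRule REQUEST_HEADERS:Content-Type "^binary/octet-stream$" "phase:2,t:none,id:336719,pass,nolog,noauditlog,chain,skipAfter:END_391213"
    SecRule REQUEST_HEADERS:User-Agent "^nginx-amplify-agent" "t:none"

#ModSecurity parses only three content types:
# application/x-www-form-urlencoded, multipart/form-data request and
# text/xml.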
#
# The protection provided for any other type is inferior.

# Content-type policy (rule 391213). For every method other than GET, HEAD,
# PROPFIND and OPTIONS:
#   1. capture the media type (everything before the first ';' or whitespace)
#      of the Content-Type header into TX:0;
#   2. deny with 403, log and audit-log when TX:0 does not match the pattern
#      built from tx.allowed_request_content_type, and set
#      forceRequestBodyVariable=On on that match.
# NOTE(review): a request that carries no Content-Type header gives the second
# rule nothing to match, so the chain does not fire for it -- confirm that
# body-carrying requests without the header are covered by another rule.
# NOTE(review): once the macro is expanded the pattern is an ungrouped
# alternation, so '^' binds only to the first entry and '$' only to the last;
# every other entry matches as an unanchored substring, and '.' and '+' in the
# entries act as regex metacharacters rather than literals. Entries such as
# application/vnd.open look as if they rely on that prefix behaviour, so
# confirm the intended matching before tightening it to exact, delimited
# values. Macro expansion inside @rx also depends on the ModSecurity version
# in use -- verify on the deployed engine.
SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:2,chain,t:none,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Request content type is not allowed by policy',id:'391213',severity:'4',logdata:'%{matched_var}'"
    SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "chain,capture"
    SecRule TX:0 "!^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On"

# Jump target for skipAfter:END_391213 (used by rule 336719 earlier in this file).
SecMarker END_391213