SecDefaultAction "log,deny,auditlog,phase:2,status:403" # http://www.atomicorp.com/ # Atomicorp (Gotroot.com) ModSecurity rules # Anti Malware rules # # Created by Prometheus Global (http://www.prometheus-group.com) # Copyright 2005-2019 by Atomicorp, Inc. all rights reserved. # Redistribution is strictly prohibited in any form, including whole or in part. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF # THE POSSIBILITY OF SUCH DAMAGE. # #---ASL-CONFIG-FILE--- # Do not edit this file! # This file is generated and changes will be overwritten. # # If you need to make changes to the rules, please follow the procedure here: # http://www.atomicorp.com/wiki/index.php/Mod_security # Phase 2 rules #skip this for certain file types SecRule REQUEST_FILENAME "\.((m|j)pe?g4?|bmp|tiff?|p((p|g|b)m|n(g|m))|gif|js|css|ico|avi|w(mv|ebp)|mp(3|4)|cgm|svg|swf|og(m|v|x))$" "phase:2,pass,t:none,t:lowercase,nolog,noauditlog,id:333946,skipAfter:END_ANTI_MALWARE" SecRule REQUEST_URI "/imp/compose\.php" "phase:2,pass,id:333947,t:none,t:lowercase,nolog,noauditlog,skipAfter:END_ANTI_MALWARE" SecRule ARGS|REQUEST_URI|!ARGS:/description/|!ARGS:resolution|!ARGS:/subject/|!ARGS:/body/|!ARGS:SAMLResponse|!ARGS:SAMLResponse|!ARGS:message|!ARGS:/txt/|!ARGS:/solution/|XML:/* "@pm http:// https:// ftp:// ftps:// ogg:// data:// php:// zlib:// gopher://" "phase:2,id:338812,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceNulls,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1" SecAction "phase:2,id:338370,t:none,pass,nolog,noauditlog,skipAfter:END_ANTI_MALWARE" # Broadcheck #SecRule REQUEST_HEADERS:Referer|ARGS "!@pmFromFile malware-exclusion-local.txt" # "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360000,rev:2,severity:2,msg:'Blocklist Malware Site (AE)'" SecRule REQUEST_URI|ARGS|!ARGS:wpReason|!ARGS:/description/|!ARGS:resolution|!ARGS:/subject/|!ARGS:/body/|!ARGS:SAMLResponse|!ARGS:message|!ARGS:/txt/|!ARGS:/solution/|XML:/* "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "log,auditlog,phase:2,deny,log,status:403,chain,capture,t:none,t:urlDecodeUni,t:replaceNulls,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:360000,rev:7,severity:2,msg:'Atomicorp.com Malware Blocklist: Malware Site detected in URL/Argument (AE)',logdata:'%{TX.0}'" SecRule REQUEST_URI|ARGS|!ARGS:wpReason|!ARGS:resolution|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:SAMLResponse|!ARGS:/txt/|!ARGS:message|XML:/* "@pmFromFile malware-blacklist.txt" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace" # Rule 330002: Blocklist of known malware sites w/ Anti-evasion features #SecRule REQUEST_URI "!(?:/imp/compose\.php)" # "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360002,rev:1,severity:2,msg:'Atomicorp.com Malware Blocklist: Malware Site detected in ARGS/Body (AE)',chain,logdata:'%{TX.0}'" #SecRule REQUEST_BODY|ARGS|!ARGS:resolution|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|XML:/* "(?:ogg|zlib|(?:ht|f)tps?)\:/" "chain" ##SecRule REQUEST_BODY|ARGS "!@pmFromFile malware-exclusion-local.txt" chain #SecRule REQUEST_BODY|ARGS|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|XML:/* "@pmFromFile malware-blacklist.txt" # Rule 330003: Blocklist of known malware sites #SecRule REQUEST_URI "!(?:/imp/compose\.php)" # "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360003,rev:5,severity:2,msg:'Atomicorp.com Malware Blocklist: Malware Site detected in URI',chain,logdata:'%{TX.0}'" #SecRule REQUEST_URI "(?:ogg|zlib|(?:ht|f)tps?)\:/.*" "chain" ##SecRule REQUEST_URI "!@pmFromFile malware-exclusion-local.txt" "chain" #SecRule REQUEST_URI "@pmFromFile malware-blacklist.txt" #Rule 330004: Blocklist suspicious sites in referral #SecRule REQUEST_HEADERS:Referer "@pmFromFile malware-blacklist.txt" # "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360004,rev:2,severity:2,msg:'Atomicorp.com Malware Blocklist: Suspicious Blocklist Malware Site detected in Referral',logdata:'%{TX.0}'" # # Rule 330005: Blocklist of known malware sites w/ Anti-evasion features SecRule REQUEST_BODY|REQUEST_URI|ARGS|!ARGS:wpReason|!ARGS:/description/|!ARGS:resolution|!ARGS:/subject/|!ARGS:/body/|!ARGS:SAMLResponse|!ARGS:/txt/|XML:/* "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "log,auditlog,phase:2,deny,log,status:403,capture,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,id:360005,rev:1,severity:2,msg:'Atomicorp.com Malware Blocklist: Malware Site detected in ARGS/Body (AE)',chain,logdata:'%{TX.0}'" #SecRule REQUEST_BODY|ARGS "!@pmFromFile malware-exclusion-local.txt" chain SecRule REQUEST_BODY|REQUEST_URI|ARGS|!ARGS:wpReason|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|!ARGS:SAMLResponse "@pmFromFile malware-blacklist.txt" "t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace" ##Rule 360005: Local malware lists ##SecRule REQUEST_HEADERS:Referer|ARGS "!@pmFromFile malware-exclusion-local.txt" ## "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360000,rev:2,severity:2,msg:'Blocklist Malware Site (AE)'" #SecRule ARGS "@pmFromFile malware-blacklist-local.txt" # "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360005,rev:2,severity:2,msg:'Local Blocklist Malware Site (AE)'" # ## Rule 330006: Blocklist of known malware sites w/ Anti-evasion features #SecRule REQUEST_URI "!(?:/imp/compose\.php)" # "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360006,rev:1,severity:2,msg:'Local Malware Site in ARGS/Body (AE)',chain" #SecRule REQUEST_BODY|ARGS "(?:ogg|zlib|(?:ht|f)tps?)\:/.*" "chain" ##SecRule REQUEST_BODY|ARGS "!@pmFromFile malware-exclusion-local.txt" chain #SecRule REQUEST_BODY|ARGS "@pmFromFile malware-blacklist-local.txt" # ## Rule 330003: Blocklist of known malware sites #SecRule REQUEST_URI "!(?:/imp/compose\.php)" # "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360007,rev:4,severity:2,msg:'Local Malware Site in URI',chain" #SecRule REQUEST_URI "(?:ogg|zlib|(?:ht|f)tps?)\:/.*" "chain" ##SecRule REQUEST_URI "!@pmFromFile malware-exclusion-local.txt" "chain" #SecRule REQUEST_URI "@pmFromFile malware-blacklist-local.txt" # ##Rule 330004: Blocklist suspicious sites in referral #SecRule REQUEST_HEADERS:Referer "@pmFromFile malware-blacklist-local.txt" # "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360008,rev:2,severity:2,msg:'Suspicious Local Blocklist Malware Site in Referral'" # SecMarker END_ANTI_MALWARE