SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Copyright 2013-2017 Atomicorp, Inc., all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#
# Note: These rules will not work without this apache setting
#
# HostnameLookups Double
#
# How this file works (the same pattern is repeated for every crawler below):
#   1. A User-Agent gate (id 318745) admits a request into this file only when
#      the UA contains one of the listed crawler tokens (@pm is case-insensitive);
#      every other request jumps to END_SEARCH_ENGINE and none of the checks run.
#   2. Each engine section is built from the same four steps:
#        a. UA match for that engine -> "skip:1" steps over the SecAction that
#           would otherwise "skipAfter" the section's END_* marker.
#        b. Optional "@ipmatch" against published crawler address ranges ->
#           "skip:1" steps over the deny rule (used where the operator's
#           PTR/forward DNS records are known to be unreliable).
#        c. REMOTE_HOST must carry the operator's domain; the NEGATED match
#           denies the request as a spoofed crawler (severity 2, HTTP 403).
#        d. If TX:WHITELIST_SEARCH_ENGINES is 1 the request is allowed outright.
#           "allow" with no argument ends rule processing for the remaining
#           phases (logging excepted), so a verified crawler is not inspected by
#           any later rule file. TX:WHITELIST_SEARCH_ENGINES is set outside this
#           file; if it is never set, the sections end without an explicit verdict.
#
# Security note: every REMOTE_HOST test in this file trusts the hostname Apache
# resolved for the client connection. "HostnameLookups Double" makes Apache
# forward-confirm the reverse (PTR) lookup, and when the forward lookup does not
# return the client address REMOTE_HOST carries the bare IP instead of the PTR
# name. That forward confirmation is what stops a client that publishes an
# arbitrary "*.googlebot.com"-style PTR for its own address from passing the
# suffix checks below; with plain "HostnameLookups On" the checks are
# spoofable, and with "Off" they always deny, which is why the setting is
# mandatory.

#Modsecurity 2.8.0 has a nasty bug that makes it not work with ipmatch rules
#so we cant let these rules load in 2.8.0 boxes
# NOTE(review): the version guard below is commented out, so nothing in this
# file currently prevents the @ipmatch rules from loading on a 2.8.0 build.
#SecRule MODSEC_BUILD "@gt 020777900"
#phase:1,id:333772,rev:1,t:none,nolog,pass,skipAfter:END_SEARCH_ENGINE

# Gate: only UAs naming one of these crawlers are checked at all.
# NOTE(review): "msnbot" is matched by id 318746 further down but is not in
# this list, so a UA that says msnbot without bingbot never reaches the MSN
# section (it is skipped past END_SEARCH_ENGINE here). Feedly is admitted only
# because its UA also contains "FeedFetcher-Google" (see the sample UA below).
SecRule REQUEST_HEADERS:User-Agent "@pm googlebot bingbot yahoo yeti hailoobot technoratibot friendfeedbot newsgator blogscope gist bloglines/ netvibes yandex friendfeedbot/ baiduspider/ mediapartners-google Feedfetcher-Google Twitterbot" "id:318745,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:333722,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_SEARCH_ENGINE"

#Twitterbot
#199.59.148.0/22
# NOTE(review): the comment above says /22 but the @ipmatch below only covers
# the /24. The deny rule 303831 that follows is also the only host check in
# this file that is NOT negated: a forward-confirmed *.twttr.com host outside
# 199.59.148.0/24 matches it and is denied as "fake". Confirm both are intended.
SecRule REQUEST_HEADERS:User-Agent "Twitterbot" "id:338746,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:334904,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_TWITTER"
SecRule REMOTE_HOST "@ipmatch 199.59.148.0/24" "id:343917,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "\.twttr\.com$" "id:303831,severity:'2',rev:1,t:none,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake twitter bot',phase:1"
#Real Twitter bot (whitelist flag) -- earlier copies of this comment said "MSN"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'339331',t:none,nolog,noauditlog,allow"
SecMarker END_TWITTER

#User-Agent: Feedly/1.0 (+http://www.feedly.com/fetcher.html; like FeedFetcher-Google)
# NOTE(review): "capture" only fills TX.0 for @rx/@pm matches, so the
# logdata:'%{TX.0}' on the @endsWith deny rules (303890 here, 303800 and
# 303833 in the Google sections) is expected to be empty; confirm, and use
# logdata:'%{REMOTE_HOST}' if the resolved name is wanted in the audit log.
# This deny rule also has no t:lowercase, unlike the other sections.
SecRule REQUEST_HEADERS:User-Agent "^Feedly" "id:303990,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:303991,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_FEEDLY"
SecRule REMOTE_HOST "@ipmatch 65.19.138.0/26,8.29.198.0/24" "id:323978,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "!@endsWith .feedly.com" "capture,id:303890,severity:'2',rev:4,t:none,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules: Fake Feedly webcrawler',phase:1,logdata:'%{TX.0}'"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303992',t:none,nolog,noauditlog,allow"
SecMarker END_FEEDLY

#Google
# UAs starting with Googlebot-richsnippets or OnPageBot are exempted from the
# host verification below (id 323931 jumps straight to END_GOOGLE).
SecRule REQUEST_HEADERS:User-Agent "^(?:Googlebot-richsnippets|OnPageBot)" "phase:1,id:323931,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_GOOGLE"
SecRule REQUEST_HEADERS:User-Agent "@pm googlebot mediapartners-google" "id:323900,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:333901,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_GOOGLE"
#74.125.0.0/16 is registered to google, but does not have a PTR record
#66.249.64.0/19 is google
SecRule REMOTE_HOST "@ipmatch 74.125.0.0/16,66.249.64.0/19,173.194.0.0/16" "id:323918,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "!@endsWith .googlebot.com" "capture,id:303800,rev:3,severity:'2',t:none,t:lowercase,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules: Fake Googlebot webcrawler',phase:1,logdata:'%{TX.0}'"
#Real Google Search Engine
#Allow all from google
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303902',t:none,nolog,noauditlog,allow"
SecMarker END_GOOGLE

#Feedfetcher-Google
# Note the UA test here is a case-sensitive @contains (no t:lowercase), unlike
# the @pm gate above.
SecRule REQUEST_HEADERS:User-Agent "@contains Feedfetcher-Google" "id:303947,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:343948,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_GOOGLE2"
SecRule REMOTE_HOST "@ipmatch 74.125.0.0/16,66.249.64.0/19" "id:323928,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "!@endsWith .google.com" "capture,id:303833,severity:'2',rev:5,t:none,t:lowercase,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules: Fake Google Feedfetcher webcrawler',phase:1,logdata:'%{TX.0}'"
#Allow all from google
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303935',t:none,nolog,noauditlog,allow"
SecMarker END_GOOGLE2

#MSN search engine
# The accepted PTR shape is the exact msnbot-A-B-C-D.search.msn.com form; the
# older variant that also accepted 131.253.x.x by address is kept below as a
# comment for reference.
SecRule REQUEST_HEADERS:User-Agent "@pm msnbot bingbot" "id:318746,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:333904,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_MSN"
SecRule REMOTE_HOST "@ipmatch 157.54.0.0/15,207.46.0.0/16,40.124.0.0/16,40.96.0.0/12,40.112.0.0/13,40.125.0.0/17,40.74.0.0/15,40.120.0.0/14,40.80.0.0/12,40.76.0.0/14" "id:323917,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "!(^msnbot-[0-9]+-[0-9]+-[0-9]+-[0-9]+\.search\.msn\.com$)" "capture,id:303801,severity:'2',rev:6,t:none,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake msnbot/bingbot webcrawler',phase:1,logdata:'%{TX.0}'"
#SecRule REMOTE_HOST "!(^msnbot-[0-9]+-[0-9]+-[0-9]+-[0-9]+\.search\.msn\.com$|^131\.253\.[2-4][0-9]\.[0-9]+$)"
#Real MSN search engine
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303903',t:none,nolog,noauditlog,allow"
SecMarker END_MSN

#Yahoo Slurp engine
SecRule REQUEST_HEADERS:User-Agent "@contains yahoo! slurp" "id:323904,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:333905,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_YAHOO"
#China Yahoo ranges
#110.75.160.0 - 110.75.191.255
#110.75.171.0 - 110.75.176.255
#
#Other yahoo ranges
#98.136.0.0/14
SecRule REMOTE_HOST "@ipmatch 110.75.160.0/19,98.136.0.0/14,68.180.128.0/17,217.146.179.0/24" "id:323914,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "!(\.yahoo\.(?:net|com)$)" "id:303802,severity:'2',rev:5,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Yahoo! Slurp webcrawler',phase:1"
#Real Yahoo Slurp engine
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303906',t:none,nolog,noauditlog,allow"
SecMarker END_YAHOO

#Yahoo Pipes (no address ranges: host suffix check only)
SecRule REQUEST_HEADERS:User-Agent "@contains yahoo pipes" "id:303907,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:333908,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_YAHOO2"
SecRule REMOTE_HOST "!(\.yahoo\.(?:com|net)$)" "id:303803,severity:'2',rev:2,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Yahoo Pipes webcrawler',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303908',t:none,nolog,noauditlog,allow"
SecMarker END_YAHOO2

#Yeti (Naver). The address-range skip is disabled; only the PTR shape is accepted.
SecRule REQUEST_HEADERS:User-Agent "@beginsWith Yeti/" "id:303909,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:318749,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_YETI"
#SecRule REMOTE_HOST "@ipmatch 61.247.192.0/19"
# "id:323916,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "!(^crawl-[0-9]+-[0-9]+-[0-9]+-[0-9]+\.naver\.jp$)" "id:303804,severity:'2',rev:4,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Yeti webcrawler',phase:1"
#SecRule REMOTE_HOST "!(^crawl-[0-9]+-[0-9]+-[0-9]+-[0-9]+\.naver\.jp$|^61\.247\.(19[2-9]|2[0-2][0-3])\.[0-9]{1,3}$"
#
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303910',t:none,nolog,noauditlog,allow"
SecMarker END_YETI

#Hailoobot
# NOTE(review): the operator is spelled "@endswith" here and in the Technorati
# section but "@endsWith" everywhere else; confirm the operator lookup is
# case-insensitive in the deployed ModSecurity build, otherwise these two rules
# fail to load.
SecRule REQUEST_HEADERS:User-Agent "@contains hailoobot" "id:303913,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:333911,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_HAIL"
SecRule REMOTE_HOST "!@endswith webcrawler.hailoo.com" "id:303805,severity:'2',rev:1,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Hailoobot webcrawler.',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303912',t:none,nolog,noauditlog,allow"
SecMarker END_HAIL

#Technoratibot
SecRule REQUEST_HEADERS:User-Agent "@contains technoratibot/" "id:303915,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:333915,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_TECHNO"
SecRule REMOTE_HOST "!@endswith .crawler.technorati.com" "id:303806,severity:'2',rev:1,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Technoratibot webcrawler.',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303916',t:none,nolog,noauditlog,allow"
SecMarker END_TECHNO

#FriendFeed (Facebook)
SecRule REQUEST_HEADERS:User-Agent "@contains friendfeedbot/" "id:303917,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:333918,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_FACEBOOK"
SecRule REMOTE_HOST "!@endsWith .facebook.com" "id:303807,severity:'2',rev:1,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake FriendFeed/Facebook webcrawler',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303919',t:none,nolog,noauditlog,allow"
SecMarker END_FACEBOOK

#Yandex
# The duplicated t:lowercase on rule 303808 is harmless but redundant.
SecRule REQUEST_HEADERS:User-Agent "yandex(?:bot|images|blog)" "id:303920,rev:2,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:303921,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_YANDEX"
SecRule REMOTE_HOST "@ipmatch 95.108.158.128/25" "id:323916,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "!(\.yandex\.(?:ru|com|net)$)" "id:303808,severity:'2',rev:2,t:none,t:lowercase,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Yandex webcrawler.',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303900',t:none,nolog,noauditlog,allow"
SecMarker END_YANDEX

#Bloglines (exact host match rather than a suffix)
SecRule REQUEST_HEADERS:User-Agent "@contains bloglines/" "id:313921,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:313922,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_BLOGLINES"
SecRule REMOTE_HOST "!@streq crawler.bloglines.com" "id:303810,severity:'2',rev:1,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Bloglines webcrawler.',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303901',t:none,nolog,noauditlog,allow"
SecMarker END_BLOGLINES

#Gist
SecRule REQUEST_HEADERS:User-Agent "@contains gist server" "id:303924,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:303925,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_GIST"
SecRule REMOTE_HOST "!@endsWith .gist.com" "id:303811,severity:'2',rev:1,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Gist webcrawler',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303922',t:none,nolog,noauditlog,allow"
SecMarker END_GIST

#BlogScope (University of Toronto)
SecRule REQUEST_HEADERS:User-Agent "@contains blogscope" "id:303927,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:303928,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_BLOGSCOPE"
SecRule REMOTE_HOST "!@endsWith .toronto.edu" "id:303812,severity:'2',rev:1,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake BlogScope webcrawler',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303923',t:none,nolog,noauditlog,allow"
SecMarker END_BLOGSCOPE

#NewsGator
SecRule REQUEST_HEADERS:User-Agent "newsgator/2\.0 bot" "id:303930,rev:2,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:303931,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_NEWSGATOR"
SecRule REMOTE_HOST "!@endsWith .newsgator.com" "id:303813,severity:'2',rev:1,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake NewsGatorOnline webcrawler',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303904',t:none,nolog,noauditlog,allow"
SecMarker END_NEWSGATOR

#Netvibes
SecRule REQUEST_HEADERS:User-Agent "@contains netvibes" "id:303933,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:303934,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_NETVIBES"
SecRule REMOTE_HOST "!@endsWith .netvibes.com" "id:303814,severity:'2',rev:1,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Netvibes webcrawler',phase:1"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303905',t:none,nolog,noauditlog,allow"
SecMarker END_NETVIBES

#Baidu seems to have a broken resolver
#The forward record never resolves
#
#nslookup baiduspider-180-76-5-87.crawl.baidu.com
#** server can't find baiduspider-180-76-5-87.crawl.baidu.com: NXDOMAIN
#nslookup 180.76.5.87
#87.5.76.180.in-addr.arpa name = baiduspider-180-76-5-87.crawl.baidu.com.
#So some known static ranges are added
#inetnum: 180.76.0.0 - 180.76.255.255
#netname: Baidu
#
#inetnum: 123.125.71.0 - 123.125.71.255
#netname: SADF
#123.122.0.0 - 123.122.15.255
#119.63.192.0 - 119.63.199.255
#202.46.32.0 - 202.46.63.255
# Because the forward lookup fails, "HostnameLookups Double" leaves REMOTE_HOST
# as the bare IP for these clients and the suffix check alone would deny them;
# the @ipmatch skip below is what admits the published Baidu ranges.
SecRule REQUEST_HEADERS:User-Agent "@contains baiduspider/" "id:303936,rev:1,phase:1,t:none,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:1,id:323937,rev:1,t:none,pass,nolog,noauditlog,skipAfter:END_BAIDU"
SecRule REMOTE_HOST "@ipmatch 180.76.0.0/16,123.122.0.0/20,123.125.71.0/24,119.63.192.0/21,220.181.0.0/16,202.46.32.0/19,185.10.104.0/22" "id:323915,rev:1,phase:1,t:none,pass,nolog,noauditlog,skip:1"
SecRule REMOTE_HOST "!(\.crawl\.baidu\.com$)" "id:303937,severity:'2',rev:7,t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Fake Baidu webcrawler',phase:1"
#SecRule REMOTE_HOST "!(\.crawl\.baidu\.com$|^180\.76\.[0-9]+\.[0-9]+$|^123\.125\.71\.[0-9]+$|^220\.181\.[0-9]+\.[0-9]+$|123\.122\.[0-15]\.[0-9]+$|^119\.63\.19[2-9]\.[0-9]+$)"
SecRule TX:WHITELIST_SEARCH_ENGINES "@eq 1" "phase:1,id:'303938',t:none,nolog,noauditlog,allow"
SecMarker END_BAIDU

# Target of the gate's skipAfter: requests whose UA names none of the crawlers
# above resume here and are not touched by this file.
SecMarker END_SEARCH_ENGINE