SecDefaultAction "log,deny,auditlog,phase:2,status:403" # http://www.atomicorp.com/ # Atomicorp (Gotroot.com) ModSecurity rules # Application Security Rules for modsec 2.x # # Copyright 2005-2023 by Atomicorp, Inc. all rights reserved. # Redistribution is strictly prohibited in any form, including whole or in part. # # Distribution of this work or derivative of this work in any form is # prohibited unless prior written permission is obtained from the # copyright holder. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF # THE POSSIBILITY OF SUCH DAMAGE. # #---ASL-CONFIG-FILE--- # # Do not edit this file! # This file is generated and changes will be overwritten. # # If you need to make changes to the rules, please follow the procedure here: # http://www.atomicorp.com/wiki/index.php/Mod_security # Detect HTTP Smuggling attempts by checking for multiple conflicting headers # Rule to detect multiple Content-Length headers SecRule &REQUEST_HEADERS:Content-Length "@ge 2" "id:300111,rev:1,phase:2,t:none,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules: HTTP Smuggling Attack: Multiple Content-Length headers detected',severity:CRITICAL" # Rule to detect multiple Transfer-Encoding headers SecRule &REQUEST_HEADERS:Transfer-Encoding "@ge 2" "id:300112,rev:1,phase:2,t:none,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules: HTTP Smuggling Attack: Multiple Transfer-Encoding headers detected',severity:CRITICAL" # Rule to detect both Content-Length and Transfer-Encoding headers in the same request SecRule REQUEST_HEADERS:Content-Length "[0-9]+" "chain,id:300113,rev:2,phase:2,t:none,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules: HTTP Smuggling Attack: Both Content-Length and Transfer-Encoding headers detected',severity:CRITICAL" SecRule REQUEST_HEADERS:Transfer-Encoding "chunked" "t:none,t:lowercase" # Rule to detect inconsistent Content-Length and Transfer-Encoding headers SecRule REQUEST_HEADERS:Content-Length "[0-9]+" "chain,id:300114,rev:2,phase:2,t:none,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules: HTTP Smuggling Attack: Inconsistent Content-Length and Transfer-Encoding headers detected',severity:CRITICAL" SecRule REQUEST_HEADERS:Transfer-Encoding "!@rx ^(identity|chunked)$" "t:none,t:lowercase"