# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Copyright 2005-2019 by Atomicorp, Inc., all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.

# Baseline action set inherited by every SecRule/SecAction that follows and
# does not override it: evaluate in phase 2 (request body), write to the
# error log and the audit log, and block with HTTP 403.  A rule that says
# "deny" without its own "status:" (for example id 331217 below) inherits
# the 403 from here; a rule that sets its own "phase:" overrides phase 2.
SecDefaultAction "phase:2,log,auditlog,deny,status:403"
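#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security

# Slowloris-style detection: Apache answers 408 when a client holds a
# connection open without completing the request.  Logging phase only, so
# this can never block (phase 5 rules must "pass").
SecRule RESPONSE_STATUS "@streq 408" \
    "phase:5,id:343434,rev:1,t:none,log,auditlog,pass,severity:'4',msg:'Atomicorp.com WAF Rules: Client Connection dropped by Apache due to slow connection, possible Slowaris attack'"

# CtrlFunc_ flood tool: POST whose request line starts with "/?CtrlFunc_".
# @beginsWith is a literal, case-sensitive comparison; REQUEST_URI here
# includes the query string, which is what the "/?" prefix relies on.
SecRule REQUEST_METHOD "@streq POST" \
    "chain,phase:1,id:331215,rev:1,t:none,log,auditlog,deny,status:403,severity:2,msg:'Atomicorp.com WAF Rules: CtrlFunc Brute Force Attack Dropped'"
    SecRule REQUEST_URI "@beginsWith /?CtrlFunc_" "t:none"

# DOS rules go right up front.
#
# WordPress trackback resource exhaustion (wp-trackback.php).
#
# The trackback fields (charset, title) are request-body parameters, so
# these checks run in phase 2: in phase 1 the body has not been read and
# ARGS only contains query-string arguments, which would let a normal
# POST-based exploit through.  The two guard rules and the marker are kept
# in the same phase because skip/skipAfter only act within one phase.
#
# @pm is a literal phrase matcher, not a regex, so the phrase is written
# without a backslash escape ("." is already literal there).
SecRule REQUEST_URI "@pm /wp-trackback.php" \
    "phase:2,id:393939,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:393940,t:none,pass,nolog,noauditlog,skipAfter:END_DOS_CHECKS_WP"
# Many comma-separated charsets in one value (six utf-8 entries, or any five
# comma-separated entries after whitespace compression and lowercasing).
SecRule ARGS:charset "(?:utf-8,utf-8,utf-8,utf-8,utf-8,utf-8|,.*,.*,.*,.*,)" \
    "phase:2,id:390639,rev:3,t:none,t:urlDecodeUni,t:compressWhitespace,t:lowercase,log,auditlog,deny,status:403,severity:2,msg:'Atomicorp.com WAF Rules - Just In Time Patch: WordPRess trackback resource exhaustion attack'"
# Fixed marker string from the public proof of concept; a trivially altered
# title will not match this rule, so treat it as a signature, not a fix.
SecRule ARGS:title "abcedfgabcedfgabcedfgabcedfg" \
    "phase:2,id:390640,rev:2,t:none,t:urlDecodeUni,t:lowercase,log,auditlog,deny,status:403,severity:2,msg:'Atomicorp.com WAF Rules - Just In Time Patch: WordPRess trackback resource exhaustion attack'"
SecMarker END_DOS_CHECKS_WP

# Another variant of a DOS attack: known flood-tool query markers.
SecRule REQUEST_URI "\?(?:ptrxcz|xclzve)_" \
    "phase:1,id:370145,rev:2,t:none,t:urlDecodeUni,t:lowercase,log,auditlog,deny,status:403,severity:2,msg:'Atomicorp.com WAF Rules: Known wormsign'"

# WordPress flood pattern: "?NNN=NNN" (3-6 digit, optionally negative,
# numeric name and value).  Any legitimate URL with a purely numeric
# parameter name also matches, so the chain exempts /administrator/ only;
# extend the exemption if an application uses such parameters.
SecRule REQUEST_URI "\?-?[0-9]{3,6}=-?[0-9]{3,6}" \
    "chain,phase:1,id:331216,rev:2,t:none,log,auditlog,deny,status:403,severity:2,msg:'Atomicorp.com WAF Rules: Wordpress DOS Attack Dropped'"
    SecRule REQUEST_URI "!(^/administrator/)" "t:none,t:lowercase"

# Long lines: HEAD request with a 2000+ character alphanumeric query
# string.  No "status:" here, so the response code comes from
# SecDefaultAction.
SecRule REQUEST_METHOD "@streq HEAD" \
    "chain,phase:1,id:331217,rev:1,t:none,log,auditlog,deny,severity:2,msg:'Atomicorp.com WAF Rules: Possible DOS Attack Dropped'"
    SecRule REQUEST_URI "\?[0-9a-z]{2000,}" "t:none,t:lowercase"

# xmlrpc DOS attacks: a request to xmlrpc.php that carries a body
# (Content-Length present and non-zero) but no Content-Type header.
# NOTE(review): the middle rule tests REQUEST_HEADERS:Content-Length, so a
# request without that header (e.g. chunked transfer encoding) presumably
# gives the chain nothing to evaluate and is not blocked here — confirm
# whether that case should be covered as well.
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
    "chain,phase:1,id:'392331',rev:3,t:none,log,auditlog,deny,status:403,severity:'2',msg:'Atomicorp.com WAF Rules: xmlrpc DOS attack'"
    SecRule REQUEST_HEADERS:Content-Length "!^0$" "t:none,chain"
        SecRule REQUEST_URI "xmlrpc\.php" "t:none,t:urlDecodeUni,t:lowercase"

# Per count DOS checks.
#
# All ip.* variables below live in the IP persistent collection.  Nothing
# in this file initialises it; it has to be opened elsewhere (typically
# "initcol:ip=%{REMOTE_ADDR}" in an earlier rule) or every setvar on ip.*
# is silently discarded and this whole section never blocks anything.
# %{tx.real_ip} used in the messages is likewise expected to be set by an
# earlier rule — TODO confirm both against the surrounding configuration.
#
# Tunables: burst window (seconds), requests per burst, block duration.
SecAction "phase:1,id:350115,t:none,pass,nolog,noauditlog,setvar:'tx.dos_burst_time_slice=60',setvar:'tx.dos_counter_threshold=5',setvar:'tx.dos_block_timeout=600'"

# Already-blocked client: alert at most once every 60 s.  The setvar on the
# first rule runs whenever that rule matches (non-disruptive actions in a
# chain are not deferred), so the hit counter grows on every blocked
# request; the deny/log only fire when the chain completes, i.e. when the
# 60 s alert flag is not set.  The counter is copied into tx for the
# message and then reset.  Blocked clients get 404 rather than 403.
SecRule IP:DOS_BLOCK "@eq 1" \
    "chain,phase:1,id:350116,log,auditlog,deny,status:404,severity:2,msg:'Atomicorp.com WAF Rules: Potential Denial of Service (DoS) Attack Identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)',setvar:ip.dos_block_counter=+1"
    SecRule &IP:DOS_BLOCK_FLAG "@eq 0" "setvar:ip.dos_block_flag=1,expirevar:ip.dos_block_flag=60,setvar:tx.dos_block_counter=%{ip.dos_block_counter},setvar:ip.dos_block_counter=0"
# Block and track number of requests but don't log (the alert above already
# fired within the last 60 s).
SecRule IP:DOS_BLOCK "@eq 1" \
    "phase:1,id:'350117',t:none,deny,status:404,nolog,noauditlog,severity:2,setvar:ip.dos_block_counter=+1"
# Phase 5 still runs after a deny; skip the counting rules for a client
# that is already blocked.  The marker exists in every phase.
SecRule IP:DOS_BLOCK "@eq 1" \
    "phase:5,id:'350118',t:none,pass,nolog,noauditlog,skipAfter:END_DOS_PROTECTION_CHECKS"

# Count the number of requests to the protected resources.
# Only xmlrpc.php is protected here; the pmFromFile form below is the
# list-driven alternative.  Note ip.dos_counter has no expirevar: it keeps
# accumulating across requests until the threshold is exceeded and rule
# 350113 clears it.
#SecRule REQUEST_FILENAME "@pmFromFile dos_protected.txt"
SecRule REQUEST_FILENAME "xmlrpc\.php" \
    "phase:5,id:'350112',t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,setvar:ip.dos_counter=+1"
# If the request count is strictly greater than the threshold (@gt, so the
# 6th hit with the default of 5), count one burst, let the burst counter
# expire after the time slice, and reset the request counter.
SecRule IP:DOS_COUNTER "@gt %{tx.dos_counter_threshold}" \
    "phase:5,id:'350113',t:none,pass,nolog,noauditlog,setvar:ip.dos_burst_counter=+1,expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},setvar:!ip.dos_counter"
# Check DOS burst counter: two or more bursts inside one time slice sets the
# ip.dos_block flag for tx.dos_block_timeout seconds (600 by default, i.e.
# 10 minutes) and raises an alert.
SecRule IP:DOS_BURST_COUNTER "@ge 2" \
    "phase:5,id:'350114',rev:1,t:none,log,auditlog,pass,severity:3,tag:'no_ar',msg:'Atomicorp.com WAF Rules: Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',setvar:ip.dos_block=1,expirevar:ip.dos_block=%{tx.dos_block_timeout}"
SecMarker END_DOS_PROTECTION_CHECKS

# Optional: block WordPress XML-RPC pingbacks.  Left disabled.
# WARNING: this disabled rule reuses id 350116, which the active DoS block
# rule above already owns; ModSecurity refuses to load a configuration with
# a duplicate rule id, so assign a free id before enabling it.
#SecRule REQUEST_BASENAME "xmlrpc\.php" \
#    "chain,phase:2,deny,log,auditlog,severity:2,id:'350116',rev:1,msg:'Atomicorp.com WAF Rules: Wodpress XML Pingback (Disable if you want to allow pingbacks to Wordpress)',t:none,t:lowercase,t:urlDecodeUni"
#    SecRule REQUEST_BODY|XML:/* "pingback\.ping" "t:none,t:lowercase"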