# Default disposition for phase 2 rules in this context: log the match, write
# an audit log entry, and deny the request with HTTP 403. Rules below that set
# their own disruptive action (pass/deny) override the "deny" default.
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# Atomicorp (Gotroot.com) ModSecurity rules
# Anti Spam rules
#
# Created by Prometheus Global (http://www.prometheus-group.com)
# Copyright 2005 - 2022 by Atomicorp, Inc. All rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security

# Phase 2 rules
# Rule 300000: Blacklist of referer spam hostnames
# NOTE(review): the heading above does not describe the rule that follows.
# Rule 339853 compares SERVER_PORT with the literal string "30000" and, on a
# match, silently (nolog,noauditlog) passes and jumps to the END_SPAM_URI
# marker.
# NOTE(review): this rule runs in phase 1, and skipAfter only affects rule
# processing within the phase of the rule that triggers it. Every other rule
# visible in this file runs in phase 2, so this skip does not appear to exempt
# port 30000 traffic from them - confirm the intended phase with the vendor.
SecRule SERVER_PORT "@streq 30000" "phase:1,id:339853,pass,t:none,nolog,noauditlog,skipAfter:END_SPAM_URI"

#Skip SPAM rules if this is a not something to check for spam, like graphics, videos, CSS, ico, docs, etc.
# Rule 333938: static-content exemption. If the lowercased REQUEST_FILENAME
# ends in one of the listed media/document extensions, pass silently and jump
# to END_SPAM_URI so none of the spam checks below run for this request.
# NOTE(review): the decision rests only on the suffix of the client-supplied
# path. Whether a request whose path ends in one of these extensions can still
# reach a dynamic handler depends on the web server configuration - verify
# before relying on this exemption.
SecRule REQUEST_FILENAME "\.((m|j)pe?g4?|bmp|tiff?|p((p|g|b)m|n(g|m)|df|s)|gif|js|css|flv|ico|avi|w(m(?:v|a)|ebp)|mp(3|4)|cgm|svg|swf|og(m|v|x)|te?xt|doc|xls|od(?:t|s)|ppt|wbk)$" "phase:2,id:333938,pass,t:none,t:lowercase,nolog,noauditlog,skipAfter:END_SPAM_URI"

#Concrete 5 editing bypass
# Rule 333939: if the request parameter ccm-edit-block-submit equals "submit"
# (after URL decoding and lowercasing), pass silently and jump to END_SPAM_URI.
# NOTE(review): the exemption is keyed only on a request parameter, with no
# check of the request path or of an authenticated session, so it applies to
# any request carrying that parameter. On sites that do not run Concrete5,
# consider disabling it through the vendor's rule-management procedure.
SecRule ARGS:ccm-edit-block-submit "^submit$" "phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,id:333939,skipAfter:END_SPAM_URI"

#Skip SPAM rules for admin applications and the like
# Rule 333940: if the URL-decoded, lowercased REQUEST_URI matches any of the
# listed admin/editor path or query fragments, pass silently and jump to
# END_SPAM_URI.
# NOTE(review): REQUEST_URI includes the query string and most alternatives are
# unanchored (e.g. /secure/, /cms/, /wp-admin/), so the exemption can be
# satisfied by text anywhere in the URL rather than by the handler actually
# being requested. Matching path fragments against REQUEST_FILENAME and
# anchoring them would narrow this.
# NOTE(review): in "include\.php?path", "index\.php?s=" and "update\.php?pageid"
# the "?" is unescaped, so it acts as a quantifier making the preceding "p"
# optional instead of matching a literal question mark. Those alternatives
# therefore presumably never match the URLs they were written for; the effect
# is that the spam checks still run for them.
SecRule REQUEST_URI "(?:/(?:(?:i(?:nclude\.php?path=forum/editpost|mp/compose)|pr(?:o(?:duct_thumb|file)|eview_static_cgi)|callback|diagnostics|editsection|tickets)\.php|system/index\.php?s=.*c=(?:publish|edit)&m=new_entry$|workshops/register\.php|link(?:machine/linkmachine\.php|s/\?act=addsite)|(?:\?modulo=loja&action|update\.php?pageid)=|nav\.php\?nav=(?:moderate|addnews)|cgi-bin/mailinglist/mail\.cgi)|/(?:(?:s(?:itebuilder|hopadmin)|cms/resources/edit|hspc/pcc|node/add|vsadmin)/|w(?:p-(?:content/plugins|admin)/|izard/edit/html)|adm(?:in(?:istrator/)?|/))|\?(?:(?:p=admin_cms|task=edit|tab=admin[a-z]+)&|action=admin)|node/[0-9]+/edit|^/\?[sv]=|\?q=ckeditor|/secure/|/site-?admin/|/ndxz-studio/|/wp-admin/|/cms/|/file/ajax/|/members/editing/|/comment/reply/[0-9]+|/new/[0-9]+/confirm|/index\.php\?option=com_jreviews|/calendar/index\.php\?act=calendar&code=addnewevent)" "phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,id:333940,skipAfter:END_SPAM_URI"

############ SPAMMY URLS ########################
#
# Rules 333941 and 353535 form a cheap pre-filter and depend on their order.
# 333941 does a phrase match for "http://", "https://" or "@" in any argument;
# on a match, skip:1 jumps over the SecAction directly below so the blocklist
# lookup runs. When nothing matches, the unconditional SecAction 353535 jumps
# to END_SPAM_URI, so requests without link-like content never trigger a DNS
# lookup.
# NOTE(review): this pre-filter applies t:htmlEntityDecode and
# t:compressWhiteSpace, while rule 377777 below does not. Input that only looks
# like a URL after entity decoding passes the pre-filter but is not matched by
# 377777; aligning the two transformation lists would close that gap.
SecRule ARGS "@pm http:// https:// @" "id:333941,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:353535,t:none,pass,nolog,noauditlog,skipAfter:END_SPAM_URI"

#Check spam domain to see if its on the URIRBL list
# Rule 377777 is a three-step chain that denies the request only if every step
# matches:
#   1. An argument contains http:// or https:// followed by text and a "/".
#      The text between the scheme and the first "/" is captured into TX:1 and
#      copied to tx.domain for the logdata field.
#   2. TX:1 is looked up with @rbl against multi.uribl.com; the lookup result
#      is captured into TX:0.
#   3. TX:0 must contain "BLACK", so only that list's hits block the request.
# NOTE(review): step 1 requires a "/" after the host, so a submitted link with
# no path is never looked up, and the capture is everything up to the first
# "/" - presumably including any port or userinfo, which would not resolve as
# a blocklist name. Only the first URL matched in an argument is captured.
# NOTE(review): the lookup is a DNS query made in the request path. A failed or
# refused lookup produces no match, so the chain fails open without logging,
# and URIBL is understood to limit queries that arrive through large shared
# resolvers - confirm that the resolver used by this host is actually being
# answered.
# NOTE(review): msg spells the list "urirbl.com" while the zone queried is
# multi.uribl.com; the string is left unchanged because log consumers may match
# on it.
SecRule ARGS "https?\://(.*?)/" "chain,log,auditlog,phase:2,severity:2,id:377777,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,capture,msg:'Atomicorp.com WAF Rules: Possible Spam Domain: URIBL Match of Submitted Link Domain on urirbl.com blocklist. (Report False Positives to www.uribl.com)',logdata:'%{tx.domain}',setvar:tx.domain=%{tx.1}"
SecRule TX:1 "@rbl multi.uribl.com" "capture,chain"
SecRule TX:0 "(BLACK)" t:none

#Check spam domain to see if its on the URIRBL list
# Disabled variant (id 377779) that would look up the text following an "@" in
# an argument; it is commented out and has no effect.
#SecRule ARGS "@(.*?)"
# "chain,log,phase:2,id:377779,severity:2,rev:1,t:none,t:urlDecodeUni,t:lowercase,deny,capture,msg:'Atomicorp.com WAF Rules: Possible Spam Domain: URIBL Match of Submitted Link Domain on urirbl.com blocklist.',logdata:'%{tx.domain}',setvar:tx.domain=%{tx.1}"
#SecRule TX:1 "@rbl multi.uribl.com" "capture,chain"
#SecRule TX:0 "(BLACK)" t:none

#All spam end
# Jump target for every skipAfter:END_SPAM_URI action above.
SecMarker END_SPAM_URI