SecDefaultAction "log,deny,auditlog,phase:2,status:403" # http://www.atomicorp.com/ # Atomicorp (Gotroot.com) ModSecurity rules # Known rootkits, remote toolkits, etc. signatures for modsec 2.x # # Copyright 2005-2016 by Atomicorp, Inc., all rights reserved. # Redistribution is strictly prohibited in any form, including whole or in part. # # Distribution of this work or derivative of this work in any form is # prohibited unless prior written permission is obtained from the # copyright holder. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF # THE POSSIBILITY OF SUCH DAMAGE. # #---ASL-CONFIG-FILE--- # Do not edit this file! # This file is generated and changes will be overwritten. # # If you need to make changes to the rules, please follow the procedure here: # http://www.atomicorp.com/wiki/index.php/Mod_security #Master list of known malware script file names SecRule REQUEST_URI "(?:ogg|gopher|zlib|(?:ht|f)tps?)\:/" "phase:2,chain,capture,log,auditlog,t:none,t:urlDecodeUni,t:replaceNulls,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:390500,rev:2,severity:2,msg:'Atomicorp.com Malware Script Blacklist: Possible Malware Script detected in URL',logdata:'%{TX.0}'" SecRule REQUEST_URI "@pmFromFile malware_names.txt" SecRule SERVER_PORT "@streq 30000" "phase:2,id:337852,pass,t:none,nolog,noauditlog,skipAfter:END_ROOTKIT_FINAL_2" #default is to trick them with a 404 SecRule REQUEST_FILENAME "@pmFromFile malware_names.txt" "phase:2,chain,log,auditlog,deny,status:404,capture,t:none,t:urlDecodeUni,t:normalisePath,id:390501,rev:4,severity:2,msg:'Atomicorp.com Malware Script Blacklist: Known Malware detected in Request Filename',logdata:'%{TX.0}'" SecRule REQUEST_METHOD "(?:POST|GET)" "t:none,chain" SecRule REQUEST_FILENAME "!@rx ^/.well-known/acme-challenge/" "t:none" SecMarker END_ROOTKIT_FINAL_2