modsecurity-waf/nginx-waf/00_asl_zz_strict.conf


# Default disposition for the phase-2 rules in this file that do not set their
# own disruptive action: deny with HTTP 403 and write both the error log and
# the audit log. Rules carrying explicit pass/deny/status/nolog actions
# override these defaults.
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# Per-application exclusions. Each rule matches REQUEST_FILENAME (the path
# part of the URL only, lowercased first) against an UNANCHORED regex and, on
# a hit, removes the listed rule id(s) for the remainder of this transaction:
#   390703 - URL-encoding validation of REQUEST_URI
#   390704 - URL-encoding validation of the request body / XML payload
#   390721 - multiple-URL-encoding check (its definition appears commented out
#            further down in this file, so these removals are no-ops here)
#   390722 - CR/LF in GET arguments
#   330792 - multipart unmatched-boundary check
#   330791 - not defined in the part of the file shown; assumed to live in
#            another rule file - confirm
# Because the patterns are unanchored, a short pattern such as "/ajax\.php"
# exempts every path that merely contains that substring; review the broadest
# entries when tightening the policy.
# These rules run in phase:2 and are evaluated before the rules they remove,
# so the ctl:ruleRemovebyID takes effect for this transaction. The option is
# spelled "ruleRemovebyID" here and "ruleRemoveById" in rule 330794 below;
# same option, different casing - presumably matched case-insensitively by
# the engine, but confirm on the version in use.
SecRule REQUEST_FILENAME "/wp-admin/user-new\.php" "phase:2,id:91007,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390703"
SecRule REQUEST_FILENAME "/wp-admin/options-permalink\.php" "phase:2,id:91008,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390703"
SecRule REQUEST_FILENAME "/shop/remote\.php" "phase:2,id:91009,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390703"
SecRule REQUEST_FILENAME "/administrator/ajax-tab\.php" "phase:2,id:91010,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/livezilla/server\.php" "phase:2,id:91011,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/wp-admin/options\.php" "phase:2,id:91012,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/shop/admin/remote\.php" "phase:2,id:91013,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/ts_manage\.php" "phase:2,id:91014,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/phpmyadmin/import\.php" "phase:2,id:91015,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330792"
SecRule REQUEST_FILENAME "csfileshare/csfileshare\.cgi" "phase:2,id:91016,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330792"
SecRule REQUEST_FILENAME "/ajax\.php" "phase:2,id:91017,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/beheer\.php" "phase:2,id:91018,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390703"
SecRule REQUEST_FILENAME "/wp-admin/async-upload\.php" "phase:2,id:91019,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330791"
SecRule REQUEST_FILENAME "/wp-admin/post\.php" "phase:2,id:91020,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/newreply\.php" "phase:2,id:91021,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/showmail\.php" "phase:2,id:91022,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/parsechecker\.php" "phase:2,id:91023,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704,ctl:ruleRemovebyID=390708"
SecRule REQUEST_FILENAME "/limesurvey/index\.php" "phase:2,id:91024,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/modules/v7_pages_engine\.php" "phase:2,id:91025,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/tce_file\.php" "phase:2,id:91026,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/admin/updatepage\.php" "phase:2,id:91027,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/redaxo/index\.php" "phase:2,id:91028,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/colors\.css\.php" "phase:2,id:91029,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390703"
SecRule REQUEST_FILENAME "/cgi-bin/potd/ir_potd_enter\.pl" "phase:2,id:91030,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390703,ctl:ruleRemovebyID=330793"
SecRule REQUEST_FILENAME "/multilang/" "phase:2,id:91031,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390703"
SecRule REQUEST_FILENAME "/soap\.hsp" "phase:2,id:91032,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/index\.php/api/xmlrpc" "phase:2,id:91033,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390704"
SecRule REQUEST_FILENAME "/amember/admin-users" "phase:2,id:91034,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390721"
SecRule REQUEST_FILENAME "/v2c/json/" "phase:2,id:91035,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390721"
SecRule REQUEST_FILENAME "/v2a/json/" "phase:2,id:91036,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390721"
SecRule REQUEST_FILENAME "/v1c/json/" "phase:2,id:91037,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390721"
SecRule REQUEST_FILENAME "/services/bmsubscribers\.json" "phase:2,id:91038,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390721"
SecRule REQUEST_FILENAME "/phpmyadmin/index\.php" "phase:2,id:91039,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390722"
SecRule REQUEST_FILENAME "/ipac20/ipac\.jsp" "phase:2,id:91040,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=390722"
SecRule REQUEST_FILENAME "/toolbox_nb/" "phase:2,id:91041,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330791,ctl:ruleRemovebyID=330792,ctl:ruleRemovebyID=390722"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Copyright 2005-2019 by Atomicorp, Inc., all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#
#Detect possible evasion attempt
# 330792: the multipart parser saw a boundary-like line it could not match.
# Log-only (pass) in this profile; tag no_ar marks it as not to be acted on
# automatically.
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" "phase:2,log,auditlog,t:none,pass,msg:'Multipart parser detected a possible unmatched boundary. This may be an impedence mismatch attack, a broken application or a broken connection. This is not a false positive. Check your application or client for errors.',id:'330792',rev:3,severity:5,tag:'no_ar'"
#Disable below rule if filename contains a single quote
# 330794 (chain): when the ONLY multipart defect is invalid quoting
# (MULTIPART_INVALID_QUOTING == 1 while every other flag tested here is 0),
# remove the strict check 330793 for this transaction so that a quote inside
# an uploaded filename does not produce a 403. MULTIPART_SEMICOLON_MISSING is
# reported by the 330793 msg but is not tested by this chain.
# NOTE(review): the MULTIPART_* flags are filled in by the request body
# processor, i.e. after phase 1 has already run; at phase:1 the "@eq 1" test
# on MULTIPART_INVALID_QUOTING does not look like it can ever succeed, which
# would leave 330793 always active. Confirm against the engine in use;
# phase:2, placed ahead of 330793, would be the expected fix.
SecRule MULTIPART_BOUNDARY_QUOTED "@eq 0" "t:none,id:330794,nolog,noauditlog,phase:1,chain,pass,ctl:ruleRemoveById=330793"
SecRule REQBODY_PROCESSOR_ERROR "@eq 0" "t:none,chain"
SecRule MULTIPART_BOUNDARY_WHITESPACE "@eq 0" "t:none,chain"
SecRule MULTIPART_DATA_BEFORE "@eq 0" "t:none,chain"
SecRule MULTIPART_DATA_AFTER "@eq 0" "t:none,chain"
SecRule MULTIPART_HEADER_FOLDING "@eq 0" "t:none,chain"
SecRule MULTIPART_LF_LINE "@eq 0" "t:none,chain"
SecRule MULTIPART_INVALID_QUOTING "@eq 1" "t:none,chain"
SecRule MULTIPART_INVALID_HEADER_FOLDING "@eq 0" "t:none,chain"
SecRule MULTIPART_INVALID_PART "@eq 0" "t:none,chain"
SecRule MULTIPART_FILE_LIMIT_EXCEEDED "@eq 0" "t:none"
#Enforce strict multipart body checks
# 330793: any strict multipart parsing error -> 403. The msg dumps every
# individual flag so the audit log shows which condition tripped.
SecRule MULTIPART_STRICT_ERROR "!@eq 0" "phase:2,log,auditlog,t:none,deny,status:403,msg:'Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}, BQ %{MULTIPART_BOUNDARY_QUOTED}, BW %{MULTIPART_BOUNDARY_WHITESPACE}, DB %{MULTIPART_DATA_BEFORE}, DA %{MULTIPART_DATA_AFTER}, HF %{MULTIPART_HEADER_FOLDING}, LF %{MULTIPART_LF_LINE}, SM %{MULTIPART_SEMICOLON_MISSING}, IQ %{MULTIPART_INVALID_QUOTING}, IH %{MULTIPART_INVALID_HEADER_FOLDING}, IP %{MULTIPART_INVALID_PART}, FL %{MULTIPART_FILE_LIMIT_EXCEEDED}',id:'330793',rev:3,severity:2"
# 350708: deny when the engine raised an internal-error flag, i.e. any TX
# variable named MSC_* whose value is not the string "0" (for example
# MSC_PCRE_LIMITS_EXCEEDED). Fail closed rather than let a partially
# inspected request through.
SecRule TX:/^MSC_/ "!@streq 0" "id:'350708',severity:'3',phase:2,log,auditlog,t:none,deny,status:403,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
# 350709 / 350710: the request or response body exceeded SecRequestBodyLimit
# or SecResponseBodyLimit -> 403.
# NOTE(review): OUTBOUND_DATA_ERROR is only set once the response body has
# been read (the response phases), so evaluating it at phase:1 looks
# ineffective; confirm and consider phase:4 for 350710.
SecRule INBOUND_DATA_ERROR "@eq 1" "phase:1,id:350709,deny,status:403,t:none,auditlog,log,msg:'Request Body Larger than SecRequestBodyLimit Setting',severity:'4'"
SecRule OUTBOUND_DATA_ERROR "@eq 1" "phase:1,id:350710,deny,status:403,t:none,auditlog,log,msg:'Response Body Larger than SecResponseBodyLimit Setting',severity:'4'"
# 314681: request method containing the literal token "COOK" (case-sensitive,
# unanchored, t:none) -> 403. A narrow signature, not a general method
# allow-list.
SecRule REQUEST_METHOD "COOK" "capture,deny,log,auditlog,status:403,t:none,phase:1,id:314681,rev:1,severity:3,msg:'Atomicorp.com WAF Rules: Invalid HTTP method detected',logdata:'%{TX.0}'"
# 390703 (chain): cheap pre-filter - a "%" followed by a word character
# anywhere in REQUEST_URI - then the real check, @validateUrlEncoding, on the
# same variable; a failed validation is answered with 400 (not the default
# 403). The pre-filter does not forward a "%" that ends the URI or is followed
# by a non-word character, so those malformed escapes never reach the
# validator; confirm that narrowing is intended.
SecRule REQUEST_URI "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain,phase:2,t:none,log,auditlog,deny,status:400,msg:'Atomicorp.com WAF Rules: Possible URL Encoding Abuse Attack Attempt',id:'390703',rev:5,severity:'5'"
SecRule REQUEST_URI "@validateUrlEncoding"
# 374357 (chain, phase:1): for text/xml, application/xml or application/soap*
# content types (lowercased first), switch the request body processor to XML
# unless it already is, which the XML:/* targets in later rules rely on.
SecRule REQUEST_HEADERS:Content-Type "^(text/xml|application/(soap|xml))" "chain,id:374357,rev:3,phase:1,t:none,t:lowercase,pass,nolog,noauditlog"
SecRule REQBODY_PROCESSOR "!@streq XML" "ctl:requestBodyProcessor=XML"
# 390704 (chain): for application/x-www-form-urlencoded or text/xml bodies
# (anchored match on Content-Type with an optional charset parameter;
# case-sensitive since only t:none is applied) run the same "%"-plus-word-char
# pre-filter and then @validateUrlEncoding over the raw body and every XML
# node; failure -> 400.
SecRule REQUEST_HEADERS:Content-Type "^(application\/x-www-form-urlencoded|text\/xml)(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" "chain,phase:2,t:none,log,auditlog,deny,status:400,msg:'Atomicorp.com WAF Rules: Possible Encoding Abuse Attack Attempt',id:'390704',rev:1,severity:'5'"
SecRule REQUEST_BODY|XML:/* "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain"
SecRule REQUEST_BODY|XML:/* "@validateUrlEncoding"
#Check for suspicious indicators, such as missing Host: headers, empty headers, numeric, etc.
# All three rules here are log-only (pass) and tagged no_ar; requests from
# 127.0.0.1 / ::1 are exempted from the missing-Host and numeric-Host checks.
# 331030 (chain): no Host header at all from a non-loopback client -> log it
# (log/auditlog inherited from SecDefaultAction) and skipAfter END_HOST_CHECK,
# since the two header-content checks below cannot apply to a missing header.
SecRule &REQUEST_HEADERS:Host "@eq 0" "chain,skipAfter:END_HOST_CHECK,phase:2,rev:2,t:none,pass,msg:'Atomicorp.com WAF Rules: Suspicious activity detected - HTTP Request Missing a Host Header',id:'331030',severity:'5',tag:'no_ar'"
SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" "t:none"
# 331031: Host header present but empty.
SecRule REQUEST_HEADERS:Host "^$" "phase:2,rev:1,log,auditlog,t:none,pass,msg:'Atomicorp.com WAF Rules: Suspicious activity detected - Empty Host Header detected in HTTP request',id:'331031',severity:'5',tag:'no_ar'"
# 331032 (chain): Host consists only of digits, dots and colons (an IPv4 or
# all-numeric IPv6 literal; bracketed or hex-containing IPv6 forms are not
# matched) from a non-loopback client.
# NOTE(review): severity is given twice on this rule ('2' and then '5'); the
# later value is presumably the one that sticks - drop one of them. There is
# also a stray space after the comma before the first severity.
SecRule REQUEST_HEADERS:Host "^[\d.:]+$" "chain,phase:2,rev:4,log,auditlog,t:none,pass,msg:'Atomicorp.com WAF Rules: Suspicious activity detected - Host header is a numeric IP address', severity:'2',id:'331032',severity:'5',tag:'no_ar'"
SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" "t:none"
SecMarker END_HOST_CHECK
# 373944: requests whose URI starts with /eprocservice/supplierinboundservice
# (lowercased first; REQUEST_URI includes the query string) jump to
# END_390717, skipping everything down to that marker: response splitting,
# restricted file extensions, the unicode-width check, the "/???/" check and
# the whole session-fixation section. This is a broad per-application
# exemption; keep it in mind when reviewing what that endpoint may receive.
SecRule REQUEST_URI "^/eprocservice/supplierinboundservice" "phase:2,pass,t:none,t:lowercase,nolog,noauditlog,id:373944,skipAfter:END_390717"
# Previous revision of 390713, kept disabled:
#SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "%0[ad]content-(type|length) ?:" "log,auditlog,deny,log,status:403,phase:2,rev:3,t:none,t:lowercase,t:compressWhitespace,capture,ctl:auditLogParts=+E,auditlog,msg:'Atomicorp.com WAF Rules: HTTP Response Splitting Attack',id:'390713',logdata:'%{TX.0}',severity:'2'"
# 390713: HTTP response splitting - a CR/LF followed by a response-header name
# (content-type, content-length, set-cookie, location) in cookie values
# (__utm* cookies excluded), cookie names, argument names/values or XML nodes,
# after lowercasing and whitespace compression -> 403. The request is also
# added to the audit log (auditLogParts=+E) so the response body is kept.
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\r\n]\W*?(?:content-(?:type|length)|set-cookie|location):\s*\w" "log,auditlog,deny,log,status:403,phase:2,rev:4,t:none,t:lowercase,t:compressWhitespace,capture,ctl:auditLogParts=+E,auditlog,msg:'Atomicorp.com WAF Rules: HTTP Response Splitting Attack',id:'390713',logdata:'%{TX.0}',severity:'2'"
# 390714 (phase:1): raw CR or LF in the request filename after URL decoding
# -> 403.
# NOTE(review): logdata references %{TX.0} but this rule has no "capture"
# action, so the logged value is whatever an earlier rule captured (usually
# nothing); add capture or drop the placeholder.
SecRule REQUEST_FILENAME "@rx [\n\r]" "id:390714,rev:2,severity:2,phase:1,deny,status:403,t:none,t:urlDecodeUni,msg:'Atomicorp.com WAF Rules: HTTP Splitting (CR/LF in request filename detected)',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',log,auditlog"
# 391009: builds the restricted-extension list consumed by 390716. Every entry
# is written as ".ext/" and separated by a space so that @within cannot match
# a shorter extension as a prefix of a longer one (".sq/" vs ".sql/").
SecAction "phase:2,id:'391009',t:none,nolog,noauditlog,pass,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsx/'"
# 390716 (chain): capture the final extension of REQUEST_BASENAME (only the
# last ".xxx" segment), store it as tx.extension=".<ext>/", then - after URL
# decoding and lowercasing that value - test it with @within against the
# list above -> 403 on a hit.
SecRule REQUEST_BASENAME "@rx \.([^.]+)$" "id:390716,rev:2,phase:2,deny,status:403,severity:3,capture,t:none,msg:'Atomicorp.com WAF Rules: URL file extension is restricted by policy',logdata:'%{TX.0}',setvar:'tx.extension=.%{tx.1}/',log,auditlog,chain"
SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" "t:none,t:urlDecodeUni,t:lowercase"
# 390621 (chain): a "%uFFxx" (fullwidth / unicode-width) escape anywhere in
# the body, request headers (Referer and Cookie excluded) or XML nodes -> 403,
# unless the matched variable contains "%uFFFD" (replacement character). Note
# the exemption looks at the whole variable value, so one "%uFFFD" in a value
# also exempts any other "%uFFxx" present in that same value.
SecRule REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie "\%u[fF]{2}[0-9a-fA-F]{2}" "log,auditlog,deny,log,status:403,chain,t:none,capture,phase:2,msg:'Atomicorp.com WAF Rules: Unicode Width Attack Attempt',id:'390621',rev:5,severity:'4',logdata:'%{TX.0}'"
SecRule MATCHED_VAR "!(%uFFFD)" "t:none"
#bash style encoding evasion
#/???
# 390763: the literal sequence "/???/" in REQUEST_URI or any argument value
# after URL decoding -> 403.
SecRule REQUEST_URI|ARGS "\/\?\?\?/" "phase:2,t:none,t:urlDecodeUni,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules: Command Line style Encoding Abuse Attack Attempt',id:'390763',rev:5,severity:'2'"
# Old 390717 (duplicate content-type in the body), kept disabled; the
# END_390717 marker below still carries its name.
#SecRule REQUEST_BODY "content-type ?:.*content-type ?:" "log,auditlog,deny,status:403,phase:2,rev:2,t:none,t:lowercase,t:compressWhitespace,capture,ctl:auditLogParts=+E,auditlog,msg:'Atomicorp.com WAF Rules: HTTP Response Splitting Attack',id:'390717',logdata:'%{TX.0}',severity:'2'"
#session fixation attacks
# Gate: 333795 is a fast @pm pre-filter over filename, arguments, headers
# (Referer excluded) and XML for cookie / session-id tokens. On a hit, skip:1
# jumps over the SecAction 334360; otherwise 334360 jumps to
# END_SESSION_FIX_PROTECTION, so the three rules below only run when one of
# the tokens is present somewhere in the request.
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm set-cookie .cookie jsessionid aspsessionid asp.net_sessionid phpsession phpsessid weblogicsession session_id session-id cfid cftoken cfsid jservsession jwsession" "phase:2,id:'333795',t:none,t:urlDecodeUni,t:htmlEntityDecode,pass,nolog,noauditlog,skip:1"
SecAction "phase:2,id:334360,t:none,pass,nolog,noauditlog,skipAfter:END_SESSION_FIX_PROTECTION"
# 390708: a ".cookie ... ;expires=" / ";domain=" style assignment, or an
# http-equiv set-cookie directive, in the filename, argument names or
# argument values (ARGS:text excluded) -> deny. Responds with 501 rather than
# the 403 used elsewhere in this file; confirm that is intentional.
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|!ARGS:text "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" "phase:2,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Atomicorp.com WAF Rules: Session Fixation Attack',id:'390708',rev:5,logdata:'%{TX.0}',severity:'2'"
# 390718: same pattern over request headers (Referer excluded) and XML nodes,
# additionally URL-decoded first.
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Atomicorp.com WAF Rules: Session Fixation Attack',id:'390718',rev:1,logdata:'%{TX.0}',severity:'2'"
# 390739 (chain): an argument NAME is a known session-id name, the Referer is
# an http(s)/ftp(s) URL, and the host part captured from it does not begin
# with this request's Host header -> 403. With no Referer the chain does not
# complete and nothing is blocked. @beginsWith also accepts any referer host
# that merely starts with the Host value (a longer name sharing the prefix);
# an exact comparison would be stricter.
SecRule ARGS_NAMES "@pm jsessionid aspsessionid asp.net_sessionid phpsession phpsessid weblogicsession session_id session-id cfid cftoken cfsid jservsession jwsession" "log,auditlog,chain,phase:2,rev:1,t:none,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,status:403,msg:'Atomicorp.com WAF Rules: Possible Session Fixation attack',id:390739,logdata:'%{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2'"
SecRule REQUEST_HEADERS:Referer "^(?:ht|f)tps?://(.*?)\/" "chain,capture"
SecRule TX:1 "!@beginsWith %{request_headers.host}"
SecMarker END_SESSION_FIX_PROTECTION
SecMarker END_390717
#Enforce proper requests per HTTP RFC
# 330700 (chain): REQUEST_LINE (lowercased) does NOT match the RFC
# request-line shape AND the chained User-Agent rule below also matches
# -> 403.
SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" "chain,deny,status:403,t:none,t:lowercase,capture,phase:2,rev:2,log,auditlog,msg:'Atomicorp.com WAF Rules: Invalid HTTP Request Line in violation of RFC (if you do not wish to follow HTTP RFCs, disable this rule)',id:'330700',severity:'4',logdata:'%{TX.0}'"
#Java 1.6 doesn't seem to follow the RFC correctly
# NOTE(review): as written the chain only DENIES when the User-Agent matches
# "^java/1\.6", i.e. the rule fires for Java 1.6 clients alone and is a no-op
# for every other client; the comment above suggests an exemption was
# intended, which would need a negated pattern ("!^java/1\.6"). In addition,
# this chained rule carries no t:lowercase of its own, so the case-sensitive
# pattern will not match a "Java/1.6..." agent string either. Either way the
# rule looks ineffective - confirm the intent before changing it.
SecRule REQUEST_HEADERS:User-Agent "^java/1\.6"
# 330773: any request carrying a Proxy header -> 403. A client-supplied Proxy
# header would otherwise be exposed to CGI-style backends as HTTP_PROXY.
SecRule &REQUEST_HEADERS:Proxy "@gt 0" "deny,status:403,t:none,capture,phase:2,rev:2,log,auditlog,msg:'Atomicorp.com WAF Rules: client redefining HTTP_PROXY value denied',id:'330773',severity:'4',logdata:'%{TX.0}'"
#Header sanitization
#php code injection in select headers
# 356331: a "<?" (optional spaces allowed) after URL decoding and whitespace
# compression in the listed proxy / device / forwarding headers -> 403.
# No "capture" on this rule, so the %{TX.0} in logdata is not this rule's
# own match.
# NOTE(review): "REQUEST_HEADERS:X-OPERAMINI-*" is written as a glob; as far
# as I know collection selectors are either a literal name or a /regex/, so
# this entry can only match a header literally named "X-OPERAMINI-*". The
# regex form (e.g. REQUEST_HEADERS:/^x-operamini-/) would cover the family -
# confirm selector syntax for the engine version in use.
SecRule REQUEST_HEADERS:X-Forwarded-For|REQUEST_HEADERS:X-Real-IP|REQUEST_HEADERS:Reverse-Via|REQUEST_HEADERS:X-Varnish|REQUEST_HEADERS:X-UA-Compatible|REQUEST_HEADERS:X-Powered-By|REQUEST_HEADERS:TE|REQUEST_HEADERS:X-REQUESTED-WITH|REQUEST_HEADERS:X-PIPER-ID|REQUEST_HEADERS:X-UCBROWSER-UA|REQUEST_HEADERS:X-WAP-PROFILE|REQUEST_HEADERS:X-EBO-UA|REQUEST_HEADERS:X-OPERAMINI-*|REQUEST_HEADERS:DEVICE-STOCK-UA|REQUEST_HEADERS:FORWARDED|REQUEST_HEADERS:WAP-CONNECTION|REQUEST_HEADERS:X-CONTENT-OPT "< ?\? ?" "deny,status:403,phase:2,t:none,t:urlDecodeUni,t:compressWhiteSpace,rev:2,log,auditlog,msg:'Atomicorp.com WAF Rules: Code injection in HTTP header attack blocked',id:'356331',severity:'1',logdata:'%{TX.0}'"
# Disabled predecessors of 356332 (three commented-out lines, shown fused
# onto a single line in this copy of the file):
#SecRule REQUEST_HEADERS:X-Forwarded-For "%"
#SecRule REQUEST_HEADERS:X-Forwarded-For|REQUEST_HEADERS:X-ProxyUser-Ip "^[a-z0-9/ ,\:]+$"
# "phase:2,deny,status:403,id:356332,rev:3,t:none,t:lowercase,log,auditlog,msg:'Atomicorp.com WAF Rules: invalid character in X-Forwarded for header',severity:'3'"
# 356332: a "><" or "{::" sequence in User-Agent after URL decoding and
# whitespace removal -> 403.
SecRule REQUEST_HEADERS:User-Agent "(?:><|\{\:\:)" "phase:2,deny,status:403,id:356332,rev:1,t:none,t:urlDecodeUni,t:removewhitespace,log,auditlog,msg:'Atomicorp.com WAF Rules: invalid characters in User-Agent header',severity:'2'"
# 390721 (multiple URL encoding in arguments) is disabled here; the exclusion
# rules at the top of this file that remove id 390721 are therefore no-ops
# unless the rule is enabled in another file.
#SecRule ARGS|!ARGS:_wp_http_referer|!ARGS:jsess|!ARGS:wp_http_referer|!ARGS:selection|!ARGS:permalink_structure|!ARGS:message|!ARGS:/post/|!ARGS:/dformat/|!ARGS:_u_b|!ARGS:state "@rx %[0-9a-fA-F]{2}" "id:390721,rev:5,phase:2,status:403,deny,log,auditlog,t:none,msg:'Atomicorp.com WAF Rules: Multiple URL Encoding Detected',logdata:'%{MATCHED_VAR}',severity:2"
#Vpatching add on
#Prevent Impedance mismatches on ARG names
# 390720 (chain): for requests whose filename (decoded, lowercased) contains
# ".php", any argument name that starts with a space - re-checked after each
# transformation step because of multimatch - -> 403.
SecRule REQUEST_FILENAME "\.php" "chain,capture,t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,phase:2,deny,status:403,id:390720,rev:6,msg:'Atomicorp.com WAF Rules: Possible Impedence Mismatch attack on PHP appliction using space to start argument name',logdata:'%{TX.0}',severity:'1',tag:'no_ar',log,auditlog"
SecRule ARGS_NAMES "^ " "t:none,t:utf8toUnicode,t:urlDecodeUni,t:removenulls,multimatch"
# Stricter argument-name character allow-list, kept disabled:
#SecRule ARGS_NAMES "!^[\^\$0-9a-zA-Z\#_-\.@\{\}\[\]\(\)]+$" "t:none,t:utf8toUnicode,t:urlDecodeUni"
# 390722: CR or LF in any GET argument (enhancedcontentdata excluded) after
# URL and HTML-entity decoding -> 403; log/auditlog are inherited from
# SecDefaultAction.
SecRule ARGS_GET|!ARGS_GET:enhancedcontentdata "@rx [\n\r]" "id:390722,rev:5,phase:2,status:403,deny,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,msg:'Atomicorp.com WAF Rules: HTTP Header Injection Attack via payload (CR/LF detected)',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,severity:'CRITICAL'"