modsecurity-waf/nginx-waf/01_asl_content.conf


# Defaults inherited by any rule that does not set them itself: log, write an
# audit-log entry and deny with HTTP 403 in phase 2. Every rule in this file
# sets its own phase and disruptive action, so the default only matters for
# rules pulled in elsewhere.
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# WebDAV endpoint exclusion: when the (lower-cased) request path contains
# "/remote.php/webdav/" anywhere, drop the content-type policy rule 391213 for
# this transaction. The match is a substring test, not anchored at the start of
# the path, so it also fires for the endpoint mounted under a sub-path.
SecRule REQUEST_FILENAME "@contains /remote.php/webdav/" "id:91042,phase:2,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=391213"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Copyright 2005-2022 by Atomicorp, Inc., all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#
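# Allow-list of request media types this policy recognises. It is consumed in
# two different ways below: as a literal string by @within (rule 333791) and,
# macro-expanded, as a regex alternation by rule 391213. Because of the second
# use, regex metacharacters in the entries are live: '.' matches any single
# character (e.g. "application/vnd.open" also matches "application/vnd-open"),
# and the '+' in "application/soap+xml" is a quantifier, so that entry never
# matches the literal type. Rule 391213 adds an escaped alternative for it;
# escaping the entry here instead would break the literal @within comparison.
SecAction "phase:1,id:'333792',t:none,nolog,noauditlog,pass, setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|text/html|application/x-mal-client-data|application/octet-stream|text/plain|application/soap xml|application/soap+xml|application/json|application/json-rpc|application/vnd.svn-svndiff|image/jpeg|application/vnd.ms-sync.wbxml|message/rfc822|application/x-java-serialized-object|text/calendar|image/png|image/gif|image/jpg|application/x-fcs|application/vnd.svn-skel|text/vcard|application/vnd.open|application/x-git-upload-pack-request|application/dns-message'"
# Restrict content types to prevent possible bypass attacks.
# For media types outside the allow-list, force REQUEST_BODY to be populated so
# later rules can still inspect the raw body. 'capture' is required on the
# first rule of the chain: without it TX:0 is never written by this rule and
# the chained @within test runs against a stale or empty TX:0 (compare the same
# construction in rule 391213, which does capture). Note that @within is a
# substring test, so a media type that is merely a substring of an entry
# (e.g. "xml") counts as listed here; the only effect is that the body
# variable is not forced for it.
SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "phase:1,t:none,chain,capture,pass,nolog,noauditlog,id:'333791',severity:'4'"
SecRule TX:0 "!@within %{tx.allowed_request_content_type}" "t:none,ctl:forceRequestBodyVariable=On"
# Route XML-family bodies (text/xml, application/xml, application/soap...) to
# the XML body processor unless it is already selected.
SecRule REQUEST_HEADERS:Content-Type "^(text/xml|application/(soap|xml))" "chain,id:334357,rev:3,phase:1,t:none,t:lowercase,pass,nolog,noauditlog"
SecRule REQBODY_PROCESSOR "!@streq XML" "ctl:requestBodyProcessor=XML"
# EL5 doesn't have modsec 2.9, so this can only be enabled on EL6 and above.
# While it stays disabled, application/json bodies are not parsed into
# ARGS and receive only the raw-body inspection described below.
#SecRule REQUEST_HEADERS:Content-Type "application/json" # "id:'334367',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
#
#
# Skip binary/octet-stream for the nginx amplify agent, which posts:
#   User-Agent: nginx-amplify-agent/0.34-2
#   Content-Type: binary/octet-stream
# Both conditions are client-supplied request headers, so this exemption is
# reachable by any sender that sets them. If the agent only ever reports from
# a known address, adding a REMOTE_ADDR condition to the chain would narrow it;
# not done here because the agent's source is not stated in this file.
SecRule REQUEST_HEADERS:Content-Type "^binary/octet-stream$" "phase:2,t:none,id:336719,pass,nolog,noauditlog,chain,skipAfter:END_391213"
SecRule REQUEST_HEADERS:User-Agent "^nginx-amplify-agent" "t:none"
# ModSecurity parses only three content types:
# application/x-www-form-urlencoded, multipart/form-data request and
# text/xml.
#
# The protection provided for any other type is inferior.
#
# Deny body-bearing methods whose media type is outside the allow-list. The
# macro-expanded list is wrapped in a non-capturing group so that both anchors
# bind to the whole alternation: with a bare "^A|B|C$" only the first and last
# entries are anchored and any type merely containing a middle entry as a
# substring would be treated as allowed. "application/soap\+xml" is added as
# a literal alternative because the list entry's '+' is a regex quantifier.
# A request with no Content-Type header at all does not match the second rule
# of the chain and is therefore not denied by this rule; whether such requests
# should be rejected is a policy decision not taken in this file.
SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:2,chain,t:none,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Request content type is not allowed by policy',id:'391213',severity:'4',logdata:'%{matched_var}'"
SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "chain,capture"
SecRule TX:0 "!^(?:%{tx.allowed_request_content_type}|application/soap\+xml)$" "t:none,ctl:forceRequestBodyVariable=On"
SecMarker END_391213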