88 lines
7.3 KiB
Plaintext
88 lines
7.3 KiB
Plaintext
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
|
|
# http://www.atomicorp.com/
|
|
# Atomicorp (Gotroot.com) ModSecurity rules
|
|
# Anti Malware rules
|
|
#
|
|
# Created by Prometheus Global (http://www.prometheus-group.com)
|
|
# Copyright 2005-2019 by Atomicorp, Inc. all rights reserved.
|
|
# Redistribution is strictly prohibited in any form, including whole or in part.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
|
|
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
|
|
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
|
|
# THE POSSIBILITY OF SUCH DAMAGE.
|
|
#
|
|
#---ASL-CONFIG-FILE---
|
|
|
|
# Do not edit this file!
|
|
# This file is generated and changes will be overwritten.
|
|
#
|
|
# If you need to make changes to the rules, please follow the procedure here:
|
|
# http://www.atomicorp.com/wiki/index.php/Mod_security
|
|
|
|
# Phase 2 rules
|
|
|
|
|
|
#skip this for certain file types
|
|
SecRule REQUEST_FILENAME "\.((m|j)pe?g4?|bmp|tiff?|p((p|g|b)m|n(g|m))|gif|js|css|ico|avi|w(mv|ebp)|mp(3|4)|cgm|svg|swf|og(m|v|x))$" "phase:2,pass,t:none,t:lowercase,nolog,noauditlog,id:333946,skipAfter:END_ANTI_MALWARE"
|
|
|
|
SecRule REQUEST_URI "/imp/compose\.php" "phase:2,pass,id:333947,t:none,t:lowercase,nolog,noauditlog,skipAfter:END_ANTI_MALWARE"
|
|
|
|
SecRule ARGS|REQUEST_URI|!ARGS:/description/|!ARGS:resolution|!ARGS:/subject/|!ARGS:/body/|!ARGS:SAMLResponse|!ARGS:SAMLResponse|!ARGS:message|!ARGS:/txt/|!ARGS:/solution/|XML:/* "@pm http:// https:// ftp:// ftps:// ogg:// data:// php:// zlib:// gopher://" "phase:2,id:338812,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceNulls,t:compressWhiteSpace,pass,nolog,noauditlog,skip:1"
|
|
SecAction "phase:2,id:338370,t:none,pass,nolog,noauditlog,skipAfter:END_ANTI_MALWARE"
|
|
|
|
|
|
# Broadcheck
|
|
#SecRule REQUEST_HEADERS:Referer|ARGS "!@pmFromFile malware-exclusion-local.txt" # "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360000,rev:2,severity:2,msg:'Blocklist Malware Site (AE)'"
|
|
SecRule REQUEST_URI|ARGS|!ARGS:wpReason|!ARGS:/description/|!ARGS:resolution|!ARGS:/subject/|!ARGS:/body/|!ARGS:SAMLResponse|!ARGS:message|!ARGS:/txt/|!ARGS:/solution/|XML:/* "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "log,auditlog,phase:2,deny,log,status:403,chain,capture,t:none,t:urlDecodeUni,t:replaceNulls,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:360000,rev:7,severity:2,msg:'Atomicorp.com Malware Blocklist: Malware Site detected in URL/Argument (AE)',logdata:'%{TX.0}'"
|
|
SecRule REQUEST_URI|ARGS|!ARGS:wpReason|!ARGS:resolution|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:SAMLResponse|!ARGS:/txt/|!ARGS:message|XML:/* "@pmFromFile malware-blacklist.txt" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace"
|
|
|
|
# Rule 330002: Blocklist of known malware sites w/ Anti-evasion features
|
|
#SecRule REQUEST_URI "!(?:/imp/compose\.php)" # "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360002,rev:1,severity:2,msg:'Atomicorp.com Malware Blocklist: Malware Site detected in ARGS/Body (AE)',chain,logdata:'%{TX.0}'"
|
|
#SecRule REQUEST_BODY|ARGS|!ARGS:resolution|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|XML:/* "(?:ogg|zlib|(?:ht|f)tps?)\:/" "chain"
|
|
##SecRule REQUEST_BODY|ARGS "!@pmFromFile malware-exclusion-local.txt" chain
|
|
#SecRule REQUEST_BODY|ARGS|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|XML:/* "@pmFromFile malware-blacklist.txt"
|
|
|
|
# Rule 330003: Blocklist of known malware sites
|
|
#SecRule REQUEST_URI "!(?:/imp/compose\.php)" # "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360003,rev:5,severity:2,msg:'Atomicorp.com Malware Blocklist: Malware Site detected in URI',chain,logdata:'%{TX.0}'"
|
|
#SecRule REQUEST_URI "(?:ogg|zlib|(?:ht|f)tps?)\:/.*" "chain"
|
|
##SecRule REQUEST_URI "!@pmFromFile malware-exclusion-local.txt" "chain"
|
|
#SecRule REQUEST_URI "@pmFromFile malware-blacklist.txt"
|
|
|
|
#Rule 330004: Blocklist suspicious sites in referral
|
|
#SecRule REQUEST_HEADERS:Referer "@pmFromFile malware-blacklist.txt" # "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360004,rev:2,severity:2,msg:'Atomicorp.com Malware Blocklist: Suspicious Blocklist Malware Site detected in Referral',logdata:'%{TX.0}'"
|
|
#
|
|
|
|
# Rule 330005: Blocklist of known malware sites w/ Anti-evasion features
|
|
SecRule REQUEST_BODY|REQUEST_URI|ARGS|!ARGS:wpReason|!ARGS:/description/|!ARGS:resolution|!ARGS:/subject/|!ARGS:/body/|!ARGS:SAMLResponse|!ARGS:/txt/|XML:/* "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" "log,auditlog,phase:2,deny,log,status:403,capture,t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,id:360005,rev:1,severity:2,msg:'Atomicorp.com Malware Blocklist: Malware Site detected in ARGS/Body (AE)',chain,logdata:'%{TX.0}'"
|
|
#SecRule REQUEST_BODY|ARGS "!@pmFromFile malware-exclusion-local.txt" chain
|
|
SecRule REQUEST_BODY|REQUEST_URI|ARGS|!ARGS:wpReason|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|!ARGS:SAMLResponse "@pmFromFile malware-blacklist.txt" "t:none,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace"
|
|
|
|
##Rule 360005: Local malware lists
|
|
##SecRule REQUEST_HEADERS:Referer|ARGS "!@pmFromFile malware-exclusion-local.txt" ## "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360000,rev:2,severity:2,msg:'Blocklist Malware Site (AE)'"
|
|
#SecRule ARGS "@pmFromFile malware-blacklist-local.txt" # "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360005,rev:2,severity:2,msg:'Local Blocklist Malware Site (AE)'"
|
|
#
|
|
## Rule 330006: Blocklist of known malware sites w/ Anti-evasion features
|
|
#SecRule REQUEST_URI "!(?:/imp/compose\.php)" # "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360006,rev:1,severity:2,msg:'Local Malware Site in ARGS/Body (AE)',chain"
|
|
#SecRule REQUEST_BODY|ARGS "(?:ogg|zlib|(?:ht|f)tps?)\:/.*" "chain"
|
|
##SecRule REQUEST_BODY|ARGS "!@pmFromFile malware-exclusion-local.txt" chain
|
|
#SecRule REQUEST_BODY|ARGS "@pmFromFile malware-blacklist-local.txt"
|
|
#
|
|
## Rule 330003: Blocklist of known malware sites
|
|
#SecRule REQUEST_URI "!(?:/imp/compose\.php)" # "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360007,rev:4,severity:2,msg:'Local Malware Site in URI',chain"
|
|
#SecRule REQUEST_URI "(?:ogg|zlib|(?:ht|f)tps?)\:/.*" "chain"
|
|
##SecRule REQUEST_URI "!@pmFromFile malware-exclusion-local.txt" "chain"
|
|
#SecRule REQUEST_URI "@pmFromFile malware-blacklist-local.txt"
|
|
#
|
|
##Rule 330004: Blocklist suspicious sites in referral
|
|
#SecRule REQUEST_HEADERS:Referer "@pmFromFile malware-blacklist-local.txt" # "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360008,rev:2,severity:2,msg:'Suspicious Local Blocklist Malware Site in Referral'"
|
|
#
|
|
SecMarker END_ANTI_MALWARE
|