modsecurity-waf/nginx-waf/11_asl_data_loss.conf

SecRule REQUEST_FILENAME "/ajax/getsymptoms\.php" "phase:2,id:92738,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=361008"

# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Created by the Prometheus Global (http://www.prometheus-group.com)
# Copyright 2005-2021 by Atomicorp, Inc. all rights reserved.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#
#---ASL-CONFIG-FILE---

# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security

SecDefaultAction "log,deny,auditlog,phase:4"

#skip for ASL GUI
SecRule SERVER_PORT "@streq 30000" "phase:4,id:333710,pass,t:none,nolog,noauditlog,skipAfter:END_POTENTIAL_CREDIT_CARD_OUT"

#Detect sensitive numbers in output
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})(?:[^\d]|$)"         "phase:4,id:333711,t:none,pass,nolog,noauditlog,skip:1"
SecAction "phase:4,id:333712,t:none,pass,nolog,noauditlog,skipAfter:END_POTENTIAL_CREDIT_CARD_OUT"


# GSA SmartPay
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)((?:5568|4(?:486|716))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|8699\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)"         "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com WAF Rules: Potential credit card number detected in output (NOT BLOCKED) - GSA SmartPay Card Number sent from site to user',id:'361020',severity:'1',tag:'no_ar'"
        SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
                SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"


# MasterCard

SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(5[1-5]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)"         "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com WAF Rules: MasterCard Credit Card Number sent from site to user',id:'361006',severity:'1',tag:'no_ar'"
        SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
                SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"

# Visa
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(4\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d(?:\d{3})??)(?:[^\d]|$)"         "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com WAF Rules:  Potential credit card number detected in output (NOT BLOCKED) -Visa Credit Card Number sent from site to user',id:'361008',severity:'1',tag:'no_ar'"
        SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
                SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"

# American Express
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(3[47]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" 	"chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com WAF Rules:  Potential credit card number detected in output (NOT BLOCKED) -American Express Credit Card Number sent from site to user',id:361010,severity:'1',tag:'no_ar'"
 SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
                SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"


# Diners Club
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)((?:30[0-5]|3[68]\d)\d\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2})(?:[^\d]|$)" 	"chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com WAF Rules:  Potential credit card number detected in output (NOT BLOCKED) -Diners Club Credit Card Number sent from site to user',id:'361012',severity:'1',tag:'no_ar'"
 SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
                SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"


# enRoute
#SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "(?:^|[^\d])(?<!google_ad_client = \"pub-)(2(?:014|149)\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2}|55\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" #	"logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com WAF Rules:  Potential credit card number detected in output (NOT BLOCKED) -enRoute Credit Card Number sent from site to user',id:'361014',severity:'1',tag:'no_ar'"

# Discover
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(6(?:011|5\d{2})\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)" 	"chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com WAF Rules:  Potential credit card number detected in output (NOT BLOCKED) -Discover Credit Card Number sent from site to user',id:'361016',severity:'1',tag:'no_ar'"
        SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
                SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"


# JCB
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(3\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|(?:1800|21(?:31|00))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)"         "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com WAF Rules:  Potential credit card number detected in output (NOT BLOCKED) -JCB Credit Card Number sent from site to user',id:'361018',severity:'1',tag:'no_ar'"
        SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
                SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"


SecMarker END_POTENTIAL_CREDIT_CARD_OUT

SecRule REQUEST_URI "^/index\.php\?module=asl" 	"phase:4,id:349852,pass,t:none,t:lowercase,nolog,noauditlog,chain,skipAfter:END_DLP_OUTPUT"
SecRule SERVER_PORT "@streq 30000"

#Detect potential error messages that leak sensitive information
SecRule RESPONSE_BODY "@pm hsqldb DB2 error illegal unexpected Ingres maxdb ibase_ jdbc exception database ODBC Tomcat DM_QUERY_E_SYNTAX mysql_connect( MySQL Warning SQLite. PostgreSQL ORA- SQLException Driver oci_ ora_ exception SQLSTATE" "phase:4,t:none,pass,nolog,noauditlog,skip:1,id:333713,tag:'no_ar'"
SecAction "phase:4,t:none,pass,nolog,noauditlog,id:333714,skipAfter:END_POTENTIAL_ERROR_LEAK"

SecRule RESPONSE_BODY "<title>Apache Tomcat.{,512}Error report"  "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules:  Potential Error Message with sensitive information sent from tomcat',id:'361019',rev:2,severity:'1',tag:'no_ar'"

SecRule RESPONSE_BODY "\bWarning: mysql_connect\(\)\:"         "phase:4,rev:1,t:none,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Atomicorp.com WAF Rules:  Potential SQL Information Leakage',id:'361021',severity:'1',tag:'no_ar'"

SecRule RESPONSE_BODY "You have an error in your SQL syntax; check the manual "         "phase:4,rev:2,t:none,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Atomicorp.com WAF Rules:  Potential SQL Information Leakage',id:'361022',severity:'1',tag:'no_ar'"

SecRule RESPONSE_BODY "SQLite.Exception|System.Data.SQLite.SQLiteException|Warning:.{,100}(?:sqlite_|SQLite3::)"         "phase:4,rev:1,t:none,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Atomicorp.com WAF Rules:  Potential SQL Information Leakage',id:'361023',severity:'1',tag:'no_ar'"

SecRule RESPONSE_BODY "\bsupplied argument is not a valid (?:MySQL|PostgreSQL)\b"         "phase:4,rev:1,t:none,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Potential SQL Information Leakage',id:'361024',severity:'1',tag:'no_ar'"

SecRule RESPONSE_BODY "\b(?:Column count doesn't match value count at row|MySQL server version for the right syntax to use)\b"         "phase:4,rev:1,t:none,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Atomicorp.com WAF Rules: SQL Information Leakage',id:'361025',severity:'1',tag:'no_ar'"

SecRule RESPONSE_BODY "(?:Warning.{,512}*(?:sqlite|SQLite3)|SQLite/JDBCDriver|SQLite\.Exception)"         "phase:4,rev:1,t:none,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Atomicorp.com WAF Rules: SQLite Information Leakage',id:'361225',severity:'1',tag:'no_ar'"

SecRule RESPONSE_BODY "Exception (condition )?\d+\. Transaction rollback\."         "phase:4,rev:1,t:none,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Atomicorp.com WAF Rules: Potential Frontbase SQL Information Leakage detected',id:'361026',severity:'1',tag:'no_ar'"

SecRule RESPONSE_BODY "org\.hsqldb\.jdbc"  "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules:  Potential hsqldb SQL Error Message with sensitive information sent',id:'361140',rev:2,severity:'1',tag:'no_ar'"

SecRule RESPONSE_BODY "(?:Warning.{,512}ingres_|Ingres SQLSTATE|Ingres\W.{,512}Driver)"  "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules:  Potential Informix SQL Error Message with sensitive information sent',id:'361141',rev:2,severity:'1',tag:'no_ar'"

SecRule RESPONSE_BODY "(?:<b>Warning</b>: ibase_|Unexpected end of command in statement)"  "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules:  Potential Informix SQL Error Message with sensitive information sent',id:'361142',rev:2,severity:'1',tag:'no_ar'"

SecRule RESPONSE_BODY "(?:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.{,512}Informix)"  "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules:  Potential Informix SQL Error Message with sensitive information sent',id:'361143',rev:2,severity:'1',tag:'no_ar'"

SecRule RESPONSE_BODY "(?:SQL error.{,512}POS([0-9]+)|Warning.{,512}maxdb)"  "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules:  Potential maxDB SQL Error Message with sensitive information sent',id:'361144',rev:2,severity:'1',tag:'no_ar'"

SecRule RESPONSE_BODY "(?:Sybase message:|Warning.{,512}sybase|Sybase.{,512}Server message)"  "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules:  Potential maxDB SQL Error Message with sensitive information sent',id:'361145',rev:2,severity:'1',tag:'no_ar'"

SecRule RESPONSE_BODY "(?:DB2(?: SQL error:|/6000\])|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.{,256}DB2|db2_ ?\()"  "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules:  Potential IBM DB2 SQL Error Message with sensitive information sent',id:'361031',rev:2,severity:'1',tag:'no_ar'"

SecRule RESPONSE_BODY "\[DM_QUERY_E_SYNTAX\]"  "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules:  Potential EMC Error Message with sensitive information sent',id:'361032',rev:2,severity:'1',tag:'no_ar'"


SecRule RESPONSE_BODY "Dynamic SQL Error"  "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules:  Potential Firebirg Error Message with sensitive information sent',id:'361033',rev:2,severity:'1',tag:'no_ar'"

SecRule RESPONSE_BODY "(?:(?:JET|Access) Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])"  "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules:  Potential Microsoft SQL Error Message with sensitive information sent',id:'361030',rev:2,severity:'1',tag:'no_ar'"


SecRule RESPONSE_BODY "(?:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle(?: error|.{,512}Driver)|Warning.{,512}oc(?:i|a)_)"  "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules:  Potential Orale SQL Error Message with sensitive information sent',id:'361229',rev:2,severity:'1',tag:'no_ar'"

SecRule RESPONSE_BODY "define\(\'(?:WP_DEBUG|DB_NAME)"  "phase:4,deny,log,auditlog,capture,ctl:auditLogParts=+E,status:404,t:none,msg:'Atomicorp.com WAF Rules:  Wordpress Config file download blocked',id:'361230',rev:3,severity:'1',tag:'no_ar'"

SecMarker  END_DLP_OUTPUT

SecMarker END_POTENTIAL_ERROR_LEAK