# Defaults inherited by every rule below that does not state its own actions:
# log to the error log, deny, write an audit-log entry, run in phase 2
# (request body), and answer with HTTP 403. No transformation functions are
# set here, so each rule that needs case-insensitive matching adds
# t:lowercase itself; chain children without a t: list run with no
# transformations at all.
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
|
|
# Path-based exclusions (ids 95076-95099). Each one lowercases
# REQUEST_FILENAME and, when the unanchored regex matches anywhere in the
# path, disables the named user-agent rule for this transaction only
# (ctl:ruleRemovebyID). Because the match is a substring test on a
# client-chosen path, an exclusion keyed solely on the path also applies to
# any other request whose filename happens to contain the same fragment;
# anchor with $ where the pattern is a concrete script name and the
# application does not use trailing PATH_INFO.
# 330017 (lwp) appears only as a commented-out rule later in this file; it
# may be defined elsewhere.
SecRule REQUEST_FILENAME "/cron/index\.php" "phase:2,id:95076,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330017"
|
|
|
|
# Exclusion: paths containing /ssp_director/index.php skip rule 330069
# (330069 is not defined in this file).
SecRule REQUEST_FILENAME "/ssp_director/index\.php" "phase:2,id:95077,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330069"
|
|
|
|
# Exclusion: any path containing /ssp_director skips rule 330069. This is a
# superset of 95077 above, which is therefore redundant.
SecRule REQUEST_FILENAME "/ssp_director" "phase:2,id:95078,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330069"
|
|
|
|
# Exclusion: paths containing /silentpost.php skip rule 330030 (not defined
# in this file).
SecRule REQUEST_FILENAME "/silentpost\.php" "phase:2,id:95079,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330030"
|
|
|
|
# Exclusion: paths containing /cgi/upload.cgi skip rule 330069.
SecRule REQUEST_FILENAME "/cgi/upload\.cgi" "phase:2,id:95080,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330069"
|
|
|
|
# Exclusion: paths containing /tfu/tfu_upload.php skip rule 330069.
SecRule REQUEST_FILENAME "/tfu/tfu_upload\.php" "phase:2,id:95081,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330069"
|
|
|
|
# Exclusion: paths containing /qm/dm.master skip rule 330072 (not defined in
# this file).
SecRule REQUEST_FILENAME "/qm/dm\.master" "phase:2,id:95082,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330072"
|
|
|
|
# Exclusion: paths containing /dump_full_recs.txt skip rule 330072.
SecRule REQUEST_FILENAME "/dump_full_recs\.txt" "phase:2,id:95083,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330072"
|
|
|
|
# Exclusion: paths containing /export/kelkoo.php skip rule 330128 (not
# defined in this file).
SecRule REQUEST_FILENAME "/export/kelkoo\.php" "phase:2,id:95084,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330128"
|
|
|
|
# Exclusion: any path containing the fragment /admincp skips rule 330069.
# The pattern is very broad (no anchors, no trailing slash or extension);
# tighten it to the real admin entry point if 330069 matters for this host.
SecRule REQUEST_FILENAME "/admincp" "phase:2,id:95085,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330069"
|
|
|
|
# Exclusion: paths containing /ideal_wbp1ah.php skip rule 330036 (the
# "indy library" user-agent rule defined later in this file); payment
# callbacks commonly arrive with that agent string.
SecRule REQUEST_FILENAME "/ideal_wbp1ah\.php" "phase:2,id:95086,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330036"
|
|
|
|
# Exclusion: paths containing /checkout/onepage skip rule 330036 (indy
# library user agent).
SecRule REQUEST_FILENAME "/checkout/onepage" "phase:2,id:95087,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330036"
|
|
|
|
# Exclusion: paths containing /postsale.php skip rule 330036.
SecRule REQUEST_FILENAME "/postsale\.php" "phase:2,id:95088,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330036"
|
|
|
|
# Exclusion: paths containing /cancel.php skip rule 330036. Generic file
# name; unanchored, so it also matches e.g. /anything/cancel.php/extra.
SecRule REQUEST_FILENAME "/cancel\.php" "phase:2,id:95089,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330036"
|
|
|
|
# Exclusion: paths containing /cp-res-cancel.php skip rule 330036.
SecRule REQUEST_FILENAME "/cp-res-cancel\.php" "phase:2,id:95090,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330036"
|
|
|
|
# Exclusion: paths containing /cron.php skip rule 330017 (lwp user agent;
# only a commented-out copy of that rule is present in this file).
SecRule REQUEST_FILENAME "/cron\.php" "phase:2,id:95091,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330017"
|
|
|
|
# Exclusion: paths containing /linkmachine/linkmachine.php skip rule 330072.
SecRule REQUEST_FILENAME "/linkmachine/linkmachine\.php" "phase:2,id:95092,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330072"
|
|
|
|
# Exclusion: paths containing /api/postback skip rule 330036.
SecRule REQUEST_FILENAME "/api/postback" "phase:2,id:95093,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330036"
|
|
|
|
# Exclusion: paths containing /spinclude.cgi skip rule 330039 (the
# libwww-perl chain defined later in this file).
SecRule REQUEST_FILENAME "/spinclude\.cgi" "phase:2,id:95094,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330039"
|
|
|
|
# Exclusion: paths containing /vmpayment/realex/notify.php skip rule 330039
# (libwww-perl).
SecRule REQUEST_FILENAME "/vmpayment/realex/notify\.php" "phase:2,id:95095,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330039"
|
|
|
|
# Exclusion: paths containing /alipay_callback.php skip rule 330131 (not
# defined in this file).
SecRule REQUEST_FILENAME "/alipay_callback\.php" "phase:2,id:95096,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330131"
|
|
|
|
# Exclusion: paths containing /cgi-bin/quickshow.cgi skip two rules:
# 332039 (python-requests chain, defined later in this file) and 336657
# (not defined in this file).
SecRule REQUEST_FILENAME "/cgi-bin/quickshow\.cgi" "phase:2,id:95097,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=332039,ctl:ruleRemovebyID=336657"
|
|
|
|
# Exclusion: paths containing /payment/barclays/barclays_response.php skip
# rule 330036 (indy library).
SecRule REQUEST_FILENAME "/payment/barclays/barclays_response\.php" "phase:2,id:95098,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330036"
|
|
|
|
# Exclusion: paths containing /modules/ogone/validation.php skip rule
# 330036 (indy library).
SecRule REQUEST_FILENAME "/modules/ogone/validation\.php" "phase:2,id:95099,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemovebyID=330036"
|
|
|
|
# http://www.atomicorp.com/
|
|
# Atomicorp (Gotroot.com) ModSecurity rules
|
|
# User Agent Security Rules for modsec 2.x
|
|
#
|
|
# Copyright 2005-2023 by Atomicorp, Inc., all rights reserved.
|
|
# Redistribution is strictly prohibited in any form, including whole or in part.
|
|
#
|
|
# Distribution of this work or derivative of this work in any form is
|
|
# prohibited unless prior written permission is obtained from the
|
|
# copyright holder.
|
|
#
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
|
|
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
|
|
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
|
|
# THE POSSIBILITY OF SUCH DAMAGE.
|
|
#
|
|
# ---ASL-CONFIG-FILE---
|
|
|
|
# Do not edit this file!
|
|
# This file is generated and changes will be overwritten.
|
|
#
|
|
# If you need to make changes to the rules, please follow the procedure here:
|
|
# http://www.atomicorp.com/wiki/index.php/Mod_security
|
|
|
|
|
|
|
|
# Block requests whose query/body arguments contain the Acunetix marker
# string (case-insensitive via t:lowercase). This rule sits before the
# header prefilter below, so it is evaluated for every request.
SecRule ARGS "acunetix_wvs_security_test" "phase:2,rev:'3',t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Acunetix Security Scanner Scanned the Site',id:333331,severity:'2'"
|
|
|
|
#check headers for known malicious clients and agents
|
|
# Prefilter for the header checks that follow (330001, 333301, 333330,
# 333341). @pm is a case-insensitive substring match over header values,
# header names and cookies; when any term hits, skip:1 jumps over the
# SecAction below so the detailed rules run. If no term hits, the SecAction
# skips straight to END_UA_H_CHECKS. Keep this term list in sync with the
# rules it guards: a rule whose pattern has no term here can never fire.
SecRule REQUEST_HEADERS|REQUEST_HEADERS_NAMES|REQUEST_COOKIES "@pm aaaaaa x-scan-memo acunetix ethereumstratum xmrig xmr-stak-cpu minername cpuminer" "id:334927,rev:1,phase:2,t:none,pass,nolog,noauditlog,skip:1"
|
|
# Reached only when the prefilter above did not match: bypass the header
# checks up to the END_UA_H_CHECKS marker.
SecAction "phase:2,id:333729,pass,nolog,noauditlog,skipAfter:END_UA_H_CHECKS"
|
|
|
|
# Generic spam marker in any request header value (lowercased before the
# regex match). Guarded by prefilter term "aaaaaa".
SecRule REQUEST_HEADERS "x-aaaaaa" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,id:330001,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Spam: Generic spam header detected'"
|
|
|
|
# Acunetix scanner fingerprint in a header name or cookie (case-insensitive
# via t:lowercase). Guarded by prefilter term "acunetix".
SecRule REQUEST_HEADERS_NAMES|REQUEST_COOKIES "acunetix" "phase:2,rev:'3',t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Acunetix Security Scanner Scanned the Site',id:333301,severity:'2'"
|
|
|
|
# Crypto-mining client fingerprints in header names or cookies
# (case-insensitive). Note the target is header *names* and cookies, not
# header values, so a miner string in e.g. User-Agent is not covered here.
SecRule REQUEST_HEADERS_NAMES|REQUEST_COOKIES "(?:ethereumstratum|xmrig/|xmr-stak-cpu|minername/|cpuminer/)" "phase:2,rev:'4',t:none,t:lowercase,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Cryptoware blocked',id:333330,severity:'2'"
|
|
|
|
# Scanner marker header. Unlike its siblings this rule has only t:none, so
# the regex is case-sensitive ("X-Scan-Memo" exactly) while the prefilter
# term "x-scan-memo" is case-insensitive; a header name sent in a different
# case passes the prefilter but is not blocked here. Adding t:lowercase and
# lowercasing the pattern would make the two agree.
SecRule REQUEST_HEADERS_NAMES|REQUEST_COOKIES "X-Scan-Memo" "phase:2,rev:'3',t:none,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: Security Scanner Scanned the Site',id:333341,severity:'2'"
|
|
|
|
# Landing point for the skipAfter in SecAction 333729.
SecMarker END_UA_H_CHECKS
|
|
|
|
# User-Agent that starts with the literal "Internet Explorer " (the real
# browser never sends this prefix). Case-sensitive; not behind a prefilter.
SecRule REQUEST_HEADERS:User-Agent "^Internet Explorer " "phase:2,t:none,deny,log,auditlog,status:403,id:330305,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Fake Microsoft Internet Explorer Browser'"
|
|
|
|
# Malformed Baidu spider string (case-sensitive substring match).
SecRule REQUEST_HEADERS:User-Agent "baidu; baiduspider" "phase:2,t:none,deny,log,auditlog,status:403,id:330363,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Known malicious agent and fake baiduspider'"
|
|
|
|
# User-Agent consisting solely of a Windows platform token (anchored at
# both ends). The "." in "6.1" is unescaped and so matches any character.
SecRule REQUEST_HEADERS:User-Agent "^Windows NT 6.1; Win64; x64$" "phase:2,t:none,deny,log,auditlog,status:403,id:333332,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Known malicious agent'"
|
|
|
|
# Rule 330006: recursion attack in UA field
|
|
#SecRule REQUEST_HEADERS:User-Agent "\.\./\.\." "id:330006,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: recursion attack in UA field'"
|
|
|
|
#May cause false positives with some software, comment out if it does
|
|
#SecRule REMOTE_ADDR "!^127\.0\.0\.1$" "chain,id:390000,rev:1,severity:1,msg:'Atomicorp.com WAF Rules: Suspicious Automated or Manual Request'"
|
|
#SecRule "REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Host|REQUEST_HEADERS:Accept" "^$"
|
|
#
|
|
# Chain, part 1 of 2: the header x-up-devcap-post-charset is present at
# least once (&VAR counts occurrences). Part 2 is the next SecRule, which
# requires a User-Agent beginning with "up" (case-insensitive). Both must
# match for the deny to apply.
SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" "phase:2,t:none,deny,log,auditlog,status:403,id:333333,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: WAF bypass detected using x-up-devcap-post-charset in combination with prefix \'UP\' to User-Agent',chain"
|
|
# Chain, part 2 of 2 for id 333333: User-Agent starts with "up"/"UP"
# (inline (?i) makes it case-insensitive without needing t:lowercase).
SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" "t:none"
|
|
|
|
|
|
#Parallel skip
|
|
# Prefilter for every user-agent rule between here and END_UA_CHECKS_1.
# @pm is a case-insensitive substring match over the User-Agent header and
# REQUEST_URI only; on a hit, skip:1 jumps over the SecAction below so the
# individual rules run, otherwise the SecAction skips the whole section.
# Consequences of that design, visible in this file:
#  - Rule 330035 inspects the X-Scanner header, which this prefilter never
#    reads, so 330035 only fires when the UA or URI also contains a term.
#  - Terms must be kept in sync with the guarded patterns. Known gaps:
#    "prowebwaler" (rule 330019 matches "prowebwalk"),
#    "cherrypickernicerspro" (two words fused; "nicerspro" alone has no
#    term), "nuclei)" (stray ")" becomes part of the term), and no term at
#    all for "netsparker" (330034), "captch"/"apitool" (330082) or
#    "no browser" (330094). A UA carrying only such a string is skipped.
SecRule REQUEST_HEADERS:User-Agent|REQUEST_URI "@pm Xs_Kontrol NextGenSearchBot Synapse App3leWebKit MJ12bot sosospider fdm ICS python libcurl js-kit bot 5.0 8484 admin@google.com agdm79@mail mua amiga-aweb/3.4 analyzer atomic_email_hunter backdoor bilbo black blackwidow brutus butch__2 bwh3_user_agent cgichk cherrypickernicerspro china combine concealed contentsmartz copyguard copyrightcheck cisco-torch sql springenwerk toata scan whcc sundayddr nmap prog.customcrawler network-services-auditor grendel-scan get-minimal pymills-spider dav.pm crescent datacha0s dbrowse demo digimarc download dts ebrowse ecollector emailcollector emailwolf exploit godzilla dirbuster dotdotpwn extractor extractorpro fantombrowser foobar franklin full gameboy grabber grub hole indy injection internet-exprorer isc jaascois k1b larbin@unspecified libwen-us pycurl blacksun cyberdog absinthe autogetcolumn metis missigua morfeus morzilla mosiac mozilla/3 mozilla/2.01 mozilla/4.0 mozilla/4.76 mozilla/5. murzillo nameofagent .nasl nessus arachni havij acunetix whatweb newt nikto ninja nokia-waptoolkit nsauditor n-stealth paros pavuk picscout pe pmafind poe-component-client production prowebwaler psycheclone rainbow safexplorer security shareware siphon sitesnagger sohu spider s.t.a.l.k.e.r stress surf teleport telesoft test voideye vxb webbandit webcopier webemailextract webinspect weblogs webmole webroot webster webstripper webtrends webvulnscan webzip wells wep widow windows-update-agent < php http_get_vars super happy fun psycheclone grub crawl hurt core-project/ winnie poh siphon nutscrape/ missigua emailsiphon digger nutchcvs trackback/ autoemailspider pussycat user-agent: omniexplorer ecollector cherrypicker zemu revolt casper kmccrew planetwork dex sledink perl kangen sasqia t34mh4k mama jcomers indonetwork goblox ayumi_im0etz whitehat zmeu w3af.sourceforge.net yandex chinaclaw googlehttpclient playstation script about applet activex chrome object www.80legs.com netscape 
winhttp.winhttprequest.5 obot shell_exec if r00t intelium b55 cybeye riddler loadimpact 2600 patchone pogs chishijen12 typhoeus table href iframe script php xmlset blackseo appscan xSlurp .exe Pcore-HTTP Datanyze struts-pwn raphaelrocks nuclei) wp_is_mobile tsunami openvas fuzz" "id:333924,rev:3,phase:2,t:none,pass,nolog,noauditlog,skip:1"
|
|
# Reached only when prefilter 333924 did not match: bypass all user-agent
# rules up to END_UA_CHECKS_1.
SecAction "phase:2,id:333719,pass,nolog,noauditlog,skipAfter:END_UA_CHECKS_1"
|
|
|
|
# Backdoor client marker in User-Agent (case-insensitive).
SecRule REQUEST_HEADERS:User-Agent "wp_is_mobile" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,id:337741,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: AccessPress Themes backdoor blocked'"
|
|
|
|
#nmaplowercheck
|
|
# Scanner probe path. This rule reads REQUEST_URI, not User-Agent; it is
# reachable because prefilter 333924 also scans REQUEST_URI for "nmap".
SecRule REQUEST_URI "nmaplowercheck" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,id:337764,rev:2,severity:3,msg:'Atomicorp.com WAF Rules: NMAP scanner blocked'"
|
|
|
|
#Datanyze
|
|
# Datanyze crawler (case-sensitive match, t:none only).
SecRule REQUEST_HEADERS:User-Agent "Datanyze" "phase:2,deny,log,auditlog,status:403,t:none,id:337749,rev:2,severity:3,msg:'Atomicorp.com WAF Rules: Datanyze bot blocked'"
|
|
|
|
#Pcore-HTTP
|
|
# Pcore-HTTP client (case-sensitive match).
SecRule REQUEST_HEADERS:User-Agent "Pcore-HTTP" "phase:2,deny,log,auditlog,status:403,t:none,id:334749,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Pcore-HTTP'"
|
|
|
|
#Xs_Kontrol
|
|
# Xs_Kontrol bot (case-sensitive match).
SecRule REQUEST_HEADERS:User-Agent "Xs_Kontrol" "phase:2,deny,log,auditlog,status:403,t:none,id:347749,rev:2,severity:3,msg:'Atomicorp.com WAF Rules: Xs_Kontrol bot blocked'"
|
|
|
|
#Yahoo!xSlurp
|
|
# Malware agent imitating Yahoo Slurp; exact case required (t:none only).
SecRule REQUEST_HEADERS:User-Agent "Yahoo\!xSlurp" "phase:2,deny,log,auditlog,status:403,t:none,id:334729,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Fake SUPEE-5344 malware agent blocked'"
|
|
#NextGenSearchBot
|
|
# NextGenSearchBot string (case-sensitive).
SecRule REQUEST_HEADERS:User-Agent "NextGenSearchBot" "phase:2,deny,log,auditlog,status:403,t:none,id:334739,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Fake zoominfo search bot blocked'"
|
|
|
|
#Blackseo Agent v 0.1
|
|
# Blackseo agent; whitespace is collapsed and the value lowercased before
# matching, so "BlackSEO   Agent" also matches.
SecRule REQUEST_HEADERS:User-Agent "blackseo agent" "phase:2,deny,log,auditlog,status:403,t:none,t:compressWhitespace,t:lowercase,id:334719,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Blackseo Agent blocked'"
|
|
|
|
#droptable
|
|
# Chain, part 1 of 2: SQL/HTML/PHP fragments inside the User-Agent
# (lowercased, whitespace compressed). Part 2 (next SecRule) excludes the
# Iframely service, whose legitimate UA contains "iframe".
SecRule REQUEST_HEADERS:User-Agent "(?:drop ?table| href|iframe|< ?(?:script|php)|xmlset)" "phase:2,deny,log,auditlog,status:403,t:none,t:compressWhitespace,t:lowercase,id:334709,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Malicious user-agent header attack',chain"
|
|
# Chain, part 2 of 2 for id 334709: negated match, so the deny applies only
# when "Iframely" (exact case, t:none) is absent.
SecRule REQUEST_HEADERS:User-Agent "!(Iframely)" "t:none"
|
|
|
|
#Mozilla/4.0 (compatible; Synapse)
|
|
# Synapse library default UA (exact case).
SecRule REQUEST_HEADERS:User-Agent "Mozilla/4\.0 \(compatible; Synapse\)" "phase:2,deny,log,auditlog,status:403,t:none,id:334009,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Potentially Malicious Open Proxy Connection Attempt'"
|
|
|
|
#chishijen12
|
|
# CryptoPHP client marker (case-insensitive).
SecRule REQUEST_HEADERS:User-Agent "chishijen12" "phase:2,deny,log,auditlog,status:403,t:none,t:lowercase,id:334309,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: CryptoPHP Malicious UserAgent Blocked'"
|
|
|
|
#Netscape 6.0; WinNT6.1
|
|
# UA beginning with the literal "Netscape " (case-sensitive, anchored).
SecRule REQUEST_HEADERS:User-Agent "^Netscape " "phase:2,deny,log,auditlog,status:403,t:none,id:334003,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Fake Netscape Browser'"
|
|
|
|
#Known worm sign
|
|
# WinHttpRequest COM object default UA (exact case); legitimate
# in-house scripts using it will be blocked too.
SecRule REQUEST_HEADERS:User-Agent "WinHttp\.WinHttpRequest\.5" "phase:2,deny,log,auditlog,status:403,t:none,id:334703,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: WinHttp.WinHttpRequest.5 known worm sign detected'"
|
|
|
|
# Rule 330003: XSS in the UA field
|
|
# "<" followed by at most one character and then a tag/URI-scheme keyword.
# The value is URL-decoded, HTML-entity-decoded and lowercased first so
# encoded forms are seen as well.
SecRule REQUEST_HEADERS:User-Agent "<(?:.|\s|\n)?(?:script|about|applet|activex|chrome|object)" "phase:2,deny,log,auditlog,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,id:330003,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: XSS in User Agent field'"
|
|
|
|
|
|
# Rule 330004: PHP code injection attack
|
|
# PHP open tag ("<?php", or "<?" at the start of the value) after decoding,
# whitespace compression and lowercasing.
SecRule REQUEST_HEADERS:User-Agent "(?:< ?\? ?php|^ ?< ?\?)" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,deny,log,auditlog,status:403,id:330004,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: PHP code injection via User Agent'"
|
|
|
|
# Rule 330005: PHP code injection attack
|
|
# PHP superglobal name inside the User-Agent (same decoding chain as 330004).
SecRule REQUEST_HEADERS:User-Agent "http_get_vars" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,deny,log,auditlog,status:403,id:330005,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: PHP code injection via User Agent 2'"
|
|
|
|
#Sosospider (known abusive bot)
|
|
#(the BOT/0.1 "BOT for JCE" rule, 330205, follows the Sosospider rule below)
|
|
# Sosospider crawler (exact case). Disable if this crawler is wanted.
SecRule REQUEST_HEADERS:User-Agent "Sosospider" "phase:2,t:none,deny,log,auditlog,status:403,id:330215,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Sosospider - Known abusive bot'"
|
|
|
|
#Joomla bot
|
|
#BOT/0.1 (BOT for JCE)
|
|
# "BOT for JCE" exploit bot (lowercased, whitespace compressed).
SecRule REQUEST_HEADERS:User-Agent "bot for jce" "phase:2,t:none,t:compressWhitespace,t:lowercase,deny,log,auditlog,status:403,id:330205,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Joomla Exploit Bot'"
|
|
|
|
#Mozilla/4.0 (compatible; ICS)
|
|
# ICS bot string (exact case).
SecRule REQUEST_HEADERS:User-Agent "Mozilla/4\.0 \(compatible; ICS\)" "phase:2,t:none,deny,log,auditlog,status:403,id:360205,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: ICS Bot'"
|
|
|
|
#Free Download Manager
|
|
# Free Download Manager. Case-sensitive, unanchored three-letter pattern:
# any UA containing the substring "FDM" is denied.
SecRule REQUEST_HEADERS:User-Agent "FDM" "phase:2,t:none,deny,log,auditlog,status:403,id:360215,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Free Download Manager'"
|
|
|
|
#Joomla bot
|
|
#Mua
|
|
# User-Agent that is exactly "mua" (case-insensitive, anchored both ends).
SecRule REQUEST_HEADERS:User-Agent "^mua$" "phase:2,t:none,t:compressWhitespace,t:lowercase,deny,log,auditlog,status:403,id:330206,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Joomla Exploit Bot'"
|
|
|
|
# Rule 330010: DataCha0s
|
|
# DataCha0s scanner (case-insensitive).
SecRule REQUEST_HEADERS:User-Agent "datacha0s/2\.0" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330010,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Bad User Agent: DataCha0s'"
|
|
|
|
# Rule 330011: Damn fine UA
|
|
# Known exploitation/scanning tool names (case-insensitive, unanchored).
# Short alternatives such as "exploit", "appscan" and "tsunami" match as
# substrings anywhere in the UA.
SecRule REQUEST_HEADERS:User-Agent "(?:exploit|morzilla|cyberdog|blacksun|absinthe|autogetcolumn|bsqlbf|cisco-torch|crimscanner|dav\.pm|pymills-spider|get-minimal|grendel-scan|mysqloit|prog\.customcrawler|sql power injector|sqlmap|sundayddr|friendly-scanner|toata dragostea|b\:2600|loadimpact|patchone|pogs/2\.0|shellshock-scan|appscan|(?:xpymep|start)\.exe|struts-pwn|raphaelrocks|tsunami)" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330011,rev:8,severity:2,msg:'Atomicorp.com WAF Rules: Bad User Agent: Known Exploit Tool Detected'"
|
|
|
|
# Rule 330015: Exploit tools (dirbuster, dotdotpwn)
|
|
# Directory brute-force / traversal tools (case-insensitive). Note the id
# is 330015, not the 330014 named in the comment above.
SecRule REQUEST_HEADERS:User-Agent "(?:dirbuster|dotdotpwn)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330015,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Bad User Agent: Exploit tool'"
|
|
|
|
#Playstation
|
|
#SecRule REQUEST_HEADERS:User-Agent "psp \(playstation portable\)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:393716,phase:2,t:lowercase,msg:'Atomicorp.com WAF Rules: Bad User Agent: Playstation Portable',deny,status:403"
|
|
|
|
# Rule 330016: A friendly little exploit banner for a WP vuln
|
|
# Self-announcing WordPress exploit tool (lowercased, whitespace compressed).
SecRule REQUEST_HEADERS:User-Agent "wordpress hash grabber" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330016,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Bad User Agent: Wordpress hash grabber'"
|
|
|
|
# Rule 330017: Blocks scripts
|
|
#SecRule REQUEST_URI "!(/webprobilling/pipe/pop\.php|/cron/index\.php|/read\.php|/pg/cron/)" "chain,id:330017,rev:5,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious User Agent: lwp - Disable this rule if you are using LWP'"
|
|
#SecRule REQUEST_HEADERS:User-Agent lwp
|
|
|
|
# Rule 330019: Web leeches
|
|
# Site-copying clients, anchored at the start of the UA (lowercased).
# Expands to: webstripper, webster, web downloader, webcopier, webzip,
# prowebwalker, sitesnagger, cheesebot, combine, teleport pro, black hole,
# chinaclaw. Prefilter 333924 spells the walker term "prowebwaler", so a UA
# of just "prowebwalker" never reaches this rule. Disable to allow these
# clients, as the msg says.
SecRule REQUEST_HEADERS:User-Agent "^(?:web(?:(?:st(?:ripp)?| download|copi)er|zip)|(?:prowebwalk|sitesnagg)er|c(?:heesebot|ombine)|teleport pro|black hole|chinaclaw)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330019,rev:3,severity:3,msg:'Atomicorp.com WAF Rules: Suspicious Web Client Detected (Disable this rule if you wish to allow these clients)'"
|
|
|
|
# Rule 330031: Bogus Mozilla UA lines
|
|
# Fake browser strings, anchored at the end of the UA. The dots in "5.0",
# "mozilla/3." and "2.01" are unescaped and match any character (probably
# intended as literals). "capture" stores the match in TX.0 for logdata.
SecRule REQUEST_HEADERS:User-Agent "m(?:icrosoft internet explorer/5.0|ozilla/3.mozilla/(?:2.01|5\.0)|ozilla/4\.0 \(compatible; msie 7\.0; na; \))$" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,capture,id:330031,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Fake Browser User agent detected',logdata:'%{TX.0}'"
|
|
|
|
|
|
# Rule 330033: Bogus UA
|
|
SecRule REQUEST_HEADERS:User-Agent "(?:f(?:oobar/|axobot)|^www\.weblogs\.com)" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330033,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Malicious bot attack blocked'"
|
|
|
|
# Rule 330034: Vuln scanner UA
|
|
# Vulnerability-scanner names (lowercased, whitespace compressed; match is
# captured into TX.0 for the log). Some alternatives are deliberately
# bounded: "\bzmeu\b", "\bhavij\b", "\briddler\b", "^b55 " and " openvas"
# (leading space). "netsparker" has no term in prefilter 333924 and is only
# reachable when the UA also contains another listed term.
SecRule REQUEST_HEADERS:User-Agent "(?:n(?:-stealth|sauditor|e(?:ssus|etwork-services-auditor)|ikto|map)|b(?:lack ?widow|rutus|ilbo)|web(?:inspec|roo)t|p(?:mafind|aros|avuk)|cgichk|jaascois|\.nasl|metis|w(?:ebtrends security analyzer|hcc|3af\.sourceforge\.net)|\bzmeu\b|springenwerk|arachni|acunetix-product|\bhavij\b|^b55 |\briddler\b|netsparker|projectdiscovery/nuclei| openvas|fuzz faster)" "capture,phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330034,rev:14,severity:2,msg:'Atomicorp.com WAF Rules: Unauthorized Vulnerability Scanner detected',logdata:'%{TX.0}'"
|
|
|
|
# Rule 330035: Vuln scanner UA
|
|
# Deny when exactly one X-Scanner header is present. Two caveats:
#  - This rule sits behind prefilter 333924, which only reads User-Agent
#    and REQUEST_URI; a request with a clean UA/URI and an X-Scanner header
#    is skipped past it. Place the rule before the prefilter (or after
#    END_UA_CHECKS_1) or add REQUEST_HEADERS_NAMES to the prefilter.
#  - "capture" has nothing to capture with @eq, so logdata's %{TX.0} is
#    likely empty or left over from an earlier rule.
SecRule &REQUEST_HEADERS:X-Scanner "@eq 1" "capture,phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330035,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Unauthorized Vulnerability Scanner detected',logdata:'%{TX.0}'"
|
|
|
|
# Rule 330037: WhatWeb/
|
|
# WhatWeb fingerprinting tool (case-insensitive).
SecRule REQUEST_HEADERS:User-Agent "whatweb/" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330037,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: WhatWeb web scanner detected'"
|
|
|
|
# Rule 330036: Bad/Bogus UAs
|
|
# Indy (Delphi) HTTP library default UA. Many of the path exclusions at the
# top of this file (95086-95099) remove this rule for payment-gateway
# callbacks; disable it entirely if such clients are expected elsewhere.
SecRule REQUEST_HEADERS:User-Agent "indy library" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330036,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious User agent detected. Disable this rule if you use indy library.'"
|
|
# Rule 330038: Bad/Bogus UAs
|
|
# "SafeXplorer TL" agent (case-insensitive, whitespace compressed).
SecRule REQUEST_HEADERS:User-Agent "safexplorer tl" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330038,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious Unusual User Agent (SAFEXPLORER)'"
|
|
|
|
# Rule 330039: Libwww-perl
|
|
# Chain, part 1 of 3: client is not localhost (IPv4 or IPv6 loopback), so
# local cron/monitoring scripts are exempt. Parts 2 and 3 follow: UA
# contains "libwww-perl" and does not start with "w3c-" or contain
# "systran)". Path exclusions 95094/95095 also remove this rule.
SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" "phase:2,t:none,deny,log,auditlog,status:403,chain,id:330039,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious Unusual User Agent (libwww-perl). Disable this rule if you use libwww-perl. '"
|
|
# Chain, part 2 of 3 for id 330039: libwww-perl in UA (case-insensitive);
# "chain" continues to the exception rule below.
SecRule REQUEST_HEADERS:User-Agent "libwww-perl" "chain,t:none,t:lowercase"
|
|
# Chain, part 3 of 3 for id 330039: allow-list for W3C validators and
# SYSTRAN, which are built on libwww-perl.
SecRule REQUEST_HEADERS:User-Agent "!(^w3c-|systran\))" "t:none,t:lowercase"
|
|
|
|
# Rule 332039: python-requests/
|
|
# Chain, part 1 of 2: non-loopback client. Part 2 (next SecRule) requires
# "python-requests/" in the UA. Removed by path exclusion 95097.
SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" "phase:2,t:none,deny,log,auditlog,status:403,chain,id:332039,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious Unusual User Agent (python-requests). Disable this rule if you use python-requests/. '"
|
|
# Chain, part 2 of 2 for id 332039: python-requests library UA
# (case-insensitive).
SecRule REQUEST_HEADERS:User-Agent "python-requests/" "t:none,t:lowercase"
|
|
|
|
# Exemption for a cron endpoint: when the (lowercased) filename ends with
# admin/controllers/cron.php, jump past the libcurl chain (332139) to the
# END_332139 marker. Unlike the exclusions at the top of the file this
# pattern is anchored with $.
SecRule REQUEST_FILENAME "admin/controllers/cron\.php$" "phase:2,id:343759,pass,t:none,t:lowercase,nolog,noauditlog,skipAfter:END_332139"
|
|
|
|
# Rule 332139: libcurl
|
|
# Chain, part 1 of 2: non-loopback client. Part 2 (next SecRule) requires
# "libcurl" in the UA.
SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" "phase:2,t:none,deny,log,auditlog,status:403,chain,id:332139,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious Unusual User Agent (libcurl). Disable this rule if you use libcurl. '"
|
|
# Chain, part 2 of 2 for id 332139: libcurl in UA (case-insensitive).
SecRule REQUEST_HEADERS:User-Agent "libcurl" "t:none,t:lowercase"
|
|
# Landing point for the skipAfter in rule 343759.
SecMarker END_332139
|
|
|
|
#typhoeus
|
|
# Chain, part 1 of 2: non-loopback client. Part 2 (next SecRule) requires
# "typhoeus" in the UA.
SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" "phase:2,t:none,deny,log,auditlog,status:403,chain,id:332150,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious User Agent (typhoeus). Disable this rule if you use typhoeus. '"
|
|
# Chain, part 2 of 2 for id 332150: Typhoeus (Ruby) client UA.
SecRule REQUEST_HEADERS:User-Agent "typhoeus" "t:none,t:lowercase"
|
|
|
|
# Rule 331039: Python-urllib
|
|
# Chain, part 1 of 3: non-loopback client. Parts 2 and 3 follow:
# "python-urllib" in UA, and not a W3C/SYSTRAN agent.
SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" "phase:2,t:none,deny,log,auditlog,status:403,chain,id:331039,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious Unusual User Agent (Python-urllib). Disable this rule if you use Python-urllib. '"
|
|
# Chain, part 2 of 3 for id 331039: Python-urllib UA (case-insensitive).
SecRule REQUEST_HEADERS:User-Agent "python-urllib" "chain,t:none,t:lowercase"
|
|
# Chain, part 3 of 3 for id 331039: same W3C/SYSTRAN allow-list as 330039.
SecRule REQUEST_HEADERS:User-Agent "!(^w3c-|systran\))" "t:none,t:lowercase"
|
|
|
|
# Rule 330040: TwengaBot
|
|
# TwengaBot crawler (case-insensitive). Disable to allow it.
SecRule REQUEST_HEADERS:User-Agent "twengabot" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330040,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Impolite bot - TwengaBot detected. Disable this rule if you want to allow TwengaBot. '"
|
|
|
|
# Rule 330140: JS-Kit URL Resolver
|
|
# JS-Kit URL resolver bot (exact case, t:none only). Id is 330140.
SecRule REQUEST_HEADERS:User-Agent "(?:JS-Kit URL Resolver|JSKitBotURLResolver|js-kit\.com)" "phase:2,t:none,deny,log,auditlog,status:403,id:330140,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Impolite bot - JS-Kit URL Resolver detected. Disable this rule if you want to allow JS-Kit URL Resolver. '"
|
|
# Rule 330041: VB development library used by many spammers; might block legitimate VB scripts
|
|
#comment out if you have problems
|
|
# Crescent Internet ToolPak (VB HTTP component) default UA; may block
# legitimate VB applications, as noted above.
SecRule REQUEST_HEADERS:User-Agent "crescent internet toolpak" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330041,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious User agent detected'"
|
|
|
|
# Rule 330045: pycurl
|
|
# Chain, part 1 of 2: non-loopback client. Part 2 (next SecRule) requires
# "pycurl" in the UA. Id is 330045.
SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" "phase:2,t:none,deny,log,auditlog,status:403,chain,id:330045,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious Unusual User Agent (pycurl). Disable this rule if you use pycurl. '"
|
|
# Chain, part 2 of 2 for id 330045: PycURL UA (case-insensitive).
SecRule REQUEST_HEADERS:User-Agent "pycurl" "t:none,t:lowercase"
|
|
|
|
# Rule 330056: e-mail collectors and spammers
|
|
SecRule REQUEST_HEADERS:User-Agent "(?:e(?:mail(?:s(?:iphon|pider)|collector|wolf)|xtractor(?:pro)?|collector)|web(?:(?:emailextrac|bandi)t|mole)|autoemailspider|cherrypicker|under the rainbow 2|nicerspro|telesoft|grub|j12bot\/v1\.0\.8|(?:blogsearchbot-marti|super happy fu)n|c(?:ore-project\/|herrypicker)|p(?:sycheclone|ussycat)|(?:grub crawl|omniexplor)er|auto ?email ?spider|winnie poh|nut(?:scrape/|chcvs)|app3lewebkit)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,chain,id:330056,rev:10,severity:2,msg:'Atomicorp.com WAF Rules: Email Harvester Spambot User agent detected'"
|
|
# Chain, part 2 of 2 for id 330056: allow-list (negated match).
SecRule REQUEST_HEADERS:User-Agent "!(windows-live-social-object-extractor-engine|nutch-)" "t:none,t:lowercase"
|
|
|
|
#Spiders that eat up bandwidth for their customers
|
|
# Rule 330057: Not a spammer, just a spider, comment out if you like
|
|
# Copyright/DRM image crawlers (case-insensitive). Optional; comment out
# to allow them.
SecRule REQUEST_HEADERS:User-Agent "(?:copy(?:rightcheck|guard)|digimarc webreader|picscout)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330057,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: DRM Spider User agent detected'"
|
|
|
|
# Rule 330060: Marketing spiders
|
|
# "Zeus ... Webster Pro" marketing spider (case-insensitive).
SecRule REQUEST_HEADERS:User-Agent "zeus .*webster pro" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330060,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Marketing Spider User agent detected'"
|
|
|
|
|
|
# Rule 330061: Poker spam
|
|
# Comment-spam bot names (lowercased, whitespace compressed). The factored
# regex expands to e.g. wisebot, wisenutbot, webaltbot, nameofagent,
# dts agent, 8484 boston project, franklin locator, fantombrowser,
# atspider, china local browse 2, murzillo compatible, libwen-us,
# program shareware 1, wells search ii, wep search 00, digger, trackback/.
SecRule REQUEST_HEADERS:User-Agent "(?:(?:w(?:ise(?:nut)?|ebalt)bo|(?:nameof|dts )agen|8484 boston projec)t|(?:f(?:ranklin locato|antombrowse)|atspide)r|china local browse 2|murzillo compatible|libwen-us|program shareware 1|we(?:lls search ii|p search 00)|digger|trackback\/)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330061,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Spambot User agent detected'"
|
|
|
|
#330269 suspicious UA
|
|
# Perl POE HTTP client default UA (case-insensitive).
SecRule REQUEST_HEADERS:User-Agent "poe-component-client" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330269,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious User Agent (POE-Component-Client)'"
|
|
|
|
# Rule 330070: spam bots
|
|
# Missigua Locator spambot (case-insensitive).
SecRule REQUEST_HEADERS:User-Agent "missigua" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330070,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious unusual User Agent'"
|
|
|
|
#spammer
|
|
# Comment-spammer signatures (case-insensitive, whitespace compressed).
SecRule REQUEST_HEADERS:User-Agent "(?:agdm79@mail\.ru|larbin@unspecified|butch__2\.1\.1|internet exploiter|hl_ftien_spider|godzilla)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330079,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Comment Spammer User Agent'"
|
|
|
|
#Fake Gameboy UA
|
|
# Spoofed Game Boy UA used by comment spammers (case-insensitive).
SecRule REQUEST_HEADERS:User-Agent "gameboy\, powered by nintendo" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330080,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Comment Spammer User Agent (Fake Gamboy UA)'"
|
|
|
|
#bogus amiga UA
|
|
# Spoofed Amiga AWeb UA (case-insensitive).
SecRule REQUEST_HEADERS:User-Agent "amiga-aweb/3\.4" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330081,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Fake Amiga Web Agent'"
|
|
|
|
#bogus googlebot UA
|
|
# Fake Googlebot strings: a Nokia WAP toolkit UA claiming to be googlebot
# twice, or the "googlehttpclient" token (case-insensitive).
SecRule REQUEST_HEADERS:User-Agent "(?:nokia-waptoolkit.* googlebot.*googlebot|googlehttpclient)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330083,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Fake GoogleBot'"
|
|
|
|
#exploit UA
|
|
# Exploit-kit and shell-probe UA fragments (lowercased, whitespace
# compressed). "if \(" and "shell_exec" catch code pasted into the UA;
# "\bcaptch" and "^apitool$" have no matching term in prefilter 333924, so
# a UA containing only those strings is never evaluated here.
SecRule REQUEST_HEADERS:User-Agent "(?:mo(?:rfeus fucking scanner|siac 1)|internet(?:-exprorer| ninja)|s\.t\.a\.l\.k\.e\.r\.|kenjin spider|neuralbot/| obot|shell_exec|if \(|r00t|intelium|cybeye|\bcaptch|^apitool$)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330082,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Known Exploit User Agent'"
|
|
|
|
#fake UA
|
|
# Chain, part 1 of 2: request is not for a .asmx (ASP.NET web service)
# endpoint, which the real Windows Update agent legitimately calls. Part 2
# (next SecRule) requires "windows-update-agent" in the UA.
SecRule REQUEST_URI "!(\.asmx$)" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,chain,id:330090,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Comment Spammer User Agent (Fake Windows Update Agent)'"
|
|
# Chain, part 2 of 2 for id 330090. This child declares no transformations
# (SecDefaultAction sets none either), so unlike the other chain children
# in this file ("t:none,t:lowercase") the lowercase pattern only matches a
# lowercase UA; "Windows-Update-Agent" would pass. Adding
# "t:none,t:lowercase" would make it consistent with the parent.
SecRule REQUEST_HEADERS:User-Agent "windows-update-agent"
|
|
|
|
#Vadix bot
|
|
# Vadixbot crawler (case-insensitive).
SecRule REQUEST_HEADERS:User-Agent "vadixbot" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330095,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Vadixbot User Agent String'"
|
|
|
|
# "Concealed Defense" agent string (case-insensitive, whitespace compressed).
SecRule REQUEST_HEADERS:User-Agent "concealed defense" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330096,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Concealed Defense User Agent String'"
|
|
|
|
# core-project/1.x agent (case-insensitive; the trailing "." is unescaped
# and matches any character).
SecRule REQUEST_HEADERS:User-Agent "core-project/1." "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330097,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: core-project/1.0 User Agent String'"
|
|
|
|
# Chain, part 1 of 2: UA literally says "no browser" or contains a nested
# "user-agent:" / "user agent :" label (typical of broken bots that pass
# the whole header line as the value). Part 2 (next SecRule) exempts
# bsalsa.com and Site24x7 agents. "no browser" has no term in prefilter
# 333924; only the "user-agent:" term is covered.
SecRule REQUEST_HEADERS:User-Agent "(?:no browser|user[- ]agent ?:)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,chain,id:330094,rev:5,severity:2,msg:'Atomicorp.com WAF Rules: Compromised User-Agent Agent Attack blocked'"
|
|
# Chain, part 2 of 2 for id 330094: allow-list. No transformations are
# declared, so the comparison is case-sensitive against the raw header;
# "Site24x7" (capitalised) would not be exempted. Other chain children here
# use "t:none,t:lowercase".
SecRule REQUEST_HEADERS:User-Agent "!(http://bsalsa\.com|^site24x7)"
|
|
|
|
|
|
# The word "backdoor" anywhere in the UA (case-insensitive).
SecRule REQUEST_HEADERS:User-Agent "backdoor" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330099,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: backdoor User Agent String'"
|
|
|
|
# Self-describing attack-tool strings (case-insensitive).
SecRule REQUEST_HEADERS:User-Agent "(?:script|sql) injection" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330100,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: script injection User Agent String'"
|
|
|
|
# "security scan" in the UA (case-insensitive). The msg text is copied
# from rule 330100 and does not describe this pattern.
SecRule REQUEST_HEADERS:User-Agent "security scan" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330101,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: script injection User Agent String'"
|
|
|
|
# Load-testing clients announcing "stress test" (case-insensitive).
SecRule REQUEST_HEADERS:User-Agent "stress test" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330102,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Stress Test User Agent String'"
|
|
|
|
# VoidEYE scanner (case-insensitive).
SecRule REQUEST_HEADERS:User-Agent "voideye" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330103,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: VoidEYE User Agent String'"
|
|
|
|
# Intended to catch bots that send the unexpanded template
# "$botname/$botversion". The pattern is a regex (default @rx), where "$"
# is an end-of-string anchor, not a literal; "$b" can never match, so this
# rule appears to be dead as written. Escaping the dollars
# ("\$botname/\$botversion") would restore the intended literal match.
SecRule REQUEST_HEADERS:User-Agent "$botname/$botversion" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330105,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Broken Bot Generic User Agent String Detected'"
|
|
|
|
# Scan-bot names: "pe 1.4", "production bot", "psycheclone", or a letter
# followed by "surf" and two digits (case-insensitive).
SecRule REQUEST_HEADERS:User-Agent "(?:p(?:e 1\.4|roduction bot|sycheclone)|[a-z]surf[0-9][0-9])" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330110,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Scanbot User Agent String Detected'"
|
|
|
|
# Fake Google search bot contact string (case-insensitive).
SecRule REQUEST_HEADERS:User-Agent "searchbot admin@google\.com" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330115,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Fake Google Searchengine User Agent String Detected'"
|
|
|
|
# Fake Sogou/Sohu crawler strings (case-insensitive).
SecRule REQUEST_HEADERS:User-Agent "(?:sogou develop spider|sohu agent)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330116,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Fake Sogou Searchengine User Agent String Detected'"
|
|
|
|
# Attack-script UA signatures (lowercased, whitespace compressed). "^perl
# post$" and "^revolt$" require the whole UA to be that string; the rest
# are substrings. "mama (casper|cyber|sox|xirio)" and "<name> bot search"
# families are spelled out explicitly.
SecRule REQUEST_HEADERS:User-Agent "(?:bwh3_user_agent|zemu|mama (?:casper|cyber|sox|xirio)|(?:kmccrew|sasqia|casper|planetwork|dex|jcomers|sledink|goblox|indo(?:com|network)) bot search|^perl post$|rk q kangen|t34mh4k|^revolt$)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330122,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Attack Script User Agent String Detected'"
|
|
|
|
# E-mail harvester names: contentsmartz, contactbot/, atomic_email_hunter,
# "isc systems irc search 2.1" (case-insensitive).
SecRule REQUEST_HEADERS:User-Agent "(?:con(?:tentsmartz|tactbot/)|atomic_email_hunter|isc systems irc search 2\.1)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330124,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Email Harvester Spambot User Agent String Detected'"
|
|
|
|
# Chain, part 1 of 2: scan-bot names (case-insensitive). Part 2 (next
# SecRule) exempts the Flipboard browser, whose UA overlaps.
SecRule REQUEST_HEADERS:User-Agent "(?:demo bot|educate search vxb|full web bot)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,chain,id:330125,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Scanbot User Agent String Detected'"
|
|
# Chain, part 2 of 2 for id 330125: allow-list (negated match).
SecRule REQUEST_HEADERS:User-Agent "!(flipboardbrowser)" "t:none,t:lowercase"
|
|
|
|
|
|
# Specific attacker UA string (case-insensitive, whitespace compressed;
# the dots are unescaped and match any character).
SecRule REQUEST_HEADERS:User-Agent "k1b compatible; rss 6.0; windows sot 5.1 security kol" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330132,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Attacker User Agent String Detected'"
|
|
|
|
|
|
# pleasecrawl/1.x bot (case-insensitive).
SecRule REQUEST_HEADERS:User-Agent "pleasecrawl/1\." "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330136,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Badbot User Agent String Detected'"
|
|
|
|
#SecRule REQUEST_HEADERS:User-Agent "yandexbot" # "id:330137,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: YandexBot Search Engine User Agent Detected (Disable this rules if you wish to allow this search bot, this is not a false positive)'"
# Rule 330014: Exploit UA
# 330014: deny User-Agents containing "that's gotta hurt" (an exploit-tool signature,
# per the msg); lowercased and whitespace-collapsed before matching.
SecRule REQUEST_HEADERS:User-Agent "that's gotta hurt" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330014,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Exploit User Agent Detected'"
# 333514: deny User-Agents containing "www.80legs.com" (the 80legs crawler);
# lowercased, no whitespace compression.
SecRule REQUEST_HEADERS:User-Agent "www\.80legs\.com" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:333514,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Bad Bot www.80legs.com'"
# 333515: deny the MJ12bot distributed crawler. Case-sensitive match ("t:none" with no
# lowercase), severity 4 and tag 'no_ar', unlike the other User-Agent rules here.
# The msg states the rule should be disabled if this bot is to be allowed.
SecRule REQUEST_HEADERS:User-Agent "MJ12bot" "phase:2,t:none,deny,log,auditlog,status:403,id:333515,rev:4,severity:4,msg:'Atomicorp.com WAF Rules: MJ12 Distributed bot detected (Disable this rule if you want to allow this bot)',tag:'no_ar'"
# End of the first User-Agent check section. Presumably a skipAfter target; the rules
# that jump here are not in this part of the file — verify against the earlier sections.
SecMarker END_UA_CHECKS_1
#Suspicious useragent
#SecRule REQUEST_HEADERS:User-Agent "@endsWith ;)" "chain,phase:2,t:none,t:compressWhitespace,deny,log,auditlog,status:403,id:309925,severity:2,rev:10,msg:'Atomicorp.com WAF Rules: Suspicious User-Agent, parenthesis closed with a semicolon %{REQUEST_HEADERS.User-Agent}'"
#SecRule REQUEST_HEADERS:User-Agent "!(Qualidator\.com|ExaleadCloudView|^Mozilla/4\.0 \(compatible;\)$|UTVDriveBot|Add Catalog|^Appcelerator|GoHome Spider|^ownCloud News|^Hatena|^facebookexternalhit|DashLinkPreviews|Google-InspectionTool)" "t:none"
#Check major browsers for validity
# 333925: gate for the browser-validity checks that follow. @pm is a case-insensitive
# phrase match; if the User-Agent contains any of these tokens, "skip:1" jumps over
# the next rule (the unconditional skipAfter) so the checks below are evaluated.
SecRule REQUEST_HEADERS:User-Agent "@pm mozilla ;. newt google explore msie compatible opera" "id:333925,t:none,phase:2,pass,nolog,noauditlog,skip:1"
# 333720: reached only when 333925 did not match, i.e. the User-Agent contains none of
# the browser/bot tokens. Jumps past every rule up to END_UA_CHECKS_2 without logging,
# so the fake-browser rules below only ever see User-Agents that claim to be a browser.
SecAction "phase:2,id:333720,pass,nolog,noauditlog,skipAfter:END_UA_CHECKS_2"
#"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
#"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
# 357989 (chain head): the exact Chrome/46.0.2490.71-on-Windows-NT-5.1 User-Agent
# string shown in the comment above, which the msg attributes to a Joomla DoS bot.
# Unanchored (substring) and case-sensitive ("t:none"). Denies only if the chained
# URI rule that follows also matches.
SecRule REQUEST_HEADERS:User-Agent "Mozilla/5\.0 \(Windows NT 5\.1\) AppleWebKit/537\.36 \(KHTML, like Gecko\) Chrome/46\.0\.2490\.71 Safari/537\.36" "chain,phase:2,log,deny,auditlog,t:none,id:357989,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Joomla DOS bot blocked'"
# 357989 chain continuation: block only when the request URI (lowercased) contains
# "/administrator"; the same User-Agent on other paths is not denied by this chain.
SecRule REQUEST_URI "/administrator" "t:none,t:lowercase"
#Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
# 397989 (chain head): MSIE 6.0 on Windows User-Agents, matched case-sensitively as a
# substring. The msg says to disable this rule if MSIE 6 should be allowed.
# Denies only if the chained exemption rule that follows also matches.
SecRule REQUEST_HEADERS:User-Agent "Mozilla/4\.0 \(compatible\; MSIE 6\.0\; Windows" "chain,phase:2,log,deny,auditlog,t:none,id:397989,rev:1,severity:4,msg:'Atomicorp.com WAF Rules: MSIE 6.0 detected (Disable if you want to allow MSIE 6)'"
# 397989 chain continuation: negated match exempting User-Agents that also contain
# "MS Web Services Client Protocol", "WormlyBot" or "webauth@cmcm.com" (case-sensitive).
SecRule REQUEST_HEADERS:User-Agent "!(MS Web Services Client Protocol|WormlyBot|webauth@cmcm\.com)" "t:none"
#Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
# 354321 (chain head): MSIE 7.0 User-Agents, case-sensitive substring match; the msg
# says to disable this rule if MSIE 7 should be allowed.
# NOTE(review): the first alternative has "compatible:" (colon) and an unescaped dot in
# "Mozilla/4.0". A browser UA uses "compatible;", so that alternative does not match a
# real MSIE 7 string as written — confirm whether the colon is intentional.
SecRule REQUEST_HEADERS:User-Agent "(?:Mozilla/4.0 \(compatible: MSIE 7\.0; Windows NT 6\.0|Mozilla/5\.0 \(Windows; U; MSIE 7\.0)" "chain,phase:2,log,deny,auditlog,t:none,id:354321,rev:2,severity:4,msg:'Atomicorp.com WAF Rules: MSIE 7.0 detected (Disable if you want to allow MSIE 7)'"
# 354321 chain continuation: negated match exempting User-Agents that also contain
# "MS Web Services Client Protocol", "WormlyBot" or "webauth@cmcm.com" (case-sensitive).
SecRule REQUEST_HEADERS:User-Agent "!(MS Web Services Client Protocol|WormlyBot|webauth@cmcm\.com)" "t:none"
#Fake MSIE 6
# 397999 (chain head): "MSIE 6.0." or "MSIE 6.00" version strings, which the msg
# classifies as a fake MSIE 6.0. Case-sensitive substring match; denies only if the
# chained exemption rule that follows also matches.
SecRule REQUEST_HEADERS:User-Agent "Mozilla/4\.0 \(compatible\; MSIE (?:6\.0\.|6\.00)" "chain,phase:2,log,deny,auditlog,t:none,id:397999,rev:3,severity:4,msg:'Atomicorp.com WAF Rules: Fake MSIE 6.0 detected'"
# 397999 chain continuation: exempt User-Agents containing "MS Web Services Client
# Protocol" or "WormlyBot". NOTE(review): unlike the 397989 and 354321 exemptions,
# "webauth@cmcm.com" is not listed here — confirm that difference is intended.
SecRule REQUEST_HEADERS:User-Agent "!(MS Web Services Client Protocol|WormlyBot)" "t:none"
#Fake MSIE 5.01
#User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
# 397970: deny "Mozilla/4.0 (compatible; MSIE 5.01)" — the closing parenthesis must
# follow "5.01" directly, so the longer form with "; Windows NT 5.0" (quoted in the
# comment above) is NOT matched by this pattern. Case-sensitive substring match.
SecRule REQUEST_HEADERS:User-Agent "Mozilla/4\.0 \(compatible; MSIE 5\.01\)" "phase:2,log,deny,auditlog,t:none,id:397970,rev:1,severity:3,msg:'Atomicorp.com WAF Rules: Fake MSIE 5.01 detected'"
#MSIE 5.5
# 397990: deny User-Agents containing exactly "Mozilla/4.0 (compatible; MSIE 5.5;
# Windows NT 5.0)"; case-sensitive, unanchored substring match.
SecRule REQUEST_HEADERS:User-Agent "Mozilla/4\.0 \(compatible; MSIE 5\.5; Windows NT 5\.0\)" "phase:2,log,deny,auditlog,t:none,id:397990,rev:1,severity:3,msg:'Atomicorp.com WAF Rules: Fake MSIE 5.5 detected'"
#Fake Mozilla UA string
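# 330131: deny fake Mozilla User-Agents (header is lowercased before matching):
#   ^mozilla$           - a User-Agent that is the bare word "mozilla" and nothing else
#   mozilla/[45]\.[1-9]  - "mozilla/4.x" or "mozilla/5.x" with a non-zero minor version
#   ^mozilla/4\.0$      - a User-Agent that is exactly "mozilla/4.0"
# rev 4: the first alternative was written "$mozilla^" (end anchor before the text,
# start anchor after it), which can never match; corrected to "^mozilla$".
SecRule REQUEST_HEADERS:User-Agent "(?:^mozilla$|mozilla/[45]\.[1-9]|^mozilla/4\.0$)" "phase:2,t:none,t:lowercase,deny,log,auditlog,status:403,id:330131,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Malicious Bot Blocked (Fake Mozilla User Agent String Detected)'"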
#Fake Opera browser
#SecRule REQUEST_HEADERS:User-Agent "^.* Opera[ /][0-9]\." # "phase:2,t:none,deny,status:403,id:336655,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Fake Opera browser',chain"
#SecRule &REQUEST_HEADERS:X-Wap-Profile "@eq 0" "t:none"
#SecRule &REQUEST_HEADERS:X-Wap-Profile "@eq 0" "t:none,chain"
#SecRule REQUEST_HEADERS:User-Agent "!(Nintendo DSi)" "t:none"
#Fake MSIE 9
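# 336656: deny a User-Agent that is exactly "Mozilla/4.0 (compatible; MSIE 9.0; Windows
# NT 6.1)" (anchored ^...$, case-sensitive). The msg embeds the offending User-Agent.
# rev 3: the dots in "9.0" and "6.1" are now escaped so they match a literal dot only,
# and the msg typo "9./0" is corrected to "9.0".
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/4\.0 \(compatible; MSIE 9\.0; Windows NT 6\.1\)$" "phase:2,t:none,deny,status:403,id:336656,rev:3,severity:2,msg:'Atomicorp.com WAF Rules: Fake MSIE 9.0 browser %{REQUEST_HEADERS.User-Agent}.',log,auditlog"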
#Broken Bot
# 330130: deny User-Agents containing "compatible ;." after lowercasing and whitespace
# compression (a malformed "compatible" token the msg labels as a broken bot).
SecRule REQUEST_HEADERS:User-Agent "compatible ;\." "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330130,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Broken Bot User Agent String Detected'"
# Rule 330072: Some regexps to catch silly bots
#SecRule REQUEST_HEADERS:User-Agent "(?:^(?:google|i?explorer?\.exe|(?:ms)?ie( [0-9.]+)?[ ]?(?:compatible(?: browser)?)?|mozilla(?: [0-9.]+)?[ ]?\((?:windows|linux|(?:ie )?compatible)\))$|compatible \; msie)" #"chain,phase:2,t:none,t:compressWhitespace,t:lowercase,deny,status:403,id:330072,rev:6,severity:2,msg:'Atomicorp.com WAF Rules: Possible Fake Browser detected'"
#SecRule REQUEST_HEADERS:User-Agent "!(placeware rpc 1\.0\)$)"
# Rule 330074: Some regexps to catch silly bots
#SecRule REQUEST_HEADERS:User-Agent "^(?:mozilla/5\.0 \(x11; u; linux i686; en-us; rv\:0\.9\.6\+\) gecko/2001112|mozilla/.+[. ]+|mozilla/4\.0 \(compatible\; msie 6\.0\; windows nt 5\.1)$" # "id:330074,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Comment Spammer User Agent (Fake Mozilla)'"
#330076: Broken spammer tool
# 330076 (chain head): User-Agents that begin with "mozilla/4.0+" — spaces encoded as
# plus signs, which the msg attributes to a spammer tool. Lowercased before matching.
# The deny only fires when the chained exemption rule that follows also matches.
SecRule REQUEST_HEADERS:User-Agent "^mozilla/4\.0\+" "phase:2,t:none,t:lowercase,deny,status:403,chain,auditlog,log,id:330076,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Possible Fake User Agent (Spammer converting spaces to plus signs)'"
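# 330076 chain continuation: exempt the UptimeRobot monitor, whose User-Agent also
# encodes spaces as "+". Negated match, so the chain (and the deny) only completes when
# the lowercased User-Agent is NOT the UptimeRobot string.
# Fixed: the operator was written "^!(...)$", which makes "!" a literal regex character
# rather than the negation prefix. A header starting with "mozilla/4.0+" can never
# start with "!", so this rule never matched and the 330076 chain never fired at all.
# The "+" after "4.0" is now the literal "\+" (it was an unescaped quantifier), and the
# rule carries "t:none,t:lowercase" like the other chained exemptions in this file.
SecRule REQUEST_HEADERS:User-Agent "!^mozilla/4\.0\+\(compatible; uptimerobot/1\..; http://www\.uptimerobot\.com/\)$" "t:none,t:lowercase"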
# NOTE(review): two entries were joined onto a single "#" line here, which leaves the
# 331136 rule (the MSIE 7.0 / Trident/4.0 User-Agent with the exact ".net clr" list and
# "msoffice 12", which the msg ties to a Slowloris-style DoS tool) disabled together
# with the looser draft pattern. If 331136 is meant to be live, put it on its own line
# without the leading "#". Split below, both still commented, to make that visible.
#SecRule REQUEST_HEADERS:User-Agent "mozilla/4\.0 \(compatible; msie 7\.0; windows nt 5\.1; trident/4\.0 ?; ?(\.net clr.*){4,}.*msoffice 12"
#SecRule REQUEST_HEADERS:User-Agent "mozilla/4\.0 \(compatible; msie 7\.0; windows nt 5\.1; trident/4\.0 ?; \.net clr 1\.1\.4322; \.net clr 2\.0\.503l3; \.net clr 3\.0\.4506\.2152; \.net clr 3\.5\.30729; ?msoffice 12" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:331136,rev:4,severity:2,msg:'Atomicorp.com WAF Rules: Possible slowloris DOS attack tool detected'"
# Rule 330042: Borland Delphi signature, as above, comment out if it gives you problems
#spammers sometimes use these UAs
# 330042: deny User-Agents containing "newt activex; win32", or "mozilla" followed
# anywhere later by "newt" (lowercased, whitespace-collapsed). Per the section comment,
# this is the Borland Delphi signature used by some spam tools.
SecRule REQUEST_HEADERS:User-Agent "(?:newt activex\; win32|mozilla.*newt)" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330042,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious User agent detected'"
#Older MSIE6 on newer platforms
#SecRule REQUEST_HEADERS:User-Agent "msie 6\.0[ab]?;(?: .+;)? windows nt [56]\." # "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,status:403,id:336657,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Client using IE6 on verion of Windows that should have IE7 or higher installed'"
#Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
#
#Mozilla/5.0 (Wihndows NT
# 336658: deny User-Agents containing "Mozilla/5.0 (Wihndows NT". The misspelled
# "Wihndows" IS the signature (the msg labels it a known DoS tool) — do not "correct" it.
# Runs in phase:1 (request headers only), unlike the phase:2 rules around it; "log" is
# listed twice in the action list, which is harmless.
SecRule REQUEST_HEADERS:User-Agent "Mozilla/5\.0 \(Wihndows NT" "log,auditlog,phase:1,t:none,deny,log,status:403,id:336658,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Known DOS Attack Tool'"
#Known attack box
#^Mozilla/4.76 \[ru\] \(X11; U; SunOS 5.7 sun4u\)
# 330043: deny User-Agents containing "mozilla/4.76 [ru]" (lowercased, whitespace
# collapsed); the full string this targets is quoted in the comment above.
SecRule REQUEST_HEADERS:User-Agent "mozilla/4\.76 \[ru\]" "phase:2,t:none,t:lowercase,t:compressWhitespace,deny,log,auditlog,status:403,id:330043,rev:2,severity:2,msg:'Atomicorp.com WAF Rules: Suspicious User agent detected'"
# End of the gated browser-validity section: target of the skipAfter in 333720, so
# requests whose User-Agent carried none of the 333925 tokens resume here.
SecMarker END_UA_CHECKS_2
#exclusions