1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.0.5
# Copyright (C) 2006-2010 Breach Security Inc. All rights reserved.
#
# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# PHP-IDS rules (www.php-ids.org)
# Converter.php Section
# https://svn.php-ids.org/svn/trunk/lib/IDS/Converter.php
#
#
# Make sure the value to normalize and monitor doesn't contain
# possibilities for a regex DoS.
# http://www.checkmarx.com/Upload/Documents/PDF/Checkmarx_OWASP_IL_2009_ReDoS.pdf
#
SecRule ARGS|ARGS_NAMES|XML:/* "(?:(.{2,})\1{32,})|(?:[+=|\-@\s]{128,})" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Possible RegEx DoS Payload',id:'973000',rev:'2.0.5',tag:'WEB_ATTACK/DOS',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/DOS-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Possible RegEx DoS Payload',id:'973001',tag:'WEB_ATTACK/DOS',logdata:'%{TX.0}',severity:'4'"
SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:(.{2,})\1{32,})|(?:[+=|\-@\s]{128,})" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/DOS-%{matched_var_name}=%{tx.0}"
#
# Identify Comment Evasion Attempts
#
SecRule ARGS|ARGS_NAMES|XML:/* "(?:\<!-|-->|\/\*|\*\/|\/\/\W*\w+\s*$)" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973002',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973003',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"
SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:\<!-|-->|\/\*|\*\/|\/\/\W*\w+\s*$)" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:--[^-]*-)" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973004',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973005',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"
SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:--[^-]*-)" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:(?:<!)(?:(?:--(?:[^-]*(?:-[^-]+)*)--\s*)*)(?:>))" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973006',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973007',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"
SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:(?:<!)(?:(?:--(?:[^-]*(?:-[^-]+)*)--\s*)*)(?:>))" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:(?:\/\*\/*[^\/\*]*)+\*\/)" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973008',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973009',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"
SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:(?:\/\*\/*[^\/\*]*)+\*\/)" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(?:--[^-]*-)" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973010',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973011',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"
SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:--[^-]*-)" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "(<\w+)\/+(\w+=?)" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973012',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973013',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"
SecRule REQUEST_BODY|REQUEST_URI_RAW "(<\w+)\/+(\w+=?)" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"
SecRule ARGS|ARGS_NAMES|XML:/* "[^\\\:]\/\/(.*)$" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973014',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973015',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"
SecRule REQUEST_BODY|REQUEST_URI_RAW "[^\\\:]\/\/(.*)$" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"
#
# Checks for common charcode patterns
#
# check if value matches typical charCode pattern
SecRule ARGS|ARGS_NAMES|XML:/* "(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){4,}" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Basic Charcode Pattern Found',id:'973016',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Basic Charcode Pattern Found',id:'973017',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"
SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){4,}" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"
#
# check for octal charcode pattern
SecRule ARGS|ARGS_NAMES|XML:/* "(?:(?:[\\\]+\d+[ \t]*){8,})" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Octal Charcode Pattern Found',id:'973018',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Octal Charcode Pattern Found',id:'973019',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"
SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:(?:[\\\]+\d+[ \t]*){8,})" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"
#
# check for hexadecimal charcode pattern
SecRule ARGS|ARGS_NAMES|XML:/* "(?:(?:[\\\]+\w+\s*){8,})" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Hexadecimal Charcode Pattern Found',id:'973020',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Hexadecimal Charcode Pattern Found',id:'973021',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'
SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:(?:[\\\]+\w+\s*){8,})" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"
|
