1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.0.5
# Copyright (C) 2006-2010 Breach Security Inc. All rights reserved.
#
# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# In most cases, you should expect a certain volume of each a request on your
# website. For example, a request with 400 arguments, can be suspicious.
# This file creates limitations on the request.
#
# TODO Look at the rules in this file, and define the sizes you'd like to enforce.
# Note that most of the rules are commented out by default.
# Uncomment the rules you need
#
## -- Arguments limits --
# Limit argument name length
SecRule &TX:ARG_NAME_LENGTH "@eq 1" "chain,phase:2,t:none,pass,nolog,auditlog,msg:'Argument name too long',id:'960209',severity:'4',rev:'2.0.5'"
SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
# Limit value name length
SecRule &TX:ARG_LENGTH "@eq 1" "chain,phase:2,t:none,pass,nolog,auditlog,msg:'Argument value too long',id:'960208',severity:'4',rev:'2.0.5'"
SecRule ARGS "@gt %{tx.arg_length}" "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
# Maximum number of arguments in request limited
SecRule &TX:MAX_NUM_ARGS "@eq 1" "chain,phase:2,t:none,pass,nolog,auditlog,msg:'Too many arguments in request',id:'960335',severity:'4',rev:'2.0.5'"
SecRule &ARGS "@gt %{tx.max_num_args}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
# Limit arguments total length
SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" "chain,phase:2,t:none,pass,nolog,auditlog,msg:'Total arguments size exceeded',id:'960341',severity:'4',rev:'2.0.5'"
SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
## -- File upload limits --
# Individual file size is limited
SecRule &TX:MAX_FILE_SIZE "@eq 1" "chain,phase:2,t:none,pass,nolog,auditlog,msg:'Uploaded file size too large',id:'960342',severity:'4',rev:'2.0.5'"
SecRule FILES_SIZES "@gt %{tx.max_file_size}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
# Combined file size is limited
SecRule &TX:COMBINED_FILE_SIZES "@eq 1" "chain,phase:2,t:none,pass,nolog,auditlog,msg:'Total uploaded files size too large',id:'960343',severity:'4',rev:'2.0.5'"
SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
|
