File: modsecurity_crs_35_bad_robots.conf

package info (click to toggle)
libapache-mod-security 2.5.12-1%2Bsqueeze4
  • links: PTS
  • area: main
  • in suites: squeeze-lts
  • size: 6,292 kB
  • ctags: 2,537
  • sloc: ansic: 21,266; sh: 6,512; xml: 6,320; perl: 1,653; makefile: 191
file content (29 lines) | stat: -rw-r--r-- 2,884 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
 
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.0.5
# Copyright (C) 2006-2010 Breach Security Inc. All rights reserved.
#
# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------


#
# NOTE Bad robots detection is based on checking elements easily 
#      controlled by the client. As such a determined attacked can bypass
#      those checks. Therefore bad robots detection should not be viewed as
#      a security mechanism against targeted attacks but rather as a nuisance
#      reduction, eliminating most of the random attacks against your web
#      site. 

SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_scanners.data" \
        "phase:2,rev:'2.0.5',t:none,t:lowercase,pass,nolog,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',tag:'AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
        "phase:2,rev:'2.0.5',t:none,t:lowercase,pass,nolog,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990901',tag:'AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
SecRule REQUEST_FILENAME "^/nessustest" \
        "phase:2,rev:'2.0.5',t:none,t:lowercase,pass,nolog,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990902',tag:'AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"

SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_bad_robots.data" \
        "phase:2,rev:'2.0.5',t:none,pass,nolog,auditlog,msg:'Rogue web site crawler',id:'990012',tag:'AUTOMATION/MALICIOUS',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',capture,logdata:'%{TX.0}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"

SecMarker END_ROBOT_CHECK