File: REQUEST-910-IP-REPUTATION.conf

package info (click to toggle)
modsecurity-crs 3.0.2-1~bpo9+1
  • links: PTS
  • area: main
  • in suites: stretch-backports
  • size: 1,064 kB
  • sloc: ansic: 727; perl: 428; python: 218; ruby: 69; makefile: 15
file content (307 lines) | stat: -rw-r--r-- 10,155 bytes parent folder | download | duplicates (3)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#


SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:910011,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:910012,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
#

#
# -=[ IP Reputation Block Flag Check ]=-
#
# The first check we do is to see if the client IP address has already
# been blacklisted by rules from previous requests.
#
# If the rule matches, it will do a skipAfter and pick up processing
# at the end of the request phase for actual blocking.
#
SecRule TX:DO_REPUT_BLOCK "@eq 1" \
 "msg:'Request from Known Malicious Client (Based on previous traffic violations).',\
  logdata:'Previous Block Reason: %{ip.reput_block_reason}',\
  severity:'CRITICAL',\
  id:910000,\
  phase:request,\
  block,\
  t:none,\
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-reputation-ip',\
  tag:'IP_REPUTATION/MALICIOUS_CLIENT',\
  setvar:'tx.msg=%{rule.msg}',\
  skipAfter:BEGIN_REQUEST_BLOCKING_EVAL,\
  chain"
  SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
    "setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
    setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"


#
# -=[ GeoIP Checks ]=-
#
# This rule requires activating the SecGeoLookupDB directive
# in the crs-setup.conf file and specifying
# the list of blocked countries (tx.high_risk_country_codes).
#
# This rule does a GeoIP resolution on the client IP address.
#
SecRule TX:HIGH_RISK_COUNTRY_CODES "!^$" \
 "msg:'Client IP is from a HIGH Risk Country Location.',\
  severity:'CRITICAL',\
  id:910100,\
  phase:request,\
  block,\
  t:none,\
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-reputation-ip',\
  chain"
  SecRule TX:REAL_IP "@geoLookup" \
   "chain"
    SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" \
     "setvar:'tx.msg=%{rule.msg}',\
      setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
      setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
      setvar:ip.reput_block_flag=1,\
      expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
      setvar:'ip.reput_block_reason=%{rule.msg}'"


#
# -=[ IP Reputation Checks ]=-
#
# ModSecurity Rules from Trustwave SpiderLabs: IP Blacklist Alert
# Ref: http://www.modsecurity.org/projects/commercial/rules/
#
# This rule checks the client IP address against a list of recent IPs captured
# from the SpiderLabs web honeypot systems (last 48 hours).
#
#SecRule TX:REAL_IP "@ipMatchFromFile ip_blacklist.data" \
  "msg:'Client IP in Trustwave SpiderLabs IP Reputation Blacklist.',\
  severity:'CRITICAL',\
  id:910110,\
  phase:request,\
  block,\
  t:none,\
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-reputation-ip',\
  setvar:'tx.msg=%{rule.msg}',\
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
  setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
  setvar:ip.reput_block_flag=1,\
  expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
  setvar:'ip.reput_block_reason=%{rule.msg}'"


#
# First check if we have already run an @rbl check for this IP by checking in IP collection.
# If we have, then skip doing another check.
#
SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \
  "id:910120,\
  phase:request,\
  nolog,\
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-reputation-ip',\
  pass,\
  t:none,\
  skipAfter:END_RBL_LOOKUP"

#
# Check Client IP against ProjectHoneypot's HTTP Blacklist
# Ref: http://www.projecthoneypot.org/httpbl_api.php
#
# To use the blacklist, you must register for an HttpBL API Key
# and choose the traffic types to block. See section
# "Project Honey Pot HTTP Blacklist" in crs-setup.conf.
#
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey
#

# Skip HttpBL checks if user has not defined one of the TX:block_* variables.
# This prevents error "Operator error: RBL httpBl called but no key defined: set SecHttpBlKey"
SecRule &TX:block_suspicious_ip "@eq 0" \
  "id:910130,\
  phase:request,\
  t:none,\
  nolog,\
  pass,\
  chain,\
  skipAfter:END_RBL_CHECK"
  SecRule &TX:block_harvester_ip "@eq 0" "chain"
  SecRule &TX:block_spammer_ip "@eq 0" "chain"
  SecRule &TX:block_search_ip "@eq 0"

SecRule TX:REAL_IP "@rbl dnsbl.httpbl.org" \
  "id:910140,\
  phase:request,\
  capture,\
  nolog,pass,t:none, \
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-reputation-ip',\
  chain,\
  setvar:tx.httpbl_msg=%{tx.0}"
        SecRule TX:httpbl_msg "RBL lookup of .*?.dnsbl.httpbl.org succeeded at TX:checkip. (.*?): .*" \
          "t:none,\
          capture,\
          setvar:tx.httpbl_msg=%{tx.1}"

# The following regexs are generated based off re_operators.c
SecRule TX:block_search_ip "@eq 1" \
   "msg:'HTTP Blacklist match for search engine IP',  \
   severity:'CRITICAL', \
   id:910150,\
   phase:request,\
   block,\
   t:none,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-reputation-ip',\
   chain,\
   skipAfter:END_RBL_CHECK"
        SecRule TX:httpbl_msg "Search Engine" \
           "setvar:'tx.msg=%{rule.msg}',\
           setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
           setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
           setvar:ip.reput_block_flag=1,\
           expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
           setvar:'ip.reput_block_reason=%{rule.msg}',\
           setvar:ip.previous_rbl_check=1,\
           expirevar:ip.previous_rbl_check=86400"

SecRule TX:block_spammer_ip "@eq 1" \
   "msg:'HTTP Blacklist match for spammer IP',\
   severity:'CRITICAL',\
   id:910160,\
   phase:request,\
   block,\
   t:none,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-reputation-ip',\
   chain,\
   skipAfter:END_RBL_CHECK"
        SecRule TX:httpbl_msg "(?i)^.*? spammer .*?$" \
           "setvar:'tx.msg=%{rule.msg}',\
           setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
           setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
           setvar:ip.reput_block_flag=1,\
           expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
           setvar:'ip.reput_block_reason=%{rule.msg}',\
           setvar:ip.previous_rbl_check=1,\
           expirevar:ip.previous_rbl_check=86400"

SecRule TX:block_suspicious_ip "@eq 1" \
   "msg:'HTTP Blacklist match for suspicious IP',\
   severity:'CRITICAL',\
   id:910170,\
   phase:request,\
   block,\
   t:none,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-reputation-ip',\
   chain,\
   skipAfter:END_RBL_CHECK"
        SecRule TX:httpbl_msg "(?i)^.*? suspicious .*?$" \
           "setvar:'tx.msg=%{rule.msg}',\
           setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
           setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
           setvar:ip.reput_block_flag=1,\
           expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
           setvar:'ip.reput_block_reason=%{rule.msg}',\
           setvar:ip.previous_rbl_check=1,\
           expirevar:ip.previous_rbl_check=86400"

SecRule TX:block_harvester_ip "@eq 1" \
   "msg:'HTTP Blacklist match for harvester IP',\
   severity:'CRITICAL',\
   id:910180,\
   phase:request,\
   block,\
   t:none,\
   tag:'application-multi',\
   tag:'language-multi',\
   tag:'platform-multi',\
   tag:'attack-reputation-ip',\
   chain,\
   skipAfter:END_RBL_CHECK"
        SecRule TX:httpbl_msg "(?i)^.*? harvester .*?$" \
           "setvar:'tx.msg=%{rule.msg}',\
           setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
           setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
           setvar:ip.reput_block_flag=1,\
           expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
           setvar:'ip.reput_block_reason=%{rule.msg}',\
           setvar:ip.previous_rbl_check=1,\
           expirevar:ip.previous_rbl_check=86400"

SecAction \
  "id:910190,\
  phase:request,\
  nolog,\
  pass,\
  t:none,\
  tag:'application-multi',\
  tag:'language-multi',\
  tag:'platform-multi',\
  tag:'attack-reputation-ip',\
  setvar:ip.previous_rbl_check=1,\
  expirevar:ip.previous_rbl_check=86400"

SecMarker END_RBL_LOOKUP

SecMarker END_RBL_CHECK


SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:910013,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:910014,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION"
#
# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:910015,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:910016,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION"
#
# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
#



SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:910017,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:910018,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION"
#
# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
#



#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-910-IP-REPUTATION"