Sophie

Sophie

distrib > Fedora > 15 > i386 > by-pkgid > 6e152889deff84d36ff414c0398b7dc5 > files > 16

mod_security-2.5.12-4.fc15.i686.rpm

# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.0.5
# Copyright (C) 2006-2010 Breach Security Inc. All rights reserved.
#
# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------


# HTTP policy enforcement
# The HTTP policy enforcement rule set sets limitations on the use of HTTP by clients.

# Few applications require the breadth and depth of the HTTP protocol. On the 
# other hand many attacks abuse valid but rare HTTP use patterns. Restricting 
# HTTP protocol usage is effective in therefore effective in blocking many 
# application layer attacks. 
#
# TODO Many automation programs use non standard HTTP requests. While you may 
#      want to allow some of those, try not to create exceptions only for the
#      automated program based on properties such as their source IP address or
#      the URL they access.
#

# allow request methods
#
# TODO Most applications only use GET, HEAD, and POST request
#      methods. If that is not the case with your environment, you are advised 
#      to edit the line or uncomment it.
#
SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" "phase:2,t:none,pass,nolog,auditlog,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'OWASP_AppSensor/RE1',tag:'PCI/12.1',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" 


# Restrict which content-types we accept.
#
# TODO Most applications support only two types for request bodies
#      because that is all browsers know how to produce. If you are using
#      automated tools to talk to the application you may be using other
#      content types and would want to change the list of supported types.
# 
#      Note though that ModSecurity parses only three content types:
#      application/x-www-form-urlencoded, multipart/form-data request and 
#      text/xml. The protection provided for any other type is inferior.
#
# TODO There are many applications that are not using multipart/form-data
#      types (typically only used for file uploads). This content type
#      can be disabled if not used.  
#
# NOTE We allow any content type to be specified with GET or HEAD
#      because some tools incorrectly supply content type information
#      even when the body is not present. There is a rule further in
#      the file to prevent GET and HEAD requests to have bodies to we're
#      safe in that respect.
#
# NOTE Use of WebDAV requires "text/xml" content type.
#
# NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports
#      applications running on the PocketPC and AvantGo platforms use
#      non-standard content types:
#
#      M-Business iAnywhere      application/x-mal-client-data
#      UltraLite iAnywhere       application/octet-stream
#
SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:2,chain,t:none,pass,nolog,auditlog,msg:'Request content type is not allowed by policy',id:'960010',tag:'POLICY/ENCODING_NOT_ALLOWED',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/12.1',severity:'4',logdata:'%{matched_var}'" 
	SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "capture"
		SecRule TX:0 "!@within %{tx.allowed_request_content_type}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

# Restrict protocol versions.
#
# TODO All modern browsers use HTTP version 1.1. For tight security, allow only 
#      this version. 
#
# NOTE Automation programs, both malicious and non malicious many times use 
#      other HTTP versions. If you want to allow a specific automated program
#      to use your site, try to create a narrower expection and not allow any 
#      client to send HTTP requests in a version lower than 1.1  
#       
SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" "phase:2,t:none,pass,nolog,auditlog,msg:'HTTP protocol version is not allowed by policy', severity:'2',id:'960034',tag:'POLICY/PROTOCOL_NOT_ALLOWED',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.10',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" 

# Restrict file extension
#
# TODO the list of file extensions below are virtually always considered unsafe
#      and not in use in any valid program. If your application uses one of 
#      these extensions, please remove it from the list of blocked extensions.
#      You may need to use ModSecurity Core Rule Set Templates to do so, otherwise
#      comment the whole rule.       
#
SecRule REQUEST_BASENAME "\.(.*)$" "chain,capture,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,auditlog,msg:'URL file extension is restricted by policy', severity:'2',id:'960035',tag:'POLICY/EXT_RESTRICTED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',logdata:'%{TX.0}'" 
	SecRule TX:0 "@within %{tx.restricted_extensions}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var}"



# Restricted HTTP headers 
#
# TODO the list of HTTP headers below are considered unsafe for your environment.
#      If your application uses one of these directories, please remove it from 
#      the list of blocked extensions. You may need to use ModSecurity Core Rule 
#      Set Templates to do so, otherwise comment the whole rule.       
#
SecRule REQUEST_HEADERS_NAMES "(?:(?:Proxy-Connectio|Lock-Toke)n|(?:Content-Rang|Translat)e|via|if)$" "phase:2,t:none,pass,nolog,auditlog,msg:'HTTP header is restricted by policy',id:'960038',tag:'POLICY/HEADER_RESTRICTED',tag:'POLICY/FILES_NOT_ALLOWED',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',severity:'4',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional