# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.0.5 # Copyright (C) 2006-2010 Breach Security Inc. All rights reserved. # # The ModSecurity Core Rule Set is distributed under GPL version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # HTTP policy enforcement # The HTTP policy enforcement rule set sets limitations on the use of HTTP by clients. # Few applications require the breadth and depth of the HTTP protocol. On the # other hand many attacks abuse valid but rare HTTP use patterns. Restricting # HTTP protocol usage is effective in therefore effective in blocking many # application layer attacks. # # TODO Many automation programs use non standard HTTP requests. While you may # want to allow some of those, try not to create exceptions only for the # automated program based on properties such as their source IP address or # the URL they access. # # allow request methods # # TODO Most applications only use GET, HEAD, and POST request # methods. If that is not the case with your environment, you are advised # to edit the line or uncomment it. # SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" "phase:2,t:none,pass,nolog,auditlog,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'OWASP_AppSensor/RE1',tag:'PCI/12.1',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" # Restrict which content-types we accept. # # TODO Most applications support only two types for request bodies # because that is all browsers know how to produce. If you are using # automated tools to talk to the application you may be using other # content types and would want to change the list of supported types. # # Note though that ModSecurity parses only three content types: # application/x-www-form-urlencoded, multipart/form-data request and # text/xml. The protection provided for any other type is inferior. # # TODO There are many applications that are not using multipart/form-data # types (typically only used for file uploads). This content type # can be disabled if not used. # # NOTE We allow any content type to be specified with GET or HEAD # because some tools incorrectly supply content type information # even when the body is not present. There is a rule further in # the file to prevent GET and HEAD requests to have bodies to we're # safe in that respect. # # NOTE Use of WebDAV requires "text/xml" content type. # # NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports # applications running on the PocketPC and AvantGo platforms use # non-standard content types: # # M-Business iAnywhere application/x-mal-client-data # UltraLite iAnywhere application/octet-stream # SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:2,chain,t:none,pass,nolog,auditlog,msg:'Request content type is not allowed by policy',id:'960010',tag:'POLICY/ENCODING_NOT_ALLOWED',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/12.1',severity:'4',logdata:'%{matched_var}'" SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "capture" SecRule TX:0 "!@within %{tx.allowed_request_content_type}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" # Restrict protocol versions. # # TODO All modern browsers use HTTP version 1.1. For tight security, allow only # this version. # # NOTE Automation programs, both malicious and non malicious many times use # other HTTP versions. If you want to allow a specific automated program # to use your site, try to create a narrower expection and not allow any # client to send HTTP requests in a version lower than 1.1 # SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" "phase:2,t:none,pass,nolog,auditlog,msg:'HTTP protocol version is not allowed by policy', severity:'2',id:'960034',tag:'POLICY/PROTOCOL_NOT_ALLOWED',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.10',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" # Restrict file extension # # TODO the list of file extensions below are virtually always considered unsafe # and not in use in any valid program. If your application uses one of # these extensions, please remove it from the list of blocked extensions. # You may need to use ModSecurity Core Rule Set Templates to do so, otherwise # comment the whole rule. # SecRule REQUEST_BASENAME "\.(.*)$" "chain,capture,phase:2,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,auditlog,msg:'URL file extension is restricted by policy', severity:'2',id:'960035',tag:'POLICY/EXT_RESTRICTED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',logdata:'%{TX.0}'" SecRule TX:0 "@within %{tx.restricted_extensions}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var}" # Restricted HTTP headers # # TODO the list of HTTP headers below are considered unsafe for your environment. # If your application uses one of these directories, please remove it from # the list of blocked extensions. You may need to use ModSecurity Core Rule # Set Templates to do so, otherwise comment the whole rule. # SecRule REQUEST_HEADERS_NAMES "(?:(?:Proxy-Connectio|Lock-Toke)n|(?:Content-Rang|Translat)e|via|if)$" "phase:2,t:none,pass,nolog,auditlog,msg:'HTTP header is restricted by policy',id:'960038',tag:'POLICY/HEADER_RESTRICTED',tag:'POLICY/FILES_NOT_ALLOWED',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',severity:'4',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"