Sophie

Sophie

distrib > Fedora > 15 > i386 > by-pkgid > 6e152889deff84d36ff414c0398b7dc5 > files > 19

mod_security-2.5.12-4.fc15.i686.rpm

# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.0.5
# Copyright (C) 2006-2010 Breach Security Inc. All rights reserved.
#
# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------


#
# PHP-IDS rules (www.php-ids.org)
# Converter.php Section
# https://svn.php-ids.org/svn/trunk/lib/IDS/Converter.php
#

#
# Make sure the value to normalize and monitor doesn't contain
# possibilities for a regex DoS.
# http://www.checkmarx.com/Upload/Documents/PDF/Checkmarx_OWASP_IL_2009_ReDoS.pdf
#
SecRule ARGS|ARGS_NAMES|XML:/* "(?:(.{2,})\1{32,})|(?:[+=|\-@\s]{128,})" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Possible RegEx DoS Payload',id:'973000',rev:'2.0.5',tag:'WEB_ATTACK/DOS',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/DOS-%{matched_var_name}=%{tx.0}"

SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Possible RegEx DoS Payload',id:'973001',tag:'WEB_ATTACK/DOS',logdata:'%{TX.0}',severity:'4'"
	SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:(.{2,})\1{32,})|(?:[+=|\-@\s]{128,})" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/DOS-%{matched_var_name}=%{tx.0}"

#
# Identify Comment Evasion Attempts
#
SecRule ARGS|ARGS_NAMES|XML:/* "(?:\<!-|-->|\/\*|\*\/|\/\/\W*\w+\s*$)" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973002',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"

SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973003',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"
	SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:\<!-|-->|\/\*|\*\/|\/\/\W*\w+\s*$)" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"

SecRule ARGS|ARGS_NAMES|XML:/* "(?:--[^-]*-)" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973004',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"

SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973005',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"
	SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:--[^-]*-)" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"

SecRule ARGS|ARGS_NAMES|XML:/* "(?:(?:<!)(?:(?:--(?:[^-]*(?:-[^-]+)*)--\s*)*)(?:>))" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973006',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"

SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973007',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"
	SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:(?:<!)(?:(?:--(?:[^-]*(?:-[^-]+)*)--\s*)*)(?:>))" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"

SecRule ARGS|ARGS_NAMES|XML:/* "(?:(?:\/\*\/*[^\/\*]*)+\*\/)" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973008',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"

SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973009',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"
	SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:(?:\/\*\/*[^\/\*]*)+\*\/)" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"

SecRule ARGS|ARGS_NAMES|XML:/* "(?:--[^-]*-)" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973010',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"

SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973011',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"
	SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:--[^-]*-)" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"

SecRule ARGS|ARGS_NAMES|XML:/* "(<\w+)\/+(\w+=?)" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973012',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"

SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973013',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"
	SecRule REQUEST_BODY|REQUEST_URI_RAW "(<\w+)\/+(\w+=?)" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"

SecRule ARGS|ARGS_NAMES|XML:/* "[^\\\:]\/\/(.*)$" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973014',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"

SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Comment Evasion Attempt',id:'973015',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"
	SecRule REQUEST_BODY|REQUEST_URI_RAW "[^\\\:]\/\/(.*)$" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"

#
# Checks for common charcode patterns 
#
# check if value matches typical charCode pattern 
SecRule ARGS|ARGS_NAMES|XML:/* "(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){4,}" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Basic Charcode Pattern Found',id:'973016',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"

SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Basic Charcode Pattern Found',id:'973017',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"
	SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:[\d+-=\/\* ]+(?:\s?,\s?[\d+-=\/\* ]+)){4,}" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"

#
# check for octal charcode pattern
SecRule ARGS|ARGS_NAMES|XML:/* "(?:(?:[\\\]+\d+[ \t]*){8,})" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Octal Charcode Pattern Found',id:'973018',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"

SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Octal Charcode Pattern Found',id:'973019',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'"
	SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:(?:[\\\]+\d+[ \t]*){8,})" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"

#
# check for hexadecimal charcode pattern
SecRule ARGS|ARGS_NAMES|XML:/* "(?:(?:[\\\]+\w+\s*){8,})" "skip:1,phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Hexadecimal Charcode Pattern Found',id:'973020',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"

SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,nolog,auditlog,msg:'Hexadecimal Charcode Pattern Found',id:'973021',tag:'WEB_ATTACK/EVASION',logdata:'%{TX.0}',severity:'4'
	SecRule REQUEST_BODY|REQUEST_URI_RAW "(?:(?:[\\\]+\w+\s*){8,})" "capture,multiMatch,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/EVASION-%{matched_var_name}=%{tx.0}"

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional