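# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.0.5
# Copyright (C) 2006-2010 Breach Security Inc. All rights reserved.
#
# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------

#
# This ruleset file contains rules that are highly prone to FPs
# (false positives).
# Enable PARANOID_MODE in the 10 config file if you want to activate this rule
#

#
# Directory Traversal
#
# Two-rule chain, id 950103:
#   1. The chain starter is a gate: the chain only continues when
#      TX:PARANOID_MODE equals 1.
#   2. The chained rule looks for "<separator><dot><dot><separator>" in the
#      requested file name, argument names, argument values and XML content.
#        separator: \  /  %2f  %5c  %252f  %255c  %c0%af  %c0%9v  %c1%1c
#                   %u2215  %u2216  %1u
#        dot:       .  %2e  %u2024
#      t:lowercase is applied first, so upper-case hex digits in the encoded
#      forms are covered as well. A separator is required on BOTH sides of
#      the dot pair; the weaker signature at the end of this file is broader.
#
# The rule never blocks by itself (pass,nolog,auditlog). On a match it adds
# tx.critical_anomaly_score to tx.anomaly_score, copies the rule message to
# tx.msg, and stores the matched variable name and value in the TX
# collection. ctl:auditLogParts=+E adds part E to the audit log entry.
#
# Phase: the chain runs in phase:2 (it previously ran in phase:1). In phase 1
# the request body has not been read yet, so ARGS and ARGS_NAMES hold
# query-string parameters only and XML:/* is always empty; traversal
# sequences carried in a POST or XML body were never inspected.
# REQUEST_FILENAME and the query-string arguments remain available in phase 2.
# NOTE(review): the rule that evaluates tx.anomaly_score is not part of this
# file - confirm that it runs in phase 2 and is loaded after this file.
# NOTE(review): body inspection also needs SecRequestBodyAccess On, and the
# XML request body processor for XML:/* - verify in the main configuration.
#
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.0.5',t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Path Traversal Attack',id:'950103',severity:'2'"
    SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" \
        "t:none,t:lowercase,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"

# Weaker signature
#
# Disabled alternative: matches a plain "../" or "..\" in REQUEST_FILENAME
# after t:urlDecodeUni, is not gated on PARANOID_MODE, and adds a fixed 15 to
# tx.anomaly_score. It only inspects REQUEST_FILENAME, so phase:1 is
# sufficient for it.
# NOTE(review): it reuses id 950103. Do not enable it together with the chain
# above; ModSecurity 2.7 and later reject duplicate rule ids at startup.
#SecRule REQUEST_FILENAME "\.\.[/\x5c]" "phase:1,rev:'2.0.5',t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Path Traversal Attack',id:'950103',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"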