Sophie: mod_security-2.5.12-4.fc15 i686

mod_security-2.5.12-4.fc15.i686.rpm

# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.0.5
# Copyright (C) 2006-2010 Breach Security Inc. All rights reserved.
#
# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------


# 
#      This ruleset file contains rules that are highly prone to FPs
#      Enable PARANOID_MODE in the 10 config file if you want to activate this rule	
#
 
#
# Directory Traversal
#
SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:1,rev:'2.0.5',t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Path Traversal Attack',id:'950103',severity:'2'"
	SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" \
        	"t:none,t:lowercase,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{rule.id}-WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"

# Weaker signature
#SecRule REQUEST_FILENAME "\.\.[/\x5c]" "phase:1,rev:'2.0.5',t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Path Traversal Attack',id:'950103',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"