Editing: 01_base_rules.conf
# all.conf # Check Content-Length and reject all non numeric ones SecRule REQUEST_HEADERS:Content-Length "!^\d+$" \ "deny,log,auditlog,severity:'2',id:'96029',status:406\ msg:'Content-Length HTTP header is not numeric'" # Do not accept GET or HEAD requests with bodies SecRule REQUEST_METHOD "^(?:GET|HEAD)$" \ "chain,phase:2,t:none,deny,log,auditlog,status:406,severity:'2',\ id:'96024',msg:'GET or HEAD requests with bodies',\ tag:'PROTOCOL_VIOLATION/EVASION'" SecRule REQUEST_HEADERS:Content-Length "!^0?$" t:none # Require Content-Length to be provided with every POST request. SecRule REQUEST_METHOD "^POST$" \ "chain,phase:2,t:none,deny,log,auditlog,status:406,id:'96025',\ msg:'POST request must have a Content-Length header',\ tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'" SecRule &REQUEST_HEADERS:Content-Length "@eq 0" t:none # Don't accept transfer encodings we know we don't know how to handle SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" \ "phase:2,t:none,deny,log,auditlog,status:406,id:'96026',severity:'3',\ msg:'ModSecurity does not support transfer encodings',\ tag:'PROTOCOL_VIOLATION/EVASION'" # Proxy access attempt SecRule REQUEST_URI_RAW ^\w+:/ \ "phase:2,t:none,deny,log,auditlog,status:406,severity:'2',id:'96027',\ msg:'Proxy access attempt',\ tag:'PROTOCOL_VIOLATION/PROXY_ACCESS'" # Restrict type of characters sent SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \ "@validateByteRange 1-255" \ "log,auditlog,deny,status:406,severity:'2',id:'96028',t:urlDecodeUni,phase:1,\ msg:'Request Missing an Accept Header'" # Restricted HTTP headers SecRule REQUEST_HEADERS_NAMES "\.(?:Lock-Token|Translate|If)$" \ "deny,log,status:406,auditlog,id:'96030',severity:'4',\ msg:'HTTP header is restricted by policy'" SecRule HTTP_User-Agent \ "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|internet explorer|webinspect|\.nasl)" \ "deny,status:406,log,auditlog,id:'96031',severity:'2',\ msg:'Request Indicates a Security Scanner Scanned the Site'" SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \ "deny,status:406,log,auditlog,id:'96034',severity:'2',\ msg:'Request Indicates a Security Scanner Scanned the Site'" SecRule REQUEST_FILENAME "^/nessustest" \ "deny,status:406,log,auditlog,id:'96035',severity:'2',\ msg:'Request Indicates a Security Scanner Scanned the Site'" SecRule REQUEST_HEADERS:User-Agent \ "(?:m(?:ozilla\/(?:4\.0 \(compatible; advanced email extractor|2\.0 \(compatible; newt activex; win32\))|ailto:craftbot\@yahoo\.com)|e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro|o browse)|a(?:t(?:tache|hens)|utoemailspider|dsarobot)|w(?:eb(?:emailextrac| by mail)|3mir)|f(?:astlwspider|loodgate)|p(?:cbrowser|ackrat|surf)|(?:digout4uagen|takeou)t|(?:chinacla|be)w|hhjhj@yahoo|rsync|shai|zeus)" \ "deny,status:406,log,auditlog,id:'96033',severity:'2',\ msg:'Rogue web site crawler'" # Session fixation SecRule REQUEST_FILENAME|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \ "@pm set-cookie .cookie" \ "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,\ t:lowercase,pass,nolog,skip:1,id:15000" SecAction phase:2,pass,nolog,skipAfter:96017,id:15001 SecRule REQUEST_FILENAME "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \ "phase:2,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,\ capture,ctl:auditLogParts=+E,log,auditlog,logdata:'%{TX.0}',severity:'2',\ msg:'Session Fixation',id:'96007',\ tag:'WEB_ATTACK/SESSION_FIXATION'" SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \ "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,severity:'2',id:'96017',\ t:compressWhiteSpace,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,\ msg:'Session Fixation',\ tag:'WEB_ATTACK/SESSION_FIXATION',logdata:'%{TX.0}'" # Blind SQL injection SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \ "@pm sys.user_triggers sys.user_objects @@spid msysaces instr \ sys.user_views sys.tab charindex sys.user_catalog constraint_type \ locate select msysobjects attnotnull sys.user_tables sys.user_tab_columns \ sys.user_constraints waitfor mysql.user sys.all_tables \ msysrelationships msyscolumns msysqueries" \ "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\ t:replaceComments,t:compressWhiteSpace,pass,nolog,skip:1,id:15002" SecAction phase:2,pass,nolog,skipAfter:96016,id:15003 SecRule REQUEST_HEADERS|!REQUEST_HEADERS:Referer \ "(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql.user)|c(?:onstraint_type|harindex)|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)" \ "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,\ t:compressWhiteSpace,ctl:auditLogParts=+E,log,auditlog,id:'96006',\ logdata:'%{TX.0}',severity:'2',\ msg:'Blind SQL Injection Attack',\ tag:'WEB_ATTACK/SQL_INJECTION'" SecRule REQUEST_HEADERS|!REQUEST_HEADERS:Referer \ "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())" \ "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\ id:'96016',t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,\ log,auditlog,logdata:'%{TX.0}',severity:'2',\ msg:'Blind SQL Injection Attack',\ tag:'WEB_ATTACK/SQL_INJECTION'" SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \ "@pm substr xtype textpos all_objects rownum sysfilegroups sysprocesses \ user_group sysobjects user_tables systables pg_attribute user_users \ user_password column_id attrelid user_tab_columns table_name pg_class \ user_constraints user_objects object_type dba_users sysconstraints \ mb_users column_name atttypid object_id substring syscat user_ind_columns \ sysibm syscolumns sysdba object_name" \ "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,\ t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1,id:15004" SecAction phase:2,pass,nolog,id:15005 SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \ "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())" \ "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,\ t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,\ log,auditlog,id:'96020',logdata:'%{TX.0}',severity:'2',\ msg:'Blind SQL Injection Attack',\ tag:'WEB_ATTACK/SQL_INJECTION'" # XSS SecRule REQUEST_FILENAME|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \ "@pm jscript onsubmit copyparentfolder javascript meta onmove onkeydown \ onchange onkeyup activexobject expression onmouseup ecmascript onmouseover \ vbscript: <![cdata[ http: settimeout onabort shell: .innerhtml onmousedown \ onkeypress asfunction: onclick .fromcharcode background-image: .cookie \ ondragdrop onblur x-javascript mocha: onfocus javascript: getparentfolder \ lowsrc onresize @import alert onselect script onmouseout onmousemove \ background application .execscript livescript: getspecialfolder vbscript \ iframe .addimport onunload createtextrange onload <input" \ "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1,id:15009" SecAction phase:2,pass,nolog,skipAfter:96039,id:15010 SecRule REQUEST_FILENAME \ "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\(|sfunction:))|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?(?:(?:script|meta)\b|iframe)|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|fromcharcode|innerhtml)|\@import)\b)" \ "phase:2,deny,status:406,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,\ t:lowercase,ctl:auditLogParts=+E,log,auditlog,logdata:'%{TX.0}',\ id:'96003',severity:'2',\ msg:'Cross-site Scripting (XSS) Attack',\ tag:'WEB_ATTACK/XSS'" SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\(|sfunction:))|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?(?:(?:script|meta)\b|iframe)|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \ "phase:2,deny,status:406,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'96039',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2'" # file injection SecRule REQUEST_FILENAME|REQUEST_HEADERS|XML:/* "@pm .www_acl .htpasswd .htaccess boot.ini httpd.conf /etc/ .htgroup global.asa .wwwacl" \ "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1,id:15011" SecAction phase:2,pass,nolog,skipAfter:96040,id:15012 SecRule REQUEST_FILENAME "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \ "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:406,msg:'Remote File Access Attempt',id:'96004',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2'" SecRule REQUEST_HEADERS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \ "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:406,msg:'Remote File Access Attempt',id:'96040',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2'" # SSI injection SecRule REQUEST_FILENAME "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \ "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:406,msg:'SSI injection Attack',id:'96008',tag:'WEB_ATTACK/SSI_INJECTION',logdata:'%{TX.0}',severity:'2'" SecRule REQUEST_HEADERS|XML:/* \ "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \ "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\ ctl:auditLogParts=+E,deny,log,auditlog,status:406,id:'95911',\ logdata:'%{TX.0}',severity:'2',\ msg:'SSI injection Attack',\ tag:'WEB_ATTACK/SSI_INJECTION'" # PHP injection SecRule REQUEST_FILENAME|REQUEST_HEADERS|XML:/* \ "@pm <?fgets move_uploaded_file $_session readfile ftp_put ftp_fget \ gzencode ftp_nb_put bzopen readdir $_post fopen gzread ftp_nb_fput \ ftp_nb_fget ftp_get $_get scandir fscanf readgzfile fread proc_open \ fgetc fgetss ftp_fput ftp_nb_get session_start fwrite gzwrite \ gzopen gzcompress" \ "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\ pass,nolog,skip:1,id:15017" SecAction pass,nolog,skipAfter:96018,id:15018 SecRule REQUEST_FILENAME "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))" \ "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:406,msg:'PHP Injection Attack',id:'96009',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2'" SecRule REQUEST_HEADERS|XML:/* "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))" \ "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:406,msg:'PHP Injection Attack',id:'96018',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSSE_SPLITTING',logdata:'%{TX.0}',severity:'2'" # /index.php?main_page=conditions//admin/record_company.php/password_forgotten.php?action=insert SecRule REQUEST_URI "/password_forgotten\.php" \ "chain,log,deny,status:406,auditlog,t:none,t:urlDecodeUni,t:replaceNulls,\ t:replaceComments,t:compressWhiteSpace,t:lowercase,t:compressWhiteSpace,\ t:lowercase,id:13638,rev:1,severity:2,\ msg:'Atomicorp.com UNSUPPORTED DELAYED Rules - Virtual Patch: Zencart PHP code injection attack'" SecRule ARGS:admin_email "(union select|php|;+|shell_exec|wget|system\()" # No requests to any .php files with an md5 name in /cache/ folders SecRule REQUEST_METHOD "^GET|POST$" \ "chain,deny,log,auditlog,status:406,severity:'4',id:'13423',\ msg:'POST request to cache folder',\ tag:'WEB_ATTACK/SHELL ACCESS'" SecRule REQUEST_URI "/cache/[0-9a-f]{32}\.php" # No requests to any .php files with an external_md5 name in /cache/ folders SecRule REQUEST_METHOD "^GET|POST$" \ "chain,deny,log,auditlog,status:406,id:'13426',severity:'4',\ msg:'POST request to cache folder',\ tag:'WEB_ATTACK/SHELL ACCESS'" SecRule REQUEST_URI "/cache/external_[0-9a-f]{32}\.php" # Block requests from SQLMap SecRule HTTP_User-Agent "^sqlmap" \ "deny,log,auditlog,status:406,id:'13424',severity:'4',\ msg:'Request from SQLMap blocked',\ tag:'WEB_ATTACK/SHELL ACCESS'" # both.conf # Zen Cart/OSC Vuln. Ruleset (from http://updates.atomicorp.com/channels/rules/delayed/) # Added by T3/ErikS 7/10/11 # Rule 310019: Zen Cart Input Validation Hole in 'password_forgotten.php' sql injection SecRule REQUEST_URI "admin/password_forgotten\.php" \ "chain,deny,status:406,id:13019" SecRule ARGS:admin_email "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*into)" #Zen Cart SQL injection SecRule REQUEST_URI "/admin/sqlpatch\.php" \ "chain,deny,status:406,t:urlDecodeUni,t:lowercase,id:13628,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules - Virtual Patch: Zen Cart SQL injection exploit'" SecRule ARGS "sql@jah" #/index.php?main_page=conditions//admin/record_company.php/password_forgotten.php?action=insert SecRule REQUEST_URI "/password_forgotten\.php" \ "chain,log,deny,status:406,auditlog,t:urlDecodeUni,t:lowercase,id:13637,rev:1,severity:2,\ msg:'Atomicorp.com UNSUPPORTED DELAYED Rules - Virtual Patch: Zencart PHP code injection attack'" SecRule ARGS:action "^insert$" chain SecRule ARGS|REQUEST_BODY "(php|;+|shell_exec|wget|system\()" #zencart sql injection SecRule REQUEST_URI "/sqlpatch\.php/password_forgotten\.php" \ "log,deny,status:406,auditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,\ t:compressWhiteSpace,capture,id:13757,rev:4,severity:2,logdata:'%{TX.0}',\ msg:'Atomicorp.com UNSUPPORTED DELAYED Rules - Virtual Patch: ZenCart Sql Injection Exploit'" #OS Commerce banner_manager.php file upload exploit SecRule REQUEST_URI "/admin/banner_manager\.php/login.php\?action\=insert" \ "log,deny,status:406,auditlog,id:13535,rev:1,severity:2,\ msg:'OS Commerce banner_manager.php file upload exploit'" #OS Commerce categories.php file upload exploit SecRule REQUEST_URI "/admin/categories\.php/login\.php\?cPath\=\&action\=new_product_preview" \ "log,deny,status:406,auditlog,id:13536,rev:1,severity:2,\ msg:'OS Commerce categories.php file upload exploit'" # ded.conf SecRule REQUEST_HEADERS:User-Agent \ "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|d(?:ownload demon|isco)|w(?:3mirror|get)|l(?:ibwww|wp)|p(?:avuk|erl)|cu(?:sto|rl)|big brother|autohttp|netants|eCatch)" \ "chain,deny,status:406,log,auditlog,id:'96032',severity:'5',\ msg:'Request Indicates an automated program explored the site'" SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl" # Command access # Note: These were copied from the CRS which replaced them SecRule REQUEST_FILENAME "\b(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe\b" \ "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:406,msg:'System Command Access',id:'96002',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2'" SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES \ "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod cpp telnet cmd32.exe gcc g++" \ "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1,id:15015" SecAction pass,nolog,skipAfter:96015,id:15016 # SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES \ # "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo)(?:[\'\"\|\;\`\-\s]|$))" \ # "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:406,msg:'System Command Injection',id:'96015',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
Save
Back