File: /usr/share/modsecurity-crs/optional_rules/modsecurity_crs_40_experimental.conf (6.15 KB)
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.0.10
# Copyright (C) 2006-2010 Trustwave All rights reserved.
#
# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------


#
# The rules in this file are considered experimental/beta rules.  They attempt to address
# some advanced attacks, use some new ModSecurity features or new rules language techniques.
#

#
# Restricted Character Anomaly Usage
# These rules attempt to gauge when there is an excessive use of
# restricted, meta-characters within a single parameter payload.
#
# The most likely false positive instances will be free-form text fields.
# Adjust the @ge operator value appropriately for your site.  Increasing
# the score will reduce false positives but may also decrease detection of
# obfuscated attack payloads.
#
SecRule ARGS "@pm ~ ` ! @ # $ % ^ & * ( ) - + = { } [ ] | : ; \" ' < >" "phase:2,t:none,nolog,pass,setvar:tx.restricted_char_payload=%{matched_var}"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ~" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains `" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains !" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains @" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains #" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains $" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains %" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ^" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains &" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains *" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains (" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains )" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains -" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains +" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains =" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains {" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains }" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains [" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ]" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains |" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains :" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ;" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains \"" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains '" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains <" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains >" "phase:2,t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_COUNT "@ge 5" "phase:2,t:none,block,nolog,auditlog,id:'960023',rev:'2.0.10',msg:'Restricted Character Anomaly Detection Alert - Total # of special characters exceeded',logdata:'%{matched_var}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score}"

#
# This rule attempts to identify when multiple (4 or more) special, non-word characters are repeated
#
SecRule ARGS "\W{4,}" "phase:2,capture,t:none,block,nolog,auditlog,id:'960024',rev:'2.0.10',msg:'Restricted Character Anomaly Detection Alert - Repetative Non-Word Characters',logdata:'%{tx.0}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score}"

#
# HTTP Parameter Pollution (HPP)
#
# One HPP attack vector is to try to evade signature filters by distributing the attack payload
# across multiple parameters with the same name.  This works because many security devices only
# apply signatures to individual parameter payloads, whereas the back-end web application
# may (in the case of ASP.NET) consolidate all of the payloads into one, thus making the
# attack payload active.
#
# -=[ Rules Logic ]=-
# The ruleset below is not looking for attacks directly, but rather is a crude normalization
# function that mimics ASP.NET with regards to joining the payloads of parameters with the
# same name.  These rules will create a new TX:HPP_DATA variable that will hold this data.
# If you have enabled PARANOID_MODE, then this variable data will also be searched against
# attack filters.
#
# -=[ References ]=-
# http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html
#  

SecRule ARGS "^" "chain,phase:2,t:none,nolog,pass,capture,id:'960022',rev:'2.0.10',setvar:tx.%{matched_var_name}=+1"
    SecRule TX:/^ARGS:/ "@gt 1" "chain,t:none"
        SecRule MATCHED_VAR_NAME "TX:(ARGS:.*)" "chain,capture,t:none,setvar:tx.hpp_names=%{tx.1}"
            SecRule ARGS ".*" "chain,t:none,capture,setvar:tx.arg_counter=+1,setvar:'tx.hppnamedata_%{tx.arg_counter}=%{matched_var_name}=%{tx.0}'"
                SecRule TX:/HPPNAMEDATA_/ "@contains %{tx.hpp_names}" "chain,setvar:tx.hpp_counter=+1,setvar:tx.hpp_counter_%{tx.hpp_counter}=%{matched_var}"
                    SecRule TX:/HPP_COUNTER_/ "ARGS:(.*)?=(.*)" "capture,setvar:'tx.hpp_data=%{tx.hpp_data},%{tx.2}'"
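
The restricted-character rules (960023 and 960024) can be modelled offline to choose an @ge value before deploying them. The Python below is an added example, not part of the Core Rule Set; it assumes each rule is evaluated against one parameter value at a time, and the function names and sample values are constructed for illustration.

```python
import re

# The 26 metacharacters listed in the @pm / @contains rules of this file.
RESTRICTED = "~`!@#$%^&*()-+={}[]|:;\"'<>"
# Pattern of rule 960024. Python's \W is Unicode-aware while PCRE defaults to
# ASCII; the two agree on the ASCII samples used here.
REPEATED_NONWORD = re.compile(r"\W{4,}")


def restricted_char_count(value):
    """Distinct restricted characters present: each @contains rule adds 1 once."""
    return sum(1 for ch in RESTRICTED if ch in value)


def evaluate(value, threshold=5):
    """Return the ids of the rules that would raise an alert for one value."""
    hits = []
    if restricted_char_count(value) >= threshold:
        hits.append("960023")
    if REPEATED_NONWORD.search(value):
        hits.append("960024")
    return hits


def lowest_quiet_threshold(benign_values):
    """Smallest @ge value at which no benign sample trips 960023."""
    return max(restricted_char_count(v) for v in benign_values) + 1


# Constructed sample parameter values (not taken from real traffic).
BENIGN = [
    "hello world",
    "Meeting moved to 3:30 (room B-12); bring the Q&A notes!",
    "price = $40 + tax",
    "Wait.... what?",
]
SUSPICIOUS = ["'\"><script>alert(1)</script>"]

if __name__ == "__main__":
    for v in BENIGN + SUSPICIOUS:
        print(f"{restricted_char_count(v):2d} {evaluate(v)} {v!r}")
    print("lowest quiet threshold:", lowest_quiet_threshold(BENIGN))
```

On these samples the free-form sentence trips 960023 at the default of 5, and raising the threshold far enough to silence it also stops 960023 from firing on the markup sample, which is the trade-off the rule comments describe.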

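
The HPP normalization described in the rule comments, as an added Python example that is not part of the Core Rule Set. It is a simplified model of what the chained rule 960022 collects in TX:HPP_DATA (values of same-named parameters joined with commas, as ASP.NET does); the signature, function names and query strings are constructed for illustration.

```python
from urllib.parse import parse_qsl
import re

# Toy per-value signature, constructed for this example (not a CRS rule).
SIGNATURE = re.compile(r"\bselect\b.+\bfrom\b", re.IGNORECASE)


def hpp_data(query_string):
    """Join the values of every parameter name that occurs more than once.

    Simplified model of TX:HPP_DATA: values of duplicated names,
    comma-joined in request order (the ASP.NET behaviour).
    """
    grouped = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        grouped.setdefault(name, []).append(value)
    return {n: ",".join(v) for n, v in grouped.items() if len(v) > 1}


def inspect(query_string):
    """Return (hits on individual values, hits on the joined HPP data)."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    per_value = [f"{n}={v}" for n, v in pairs if SIGNATURE.search(v)]
    joined = [f"{n}={v}" for n, v in hpp_data(query_string).items()
              if SIGNATURE.search(v)]
    return per_value, joined


# Constructed request: one statement split across three "q" parameters.
SPLIT = "page=2&q=select+1&q=2&q=3+from+t"
# Constructed control: a duplicated name carrying harmless values.
CONTROL = "tag=red&tag=blue&page=1"

if __name__ == "__main__":
    for qs in (SPLIT, CONTROL):
        print(qs, hpp_data(qs), inspect(qs))
```

The split request produces no per-value hit but does match once the values are joined, which is why the joined data has to be run through the same filters as ARGS.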