# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.0 # Copyright (C) 2006-2011 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # -=[ OWASP AppSensor Detection Points - Setup ]=- # # - https://www.owasp.org/index.php/AppSensor_DetectionPoints # # Instead of creating rule set based on analyzing saved audit log data, we can # instead profile live transactions in phase:5 post processing and save data in # Resource-based persistent collections. Once we have seen enough traffic (as # defined below) we can then move into Enforcement Mode. # # # --[ Step 1: Initiate the Resource Collection ]-- # # We are using the REQUEST_FILENAME as the key and then set 2 variables - # # [resource.pattern_threshold] # Set the resource.pattern_threshold as the minimum number of times that a match should occur # in order to include it into the profile # # [resource.confidence_counter_threshold] # Set the resource.confidence_counter_threshold as the minimum number of "clean" transactions # to profile/inspect before enforcement of the profile begins. # SecAction "phase:1,id:'981082',t:none,nolog,pass,initcol:resource=%{REQUEST_FILENAME},setvar:resource.pattern_threshold=50,setvar:resource.confidence_counter_threshold=100" # # --[ Ignore Resource ]-- # # If you want to exclude a resource from being profiled, you can specify it in the # modsecurity_40_profiler_ignore.data file. This rule will evaluate the REQUEST_FILENAME # and if there is match in the @pmFromFile check, it will skip all profiling/enforcement # rules in this file. We have to run two checks here - # 1. For Phase:2 - Enforcement Checks # 2. For Phase:5 - Profiling Analysis # # If there is a match, the rules will skip down until it hits the SecMarker END_PROFILER_RULES # at the end of this file. # # If you want to use these rules you must: # 1. Uncomment the rules # 2. Create the modsecurity_40_appsensor_ignore.data file in the same directory # #SecRule REQUEST_FILENAME "@pmFromFile modsecurity_40_appsensor_ignore.data" "phase:2,id:'981083',t:none,nolog,pass,skipAfter:END_PROFILER_RULES" #SecRule REQUEST_FILENAME "@pmFromFile modsecurity_40_appsensor_ignore.data" "phase:5,id:'981084',t:none,nolog,pass,skipAfter:END_PROFILER_RULES"