# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.0
# Copyright (C) 2006-2011 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under 
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------


#
# The rules in this file are considered experimental/beta rules.  They attempt to address
# some advanced attacks, use some new ModSecurity features or new rules language techniques.
#

#
# Restricted Character Anomaly Usage
# These rules attempted to gauge when there is an exccesive use of
# restricted, meta-characters within a single parameter payload.
#
# The most likely false positive instances will be free-form text fields.
# Adjust the the @ge operator value appropriately for your site.  Increasing
# the score will reduce false positives but may also decrease detection of
# obfuscated attack payloads.
#
SecRule ARGS "@pm ~ ` ! @ # $ % ^ & * ( ) - + = { } [ ] | : ; \" ' < >" "phase:2,id:'981146',t:none,nolog,pass,nolog,setvar:tx.restricted_char_payload=%{matched_var}"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ~" "phase:2,id:'981147',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains `" "phase:2,id:'981148',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains !" "phase:2,id:'981149',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains @" "phase:2,id:'981150',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains #" "phase:2,id:'981151',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains $" "phase:2,id:'981152',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains %" "phase:2,id:'981153',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ^" "phase:2,id:'981154',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains &" "phase:2,id:'981155',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains *" "phase:2,id:'981156',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains (" "phase:2,id:'981157',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains )" "phase:2,id:'981158',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains -" "phase:2,id:'981159',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains +" "phase:2,id:'981160',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains =" "phase:2,id:'981161',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains {" "phase:2,id:'981162',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains }" "phase:2,id:'981163',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains [" "phase:2,id:'981164',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ]" "phase:2,id:'981165',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains |" "phase:2,id:'981166',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains :" "phase:2,id:'981167',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ;" "phase:2,id:'981168',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains \"" "phase:2,id:'981169',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains '" "phase:2,id:'981170',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains <" "phase:2,id:'981171',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains >" "phase:2,id:'981172',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
SecRule TX:RESTRICTED_CHAR_COUNT "@ge 5" "phase:2,t:none,block,nolog,auditlog,id:'960023',rev:'2.2.0',msg:'Restricted Character Anomaly Detection Alert - Total # of special characters exceeded',logdata:'%{matched_var}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score}"

#
# This rule attempts to identify when multiple (3 or more) speciail, non-word characters are repeated
#
SecRule ARGS "\W{4,}" "phase:2,capture,t:none,block,nolog,auditlog,id:'960024',rev:'2.2.0',msg:'Restricted Character Anomaly Detection Alert - Repetative Non-Word Characters',logdata:'%{tx.0}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score}"