From 419d08393cd59439ed1a0528fda8975f35c3b13b Mon Sep 17 00:00:00 2001 From: Athmane Madjoudj Date: Mon, 1 Oct 2012 21:00:53 +0100 Subject: [PATCH] Add a patch to fix incompatible rules. Update to new git release --- .gitignore | 1 + mod_security_crs-fix-incompatible-rules.patch | 1351 +++++++++++++++++ mod_security_crs.spec | 12 +- sources | 2 +- 4 files changed, 1362 insertions(+), 4 deletions(-) create mode 100644 mod_security_crs-fix-incompatible-rules.patch diff --git a/.gitignore b/.gitignore index 3ab9bc7..9ba5cca 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ /modsecurity-crs_2.2.4.tar.gz /modsecurity-crs_2.2.5.tar.gz /SpiderLabs-owasp-modsecurity-crs-21197fc.tar.gz +/SpiderLabs-owasp-modsecurity-crs-v2.2.6-0-g3f85c76.tar.gz diff --git a/mod_security_crs-fix-incompatible-rules.patch b/mod_security_crs-fix-incompatible-rules.patch new file mode 100644 index 0000000..54e7e62 --- /dev/null +++ b/mod_security_crs-fix-incompatible-rules.patch @@ -0,0 +1,1351 @@ +diff -ru SpiderLabs-owasp-modsecurity-crs-3f85c76.orig/base_rules/modsecurity_crs_20_protocol_violations.conf SpiderLabs-owasp-modsecurity-crs-3f85c76/base_rules/modsecurity_crs_20_protocol_violations.conf +--- SpiderLabs-owasp-modsecurity-crs-3f85c76.orig/base_rules/modsecurity_crs_20_protocol_violations.conf 2012-10-01 20:39:50.587035360 +0100 ++++ SpiderLabs-owasp-modsecurity-crs-3f85c76/base_rules/modsecurity_crs_20_protocol_violations.conf 2012-10-01 20:40:55.534035107 +0100 +@@ -37,10 +37,7 @@ + "msg:'Invalid HTTP Request Line',\ + severity:'4',\ + id:'960911',\ +- ver:'OWASP_CRS/2.2.6',\ + rev:'2',\ +- maturity:'9',\ +- accuracy:'9',\ + logdata:'%{request_line}',\ + phase:1,\ + block,\ +@@ -67,10 +64,7 @@ + "msg:'Apache Error: Invalid URI in Request.', \ + severity:'4', \ + id:'981227', \ +- ver:'OWASP_CRS/2.2.6', \ + rev:'1', \ +- maturity:'9', \ +- accuracy:'9', \ + logdata:'%{request_line}', \ + phase:5, \ + pass, \ +@@ -103,10 +97,7 @@ + "msg:'Attempted multipart/form-data bypass', \ + severity:'2', \ + id:'960000', \ +- ver:'OWASP_CRS/2.2.6', \ + rev:'1', \ +- maturity:'9', \ +- accuracy:'7', \ + logdata:'%{matched_var}', \ + phase:2, \ + block, \ +@@ -136,10 +127,7 @@ + "msg:'Failed to parse request body.', \ + severity:'2', \ + id:'960912', \ +- ver:'OWASP_CRS/2.2.6', \ + rev:'1', \ +- maturity:'9', \ +- accuracy:'9', \ + logdata:'%{REQBODY_ERROR_MSG}', \ + phase:2, \ + block, \ +@@ -178,10 +166,7 @@ + FLE %{MULTIPART_FILE_LIMIT_EXCEEDED}', \ + severity:'2', \ + id:'960914', \ +- ver:'OWASP_CRS/2.2.6', \ + rev:'1', \ +- maturity:'8', \ +- accuracy:'7', \ + phase:2, \ + block, \ + t:none, \ +@@ -205,10 +190,7 @@ + "msg:'Multipart parser detected a possible unmatched boundary.', \ + severity:'2', \ + id:'960915', \ +- ver:'OWASP_CRS/2.2.6', \ + rev:'1', \ +- maturity:'8', \ +- accuracy:'8', \ + phase:2, \ + block, \ + t:none, \ +@@ -233,10 +215,7 @@ + "msg:'Content-Length HTTP header is not numeric.',\ + severity:'2',\ + id:'960016',\ +- ver:'OWASP_CRS/2.2.6',\ + rev:'1',\ +- maturity:'9',\ +- accuracy:'9',\ + phase:1,\ + block,\ + logdata:'%{matched_var}',\ +@@ -267,10 +246,7 @@ + "msg:'GET or HEAD Request with Body Content.',\ + severity:'2',\ + id:'960011',\ +- ver:'OWASP_CRS/2.2.6',\ + rev:'1',\ +- maturity:'9',\ +- accuracy:'9',\ + phase:1,\ + block,\ + logdata:'%{matched_var}',\ +@@ -299,10 +275,7 @@ + "msg:'POST request missing Content-Length Header.',\ + severity:'4',\ + id:'960012',\ +- ver:'OWASP_CRS/2.2.6',\ + rev:'1',\ +- maturity:'9',\ +- accuracy:'9',\ + phase:1,\ + block,\ + logdata:'%{matched_var}',\ +@@ -334,10 +307,7 @@ + "msg:'Invalid Use of Identity Encoding.',\ + severity:'4',\ + id:'960902',\ +- ver:'OWASP_CRS/2.2.6',\ + rev:'2',\ +- maturity:'9',\ +- accuracy:'9',\ + phase:1,\ + block,\ + logdata:'%{matched_var}',\ +@@ -365,10 +335,7 @@ + "msg:'Expect Header Not Allowed for HTTP 1.0.',\ + severity:'5',\ + id:'960022',\ +- ver:'OWASP_CRS/2.2.6',\ + rev:'2',\ +- maturity:'7',\ +- accuracy:'9',\ + phase:1,\ + block,\ + logdata:'%{matched_var}',\ +@@ -396,7 +363,7 @@ + # -=[ References ]=- + # http://www.bad-behavior.ioerror.us/documentation/how-it-works/ + # +-SecRule &REQUEST_HEADERS:Pragma "@eq 1" "chain,phase:2,rev:'1',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:'5',id:'960020',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ'" ++SecRule &REQUEST_HEADERS:Pragma "@eq 1" "chain,phase:2,rev:'1',t:none,block,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:'5',id:'960020',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ'" + SecRule &REQUEST_HEADERS:Cache-Control "@eq 0" "chain" + SecRule REQUEST_PROTOCOL "@streq HTTP/1.1" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" + +@@ -424,12 +391,12 @@ + # + # 3. Identifies an excessive number of byte range fields within one request + # +-SecRule REQUEST_HEADERS:Range "@beginsWith bytes=0-" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'Range: field exists and begins with 0.',logdata:'%{matched_var}',severity:'4',id:'958291',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" ++SecRule REQUEST_HEADERS:Range "@beginsWith bytes=0-" "phase:2,rev:'2',t:none,block,msg:'Range: field exists and begins with 0.',logdata:'%{matched_var}',severity:'4',id:'958291',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" + +-SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "(\d+)\-(\d+)\," "chain,capture,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'Range: Invalid Last Byte Value.',logdata:'%{matched_var}',severity:'4',id:'958230',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" ++SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "(\d+)\-(\d+)\," "chain,capture,phase:2,rev:'2',t:none,block,msg:'Range: Invalid Last Byte Value.',logdata:'%{matched_var}',severity:'4',id:'958230',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" + SecRule TX:2 "!@ge %{tx.1}" + +-SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "^bytes=(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\," "phase:2,capture,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'Range: Too many fields',logdata:'%{matched_var}',severity:'4',id:'958231',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" ++SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "^bytes=(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\,\s?(\d+)?\-(\d+)?\," "phase:2,capture,rev:'2',t:none,block,msg:'Range: Too many fields',logdata:'%{matched_var}',severity:'4',id:'958231',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" + + + # +@@ -443,7 +410,7 @@ + # -=[ References ]=- + # http://www.bad-behavior.ioerror.us/documentation/how-it-works/ + # +-SecRule REQUEST_HEADERS:Connection "\b(keep-alive|close),\s?(keep-alive|close)\b" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'Multiple/Conflicting Connection Header Data Found.',logdata:'%{matched_var}',id:'958295',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" ++SecRule REQUEST_HEADERS:Connection "\b(keep-alive|close),\s?(keep-alive|close)\b" "phase:2,rev:'2',t:none,block,msg:'Multiple/Conflicting Connection Header Data Found.',logdata:'%{matched_var}',id:'958295',tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}" + + # + # Check URL encodings +@@ -457,14 +424,14 @@ + # http://www.ietf.org/rfc/rfc1738.txt + # + SecRule REQUEST_URI "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \ +- "chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'URL Encoding Abuse Attack Attempt',id:'950107',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'4'" ++ "chain,phase:2,rev:'2',t:none,block,msg:'URL Encoding Abuse Attack Attempt',id:'950107',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'4'" + SecRule REQUEST_URI "@validateUrlEncoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" + + SecRule ARGS "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \ +- "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'Multiple URL Encoding Detected',id:'950109',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" ++ "phase:2,rev:'2',t:none,block,msg:'Multiple URL Encoding Detected',id:'950109',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" + + SecRule REQUEST_HEADERS:Content-Type "^(application\/x-www-form-urlencoded|text\/xml)(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" \ +- "chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'URL Encoding Abuse Attack Attempt',id:'950108',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'4'" ++ "chain,phase:2,rev:'2',t:none,block,msg:'URL Encoding Abuse Attack Attempt',id:'950108',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'4'" + SecRule REQUEST_BODY|XML:/* "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain" + SecRule REQUEST_BODY|XML:/* "@validateUrlEncoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" + +@@ -478,7 +445,7 @@ + # This chained rule first checks to see if the admin has set the TX:CRS_VALIDATE_UTF8_ENCODING + # variable in the modsecurity_crs_10_config.conf file. + # +-SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" "chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'4'" ++SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" "chain,phase:2,rev:'2',t:none,block,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'4'" + SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" + + +@@ -493,7 +460,7 @@ + # http://www.kb.cert.org/vuls/id/739224 + # + SecRule REQUEST_URI|REQUEST_BODY "\%u[fF]{2}[0-9a-fA-F]{2}" \ +- "t:none,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',block,msg:'Unicode Full/Half Width Abuse Attack Attempt',id:'950116',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" ++ "t:none,phase:2,rev:'2',block,msg:'Unicode Full/Half Width Abuse Attack Attempt',id:'950116',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" + + # + # Proxy access attempt +@@ -509,7 +476,7 @@ + # If it is, then this data is compared against the Cononical SERVER_NAME. If it does + # not match, then the client is making a request for an off-site location. + # +-#SecRule REQUEST_URI_RAW "^\w+:/" "chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'6',accuracy:'8',t:none,block,msg:'Proxy access attempt',severity:'3',id:'960014',tag:'OWASP_CRS/PROTOCOL_VIOLATION/PROXY_ACCESS'" ++#SecRule REQUEST_URI_RAW "^\w+:/" "chain,phase:2,rev:'2',t:none,block,msg:'Proxy access attempt',severity:'3',id:'960014',tag:'OWASP_CRS/PROTOCOL_VIOLATION/PROXY_ACCESS'" + #SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/PROXY_ACCESS-%{matched_var_name}=%{matched_var}" + + +@@ -530,9 +497,9 @@ + # + + SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateByteRange 1-255" \ +- "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',block,msg:'Invalid character in request',id:'960901',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'3',t:none,t:urlDecodeUni,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" ++ "phase:2,rev:'2',block,msg:'Invalid character in request',id:'960901',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'3',t:none,t:urlDecodeUni,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" + +-SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'8',accuracy:'7',block,msg:'Invalid character in request',id:'960018',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'3',t:none,t:urlDecodeUni" ++SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2',block,msg:'Invalid character in request',id:'960018',tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',severity:'3',t:none,t:urlDecodeUni" + SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA \ + "@validateByteRange 32-126" \ + "t:urlDecodeUni,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}" +diff -ru SpiderLabs-owasp-modsecurity-crs-3f85c76.orig/base_rules/modsecurity_crs_21_protocol_anomalies.conf SpiderLabs-owasp-modsecurity-crs-3f85c76/base_rules/modsecurity_crs_21_protocol_anomalies.conf +--- SpiderLabs-owasp-modsecurity-crs-3f85c76.orig/base_rules/modsecurity_crs_21_protocol_anomalies.conf 2012-10-01 20:39:50.589035472 +0100 ++++ SpiderLabs-owasp-modsecurity-crs-3f85c76/base_rules/modsecurity_crs_21_protocol_anomalies.conf 2012-10-01 20:40:55.535035131 +0100 +@@ -26,9 +26,9 @@ + SecMarker BEGIN_HOST_CHECK + + SecRule &REQUEST_HEADERS:Host "@eq 0" \ +- "skipAfter:END_HOST_CHECK,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}" ++ "skipAfter:END_HOST_CHECK,phase:2,rev:'2',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}" + SecRule REQUEST_HEADERS:Host "^$" \ +- "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,block,msg:'Empty Host Header',id:'960007',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}" ++ "phase:2,rev:'2',t:none,block,msg:'Empty Host Header',id:'960007',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}" + + SecMarker END_HOST_CHECK + +@@ -44,10 +44,10 @@ + SecMarker BEGIN_ACCEPT_CHECK + + SecRule REQUEST_METHOD "!^OPTIONS$" \ +- "skipAfter:END_ACCEPT_CHECK,chain,phase:2,rev:'1',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,block,msg:'Request Missing an Accept Header',severity:'5',id:'960015',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10'" ++ "skipAfter:END_ACCEPT_CHECK,chain,phase:2,rev:'1',t:none,block,msg:'Request Missing an Accept Header',severity:'5',id:'960015',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10'" + SecRule &REQUEST_HEADERS:Accept "@eq 0" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}" + SecRule REQUEST_METHOD "!^OPTIONS$" \ +- "chain,phase:2,rev:'1',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,block,msg:'Request Has an Empty Accept Header',severity:'5',id:'960021',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT'" ++ "chain,phase:2,rev:'1',t:none,block,msg:'Request Has an Empty Accept Header',severity:'5',id:'960021',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT'" + SecRule REQUEST_HEADERS:Accept "^$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}" + + SecMarker END_ACCEPT_CHECK +@@ -63,9 +63,9 @@ + SecMarker BEGIN_UA_CHECK + + SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \ +- "skipAfter:END_UA_CHECK,phase:2,rev:'1',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,block,msg:'Request Missing a User Agent Header',id:'960009',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}" ++ "skipAfter:END_UA_CHECK,phase:2,rev:'1',t:none,block,msg:'Request Missing a User Agent Header',id:'960009',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}" + SecRule REQUEST_HEADERS:User-Agent "^$" \ +- "phase:2,t:none,block,msg:'Empty User Agent Header',id:'960006',rev:'1',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}" ++ "phase:2,t:none,block,msg:'Empty User Agent Header',id:'960006',rev:'1',tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}" + + SecMarker END_UA_CHECK + +@@ -81,7 +81,7 @@ + # + + SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \ +- "chain,phase:1,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,block,msg:'Request Containing Content, but Missing Content-Type header',id:'960904',severity:'5'" ++ "chain,phase:1,rev:'2',t:none,block,msg:'Request Containing Content, but Missing Content-Type header',id:'960904',severity:'5'" + SecRule REQUEST_HEADERS:Content-Length "!^0$" "t:none,ctl:forceRequestBodyVariable=On,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}" + + # Check that the host header is not an IP address +@@ -95,7 +95,7 @@ + # http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx + # + +-SecRule REQUEST_HEADERS:Host "^[\d.:]+$" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,block,msg:'Host header is a numeric IP address',logdata:'%{matched_var}',severity:'4',id:'960017',tag:'OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',tag:'http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/IP_HOST-%{matched_var_name}=%{matched_var}" ++SecRule REQUEST_HEADERS:Host "^[\d.:]+$" "phase:2,rev:'2',t:none,block,msg:'Host header is a numeric IP address',logdata:'%{matched_var}',severity:'4',id:'960017',tag:'OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',tag:'http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/IP_HOST-%{matched_var_name}=%{matched_var}" + + # Log a security event when the request is rejected by apache + # +diff -ru SpiderLabs-owasp-modsecurity-crs-3f85c76.orig/base_rules/modsecurity_crs_23_request_limits.conf SpiderLabs-owasp-modsecurity-crs-3f85c76/base_rules/modsecurity_crs_23_request_limits.conf +--- SpiderLabs-owasp-modsecurity-crs-3f85c76.orig/base_rules/modsecurity_crs_23_request_limits.conf 2012-10-01 20:39:50.588035418 +0100 ++++ SpiderLabs-owasp-modsecurity-crs-3f85c76/base_rules/modsecurity_crs_23_request_limits.conf 2012-10-01 20:40:55.535035131 +0100 +@@ -20,30 +20,30 @@ + ## -- Arguments limits -- + + # Limit argument name length +-SecRule &TX:ARG_NAME_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Argument name too long',id:'960209',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'" ++SecRule &TX:ARG_NAME_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Argument name too long',id:'960209',severity:'4',rev:'2',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'" + SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}" + + # Limit value name length +-SecRule &TX:ARG_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Argument value too long',id:'960208',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'" ++SecRule &TX:ARG_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Argument value too long',id:'960208',severity:'4',rev:'2',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'" + SecRule ARGS "@gt %{tx.arg_length}" "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}" + + # Maximum number of arguments in request limited +-SecRule &TX:MAX_NUM_ARGS "@eq 1" "chain,phase:2,t:none,block,msg:'Too many arguments in request',id:'960335',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'" ++SecRule &TX:MAX_NUM_ARGS "@eq 1" "chain,phase:2,t:none,block,msg:'Too many arguments in request',id:'960335',severity:'4',rev:'2',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'" + SecRule &ARGS "@gt %{tx.max_num_args}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}" + + # Limit arguments total length +-SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Total arguments size exceeded',id:'960341',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'" ++SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Total arguments size exceeded',id:'960341',severity:'4',rev:'2',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'" + SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}" + + + ## -- File upload limits -- + + # Individual file size is limited +-SecRule &TX:MAX_FILE_SIZE "@eq 1" "chain,phase:1,t:none,block,msg:'Uploaded file size too large',id:'960342',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'" ++SecRule &TX:MAX_FILE_SIZE "@eq 1" "chain,phase:1,t:none,block,msg:'Uploaded file size too large',id:'960342',severity:'4',rev:'2',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'" + SecRule REQUEST_HEADERS:Content-Type "@beginsWith multipart/form-data" "chain" + SecRule REQUEST_HEADERS:Content-Length "@gt %{tx.max_file_size}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}" + + # Combined file size is limited +-SecRule &TX:COMBINED_FILE_SIZES "@eq 1" "chain,phase:2,t:none,block,msg:'Total uploaded files size too large',id:'960343',severity:'4',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'" ++SecRule &TX:COMBINED_FILE_SIZES "@eq 1" "chain,phase:2,t:none,block,msg:'Total uploaded files size too large',id:'960343',severity:'4',rev:'2',tag:'OWASP_CRS/POLICY/SIZE_LIMIT'" + SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}" + +diff -ru SpiderLabs-owasp-modsecurity-crs-3f85c76.orig/base_rules/modsecurity_crs_30_http_policy.conf SpiderLabs-owasp-modsecurity-crs-3f85c76/base_rules/modsecurity_crs_30_http_policy.conf +--- SpiderLabs-owasp-modsecurity-crs-3f85c76.orig/base_rules/modsecurity_crs_30_http_policy.conf 2012-10-01 20:39:50.588035418 +0100 ++++ SpiderLabs-owasp-modsecurity-crs-3f85c76/base_rules/modsecurity_crs_30_http_policy.conf 2012-10-01 20:40:55.536035151 +0100 +@@ -28,7 +28,7 @@ + # methods. If that is not the case with your environment, you are advised + # to edit the line or uncomment it. + # +-SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" "phase:1,t:none,block,msg:'Method is not allowed by policy',logdata:'%{matched_var}',severity:'2',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',id:'960032',tag:'OWASP_CRS/POLICY/METHOD_NOT_ALLOWED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'OWASP_AppSensor/RE1',tag:'PCI/12.1',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" ++SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" "phase:1,t:none,block,msg:'Method is not allowed by policy',logdata:'%{matched_var}',severity:'2',rev:'2',id:'960032',tag:'OWASP_CRS/POLICY/METHOD_NOT_ALLOWED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'OWASP_AppSensor/RE1',tag:'PCI/12.1',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" + + + # Restrict which content-types we accept. +@@ -61,7 +61,7 @@ + # M-Business iAnywhere application/x-mal-client-data + # UltraLite iAnywhere application/octet-stream + # +-SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:1,chain,t:none,block,msg:'Request content type is not allowed by policy',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',id:'960010',tag:'OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/12.1',severity:'2',logdata:'%{matched_var}'" ++SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:1,chain,t:none,block,msg:'Request content type is not allowed by policy',rev:'2',id:'960010',tag:'OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/12.1',severity:'2',logdata:'%{matched_var}'" + SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "chain,capture" + SecRule TX:0 "!^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/CONTENT_TYPE_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" + +@@ -75,7 +75,7 @@ + # to use your site, try to create a narrower expection and not allow any + # client to send HTTP requests in a version lower than 1.1 + # +-SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" "phase:2,t:none,block,msg:'HTTP protocol version is not allowed by policy',severity:'2',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',id:'960034',tag:'OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.10',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" ++SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" "phase:2,t:none,block,msg:'HTTP protocol version is not allowed by policy',severity:'2',rev:'2',id:'960034',tag:'OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.10',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" + + # Restrict file extension + # +@@ -85,7 +85,7 @@ + # You may need to use ModSecurity Core Rule Set Templates to do so, otherwise + # comment the whole rule. + # +-SecRule REQUEST_BASENAME "\.(.*)$" "chain,capture,setvar:tx.extension=.%{tx.1}/,phase:2,t:none,t:urlDecodeUni,t:lowercase,block,msg:'URL file extension is restricted by policy',severity:'2',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',id:'960035',tag:'OWASP_CRS/POLICY/EXT_RESTRICTED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',logdata:'%{TX.0}'" ++SecRule REQUEST_BASENAME "\.(.*)$" "chain,capture,setvar:tx.extension=.%{tx.1}/,phase:2,t:none,t:urlDecodeUni,t:lowercase,block,msg:'URL file extension is restricted by policy',severity:'2',rev:'2',id:'960035',tag:'OWASP_CRS/POLICY/EXT_RESTRICTED',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',logdata:'%{TX.0}'" + SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/EXT_RESTRICTED-%{matched_var_name}=%{matched_var}" + + +@@ -97,6 +97,6 @@ + # the list of blocked extensions. You may need to use ModSecurity Core Rule + # Set Templates to do so, otherwise comment the whole rule. + # +-SecRule REQUEST_HEADERS_NAMES "^(.*)$" "chain,phase:2,t:none,block,msg:'HTTP header is restricted by policy',rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',id:'960038',tag:'OWASP_CRS/POLICY/HEADER_RESTRICTED',tag:'OWASP_CRS/POLICY/FILES_NOT_ALLOWED',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',severity:'4',logdata:'%{matched_var}',capture,setvar:'tx.header_name=/%{tx.0}/'" ++SecRule REQUEST_HEADERS_NAMES "^(.*)$" "chain,phase:2,t:none,block,msg:'HTTP header is restricted by policy',rev:'2',id:'960038',tag:'OWASP_CRS/POLICY/HEADER_RESTRICTED',tag:'OWASP_CRS/POLICY/FILES_NOT_ALLOWED',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',severity:'4',logdata:'%{matched_var}',capture,setvar:'tx.header_name=/%{tx.0}/'" + SecRule TX:HEADER_NAME "@within %{tx.restricted_headers}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}" + +diff -ru SpiderLabs-owasp-modsecurity-crs-3f85c76.orig/base_rules/modsecurity_crs_35_bad_robots.conf SpiderLabs-owasp-modsecurity-crs-3f85c76/base_rules/modsecurity_crs_35_bad_robots.conf +--- SpiderLabs-owasp-modsecurity-crs-3f85c76.orig/base_rules/modsecurity_crs_35_bad_robots.conf 2012-10-01 20:39:50.589035472 +0100 ++++ SpiderLabs-owasp-modsecurity-crs-3f85c76/base_rules/modsecurity_crs_35_bad_robots.conf 2012-10-01 20:40:55.536035151 +0100 +@@ -17,14 +17,14 @@ + # site. + + SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_scanners.data" \ +- "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',logdata:'%{matched_var}',id:'990002',tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}" ++ "phase:2,rev:'2',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',logdata:'%{matched_var}',id:'990002',tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}" + SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \ +- "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',logdata:'%{matched_var}',id:'990901',tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}" ++ "phase:2,rev:'2',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',logdata:'%{matched_var}',id:'990901',tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}" + SecRule REQUEST_FILENAME "^/nessustest" \ +- "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',logdata:'%{matched_var}',id:'990902',tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}" ++ "phase:2,rev:'2',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',logdata:'%{matched_var}',id:'990902',tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}" + + SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_bad_robots.data" \ +- "chain,phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',t:none,block,msg:'Rogue web site crawler',id:'990012',tag:'OWASP_CRS/AUTOMATION/MALICIOUS',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',capture,logdata:'%{TX.0}'" ++ "chain,phase:2,rev:'2',t:none,block,msg:'Rogue web site crawler',id:'990012',tag:'OWASP_CRS/AUTOMATION/MALICIOUS',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',capture,logdata:'%{TX.0}'" + SecRule REQUEST_HEADERS:User-Agent "(?i:(?:c(?:o(?:n(?:t(?:entsmartz|actbot/)|cealed defense|veracrawler)|mpatible(?: ;(?: msie|\.)|-)|py(?:rightcheck|guard)|re-project/1.0)|h(?:ina(?: local browse 2\.|claw)|e(?:rrypicker|esebot))|rescent internet toolpak)|w(?:e(?:b(?: (?:downloader|by mail)|(?:(?:altb|ro)o|bandi)t|emailextract?|vulnscan|mole)|lls search ii|p Search 00)|i(?:ndows(?:-update-agent| xp 5)|se(?:nut)?bot)|ordpress(?: hash grabber|\/4\.01)|3mir)|m(?:o(?:r(?:feus fucking scanner|zilla)|zilla\/3\.mozilla\/2\.01$|siac 1.)|i(?:crosoft (?:internet explorer\/5\.0$|url control)|ssigua)|ailto:craftbot\@yahoo\.com|urzillo compatible)|p(?:ro(?:gram shareware 1\.0\.|duction bot|webwalker)|a(?:nscient\.com|ckrat)|oe-component-client|s(?:ycheclone|urf)|leasecrawl\/1\.|cbrowser|e 1\.4|mafind)|e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|(siphon|spider)|siphon|wolf)|(?:collecto|irgrabbe)r|ducate search vxb|xtractorpro|o browse)|t(?:(?: ?h ?a ?t ?' ?s g ?o ?t ?t ?a ? h ?u ?r ?|his is an exploi|akeou)t|oata dragostea mea pentru diavola|ele(?:port pro|soft)|uring machine)|a(?:t(?:(?:omic_email_hunt|spid)er|tache|hens)|d(?:vanced email extractor|sarobot)|gdm79\@mail\.ru|miga-aweb\/3\.4|utoemailspider| href=)|^(?:(google|i?explorer?\.exe|(ms)?ie( [0-9.]+)?\ ?(compatible( browser)?)?)$|www\.weblogs\.com|(?:jakart|vi)a|microsoft url|user-Agent)|s(?:e(?:archbot admin@google.com|curity scan)|(?:tress tes|urveybo)t|\.t\.a\.l\.k\.e\.r\.|afexplorer tl|itesnagger|hai)|n(?:o(?:kia-waptoolkit.* googlebot.*googlebot| browser)|e(?:(?:wt activeX; win3|uralbot\/0\.)2|ssus)|ameofagent|ikto)|f(?:a(?:(?:ntombrows|stlwspid)er|xobot)|(?:ranklin locato|iddle)r|ull web bot|loodgate|oobar/)|i(?:n(?:ternet(?: (?:exploiter sux|ninja)|-exprorer)|dy library)|sc systems irc search 2\.1)|g(?:ameBoy, powered by nintendo|rub(?: crawler|-client)|ecko\/25)|(myie2|libwen-us|murzillo compatible|webaltbot|wisenutbot)|b(?:wh3_user_agent|utch__2\.1\.1|lack hole|ackdoor)|d(?:ig(?:imarc webreader|out4uagent)|ts agent)|(?:(script|sql) inject|$botname/$botvers)ion|(msie .+; .*windows xp|compatible \; msie)|h(?:l_ftien_spider|hjhj@yahoo|anzoweb)|(?:8484 boston projec|xmlrpc exploi)t|u(?:nder the rainbow 2\.|ser-agent:)|(sogou develop spider|sohu agent)|(?:(?:d|e)browse|demo bot)|zeus(?: .*webster pro)?|[a-z]surf[0-9][0-9]|v(?:adixbot|oideye)|larbin@unspecified|\bdatacha0s\b|kenjin spider|; widows|rsync|\\\r))" "capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}" + SecMarker END_ROBOT_CHECK + +diff -ru SpiderLabs-owasp-modsecurity-crs-3f85c76.orig/base_rules/modsecurity_crs_40_generic_attacks.conf SpiderLabs-owasp-modsecurity-crs-3f85c76/base_rules/modsecurity_crs_40_generic_attacks.conf +--- SpiderLabs-owasp-modsecurity-crs-3f85c76.orig/base_rules/modsecurity_crs_40_generic_attacks.conf 2012-10-01 20:39:50.589035472 +0100 ++++ SpiderLabs-owasp-modsecurity-crs-3f85c76/base_rules/modsecurity_crs_40_generic_attacks.conf 2012-10-01 20:40:55.537035160 +0100 +@@ -22,7 +22,7 @@ + # http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project + # + SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \ +- "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'8',capture,t:none,t:normalisePath,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'950907',tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_COMMAND_INJECTION1" ++ "phase:2,rev:'2',capture,t:none,t:normalisePath,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'950907',tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_COMMAND_INJECTION1" + + SecMarker END_COMMAND_INJECTION1 + +@@ -36,7 +36,7 @@ + # http://www.adobe.com/devnet/security/security_zone/asb99-10.html + # + SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug|execute)\b" \ +- "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'Injection of Undocumented ColdFusion Tags',id:'950008',tag:'OWASP_CRS/WEB_ATTACK/CF_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_CF_INJECTION" ++ "phase:2,rev:'2',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'Injection of Undocumented ColdFusion Tags',id:'950008',tag:'OWASP_CRS/WEB_ATTACK/CF_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_CF_INJECTION" + + SecMarker END_CF_INJECTION + +@@ -50,7 +50,7 @@ + # http://technet.microsoft.com/en-us/library/aa996205%28EXCHG.65%29.aspx + # + SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \ +- "phase:2,rev:'2',ver:'OWASP_CRS/2.2.6',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'LDAP Injection Attack',id:'950010',tag:'OWASP_CRS/WEB_ATTACK/LDAP_INJECTION',tag:'WASCTC/WASC-29',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_LDAP_INJECTION" ++ "phase:2,rev:'2',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'LDAP Injection Attack',id:'950010',tag:'OWASP_CRS/WEB_ATTACK/LDAP_INJECTION',tag:'WASCTC/WASC-29',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_LDAP_INJECTION" + + SecMarker END_LDAP_INJECTION + +@@ -64,7 +64,7 @@ + # http://projects.webappsec.org/SSI-Injection + # + SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "