# http://www.gotroot.com/mod_security+rules
# Gotroot.com ModSecurity rules
# Application Security Rules
#
# modsecurity is trademark of Thinking Stone, Ltd.
#
# Version: N-20061013-02
#
# Download from: http://www.gotroot.com/downloads/ftp/mod_security/rules.conf
#
# Created by Michael Shinn of the Prometheus Group (http://www.prometheus-group.com)
# Copyright 2005 and 2006 by Michael Shinn and the Prometheus Group, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS 
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 
# THE POSSIBILITY OF SUCH DAMAGE.

#--------------------------------
# notes
#--------------------------------
# Rules work with modsecurity 1.9.x and above only

#--------------------------------
#start rules
#--------------------------------
#Enforce proper HTTP requests
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "id:340000,rev:1,severity:1,msg:'Bad HTTP Protocol'"

# Only accept request encodings we know how to handle
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST|PUT|PROPFIND|OPTIONS)$" "chain,id:340001,rev:1,severity:2,msg:'Restricted HTTP function'"
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)" 

#Block WebDav PUTS
#Comment this rule out if you need WebDAV
SecFilterSelective REQUEST_METHOD "^PUT$" "id:340002,rev:1,severity:2,msg:'Restricted HTTP function'"

#Generic rule for allowed characters, adjust for your site before activating
#SecFilterSelective REQUEST_URI "!^[-a-zA-z0-9\.\+_/\-\?\=]+$" "chain,id:390002,rev:1,severity:2,msg:'Restricted HTTP character set'"


# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" "chain,id:340003,rev:1,severity:2,msg:'Content Length not provided with POST'"
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$" "id:340004,rev:1,severity:2,msg:'Dis-allowed Transfer Encoding'"

#HTTP response spilting generic sigs
SecFilter "Content-Length\:.*Content-Type\:.*Content-Type\:" "id:340005,rev:1,severity:2,msg:'HTTP response splitting'"

#HTTP response spilting generic sigs
SecFilter "Content-Length\:" "chain,id:340006,rev:1,severity:2,msg:'HTTP response splitting'"
SecFilter "Content-Type\:" chain
SecFilter "Content-Type\:"

#deny TRACE method
SecFilterSelective REQUEST_METHOD "TRACE" "id:340007,rev:1,severity:2,msg:'TRACE method denied'"

#XSS insertion into Content-Type
SecFilterSelective THE_REQUEST "Content-Type\:.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)" "id:300002,rev:1,severity:2,msg:'XSS attack in Content-type header'"


#Don't accept chunked encodings
#modsecurity can not look at these, so this is a hole
#that can bypass your rules, the rule before this one
#should cover this, but hey paranoia is cheap
SecFilterSelective HTTP_Transfer-Encoding "chunked" "id:300003,rev:1,severity:2,msg:'Chunked Transfer Encoding denied'"

#Code injection via content length
SecFilterSelective HTTP_Content-Length "\;(system|passthru|exec)\(" "id:330003,rev:1,severity:2,msg:'Code Injection in Content-Length header'"

#broad cross site scripting rule
#False alarms are a problem with this, use with caution
#SecFilterSelective THE_REQUEST "<(.|\n)+>"

##generic recursion signatures
SecFilterSelective REQUEST_URI "!(alt_mod_frameset\.php)" "chain,id:300004,rev:2,severity:2,msg:'Generic Path Recursion denied'"
SecFilterSelective REQUEST_URI "\.\./\.\./"
#generic path recurision sig


#generic recursion signatures
SecFilterSelective THE_REQUEST "\.\|\./\.\|\./\.\|" "id:300005,rev:1,severity:2,msg:'Generic Path Recursion denied'"

#generic bogus path sigs
SecFilterSelective THE_REQUEST "\.\.\./" "id:300006,rev:1,severity:2,msg:'Bogus Path denied'"
SecFilterSelective POST_PAYLOAD "[[:space:]]+\.\.\.+\;" "id:300007,rev:1,severity:2,msg:'Bogus Path denied'"

#Generic PHP exploit signatures
SecFilterSelective THE_REQUEST "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

#Generic PHP exploit signatures
SecFilterSelective POST_PAYLOAD|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330002,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

#slightly tighter rules with narrower focus
SecFilterSelective REQUEST_URI|POST_PAYLOAD "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300008,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'"

#generic XSS PHP attack types
SecFilterSelective REQUEST_URI "\.php\?" "chain,id:300010,rev:1,severity:2,msg:'Generic PHP XSS exploit pattern denied'"
SecFilter "(javascript\:/(.*new\x20ActiveXObject.*Sh\.regwrite|.*window\.opener\.document\.body.\innerHTML=window\.opener\.document\.body\.innerHTML\.replace)|onmouseover=\'javascript)"


#Prevent SQL injection in cookies
SecFilterSelective COOKIE_VALUES "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300011,rev:1,severity:2,msg:'Generic SQL injection in cookie'"

#Prevent command injection through cookies
SecFilterSelective COOKIE_VALUES "\; cmd="

#Prevent SQL injection in UA
SecFilterSelective HTTP_USER_AGENT "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300012,rev:1,severity:2,msg:'Generic SQL injection in User Agent header'"

#simple buffer overflow protection
#there is an issue with positives with this, so use with care
#SecFilterSelective THE_REQUEST "!^[\x0a\x0d\x20-\x7f]+$" "id:300013,rev:1,severity:2,msg:'Generic Simple Buffer Overflow protection'"

# Generic filter to prevent SQL injection attacks
# Understand that all SQL filters are very limited and are very difficult 
# to prevent false postives and negatives.  
# Pplease report false positives/negatives to mike@gotroot.com
SecFilterSelective REQUEST_URI "!((/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/horde3?/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(Downloads|Submit_News)|/admin\.php\?module=NS\-AddStory\&op=|/index\.php\?name=PNphpBB2&file=posting&mode=reply.*|/phpMyAdmin/|/PNphpBB2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/_mmServerScripts/|/node/[0-9]+/edit|/_vti_bin/.*\.exe/)" "chain,id:300013,rev:1,severity:2,msg:'Generic SQL injection protection'"
SecFilter "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)"

#Generic SQL sigs
SecFilterSelective ARGS "(or.+1[[:space:]]*=[[:space:]]1|(or 1=1|'.+)--')" "id:300014,rev:1,severity:2,msg:'Generic SQL injection protection'"

#Generic SQL sigs
SecFilterSelective ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" "id:300015,rev:1,severity:2,msg:'Generic SQL injection protection'"

#Generic SQL sigs
SecFilterSelective REQUEST_URI "!(/node/[0-9]+/edit|/forum/posting\.php|/admins/wnedit\.php|/alt_doc\.php\?returnUrl=.*edit|/admin/categories\.php\?cPath=.*|modules\.php\?name=Forums&file=posting&mode=.*)" "chain,id:300016,rev:2,severity:2,msg:'Generic SQL injection protection'"
SecFilterSelective ARGS "(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)" 

#Meta character SQL injection
SecFilterSelective REQUEST_URI "\'.*(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+from|bulk[[:space:]]+insert|union.+select|convert.+\(.*from)|and.*char\(.*\)"  "id:380015,rev:1,severity:2,msg:'Generic SQL metacharacter URI injection protection'"

#Generic command line attack filter
SecFilterSelective REQUEST_URI "!(/Count\.cgi)" "chain,id:300017,rev:1,severity:2,msg:'Generic command line attack filter'"
SecFilterSelective THE_REQUEST "\|+.*[\x20].*[\x20].*\|"

#Generic PHP bad functions protection
#PHP copy() function: http://securitytracker.com/alerts/2006/Apr/1015882.html
SecFilterSelective ARGS_VALUES compress\.zlib:

#Generic XSS filter
#please report false positives
SecFilterSelective REQUEST_URI "!/mt\.cgi" chain
SecFilter "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#XSS in referrer and UA headers
SecFilterSelective HTTP_REFERER|HTTP_USER_AGENT "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

#PHP Injection Attack generic signature
SecFilterSelective REQUEST_URI  "\.php" chain
SecFilter "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|cat|pagina|path|include_location|root|page|gorumDir|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))"

#PHP Injection Attack generic signature
SecFilterSelective REQUEST_URI  "\.php\?(((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|pagina|path|pathtoroot|cat|include_location|gorumDir|root|page|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|.*(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z]))"

#Generic PHP remote file inclusion attack signature
SecFilterSelective REQUEST_URI "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter "(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#Generic PHP remote file inclusion attack signature with command
SecFilterSelective REQUEST_URI "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter "(cmd|command)=.*(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#really broad furl_fopen attack sig
#tune this for your system
SecFilterSelective REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300018,rev:3,severity:2,msg:'Generic PHP code injection protection via ARGS'"
SecFilterSelective REQUEST_URI "\.php(3|4|5)?(\?|&)" chain
SecFilterSelective ARGS "(ht|f)tps?:/"  chain
SecFilterSelective HTTP_Referer "!/imp/login\.php"
SecFilterSelective REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300040,rev:1,severity:2,msg:'Generic PHP code injection protection in URI'"
SecFilterSelective REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/"  chain
SecFilterSelective HTTP_Referer "!/imp/login\.php"


#Genenric PHP body attack
SecFilterSelective THE_REQUEST "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecFilterSelective POST_PAYLOAD "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"

#Generic PHP remote file injection
SecFilterSelective REQUEST_URI "!(/do_command)" chain
SecFilterSelective REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)="

#script, perl, etc. code in HTTP_Referer string
SecFilterSelective HTTP_Referer "\#\!.*/"

#generic command line attack
SecFilterSelective REQUEST_URI|ARGS "\|*id\;echo*\|"

#remote file inclusion generic attack signature
SecFilterSelective THE_REQUEST  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain
SecFilter "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"

#remote file inclusion generic attack signature
SecFilterSelective THE_REQUEST  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|command|inc|name)="

#remote file inclusion generic attack signature
SecFilterSelective ARGS  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain
SecFilter "\?\&(cmd|inc|name)="

#remote file inclusion generic attack signature
SecFilterSelective ARGS  "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|name)="

#remote file inclusion generic attack signature
SecFilterSelective REQUEST_URI  "\.php\?.*=(http|https|ftp)\:/.*\?&cmd="

#Bogus file extensions generic signature
SecFilterSelective THE_REQUEST  "[A-Za-z0-9]\.(gif|jpg|png|bmp)\.txt"

#PHP remote path attach generic signature
SecFilterSelective REQUEST_URI  "\.ph(p(3|4)?).*path=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI  "\.php.*path=(http|https|ftp)\:/"

#generic attack sig
SecFilterSelective THE_REQUEST "cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"

# WEB-ATTACKS uname -a command attempt
SecFilterSelective THE_REQUEST "uname" chain
SecFilter "\x20-a" 

#Generic argument protection rule against bad meta characters
#SecFilterSelective "ARGS" "!^[A-Za-z0-9.&/?@_%=:;, -]*$"

#generic php attack sigs
SecFilterSelective REQUEST_URI "(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command)=|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(cmd|command)=|\.php\?&(cmd|command)=)"

# WEB-ATTACKS xterm command attempt
SecFilterSelective THE_REQUEST "/usr/X11R6/bin/xterm"

# WEB-ATTACKS /etc/shadow access
SecFilterSelective THE_REQUEST "/etc/shadow"

# WEB-ATTACKS /bin/ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"

# WEB-ATTACKS /usr/bin/id command attempt
SecFilterSelective THE_REQUEST  "/usr/bin/id" chain
SecFilter "\x20" 

# WEB-ATTACKS echo command attempt
SecFilterSelective THE_REQUEST  "/bin/echo" chain
SecFilter "\x20" 

# WEB-ATTACKS kill command attempt
SecFilterSelective THE_REQUEST  "/bin/kill" chain
SecFilter "\x20" 

# WEB-ATTACKS chmod command attempt
SecFilterSelective THE_REQUEST  "/bin/chmod" chain
SecFilter "\x20" 

# WEB-ATTACKS chsh command attempt
SecFilterSelective THE_REQUEST   "/usr/bin/chsh"

# WEB-ATTACKS gcc command attempt
SecFilterSelective THE_REQUEST  "gcc" chain
SecFilter "x20-o" 

# WEB-ATTACKS /usr/bin/cc command attempt
SecFilterSelective THE_REQUEST  "/usr/bin/cc" chain
SecFilter "\x20" 

# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilterSelective THE_REQUEST  "/usr/bin/cpp" chain
SecFilter "\x20" 

# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilterSelective THE_REQUEST  "/usr/bin/g\+\+" chain
SecFilter "\x20" 

# WEB-ATTACKS g++ command attempt
SecFilterSelective THE_REQUEST  "g\+\+\x20" chain
SecFilter "\x20" 

# WEB-ATTACKS bin/python access attempt
SecFilterSelective THE_REQUEST  "bin/python" chain
SecFilter "\x20" 

# WEB-ATTACKS python access attempt
#SecFilter "python\x20"

# WEB-ATTACKS bin/tclsh execution attempt
SecFilterSelective THE_REQUEST "bin/tclsh"

# WEB-ATTACKS tclsh execution attempt
SecFilterSelective THE_REQUEST "tclsh8\x20"

# WEB-ATTACKS bin/nasm command attempt
SecFilterSelective THE_REQUEST "bin/nasm"

# WEB-ATTACKS nasm command attempt
SecFilterSelective THE_REQUEST "nasm\x20"

# WEB-ATTACKS /usr/bin/perl execution attempt
SecFilterSelective THE_REQUEST "/usr/bin/perl"

# WEB-ATTACKS traceroute command attempt
SecFilterSelective THE_REQUEST  "traceroute" chain
SecFilter "\x20([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 

# WEB-ATTACKS ping command attempt
SecFilterSelective THE_REQUEST  "/bin/ping" chain
SecFilter "\x20" 

# WEB-ATTACKS X application to remote host attempt
SecFilterSelective THE_REQUEST "\x20-display\x20"

# WEB-ATTACKS mail command attempt
SecFilterSelective THE_REQUEST  "/bin/mail" chain
SecFilter "\x20" 

# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls" chain
SecFilter "\x20" 

# WEB-ATTACKS /etc/inetd.conf access
SecFilterSelective THE_REQUEST  "/etc/inetd\.conf"

# WEB-ATTACKS /etc/motd access
SecFilterSelective THE_REQUEST  "/etc/motd"
# WEB-ATTACKS conf/httpd.conf attempt
SecFilterSelective THE_REQUEST  "conf/httpd\.conf"

# WEB-MISC .htpasswd access
SecFilterSelective THE_REQUEST  "\.htpasswd" 

# WEB-MISC /etc/passwd access
SecFilterSelective REQUEST_URI  "/etc/passwd" 

# WEB-MISC nessus 1.X 404 probe
SecFilterSelective REQUEST_URI "/nessus_is_probing_you_" 

# WEB-MISC nessus 2.x 404 probe
SecFilterSelective REQUEST_URI "/NessusTest" 

# WEB-MISC ls%20-l
SecFilterSelective THE_REQUEST  "ls" chain
SecFilter "\x20-l" 

# WEB-MISC apache directory disclosure attempt
SecFilterSelective THE_REQUEST "////////" 

#musicat empower attempt
SecFilterSelective REQUEST_URI "/empower\?DB="

# WEB-MISC Apache Chunked-Encoding worm attempt
SecFilter "CCCCCCC\: AAAAAAAAAAAAAAAAAAA"

# WEB-MISC *%0a.pl access
SecFilterSelective REQUEST_URI "/*\x0a\.pl" 

#PHPBB worm sigs
SecFilterSelective REQUEST_URI "!(tiki-searchindex\.php)" chain
SecFilterSelective ARG_highlight "(\x27|%27|\x2527|%2527)"

#PHP defenses
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$" 

#PHP defenses
SecFilterSelective ARGS_NAMES "^(globals($|\[)|php:/)"

#PHP defenses
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

#PHP defenses
SecFilterSelective COOKIE_sessionid "!^[0-9a-z\.]*$"

# Web-attacks chdir
SecFilterSelective REQUEST_URI "&(cmd|command)=chdir\x20"

# TIKIWIKI
SecFilterSelective REQUEST_URI  "/tiki-map.phtml\?mapfile=\.\./\.\./"

#SMTP redirects
SecFilterSelective THE_REQUEST ^(http|https)\:/.+:25 

#These are VERY experiemental, please report false positives/negatives, etc.
#very experimental generic remote download sig
#foo IP or FQDN, or foo http/https/ftp://whatever
SecFilterSelective THE_REQUEST "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20((http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 

#Command inline detection
SecFilterSelective THE_REQUEST "( |\;|/|\'|,|\&|\=|\.)((s|r)(sh|cp)) *(.*\@.*|(http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" 

#very experimental connect command sig
SecFilterSelective THE_REQUEST "( |\;|/|\'|,|\&|\=|\.)(perl|nc|telnet|(rs)sh|rexec) .*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[A-Za-z|0-9]\.[a-zA-Z]{2,4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"

#Commands, also need a major rework, these also have issues
SecFilterSelective REQUEST_URI "\;\x20+?perl\x20+[A-Za-z|0-9]+;" 
#SecFilterSelective THE_REQUEST "echo\x20" 
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-(charset|width) "
SecFilterSelective THE_REQUEST "links (http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "links -source "
#SecFilterSelective THE_REQUEST "mkdir\x20" 
SecFilterSelective THE_REQUEST "cd\x20/(tmp|/var/tmp)" 

SecFilterSelective THE_REQUEST "cd \.\." 
SecFilterSelective THE_REQUEST "/\.(history|bash_history) HTTP\/(0\.9|1\.0|1\.1)$" 

#generic block for fwrite fopen uploads
SecFilterSelective THE_REQUEST "fwrite" chain
SecFilterSelective THE_REQUEST "fopen" 

#generic sig for more bad PHP functions
SecFilterSelective THE_REQUEST "chr\(([0-9]{1,3})\)"
SecFilterSelective ARGS_NAMES "^php:/"

# WEB-MISC Tomcat view source attempt
SecFilterSelective THE_REQUEST "\x252ejsp"

# WEB-MISC whisker HEAD/./
#SecFilter "HEAD/./"

# WEB-FRONTPAGE .... request
SecFilterSelective THE_REQUEST "\.\.\.\./"

#experimental CSS rule
#SecFilterSelective REQUEST_URI "/(\x3C|<)(\x2F|\/)*[a-z0-9\%]+(\x3E|>)"

#Generic attack rules pcre format
#cross site scripting attempt IMG onerror or onload
SecFilterSelective THE_REQUEST "\<IMG.*/\bonerror\b[\s]*="

#cross site scripting attempt TYPE + JAVASCRIPT
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/javascript"

#cross site scripting attempt STYLE + JAVASCRIPT
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]application\/x-javascript"

#cross site scripting attempt STYLE + JSCRIPT
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/jscript"

# cross site scripting attempt STYLE + VBSCRIPT
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/vbscript"

#cross site scripting attempt STYLE + VBSCRIPT
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]application\/x-vbscript"

#cross site scripting attempt STYLE + ECMACRIPT
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/ecmascript"

# cross site scripting attempt STYLE + EXPRESSION
SecFilterSelective THE_REQUEST "STYLE[\s]*=[\s]*[^>]expression[\s]*\("

#cross site scripting attempt STYLE + EXPRESSION
SecFilterSelective THE_REQUEST "[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>"

# cross site scripting attempt using XML
SecFilterSelective THE_REQUEST "<!\[CDATA\[<\]\]>SCRIPT"

#cross site scripting attempt executing hidden Javascript
SecFilterSelective THE_REQUEST "eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*\)"

#cross site scripting attempt executing hidden Javascript
SecFilterSelective THE_REQUEST "window\.execScript[\s]*\("

#cross site scripting attempt to execute Javascript code
SecFilterSelective THE_REQUEST "/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*javascript[\:]"

#cross site scripting stealth attempt to execute Javascript code
#may false alarm for some language sets
SecFilterSelective REQUEST_URI "!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)" chain
SecFilter "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]"

#cross site scripting HTML Image tag set to javascript attempt
SecFilterSelective THE_REQUEST "img src=javascript"

#Apache /server-info accessible
SecFilterSelective REQUEST_URI   "/server-info" chain
SecFilterSelective REMOTE_ADDR "!^127\.0\.0\.1$"

#Apache /server-status accessible
#Modified so apache-protect can run
SecFilterSelective REQUEST_URI "^/server-status/$" chain
SecFilterSelective REMOTE_ADDR "!^127\.0\.0\.1$"

#generic Common HTTP vulnerability
SecFilterSelective THE_REQUEST "/\?cwd=/"

#General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links)
SecFilterSelective THE_REQUEST "\.php\?" chain
SecFilter "\[url=(script|javascript|applet|about|chrome|activex)\:/.*\].*\[/url\]"

#Experimental XML-RPC generic attack sigs
SecFilter "\'\,\'\'\)\)\;"
SecFilter "\<param\>\<name\>.*\'\)\;"

#XML-RPC generic attack sigs
SecFilterSelective POST_PAYLOAD "^Content-Type\: application/xml" chain
SecFilter "(\<xml|\<.*xml)" chain
SecFilter "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" chain
SecFilter "methodCall\>"

#Specific XML-RPC attacks on xmlrpc.php
SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain
SecFilter "(\<xml|\<.*xml)" chain
SecFilter "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"

#Too generic, unless you know you won't see this in any of the fields of an XMLRPC message on your system
#SecFilterSelective THE_REQUEST "/xmlrpc\.php" chain
#SecFilter "(cd|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"

#XML-RPC SQL injection generic signature
SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain
SecFilter "<methodName>.*</methodName>.*<value><string>.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*methodName\>"

#generic remote file inclusion vulns
SecFilterSelective THE_REQUEST "/index\.php\?do=.*&page=(http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "/index\.php\?kietu\[.*\]=(http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "/index\.php\?libDir=http://xxxxxxxx"
SecFilterSelective THE_REQUEST "/init\.php\?HTTP_POST_VARS\[GALLERY_BASEDIR\]=(http|https|ftp)\:/"

#Virus HTTP Challenge/Reponse Auth
SecFilterSelective THE_REQUEST "^Authorization\: Negotiate" chain
SecFilter "YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFB"

#catch smuggling attacks
SecFilter "^(GET|POST).*Host:.*^(GET|POST)" 

#Drupal remote command execution vulnerability exploit signature
#This is already covered in another generic signature, but just in case you leave it out, here it is
#again with a slightly tigher regexp
SecFilter "\<.*php .*\(.*\)\;system\(.*\).*php*\>"
#Slightly stronger version of the above
SecFilter "\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\).*php*\>"

#Generic PHP attack sig
SecFilterSelective THE_REQUEST "system\(getenv\(HTTP_PHP\)\)"

#Generic Nessus request filter
SecFilterSelective THE_REQUEST "NessusTest*\.html"

#Generic PHP payload command injection and upload vulnerabilities
SecFilterSelective POST_PAYLOAD "<\?php" chain
SecFilter  "((fputs|fread)\(.*\,.*\)\;|fsockopen\(gethostbyname|chr\(.*\)\.chr\(.*\)\.chr\(|(fclose|fgets)\(.*\)\;|(system|exec)\(.*\)\;)" chain
SecFilter "\<\?php"

#Generic XML RPC attack sig
SecFilterSelective POST_PAYLOAD "\'(______BEGIN______|_____FIM_____)\'\;"

#HTTP header PHP code injection attacks
SecFilterSelective HTTP_CLIENT_IP|HTTP_USER_AGENT|HTTP_Referer "(<\?php|<[[:space:]]?\?[[:space:]]?php|<\? php)"
#wormsign
SecFilter "XXXXXXXXXXXXXXX\: \+\+\+\+\+\+\+\+\+\+\+\+\+"
SecFilterSelective THE_REQUEST "THMC\.\$dbhost\.THMC\.\$dbname\.THMC\.\$dbuser\.THMC\.\$dbpasswd\.THMC"

#phpbb wormsign
SecFilterSelective THE_REQUEST "echo _GHC/RST_"

#Generic PHP avatar upload exploits
SecFilterSelective REQUEST_URI "\.php" chain
SecFilterSelective POST_PAYLOAD "Content-Disposition\: form-data\; name=\"avatar\"\;" chain
SecFilter "\<\?php" chain
SecFilter "\?>"

#Fake image file shell attacvk
SecFilterSelective HTTP_Content-Type "image/.*"
SecFilterSelective POST_PAYLOAD "chr\("

#bogus graphics file
SecFilterSelective HTTP_Content-Disposition "\.php" chain
SecFilterSelective HTTP_Content-Type "(image/gif|image/jpg|image/png|image/bmp)"

#wormsign
SecFilterSelective REQUEST_URI "Hacked.*by.*member.*of.*SCC"

#Special account protection
SecFilterSelective THE_REQUEST "/~(root|ftp|bin|nobody|named|guest|logs|sshd)(/\S*)? HTTP/(0\.9|1\.[01])$"
SecFilterSelective REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/"

#Generic PHP fopen sig
SecFilterSelective THE_REQUEST "fp=fopen\("