# http://www.gotroot.com/mod_security+rules
# Gotroot.com ModSecurity rules
#
# Created by The Prometheus Group (http://www.prometheus-group.com)
#
# Application Security Rules
#
# Download from: http://www.gotroot.com/downloads/ftp/mod_security/rules.conf
# Copyright 2005, all rights reserved.
#
# Commercial redistribution prohibited.
#
# Version: N-20051120-01
#--------------------------------
# notes
#--------------------------------
# NOTE(review): these are ModSecurity 1.x directives, restored here to one
# directive per line.  Syntax used below:
#   SecFilterSelective LOCATION "REGEX" [actions]  - match REGEX against LOCATION
#   SecFilter "REGEX" [actions]                    - match against the default locations
# A leading "!" inside the pattern inverts the match.  A trailing "chain"
# action ties a directive to the next one: every stage of the chain must
# match before the default action (configured elsewhere, not visible in this
# file) is applied.
# NOTE(review): the regex dialect is not declared in this file.  Escapes such
# as \x20 and the "\i" on the innerHTML rule below mean different things under
# PCRE and under POSIX regcomp -- confirm which engine the target Apache build
# compiles these patterns with before relying on them.
# NOTE(review): the shell-command alternations below (e.g. "perl ", "wget ")
# contain a literal space.  THE_REQUEST is presumably the raw request line, so
# the decoded-parameter variants (ARGS / REQUEST_URI rules) are what provide
# coverage when the parameter is URL-encoded -- confirm which locations are
# decoded before assuming both forms are caught.
#--------------------------------
#start rules
#--------------------------------
#Enforce proper HTTP requests
# Rejects any request line that does not end in an HTTP/0.9, 1.0 or 1.1 version tag.
SecFilterSelective THE_REQUEST "!HTTP\/(0\.9|1\.0|1\.1)$"
# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
# DreamHost added REPORT for subversion on Apache 2 only
# NOTE(review): as written, stage one matches only when the method is NOT in
# the list (the pattern is negated), so the Content-Type restriction in stage
# two is never applied to POST/PUT/PROPFIND/etc. -- it only fires for unknown
# methods that also carry an unrecognised Content-Type.  The comment above
# describes a narrower exclusion (GET only); confirm which behaviour is wanted.
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST|PUT|PROPFIND|OPTIONS|LOCK|REPORT)$" chain
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
# Any non-empty Transfer-Encoding header is rejected.
SecFilterSelective HTTP_Transfer-Encoding "!^$"
#XSS insertion into Content-Type
# NOTE(review): "(script|...|chrome)*>" quantifies the whole group with "*", so
# the first alternative also matches a bare "<>" followed later by one of the
# keywords and ">".  Broad, but not a coverage gap.
SecFilterSelective THE_REQUEST "Content-Type\:.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)"
#Don't accept chunked encodings
#modsecurity can not look at these, so this is a hole
#that can bypass your rules, the rule before this one
#should cover this, but hey paranoia is cheap
SecFilterSelective HTTP_Transfer-Encoding "chunked"
#Web Proxy GET Request
# Absolute-URI request lines indicate an attempt to use the server as an open proxy.
SecFilter "^GET (http|https|ftp)\:/"
#Web Proxy HEAD Request
SecFilter "^HEAD (http|https|ftp)\:/"
#Proxy POST Request
SecFilter "^POST (http|https|ftp)\:/"
#Generic PHP exploit signatures
# A PHP process/IO function name, called with arguments and terminated by ";",
# preceded by ";" in the raw request line.
SecFilterSelective THE_REQUEST "\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"
#slightly tighter rules with narrower focus
# Same function list, without the leading ";", against the URI and the POST body.
SecFilterSelective REQUEST_URI "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"
# NOTE(review): POST_PAYLOAD rules presumably need SecFilterScanPOST enabled
# elsewhere in the configuration -- confirm, otherwise this stage never matches.
SecFilterSelective POST_PAYLOAD "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"
#prevent PHP error leakage
# NOTE(review): matching on OUTPUT presumably requires SecFilterScanOutput On
# elsewhere in the configuration -- confirm, otherwise this rule is inert.
SecFilterSelective OUTPUT "Fatal error:"
#generic XSS PHP attack types
# Two-stage chain: a ".php?" request whose content also carries one of two
# known javascript: payload shapes.
# NOTE(review): "body.\innerHTML" in stage two looks like a typo for
# "body\.innerHTML": the "." is an unescaped wildcard and "\i" is not a
# defined escape (PCRE and POSIX treat it differently, and newer PCRE may
# reject the pattern outright).  Confirm the rule actually compiles and matches.
SecFilterSelective THE_REQUEST "\.php\?" chain
SecFilter "javascript\:/(.*new\x20ActiveXObject.*Sh\.regwrite|.*window\.opener\.document\.body.\innerHTML=window\.opener\.document\.body\.innerHTML\.replace)"
#Prevent SQL injection in cookies
# NOTE(review): inside a bracket expression "|" is a literal pipe, not
# alternation, so "[A-Z|a-z|0-9|\*| |\,]" also admits "|" in the identifier
# position.  Slightly broader than intended; not a gap.
SecFilterSelective COOKIE_VALUES "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)"
#Generic command line attack filter
# One or more "|" then two spaces (anywhere) then another "|": a pipeline shape.
# Expect false positives on legitimate values containing pipes and spaces.
SecFilterSelective THE_REQUEST "\|+.*[\x20].*[\x20].*\|"
#PHP Injection Attack generic signature
# NOTE(review): in "\.php*" the "*" quantifies only the final "p", so stage one
# matches ".ph", ".php", ".phpp", ...  The sibling rules use "\.php\?"; this
# one was probably meant to be "\.php" (any PHP URI, with or without a query).
# Behaviour is only broader, so it is not a gap, but the intent should be confirmed.
# NOTE(review): "path" appears twice in the parameter-name alternation of
# stage two; harmless duplication.
SecFilterSelective THE_REQUEST "\.php*" chain
SecFilter "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|pagina|path|include_location|root|page|gorumDir|site|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))"
# Single-stage variant of the chain above: known include-parameter names set
# to a remote URL, or a cmd=/command= parameter starting with a shell command.
SecFilterSelective THE_REQUEST "\.php\?(((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|pagina|path|pathtoroot|include_location|gorumDir|root|page|site|pun_root|open|seite)=(http|https|ftp)\:/|.*(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z]))"
#Generic PHP remote file inclusion attack signature
# Three-stage chain: ".php?" request, a remote URL somewhere, and a cmd=/command=
# parameter that begins with a shell command.
# NOTE(review): the unqualified SecFilter stages have no location; confirm
# which locations they inspect.  If request headers are included, a Referer
# header alone satisfies the "(http|https|ftp)\:/" stage, which makes stage
# three the only real discriminator.
SecFilterSelective THE_REQUEST "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter "(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
# Same chain, but stage three allows anything between "cmd=" and the command.
# NOTE(review): with ".*" before the alternation, short alternatives such as
# "cd", "id", "cmd" and ";" will match inside ordinary words anywhere after
# "cmd=" (e.g. "video", "identity").  Expect false positives on applications
# that legitimately use a "cmd" or "command" parameter.
SecFilterSelective THE_REQUEST "\.php\?" chain
SecFilter "(http|https|ftp)\:/" chain
SecFilter "(cmd|command)=.*(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#Generic PHP body attack
# Chain: a PHP function name in the request line, and a POST body starting with
# "PHP" followed by a shell command.
# NOTE(review): "^PHP\:*" allows zero or more colons, so the body prefix "PHP"
# matches with or without ":".  Probably intended "PHP\:"; confirm.
SecFilterSelective THE_REQUEST "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain
SecFilterSelective POST_PAYLOAD "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])"
#script, perl, etc. code in HTTP_Referer string
# A "#!" shebang followed later by "/" in the Referer header.
SecFilterSelective HTTP_Referer "\#\!.*/"
#generic command line attack
# NOTE(review): "\|*" is zero or more pipes and "echo*" is "ech" plus zero or
# more "o", so the effective pattern is "id;ech" with optional pipes around it.
# It matches what the comment intends and more; if the pipes are meant to be
# required, "+" rather than "*" is needed.  Same pattern on ARGS below.
SecFilterSelective THE_REQUEST "\|*id\;echo*\|"
SecFilterSelective ARGS "\|*id\;echo*\|"
#remote file inclusion generic attack signature
# Chain: a query on a non-script extension (often a disguised PHP payload) that
# carries an include-style parameter pointing at a URL, or a cmd=/command=/inc= parameter.
SecFilterSelective THE_REQUEST "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain
SecFilter "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"
# Single-stage variants of the above; "\?\&" requires a literal "?&", i.e. an
# empty first query parameter, which is the exact shape these signatures target.
SecFilterSelective THE_REQUEST "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|command|inc|name)="
SecFilterSelective ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain
SecFilter "\?\&(cmd|inc|name)="
SecFilterSelective ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|name)="
# A ".php" query where some parameter is a remote URL that itself carries "?&cmd=".
SecFilterSelective REQUEST_URI "\.php\?.*=(http|https|ftp)\:/.*\?&cmd="
#Bogus file extensions generic signature
# Double extensions such as "name.gif.txt".
SecFilterSelective THE_REQUEST "[A-Za-z0-9]\.(gif|jpg|png|bmp)\.txt"
#PHP remote path attach generic signature
# ".php", ".php3" or ".php4" followed later by "path=" set to a remote URL.
# The second rule is a subset of the first (".php" without version suffix).
SecFilterSelective REQUEST_URI "\.ph(p(3|4)?).*path=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "\.php.*path=(http|https|ftp)\:/"
#generic attack sig
# "cd", optional spaces, ";" and then a second shell command.
SecFilterSelective THE_REQUEST "cd\x20*\;(cd|\;|echo|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)"
# WEB-ATTACKS uname -a command attempt
# NOTE(review): the two stages are matched independently -- "uname" anywhere in
# the request line and " -a" anywhere in the default locations -- so they need
# not be adjacent.  High false-positive risk on requests mentioning "uname"
# (e.g. a "username" parameter) alongside any " -a".
SecFilterSelective THE_REQUEST "uname" chain
SecFilter "\x20-a"
#generic php attack sigs
SecFilterSelective REQUEST_URI "&(cmd|command)=(id|uname)\x20"
SecFilterSelective REQUEST_URI "cmd\?(cmd|command)="
SecFilterSelective REQUEST_URI "(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(cmd|command)="
SecFilterSelective REQUEST_URI "\.php\?&(cmd|command)="
#Generic PHP attack sig
SecFilterSelective THE_REQUEST "system\(getenv\(HTTP_PHP\)\)"
# WEB-ATTACKS /etc/shadow access
SecFilterSelective THE_REQUEST "/etc/shadow"
#remote bash shell
SecFilterSelective THE_REQUEST "/shell\.php\&cmd="
SecFilterSelective ARGS "/shell\.php\&cmd="
#Generic PHP payload command injection and upload vulnerabilities
# Three-stage chain on an uploaded/posted PHP source: the "<?php" opener, one of
# several file/socket/exec call shapes, and the opener again.
# NOTE(review): stage three repeats stage one.  "\<" is a literal "<" under
# PCRE but a word-boundary assertion under POSIX regcomp, so under POSIX this
# stage would look for "?php" at a word start instead.  Either way it adds no
# discrimination beyond stage one; confirm whether it can be dropped.
SecFilterSelective POST_PAYLOAD "<\?php" chain
SecFilter "((fputs|fread)\(.*\,.*\)\;|fsockopen\(gethostbyname|chr\(.*\)\.chr\(.*\)\.chr\(|(fclose|fgets)\(.*\)\;|(system|exec)\(.*\)\;)" chain
SecFilter "\<\?php"