--- /dev/null
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# -- [[ Recommended Base Configuration ]] -------------------------------------------------
+#
+# The configuration directives/settings in this file are used to control
+# the OWASP ModSecurity CRS. These settings do **NOT** configure the main
+# ModSecurity settings such as:
+#
+# - SecRuleEngine
+# - SecRequestBodyAccess
+# - SecAuditEngine
+# - SecDebugLog
+#
+# You should use the modsecurity.conf-recommended file that comes with the
+# ModSecurity source code archive.
+#
+# Ref: http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/modsecurity.conf-recommended
+#
+
+
+#
+# -- [[ Rule Version ]] -------------------------------------------------------------------
+#
+# Rule version data is added to the "Producer" line of Section H of the Audit log:
+#
+# - Producer: ModSecurity for Apache/2.7.0-rc1 (http://www.modsecurity.org/); OWASP_CRS/2.2.4.
+#
+# Ref: https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecComponentSignature
+#
+SecComponentSignature "OWASP_CRS/2.2.6"
+
+
+#
+# -- [[ Modes of Operation: Self-Contained vs. Collaborative Detection ]] -----------------
+#
+# Each detection rule uses the "block" action which will inherit the SecDefaultAction
+# specified below. Your settings here will determine which mode of operation you use.
+#
+# -- [[ Self-Contained Mode ]] --
+# Rules inherit the "deny" disruptive action. The first rule that matches will block.
+#
+# -- [[ Collaborative Detection Mode ]] --
+# This is a "delayed blocking" mode of operation where each matching rule will inherit
+# the "pass" action and will only contribute to anomaly scores. Transactional blocking
+# can be applied
+#
+# -- [[ Alert Logging Control ]] --
+# You have three options -
+#
+# - To log to both the Apache error_log and ModSecurity audit_log file use: "log"
+# - To log *only* to the ModSecurity audit_log file use: "nolog,auditlog"
+# - To log *only* to the Apache error_log file use: "log,noauditlog"
+#
+# Ref: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html
+# Ref: https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecDefaultAction
+#
+SecDefaultAction "phase:1,deny,log"
+
+
+#
+# -- [[ Collaborative Detection Severity Levels ]] ----------------------------------------
+#
+# These are the default scoring points for each severity level. You may
+# adjust these to you liking. These settings will be used in macro expansion
+# in the rules to increment the anomaly scores when rules match.
+#
+# These are the default Severity ratings (with anomaly scores) of the individual rules -
+#
+# - 2: Critical - Anomaly Score of 5.
+# Is the highest severity level possible without correlation. It is
+# normally generated by the web attack rules (40 level files).
+# - 3: Error - Anomaly Score of 4.
+# Is generated mostly from outbound leakage rules (50 level files).
+# - 4: Warning - Anomaly Score of 3.
+# Is generated by malicious client rules (35 level files).
+# - 5: Notice - Anomaly Score of 2.
+# Is generated by the Protocol policy and anomaly files.
+#
+SecAction \
+ "id:'900001', \
+ phase:1, \
+ t:none, \
+ setvar:tx.critical_anomaly_score=5, \
+ setvar:tx.error_anomaly_score=4, \
+ setvar:tx.warning_anomaly_score=3, \
+ setvar:tx.notice_anomaly_score=2, \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ Collaborative Detection Scoring Threshold Levels ]] ------------------------------
+#
+# These variables are used in macro expansion in the 49 inbound blocking and 59
+# outbound blocking files.
+#
+# **MUST HAVE** ModSecurity v2.5.12 or higher to use macro expansion in numeric
+# operators. If you have an earlier version, edit the 49/59 files directly to
+# set the appropriate anomaly score levels.
+#
+# You should set the score to the proper threshold you would prefer. If set to "5"
+# it will work similarly to previous Mod CRS rules and will create an event in the error_log
+# file if there are any rules that match. If you would like to lessen the number of events
+# generated in the error_log file, you should increase the anomaly score threshold to
+# something like "20". This would only generate an event in the error_log file if
+# there are multiple lower severity rule matches or if any 1 higher severity item matches.
+#
+SecAction \
+ "id:'900002', \
+ phase:1, \
+ t:none, \
+ setvar:tx.inbound_anomaly_score_level=5, \
+ nolog, \
+ pass"
+
+
+SecAction \
+ "id:'900003', \
+ phase:1, \
+ t:none, \
+ setvar:tx.outbound_anomaly_score_level=4, \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ Collaborative Detection Blocking ]] -----------------------------------------------
+#
+# This is a collaborative detection mode where each rule will increment an overall
+# anomaly score for the transaction. The scores are then evaluated in the following files:
+#
+# Inbound anomaly score - checked in the modsecurity_crs_49_inbound_blocking.conf file
+# Outbound anomaly score - checked in the modsecurity_crs_59_outbound_blocking.conf file
+#
+# If you want to use anomaly scoring mode, then uncomment this line.
+#
+#SecAction \
+ "id:'900004', \
+ phase:1, \
+ t:none, \
+ setvar:tx.anomaly_score_blocking=on, \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ GeoIP Database ]] -----------------------------------------------------------------
+#
+# There are some rulesets that need to inspect the GEO data of the REMOTE_ADDR data.
+#
+# You must first download the MaxMind GeoIP Lite City DB -
+#
+# http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
+#
+# You then need to define the proper path for the SecGeoLookupDb directive
+#
+# Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html
+# Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html
+#
+#SecGeoLookupDb /opt/modsecurity/lib/GeoLiteCity.dat
+
+#
+# -- [[ Regression Testing Mode ]] --------------------------------------------------------
+#
+# If you are going to run the regression testing mode, you should uncomment the
+# following rule. It will enable DetectionOnly mode for the SecRuleEngine and
+# will enable Response Header tagging so that the client testing script can see
+# which rule IDs have matched.
+#
+# You must specify the your source IP address where you will be running the tests
+# from.
+#
+#SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
+ "id:'900005', \
+ phase:1, \
+ t:none, \
+ ctl:ruleEngine=DetectionOnly, \
+ setvar:tx.regression_testing=1, \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ HTTP Policy Settings ]] ----------------------------------------------------------
+#
+# Set the following policy settings here and they will be propagated to the 23 rules
+# file (modsecurity_common_23_request_limits.conf) by using macro expansion.
+# If you run into false positives, you can adjust the settings here.
+#
+# Only the max number of args is uncommented by default as there are a high rate
+# of false positives. Uncomment the items you wish to set.
+#
+#
+# -- Maximum number of arguments in request limited
+SecAction \
+ "id:'900006', \
+ phase:1, \
+ t:none, \
+ setvar:tx.max_num_args=255, \
+ nolog, \
+ pass"
+
+#
+# -- Limit argument name length
+#SecAction \
+ "id:'900007', \
+ phase:1, \
+ t:none, \
+ setvar:tx.arg_name_length=100, \
+ nolog, \
+ pass"
+
+#
+# -- Limit value name length
+#SecAction \
+ "id:'900008', \
+ phase:1, \
+ t:none, \
+ setvar:tx.arg_length=400, \
+ nolog, \
+ pass"
+
+#
+# -- Limit arguments total length
+#SecAction \
+ "id:'900009', \
+ phase:1, \
+ t:none, \
+ setvar:tx.total_arg_length=64000, \
+ nolog, \
+ pass"
+
+#
+# -- Individual file size is limited
+#SecAction \
+ "id:'900010', \
+ phase:1, \
+ t:none, \
+ setvar:tx.max_file_size=1048576, \
+ nolog, \
+ pass"
+
+#
+# -- Combined file size is limited
+#SecAction \
+ "id:'900011', \
+ phase:1, \
+ t:none, \
+ setvar:tx.combined_file_sizes=1048576, \
+ nolog, \
+ pass"
+
+
+#
+# Set the following policy settings here and they will be propagated to the 30 rules
+# file (modsecurity_crs_30_http_policy.conf) by using macro expansion.
+# If you run into false positves, you can adjust the settings here.
+#
+SecAction \
+ "id:'900012', \
+ phase:1, \
+ t:none, \
+ setvar:'tx.allowed_methods=<%= @allowed_methods -%>', \
+ setvar:'tx.allowed_request_content_type=<%= @content_types -%>', \
+ setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
+ setvar:'tx.restricted_extensions=<%= @restricted_extensions -%>', \
+ setvar:'tx.restricted_headers=<%= @restricted_headers -%>', \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ Content Security Policy (CSP) Settings ]] -----------------------------------------
+#
+# The purpose of these settings is to send CSP response headers to
+# Mozilla FireFox users so that you can enforce how dynamic content
+# is used. CSP usage helps to prevent XSS attacks against your users.
+#
+# Reference Link:
+#
+# https://developer.mozilla.org/en/Security/CSP
+#
+# Uncomment this SecAction line if you want use CSP enforcement.
+# You need to set the appropriate directives and settings for your site/domain and
+# and activate the CSP file in the experimental_rules directory.
+#
+# Ref: http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-content-security-policy-csp.html
+#
+#SecAction \
+ "id:'900013', \
+ phase:1, \
+ t:none, \
+ setvar:tx.csp_report_only=1, \
+ setvar:tx.csp_report_uri=/csp_violation_report, \
+ setenv:'csp_policy=allow \'self\'; img-src *.yoursite.com; media-src *.yoursite.com; style-src *.yoursite.com; frame-ancestors *.yoursite.com; script-src *.yoursite.com; report-uri %{tx.csp_report_uri}', \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ Brute Force Protection ]] ---------------------------------------------------------
+#
+# If you are using the Brute Force Protection rule set, then uncomment the following
+# lines and set the following variables:
+# - Protected URLs: resources to protect (e.g. login pages) - set to your login page
+# - Burst Time Slice Interval: time interval window to monitor for bursts
+# - Request Threshold: request # threshold to trigger a burst
+# - Block Period: temporary block timeout
+#
+#SecAction \
+ "id:'900014', \
+ phase:1, \
+ t:none, \
+ setvar:'tx.brute_force_protected_urls=/login.jsp /partner_login.php', \
+ setvar:'tx.brute_force_burst_time_slice=60', \
+ setvar:'tx.brute_force_counter_threshold=10', \
+ setvar:'tx.brute_force_block_timeout=300', \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ DoS Protection ]] ----------------------------------------------------------------
+#
+# If you are using the DoS Protection rule set, then uncomment the following
+# lines and set the following variables:
+# - Burst Time Slice Interval: time interval window to monitor for bursts
+# - Request Threshold: request # threshold to trigger a burst
+# - Block Period: temporary block timeout
+#
+#SecAction \
+ "id:'900015', \
+ phase:1, \
+ t:none, \
+ setvar:'tx.dos_burst_time_slice=60', \
+ setvar:'tx.dos_counter_threshold=100', \
+ setvar:'tx.dos_block_timeout=600', \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ Check UTF enconding ]] -----------------------------------------------------------
+#
+# We only want to apply this check if UTF-8 encoding is actually used by the site, otherwise
+# it will result in false positives.
+#
+# Uncomment this line if your site uses UTF8 encoding
+#SecAction \
+ "id:'900016', \
+ phase:1, \
+ t:none, \
+ setvar:tx.crs_validate_utf8_encoding=1, \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ Enable XML Body Parsing ]] -------------------------------------------------------
+#
+# The rules in this file will trigger the XML parser upon an XML request
+#
+# Initiate XML Processor in case of xml content-type
+#
+SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+ "id:'900017', \
+ phase:1, \
+ t:none,t:lowercase, \
+ nolog, \
+ pass, \
+ chain"
+ SecRule REQBODY_PROCESSOR "!@streq XML" \
+ "ctl:requestBodyProcessor=XML"
+
+
+#
+# -- [[ Global and IP Collections ]] -----------------------------------------------------
+#
+# Create both Global and IP collections for rules to use
+# There are some CRS rules that assume that these two collections
+# have already been initiated.
+#
+SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \
+ "id:'900018', \
+ phase:1, \
+ t:none,t:sha1,t:hexEncode, \
+ setvar:tx.ua_hash=%{matched_var}, \
+ nolog, \
+ pass"
+
+
+SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" \
+ "id:'900019', \
+ phase:1, \
+ t:none, \
+ capture, \
+ setvar:tx.real_ip=%{tx.1}, \
+ nolog, \
+ pass"
+
+
+SecRule &TX:REAL_IP "!@eq 0" \
+ "id:'900020', \
+ phase:1, \
+ t:none, \
+ initcol:global=global, \
+ initcol:ip=%{tx.real_ip}_%{tx.ua_hash}, \
+ nolog, \
+ pass"
+
+
+SecRule &TX:REAL_IP "@eq 0" \
+ "id:'900021', \
+ phase:1, \
+ t:none, \
+ initcol:global=global, \
+ initcol:ip=%{remote_addr}_%{tx.ua_hash}, \
+ nolog, \
+ pass"
projects / dsa-puppet.git / blobdiff