Protecting TYPO3 With Suhosin And Modsecurity

National Swiss-TUG Event. Presentation by Xavier Perseguers, Monday, January 26, 2009

Description

How to protect TYPO3 and your Apache web server as a whole with Suhosin (for PHP) and ModSecurity (Apache module)

Transcript of Protecting TYPO3 With Suhosin And Modsecurity

Page 1: Protecting TYPO3 With Suhosin And Modsecurity

National Swiss-TUG Event

Presentation by Xavier Perseguers, Monday, January 26, 2009

Page 2: Overview

Introduction

Suhosin

ModSecurity

Summary / Further Protection

Page 3: Introduction

Page 4: Introduction / About me

Senior Consultant / Developer @ ELCA Informatique SA

Server administrator

Using TYPO3 since 2005/2006

Actively developing for TYPO3 since 2008

Page 5: Introduction / The Problem

Wide variety of threats

Integration of popular software packages

Server updates not installed

SQL injection, XSS

Unknown exploits

Page 6: Introduction / The Problem (Big Picture)

[Diagram: Client -> Web Server + extensions -> Filesystem (R W X) and Database Server. Attack classes annotated along that path: Input Validation Error, SQL Injection, XSS, File Disclosure, Privilege Escalation, Command Execution]

Page 7: Introduction / Solutions

Prompt patching and updating for server software

Code quality in your extensions

Developing extensions with security in mind

Firewall / Server hardening

Page 8: Introduction / Solution, is that all?

Secure development practices?

Firewall: works at the TCP/IP layer

What about XSS, remote file inclusion, ...?

What about SSL encrypted traffic?

Page 9: Suhosin

Page 10: Suhosin / What's that?

Advanced protection system for PHP (module / patch)

Runtime protection (module):

Transparent cookie / session encryption

Function black- and whitelist

...

With patch:

Low-level protection (buffer overflow, ...)

Page 11: Suhosin / Sample Code

Very basic ACL check:

Page 12: Suhosin / Sample Code (cont.)

read

Page 13: Suhosin / Sample Code (cont.)

write

Page 14: Suhosin / Sample Code (cont.)

Page 15: Suhosin / Sample Code (cont.)

TYPO3 does not have such code (hopefully)

But the extensions you use?

Let's try Suhosin as PHP module

Page 16: Suhosin / How To Install (Debian)

Install as usual: # apt-get install php5-suhosin

Edit file /etc/php5/conf.d/suhosin.ini

Activate any feature you wish

Do not use characters {}[] and the like for cryptkeys (they are reserved by the php.ini parser)

Restart Apache

Page 17: Suhosin / Sample Code (again)

Page 18: Suhosin / Sample Code (again)

Page 19: Suhosin / Sample Code (again)

Page 20: Suhosin / (Some) Other Features

Scanning uploaded files

Use a script that outputs "1" if the file is valid. If not, $_FILES will be empty!

Disallow scripts from changing the memory limit, or force an upper bound when not using safe_mode
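Suhosin's upload verification hook, as an added example that is not part of the slides: a Python script of the kind the slide refers to, written for the suhosin.upload.verification_script setting. It assumes, as the Suhosin documentation describes the hook, that Suhosin runs the script with the temporary path of the uploaded file as its only argument and keeps the file only if the first line printed to standard output is "1". The accepted file types, the size limit and the scan for embedded PHP tags are this example's own choices, not Suhosin defaults.

```python
#!/usr/bin/env python3
"""Upload verification script for suhosin.upload.verification_script.

Suhosin calls this with the path of the uploaded temporary file as the only
argument and accepts the upload only if the first output line is "1".
Every check is content-based: the client-supplied file name and MIME type
are never consulted, because both are attacker-controlled.
"""
import re
import sys

# Magic numbers of the file types this (hypothetical) TYPO3 site accepts.
ALLOWED_MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# PHP open tags anywhere in the file: a valid image header with PHP appended
# is the classic way to smuggle code through an image upload. Bare "<?" is not
# flagged, since PDFs legitimately carry "<?xpacket" XMP metadata.
SUSPICIOUS = re.compile(rb"<\?php\b|<\?=")

MAX_BYTES = 8 * 1024 * 1024


def detect_type(head: bytes):
    """Return the type name from ALLOWED_MAGIC whose magic starts `head`, or None."""
    for name, magics in ALLOWED_MAGIC.items():
        if any(head.startswith(m) for m in magics):
            return name
    return None


def verify_upload(data: bytes):
    """Decide whether the uploaded bytes are acceptable; returns (ok, reason)."""
    if not data:
        return False, "empty file"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    kind = detect_type(data[:16])
    if kind is None:
        return False, "unrecognised file type"
    m = SUSPICIOUS.search(data)
    if m:
        tag = m.group(0).decode("ascii", errors="replace")
        return False, "embedded %s at offset %d" % (tag, m.start())
    return True, kind


def main(argv) -> int:
    """Entry point used by Suhosin: print "1" to accept, anything else rejects."""
    if len(argv) != 2:
        print("0")
        return 1
    try:
        with open(argv[1], "rb") as fh:
            data = fh.read(MAX_BYTES + 1)  # one extra byte detects oversize files
    except OSError as exc:
        print("0")
        print("cannot read upload: %s" % exc, file=sys.stderr)
        return 1
    ok, reason = verify_upload(data)
    print("1" if ok else "0")
    print("%s: %s" % ("accepted" if ok else "rejected", reason), file=sys.stderr)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Point suhosin.ini at the script (suhosin.upload.verification_script = /path/to/verify_upload.py), make it executable for the web server user, and remember that the decision is taken before PHP ever sees the upload: a rejected file simply disappears from $_FILES, so the reason is written to stderr (which under Apache normally ends up in the error log) or the rejection is silent.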

Page 21: ModSecurity

Page 22: ModSecurity / Web Application Firewall

Filtering requests with regular expressions

Able to scan uploaded files (just as Suhosin does)

Blocks JavaScript (XSS) / SQL injection attempts that match its rules

much more

[Diagram: Client -> ModSecurity -> Application]

Page 23: ModSecurity / How To Install

Compile from source or

Use a package (available from official website)

Debian, Fedora, FreeBSD, RedHat, ...

Core rules included in distribution (more on this later)

Page 24: ModSecurity / Let's Start Blocking!

Create file /etc/apache2/conf.d/mod-security2

Open your browser


Page 26: ModSecurity / Let's Start Blocking!

Audit log entry written for the test request (serial audit log format; parts A, B, F, H and Z of one transaction):

--b1361a18-A--
[23/Jan/2009:10:27:01 +0100] SXmNY38AAQEAADmWkaQAAAAG 84.73.171.189 46474 193.33.30.197 80
--b1361a18-B--
GET /?attack HTTP/1.1
Host: yoursite.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.5) Gecko/2008120121 Firefox/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: fe_typo_user=kCTZx3iDYyAZxRI2UWtEv4xZSTBM96VPknodB1dnx1OPzDcA0is0q8ewWvOb16XM

--b1361a18-F--
HTTP/1.1 412 Precondition Failed
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 267
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--b1361a18-H--
Message: Access denied with code 412 (phase 2). Pattern match "attack" at REQUEST_LINE. [file "/etc/apache2/conf.d/mod-security2"] [line "7"]
Action: Intercepted (phase 2)
Stopwatch: 1232702819271014 2259647 (3639 3892 -)
Producer: ModSecurity for Apache/2.5.7 (http://www.modsecurity.org/).
Server: Apache/2.2.9 (Debian) mod_gnutls/0.5.1

--b1361a18-Z--

Highlighted on the slide:

GET /?attack HTTP/1.1
Host: yoursite.com

Message: Access denied with code 412 (phase 2). Pattern match "attack" at REQUEST_LINE.
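A parser for that audit entry, as an added example that is not part of the slides: Python that splits a ModSecurity serial audit log (the --id-A-- ... --id-Z-- parts shown above) into transactions and pulls out the client, request line, response status and the rule that fired, so denials can be aggregated instead of read one by one. The log embedded below is the entry from the slide, verbatim (the rule file itself is not reproduced in the transcript; what is known from the entry is that it denies requests whose request line matches "attack" with status 412). The field names and the per-client counter are this example's own.

```python
import re
from collections import Counter

# Part boundaries look like "--b1361a18-A--": transaction id, then part letter.
BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# Part A: "[timestamp] unique-id client-ip client-port server-ip server-port"
PART_A = re.compile(r"^\[([^\]]+)\]\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")
# "Message:" lines in part H written when a rule denied the request
DENY_MSG = re.compile(
    r'Access denied with code (\d+) \(phase (\d)\)\. (.*?) \[file "([^"]+)"\] \[line "(\d+)"\]'
)


def split_entries(text):
    """Split a serial audit log into [{'id': ..., 'parts': {letter: [lines]}}]."""
    entries, current, part = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            bid, part = m.groups()
            if current is None or current["id"] != bid:
                current = {"id": bid, "parts": {}}
                entries.append(current)
            current["parts"][part] = []
            if part == "Z":  # Z closes the transaction
                current, part = None, None
            continue
        if current is not None and part is not None:
            current["parts"][part].append(line)
    return entries


def parse_headers(lines):
    """'Name: value' lines -> dict keyed by lower-cased name; stops at the blank line."""
    headers = {}
    for line in lines:
        if not line.strip():
            break
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_entry(entry):
    """Flatten one transaction into the fields an analyst usually wants."""
    parts = entry["parts"]
    out = {"id": entry["id"], "rules": []}
    a = PART_A.match((parts.get("A") or [""])[0])
    if a:
        ts, uid, cip, cport, sip, sport = a.groups()
        out.update(timestamp=ts, unique_id=uid, client_ip=cip, client_port=int(cport),
                   server_ip=sip, server_port=int(sport))
    b = parts.get("B") or []
    if b:
        out["request_line"] = b[0]
        out["request_headers"] = parse_headers(b[1:])
    f = parts.get("F") or []
    if f:
        sm = re.match(r"HTTP/\d\.\d (\d{3})", f[0])
        out["status"] = int(sm.group(1)) if sm else None
        out["response_headers"] = parse_headers(f[1:])
    for line in parts.get("H") or []:
        dm = DENY_MSG.search(line) if line.startswith("Message: ") else None
        if dm:
            code, phase, reason, rfile, rline = dm.groups()
            out["rules"].append({"deny_code": int(code), "phase": int(phase),
                                 "reason": reason, "file": rfile, "line": int(rline)})
    return out


def parse_audit_log(text):
    return [parse_entry(e) for e in split_entries(text)]


def denied_by_client(entries):
    """Denied transactions per client IP: a quick 'who is probing us' view."""
    return Counter(e["client_ip"] for e in entries if e["rules"] and "client_ip" in e)


# The audit entry from the slide above, verbatim.
SAMPLE_LOG = """--b1361a18-A--
[23/Jan/2009:10:27:01 +0100] SXmNY38AAQEAADmWkaQAAAAG 84.73.171.189 46474 193.33.30.197 80
--b1361a18-B--
GET /?attack HTTP/1.1
Host: yoursite.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.5) Gecko/2008120121 Firefox/3.0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: fe_typo_user=kCTZx3iDYyAZxRI2UWtEv4xZSTBM96VPknodB1dnx1OPzDcA0is0q8ewWvOb16XM

--b1361a18-F--
HTTP/1.1 412 Precondition Failed
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 267
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--b1361a18-H--
Message: Access denied with code 412 (phase 2). Pattern match "attack" at REQUEST_LINE. [file "/etc/apache2/conf.d/mod-security2"] [line "7"]
Action: Intercepted (phase 2)
Stopwatch: 1232702819271014 2259647 (3639 3892 -)
Producer: ModSecurity for Apache/2.5.7 (http://www.modsecurity.org/).
Server: Apache/2.2.9 (Debian) mod_gnutls/0.5.1

--b1361a18-Z--
"""

if __name__ == "__main__":
    entries = parse_audit_log(SAMPLE_LOG)
    for e in entries:
        for r in e["rules"]:
            print("%s %s %s -> %d (%s, %s:%d)" % (e["timestamp"], e["client_ip"],
                  e["request_line"], r["deny_code"], r["reason"], r["file"], r["line"]))
    print(dict(denied_by_client(entries)))
```

Feed it the SecAuditLog file (or the concatenation of a concurrent-format directory) and the Counter gives the noisy clients first; the per-rule file and line in each record is what you need when deciding whether a denial was a true positive or a rule that needs an exception.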

Page 27: ModSecurity / Core Rule Set ver.1.6.1 files

# Validate request line
#
SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
    "t:none,t:lowercase,phase:2,deny,log,auditlog,status:400,msg:'Invalid HTTP Request Line',id:'960911',severity:'2'"

# HTTP Request Smuggling
#
SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," "phase:2,t:none,deny,log,auditlog,status:400,msg:'HTTP Request Smuggling Attack.',id:'950012',tag:'WEB_ATTACK/REQUEST_SMUGGLING',severity:'1'"

# Block request with malformed content.
# ModSecurity will not inspect these, but the server application might do so
#
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" "t:none,phase:2,deny,log,auditlog,status:400,msg:'Request Body Parsing Failed. %{REQBODY_PROCESSOR_ERROR_MSG}',id:'960912',severity:'2'"

# Accept only digits in content length
#
SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "phase:2,t:none,deny,log,auditlog,status:400,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016',tag:'PROTOCOL_VIOLATION/INVALID_HREQ'"

# Do not accept GET or HEAD requests with bodies
# HTTP standard allows GET requests to have a body but this
# feature is not used in real life. Attackers could try to force
# a request body on an unsuspecting web application.
#
SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011',tag:'PROTOCOL_VIOLATION/EVASION'"
    SecRule REQUEST_HEADERS:Content-Length "!^0?$" t:none

# Require Content-Length to be provided with every POST request.
#
SecRule REQUEST_METHOD "^POST$" "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header',id:'960012',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"
    SecRule &REQUEST_HEADERS:Content-Length "@eq 0" t:none

# Don't accept transfer encodings we know we don't know how to handle
#
# NOTE ModSecurity does not support chunked transfer encodings at
# this time. You MUST reject all such requests.
#
SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" "phase:2,t:none,deny,log,auditlog,status:501,msg:'ModSecurity does not support transfer encodings',id:'960013',tag:'PROTOCOL_VIOLATION/EVASION',severity:'3'"

# Check encodings
SecRule REQUEST_BODY|REQUEST_URI|XML:/* "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
    "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"
    SecRule REQUEST_BODY|REQUEST_URI|XML:/* "@validateUrlEncoding"

# Check UTF encoding
# Uncomment this rule if your system uses UTF encoding.
#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "phase:2,t:none,deny,log,auditlog,status:400,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"

# Disallow use of full-width unicode
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%u[fF]{2}[0-9a-fA-F]{2}" \
    "t:none,phase:2,deny,log,auditlog,status:400,msg:'Unicode Full/Half Width Abuse Attack Attempt',id:'950116',severity:'4'"

# Proxy access attempt
# NOTE Apache blocks such access by default if not set as a proxy. The rule is
# included in case Apache proxy is misconfigured.
SecRule REQUEST_URI_RAW ^\w+:/ "phase:2,t:none,deny,log,auditlog,status:400,msg:'Proxy access attempt', severity:'2',id:'960014',tag:'PROTOCOL_VIOLATION/PROXY_ACCESS'"

## Restrict type of characters sent
#
# NOTE In order to be broad and support localized applications this rule
# only validates that NULL is not used.
#
#    The strict policy version also validates that protocol and application
#    generated fields are limited to printable ASCII.
#
# TODO If your application uses the range 32-126 for parameters.
#
SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
    "@validateByteRange 1-255" \
    "phase:2,deny,log,auditlog,status:400,msg:'Invalid character in request',id:'960018',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4',t:none,t:urlDecodeUni"

SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Referer "@validateByteRange 1-255" \
    "phase:2,deny,log,auditlog,status:400,msg:'Invalid character in request',id:'960901',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4',t:none,t:urlDecodeUni"

# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.1
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------

#
# TODO in some cases a valid client (usually automated) generates requests that
# violate the HTTP protocol. Create exceptions for those clients, but try
# to limit the exception to a source IP or other additional properties of
# the request such as URL and not allow the violation generally.
#

# Do not accept requests without common headers.
# Implies either an attacker or a legitimate automation client.
#
# Exception for Apache SSL pinger
SecRule REQUEST_LINE "^GET /$" "chain,phase:2,t:none,pass,nolog,ctl:ruleRemoveById=960019,ctl:ruleRemoveById=960008,ctl:ruleRemoveById=960015,ctl:ruleRemoveById=960009,id:'999210',severity:'5'"
    SecRule REMOTE_ADDR "^127\.0\.0\.1$" t:none

# Exception for Apache internal dummy connection
SecRule REQUEST_LINE "^GET / HTTP/1.0$" "chain,phase:2,t:none,pass,nolog,ctl:ruleRemoveById=960019,ctl:ruleRemoveById=960008,ctl:ruleRemoveById=960015,ctl:ruleRemoveById=960009,id:'999211',severity:'5'"
    SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain,t:none"
    SecRule REQUEST_HEADERS:User-Agent "^Apache.*\(internal dummy connection\)$" "t:none"

# Detect HTTP/0.9 Requests
SecRule REQUEST_PROTOCOL ^http/0.9$ "t:none,t:lowercase,phase:2,log,auditlog,msg:'HTTP/0.9 Request Detected',id:'960019',severity:'4'"

SecRule &REQUEST_HEADERS:Host "@eq 0" \
    "skip:1,phase:2,t:none,log,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'4'"
SecRule REQUEST_HEADERS:Host "^$" \
    "phase:2,t:none,log,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'4'"

SecRule &REQUEST_HEADERS:Accept "@eq 0" \
    "chain,phase:2,skip:1,t:none,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',tag:'PROTOCOL_VIOLATION/MISSING_HEADER'"
    SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"
SecRule REQUEST_HEADERS:Accept "^$" \
    "chain,phase:2,t:none,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',tag:'PROTOCOL_VIOLATION/MISSING_HEADER'"
    SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"

SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "skip:1,phase:2,t:none,log,auditlog,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'4'"
SecRule REQUEST_HEADERS:User-Agent "^$" \
    "t:none,log,auditlog,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'4'"

SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
    "chain,phase:2,t:none,log,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:'960904',severity:'4'"
    SecRule REQUEST_HEADERS:Content-Length "!^0$" "t:none"

# Check that the host header is not an IP address
#
SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "phase:2,t:none,deny,log,auditlog,status:400,msg:'Host header is a numeric IP address', severity:'2',id:'960017',tag:'PROTOCOL_VIOLATION/IP_HOST'"

# Log a security event when the request is rejected by apache
#
SecRule RESPONSE_STATUS ^400$ "t:none,phase:5,chain,log,auditlog,pass,msg:'Invalid request',id:'960913',severity:'2'"
    SecRule WEBSERVER_ERROR_LOG !ModSecurity "t:none"

# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.1
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------

# In most cases, you should expect a certain volume of each request on your
# website. For example, a request with 400 arguments can be suspicious.
# This file creates limitations on the request.
# TODO Look at the rules in this file, and define the sizes you'd like to enforce.
# Note that most of the rules are commented out by default.
# Uncomment the rules you need
#

## -- Arguments limits --

# Limit argument name length
#SecRule ARGS_NAMES "^.{100}" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Argument name too long',id:'960209',severity:'4'"

# Limit argument value length
#SecRule ARGS "^.{400}" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Argument value too long',id:'960208',severity:'4'"

# Maximum number of arguments in request limited
SecRule &ARGS "@gt 255" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Too many arguments in request',id:'960335',severity:'4'"

# Limit arguments total length
#SecRule ARGS_COMBINED_SIZE "@gt 64000" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Total arguments size exceeded',id:'960341',severity:'4'"

## -- File upload limits --

# Individual file size is limited
#SecRule FILES_SIZES "@gt 1048576" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Uploaded file size too large',id:'960342',severity:'4'"

# Combined file size is limited
#SecRule FILES_COMBINED_SIZE "@gt 1048576" "phase:2,t:none,deny,log,auditlog,status:403,msg:'Total uploaded files size too large',id:'960343',severity:'4'"

## -- Apache Limits --

# These are Apache limit directives, but we are including them here because
# they are often forgotten. If you already have these configured leave this
# section entirely commented-out. Otherwise review the limits and uncomment
# the directives.

# Maximum size of the request body.
#
# NOTE If your application allows file uploads the value below will
# most likely be way too low.
#
#LimitRequestBody 64000

# Maximum number of request headers in a request.
#
#LimitRequestFields 32

# Maximum size of request header lines.
#
#LimitRequestFieldSize 8000

# Maximum size of the request line.
#
#LimitRequestLine 4000

# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.1
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------

# HTTP policy enforcement
# The HTTP policy enforcement rule set sets limitations on the use of HTTP by clients.

# Few applications require the breadth and depth of the HTTP protocol. On the
# other hand many attacks abuse valid but rare HTTP use patterns. Restricting
# HTTP protocol usage is therefore effective in blocking many
# application layer attacks.
#
# TODO If you are using the ModSecurity Core Ruleset template system you can set
# the policy limitations in the ruleset.config file. Otherwise edit this
# file manually to set your policy limitations.
#
# TODO Many automation programs use non standard HTTP requests. While you may
# want to allow some of those, try not to create exceptions only for the
# automated program based on properties such as their source IP address or
# the URL they access.
#

# allow request methods
#
# TODO Most applications only use GET, HEAD, and POST request
# methods. If that is not the case with your environment, you are advised
# to edit the line or uncomment it.
#
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
    "phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"

# Restrict which content-types we accept.
#
# TODO Most applications support only two types for request bodies
# because that is all browsers know how to produce. If you are using
# automated tools to talk to the application you may be using other
# content types and would want to change the list of supported types.
#
# Note though that ModSecurity parses only three content types:
# application/x-www-form-urlencoded, multipart/form-data request and
# text/xml. The protection provided for any other type is inferior.
#
# TODO There are many applications that are not using multipart/form-data
# types (typically only used for file uploads). This content type
# can be disabled if not used.
#
# NOTE We allow any content type to be specified with GET or HEAD
# because some tools incorrectly supply content type information
# even when the body is not present. There is a rule further in
# the file to prevent GET and HEAD requests from having bodies, so we're
# safe in that respect.
#
# NOTE Use of WebDAV requires "text/xml" content type.
#
# NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports
# applications running on the PocketPC and AvantGo platforms use
# non-standard content types:
#
# M-Business iAnywhere application/x-mal-client-data
# UltraLite iAnywhere application/octet-stream
#
SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" \
    "phase:2,chain,t:none,t:lowercase,deny,log,auditlog,status:501,msg:'Request content type is not allowed by policy',id:'960010',tag:'POLICY/ENCODING_NOT_ALLOWED',severity:'4'"
    SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)" "t:none"

# Restrict protocol versions.
#
# TODO All modern browsers use HTTP version 1.1. For tight security, allow only
# this version.
#
# NOTE Automation programs, both malicious and non malicious, many times use
# other HTTP versions. If you want to allow a specific automated program
# to use your site, try to create a narrower exception and not allow any
# client to send HTTP requests in a version lower than 1.1
#
SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.[01])$" \
    "phase:2,t:none,deny,log,auditlog,status:505,msg:'HTTP protocol version is not allowed by policy', severity:'2',id:'960034',tag:'POLICY/PROTOCOL_NOT_ALLOWED'"

# Restrict file extension
#
# TODO the list of file extensions below are virtually always considered unsafe
# and not in use in any valid program. If your application uses one of
# these extensions, please remove it from the list of blocked extensions.
# You may need to use ModSecurity Core Rule Set Templates to do so, otherwise
# comment the whole rule.
#
SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$" \
    "phase:2,t:none,t:urlDecodeUni, t:lowercase, deny,log,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',id:'960035',tag:'POLICY/EXT_RESTRICTED'"

# Restricted HTTP headers
#
# TODO the list of HTTP headers below are considered unsafe for your environment.
# If your application uses one of these headers, please remove it from
# the list of blocked headers. You may need to use ModSecurity Core Rule
# Set Templates to do so, otherwise comment the whole rule.
#
SecRule REQUEST_HEADERS_NAMES "(?:lock-token|translate|if)$" \
    "phase:2,t:none,t:lowercase,deny,log,auditlog,status:500,msg:'HTTP header is restricted by policy',id:'960038',tag:'POLICY/HEADER_RESTRICTED',tag:'POLICY/FILES_NOT_ALLOWED',severity:'4'"

# Restricted Content Encodings
#
# ModSecurity does not support compressed content. Therefore, the following
# action will be taken:
# - Inbound compressed content will be denied
# - Outbound compressed content will be logged once, to alert the user

# Deny inbound compressed content
SecRule REQUEST_HEADERS:Content-Encoding "!^Identity$" \
    "phase:2,t:none,deny,log,auditlog,status:501,msg:'ModSecurity does not support content encodings',id:'960902',severity:'3'"

# Log outbound compressed content (log once)
SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" \
    "phase:4,t:none,pass,log,auditlog,msg:'ModSecurity does not support content encodings',id:'960903',severity:'4',chain,initcol:global=global"
    SecRule &GLOBAL:alerted_960903_compression "@eq 0" "setvar:global.alerted_960903_compression"

# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.1
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------

#
# NOTE Bad robots detection is based on checking elements easily
# controlled by the client. As such a determined attacker can bypass
# those checks. Therefore bad robots detection should not be viewed as
# a security mechanism against targeted attacks but rather as a nuisance
# reduction, eliminating most of the random attacks against your web
# site.

SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|webinspect|\.nasl)" \
    "phase:2,t:none,t:lowercase,deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',tag:'AUTOMATION/SECURITY_SCANNER',severity:'2'"
SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
    "phase:2,t:none,t:lowercase,deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990901',tag:'AUTOMATION/SECURITY_SCANNER',severity:'2'"
SecRule REQUEST_FILENAME "^/nessustest" \
    "phase:2,t:none,t:lowercase,deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990902',tag:'AUTOMATION/SECURITY_SCANNER',severity:'2'"

SecRule REQUEST_HEADERS:User-Agent "(?:e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro|o browse)|m(?:ozilla\/4\.0 \(compatible; advanced email extractor|ailto:craftbot\@yahoo\.com)|a(?:t(?:tache|hens)|utoemailspider|dsarobot)|w(?:eb(?:emailextrac| by mail)|3mir)|f(?:astlwspider|loodgate)|p(?:cbrowser|ackrat|surf)|(?:digout4uagen|takeou)t|\bdatacha0s\b|hhjhj@yahoo|chinaclaw|rsync|shai|zeus)" \
    "phase:2,t:none,t:lowercase,deny,log,auditlog,status:404,msg:'Rogue web site crawler',id:'990012',tag:'AUTOMATION/MALICIOUS',severity:'2'"

SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|mozilla\/2\.0 \(compatible; newt activex; win32\)|w(?:3mirror|get)|download demon|l(?:ibwww|wp)|p(?:avuk|erl)|big brother|autohttp|netants|eCatch|curl)" \
    "chain,phase:2,t:none,t:lowercase,log,auditlog,msg:'Request Indicates an automated program explored the site',id:'990011',tag:'AUTOMATION/MISC',severity:'5'"
    SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl" "t:none,t:lowercase"

# ---------------------------------------------------------------# Core ModSecurity Rule Set ver.1.6.1# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.## The ModSecuirty Core Rule Set is distributed under GPL version 2# Please see the enclosed LICENCE file for full details.# ---------------------------------------------------------------

# # TODO While some of the pattern groups such as command injection are usually# safe of false positives, other pattern groups such as SQL injection and # XSS may require setting exceptions and therefore are set to log only by# default. ## Start ModSecurity in monitoring only mode and check whether your # application requires exceptions for a specific URL, Pattern or source IP# before moving to blocking mode.

## Session fixation#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm set-cookie .cookie" \ "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"SecAction phase:2,pass,nolog,skipAfter:959009SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \ "phase:2,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation',id:'950009',tag:'WEB_ATTACK/SESSION_FIXATION',logdata:'%{TX.0}',severity:'2'"SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \ "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation',id:'959009',tag:'WEB_ATTACK/SESSION_FIXATION',logdata:'%{TX.0}',severity:'2'"

## Blind SQL injection#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm sys.user_triggers sys.user_objects @@spid msysaces instr sys.user_views sys.tab charindex sys.user_catalog constraint_type locate select msysobjects attnotnull sys.user_tables sys.user_tab_columns sys.user_constraints waitfor mysql.user sys.all_tables msysrelationships msyscolumns msysqueries" \ "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,pass,nolog,skip:1"SecAction phase:2,pass,nolog,skipAfter:959007SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql\.user)|c(?:onstraint_type|harindex)|waitfor\b\W*?\bdelay|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)" \ "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack',id:'950007',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql\.user)|c(?:onstraint_type|harindex)|waitfor\b\W*?\bdelay|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)" \ "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack',id:'959007',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"! ! ! 
!#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "\b(?:benchmark|encode)\b" \# "phase:2,chain,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack',id:'950903',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,(?:[\\\(\)\%#]|--)"#SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,\b(?:benchmark|encode)\b" \# "phase:2,chain,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack',id:'959903',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"#SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:[\\\(\)\%#]|--)" t:none

SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm substr xtype textpos all_objects rownum sysfilegroups sysprocesses user_group sysobjects user_tables systables pg_attribute user_users user_password column_id attrelid user_tab_columns table_name pg_class user_constraints user_objects object_type dba_users sysconstraints mb_users column_name atttypid object_id substring syscat user_ind_columns sysibm syscolumns sysdba object_name" \ "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"SecAction phase:2,pass,nolog,skipAfter:959904SecRule REQUEST_FILENAME|ARGS "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())" \ "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack',id:'950904',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())" \ "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack',id:'959904',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"

#
# SQL injection
#
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm insert xp_enumdsn infile openrowset nvarchar autonomous_transaction print data_type or outfile inner shutdown tbcreator @@version xp_filelist sp_prepare sql_longvarchar xp_regenumkeys xp_loginconfig xp_dirtree ifnull sp_addextendedproc xp_regaddmultistring delete sp_sqlexec and sp_oacreate sp_execute cast xp_ntsec xp_regdeletekey drop varchar xp_execresultset having utl_file xp_regenumvalues xp_terminate xp_availablemedia xp_regdeletevalue dumpfile isnull sql_variant select 'sa' xp_regremovemultistring xp_makecab 'msdasql' xp_cmdshell openquery sp_executesql 'sqloledb' dbms_java 'dbo' utl_http sp_makewebtask benchmark xp_regread xp_regwrite" \
        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"
SecAction phase:2,pass,nolog,id:999501,skipAfter:959001
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(?:elete\b\W*?\bfrom|bms_java)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|a(?:nd\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|utonomous_transaction\b)|o(?:r\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|pen(?:rowset|query)\b)|having\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|print\b\W*?\@\@|cast\b\W*?\()|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)')" \
        "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950001',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\b.{1,100}?\bselect|tl_(?:file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(?:elete\b\W*?\bfrom|bms_java)|load\b\W*?\bdata\b.*\binfile|(?:n?varcha|tbcreato)r)\b|i(?:n(?:to\b\W*?\b(?:dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(?:f(?:\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|a(?:nd\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|utonomous_transaction\b)|o(?:r\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|pen(?:rowset|query)\b)|having\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|print\b\W*?\@\@|cast\b\W*?\()|(?:;\W*?\b(?:shutdown|drop)|\@\@version)\b|'(?:s(?:qloledb|a)|msdasql|dbo)')" \
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959001',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \
        "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950901',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959901',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"

#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "\b(?:rel(?:(?:nam|typ)e|kind)|a(?:ttn(?:ame|um)|scii)|c(?:o(?:nver|un)t|ha?r)|s(?:hutdown|elect)|to_(?:numbe|cha)r|u(?:pdate|nion)|d(?:elete|rop)|group\b\W*\bby|having|insert|length|where)\b" \
#        "phase:2,chain,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950905',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:[\\\(\)\%#]|--)" "t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase"
#SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(?:rel(?:(?:nam|typ)e|kind)|a(?:ttn(?:ame|um)|scii)|c(?:o(?:nver|un)t|ha?r)|s(?:hutdown|elect)|to_(?:numbe|cha)r|u(?:pdate|nion)|d(?:elete|rop)|group\b\W*\bby|having|insert|length|where)\b" \
#        "phase:2,chain,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959905',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
#SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:[\\\(\)\%#]|--)" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase"

SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm user_objects object_type substr all_objects mb_users column_name rownum atttypid substring object_id user_group user_tables pg_attribute user_users column_id user_password attrelid object_name table_name pg_class" \
        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"
SecAction phase:2,pass,nolog,skipAfter:959906
SecRule REQUEST_FILENAME|ARGS "\b(?:user_(?:(?:object|table|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|substr(?:ing)?|table_name|mb_users|rownum)\b" \
        "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950906',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(?:user_(?:(?:object|table|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|substr(?:ing)?|table_name|mb_users|rownum)\b" \
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959906',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|!REQUEST_HEADERS:via "\b(?:coalesce\b|root\@)" \
        "phase:2,capture,t:none,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'950908',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:via "\b(?:coalesce\b|root\@)" \
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'959908',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"

#
# XSS
#
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm jscript onsubmit copyparentfolder javascript meta onmove onkeydown onchange onkeyup activexobject expression onmouseup ecmascript onmouseover vbscript: <![cdata[ http: settimeout onabort shell: .innerhtml onmousedown onkeypress asfunction: onclick .fromcharcode background-image: .cookie ondragdrop onblur x-javascript mocha: onfocus javascript: getparentfolder lowsrc onresize @import alert onselect script onmouseout onmousemove background application .execscript livescript: getspecialfolder vbscript iframe .addimport onunload createtextrange onload <input" \
        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1"
SecAction phase:2,pass,nolog,skipAfter:959004
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\(|sfunction:))|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?(?:(?:script|meta)\b|iframe)|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
        "phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'950004',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\(|sfunction:))|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?(?:(?:script|meta)\b|iframe)|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack',id:'959004',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2'"

#
# File Injection
#
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "@pm .www_acl .htpasswd .htaccess boot.ini httpd.conf /etc/ .htgroup global.asa .wwwacl" \
        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1"
SecAction phase:2,pass,nolog,skipAfter:959005
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt',id:'950005',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt',id:'959005',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2'"

#
# Command access
#
SecRule REQUEST_FILENAME "\b(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe\b" \
        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Access',id:'950002',tag:'WEB_ATTACK/FILE_INJECTION',logdata:'%{TX.0}',severity:'2'"

#
# Command injection
#
SecRule ARGS "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod cpp telnet cmd32.exe gcc g++" \
        "phase:2,t:none,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1"
SecAction phase:2,pass,nolog,skipAfter:950006
SecRule ARGS "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \
        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'950006',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES \
        "@pm uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod cpp telnet cmd32.exe gcc g++" \
        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1"
SecAction pass,nolog,skipAfter:959006
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES \
        "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'959006',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"

SecRule ARGS \! !"(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'950907',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs|User-Agent)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES" \! !"(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection',id:'959907',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'2'"

#
# Coldfusion injection
#
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug)\b" \
        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Injection of Undocumented ColdFusion Tags',id:'950008',tag:'WEB_ATTACK/CF_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/* "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug)\b" \
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Injection of Undocumented ColdFusion Tags',id:'959008',tag:'WEB_ATTACK/CF_INJECTION',logdata:'%{TX.0}',severity:'2'"

#
# LDAP injection
#
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'LDAP Injection Attack',id:'950010',tag:'WEB_ATTACK/LDAP_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'LDAP Injection Attack',id:'959010',tag:'WEB_ATTACK/LDAP_INJECTION',logdata:'%{TX.0}',severity:'2'"

#
# SSI injection
#
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \
        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'SSI injection Attack',id:'950011',tag:'WEB_ATTACK/SSI_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/* "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'SSI injection Attack',id:'959011',tag:'WEB_ATTACK/SSI_INJECTION',logdata:'%{TX.0}',severity:'2'"

#
# PHP injection
#
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "@pm <?fgets move_uploaded_file $_session readfile ftp_put ftp_fget gzencode ftp_nb_put bzopen readdir $_post fopen gzread ftp_nb_fput ftp_nb_fget ftp_get $_get scandir fscanf readgzfile fread proc_open fgetc fgetss ftp_fput ftp_nb_get session_start fwrite gzwrite gzopen gzcompress" \
        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,pass,nolog,skip:1"
SecAction pass,nolog,skipAfter:959013
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))" \
        "phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'PHP Injection Attack',id:'950013',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSE_SPLITTING',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/* "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?(?!xml))" \
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'PHP Injection Attack',id:'959013',tag:'WEB_ATTACK/PHP_INJECTION',tag:'WEB_ATTACK/HTTP_RESPONSE_SPLITTING',logdata:'%{TX.0}',severity:'2'"

#
# UPDF XSS
#
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#" \
        "phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Persistent Universal PDF XSS attack',id:'950018',tag:'WEB_ATTACK/UPDF_XSS',severity:'2'"
SecRule REQUEST_HEADERS|XML:/* "http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#" \
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Persistent Universal PDF XSS attack',id:'959018',tag:'WEB_ATTACK/UPDF_XSS',severity:'2'"

#
# Email Injection
#
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \
        "phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Email Injection Attack',id:'950019',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/* "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \
        "phase:2,t:none,t:urlDecode,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Email Injection Attack',id:'959019',logdata:'%{TX.0}',severity:'2'"

#
# HTTP Response Splitting
#
SecRule REQUEST_URI|REQUEST_HEADERS|REQUEST_HEADERS_NAMES "%0[ad]" \
        "phase:2,t:none,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'HTTP Response Splitting Attack',id:'950910',logdata:'%{TX.0}',severity:'1'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|XML:/* "(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
        "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'HTTP Response Splitting Attack',id:'950911',logdata:'%{TX.0}',severity:'1'"

# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.1
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------

# The trojan access detection rules detect access to known Trojans already
# installed on a server. Uploading of Trojans is part of the Anti-Virus rules
# and uses an external Anti Virus program when uploading files.
#
# Detection of Trojan access is especially important in a hosting environment
# where the actual Trojan upload may be done through valid methods and not
# through hacking.
# --
#
# NOTE Trojan detection is based on checking elements controlled by the client.
# A determined attacker can bypass those checks. We are working on
# enhancing the checks so it would require a major change in the Trojan
# to overcome.
#
# NOTE We found out that Trojan horses are not detected easily by Anti-Virus
# software when uploading, as the signature set of AV software is not tuned
# for this purpose. We are working on adding signatures tuned to detect
# Trojan uploads to the file upload inspection.
#

SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" "phase:2,t:none,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'950110',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2'"
SecRule REQUEST_FILENAME "root\.exe" \
        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'950921',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2'"
SecRule RESPONSE_BODY "(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?:microsoft windows\b.{,10}?\bversion\b.{,20}?\(c\) copyright 1985-.{,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\b|aventgrup\.<br>|drwxr))" \
        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'950922',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2'"

# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.1
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------

#
# NOTE By default the status code sent is 501, which implies that the web
# server does not support the required operation. This is a non-standard
# use of this status code, which normally refers to unsupported HTTP methods.
# It is used in order to confuse automated clients and scanners.

# Statistics pages revealed
SecRule RESPONSE_BODY "\b(?:Th(?:is (?:summary was generated by.{0,100}?(?:w(?:ebcruncher|wwstat)|analog|Jware)|analysis was produced by.{0,100}?(?:calamaris|EasyStat|analog)|report was generated by WebLog)|ese statistics were produced by (?:getstats|PeLAB))|[gG]enerated by.{0,100}?[Ww]ebalizer)\b" \
        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Statistics Information Leakage',id:'970002',severity:'4'"

# SQL Errors leakage
SecRule RESPONSE_BODY "(?:\b(?:(?:s(?:elect list because it is not contained in (?:an aggregate function and there is no|either an aggregate function or the) GROUP BY clause|upplied argument is not a valid (?:(?:M(?:S |y)|Postgre)SQL|O(?:racle|DBC)))|S(?:yntax error converting the \w+ value .*? to a column of data type|QL Server does not exist or access denied)|Either BOF or EOF is True, or the current record has been deleted(?:; the operation|\. Requested)|The column prefix .{0,50}? does not match with a table name or alias name used in the query|Could not find server '\w+' in sysservers\. execute sp_addlinkedserver)\b|Un(?:closed quotation mark before the character string\b|able to connect to PostgreSQL server:)|(?:Microsoft OLE DB Provider for .{0,30} [eE]rror |error '800a01b8)'|(?:Warning: mysql_connect\(\)|PostgreSQL query failed):|You have an error in your SQL syntax(?: near '|;)|cannot take a \w+ data type as an argument\.|incorrect syntax near (?:\'|the\b|@@error\b)|microsoft jet database engine error '8|ORA-\d{5}: )|\[Microsoft\]\[ODBC )" \
        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'SQL Information Leakage',id:'970003',tag:'LEAKAGE/ERRORS',severity:'4'"

# IIS Errors leakage
SecRule RESPONSE_BODY "(?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application uses a value of the wrong type for the current operation\b|error')| trappable error occurred in an external object\. The script cannot continue running\b)|Microsoft VBScript (?:compilation (?:\(0x8|error)|runtime (?:Error|\(0x8))\b|Object required: '|error '800)|<b>Version Information:<\/b>(?:&nbsp;|\s)(?:Microsoft \.NET Framework|ASP\.NET) Version:|(?:\/[Ee]rror[Mm]essage\.aspx?\?[Ee]rror|>error 'ASP)\b)" \
        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'IIS Information Leakage',id:'970004',tag:'LEAKAGE/ERRORS',severity:'4'"
SecRule RESPONSE_BODY "\bServer Error in.{0,50}?\bApplication\b" \
        "phase:4,chain,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'IIS Information Leakage',id:'970904',tag:'LEAKAGE/ERRORS',severity:'4'"
SecRule RESPONSE_STATUS "!^404$" "t:none"

# Zope Information Leakage
SecRule RESPONSE_BODY "<h2>Site Error<\/h2>.{0,20}<p>An error was encountered while publishing this resource\." \
        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'Zope Information Leakage',id:'970007',tag:'LEAKAGE/ERRORS',severity:'4'"

# CF Information Leakage
SecRule RESPONSE_BODY "\bThe error occurred in\b.{0,100}: line\b.{0,1000}\bColdFusion\b.*?\bStack Trace \(click to expand\)\b" \
        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'Cold Fusion Information Leakage',id:'970008',tag:'LEAKAGE/ERRORS',severity:'4'"

# PHP Information Leakage
SecRule RESPONSE_BODY "<b>Warning<\/b>.{0,100}?:.{0,1000}?\bon line\b" \
        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'PHP Information Leakage',id:'970009',tag:'LEAKAGE/ERRORS',severity:'4'"

# ISA server existence revealed
SecRule RESPONSE_BODY "\b403 Forbidden\b.*?\bInternet Security and Acceleration Server\b" \
        "phase:4,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'ISA server existence revealed',id:'970010',tag:'MISCONFIGURATION',severity:'4'"

# Microsoft Office document properties leakage
SecRule RESPONSE_BODY "<o:documentproperties>" \
        "phase:4,t:none,log,auditlog,msg:'Microsoft Office document properties leakage',id:'970012',tag:'LEAKAGE/INFO',severity:'4'"

# Directory Listing
SecRule RESPONSE_BODY "(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]<\/[Aa]><br>)" \
        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:403,msg:'Directory Listing',id:'970013',tag:'LEAKAGE/INFO',severity:'4'"

# ASP/JSP source code leakage
SecRule RESPONSE_BODY "(?:\b(?:(?:s(?:erver\.(?:(?:(?:htm|ur)lencod|execut)e|createobject|mappath)|cripting\.filesystemobject)|(?:response\.(?:binary)?writ|vbscript\.encod)e|wscript\.(?:network|shell))\b|javax\.servlet)|\.(?:(?:(?:createtex|ge)t|loadfrom)file|addheader)\b|<jsp:)" \
        "phase:4,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'ASP/JSP source code leakage',id:'970014',tag:'LEAKAGE/SOURCE_CODE',severity:'4'"
SecRule RESPONSE_BODY "\<\%" "phase:4,chain,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'ASP/JSP source code leakage',id:'970903',tag:'LEAKAGE/SOURCE_CODE',severity:'4'"
SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)" "t:none"

# PHP source code leakage
SecRule RESPONSE_BODY "(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b" \
        "phase:4,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',id:'970015',tag:'LEAKAGE/SOURCE_CODE',severity:'4'"
SecRule RESPONSE_BODY "<\?(?!xml)" \
        "phase:4,chain,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',id:'970902',tag:'LEAKAGE/SOURCE_CODE',severity:'4'"
SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)" "t:none"

# CF source code leakage
SecRule RESPONSE_BODY "<cf" \
        "phase:4,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'Cold Fusion source code leakage',id:'970016',tag:'LEAKAGE/SOURCE_CODE',severity:'4'"

# IIS default location
SecRule RESPONSE_BODY "[a-z]:\\\\inetpub\b" \
        "phase:4,t:none,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'IIS installed in default location',id:'970018',severity:'5',chain,initcol:global=global"
SecRule &GLOBAL:alerted_970018_iisDefLoc "@eq 0" "setvar:global.alerted_970018_iisDefLoc"

# The application is not available
SecRule RESPONSE_STATUS "^503$" "phase:4,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'The application is not available',id:'970901',severity:'5'"
SecRule RESPONSE_BODY "(?:Microsoft OLE DB Provider for SQL Server(?:<\/font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)<br>Timeout expired<br>)|<h1>internal server error<\/h1>.*?<h2>part of the server has crashed or it has a configuration error\.<\/h2>|cannot connect to the server: timed out)" \
        "phase:4,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'The application is not available',id:'970118',severity:'5'"

# Weblogic information disclosure
SecRule RESPONSE_STATUS "^500$" "phase:4,chain,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'WebLogic information disclosure',id:'970021',severity:'4'"
# Chained rule: the "t:none," that had slipped into the pattern would have made it never match; the transformation belongs in the action list.
SecRule RESPONSE_BODY "<title>JSP compile error<\/title>" "t:none"

# File or Directory Names Leakage
SecRule RESPONSE_BODY "href\s?=[\s\"\']*[A-Za-z]\:\x5c([^\"\']+)" "phase:4,chain,capture,t:none,ctl:auditLogParts=+E,log,auditlog,msg:'File or Directory Names Leakage',id:'970011',tag:'LEAKAGE/INFO',severity:'4'"
SecRule TX:1 "!program files\x5cmicrosoft office\x5c(?:office|templates)" "t:none,t:lowercase"

ModSecurity

What about real protection?
Willing to write a “real” set of SecRules yourself?

Page 28: Protecting TYPO3 With Suhosin And Modsecurity

ModSecurity

What about real protection?
Willing to write a “real” set of SecRules yourself?

I don’t!


Page 29: Protecting TYPO3 With Suhosin And Modsecurity

ModSecurity

What about real protection?
Core rules are installed with the Debian package: /usr/share/doc/mod-security2-common/examples/rules/

Copy them to /var/lib/modsecurity2/core/

Edit your configuration


Page 30: Protecting TYPO3 With Suhosin And Modsecurity

ModSecurity

What about real protection?
Edit the core rule file modsecurity_crs_10_config.conf

Adapt it to your needs

Hint: modsecurity.conf-minimal (from package)

Restart Apache

Page 31: Protecting TYPO3 With Suhosin And Modsecurity

ModSecurity

Let’s Use TYPO3


Page 32: Protecting TYPO3 With Suhosin And Modsecurity

ModSecurity

TYPO3 needs some tuning...

--1a422639-A--[23/Jan/2009:16:08:59 +0100] SXndi38AAQEAADs5YUUAAAAB 84.73.171.189 37436 193.33.30.197 80--1a422639-B--POST /typo3/alt_doc.php?&returnUrl=%2Ftypo3conf%2Fext%2Ftemplavoila%2Fmod1%2Findex.php%3Fid%3D12&edit[tt_content][12]=edit HTTP/1.1.........--1a422639-H--Message: Access denied with code 412 (phase 2). Pattern match "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(? ..." at ARGS:data[tt_content][12][bodytext]. [file "/var/lib/modsecurity2/core/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [data "insert into"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]

POST /typo3/alt_doc.php

id “950001”

msg “SQL Injection Attack”
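Reading the audit entry by eye is how the slide does it; for a defender who has to go through many of them, the following added Python example (not code from the presentation) splits a serial audit log entry into its parts, pulls out the fields that matter for deciding whether a hit is a false positive (rule id, message, matched variable, request path), and builds the whitelist fragment that the next slides put into the exceptions file. The embedded log text is a constructed, shortened copy of the entry above with documentation IP addresses; the exceptions layout (`/etc/apache2/conf.typo3.d/exceptions`) is the one named on the slides.

```python
import re

# Constructed copy of the audit log entry shown on the slide: pattern text
# shortened, client/server addresses replaced by documentation ranges.
AUDIT_SAMPLE = r"""--1a422639-A--
[23/Jan/2009:16:08:59 +0100] SXndi38AAQEAADs5YUUAAAAB 192.0.2.10 37436 198.51.100.20 80
--1a422639-B--
POST /typo3/alt_doc.php?&returnUrl=%2Ftypo3conf%2Fext%2Ftemplavoila%2Fmod1%2Findex.php%3Fid%3D12&edit[tt_content][12]=edit HTTP/1.1
Host: typo3.example.org
--1a422639-H--
Message: Access denied with code 412 (phase 2). Pattern match "(?:\b(?:(?:s(?:elect\b ..." at ARGS:data[tt_content][12][bodytext]. [file "/var/lib/modsecurity2/core/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [data "insert into"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]
--1a422639-Z--
"""

# Serial audit log: each part starts with --<boundary>-<letter>-- on its own line.
SECTION_RE = re.compile(r'^--([0-9A-Za-z]+)-([A-Z])--\n', re.M)
# [key "value"] fields appended to the Message line in part H.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Request line in part B.
REQUEST_RE = re.compile(r'^([A-Z]+) (\S+) HTTP/\d\.\d', re.M)
# '... at ARGS:foo. [file ...' -> the variable the rule matched on.
VARIABLE_RE = re.compile(r' at (\S+)\. \[')


def split_sections(entry):
    """Map part letter (A, B, H, ...) to the text of that part."""
    parts = {}
    headers = list(SECTION_RE.finditer(entry))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(entry)
        parts[h.group(2)] = entry[h.end():end].strip('\n')
    return parts


def parse_audit_entry(entry):
    """Extract what is needed to judge the hit: who, where, which rule, on what."""
    parts = split_sections(entry)
    request = REQUEST_RE.search(parts.get('B', ''))
    message = parts.get('H', '')
    fields = dict(FIELD_RE.findall(message))
    variable = VARIABLE_RE.search(message)
    return {
        'method': request.group(1) if request else None,
        'path': request.group(2).split('?', 1)[0] if request else None,
        'rule_id': fields.get('id'),
        'msg': fields.get('msg'),
        'severity': fields.get('severity'),
        'rule_file': fields.get('file'),
        'variable': variable.group(1) if variable else None,
    }


def exception_snippet(alert):
    """Whitelist fragment for the exceptions file, for a hit confirmed benign.

    Scoped to the one backend script, so the rule keeps protecting everything else.
    """
    return ('<LocationMatch "^%s$">\n'
            '    SecRuleRemoveById %s\n'
            '</LocationMatch>' % (re.escape(alert['path']), alert['rule_id']))


if __name__ == '__main__':
    alert = parse_audit_entry(AUDIT_SAMPLE)
    print(alert)
    print(exception_snippet(alert))
```

The variable field is the useful part: `ARGS:data[tt_content][12][bodytext]` says the "SQL injection" is the body text of a content element an authenticated backend user is saving, which is the normal TYPO3 editing path and not an attack.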

Page 33

ModSecurity

Tuning for TYPO3

Add exceptions to /etc/apache2/conf.typo3.d/exceptions

POST /typo3/alt_doc.php

id “950001”

msg “SQL Injection Attack”

Page 34

ModSecurity

Tuning for TYPO3

Add exceptions to /etc/apache2/conf.typo3.d/exceptions

Reference this file for TYPO3 virtual hosts
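As an added example (the slides do not reproduce the presenter's own files), this is what the pieces from the last few slides can look like together: the exception for rule 950001 on the TYPO3 backend script, and a TYPO3 virtual host that loads the core rules copied from the Debian examples directory and then the exceptions file. The directory paths are the ones named on the slides; the ServerName, DocumentRoot and the decision to include the rules per virtual host are assumptions.

```apache
# /etc/apache2/conf.typo3.d/exceptions  (path from the slide)
# Rule 950001 ("SQL Injection Attack") matched editor text that a backend
# user saved through alt_doc.php (audit log entry on the previous slide).
# Remove it for that one script only; every other URL keeps the rule.
<LocationMatch "^/typo3/alt_doc\.php$">
    SecRuleRemoveById 950001
</LocationMatch>

# TYPO3 virtual host (assumed layout): "reference this file for TYPO3
# virtual hosts"
<VirtualHost *:80>
    ServerName typo3.example.org
    DocumentRoot /var/www/typo3

    <IfModule security2_module>
        # Core rules copied to /var/lib/modsecurity2/core/; the file
        # modsecurity_crs_10_config.conf in that directory is the one tuned
        # earlier with the help of modsecurity.conf-minimal.
        Include /var/lib/modsecurity2/core/*.conf
        # Exceptions must be read after the rules they remove.
        Include /etc/apache2/conf.typo3.d/exceptions
    </IfModule>
</VirtualHost>
```

Order matters: SecRuleRemoveById acts on rules that are already defined, so the exceptions Include has to follow the core rules. Removing a rule by id for alt_doc.php also means that script loses the SQL injection check entirely, which is acceptable only because it is the authenticated backend; keep it behind SSL as the summary slides recommend, and watch the audit log for that path.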

Page 35

ModSecurity

Tuning for TYPO3 (cont.)

Manual tuning for “common” extensions: > 100 lines

TYPO3 WAF project

Ready set of rules for ModSecurity

Lars Houmark and Lars E. D. Jensen

"Our goals with TYPO3 WAF. To create a minimal (server performance wise) rule set for TYPO3 and extensions which address very generic methods of attacking and TYPO3/extension security holes."

Page 36

Summary & Further Protection

Page 37

Summary

Suhosin

Protects PHP and locks down the system

ModSecurity

Focused on Web protocols

Can analyze SSL traffic

Do not rely only on those systems

Page 38

Summary

Be Proactive

Think like the adversary

What is wrong with my system?

How can I exploit it?

Never too late to add security

Do not ignore risk but mitigate it

Compartmentalize / Least privilege

Fail safely w/o information disclosure

Page 39

Summary

System Lock Down

Fix filesystem permissions

Do not allow write unless needed (typo3conf, uploads, ...)

Prevent file execution

Use SSL whenever possible

mod_ssl (dedicated IP / port)

mod_gnutls (not well supported though)

Reverse proxy (Apache, pound, nginx, ...)
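One concrete form of "do not allow write unless needed" and "prevent file execution", as an added example that is not from the presentation: the directories the web server must be able to write to (uploads on the slide, plus fileadmin, TYPO3's editor upload tree) get the PHP interpreter and CGI execution switched off, while typo3conf, which also needs write access, stays executable because extensions live in typo3conf/ext. The DocumentRoot and the use of mod_php (php_admin_flag) are assumptions.

```apache
# Assumed TYPO3 document root; adapt to your installation. typo3conf/ must
# stay executable (extensions live in typo3conf/ext), so only its write
# permission is tightened, at the filesystem level, not here.
<Directory /var/www/typo3>
    Options -Indexes
</Directory>

# Upload areas: writable for the web server user, but nothing in them may run.
<DirectoryMatch "^/var/www/typo3/(uploads|fileadmin)/">
    # Assumes PHP runs as mod_php: switch the interpreter off for this tree.
    php_admin_flag engine Off
    # Belt and braces: unmap script extensions and forbid CGI execution.
    RemoveHandler .php .phtml .php3 .php4 .php5
    RemoveType .php .phtml .php3 .php4 .php5
    Options -ExecCGI -Indexes
</DirectoryMatch>
```

The filesystem side is the usual chown/chmod so that the Apache user can write only to typo3conf, uploads, fileadmin and typo3temp and everything else is read-only for it. After restarting Apache, verify the setting by placing a harmless test .php file in fileadmin yourself and requesting it: it must not be executed.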

Page 40

Summary

Monitoring

Know if you are compromised / attacked

Offsite backups

Recovery procedures

Page 41

Links

Suhosin Website: http://www.hardened-php.net/suhosin/

ModSecurity Website: http://www.modsecurity.org

Additional Ruleset for ModSecurity

http://www.gotroot.com/mod_security+rules

http://typo3.org/waf.txt

WAF Project Newsgroup: news://news.netfielders.de/typo3.projects.waf
