# ---------------------------------------------------------------
# Core ModSecurity Rule - Updated by Wael Isa
# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
#
# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
#
# 22-07-2008
# ---------------------------------------------------------------

# Configuration contained in this file should be customized
# for your specific requirements before deployment.
#
# Next to each rule there is a description of what it does. Each
# location where customization is needed is marked with "TODO". It
# is recommended that you:
#
# 1) Keep a copy of the original file. This will allow you to use
#    the "diff" command to quickly see the changes. It will also
#    make upgrades to future rule sets easier.
#
# 2) Document your changes thoroughly.
#
# You are advised to start with ModSecurity in detection mode only.
# Switch to protection when you are comfortable with your rule set.
# For maximum protection monitor your logs on a daily basis (or
# better).
#
# TODO You may want to provide a friendly error message to your
# users when you start rejecting requests. You can do this using
# the Apache ErrorDocument directive. You should also add
# mod_unique_id to your configuration and display the unique
# request ID on the error page. This would allow your users to
# report the request ID back to you so that you can investigate
# the false positive (if that's what it is). A nice error page
# usually reduces the impact of false positives on the users.
#
# The drawback of this user-friendly approach is that it is
# easier for attackers to figure out that there is a web
# application firewall protecting the application.
#
# ErrorDocument 403 /path/to/error_document.php
#
# For more information see
# http://httpd.apache.org/docs-2.0/custom-error.html

## -- Configuration ----------------------------------------------------------

# Turn ModSecurity on ("On"), set to monitoring only
# ("DetectionOnly") or turn off ("Off").
#
SecRuleEngine On

# Define which parts of the HTTP transaction to inspect.
#
# Inspecting the request body (SecRequestBodyAccess) should probably always be
# set to "On". Only very high volume sites that never use POST requests might
# want to set it to "Off" to optimize performance.
#
# Inspecting the response body is useful for monitoring for information leaks,
# or for signs of intrusion. However, it does require all responses to be
# buffered in memory. For most sites this should not be a problem, but special
# care must be taken to avoid buffering file downloads (through
# MIME type selection, as shown below).
#
# TODO If you decide to enable output filtering make sure to
# review the list of scanned MIME types. If pages of the types specified
# for outbound inspection are smaller than 512K in your application
# (which is usually the case) you may reduce the SecResponseBodyLimit
# to protect from potential denial of service attacks.
#
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 524288

# Initiate the XML processor in case of an xml content-type
#
# TODO Uncomment this rule if you wish to parse
# text/xml requests using the XML parser. Note
# that this may cause considerable overhead in processing
# text/xml requests.
#
#SecRule REQUEST_HEADERS:Content-Type "text/xml" \
#"phase:1,pass,nolog,ctl:requestBodyProcessor=XML"

# What to do when an error is encountered.
#
# The default is to log the error and let the request go through.
# This is a reasonable setting to start with because you do not
# want to reject legitimate requests with an untuned rule set.
#
# If, after monitoring the performance of the rule set for a
# sufficient period, you determine the rules never (or rarely)
# trigger on legitimate requests, you can change to something
# else, such as "log,deny,status:403". You can also leave the
# default setting here as is, but use per-rule action configuration
# to only configure some rules to reject requests, leaving most
# of them to work in detection mode.
#
#SecDefaultAction "phase:2,log,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"

# Set web server identification string
#
# TODO In case you use Apache, you may want to specify a simple server signature
# instead of the detailed Apache default signature that lists most modules
# used on the specific Apache deployment:
#   "Apache/2.2.0 (Fedora)"
# For this directive to work, you need to set Apache ServerTokens
# to Full (this is the default option).
#
SecServerSignature "Mod_Security 2.5.9 enabled"

# Add ruleset identity to the logs
#
SecComponentSignature "core ruleset/1.6.0"

## -- File uploads configuration -----------------------------------------------

# Temporary file storage path.
#
# TODO Change the temporary folder setting to a path where only
# the web server has access.
#
SecUploadDir /tmp

# Whether or not to keep the stored files.
#
# In most cases you don't want to keep the uploaded files (especially
# when there are a lot of them). It may be useful to change the setting
# to "RelevantOnly", in which case the files uploaded in suspicious
# requests will be stored.
#
SecUploadKeepFiles Off

# Inspect uploaded files.
#
# TODO If there is a danger of attack through uploaded files then it
# is possible to configure an external script to inspect each file
# before it is seen by the application. An example script is
# included with ModSecurity (/util/modsec-clamscan.pl).
#
# Inspecting uploaded files is especially important in hosting,
# community or blogging environments where uploading files is permitted.
#
# NOTE The t:none action is required in order not to process the file names
# passed to the script based on previously defined actions in a
# SecDefaultAction directive.
#
# SecRule FILES_TMPNAMES "@inspectFile /opt/apache/bin/inspect_script.pl" \
#     "t:none"

## -- Logging ----------------------------------------------------------------

# Whether to log requests to the ModSecurity audit log.
#
# By default, only requests that trigger a ModSecurity event (as detected
# by the rules) or a server error are logged ("RelevantOnly"). This is a
# reasonable setting. Full logging can be set by using "On". If the system is
# used for protection only and no logging is desired (not recommended) logging
# can be turned off using "Off".
#
# NOTE It is also possible to configure forensic logging on a
# per-request basis using the "auditlog" and "noauditlog" rule
# actions.
#
# TODO The default rule set logs requests that generate a 404 "file not found"
# response. These events are interesting, but may log a lot of information.
# You may consider removing it by setting SecAuditLogRelevantStatus
# to "^(?:5|4\d[^4])".
#
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Log files structure
#
# You can select to log all events to a single log file (set SecAuditLogType to
# "Serial") or to log each request to a separate file (set it to "Concurrent").
# The former is usually easier to use, but if full logging is required or if
# the protected system supports a large transaction volume the latter may
# be a better option.
#
# TODO Set the SecAuditLog (for "Serial" logging) or SecAuditLogStorageDir (for
# "Concurrent" logging).
#
# TODO If you change from "Serial" to "Concurrent" uncomment the
# SecAuditLogStorageDir directive and make sure the directory specified
# exists and has write permissions for the Apache user.
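An added check, not part of this rule set: ModSecurity matches SecAuditLogRelevantStatus against the three-digit response status as a string, so the value in force above and the alternative suggested in the TODO can be compared directly. The script below lists which 4xx/5xx codes each expression keeps out of the audit log; the TODO's variant also drops 414, 424 and every other 4x4 code, not just 404.

```python
import re

# The SecAuditLogRelevantStatus value configured in this file.
CONFIGURED = re.compile(r"^(?:5|4(?!04))")
# The alternative offered in the TODO comment of the logging section.
SUGGESTED = re.compile(r"^(?:5|4\d[^4])")


def is_relevant(status, pattern=CONFIGURED):
    """True when a response with this status code would be written to the
    audit log under SecAuditEngine RelevantOnly (regex is applied to the
    status code rendered as a string, which is what ModSecurity does)."""
    return pattern.match(str(status)) is not None


def statuses_dropped_by(pattern):
    """4xx/5xx codes the given expression keeps out of the audit log."""
    return [s for s in range(400, 600) if not is_relevant(s, pattern)]


if __name__ == "__main__":
    print("configured drops:", statuses_dropped_by(CONFIGURED))
    print("suggested  drops:", statuses_dropped_by(SUGGESTED))
```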
SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log
# SecAuditLogStorageDir logs/modsec_audit

# Select what portions of the request to log
#
# Modify the string by adding any of the letters below to it:
#   A - audit log header (mandatory)
#   B - request headers
#   C - request body (present only if the request body exists and ModSecurity is
#       configured to intercept it)
#   E - intermediary response body (present only if ModSecurity is configured to
#       intercept response bodies, and if the audit log engine is configured to
#       record it). Intermediary response body is the same as the actual response
#       body unless ModSecurity intercepts the intermediary response body, in
#       which case the actual response body will contain the error message
#       (either the Apache default error message, or the ErrorDocument page).
#   F - final response headers (excluding the Date and Server headers, which are
#       always added by Apache in the late stage of content delivery).
#   H - audit log trailer
#   I - This part is a replacement for part C. It will log the same data as C in
#       all cases except when multipart/form-data encoding is used. In this case
#       it will log a fake application/x-www-form-urlencoded body that contains
#       the information about parameters but not about the files. This is handy
#       if you don't want to have (often large) files stored in your audit logs.
#   K - list of every rule that matched, one per line, in the order matched
#   Z - final boundary, signifies the end of the entry (mandatory)
#
SecAuditLogParts "ABIFHKZ"

# Create a separate log to monitor performance.
#
# TODO Performance monitoring only works with Apache 2.x. You need
# to add mod_unique_id and mod_logio to your configuration. Then
# uncomment the following two lines.
#
# LogFormat "%V %h %t %{UNIQUE_ID}e \"%r\" %>s %X | %I %O | %<{mod_security-time1}n %<{mod_security-time2}n %<{mod_security-time3}n %D" mperformance
# CustomLog logs/modsec_performance.log mperformance

# Custom application access log.
#
# TODO You should consider creating a custom access log. It could contain
# the performance metrics from above, but should also record the
# session ID for every request. That would make it possible to
# list all requests performed as part of a session.
#
# One custom log should be used per application but if you want
# multiple applications to share one log file make sure each
# line includes a unique application ID (unless the hostname is
# sufficient for differentiation).

## -- Tuning and debugging -----------------------------------------------------

# This section includes tuning and debugging directives that usually require no
# modifications unless

# Parameters separator
#
# Specifies which character to use as separator for
# application/x-www-form-urlencoded content.
# Defaults to "&". Applications are sometimes (very rarely) written to use
# a semicolon (";").
#
# NOTE Changing the value for this directive has significant influence on how
# ModSecurity works. Make the change only if you are absolutely sure it
# is required.
#
SecArgumentSeparator "&"

# Selects the cookie format that will be used in the current configuration
# context.
#
# Possible values are:
#   0 - use version 0 (Netscape) cookies. This is what most applications use.
#       It is the default value.
#   1 - use version 1 cookies.
#
SecCookieFormat 0

# Maximum size of the request body to keep in memory
#
# A higher value requires more server memory while a lower number would slow
# the server due to additional disk access. By default the limit is 128 KB:
#
SecRequestBodyInMemoryLimit 131072

# Whether to send ModSecurity messages to a separate debug log.
#
# Debug messages are very useful for, well, debugging. The default
# setting here copies (they always appear in the Apache error log)
# only the most important messages (errors and warnings).
#
# NOTE Debug logging is generally very slow. You should never
# use values greater than "3" in production.
#
#SecDebugLog logs/modsec_debug.log
#SecDebugLogLevel 3

# Path where persistent data (e.g. IP address data, session data, etc) is to
# be stored. Must be writable by the web server user.
#
# TODO It is advisable to create a directory structure for ModSecurity such as
# /var/log/msa and create sub directories for SecDataDir, SecTmpDir,
# SecUploadDir, SecAuditLog and SecAuditLogStorageDir
# underneath it and set the permissions for read and write only by the
# Apache user.
#
SecDataDir /tmp

# Configures the directory where temporary files will be created.
#
SecTmpDir /tmp

## -- Bad robots ---------------------------------------------------------------
#
# NOTE Bad robots detection is based on checking elements easily
# controlled by the client. As such a determined attacker can bypass
# those checks. Therefore bad robots detection should not be viewed as
# a security mechanism against targeted attacks but rather as a nuisance
# reduction, eliminating most of the random attacks against your web
# site.
#
# NOTE Every rule below applies t:lowercase before matching, so the patterns
# are written in lowercase.

SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|webinspect|\.nasl)" \
    "phase:2,t:none,t:lowercase,deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',tag:'AUTOMATION/SECURITY_SCANNER',severity:'2'"

SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
    "phase:2,t:none,t:lowercase,deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990901',tag:'AUTOMATION/SECURITY_SCANNER',severity:'2'"

SecRule REQUEST_FILENAME "^/nessustest" \
    "phase:2,t:none,t:lowercase,deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990902',tag:'AUTOMATION/SECURITY_SCANNER',severity:'2'"

SecRule REQUEST_HEADERS:User-Agent "(?:e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro|o browse)|m(?:ozilla\/4\.0 \(compatible; advanced email extractor|ailto:craftbot\@yahoo\.com)|a(?:t(?:tache|hens)|utoemailspider|dsarobot)|w(?:eb(?:emailextrac| by mail)|3mir)|f(?:astlwspider|loodgate)|p(?:cbrowser|ackrat|surf)|(?:digout4uagen|takeou)t|\bdatacha0s\b|hhjhj@yahoo|chinaclaw|rsync|shai|zeus)" \
    "phase:2,t:none,t:lowercase,deny,log,auditlog,status:404,msg:'Rogue web site crawler',id:'990012',tag:'AUTOMATION/MALICIOUS',severity:'2'"

# Chained: the second rule exempts Apache's own perl-based user agents.
SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|mozilla\/2\.0 \(compatible; newt activex; win32\)|w(?:3mirror|get)|download demon|l(?:ibwww|wp)|p(?:avuk|erl)|big brother|autohttp|netants|ecatch|curl)" \
    "chain,phase:2,t:none,t:lowercase,log,auditlog,msg:'Request Indicates an automated program explored the site',id:'990011',tag:'AUTOMATION/MISC',severity:'5'"
SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl" "t:none,t:lowercase"

## -- Trojans ------------------------------------------------------------------

# The Trojan access detection rules detect access to known Trojans already
# installed on a server. Uploading of Trojans is part of the Anti-Virus rules
# and uses an external Anti-Virus program when uploading files.
#
# Detection of Trojan access is especially important in a hosting environment
# where the actual Trojan upload may be done through valid methods and not
# through hacking.
# --
#
# NOTE Trojan detection is based on checking elements controlled by the client.
# A determined attacker can bypass those checks. We are working on
# enhancing the checks so it would require a major change in the Trojan
# to overcome.
#
# NOTE We found out that Trojan horses are not detected easily by Anti-Virus
# software when uploading as the signature set of AV software is not tuned
# for this purpose. We are working on adding signatures tuned to detect
# Trojan uploads to file uploading inspection.
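The serial audit log configured in the logging section above (SecAuditLogParts "ABIFHKZ", with part E added by the Trojan rules' ctl:auditLogParts=+E) is a sequence of entries whose parts are delimited by "--<boundary>-<letter>--" lines, A opening and Z closing each entry. The parser below is an added example, not part of this rule set or of ModSecurity; the log text it reads is constructed for the example (unique ids, addresses and file paths are made up), while the boundary layout, the part A fields and the "[id "..."]" tags in part H follow ModSecurity's real format.

```python
"""Parse a ModSecurity serial audit log (SecAuditLogType Serial) into its parts.
Added example; the SAMPLE_LOG below is constructed, not a real capture."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

BOUNDARY_RE = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")   # part separator
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')                  # rule ids in part H
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")             # status line, part F


@dataclass
class AuditEntry:
    boundary: str
    parts: dict = field(default_factory=dict)   # part letter -> raw text

    def unique_id(self) -> str:
        # Part A: "[timestamp] unique_id src_ip src_port dst_ip dst_port"
        return self.parts["A"].split("] ", 1)[1].split()[0]

    def request_line(self) -> str:
        return self.parts.get("B", "").split("\n", 1)[0]

    def response_status(self) -> int | None:
        m = STATUS_RE.match(self.parts.get("F", ""))
        return int(m.group(1)) if m else None

    def rule_ids(self) -> list:
        return RULE_ID_RE.findall(self.parts.get("H", ""))


def parse_serial_audit_log(text: str) -> list:
    """Split the log into entries; each boundary line starts a new part."""
    entries, current, part, buf = [], None, None, []
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if not m:
            if part is not None:          # body line of the current part
                buf.append(line)
            continue
        if current is not None and part is not None:
            current.parts[part] = "\n".join(buf).strip("\n")
        boundary, letter = m.groups()
        if letter == "A":                 # A opens a new entry
            current = AuditEntry(boundary)
            entries.append(current)
        part, buf = letter, []
        if letter == "Z":                 # Z closes it; skip until the next A
            current, part = None, None
    return entries


def summarize(entries: list) -> list:
    """(unique_id, request line, status, matched rule ids) per entry."""
    return [(e.unique_id(), e.request_line(), e.response_status(), e.rule_ids())
            for e in entries]


# Constructed sample: two intercepted requests logged with parts ABFH(K)Z.
SAMPLE_LOG = """\
--4ad79c5a-A--
[02/Mar/2009:11:50:31 +0100] Sa2Vd38AAAEAAE7vAeQAAAAA 192.168.1.10 54321 192.168.1.20 80
--4ad79c5a-B--
GET /root.exe HTTP/1.1
User-Agent: Nikto

--4ad79c5a-F--
HTTP/1.1 404 Not Found
Content-Type: text/html

--4ad79c5a-H--
Message: Access denied with code 404 (phase 2). Pattern match "root\\.exe" at REQUEST_FILENAME. [file "/etc/modsecurity/rules.conf"] [line "210"] [id "950921"] [msg "Backdoor access"] [severity "CRITICAL"] [tag "MALICIOUS_SOFTWARE/TROJAN"]
Action: Intercepted (phase 2)

--4ad79c5a-K--
SecRule REQUEST_FILENAME "root\\.exe" "phase:2,t:none,deny,status:404,id:'950921'"

--4ad79c5a-Z--

--a9e4c3d1-A--
[02/Mar/2009:11:51:02 +0100] Sa2Vln8AAAEAAE7wBdIAAAAB 192.168.1.11 40122 192.168.1.20 80
--a9e4c3d1-B--
GET /index.php HTTP/1.1
User-Agent: Brutus/AET

--a9e4c3d1-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1

--a9e4c3d1-H--
Message: Access denied with code 403 (phase 2). Pattern match "brutus/aet" at REQUEST_HEADERS:User-Agent. [file "/etc/modsecurity/rules.conf"] [line "301"] [id "330008"] [rev "1"] [msg "Bad User Agent: Brutus/AET"] [severity "CRITICAL"]
Action: Intercepted (phase 2)

--a9e4c3d1-Z--
"""

if __name__ == "__main__":
    for row in summarize(parse_serial_audit_log(SAMPLE_LOG)):
        print(row)
```

Run against a real modsec_audit.log, the summary gives one line per intercepted request with the rule ids to look up in this file when tuning false positives.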
#
SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" \
    "phase:2,t:none,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'950110',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2'"

SecRule REQUEST_FILENAME "root\.exe" \
    "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'950921',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2'"

# Response-body check for known web shell banners (phase 4, needs
# SecResponseBodyAccess On). Bounded quantifiers are written {0,n}; PCRE does
# not treat {,n} as a quantifier.
SecRule RESPONSE_BODY "(?:[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?:microsoft windows\b.{0,10}?\bversion\b.{0,20}?\(c\) copyright 1985-.{0,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\b|aventgrup\.<br>|drwxr))" \
    "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'950922',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2'"

# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Search Engine Recon/Google Hacks Security Rules for modsec 2.x
#
# Note: For modsecurity 2.x and above only
#
# NOTE The rules that follow carry no actions of their own: each inherits the
# SecDefaultAction below (log, deny with a 403, and the t:lowercase,
# t:replaceNulls and t:compressWhitespace transformations). Because the
# input is lowercased before the operator runs, every pattern is written in
# lowercase; the msg text keeps its original case.
#
# NOTE Ids 350008 and 350022 are each used twice below. ModSecurity 2.5 accepts
# this; later releases require unique rule ids.
#
SecDefaultAction "log,deny,auditlog,phase:2,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"

SecRule REQUEST_HEADERS:Referer "powered by gravity board" \
    "id:350000,rev:1,severity:2,msg:'Gravity Board Google Recon attempt'"
SecRule REQUEST_HEADERS:Referer "powered by silvernews" \
    "id:350001,rev:1,severity:2,msg:'SilverNews Google Recon attempt'"
SecRule REQUEST_HEADERS:Referer "powered.*phpbb.*2\.0\.\ inurl\:" \
    "id:350002,rev:1,severity:2,msg:'PHPBB 2.0 Google Recon attempt'"
SecRule REQUEST_HEADERS:Referer "phpfreenews inurl\:admin\.php" \
    "id:350003,rev:1,severity:2,msg:'PHPFreeNews Google Recon attempt'"
SecRule REQUEST_HEADERS:Referer "inurl.*/cgi-bin/query" \
    "id:350004,rev:1,severity:2,msg:'/cgi-bin/query Google Recon attempt'"
SecRule REQUEST_HEADERS:Referer "inurl.*tiki-edit_submission\.php" \
    "id:350005,rev:1,severity:2,msg:'tiki-edit Google Recon attempt'"
SecRule REQUEST_HEADERS:Referer "inurl.*wps_shop\.cgi" \
    "id:350006,rev:1,severity:2,msg:'wps_shop.cgi Google Recon attempt'"
SecRule REQUEST_HEADERS:Referer "inurl.*edit_blog\.php.*filetype\:php" \
    "id:350007,rev:1,severity:2,msg:'edit_blog.php Google Recon attempt'"
SecRule REQUEST_HEADERS:Referer "inurl.*passwd.txt.*wwwboard.*webadmin" \
    "id:350008,rev:1,severity:2,msg:'passwd.txt Google Recon attempt'"
SecRule REQUEST_HEADERS:Referer "inurl.*admin\.mdb" \
    "id:350008,rev:1,severity:2,msg:'admin.mdb Google Recon attempt'"
SecRule REQUEST_HEADERS:Referer "filetype:sql \x28\x22passwd values.*password values.*pass values" \
    "id:350009,rev:1,severity:2,msg:'passwd values Google Recon attempt'"
SecRule REQUEST_HEADERS:Referer "filetype.*blt.*buddylist" \
    "id:350010,rev:1,severity:2,msg:'buddy list Google Recon attempt'"
SecRule REQUEST_HEADERS:Referer "file upload manager v1\.3.*rename to" \
    "id:350011,rev:1,severity:2,msg:'Vulnerable App Google Recon attempt'"
SecRule REQUEST_HEADERS:Referer "filetype\x3Aphp haxplorer .*server files browser" \
    "id:350012,rev:1,severity:2,msg:'Vulnerable App Google Recon attempt'"
SecRule REQUEST_HEADERS:Referer "inurl.*passlist\.txt" \
    "id:350013,rev:1,severity:2,msg:'Password list Google Recon attempt'"
SecRule REQUEST_HEADERS:Referer "wwwboard webadmininurl\x3Apasswd\.txt wwwboard\x7Cwebadmin" \
    "id:350014,rev:1,severity:2,msg:'Vulnerable App Google Recon attempt'"
SecRule REQUEST_HEADERS:Referer "enter ip.*inurl\x3A\x22php-ping\.php\x22" \
    "id:350015,rev:1,severity:2,msg:'Vulnerable App Google Recon attempt'"
SecRule REQUEST_HEADERS:Referer "intitle\.*php shell.*enable stderr.*filetype\.php" \
    "id:350016,rev:1,severity:2,msg:'Vulnerable App Google Recon attempt'"
SecRule REQUEST_HEADERS:Referer "inurl\.*install.*install\.php" \
    "id:350017,rev:1,severity:2,msg:'Vulnerable App Google Recon attempt'"
SecRule REQUEST_HEADERS:Referer "powered by phpfm.*filetype\.php -username" \
    "id:350018,rev:1,severity:2,msg:'Vulnerable App Google Recon attempt'"
SecRule REQUEST_HEADERS:Referer "inurl\.*phpsysinfo.*created by phpsysinfo" \
    "id:350019,rev:1,severity:2,msg:'Vulnerable App Google Recon attempt'"
SecRule REQUEST_HEADERS:Referer "squirrelmail version 1\.4\.4.*inurl:src ext\.php" \
    "id:350020,rev:1,severity:2,msg:'Vulnerable App Google Recon attempt'"
SecRule REQUEST_HEADERS:Referer "inurl\.*webutil\.pl" \
    "id:350021,rev:1,severity:2,msg:'Vulnerable App Google Recon attempt'"
SecRule REQUEST_HEADERS:Referer "powered by 6rbscript" \
    "id:350022,rev:1,severity:2,msg:'Vulnerable App Google Recon attempt'"

# sumthin variant
# OSSEC 404 stuff does this better
SecRule REQUEST_URI "thisdoesnotexistahaha\.php" \
    "id:350022,rev:1,severity:2,msg:'Non-Existent File Google Recon attempt'"

# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# User Agent Security Rules for modsec 2.x
#

# Rule 330001: Comment spam header line
SecRule REQUEST_HEADERS "x-aaaaaa.*" \
    "id:330001,rev:1,severity:2,msg:'Spam: Generic spam header detected'"

# Rule 330002: Comment spam header line
SecRule REQUEST_BODY "x-aaaaaa.*" \
    "id:330002,rev:1,severity:2,msg:'Spam: Generic spam header detected'"

# Check for bad meta characters in the User-Agent field
#SecRule REQUEST_HEADERS:User-Agent ".*\'"

# Rule 330003: XSS in the UA field
SecRule REQUEST_HEADERS:User-Agent "<(.|\s|\n)?(script|about|applet|activex|chrome|object)(.|\s|\n)?>.*<(.|\s|\n)?(script|about|applet|activex|chrome|object)" \
    "id:330003,rev:1,severity:2,msg:'XSS in User Agent field'"

# Rule 330004: PHP code injection attack
SecRule REQUEST_HEADERS:User-Agent "(<\?php|<[[:space:]]*\?[[:space:]]*php)" \
    "id:330004,rev:1,severity:2,msg:'PHP code injection via User Agent'"

# Rule 330005: PHP code injection attack
SecRule REQUEST_HEADERS:User-Agent ".*http_get_vars" \
    "id:330005,rev:1,severity:2,msg:'PHP code injection via User Agent 2'"

# Rule 330006: recursion attack in UA field
SecRule REQUEST_HEADERS:User-Agent "\.\./\.\." \
    "id:330006,rev:1,severity:2,msg:'recursion attack in UA field'"

# May cause false positives with some software, comment out if it does
#SecRule REMOTE_ADDR "!^127\.0\.0\.1$" "chain,id:390000,rev:1,severity:1,msg:'Suspicious Automated or Manual Request'"
#SecRule "REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Host|REQUEST_HEADERS:Accept" "^$"

# Rule 330007: Exploit agent
SecRule REQUEST_HEADERS:User-Agent "mosiac 1\.*" \
    "id:330007,rev:1,severity:2,msg:'Exploit agent indicator in UA'"

# Rule 330008: Bad agent
SecRule REQUEST_HEADERS:User-Agent "brutus/aet" \
    "id:330008,rev:1,severity:2,msg:'Bad User Agent: Brutus/AET'"

# Rule 330009: CGI vuln scan tool
SecRule REQUEST_HEADERS:User-Agent "cgichk" \
    "id:330009,rev:1,severity:2,msg:'Bad User Agent: CGICHK vulnerability scanner'"

# Rule 330010: DataCha0s
SecRule REQUEST_HEADERS:User-Agent "datacha0s/2\.0" \
    "id:330010,rev:1,severity:2,msg:'Bad User Agent: DataCha0s'"

# Rule 330011: Damn fine UA
SecRule REQUEST_HEADERS:User-Agent ".*this is an exploit*" \
    "id:330011,rev:1,severity:2,msg:'Bad User Agent: Damn fine UA'"

# Rule 330012: Damn fine UA
SecRule REQUEST_HEADERS:User-Agent "morzilla" \
    "id:330012,rev:1,severity:2,msg:'Bad User Agent: Damn fine UA'"

# Rule 330013: CIRT.DK Webroot auditing tool
SecRule REQUEST_HEADERS:User-Agent ".*webroot " \
    "id:330013,rev:1,severity:2,msg:'Bad User Agent: Webroot vulnerability scanner'"

# Rule 330014: Exploit UA
SecRule REQUEST_HEADERS:User-Agent ".*t h a t \' s g o t t a h u r t*" \
    "id:330014,rev:1,severity:2,msg:'Bad User Agent: GOTTA HURT'"

# Rule 330015: XML RPC exploit tool
SecRule REQUEST_HEADERS:User-Agent "xmlrpc exploit*" \
    "id:330015,rev:1,severity:2,msg:'Bad User Agent: XMLRPC exploit tool'"

# Rule 330016: A friendly little exploit banner for a WP vuln
SecRule REQUEST_HEADERS:User-Agent "wordpress hash grabber" \
    "id:330016,rev:1,severity:2,msg:'Bad User Agent: Wordpress hash grabber'"

# Rule 330017: Blocks scripts (chained: lwp user agents, except on the one URI)
SecRule REQUEST_URI "!^/webprobilling/pipe/pop\.php$" \
    "chain,id:330017,rev:2,severity:2,msg:'Suspicious User Agent: lwp'"
SecRule REQUEST_HEADERS:User-Agent "lwp"

# Rule 330018: Web leeches
SecRule REQUEST_HEADERS:User-Agent "web downloader" \
    "id:330018,rev:1,severity:2,msg:'Web leech: Web Downloader'"

# Rule 330019: Web leeches
SecRule REQUEST_HEADERS:User-Agent "webzip"
# Rule 330020: Web leeches
SecRule REQUEST_HEADERS:User-Agent "webcopier"
# Rule 330021: Web leeches
SecRule REQUEST_HEADERS:User-Agent "webster"
# Rule 330023: Web leeches
SecRule REQUEST_HEADERS:User-Agent "webstripper"
# Rule 330024: Web leeches
SecRule REQUEST_HEADERS:User-Agent "teleport pro"
# Rule 330025: Web leeches
SecRule REQUEST_HEADERS:User-Agent "combine"
# Rule 330026: Web leeches
SecRule REQUEST_HEADERS:User-Agent "black hole"
# Rule 330027: Web leeches
SecRule REQUEST_HEADERS:User-Agent "sitesnagger"
# Rule 330028: Web leeches
SecRule REQUEST_HEADERS:User-Agent "prowebwalker"
# Rule 330029: Web leeches
SecRule REQUEST_HEADERS:User-Agent "cheesebot"

# Rule 330030: Bogus Mozilla UA lines
SecRule REQUEST_HEADERS:User-Agent "mozilla/(4|5)\.0$"
# Rule 330031: Bogus Mozilla UA lines
SecRule REQUEST_HEADERS:User-Agent "mozilla/3\.mozilla/2\.01$"
# Rule 330032: Bogus IE UA line
SecRule REQUEST_HEADERS:User-Agent "microsoft internet explorer/5\.0$"
# Rule 330033: Bogus UA
SecRule REQUEST_HEADERS:User-Agent "foobar/42"

# Rule 330034: Nessus vuln scanner UA
SecRule REQUEST_HEADERS:User-Agent "mozilla.*nessus"
# Rule 330035: Nikto vuln scanner UA
SecRule REQUEST_HEADERS:User-Agent ".*nikto"

# Rule 330036: Bad/Bogus UAs
SecRule REQUEST_HEADERS:User-Agent "indy library"
# Rule 330037: Bad/Bogus UAs
SecRule REQUEST_HEADERS:User-Agent "faxobot"
# Rule 330038: Bad/Bogus UAs
SecRule REQUEST_HEADERS:User-Agent ".*safexplorer tl"

# Rule 330039: Spam spider UAs
SecRule REQUEST_HEADERS:User-Agent ".*fantombrowser"
# Rule 330040: Spam spider UAs
SecRule REQUEST_HEADERS:User-Agent ".*fantomcrew browser"

# Rule 330041: VB development library used by many spammers, might block
# legitimate VBScripts; comment out if you have problems
SecRule REQUEST_HEADERS:User-Agent "crescent internet toolpak"

# Rule 330042: Borland Delphi signature, as above, comment out if it gives you
# problems; spammers sometimes use these UAs
SecRule REQUEST_HEADERS:User-Agent "newt activex\; win32"
# Rule 330043: Borland Delphi signature, as above, comment out if it gives you problems
SecRule REQUEST_HEADERS:User-Agent "mozilla.*newt"

# Part of the Microsoft MSINET.OCX, as above, spammers sometimes use this, if
# it causes problems, comment out. If you are a member of the Microsoft Site
# Builder Network, you probably do NOT want to block this ID.
#SecRule REQUEST_HEADERS:User-Agent "microsoft url control"
#SecRule REQUEST_HEADERS:User-Agent "^microsoft url"

# Rule 330044: e-mail collectors and spammers
SecRule REQUEST_HEADERS:User-Agent "webbandit"
# Rule 330045: e-mail collectors and spammers
SecRule REQUEST_HEADERS:User-Agent "webmole"
# Rule 330046: e-mail collectors and spammers
SecRule REQUEST_HEADERS:User-Agent "telesoft*"
# Rule 330047: e-mail collectors and spammers
SecRule REQUEST_HEADERS:User-Agent "webemailextractor"
# Rule 330048: e-mail collectors and spammers
SecRule REQUEST_HEADERS:User-Agent "cherrypicker*"
# Rule 330049: e-mail collectors and spammers
SecRule REQUEST_HEADERS:User-Agent "nicerspro"
# Rule 330050: e-mail collectors and spammers
SecRule REQUEST_HEADERS:User-Agent "advanced email extractor*"
# Rule 330051: e-mail collectors and spammers
SecRule REQUEST_HEADERS:User-Agent "emailsiphon"
# Rule 330052: e-mail collectors and spammers
SecRule REQUEST_HEADERS:User-Agent "extractorpro"
# Rule 330053: e-mail collectors and spammers
SecRule REQUEST_HEADERS:User-Agent "webbandit"
# Rule 330054: e-mail collectors and spammers
SecRule REQUEST_HEADERS:User-Agent "emailcollector"
# Rule 330055: e-mail collectors and spammers
SecRule REQUEST_HEADERS:User-Agent "webemailextrac*"
# Rule 330056: e-mail collectors and spammers
SecRule REQUEST_HEADERS:User-Agent "emailwolf"

# Spiders that eat up bandwidth for their customers
# Rule 330057: Not a spammer, just a spider, comment out if you like
SecRule REQUEST_HEADERS:User-Agent "copyrightcheck"
# Rule 330058: Not a spammer, just a spider, comment out if you like
SecRule REQUEST_HEADERS:User-Agent "copyguard"
# Rule 330059: Not a spammer, just a spider, comment out if you like
SecRule REQUEST_HEADERS:User-Agent "digimarc webreader"

# Rule 330060: Marketing spiders
SecRule REQUEST_HEADERS:User-Agent "zeus .*webster pro*"
# Rule 330061: Poker spam
SecRule REQUEST_HEADERS:User-Agent "8484 boston project"
# Rule 330062: collectors
SecRule REQUEST_HEADERS:User-Agent "autoemailspider"
# Rule 330063: collectors
SecRule REQUEST_HEADERS:User-Agent "ecollector"
# Rule 330064: collectors
SecRule REQUEST_HEADERS:User-Agent "grub crawler"
# Rule 330065: referrer spam, not the real weblogs
SecRule REQUEST_HEADERS:User-Agent "^www\.weblogs\.com"
# Rule 330066: spam bots
SecRule REQUEST_HEADERS:User-Agent "dts agent"
# Rule 330067: spam bots
SecRule REQUEST_HEADERS:User-Agent "poe-component-client"
# Rule 330068: spam bots
SecRule REQUEST_HEADERS:User-Agent "wisebot"

# Rule 330069: spam bots (chained: Shockwave Flash UA, except on upload URIs)
SecRule REQUEST_URI "!(?:/index\.php/admin/catalog_product_gallery/upload/|/components/com_expose/expose/)" \
    "chain,id:330069,rev:3,severity:2,msg:'Suspicious Unusual User Agent (Shockwave Flash)'"
SecRule REQUEST_HEADERS:User-Agent "^shockwave flash"

# Rule 330070: spam bots
SecRule REQUEST_HEADERS:User-Agent "missigua" \
    "id:330070,rev:3,severity:2,msg:'Suspicious unusual User Agent'"

# Rule 330071: comment spam sign
SecRule REQUEST_HEADERS:User-Agent "compatible \; msie" \
    "id:330071,rev:1,severity:2,msg:'Comment Spammer User Agent (IE)'"

# Rule 330072: Some regexps to catch silly bots
SecRule REQUEST_URI "!/ps(zones\|comp).txt1" \
    "chain,id:330072,rev:1,severity:2,msg:'Comment Spammer User Agent (IE)'"
SecRule REQUEST_HEADERS:User-Agent "^(google|i?explorer?\.exe|(ms)?ie( [0-9.]+)?[ ]?(compatible( browser)?)?)$"

# Rule 330073: Some regexps to catch silly bots
SecRule REQUEST_HEADERS:User-Agent "^(mozilla( [0-9.]+)?[ ]?\((windows|linux|(ie )?compatible)\))$" \
    "id:330073,rev:1,severity:2,msg:'Comment Spammer User Agent (IE)'"

# Rule 330074: Some regexps to catch silly bots
SecRule REQUEST_HEADERS:User-Agent "^mozilla/5\.0 \(x11; u; linux i686; en-us; rv\:0\.9\.6\+\) gecko/2001112$" \
    "id:330074,rev:1,severity:2,msg:'Comment Spammer User Agent (Mozilla)'"

# Rule 330075: Some regexps to catch silly bots
#SecRule REQUEST_HEADERS:User-Agent "^mozilla/[0-9.]+ \(compatible; msie [0-9.]+; windows( nt)?( [0-9.]*)?;[0-9./ ]*\)?$" \
#    "id:330075,rev:1,severity:2,msg:'Comment Spammer User Agent (IE) 2'"

# Rule 330076: Some regexps to catch silly bots
SecRule REQUEST_HEADERS:User-Agent "^mozilla/.+[. ]+$" \
    "id:330076,rev:1,severity:2,msg:'Comment Spammer User Agent (Mozilla) 2'"

# spammer
SecRule REQUEST_HEADERS:User-Agent "butch__2\.1\.1" \
    "id:330077,rev:1,severity:2,msg:'Comment Spammer User Agent'"
# spammer
SecRule REQUEST_HEADERS:User-Agent "agdm79@mail\.ru" \
    "id:330079,rev:1,severity:2,msg:'Comment Spammer User Agent'"
# Fake Gameboy UA
SecRule REQUEST_HEADERS:User-Agent "gameboy\, powered by nintendo" \
    "id:330080,rev:1,severity:2,msg:'Comment Spammer User Agent (Mozilla) 2'"
# bogus Amiga UA
SecRule REQUEST_HEADERS:User-Agent "amiga-aweb/3\.4" \
    "id:330081,rev:1,severity:2,msg:'Fake Amiga Web Agent'"
# exploit UA
SecRule REQUEST_HEADERS:User-Agent "internet ninja " \
    "id:330082,rev:1,severity:2,msg:'Exploit User Agent'"
# bogus googlebot UA
SecRule REQUEST_HEADERS:User-Agent "nokia-waptoolkit.* googlebot.*googlebot" \
    "id:330083,rev:1,severity:2,msg:'Fake GoogleBot'"

# recently caught sending spam referrals, from their actual crawler IP
#SecRule REQUEST_HEADERS:User-Agent "becomebot" \
#    "id:330076,rev:1,severity:2,msg:'Comment Spammer User Agent (Mozilla) 2'"

# SurveyBot
#SecRule REQUEST_HEADERS:User-Agent "surveybot"

# exploit
SecRule REQUEST_HEADERS:User-Agent "s\.t\.a\.l\.k\.e\.r\." \
    "id:330084,rev:1,severity:2,msg:'Exploit User Agent'"
# exploit
SecRule REQUEST_HEADERS:User-Agent "neuralbot/0\.2" \
    "id:330085,rev:1,severity:2,msg:'Exploit User Agent'"
# exploit
SecRule REQUEST_HEADERS:User-Agent "kenjin spider" \
    "id:330086,rev:1,severity:2,msg:'Exploit User Agent'"
# WebVulnScan
SecRule REQUEST_HEADERS:User-Agent "webvulnscan" \
    "id:330087,rev:1,severity:2,msg:'WebVulnScan User Agent'"
# broken spam tool
SecRule REQUEST_HEADERS:User-Agent "mozilla/4\.0 \(compatible\; msie 6\.0\; windows nt 5\.1$" \
    "id:330088,rev:1,severity:2,msg:'Comment Spammer User Agent (Fake Mozilla)'"
# PHPBB worm UA
SecRule REQUEST_HEADERS:User-Agent "internet exploiter sux" \
    "id:330089,rev:1,severity:2,msg:'Comment Spammer User Agent (Fake Mozilla)'"
# fake UA
SecRule REQUEST_HEADERS:User-Agent "windows-update-agent" \
    "id:330090,rev:1,severity:2,msg:'Comment Spammer User Agent (Fake Windows Update Agent)'"
# exploit
SecRule REQUEST_HEADERS:User-Agent "internet-exprorer" \
    "id:330091,rev:1,severity:2,msg:'Exploit User Agent'"
# Bad spider
SecRule REQUEST_HEADERS:User-Agent "hl_ftien_spider" \
    "id:330092,rev:1,severity:2,msg:'Comment Spammer User Agent'"
# PMAFind
SecRule REQUEST_HEADERS:User-Agent "pmafind" \
    "id:330093,rev:1,severity:2,msg:'Comment Spammer User Agent'"
# Morfeus Fucking Scanner
SecRule REQUEST_HEADERS:User-Agent "morfeus fucking scanner" \
    "id:330094,rev:1,severity:2,msg:'Exploit User Agent (MFS)'"
# Vadix bot
SecRule REQUEST_HEADERS:User-Agent "vadixbot" \
    "id:330095,rev:1,severity:2,msg:'Vadixbot User Agent String'"

# ---------------------------------------------------------------
# Core ModSecurity Rule - Updated by Wael Isa <web4host.net>
# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
#
# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
#
# End
# ---------------------------------------------------------------