72b1be1 |
diff -ur prelude-lml-0.9.13.orig/plugins/pcre/ruleset/modsecurity.rules prelude-lml-0.9.13/plugins/pcre/ruleset/modsecurity.rules
|
|
|
72b1be1 |
--- prelude-lml-0.9.13.orig/plugins/pcre/ruleset/modsecurity.rules 2008-10-11 14:30:01.000000000 -0400
|
|
|
72b1be1 |
+++ prelude-lml-0.9.13/plugins/pcre/ruleset/modsecurity.rules 2008-10-11 14:33:08.000000000 -0400
|
|
|
72b1be1 |
@@ -20,7 +20,7 @@
|
|
|
72b1be1 |
# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
|
|
|
72b1be1 |
#
|
|
|
72b1be1 |
#####
|
|
|
72b1be1 |
-# The rules developed using mod_security-2.1.6.
|
|
|
72b1be1 |
+# The rules developed using mod_security-2.5.6 (tested with 2.1.7 and 2.5.6)
|
|
|
72b1be1 |
#####
|
|
|
72b1be1 |
|
|
|
72b1be1 |
# Here are some example log entries that should match against rules defined below:
|
|
|
72b1be1 |
@@ -33,28 +33,120 @@
|
|
|
72b1be1 |
# LOG:[Mon Jul 21 16:55:56 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Operator EQ match: 0. [id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [uri "/\\xc4\\x9b+\\xc5\\xa1\\xc4\\x8d\\xc5\\xa1\\xc5\\x99\\xc5\\x99\\xc4\\x8d\\xc3\\xbd\\xc3\\xbd\\xc3\\xa1"] [unique_id "pNLe4woiIjEAAF4fLq0AAAAH"]
|
|
|
72b1be1 |
# LOG:[Mon Jul 21 16:55:56 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [uri "/\\xc4\\x9b+\\xc5\\xa1\\xc4\\x8d\\xc5\\xa1\\xc5\\x99\\xc5\\x99\\xc4\\x8d\\xc3\\xbd\\xc3\\xbd\\xc3\\xa1"] [unique_id "S2NY@woiIjEAAF4eLX8AAAAG"]
|
|
|
72b1be1 |
|
|
|
72b1be1 |
-# 3160-3167
|
|
|
72b1be1 |
-regex=\[severity "(?:EMERGENCY|ALERT|CRITICAL|ERROR)"\]; \
|
|
|
72b1be1 |
- id=3160; \
|
|
|
72b1be1 |
+########################
|
|
|
72b1be1 |
+
|
|
|
72b1be1 |
+# Protocol violation
|
|
|
72b1be1 |
+regex=\[id "(960911|950012|960912|960016|960011|960012|960013|950107|950801|950116|960014|960018|960901)"\]; \
|
|
|
72b1be1 |
+ id=3167; \
|
|
|
72b1be1 |
+ classification.text=HTTP Protocol violation; \
|
|
|
72b1be1 |
+ assessment.impact.severity=medium; \
|
|
|
72b1be1 |
+ additional_data(1).type=integer; \
|
|
|
72b1be1 |
+ additional_data(1).meaning=ModSec Rule ID; \
|
|
|
72b1be1 |
+ additional_data(1).data=$1; \
|
|
|
72b1be1 |
+ chained; silent;
|
|
|
72b1be1 |
+
|
|
|
72b1be1 |
+# Protocol anomaly
|
|
|
72b1be1 |
+regex=\[id "(960019|960008|960015|960009|960904|960017|960913)"\]; \
|
|
|
72b1be1 |
+ id=3168; \
|
|
|
72b1be1 |
+ classification.text=HTTP Protocol anomaly; \
|
|
|
72b1be1 |
+ assessment.impact.severity=low; \
|
|
|
72b1be1 |
+ additional_data(1).type=integer; \
|
|
|
72b1be1 |
+ additional_data(1).meaning=ModSec Rule ID; \
|
|
|
72b1be1 |
+ additional_data(1).data=$1; \
|
|
|
72b1be1 |
+ chained; silent;
|
|
|
72b1be1 |
+
|
|
|
72b1be1 |
+# Request limits
|
|
|
72b1be1 |
+regex=\[id "(960335)"\]; \
|
|
|
72b1be1 |
+ id=3169; \
|
|
|
72b1be1 |
+ classification.text=HTTP Request limit exceeded; \
|
|
|
72b1be1 |
+ assessment.impact.severity=high; \
|
|
|
72b1be1 |
+ additional_data(1).type=integer; \
|
|
|
72b1be1 |
+ additional_data(1).meaning=ModSec Rule ID; \
|
|
|
72b1be1 |
+ additional_data(1).data=$1; \
|
|
|
72b1be1 |
+ chained; silent;
|
|
|
72b1be1 |
+
|
|
|
72b1be1 |
+# HTTP policy
|
|
|
72b1be1 |
+regex=\[id "(960032|960010|960034|960035|960038|960902|960903)"\]; \
|
|
|
72b1be1 |
+ id=3170; \
|
|
|
72b1be1 |
+ classification.text=HTTP policy violation; \
|
|
|
72b1be1 |
+ assessment.impact.severity=high; \
|
|
|
72b1be1 |
+ additional_data(1).type=integer; \
|
|
|
72b1be1 |
+ additional_data(1).meaning=ModSec Rule ID; \
|
|
|
72b1be1 |
+ additional_data(1).data=$1; \
|
|
|
72b1be1 |
+ chained; silent;
|
|
|
72b1be1 |
+
|
|
|
72b1be1 |
+# Bad robots
|
|
|
72b1be1 |
+regex=\[id "(990002|990901|990902|990012|990011)"\]; \
|
|
|
72b1be1 |
+ id=3171; \
|
|
|
72b1be1 |
+ classification.text=Bad HTTP robot; \
|
|
|
72b1be1 |
+ assessment.impact.severity=info; \
|
|
|
72b1be1 |
+ additional_data(1).type=integer; \
|
|
|
72b1be1 |
+ additional_data(1).meaning=ModSec Rule ID; \
|
|
|
72b1be1 |
+ additional_data(1).data=$1; \
|
|
|
72b1be1 |
+ chained; silent;
|
|
|
72b1be1 |
+
|
|
|
72b1be1 |
+# Generic attacks
|
|
|
72b1be1 |
+regex=\[id "(959009|950007|959007|950904|959904|950001|959001|950901|959901|950906|959906|950908|959908|950004|959004|950005|959005|950002|950006|959006|950907|959907|950008|959008|950010|959010|950011|959011|950013|959013|950018|959018|950019|959019|950910|950911)"\]; \
|
|
|
72b1be1 |
+ id=3172; \
|
|
|
72b1be1 |
+ classification.text=Generic HTTP attack; \
|
|
|
72b1be1 |
+ assessment.impact.severity=high; \
|
|
|
72b1be1 |
+ additional_data(1).type=integer; \
|
|
|
72b1be1 |
+ additional_data(1).meaning=ModSec Rule ID; \
|
|
|
72b1be1 |
+ additional_data(1).data=$1; \
|
|
|
72b1be1 |
+ chained; silent;
|
|
|
72b1be1 |
+
|
|
|
72b1be1 |
+# Trojans
|
|
|
72b1be1 |
+regex=\[id "(950921|950922)"\]; \
|
|
|
72b1be1 |
+ id=3173; \
|
|
|
72b1be1 |
+ classification.text=HTTP trojan; \
|
|
|
72b1be1 |
assessment.impact.severity=high; \
|
|
|
72b1be1 |
+ additional_data(1).type=integer; \
|
|
|
72b1be1 |
+ additional_data(1).meaning=ModSec Rule ID; \
|
|
|
72b1be1 |
+ additional_data(1).data=$1; \
|
|
|
72b1be1 |
+ chained; silent;
|
|
|
72b1be1 |
+
|
|
|
72b1be1 |
+# Outbound
|
|
|
72b1be1 |
+regex=\[id "(970003|970004|970904|970007|970008|970009|970010|970012|970013|970014|970903|970015|970902|970016|970018|970901|970118|970021|970011)"\]; \
|
|
|
72b1be1 |
+ id=3174; \
|
|
|
72b1be1 |
+ classification.text=HTTP outbound policy violation; \
|
|
|
72b1be1 |
+ assessment.impact.severity=high; \
|
|
|
72b1be1 |
+ additional_data(1).type=integer; \
|
|
|
72b1be1 |
+ additional_data(1).meaning=ModSec Rule ID; \
|
|
|
72b1be1 |
+ additional_data(1).data=$1; \
|
|
|
72b1be1 |
+ chained; silent;
|
|
|
72b1be1 |
+
|
|
|
72b1be1 |
+#########################
|
|
|
72b1be1 |
+
|
|
|
72b1be1 |
+# 3160-3166
|
|
|
72b1be1 |
+regex=\[file "([^"]+)"\]; \
|
|
|
72b1be1 |
+ id=3160; \
|
|
|
72b1be1 |
+ additional_data(>>).type=string; \
|
|
|
72b1be1 |
+ additional_data(-1).meaning=ModSec Ruleset File; \
|
|
|
72b1be1 |
+ additional_data(-1).data=$1; \
|
|
|
72b1be1 |
chained; silent;
|
|
|
72b1be1 |
|
|
|
72b1be1 |
-regex=\[severity "WARNING"\]; \
|
|
|
72b1be1 |
+regex=\[line "(\d+)"\]; \
|
|
|
72b1be1 |
id=3161; \
|
|
|
72b1be1 |
- assessment.impact.severity=medium; \
|
|
|
72b1be1 |
+ additional_data(>>).type=integer; \
|
|
|
72b1be1 |
+ additional_data(-1).meaning=ModSec Ruleset Line; \
|
|
|
72b1be1 |
+ additional_data(-1).data=$1; \
|
|
|
72b1be1 |
chained; silent;
|
|
|
72b1be1 |
|
|
|
72b1be1 |
-regex=\[severity "NOTICE"\]; \
|
|
|
72b1be1 |
+regex=\[tag "(\S+)"\]; \
|
|
|
72b1be1 |
id=3162; \
|
|
|
72b1be1 |
- assessment.impact.severity=low; \
|
|
|
72b1be1 |
+ additional_data(>>).type=string; \
|
|
|
72b1be1 |
+ additional_data(-1).meaning=ModSec Rule Tag; \
|
|
|
72b1be1 |
+ additional_data(-1).data=$1; \
|
|
|
72b1be1 |
chained; silent;
|
|
|
72b1be1 |
|
|
|
72b1be1 |
-regex=\[severity "(?:INFO|DEBUG)"\]; \
|
|
|
72b1be1 |
+regex=\[severity "(\S+)"\]; \
|
|
|
72b1be1 |
id=3163; \
|
|
|
72b1be1 |
- assessment.impact.severity=info; \
|
|
|
72b1be1 |
+ additional_data(>>).type=string; \
|
|
|
72b1be1 |
+ additional_data(-1).meaning=ModSec Severity; \
|
|
|
72b1be1 |
+ additional_data(-1).data=$1; \
|
|
|
72b1be1 |
chained; silent;
|
|
|
72b1be1 |
|
|
|
72b1be1 |
-regex=\[msg "([^"]+)"\]; \
|
|
|
72b1be1 |
+regex=\[msg "([^"]+)"\]; optgoto=3167-3174; min-optgoto-match=1; \
|
|
|
72b1be1 |
id=3164; \
|
|
|
72b1be1 |
classification.reference(0).meaning=$1; \
|
|
|
72b1be1 |
classification.reference(0).origin=vendor-specific; \
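Review bot: `min-optgoto-match=1` on rule 3164 makes the `[msg ...]` capture depend on the event's rule ID appearing in one of the hard-coded lists 3167-3174, so an event from a custom SecRule, or from an ID added in a later ModSecurity/CRS release, loses its msg and classification reference; later in the same patch the generic `\[id "(\d+)"\]` capture (old 3166) is commented out, so such events end up with no ModSec Rule ID recorded at all. I would keep the msg independent of the categorisation, `regex=\[msg "([^"]+)"\]; optgoto=3167-3174; \`, and add an uncategorised fallback that records the ID when none of 3167-3174 match; how prelude-lml merges duplicate matches inside an optgoto range is not visible here, so that fallback needs checking against the engine. A comment above the list rules naming the CRS version the IDs were taken from (the header says 2.5.6) would also help whoever has to extend them.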
|
|
|
72b1be1 |
@@ -62,67 +154,89 @@
|
|
|
72b1be1 |
|
|
|
72b1be1 |
regex=\[hostname "(\S+)"\]; \
|
|
|
72b1be1 |
id=3165; \
|
|
|
72b1be1 |
- target(0).node.address(1).address=$1; \
|
|
|
72b1be1 |
- chained; silent;
|
|
|
72b1be1 |
-
|
|
|
72b1be1 |
-regex=\[id "(\d+)"\]; \
|
|
|
72b1be1 |
- id=3166; \
|
|
|
72b1be1 |
- additional_data(1).type=integer; \
|
|
|
72b1be1 |
- additional_data(1).meaning=ModSec Rule ID; \
|
|
|
72b1be1 |
- additional_data(1).data=$1; \
|
|
|
72b1be1 |
- classification.reference(0).name=$1; \
|
|
|
72b1be1 |
+ target(0).node.address(0).address=$1; \
|
|
|
72b1be1 |
chained; silent;
|
|
|
72b1be1 |
|
|
|
72b1be1 |
regex=\[unique_id "(\S+)"\]; \
|
|
|
72b1be1 |
- id=3167; \
|
|
|
72b1be1 |
- additional_data(2).type=string; \
|
|
|
72b1be1 |
- additional_data(2).meaning=Unique ID; \
|
|
|
72b1be1 |
- additional_data(2).data=$1; \
|
|
|
72b1be1 |
- chained; silent;
|
|
|
72b1be1 |
+ id=3166; \
|
|
|
72b1be1 |
+ additional_data(>>).type=string; \
|
|
|
72b1be1 |
+ additional_data(-1).meaning=Unique ID; \
|
|
|
72b1be1 |
+ additional_data(-1).data=$1; \
|
|
|
72b1be1 |
+ chained; silent;
|
|
|
72b1be1 |
+
|
|
|
72b1be1 |
+#regex=\[id "(\d+)"\]; \
|
|
|
72b1be1 |
+# id=3166; \
|
|
|
72b1be1 |
+# additional_data(1).type=integer; \
|
|
|
72b1be1 |
+# additional_data(1).meaning=ModSec Rule ID; \
|
|
|
72b1be1 |
+# additional_data(1).data=$1; \
|
|
|
72b1be1 |
+# classification.reference(0).name=$1; \
|
|
|
72b1be1 |
+# chained; silent;
|
|
|
72b1be1 |
+#########################
|
|
|
72b1be1 |
|
|
|
72b1be1 |
-# 3120-3121;
|
|
|
72b1be1 |
-regex=Match of "(.+)" against "(\S+)" required\.; optgoto=3160-3167; \
|
|
|
72b1be1 |
+# 3120-3125
|
|
|
72b1be1 |
+regex=Match of "(.+)" against "(\S+)" required\.; optgoto=3160-3166; \
|
|
|
72b1be1 |
id=3120; \
|
|
|
72b1be1 |
assessment.impact.description=ModSecurity found pattern match "$1" in HTTP object $2.; \
|
|
|
72b1be1 |
chained; silent;
|
|
|
72b1be1 |
|
|
|
72b1be1 |
-regex=Operator ([A-Z]{2}) match: (\d+)\.; optgoto=3160-3167; \
|
|
|
72b1be1 |
+regex=Operator ([A-Z]{2}) match: (\d+)\.; optgoto=3160-3166; \
|
|
|
72b1be1 |
id=3121; \
|
|
|
72b1be1 |
assessment.impact.description=ModSecurity found operator "$1" match "$2".; \
|
|
|
72b1be1 |
chained; silent;
|
|
|
72b1be1 |
|
|
|
72b1be1 |
-regex=Pattern match "(.+)" at (\S+)\.; optgoto=3160-3167; \
|
|
|
72b1be1 |
+regex=Pattern match "(.+)" at (.+?)\.; optgoto=3160-3166; \
|
|
|
72b1be1 |
id=3122; \
|
|
|
72b1be1 |
assessment.impact.description=ModSecurity found pattern match "$1" in HTTP object $2.; \
|
|
|
72b1be1 |
chained; silent;
|
|
|
72b1be1 |
|
|
|
72b1be1 |
+regex=Operator ([A-Z]{2}) matched (\d+) at (\S+)\.; optgoto=3160-3166; \
|
|
|
72b1be1 |
+ id=3123; \
|
|
|
72b1be1 |
+ assessment.impact.description=ModSecurity found operator "$1" match "$2".; \
|
|
|
72b1be1 |
+ chained; silent;
|
|
|
72b1be1 |
+
|
|
|
72b1be1 |
+regex=Found (\d+) byte\(s\) in (\S+) outside range: (\S+)\.; optgoto=3160-3166; \
|
|
|
72b1be1 |
+ id=3124; \
|
|
|
72b1be1 |
+ assessment.impact.description=ModSecurity found $1 byte(s) in "$2" outside range $3.; \
|
|
|
72b1be1 |
+ chained; silent;
|
|
|
72b1be1 |
+
|
|
|
72b1be1 |
+regex=Found (\d+) byte\(s\) outside range: (\S+)\.; optgoto=3160-3166; \
|
|
|
72b1be1 |
+ id=3125; \
|
|
|
72b1be1 |
+ assessment.impact.description=ModSecurity found $1 byte(s) outside range $3.; \
|
|
|
72b1be1 |
+ chained; silent;
|
|
|
72b1be1 |
+
|
|
|
72b1be1 |
# 3130-3133; Access denied + ...
|
|
|
72b1be1 |
-regex=with code (\d+) \(phase \d\)\.; optgoto=3120-3122; \
|
|
|
72b1be1 |
+regex=with code (\d+) \(phase \d\)\.; optgoto=3120-3125; \
|
|
|
72b1be1 |
id=3130; \
|
|
|
72b1be1 |
assessment.action(0).category = block-installed; \
|
|
|
72b1be1 |
assessment.action(0).description = Access was blocked with HTTP response code $1.; \
|
|
|
72b1be1 |
chained; silent;
|
|
|
72b1be1 |
|
|
|
72b1be1 |
-regex=using proxy to \(phase (\d+)\) (\S+)\.; optgoto=3120-3122; \
|
|
|
72b1be1 |
+regex=using proxy to \(phase (\d+)\) (\S+)\.; optgoto=3120-3125; \
|
|
|
72b1be1 |
id=3131; \
|
|
|
72b1be1 |
assessment.action(0).category = block-installed; \
|
|
|
72b1be1 |
assessment.action(0).description = Access was denied using proxy to $2.; \
|
|
|
72b1be1 |
chained; silent;
|
|
|
72b1be1 |
|
|
|
72b1be1 |
-regex=with redirection to (\S+) using status (\d+) \(phase (\d+)\)\.; optgoto=3120-3122; \
|
|
|
72b1be1 |
+regex=with redirection to (\S+) using status (\d+) \(phase (\d+)\)\.; optgoto=3120-3125; \
|
|
|
72b1be1 |
id=3132; \
|
|
|
72b1be1 |
assessment.action(0).category = block-installed; \
|
|
|
72b1be1 |
assessment.action(0).description = Access was redirected to $1.; \
|
|
|
72b1be1 |
chained; silent;
|
|
|
72b1be1 |
|
|
|
72b1be1 |
-regex=with connection close \(phase (\d+)\).; optgoto=3120-3122; \
|
|
|
72b1be1 |
+regex=with connection close \(phase (\d+)\).; optgoto=3120-3125; \
|
|
|
72b1be1 |
id=3133; \
|
|
|
72b1be1 |
assessment.action(0).category = block-installed; \
|
|
|
72b1be1 |
assessment.action(0).description = Connection was closed.; \
|
|
|
72b1be1 |
chained; silent;
|
|
|
72b1be1 |
|
|
|
72b1be1 |
+# Output filter
|
|
|
72b1be1 |
+regex=Response body too large \(over limit of (\d+)(.+?)\)\.; optgoto=3160-3166; \
|
|
|
72b1be1 |
+ id=3150; \
|
|
|
72b1be1 |
+ assessment.impact.description=Response body too large (over limit of $1$2); \
|
|
|
72b1be1 |
+ chained; silent;
|
|
|
72b1be1 |
+
|
|
|
72b1be1 |
# 3100-3102
|
|
|
72b1be1 |
-regex=Warning\.; optgoto=3120-3121; \
|
|
|
72b1be1 |
+regex=Warning\.; optgoto=3120-3125; \
|
|
|
72b1be1 |
id=3101; \
|
|
|
72b1be1 |
classification.text=HTTP Warning.; \
|
|
|
72b1be1 |
assessment.impact.completion=succeeded; \
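Review bot: Rule 3125 references `$3` in its description but its regex `Found (\d+) byte\(s\) outside range: (\S+)\.` has only two capture groups, so the range is never substituted; it should read `assessment.impact.description=ModSecurity found $1 byte(s) outside range $2.; \`. Rule 3123 likewise captures the target as group 3 and then drops it from the description, so `ModSecurity found operator "$1" match "$2" in HTTP object $3.` would keep parity with 3120/3122. Since the old generic `\[id "(\d+)"\]` rule is left commented out rather than deleted, either remove it or add a comment saying why it was disabled so it is not silently re-enabled later.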
|
|
|
72b1be1 |
@@ -134,7 +248,14 @@
|
|
|
72b1be1 |
assessment.impact.completion=failed; \
|
|
|
72b1be1 |
chained; silent;
|
|
|
72b1be1 |
|
|
|
72b1be1 |
-regex=\[client ([\d\.]+)\] ModSecurity:.*\[uri "([^"]+)"\]; optgoto=3101-3102; \
|
|
|
72b1be1 |
+regex=Output filter:; optgoto=3150; \
|
|
|
72b1be1 |
+ id=3103; \
|
|
|
72b1be1 |
+ classification.text=HTTP Output filer error; \
|
|
|
72b1be1 |
+ assessment.impact.completion=failed; \
|
|
|
72b1be1 |
+ assessment.impact.severity=high; \
|
|
|
72b1be1 |
+ chained; silent;
|
|
|
72b1be1 |
+
|
|
|
72b1be1 |
+regex=\[client ([\d\.]+)\] ModSecurity:.*\[uri "([^"]+)"\]; optgoto=3101-3103; \
|
|
|
72b1be1 |
id=3100; \
|
|
|
72b1be1 |
analyzer(0).name=ModSecurity; \
|
|
|
72b1be1 |
analyzer(0).manufacturer=www.modsecurity.org; \
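Review bot: The classification text of new rule 3103 has a typo, `HTTP Output filer error`, which will appear verbatim as the IDMEF classification of every alert it produces; it should be `classification.text=HTTP Output filter error; \`. Marking a response-body-size limit as `severity=high` with `completion=failed` is a tuning choice that may be noisy on sites serving large pages; if that is intended, a one-line comment above the rule saying so would save the next reader from second-guessing it.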
|