diff -ur prelude-lml-0.9.13.orig/plugins/pcre/ruleset/modsecurity.rules prelude-lml-0.9.13/plugins/pcre/ruleset/modsecurity.rules
--- prelude-lml-0.9.13.orig/plugins/pcre/ruleset/modsecurity.rules	2008-10-11 14:30:01.000000000 -0400
+++ prelude-lml-0.9.13/plugins/pcre/ruleset/modsecurity.rules	2008-10-11 14:33:08.000000000 -0400
@@ -20,7 +20,7 @@
 # the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
 #
 #####
-# The rules developed using mod_security-2.1.6. 
+# The rules developed using mod_security-2.5.6 (tested with 2.1.7 and 2.5.6) 
 #####
 
 # Here are some example log entries that should match against rules defined below:
@@ -33,28 +33,120 @@
 # LOG:[Mon Jul 21 16:55:56 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Operator EQ match: 0. [id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [uri "/\\xc4\\x9b+\\xc5\\xa1\\xc4\\x8d\\xc5\\xa1\\xc5\\x99\\xc5\\x99\\xc4\\x8d\\xc3\\xbd\\xc3\\xbd\\xc3\\xa1"] [unique_id "pNLe4woiIjEAAF4fLq0AAAAH"]
 # LOG:[Mon Jul 21 16:55:56 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [uri "/\\xc4\\x9b+\\xc5\\xa1\\xc4\\x8d\\xc5\\xa1\\xc5\\x99\\xc5\\x99\\xc4\\x8d\\xc3\\xbd\\xc3\\xbd\\xc3\\xa1"] [unique_id "S2NY@woiIjEAAF4eLX8AAAAG"]
 
-# 3160-3167
-regex=\[severity "(?:EMERGENCY|ALERT|CRITICAL|ERROR)"\]; \
- id=3160; \
+########################
+
+# Protocol violation
+regex=\[id "(960911|950012|960912|960016|960011|960012|960013|950107|950801|950116|960014|960018|960901)"\]; \
+ id=3167; \
+ classification.text=HTTP Protocol violation; \
+ assessment.impact.severity=medium; \
+ additional_data(1).type=integer; \   
+ additional_data(1).meaning=ModSec Rule ID; \
+ additional_data(1).data=$1; \ 
+ chained; silent;
+
+# Protocol anomaly
+regex=\[id "(960019|960008|960015|960009|960904|960017|960913)"\]; \
+ id=3168; \
+ classification.text=HTTP Protocol anomaly; \
+ assessment.impact.severity=low; \
+ additional_data(1).type=integer; \   
+ additional_data(1).meaning=ModSec Rule ID; \
+ additional_data(1).data=$1; \
+ chained; silent;
+
+# Request limits
+regex=\[id "(960335)"\]; \
+ id=3169; \
+ classification.text=HTTP Request limit exceeded; \
+ assessment.impact.severity=high; \
+ additional_data(1).type=integer; \   
+ additional_data(1).meaning=ModSec Rule ID; \
+ additional_data(1).data=$1; \
+ chained; silent;
+
+# HTTP policy
+regex=\[id "(960032|960010|960034|960035|960038|960902|960903)"\]; \
+ id=3170; \
+ classification.text=HTTP policy violation; \
+ assessment.impact.severity=high; \
+ additional_data(1).type=integer; \   
+ additional_data(1).meaning=ModSec Rule ID; \
+ additional_data(1).data=$1; \
+ chained; silent;
+
+# Bad robots
+regex=\[id "(990002|990901|990902|990012|990011)"\]; \
+ id=3171; \
+ classification.text=Bad HTTP robot; \
+ assessment.impact.severity=info; \
+ additional_data(1).type=integer; \   
+ additional_data(1).meaning=ModSec Rule ID; \
+ additional_data(1).data=$1; \
+ chained; silent;
+
+# Generic attacks
+regex=\[id "(959009|950007|959007|950904|959904|950001|959001|950901|959901|950906|959906|950908|959908|950004|959004|950005|959005|950002|950006|959006|950907|959907|950008|959008|950010|959010|950011|959011|950013|959013|950018|959018|950019|959019|950910|950911)"\]; \
+ id=3172; \
+ classification.text=Generic HTTP attack; \
+ assessment.impact.severity=high; \
+ additional_data(1).type=integer; \   
+ additional_data(1).meaning=ModSec Rule ID; \
+ additional_data(1).data=$1; \
+ chained; silent;
+
+# Trojans
+regex=\[id "(950921|950922)"\]; \
+ id=3173; \
+ classification.text=HTTP trojan; \
  assessment.impact.severity=high; \
+ additional_data(1).type=integer; \   
+ additional_data(1).meaning=ModSec Rule ID; \
+ additional_data(1).data=$1; \
+ chained; silent;
+
+# Outbound
+regex=\[id "(970003|970004|970904|970007|970008|970009|970010|970012|970013|970014|970903|970015|970902|970016|970018|970901|970118|970021|970011)"\]; \
+ id=3174; \
+ classification.text=HTTP outbound policy violation; \
+ assessment.impact.severity=high; \
+ additional_data(1).type=integer; \   
+ additional_data(1).meaning=ModSec Rule ID; \
+ additional_data(1).data=$1; \
+ chained; silent;
+
+#########################
+
+# 3160-3166
+regex=\[file "([^"]+)"\]; \
+ id=3160; \
+ additional_data(>>).type=string; \
+ additional_data(-1).meaning=ModSec Ruleset File; \
+ additional_data(-1).data=$1; \
  chained; silent; 
 
-regex=\[severity "WARNING"\]; \
+regex=\[line "(\d+)"\]; \
  id=3161; \
- assessment.impact.severity=medium; \
+ additional_data(>>).type=integer; \
+ additional_data(-1).meaning=ModSec Ruleset Line; \
+ additional_data(-1).data=$1; \
  chained; silent;
 
-regex=\[severity "NOTICE"\]; \
+regex=\[tag "(\S+)"\]; \
  id=3162; \
- assessment.impact.severity=low; \
+ additional_data(>>).type=string; \
+ additional_data(-1).meaning=ModSec Rule Tag; \
+ additional_data(-1).data=$1; \
  chained; silent; 
 
-regex=\[severity "(?:INFO|DEBUG)"\]; \
+regex=\[severity "(\S+)"\]; \
  id=3163; \
- assessment.impact.severity=info; \
+ additional_data(>>).type=string; \
+ additional_data(-1).meaning=ModSec Severity; \
+ additional_data(-1).data=$1; \
  chained; silent; 
 
-regex=\[msg "([^"]+)"\]; \
+regex=\[msg "([^"]+)"\]; optgoto=3167-3174; min-optgoto-match=1; \
  id=3164; \
  classification.reference(0).meaning=$1; \
  classification.reference(0).origin=vendor-specific; \
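Review bot: The `[msg ...]` rule 3164 now carries `min-optgoto-match=1` against 3167-3174, so a ModSecurity event whose rule id is not in one of those hard-coded id lists — a site-local rule, or an id added in a later core-ruleset release — no longer matches 3164 at all and loses its msg, classification.text and severity, keeping only the file/line/tag/severity strings from 3160-3163. Dropping `min-optgoto-match=1`, or adding a catch-all `regex=\[id "(\d+)"\];` entry with a low severity at the end of the 3167-3174 range, would keep those events classified instead of silently degrading them. Separately, 3167-3174 write `additional_data(1)` with a fixed index while 3160-3163 append with `additional_data(>>)`; if the appended entries already occupy index 1 by the time 3164 fires, the rule id would overwrite the ruleset line — I cannot confirm the index resolution order from this file, so it is worth checking. The trailing spaces after the `\` on each `additional_data(1).type=integer;` line should also be stripped in case the parser does not treat `\ ` as a continuation.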
@@ -62,67 +154,89 @@
 
 regex=\[hostname "(\S+)"\]; \
  id=3165; \
- target(0).node.address(1).address=$1; \
- chained; silent;
-
-regex=\[id "(\d+)"\]; \
- id=3166; \
- additional_data(1).type=integer; \   
- additional_data(1).meaning=ModSec Rule ID; \
- additional_data(1).data=$1; \
- classification.reference(0).name=$1; \
+ target(0).node.address(0).address=$1; \
  chained; silent;
 
 regex=\[unique_id "(\S+)"\]; \
- id=3167; \
- additional_data(2).type=string; \
- additional_data(2).meaning=Unique ID; \
- additional_data(2).data=$1; \
- chained; silent;
+ id=3166; \
+ additional_data(>>).type=string; \
+ additional_data(-1).meaning=Unique ID; \
+ additional_data(-1).data=$1; \
+ chained; silent;
+
+#regex=\[id "(\d+)"\]; \
+# id=3166; \
+# additional_data(1).type=integer; \   
+# additional_data(1).meaning=ModSec Rule ID; \
+# additional_data(1).data=$1; \
+# classification.reference(0).name=$1; \
+# chained; silent;
+#########################
 
-# 3120-3121;
-regex=Match of "(.+)" against "(\S+)" required\.; optgoto=3160-3167; \
+# 3120-3125
+regex=Match of "(.+)" against "(\S+)" required\.; optgoto=3160-3166; \
  id=3120; \
  assessment.impact.description=ModSecurity found pattern match "$1" in HTTP object $2.; \
  chained; silent; 
 
-regex=Operator ([A-Z]{2}) match: (\d+)\.; optgoto=3160-3167; \
+regex=Operator ([A-Z]{2}) match: (\d+)\.; optgoto=3160-3166; \
  id=3121; \
  assessment.impact.description=ModSecurity found operator "$1" match "$2".; \
  chained; silent;
 
-regex=Pattern match "(.+)" at (\S+)\.; optgoto=3160-3167; \
+regex=Pattern match "(.+)" at (.+?)\.; optgoto=3160-3166; \
  id=3122; \
  assessment.impact.description=ModSecurity found pattern match "$1" in HTTP object $2.; \
  chained; silent;  
 
+regex=Operator ([A-Z]{2}) matched (\d+) at (\S+)\.; optgoto=3160-3166; \
+ id=3123; \
+ assessment.impact.description=ModSecurity found operator "$1" match "$2".; \
+ chained; silent;
+
+regex=Found (\d+) byte\(s\) in (\S+) outside range: (\S+)\.; optgoto=3160-3166; \
+ id=3124; \
+ assessment.impact.description=ModSecurity found $1 byte(s) in "$2" outside range $3.; \
+ chained; silent;
+
+regex=Found (\d+) byte\(s\) outside range: (\S+)\.; optgoto=3160-3166; \
+ id=3125; \
+ assessment.impact.description=ModSecurity found $1 byte(s) outside range $3.; \
+ chained; silent;
+
 # 3130-3133; Access denied + ...
-regex=with code (\d+) \(phase \d\)\.; optgoto=3120-3122; \
+regex=with code (\d+) \(phase \d\)\.; optgoto=3120-3125; \
  id=3130; \
  assessment.action(0).category = block-installed; \
  assessment.action(0).description = Access was blocked with HTTP response code $1.; \
  chained; silent;  
 
-regex=using proxy to \(phase (\d+)\) (\S+)\.; optgoto=3120-3122; \
+regex=using proxy to \(phase (\d+)\) (\S+)\.; optgoto=3120-3125; \
  id=3131; \
  assessment.action(0).category = block-installed; \
  assessment.action(0).description = Access was denied using proxy to $2.; \
  chained; silent; 
 
-regex=with redirection to (\S+) using status (\d+) \(phase (\d+)\)\.; optgoto=3120-3122; \
+regex=with redirection to (\S+) using status (\d+) \(phase (\d+)\)\.; optgoto=3120-3125; \
  id=3132; \
  assessment.action(0).category = block-installed; \
  assessment.action(0).description = Access was redirected to $1.; \
  chained; silent;
  
-regex=with connection close \(phase (\d+)\).; optgoto=3120-3122; \
+regex=with connection close \(phase (\d+)\).; optgoto=3120-3125; \
  id=3133; \
  assessment.action(0).category = block-installed; \
  assessment.action(0).description = Connection was closed.; \
  chained; silent;
 
+# Output filter
+regex=Response body too large \(over limit of (\d+)(.+?)\)\.; optgoto=3160-3166; \
+ id=3150; \
+ assessment.impact.description=Response body too large (over limit of $1$2); \
+ chained; silent;
+
 # 3100-3102
-regex=Warning\.; optgoto=3120-3121; \
+regex=Warning\.; optgoto=3120-3125; \
  id=3101; \
  classification.text=HTTP Warning.; \
  assessment.impact.completion=succeeded; \
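Review bot: Rule 3125's description references `$3`, but its regex `Found (\d+) byte\(s\) outside range: (\S+)\.` has only two capture groups, so the range is never substituted into the alert; the line should read `assessment.impact.description=ModSecurity found $1 byte(s) outside range $2.;`. Rule 3123 captures the matched variable as `$3` but drops it, unlike 3120/3122 which name the HTTP object, so `assessment.impact.description=ModSecurity found operator "$1" match "$2" in HTTP object $3.;` would keep the three consistent and give analysts the target of the match. Commenting out the generic `\[id "(\d+)"\]` rule also means any rule id outside the hard-coded 3167-3174 lists (site-local rules, ids from newer rulesets) no longer appears in additional_data at all, which removes the one field needed to look the alert up in the ModSecurity configuration; I would keep a catch-all id rule rather than rely on the category lists alone.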
@@ -134,7 +248,14 @@
  assessment.impact.completion=failed; \
  chained; silent;
 
-regex=\[client ([\d\.]+)\] ModSecurity:.*\[uri "([^"]+)"\]; optgoto=3101-3102; \
+regex=Output filter:; optgoto=3150; \
+ id=3103; \
+ classification.text=HTTP Output filer error; \
+ assessment.impact.completion=failed; \
+ assessment.impact.severity=high; \
+ chained; silent;
+
+regex=\[client ([\d\.]+)\] ModSecurity:.*\[uri "([^"]+)"\]; optgoto=3101-3103; \
  id=3100; \
  analyzer(0).name=ModSecurity; \
  analyzer(0).manufacturer=www.modsecurity.org; \
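Review bot: The classification text of the new rule 3103 has a typo, `HTTP Output filer error`, which will appear verbatim in every alert raised on the output-filter path; it should be `classification.text=HTTP Output filter error;`. The entry rule 3100, whose optgoto this hunk widens to 3101-3103, still only matches a dotted-quad client address via `\[client ([\d\.]+)\]`, so an error-log line with an IPv6 client will not match at all and the event is dropped without any alert — `\[client (\S+)\]` (with the address also accepted by the source node fields) would avoid that blind spot; this is pre-existing rather than introduced here. The rule 3102 whose tail opens this hunk starts outside the hunk.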