Question about mod_security

Discussion in 'Security' started by Robertosky, Jun 2, 2014.

  1. Robertosky (Member, joined May 23, 2014, cPanel Access Level: Root Administrator)

    I saw that some rules require a .data file to make the rules work!
    Where should I upload the .data file on my server, at what path?
     
  2. cPanelMichael (Forums Analyst, Staff Member, joined Apr 11, 2011, cPanel Access Level: Root Administrator)

    Hello :)

    Could you provide us with more information about the specific rule you are adding, and how you are configuring it? Is it part of a rules package?

    Thank you.
     
  3. Robertosky (Member, cPanel Access Level: Root Administrator)

    Hello!

    Yes, I took the rules from the OWASP website. Yes, in the rules there are two files, like:

    GenericAttack.data
    GenericAttack.conf


    .data file
    Code:
    set-cookie
    .cookie
    expires
    sys.user_objects
    sys.user_triggers
    @@spid
    msysaces
    instr
    sys.user_views
    mysql.
    sys.tab
    charindex
    locate
    sys.user_catalog
    constraint_type
    msysobjects
    attnotnull
    select
    sys.user_tables
    sys.user_constraints
    sys.user_tab_columns
    waitfor
    sys.all_tables
    msysrelationships
    msyscolumns
    msysqueries
    substr
    xtype
    textpos
    all_objects
    rownum
    sysfilegroups
    sysprocesses
    user_group
    sysobjects
    systables
    user_tables
    pg_attribute
    column_id
    user_password
    user_users
    attrelid
    user_tab_columns
    table_name
    pg_class
    user_constraints
    user_objects
    object_type
    sysconstraints
    mb_users
    column_name
    atttypid
    substring
    object_id
    syscat
    sysibm
    user_ind_columns
    syscolumns
    sysdba
    object_name
    sqrt
    insert
    date
    instr
    floor
    autonomous_transaction
    print
    encode
    coalesce
    if
    degrees
    release_lock
    procedure_analyse
    password
    least
    cr32
    subdate
    xp_filelist
    owa_util
    trim
    xp_regenumkeys
    charset
    ciel
    bit_or
    delete
    time
    month
    xp_execresultset
    round
    dba_users
    is
    master_pos_wait
    decode
    unhex
    char_length
    strcmp
    rtrim
    'sa'
    version
    ord
    xp_makecab
    truncate
    last
    concat
    coercibility
    right
    length
    ascii
    var_samp
    char
    extract
    get_
    bit_length
    xp_regread
    export_set
    aes_decrypt
    name_const
    left
    conv
    bin
    not_in
    infile
    substr
    uuid
    is_srvrolemember
    var_pop
    ln
    aes_encrypt
    outfile
    current_date
    quote
    in
    user
    locate
    @@version
    exp
    current_timestamp
    sql_longvarchar
    values
    subtime
    xp_loginconfig
    sin
    xp_regaddmultistring
    replace
    tan
    xmltype
    character_length
    cast
    current_time
    varchar
    position
    to_number
    addtime
    mid
    found_rows
    stddev
    xp_availablemedia
    substring
    dumpfile
    isnull
    cot
    select
    concat_ws
    convert
    uncompress
    radians
    uncompressed_length
    acos
    'sqloledb'
    dbms_pipe.receive_message
    utl_http
    cieling
    row_count
    benchmark
    sec_to_time
    sysdate
    hour
    current_user
    utc_
    curdate
    nvarchar
    schema
    data_type
    lcase
    inner
    make_set
    day
    tbcreator
    sum
    sign
    adddate
    ltrim
    variance
    weight_string
    second
    microsecond
    system_user
    abs
    ifnull
    minute
    unix_timestamp
    collation
    curtime
    lower
    repeat
    sp_oacreate
    group_concat
    sp_execute
    xp_ntsec
    xp_regdeletekey
    drop
    quarter
    local
    str_to_date
    nullif
    from_
    old_password
    xp_regdeletevalue
    asin
    oct
    load_file
    sp_password
    bit_xor
    xp_regremovemultistring
    chr
    avg
    std
    openquery
    makedate
    database
    updatexml
    datediff
    now
    year
    mod
    bit_and
    lpad
    xp_enumdsn
    max
    period_
    soundex
    shutdown
    bit_count
    field
    connection_id
    sha
    default
    interval
    xp_dirtree
    reverse
    ucase
    compress
    xp_terminate_process
    md5
    rpad
    session_user
    find_in_set
    dump
    convert_tz
    having
    des_
    greatest
    xp_regenumvalues
    utl_file
    cos
    log
    pi
    sql_variant
    encrypt
    upper
    rand
    week
    min
    xp_cmdshell
    'msdasql'
    space
    sp_executesql
    elt
    pow
    'dbo'
    sp_makewebtask
    dbms_java
    to_
    format
    xp_regwrite
    sp_helpjscript
    onsubmit
    copyparentfolder
    document
    javascript
    meta
    onchange
    onmove
    onkeydown
    onkeyup
    activexobject
    onerror
    onmouseup
    ecmascript
    bexpression
    onmouseover
    vbscript:
    <![cdata[
    http:
    .innerhtml
    settimeout
    shell:
    onabort
    asfunction:
    onkeypress
    onmousedown
    onclick
    .fromcharcode
    background-image:
    x-javascript
    ondragdrop
    onblur
    mocha:
    javascript:
    onfocus
    lowsrc
    getparentfolder
    onresize
    @import
    alert
    script
    onselect
    onmouseout
    application
    onmousemove
    background
    .execscript
    livescript:
    vbscript
    getspecialfolder
    .addimport
    iframe
    onunload
    createtextrange
    <input
    onload
    .www_acl
    .htpasswd
    .htaccess
    httpd.conf
    boot.ini
    /etc/
    .htgroup
    global.asa
    .wwwacl
    net.exe
    cmd.exe
    cmd
    telnet.exe
    wguest.exe
    ftp.exe
    nmap.exe
    wsh.exe
    rcmd.exe
    nc.exe
    cmd32.exe
    chgrp
    cmd32
    uname
    kill
    localgroup
    wguest.exe
    nasm
    rcmd.exe
    nc.exe
    id
    nc
    tclsh
    finger
    tftp
    cmd
    chown
    chsh
    ping
    nmap.exe
    ps
    net.exe
    telnet.exe
    ls
    tclsh8
    ftp.exe
    ftp
    lsof
    xterm
    mail
    echo
    tracert
    nmap
    cmd.exe
    rm
    python
    cd
    traceroute
    chmod
    perl
    passwd
    wsh.exe
    cpp
    telnet
    gcc
    g++
    chgrp
    cmd32
    uname
    kill
    localgroup
    wguest.exe
    nasm
    rcmd.exe
    nc.exe
    id
    nc
    tclsh
    finger
    tftp
    cmd
    chown
    chsh
    ping
    nmap.exe
    ps
    net.exe
    telnet.exe
    ls
    tclsh8
    ftp.exe
    ftp
    lsof
    xterm
    mail
    echo
    tracert
    nmap
    cmd.exe
    rm
    python
    cd
    traceroute
    chmod
    perl
    passwd
    wsh.exe
    cpp
    telnet
    gcc
    g++
    <?
    

    .conf
    Code:
    # ---------------------------------------------------------------
    # Core ModSecurity Rule Set ver.2.2.9
    # Copyright (C) 2006-2012 Trustwave All rights reserved.
    #
    # The OWASP ModSecurity Core Rule Set is distributed under 
    # Apache Software License (ASL) version 2
    # Please see the enclosed LICENCE file for full details.
    # ---------------------------------------------------------------
    
    
    #
    # OS Command Injection Attacks
    #
    # -=[ Rule Logic ]=-
    # These rules look for attempts to access OS commands such as curl, wget and cc
    # These commands are often used in injection attacks to force the victim web
    # application to initiate a connection out to a hacker site to download, compile
    # and install malicious toolkits such as those to participate in Botnets.
    #
    # -=[ References ]=- 
    # http://projects.webappsec.org/OS-Commanding
    # http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
    #
    SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
    		"phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'8',capture,t:none,t:normalisePath,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'950907',tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_COMMAND_INJECTION1"
    
    SecMarker END_COMMAND_INJECTION1
    
    
    #
    # -=[ Heuristic Checks ]=-
    #
    # [ Repetitive Non-Word Chars ]
    #
    # This rule attempts to identify when multiple (4 or more) non-word characters are repeated in sequence
    #
    SecRule ARGS "\W{4,}" "phase:2,capture,t:none,t:urlDecodeUni,block,id:'960024',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'8',msg:'Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
    
    
    
    #
    # Coldfusion Injection
    #
    # -=[ Rule Logic ]=-
    # These rules look for the existence of undocumented ColdFusion Admin functions on input
    #
    # -=[ References ]=-
    # http://www.adobe.com/devnet/security/security_zone/asb99-10.html
    #  
    SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug|execute)\b" \
            "phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'Injection of Undocumented ColdFusion Tags',id:'950008',tag:'OWASP_CRS/WEB_ATTACK/CF_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_CF_INJECTION"
    
    SecMarker END_CF_INJECTION
    
    #
    # LDAP Injection
    #
    # -=[ Rule Logic ]=-
    # These rules look for common LDAP data constructions.
    # 
    # -=[ References ]=-
    # http://technet.microsoft.com/en-us/library/aa996205%28EXCHG.65%29.aspx
    #
    SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
            "phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'LDAP Injection Attack',id:'950010',tag:'OWASP_CRS/WEB_ATTACK/LDAP_INJECTION',tag:'WASCTC/WASC-29',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_LDAP_INJECTION"
    
    SecMarker END_LDAP_INJECTION
    
    #
    # SSI injection
    #
    # -=[ Rule Logic ]=-
    # These rules look for common Server-Side Include format data on input.
    #
    # -=[ References ]=-
    # http://projects.webappsec.org/SSI-Injection
    #
    SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<!--\W*?#\W*?(?:e(?:cho|xec)|printenv|include|cmd)" \
            "phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'SSI injection Attack',id:'950011',tag:'OWASP_CRS/WEB_ATTACK/SSI_INJECTION',tag:'WASCTC/WASC-36',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SSI_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_SSI_INJECTION"
    
    SecMarker END_SSI_INJECTION
    
    #
    # UPDF XSS
    #
    # -=[ Rule Logic ]=-
    # This rule looks for a link being submitted that contains the # fragment in a query_string.
    #
    # -=[ References ]=-
    # http://www.modsecurity.org/projects/modsecurity/apache/feature_universal_pdf_xss.html
    #
    SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#" \
            "phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Universal PDF XSS URL Detected.',id:'950018',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/UPDF_XSS-%{matched_var_name}=%{tx.0}"
    
    
    #
    # Email Injection
    #
    # -=[ References ]=-
    # http://projects.webappsec.org/Mail-Command-Injection
    #
    SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \
            "phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'Email Injection Attack',id:'950019',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/EMAIL_INJECTION-%{matched_var_name}=%{tx.0}"
    
    
    #
    # HTTP Request Smuggling
    #
    # -=[ Rule Logic ]=-
    # This rule looks for a comma character in either the Content-Length or Transfer-Encoding
    # request headers.  This character would indicate that there were more than one request header
    # with this same name.  In these instances, Apache treats the data in a similar manner as 
    # multiple cookie values.
    #
    # -=[ References ]=-
    # http://projects.webappsec.org/HTTP-Request-Smuggling
    # http://article.gmane.org/gmane.comp.apache.mod-security.user/3299
    #
    SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," "phase:1,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',t:none,capture,block,msg:'HTTP Request Smuggling Attack.',id:'950012',tag:'OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING',tag:'WASCTC/WASC-26',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING-%{matched_var_name}=%{tx.0}"
    
    #
    # HTTP Response Splitting
    #
    # -=[ Rule Logic ]=-
    # These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters.
    # These characters may cause problems if the data is returned in a response header and
    # may be interpreted by an intermediary proxy server and treated as two separate 
    # responses.
    # 
    # -=[ References ]=-
    # http://projects.webappsec.org/HTTP-Response-Splitting
    #
    SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "[\n\r](?:content-(type|length)|set-cookie|location):" \
            "phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'HTTP Response Splitting Attack',id:'950910',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}"
    SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
            "phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'HTTP Response Splitting Attack',id:'950911',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{matched_var_name}=%{tx.0}"
    
    
    #
    # RFI Attack
    #
    # -=[ Rule Logic ]=-
    # These rules look for common types of Remote File Inclusion (RFI) attack methods.
    #	- URL Contains an IP Address
    #	- The PHP "include()" Function
    #	- RFI Data Ends with Question Mark(s) (?)
    #	- RFI Host Doesn't Match Local Host
    #
    # -=[ References ]=-
    # http://projects.webappsec.org/Remote-File-Inclusion
    # http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
    #
    SecRule ARGS "^(?i)(?:ht|f)tps?:\/\/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \
            "phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Remote File Inclusion Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'950117',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/RFI',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}"
    
    SecRule QUERY_STRING|REQUEST_BODY "(?i:(\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(ht|f)tps?:\/\/)" \
            "phase:2,rev:'3',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,block,msg:'Remote File Inclusion Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'950118',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/RFI',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}"
    
    SecRule ARGS "^(?i)(?:ft|htt)ps?(.*?)\?+$" \
            "phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Remote File Inclusion Attack',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'950119',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/RFI',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}"
    
    SecRule ARGS "^(?:ht|f)tps?://(.*)$" \
            "chain,phase:2,rev:'3',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',t:none,capture,ctl:auditLogParts=+E,block,msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',id:'950120',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/RFI'"
            SecRule TX:1 "!@beginsWith %{request_headers.host}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.1}"
    
    #
    # Prequalify Request Matches
    #
    SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile modsecurity_40_generic_attacks.data" \
    	"phase:2,id:'981133',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1"
    
    SecRule TX:PM_SCORE "@eq 0" "phase:2,id:'981134',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',t:none,pass,skipAfter:END_PM_CHECK,nolog"
    
    #
    # Begin RegEx Checks for target locations that matched the prequalifier checks
    #
    	#
    	# Session fixation
    	# 
    	# -=[ References ]=-
    	# http://projects.webappsec.org/Session-Fixation
    	#	
    	SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i)(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
    		"phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,block,msg:'Session Fixation Attack',id:'950009',tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}"
    
    
    	SecRule ARGS_NAMES "@pm jsessionid aspsessionid asp.net_sessionid phpsession phpsessid weblogicsession session_id session-id cfid cftoken cfsid jservsession jwsession" \
    		"chain,phase:2,rev:'1',ver:'OWASP_CRS/2.2.9',maturity:'1',accuracy:'7',t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'Session Fixation',id:'950003',tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2'"
    		SecRule REQUEST_HEADERS:Referer	"^(?:ht|f)tps?://(.*?)\/" "chain,capture" 
            		SecRule TX:1 "!@beginsWith %{request_headers.host}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}" 
    
    
            SecRule ARGS_NAMES "@pm jsessionid aspsessionid asp.net_sessionid phpsession phpsessid weblogicsession session_id session-id cfid cftoken cfsid jservsession jwsession" \
                    "chain,phase:2,rev:'1',ver:'OWASP_CRS/2.2.9',maturity:'1',accuracy:'7',t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,msg:'Session Fixation',id:'950000',tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2'"
                    SecRule &REQUEST_HEADERS:Referer "@eq 0" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}"
    
    
    	SecMarker END_SESSION_FIXATION
    	
    	
    	#
    	# File Injection
    	#
    	SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
    		"phase:2,rev:'3',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',capture,t:none,t:cmdLine,ctl:auditLogParts=+E,block,msg:'Remote File Access Attempt',id:'950005',tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-33',tag:'OWASP_TOP_10/A4',tag:'PCI/6.5.4',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{matched_var_name}=%{tx.0}"
    
    	SecMarker END_FILE_INJECTION
    
    	#
    	# Command access
    	#
    	SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "\b(?:(?:n(?:map|et|c)|w(?:guest|sh)|telnet|rcmd|ftp)\.exe\b|cmd(?:(?:32)?\.exe\b|\b\W*?\/c))" \
    		"phase:2,rev:'3',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',capture,t:none,t:cmdLine,ctl:auditLogParts=+E,block,msg:'System Command Access',id:'950002',tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_ACCESS-%{matched_var_name}=%{tx.0}"
    
    	SecMarker END_COMMAND_ACCESS
    
    	#
    	# Command injection
    	#
    	SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:\.exe|32)\b|\b\W*?\/c)|d(?:\b\W*?[\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b)))" \
    		"phase:2,rev:'3',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',capture,t:none,t:cmdLine,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'950006',tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
    
    	SecMarker END_COMMAND_INJECTION
    		
    	#
    	# PHP injection
    	#
    	
    	SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "<\?(?!xml)" \
    	        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',capture,t:none,t:htmlEntityDecode,t:compressWhitespace,t:lowercase,ctl:auditLogParts=+E,block,msg:'PHP Injection Attack',id:'959151',severity:'2',tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
    		
    	SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i)(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" \
    	        "phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',capture,t:none,ctl:auditLogParts=+E,block,msg:'PHP Injection Attack',id:'958976',tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
    	
    	SecRule QUERY_STRING "@pm allow_url_include= safe_mode= suhosin.simulation= disable_functions= open_basedir= auto_prepend_file= php://input" \
    		"phase:2,rev:'1',ver:'OWASP_CRS/2.2.9',maturity:'1',accuracy:'9',t:none,t:urlDecodeUni,t:lowercase,ctl:auditLogParts=+E,block,msg:'PHP Injection Attack',id:'958977',tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',tag:'WASCTC/WASC-25',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE4',tag:'PCI/6.5.2',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{matched_var_name}=%{tx.0}"
    
    SecMarker END_PM_CHECK
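
The rule with id 981133 above loads its phrase list with `@pmFromFile modsecurity_40_generic_attacks.data`, and the file name has no directory part. ModSecurity 2.x resolves a relative `@pmFromFile` operand against the directory of the .conf file that contains the rule, so the .data file has to sit beside its .conf (or the operand has to be rewritten as an absolute path). The following script is an added example, not code from the forum post or from the OWASP CRS project: it lists every `@pmFromFile` operand in a rules file, resolves each the way ModSecurity does, and reports whether the file exists. The sample rules file it builds in a temporary directory is constructed for the demo; the `/nonexistent/dir/...` path is a deliberately missing file, and no cPanel-specific path is assumed.

```shell
#!/bin/sh
# Added example, not code from the forum post or from the OWASP CRS project.
# ModSecurity 2.x resolves a relative @pmFromFile operand against the directory
# of the .conf file that contains the rule, so a .data file named without a
# path must sit next to its .conf; an absolute path is used as written.
# This script lists every @pmFromFile operand in a rules file and reports
# whether the resolved file exists, which is the check to run before
# restarting Apache.

# Print "OK <path>" or "MISSING <path>" for each @pmFromFile/@pmf operand in $1.
check_pmfromfile() {
    conf="$1"
    dir=$(dirname "$conf")
    grep -oE '@pm(FromFile|f) +[^" ]+' "$conf" | awk '{print $2}' |
    while IFS= read -r f; do
        case "$f" in
            /*) path="$f" ;;        # absolute path: used as written
            *)  path="$dir/$f" ;;   # relative path: relative to the .conf directory
        esac
        if [ -f "$path" ]; then
            printf 'OK      %s\n' "$path"
        else
            printf 'MISSING %s\n' "$path"
        fi
    done
}

# Count of referenced data files that do not exist; 0 means every list will load.
count_missing() {
    check_pmfromfile "$1" | grep -c '^MISSING' || true
}

# --- constructed demo input; the directory is a temp dir, not a cPanel path ---
demo=$(mktemp -d)
mkdir -p "$demo/rules"
cat > "$demo/rules/modsecurity_40_generic_attacks.conf" <<'EOF'
# relative operand: looked up beside this .conf
SecRule ARGS "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,id:'981133',nolog,pass,setvar:tx.pm_score=+1"
# absolute operand that does not exist on this machine (deliberately missing)
SecRule ARGS "@pmFromFile /nonexistent/dir/other_attacks.data" "phase:2,id:'900001',nolog,pass"
EOF
# a three-phrase stand-in for the real .data file, placed beside the .conf
printf 'select\nxp_cmdshell\n<?\n' > "$demo/rules/modsecurity_40_generic_attacks.data"

check_pmfromfile "$demo/rules/modsecurity_40_generic_attacks.conf"
echo "missing: $(count_missing "$demo/rules/modsecurity_40_generic_attacks.conf")"
```

Run it against the real .conf after copying the rules in (`check_pmfromfile /path/to/modsecurity_40_generic_attacks.conf`); any `MISSING` line means Apache will refuse to start with that rule file, because ModSecurity fails configuration when a `@pmFromFile` operand cannot be opened. Remove the temporary directory (`rm -rf "$demo"`) when finished with the demo.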
    
     
  4. cPanelMichael (Forums Analyst, Staff Member)

  5. Robertosky (Member, cPanel Access Level: Root Administrator)

    I uploaded the .conf to mod_security, so should they be on the mod_security path?
     
  6. cPanelMichael (Forums Analyst, Staff Member)

    Could you provide the specific paths you are referring to?

    Thank you.
     