Merge pull request #41 from SpiderLabs/master
Moving v3.0.0 updates to TRUNK branch
Showing
18 changed files
with
487 additions
and
631 deletions.
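--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,115 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.3.0.0
+# Copyright (C) 2006-2013 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+#
+# -=[ GeoIP Checks ]=-
+#
+# This rule requires that have activated the SecGeoLookupDb directive
+# in the modsecurity_crs_10_setup.conf file and specified HIGH Risk
+# country codes.
+#
+# This rule does a GeoIP resolution o
+SecRule REMOTE_ADDR "@geoLookup" \
+"msg:'Client IP is from a HIGH Risk Country Location.',\
+severity:'WARNING',\
+id:'900050',\
+phase:request,\
+block,\
+t:none,\
+tag:'AUTOMATION/MALICIOUS'\
+chain"
+SecRule GEO:COUNTRY_CODE "@pm %{tx.high_risk_country_codes}" \
+"setvar:'tx.msg=%{rule.msg}',\
+setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
+setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
+
+#
+# -=[ IP Reputation Checks ]=-
+#
+# ModSecurity Rules from Trustwave SpiderLabs: IP Blacklist Alert
+# Ref: https://www.trustwave.com/modsecurity-rules-support.php
+#
+# This rule checks the client IP address against a list of recent IPs captured
+# from the SpiderLabs web honeypot systems (last 48 hours).
+#
+#SecRule REMOTE_ADDR "@ipMatchFromFile ip_blacklist.txt" \
+"msg:'Client IP in Trustwave SpiderLabs Blacklist.',\
+severity:'CRITICAL',\
+id:'900051',\
+phase:request,\
+block,\
+t:none,\
+tag:'AUTOMATION/MALICIOUS',\
+setvar:'tx.msg=%{rule.msg}',\
+setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
+setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
+
+
+#
+# First check if we have already run an @rbl check for this IP by checking in IP collection.
+# If we have, then skip doing another check.
+#
+SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \
+"id:'900051',\
+phase:request,\
+nolog,\
+pass,\
+t:none,\
+skipAfter:END_RBL_LOOKUP"
+
+#
+# Check Client IP against ProjectHoneypot's HTTP Blacklist
+# Ref: http://www.projecthoneypot.org/httpbl_api.php
+#
+# Must register for an HttpBL API Key and configure SecHttpBlKey directive
+# in the modsecurity_crs_10_setup.conf file.
+# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey
+#
+#SecRule REMOTE_ADDR "@rbl dnsbl.httpbl.org" \
+"msg:'HTTP Blacklist match for client IP.',\
+severity:'CRITICAL',\
+id:'981138',\
+phase:request,\
+block,\
+t:none,\
+tag:'AUTOMATION/MALICIOUS',\
+setvar:'tx.msg=%{rule.msg}',\
+setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
+setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
+setvar:ip.malicious_client=1,\
+expirevar:ip.malicious_client=86400,\
+setvar:ip.previous_rbl_check=1,\
+expirevar:ip.previous_rbl_check=86400,\
+skipAfter:END_RBL_CHECK"
+
+SecAction \
+"id:'981139',\
+phase:request,\
+nolog,\
+pass,\
+t:none,\
+setvar:ip.previous_rbl_check=1,\
+expirevar:ip.previous_rbl_check=86400"
+
+SecMarker END_RBL_LOOKUP
+
+SecRule IP:MALICIOUS_CLIENT "@eq 1" \
+"msg:'Request from Known Malicious Client (Previous RBL Match).',\
+severity:'CRITICAL',\
+id:'981140',\
+phase:request,\
+block,\
+t:none,\
+tag:'AUTOMATION/MALICIOUS',\
+setvar:'tx.msg=%{rule.msg}',\
+setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
+setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
+
+SecMarker END_RBL_CHECK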
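Review bot: The action list of the active GeoIP rule (id 900050) has no comma between `tag:'AUTOMATION/MALICIOUS'\` and `chain"`, so once the `\`-continued lines are joined the actions read `tag:'AUTOMATION/MALICIOUS'chain`; whether the action parser rejects that at load or mis-parses the tag value, the chain to the GEO:COUNTRY_CODE check — the whole point of the rule — is not reliably established, so the line should be `tag:'AUTOMATION/MALICIOUS',\`. Rule id 900051 is also assigned twice, to the commented-out @ipMatchFromFile blacklist rule and to the active IP:PREVIOUS_RBL_CHECK skip rule; ModSecurity refuses duplicate ids, so the blacklist rule cannot be enabled by just removing its leading `#` until one of the two is renumbered (the skip rule's neighbours use the 9811xx range). The GeoIP header comment ends mid-sentence at `# This rule does a GeoIP resolution o` and should be completed or the fragment dropped. The two disabled rules rely on the `#` on the first physical line also swallowing the unprefixed continuation lines beneath it, which is presumably intended but deserves a one-line comment such as `# Disabled: the leading '#' covers every '\'-continued line of this rule.` so a reader does not take those lines for live directives.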