/
19_Outgoing_FilterOther.conf
30 lines (24 loc) · 3.01 KB
/
19_Outgoing_FilterOther.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# ---------------------------------------------------------------
# Sliqua WAF based on Comodo ModSecurity Rules
# Copyright (C) 2016 Sliqua Enterprise Hosting, Inc.
# Copyright (C) 2015 Comodo Security solutions All rights reserved.
# Please see the enclosed LICENSE file for full details.
# ---------------------------------------------------------------
# This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
# OWASP ModSecurity Core Rule Set (CRS)
# Comodo Web Application Firewall
# ----------------------------------------------------------------
SecRule RESPONSE_BODY "<h2>Site Error</h2>.{0,20}<p>An error was encountered while publishing this resource\." \
"id:214400,msg:'COMODO WAF: Zope Information Leakage||%{tx.domain}|%{tx.mode}|3',phase:4,capture,block,setvar:'tx.outgoing_points=+%{tx.points_limit3}',setvar:'tx.points=+%{tx.points_limit3}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:'auditLogParts=+E',t:'none',rev:1,severity:3"
SecRule RESPONSE_BODY "\bThe error occurred in\b.{0,100}: line\b.{0,1000}\bColdFusion\b.{0,}?\bStack Trace \(click to expand\)" \
"id:214410,msg:'COMODO WAF: Cold Fusion Information Leakage||%{tx.domain}|%{tx.mode}|3',phase:4,capture,block,setvar:'tx.outgoing_points=+%{tx.points_limit3}',setvar:'tx.points=+%{tx.points_limit3}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:'auditLogParts=+E',t:'none',rev:1,severity:3"
SecRule RESPONSE_BODY "\b403 Forbidden\b.{0,}?\bInternet Security and Acceleration Server\b" \
"id:214430,msg:'COMODO WAF: ISA server existence revealed||%{tx.domain}|%{tx.mode}|3',phase:4,capture,block,setvar:'tx.outgoing_points=+%{tx.points_limit3}',setvar:'tx.points=+%{tx.points_limit3}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:'auditLogParts=+E',t:'none',rev:1,severity:3"
SecRule RESPONSE_BODY "<o:documentproperties>" \
"id:214440,msg:'COMODO WAF: Microsoft Office document properties leakage||%{tx.domain}|%{tx.mode}|3',phase:4,capture,block,setvar:'tx.outgoing_points=+%{tx.points_limit3}',setvar:'tx.points=+%{tx.points_limit3}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:'none',rev:1,severity:3"
SecRule RESPONSE_BODY "<cf" \
"id:214460,msg:'COMODO WAF: Cold Fusion source code leakage||%{tx.domain}|%{tx.mode}|3',phase:4,capture,block,setvar:'tx.outgoing_points=+%{tx.points_limit3}',setvar:'tx.points=+%{tx.points_limit3}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:'auditLogParts=+E',t:'none',rev:1,severity:3"
SecRule RESPONSE_STATUS "^500$" \
"id:214500,chain,msg:'COMODO WAF: WebLogic information disclosure||%{tx.domain}|%{tx.mode}|3',phase:4,capture,block,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:'auditLogParts=+E',t:'none',rev:1,severity:3"
SecRule RESPONSE_BODY "<title>JSP compile error</title>" \
"capture,setvar:'tx.outgoing_points=+%{tx.points_limit3}',setvar:'tx.points=+%{tx.points_limit3}',t:'none'"