External/patterns
1
0
Fork 0
mirror of https://github.com/fabriziosalmi/patterns.git synced 2025-12-17 17:55:48 +00:00
Code Issues Packages Projects Releases Wiki Activity
patterns/waf_patterns/apache/attack.conf
github-actions[bot] 5be5b718a6 Update: [Tue Jan 21 00:25:04 UTC 2025]
2025-01-21 00:25:04 +00:00

21 lines
2.5 KiB
Plaintext
Raw Blame History

# Apache ModSecurity rules for ATTACK
SecRuleEngine On
SecRule REQUEST_URI "\." "id:1050,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "TX:paramcounter_\(\.\*\)" "id:1052,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\(\?:bhttp/d\|<\(\?:html\|meta\)b\)" "id:1040,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^content\-types\*:s\*\(\.\*\)\$" "id:1036,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]\+\(\?:s\|location\|refresh\|\(\?:set\-\)\?cookie\|\(\?:x\-\)\?\(\?:forwarded\-\(\?:for\|host\|server\)\|host\|via\|remote\-ip\|remote\-addr\|originating\-IP\)\)s\*:" "id:1043,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt\ 0" "id:1049,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt\ 1" "id:1051,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1042,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "unix:\[\^\|\]\*\|" "id:1046,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[rn\]W\*\?\(\?:content\-\(\?:type\|length\)\|set\-cookie\|location\):s\*w" "id:1039,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?\(\?:application/\(\?:\.\+\+\)\?json\|\(\?:application/\(\?:soap\+\)\?\|text/\)xml\)" "id:1045,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\^\[\^sv,;\]\+\[sv,;\]\.\*\?b\(\?:\(\(\?:tex\|multipar\)t\|application\)\|\(\(\?:audi\|vide\)o\|image\|cs\[sv\]\|\(\?:vn\|relate\)d\|p\(\?:df\|lain\)\|json\|\(\?:soa\|cs\)p\|x\(\?:ml\|\-www\-form\-urlencoded\)\|form\-data\|x\-amf\|\(\?:octe\|repor\)t\|stream\)\|\(\[\+/\]\)\)b" "id:1048,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\(\?:get\|post\|head\|options\|connect\|put\|delete\|trace\|track\|patch\|propfind\|propatch\|mkcol\|copy\|move\|lock\|unlock\)s\+\[\^s\]\+s\+http/d" "id:1038,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1041,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1047,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "content\-transfer\-encoding:\(\.\*\)" "id:1037,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "\[nr\]" "id:1044,phase:1,deny,status:403,log,msg:'attack attack detected'"
Reference in New Issue View Git Blame Copy Permalink