
# Apache ModSecurity rules for ATTACK
#
# NOTE(review): every rule in this file evaluates REQUEST_URI only, while the
# operators and patterns read like they were taken from rules written for
# other targets (header counts, Content-Type values, argument names). Read the
# per-rule notes before enabling this file: as written it is expected either
# to be rejected at config load (several patterns do not compile) or, where it
# does load, to deny every request rather than detect the attacks the messages
# name. Validate with the server's config test (e.g. `httpd -t`) and run with
# `SecRuleEngine DetectionOnly` first so the effect can be observed in the logs.
# NOTE(review): all 35 rules share the identical msg 'attack attack detected',
# so a log line will not show which check fired; give each rule a distinct msg
# (attack class plus the field inspected) before relying on these logs for
# triage. Several rules are also exact duplicates of each other (1000/1001,
# 1005/1006, 1012/1013, 1016/1017, 1023/1024); the second copy never adds
# anything because the first already denies the request.
# NOTE(review): no SecDefaultAction and no t: transformations are visible in
# this file, so each rule runs under the engine defaults — confirm in the full
# configuration that this is intended.
SecRuleEngine On
# NOTE(review): @lt/@gt/@eq compare numerically. REQUEST_URI is a string, which
# converts to 0 for this comparison, so "@lt 1" is expected to match every
# request and deny all traffic; the same applies to "@lt 2" (1012/1013),
# "@lt 3" (1016/1017) and "@lt 4" (1023/1024) below, while "@gt 0" (1018),
# "@gt 1" (1020) and "!@eq 0" (1472) can never match. Presumably these were
# count checks against some other variable (the "&VAR" form) that lost their
# original target — TODO confirm the intended variable before fixing.
SecRule REQUEST_URI "@lt 1" "id:1000,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1001,phase:1,deny,status:403,log,msg:'attack attack detected'"
# NOTE(review): the regexes in 1002-1011 look like protocol-attack patterns
# with every backslash stripped: "s+" for "\s+", "d" for "\d", "b" for "\b",
# "[nr]" for "[\n\r]", "W" for "\W". As written, "[nr]" (1005/1006/1008/1014)
# matches any URI containing the letter n or r, and "unix:[^|]*|" (1011) ends
# in an unescaped alternation whose right-hand branch is empty, so it matches
# every URI. Pattern 1009 contains a ")" with no matching "(" and is expected
# to be rejected by the regex compiler at load time.
SecRule REQUEST_URI "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d" "id:1002,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w" "id:1003,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx (?:bhttp/d|<(?:html|meta)b)" "id:1004,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [nr]" "id:1005,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [nr]" "id:1006,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:" "id:1007,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [nr]" "id:1008,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx ^[^:()&|!<>~]*)s*(?:((?:[^,()=&|!<>~]+[><~]?=|s*[&!|]s*(?:)|()?s*)|)s*(s*[&|!]s*|[&!|]s*([^()=&|!<>~]+[><~]?=[^:()&|!<>~]*)" "id:1009,phase:1,deny,status:403,log,msg:'attack attack detected'"
# NOTE(review): 1010 and 1015 are Content-Type media-type patterns
# ("application/json", "text/xml", "multipart", "x-www-form-urlencoded", ...)
# applied to the request URI; they will only fire on URIs that happen to
# contain those literal strings, which is not a header check.
SecRule REQUEST_URI "@rx ^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)" "id:1010,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx unix:[^|]*|" "id:1011,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1012,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1013,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [nr]" "id:1014,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx ^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b" "id:1015,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1016,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1017,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt 0" "id:1018,phase:1,deny,status:403,log,msg:'attack attack detected'"
# NOTE(review): "@rx ." matches any non-empty URI, so 1019 denies every
# request on its own.
SecRule REQUEST_URI "@rx ." "id:1019,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@gt 1" "id:1020,phase:1,deny,status:403,log,msg:'attack attack detected'"
# NOTE(review): "TX:paramcounter_(.*)" is written like a variable specification
# rather than a pattern; as a regex it only matches URIs containing that
# literal text, and the capture group has no effect without a capture action.
SecRule REQUEST_URI "@rx TX:paramcounter_(.*)" "id:1021,phase:1,deny,status:403,log,msg:'attack attack detected'"
# NOTE(review): 1022 ends in "[)" which opens a character class that is never
# closed, and 1025 is a lone "["; both are expected to fail regex compilation
# and therefore to stop the whole configuration from loading. The originals
# were presumably "\]" / "\[" literals (bracket-in-parameter-name checks).
SecRule REQUEST_URI "@rx (][^]]+$|][^]]+[)" "id:1022,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1023,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1024,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx [" "id:1025,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "!@eq 0" "id:1472,phase:1,deny,status:403,log,msg:'attack attack detected'"
# NOTE(review): 1473 expands %{tx.allowed_request_content_type_charset}, which
# nothing in this file sets. If it is unset in the rest of the configuration
# the allow-list becomes "||", the negated @within then matches every URI and
# the rule denies all traffic — confirm where that tx variable is defined.
SecRule REQUEST_URI "!@within |%{tx.allowed_request_content_type_charset}|" "id:1473,phase:1,deny,status:403,log,msg:'attack attack detected'"
# NOTE(review): 1474-1476 are header-value patterns ("content-type:",
# "content-transfer-encoding:", a charset allow-list) applied to the URI.
# 1475 is a negated allow-list, so every ordinary URI fails it and is denied;
# its pattern also contains unescaped double quotes inside a double-quoted
# argument, which the Apache config parser is expected to treat as the end of
# the argument, and "(?:*|" has a quantifier with nothing to repeat. Expect
# this line to be rejected at load time rather than to run.
SecRule REQUEST_URI "@rx ^content-types*:s*(.*)$" "id:1474,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "!@rx ^(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$" "id:1475,phase:1,deny,status:403,log,msg:'attack attack detected'"
SecRule REQUEST_URI "@rx content-transfer-encoding:(.*)" "id:1476,phase:1,deny,status:403,log,msg:'attack attack detected'"