mirror of
https://github.com/fabriziosalmi/patterns.git
synced 2025-12-17 17:55:48 +00:00
19 lines
3.0 KiB
Plaintext
19 lines
3.0 KiB
Plaintext
# Apache ModSecurity rules for RFI
|
|
SecRuleEngine On
|
|
|
|
SecRule REQUEST_URI "@lt 1" "id:1577,phase:1,deny,status:403,log,msg:'rfi attack detected'"
|
|
SecRule REQUEST_URI "@lt 1" "id:1578,phase:1,deny,status:403,log,msg:'rfi attack detected'"
|
|
SecRule REQUEST_URI "@rx ^(?i:file|ftps?|https?)://(?:d{1,3}.d{1,3}.d{1,3}.d{1,3})" "id:1579,phase:1,deny,status:403,log,msg:'rfi attack detected'"
|
|
SecRule REQUEST_URI "@rx (?i)(?:bincludes*([^)]*|mosConfig_absolute_path|_CONF[path]|_SERVER[DOCUMENT_ROOT]|GALLERY_BASEDIR|path[docroot]|appserv_root|config[root_dir])=(?:file|ftps?|https?)://" "id:1580,phase:1,deny,status:403,log,msg:'rfi attack detected'"
|
|
SecRule REQUEST_URI "@rx ^(?i:file|ftps?|https?).*??+$" "id:1581,phase:1,deny,status:403,log,msg:'rfi attack detected'"
|
|
SecRule REQUEST_URI "@lt 2" "id:1582,phase:1,deny,status:403,log,msg:'rfi attack detected'"
|
|
SecRule REQUEST_URI "@lt 2" "id:1583,phase:1,deny,status:403,log,msg:'rfi attack detected'"
|
|
SecRule REQUEST_URI "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" "id:1584,phase:1,deny,status:403,log,msg:'rfi attack detected'"
|
|
SecRule REQUEST_URI "!@endsWith .%{request_headers.host}" "id:1585,phase:1,deny,status:403,log,msg:'rfi attack detected'"
|
|
SecRule REQUEST_URI "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" "id:1586,phase:1,deny,status:403,log,msg:'rfi attack detected'"
|
|
SecRule REQUEST_URI "!@endsWith .%{request_headers.host}" "id:1587,phase:1,deny,status:403,log,msg:'rfi attack detected'"
|
|
SecRule REQUEST_URI "@lt 3" "id:1588,phase:1,deny,status:403,log,msg:'rfi attack detected'"
|
|
SecRule REQUEST_URI "@lt 3" "id:1589,phase:1,deny,status:403,log,msg:'rfi attack detected'"
|
|
SecRule REQUEST_URI "@lt 4" "id:1590,phase:1,deny,status:403,log,msg:'rfi attack detected'"
|
|
SecRule REQUEST_URI "@lt 4" "id:1591,phase:1,deny,status:403,log,msg:'rfi attack detected'"
|