# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.2.8 # Copyright (C) 2006-2012 Trustwave All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # Uncomment the anomaly sections you wish to use. # These rules use the anomaly score settings specified in the 10 config file. # You should also set the desired disruptive action (deny, redirect, etc...). # # Alert and Block based on Anomaly Score and OSVDB Check # SecRule TX:ANOMALY_SCORE "@gt 0" \ "chain,phase:2,id:'981175',t:none,deny,log,msg:'Inbound Attack Targeting OSVDB Flagged Resource.',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}" SecRule RESOURCE:OSVDB_VULNERABLE "@eq 1" chain SecRule TX:ANOMALY_SCORE_BLOCKING "@streq on" # Alert and Block based on Anomaly Scores # SecRule TX:ANOMALY_SCORE "@gt 0" \ "chain,phase:2,id:'981176',t:none,deny,log,msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): Last Matched Message: %{tx.msg}',logdata:'Last Matched Data: %{matched_var}',setvar:tx.inbound_tx_msg=%{tx.msg},setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}" SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}" chain SecRule TX:ANOMALY_SCORE_BLOCKING "@streq on" chain SecRule TX:/^\d+\-/ "(.*)" # Alert and Block on a specific attack category such as SQL Injection # #SecRule TX:SQL_INJECTION_SCORE "@gt 0" \ # "phase:2,t:none,log,block,msg:'SQL Injection Detected (score %{TX.SQL_INJECTION_SCORE}): %{tx.msg}'"