Your IP : 216.73.216.95
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.0.2
# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:1,id:910011,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:910012,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
#
#
# -=[ IP Reputation Block Flag Check ]=-
#
# The first check we do is to see if the client IP address has already
# been blacklisted by rules from previous requests.
#
# If the rule matches, it will do a skipAfter and pick up processing
# at the end of the request phase for actual blocking.
#
SecRule TX:DO_REPUT_BLOCK "@eq 1" \
"msg:'Request from Known Malicious Client (Based on previous traffic violations).',\
logdata:'Previous Block Reason: %{ip.reput_block_reason}',\
severity:'CRITICAL',\
id:910000,\
phase:request,\
block,\
t:none,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
tag:'IP_REPUTATION/MALICIOUS_CLIENT',\
setvar:'tx.msg=%{rule.msg}',\
skipAfter:BEGIN_REQUEST_BLOCKING_EVAL,\
chain"
SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
"setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
#
# -=[ GeoIP Checks ]=-
#
# This rule requires activating the SecGeoLookupDB directive
# in the crs-setup.conf file and specifying
# the list of blocked countries (tx.high_risk_country_codes).
#
# This rule does a GeoIP resolution on the client IP address.
#
SecRule TX:HIGH_RISK_COUNTRY_CODES "!^$" \
"msg:'Client IP is from a HIGH Risk Country Location.',\
severity:'CRITICAL',\
id:910100,\
phase:request,\
block,\
t:none,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
chain"
SecRule TX:REAL_IP "@geoLookup" \
"chain"
SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" \
"setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
setvar:ip.reput_block_flag=1,\
expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
setvar:'ip.reput_block_reason=%{rule.msg}'"
#
# -=[ IP Reputation Checks ]=-
#
# ModSecurity Rules from Trustwave SpiderLabs: IP Blacklist Alert
# Ref: http://www.modsecurity.org/projects/commercial/rules/
#
# This rule checks the client IP address against a list of recent IPs captured
# from the SpiderLabs web honeypot systems (last 48 hours).
#
#SecRule TX:REAL_IP "@ipMatchFromFile ip_blacklist.data" \
"msg:'Client IP in Trustwave SpiderLabs IP Reputation Blacklist.',\
severity:'CRITICAL',\
id:910110,\
phase:request,\
block,\
t:none,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
setvar:ip.reput_block_flag=1,\
expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
setvar:'ip.reput_block_reason=%{rule.msg}'"
#
# First check if we have already run an @rbl check for this IP by checking in IP collection.
# If we have, then skip doing another check.
#
SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \
"id:910120,\
phase:request,\
nolog,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
pass,\
t:none,\
skipAfter:END_RBL_LOOKUP"
#
# Check Client IP against ProjectHoneypot's HTTP Blacklist
# Ref: http://www.projecthoneypot.org/httpbl_api.php
#
# To use the blacklist, you must register for an HttpBL API Key
# and choose the traffic types to block. See section
# "Project Honey Pot HTTP Blacklist" in crs-setup.conf.
#
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey
#
# Skip HttpBL checks if user has not defined one of the TX:block_* variables.
# This prevents error "Operator error: RBL httpBl called but no key defined: set SecHttpBlKey"
SecRule &TX:block_suspicious_ip "@eq 0" \
"id:910130,\
phase:request,\
t:none,\
nolog,\
pass,\
chain,\
skipAfter:END_RBL_CHECK"
SecRule &TX:block_harvester_ip "@eq 0" "chain"
SecRule &TX:block_spammer_ip "@eq 0" "chain"
SecRule &TX:block_search_ip "@eq 0"
SecRule TX:REAL_IP "@rbl dnsbl.httpbl.org" \
"id:910140,\
phase:request,\
capture,\
nolog,pass,t:none, \
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
chain,\
setvar:tx.httpbl_msg=%{tx.0}"
SecRule TX:httpbl_msg "RBL lookup of .*?.dnsbl.httpbl.org succeeded at TX:checkip. (.*?): .*" \
"t:none,\
capture,\
setvar:tx.httpbl_msg=%{tx.1}"
# The following regexs are generated based off re_operators.c
SecRule TX:block_search_ip "@eq 1" \
"msg:'HTTP Blacklist match for search engine IP', \
severity:'CRITICAL', \
id:910150,\
phase:request,\
block,\
t:none,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
chain,\
skipAfter:END_RBL_CHECK"
SecRule TX:httpbl_msg "Search Engine" \
"setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
setvar:ip.reput_block_flag=1,\
expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
setvar:'ip.reput_block_reason=%{rule.msg}',\
setvar:ip.previous_rbl_check=1,\
expirevar:ip.previous_rbl_check=86400"
SecRule TX:block_spammer_ip "@eq 1" \
"msg:'HTTP Blacklist match for spammer IP',\
severity:'CRITICAL',\
id:910160,\
phase:request,\
block,\
t:none,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
chain,\
skipAfter:END_RBL_CHECK"
SecRule TX:httpbl_msg "(?i)^.*? spammer .*?$" \
"setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
setvar:ip.reput_block_flag=1,\
expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
setvar:'ip.reput_block_reason=%{rule.msg}',\
setvar:ip.previous_rbl_check=1,\
expirevar:ip.previous_rbl_check=86400"
SecRule TX:block_suspicious_ip "@eq 1" \
"msg:'HTTP Blacklist match for suspicious IP',\
severity:'CRITICAL',\
id:910170,\
phase:request,\
block,\
t:none,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
chain,\
skipAfter:END_RBL_CHECK"
SecRule TX:httpbl_msg "(?i)^.*? suspicious .*?$" \
"setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
setvar:ip.reput_block_flag=1,\
expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
setvar:'ip.reput_block_reason=%{rule.msg}',\
setvar:ip.previous_rbl_check=1,\
expirevar:ip.previous_rbl_check=86400"
SecRule TX:block_harvester_ip "@eq 1" \
"msg:'HTTP Blacklist match for harvester IP',\
severity:'CRITICAL',\
id:910180,\
phase:request,\
block,\
t:none,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
chain,\
skipAfter:END_RBL_CHECK"
SecRule TX:httpbl_msg "(?i)^.*? harvester .*?$" \
"setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
setvar:ip.reput_block_flag=1,\
expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
setvar:'ip.reput_block_reason=%{rule.msg}',\
setvar:ip.previous_rbl_check=1,\
expirevar:ip.previous_rbl_check=86400"
SecAction \
"id:910190,\
phase:request,\
nolog,\
pass,\
t:none,\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
setvar:ip.previous_rbl_check=1,\
expirevar:ip.previous_rbl_check=86400"
SecMarker END_RBL_LOOKUP
SecMarker END_RBL_CHECK
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:1,id:910013,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:910014,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION"
#
# -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:1,id:910015,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:910016,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION"
#
# -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:1,id:910017,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:2,id:910018,nolog,pass,skipAfter:END-REQUEST-910-IP-REPUTATION"
#
# -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher)
#
#
# -= Paranoia Levels Finished =-
#
SecMarker "END-REQUEST-910-IP-REPUTATION"