krcert에서 내놓은 mod_security rule 예제입니다. 왠만한 인젝션과 XSS해킹 기법의 차단을 하도록 되어있습니다.
[CODE]##### Configuration #####
SecFilterEngine On
SecFilterScanPost On
SecFilterScanOutput Off
SecFilterOutputMimeTypes “(null) text/html text/plain”
##### Validation #####
SecFilterCheckURLEncoding On
SecUploadDir /tmp
SecUploadKeepFiles Off
SecFilterCheckUnicodeEncoding Off
SecFilterForceByteRange 1 255
SecFilterDefaultAction “log,deny,status:403”
##### Logging #####
SecFilterDebugLog logs/modsec_debug.log
SecFilterDebugLevel 1
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
##### Hardening #####
# Body를 가진 GET 또는 HEAD 요청 차단(공격 가능성 높음)
SecFilterSelective REQUEST_METHOD “^(GET|HEAD)$” chain
SecFilterSelective HTTP_Content-Length “!^$”
SecFilterSelective SERVER_PROTOCOL “!^HTTP/(0\.9|1\.0|1\.1)$”
# Content-Length가 없는 POST 요청 차단
SecFilterSelective REQUEST_METHOD “^POST$” chain
SecFilterSelective HTTP_Content-Length “^$”
SecFilterSelective HTTP_Transfer-Encoding “!^$”
##### General #####
SecFilterSelective HTTP_Host|HTTP_User-Agent|HTTP_Accept “^$”
SecFilterSelective HTTP_User-Agent “(libwhisker|paros|wget|libwww|perl|curl|java)”
##### SQL Injection Attacks #####
SecFilterSignatureAction “log,deny,msg:’SQL Injection attack'”
SecFilterSelective ARGS “delete[[:space:]]+from”
SecFilterSelective ARGS “drop[[:space:]]+database”
SecFilterSelective ARGS “drop[[:space:]]+table”
SecFilterSelective ARGS “drop[[:space:]]+column”
SecFilterSelective ARGS “drop[[:space:]]+procedure”
SecFilterSelective ARGS “create[[:space:]]+table”
SecFilterSelective ARGS “update.+set.+=”
SecFilterSelective ARGS “insert[[:space:]]+into.+values”
SecFilterSelective ARGS “select.+from”
SecFilterSelective ARGS “bulk[[:space:]]+insert”
SecFilterSelective ARGS “union.+select”
SecFilterSelective ARGS “or.+1[[:space:]]*=[[:space:]]1”
SecFilterSelective ARGS “alter[[:space:]]+table”
SecFilterSelective ARGS “or 1=1–‘”
SecFilterSelective ARGS “‘.+–“
SecFilterSelective ARGS “into[[:space:]]+outfile”
SecFilterSelective ARGS “load[[:space:]]+data”
SecFilterSelective ARGS “/\*.+\*/”
##### XSS Attacks #####
SecFilterSignatureAction “log,deny,msg:’XSS attack'”
SecFilterSelective ARGS “<script”
SecFilterSelective ARGS “”
SecFilterSelective ARGS “vbscript:”
SecFilterSelective ARGS “document\.cookie”
SecFilterSelective ARGS “document\.location”
SecFilterSelective ARGS “document\.write”
##### Command Execution #####
SecFilterSignatureAction “log,deny,msg:’Command execution attack'”
SecFilterSelective ARGS_VALUES “;[[:space:]]*(ls|id|pwd|wget)”
##### PHP Attacks #####
SecFilterSignatureAction “log,deny,msg:’PHP Injection Attacks'”
SecFilterSelective ARGS_VALUES “^http:/”
SecFilterSelective ARGS_NAMES “(^globals\[|^globals$)”[/HTML][/CODE]