# ModSecurity Rules Project # (http://www.modsecurity.org/projects/rules/) # # $Id: modsecurity-hardening.conf,v 1.1.1.1 2006/01/03 13:52:16 ivanr Exp $ # # Copyright (C) 2005,2006 Thinking Stone (http://www.thinkingstone.com). # All rights reserved. # # Redistribution and use, with or without modification, are permitted # provided that the following conditions are met: # # * Redistributions must retain the above copyright notice, this list # of conditions and the following disclaimer in the source code # and in the documentation and/or other materials provided with the # distribution. # # * Neither the name of "Thinking Stone", "ModSecurity", nor the names # of its contributors may be used to endorse or promote products # derived from this software without specific prior written permission. # # THESE RULES ARE PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS # IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR # CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, # EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, # PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR # PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF # LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING # NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THESE # RULES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # This is a generic rule set for ModSecurity 1.9.x. It will work # as is, when included from the main Apache configuration file, # but to achieve maximum performance and protection, it needs to # be tweaked according to your specific circumstances. # # Next to each rule there is a description of what it does. Each # location where customisation is needed is marked with "TODO". It # is recommended that you: # # 1) Keep a copy of the original file. This will allow you to use # the "diff" command to quickly see the changes. It will also # make upgrades to future rule sets easier. # # 2) Document your changes thoroughly. # # You are advised to start with ModSecurity in detection mode only. # Switch to protection when you are comfortable with your rule set. # For maximum protection monitor your logs on daily basis (or # better). # # TODO You may want to provide an error friendly message to your # users when you start rejecting requests. You can do this using # the Apache ErrorDocument directive. You should also add # mod_unique_id to your configuration and display the unique # request ID on the error page. This would allow your users to # report the request ID back to you so that you can investigate # the false positive (if that's what it is). A nice error page # usually reduces the impact of false positives on the users. # # The drawback of this user-friendly approach is that it is # easier for the attackers to figure out there is an web # application firewall protecting the application. # # ErrorDocument 403 /path/to/error_document.php # # For more information see http://httpd.apache.org/docs-2.0/custom-error.html ## -- Configuration ---------------------------------------------------------- # Whether to allow ModSecurity to run ("On") or not ("Off"). # # TODO Consider whether to use "DynamicOnly" for "SecFilterEngine". # This setting may serve as an performance improvement but you # MUST verify the Apache handler is used correctly. If you don't # do this attacks may go through undetected. # # Simply change "On" to "DynamicOnly", restart Apache, and execute # one request (with an attack payload) for a static resource, and # another (also with an attack payload) for a dynamic resource. The # first request one should not produce an error/warning message. The # second one should. # SecFilterEngine On # Whether to allow ModSecurity to buffer and monitor request bodies. # # This setting should always be "On". You may want to turn # it to "Off" in some areas (e.g. file uploads) but be warned that # effectively disables ModSecurity for attacks carries out through # in request bodies. Take special care to secure scripts that receive # request bodies directly. # SecFilterScanPost Off # Whether to allow ModSecurity to buffer and monitor response (bodies). # # This is useful to monitor for information leaks, or for signs # of intrusion. However, it does require all responses to be buffered # in memory. For most sites this should not be a problem, but special # care must be taken to avoid buffering file downloads (through # MIME type selection, as shown below). # # TODO If you decide to enable output filtering make sure to # review the list of scanned MIME types. # # SecFilterScanOutput Off # SecFilterOutputMimeTypes "(null) text/html text/plain" # Whether to check if the URL encoding in the request is valid. # # If a request with an invalid URL encoding is discovered it will # we *rejected* even if the default action (see below) says otherwise. # There is no reason to use invalid URL encodings in a request but # sometimes applications do it by mistake (e.g. in cases when URIs are # constructed dynamically using JavaScript). # SecFilterCheckURLEncoding On # Temporary file storage path. # # TODO Change the temporary folder setting to a path where only # the web server has access. # SecUploadDir /tmp # Whether or not to keep the stored files. # # In most cases you don't want to keep the uploaded files (especially # when there is a lot of them). It may be useful to change the setting # to "RelevantOnly", in which case the files uploaded in suspicious # requests will be stored. # SecUploadKeepFiles Off # Inspect uploaded files. # # TODO If there is a danger of attack through uploaded files then it # is possible to configure an external script to inspect each file # before it is seen by the application. An example script is # included with ModSecurity (/util/modsec-clamscan.pl). # # SecUploadApproveScript /path/to/script.pl ## -- Validation ------------------------------------------------------------- # Whether to check if proper UTF-8 encoding is used in requests. # # TODO Change to "On" if the application uses Unicode. This setting # must be configured on the per-application level. # # NOTE UTF-8 encoding uses bytes in the higher range. # SecFilterCheckUnicodeEncoding Off # Whether to restrict which bytes can be used in a request. # # TODO The default setting is not very restrictive. It only disallows # the null byte (only known use of this value is for attacks). # Applications that are English-only could try to use "10 126" # or "32 126" (if there are not tags in the # application). # # This directive allows only one range to be specified. You should # note that it is possible to use regular expressions to specify # multiple ranges. For following example allows characters 10, 13 # and 32-126: # # SecFilterSelective THE_REQUEST "!^[\x0a\x0d\x20-\x7e]+$" # # NOTE Languages other than English require bytes in the higher range. # SecFilterForceByteRange 1 255 # What to do when an error is encountered. # # The default is to log the error and let the request go through. # This is a reasonable setting to start with because you do not # want to reject legitimate requests with an non-tuned rule set. # # If, after monitoring the performance of the rule set after a # sufficient period, you determine the rules never (or rarely # trigger on legitimate requests) you can change to something # else, such as "log,deny,status:403". You can also leave the # default setting here as is, but use per-rule action configuration # to only configure some rules to reject requests, leaving most # of them to work in detection mode. # # SecFilterDefaultAction "log,pass" SecFilterDefaultAction "log,deny,status:403" ## -- Logging ---------------------------------------------------------------- # Whether to send ModSecurity messages to a separate debug log. # # Debug messages are very useful for, well, debugging. The default # setting here copies (they always appear in the Apache error log) # only the most important messages (errors and warnings). # # NOTE Debug logging is generally very slow. You should never # use values greater than "1" in production. Only values "0" # and "1" are acceptable for production. # SecFilterDebugLog logs/modsec_debug.log SecFilterDebugLevel 1 # Whether to log requests to the forensic log. # # By default, only requests that trigger a warning or an error will # be logged. This is a reasonable setting. The next step up is to # log all dynamic requests. This can be done through the "DynamicOrRelevant" # setting. # # NOTE It is also possible to configure forensic logging on the # per request basis using the "auditlog" and "noauditlog" rule # actions. # SecAuditEngine RelevantOnly SecAuditLog logs/modsec_audit.log # Create a separate log to monitor performance. # # TODO Performance monitoring only works with Apache 2.x. You need # to add mod_unique_id and mod_logio to your configuration. Then # uncomment the following two lines. # # LogFormat "%V %h %t %{UNIQUE_ID}e \"%r\" %>s %X | %I %O | %<{mod_security-time1}n %<{mod_security-time2}n %<{mod_security-time3}n %D" mperformance # CustomLog logs/modsec_performance.log mperformance # Custom application access log. # # TODO You should consider creating a custom access log. It could contain # the performance metrics from above, but should also record the # session ID for every request. That would make it possible to # list all requests performed as part of a session. # # One custom log should be used per application but if you want # multiple applications to share one log file make sure each # line includes a unique application ID (unless the hostname is # sufficient for differentiation). ## -- Apache Limits ---------------------------------------------------------- # These are Apache limit directives, but we are including them here because # they are often forgotten. If you already have these configured leave this # section entirely commented-out. Otherwise review the limits and uncomment # the directives. # Maximum size of the request body. # # NOTE If your application allows file uploads the value below will # most likely be way to low. # #LimitRequestBody 64000 # Maximum number of request headers in a request. # #LimitRequestFields 32 # Maximum size of request header lines. # #LimitRequestFieldSize 8000 # Maximum size of the request line. # #LimitRequestLine 4000 # This setting should only affect WebDAV. # #LimitXMLRequestBody 32000 ## -- Hardening -------------------------------------------------------------- # Only accept request encodings we know how to handle. # # TODO Most applications support only two encodings for request bodies # because that is all browsers know how to produce. If you fall into # this category you should uncomment the rules below. If you are using # automated tools to talk to the application you may be using other # content types. # # TODO There are many applications that are not using multipart/form-data # encoding (typically only used for file uploads). This content type # should also be disabled if not used. # # NOTE We allow any content type to be specified with GET or HEAD # because some tools incorrectly supply content type information # even when the body is not present. There is a rule further in # the file to prevent GET and HEAD requests to have bodies to we're # safe in that respect. # # TODO To make use of WebDAV you also need to enable "text/xml" content type. # # TODO To make use of PocketPC and AvantGo you also need to enable # "application/x-mal-client-data" content type. # # SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain # SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)" # Do not accept GET or HEAD requests with bodies # # HTTP standard allows GET requests to have a body but this # feature is not used in real-life. Attackers could try to force # a request body on an unsuspecting web applications. # SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain SecFilterSelective HTTP_Content-Length "!^$" # Restrict which request methods can be used # # TODO Most applications only use GET, HEAD, and POST request # methods. If you fall into this category then uncomment the # rule below. Otherwise update the list of allowed methods # and uncomment anyway. # # NOTE It is normally not possible to restrict TRACE with ModSecurity. # Use mod_rewrite instead. (Newer Apache versions have a directive # that controls whether TRACE is allowed or not.) # # SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$" # Restrict protocol versions. # SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" # Require Content-Length to be provided with every POST request. # SecFilterSelective REQUEST_METHOD "^POST$" chain SecFilterSelective HTTP_Content-Length "^$" # Don't accept transfer encodings we know we don't know how to handle # # NOTE ModSecurity does not support chunked transfer encodings at # this time. You MUST reject all such requests. # SecFilterSelective HTTP_Transfer-Encoding "!^$" ## -- Cross-Site Request Forgery (CSRF) -------------------------------------- # Cross-Site Request Forgery (CSRF) defence. Allow direct # requests and requests linked from our web site. Redirect # all other request to the entry page. # # TODO Put the real domain name instead of www.example.com # used below. The example assumes the allowed entry # pages are /, /index.html, and /welcome.html. # # NOTE This fragment must be customised for each domain name! # # NOTE This protection is not 100% effective but should cover # most common attacks. # # Allow empty Referer header, which happens when people # come to a URI directly. Also allow Referer values that # contain our domain name. Yes, this can be faked, but not # when request is part of a CSRF attack. # #SecFilterSelective HTTP_REFERER "!(^$|^http:/www\.example\.com/)" chain # # If we are here that means we believe the request originated # from some other web site. We allow direct entry only to a few # entry pages. In all other cases we issue an redirect to an # entry page. Note that we are very strict about what we allow # to pass through. For example, we do not allow request that contain # parameters, even if they specify an entry page correctly. # # It is a good idea to have a special page to redirect the users # to. Simply create a page that displays a message and redirects # again (automatically, after a few seconds), to a real entry page. # #SecFilterSelective REQUEST_URI "!^(/|/index\.html|/welcome\.html|)$" \ #"redirect:http://www.example.com/welcome.html" # http://www.gotroot.com/mod_security+rules # Gotroot.com ModSecurity rules # Application Security Rules # # modsecurity is trademark of Thinking Stone, Ltd. # # Version: N-20060803-01 # # Download from: http://www.gotroot.com/downloads/ftp/mod_security/rules.conf # # Created by The Prometheus Group (http://www.prometheus-group.com) # Redistribution is strictly prohibited. # Copyright 2005 and 2006, all rights reserved. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF # THE POSSIBILITY OF SUCH DAMAGE. #-------------------------------- # notes #-------------------------------- # Rules work with modsecurity 1.9.x and above only #-------------------------------- #start rules #-------------------------------- #Enforce proper HTTP requests SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "id:340000,rev:1,severity:1,msg:'Bad HTTP Protocol'" # Only accept request encodings we know how to handle # we exclude GET requests from this because some (automated) # clients supply "text/html" as Content-Type SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST|PUT|PROPFIND|OPTIONS)$" "chain,id:340001,rev:1,severity:2,msg:'Restricted HTTP function'" SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)" #Generic rule for allowed characters, very broken at the moment, dont use it unless you can fix it #Then post your fix eh! #SecFilterSelective REQUEST_URI "!^[-a-zA-z0-9\.\+_/\-\?\=]+$" "chain,id:340002,rev:1,severity:2,msg:'Restricted HTTP character set'" # Require Content-Length to be provided with # every POST request SecFilterSelective REQUEST_METHOD "^POST$" "chain,id:340003,rev:1,severity:2,msg:'Content Length not provided with POST'" SecFilterSelective HTTP_Content-Length "^$" # Don't accept transfer encodings we know we don't handle # (and you don't need it anyway) SecFilterSelective HTTP_Transfer-Encoding "!^$" "id:340004,rev:1,severity:2,msg:'Dis-allowed Transfer Encoding'" #HTTP response spilting generic sigs SecFilter "Content-Length\:.*Content-Type\:.*Content-Type\:" "id:340005,rev:1,severity:2,msg:'HTTP response splitting'" #HTTP response spilting generic sigs SecFilter "Content-Length\:" "chain,id:340006,rev:1,severity:2,msg:'HTTP response splitting'" SecFilter "Content-Type\:" chain SecFilter "Content-Type\:" #deny TRACE method SecFilterSelective REQUEST_METHOD "TRACE" "id:340007,rev:1,severity:2,msg:'TRACE method denied'" #XSS insertion into Content-Type SecFilterSelective THE_REQUEST "Content-Type\:.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)" "id:300002,rev:1,severity:2,msg:'XSS attack in Content-type header'" #Don't accept chunked encodings #modsecurity can not look at these, so this is a hole #that can bypass your rules, the rule before this one #should cover this, but hey paranoia is cheap SecFilterSelective HTTP_Transfer-Encoding "chunked" "id:300003,rev:1,severity:2,msg:'Chunked Transfer Encoding denied'" #Code injection via content length SecFilterSelective HTTP_Content-Length "\;(system|passthru|exec)\(" "id:330003,rev:1,severity:2,msg:'Code Injection in Content-Length header'" #broad cross site scripting rule #False alarms are a problem with this, use with caution #SecFilterSelective THE_REQUEST "<(.|\n)+>" #generic recursion signatures SecFilterSelective REQUEST_URI "!(alt_mod_frameset\.php)" "chain,id:300004,rev:1,severity:2,msg:'Generic Path Recursion denied'" SecFilterSelective THE_REQUEST "\.\./\.\./" #generic path recurision sig #generic recursion signatures SecFilterSelective THE_REQUEST "\.\|\./\.\|\./\.\|" "id:300005,rev:1,severity:2,msg:'Generic Path Recursion denied'" #generic bogus path sigs SecFilterSelective THE_REQUEST "\.\.\./" "id:300006,rev:1,severity:2,msg:'Bogus Path denied'" SecFilterSelective POST_PAYLOAD "[[:space:]]+\.\.\.+\;" "id:300007,rev:1,severity:2,msg:'Bogus Path denied'" #Generic PHP exploit signatures SecFilterSelective THE_REQUEST "(chr|fwrite|fopen|system|e?chr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330001,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'" #Generic PHP exploit signatures SecFilterSelective POST_PAYLOAD|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:330002,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'" #slightly tighter rules with narrower focus SecFilterSelective REQUEST_URI|POST_PAYLOAD "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" "id:300008,rev:1,severity:2,msg:'Generic PHP exploit pattern denied'" #generic XSS PHP attack types SecFilterSelective REQUEST_URI "\.php\?" "chain,id:300010,rev:1,severity:2,msg:'Generic PHP XSS exploit pattern denied'" SecFilter "(javascript\:/(.*new\x20ActiveXObject.*Sh\.regwrite|.*window\.opener\.document\.body.\innerHTML=window\.opener\.document\.body\.innerHTML\.replace)|onmouseover=\'javascript)" #Prevent SQL injection in cookies SecFilterSelective COOKIE_VALUES "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300011,rev:1,severity:2,msg:'Generic SQL injection in cookie'" #Prevent command injection through cookies SecFilterSelective COOKIE_VALUES "\; cmd=" #Prevent SQL injection in UA SecFilterSelective HTTP_USER_AGENT "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" "id:300012,rev:1,severity:2,msg:'Generic SQL injection in User Agent header'" #simple buffer overflow protection #there is an issue with positives with this, so use with care #SecFilterSelective THE_REQUEST "!^[\x0a\x0d\x20-\x7f]+$" "id:300013,rev:1,severity:2,msg:'Generic Simple Buffer Overflow protection'" # Generic filter to prevent SQL injection attacks # Understand that all SQL filters are very limited and are very difficult # to prevent false postives and negatives. # Pplease report false positives/negatives to mike@gotroot.com SecFilterSelective REQUEST_URI "!((/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/horde3?/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(Downloads|Submit_News)|/admin\.php\?module=NS\-AddStory\&op=|/index\.php\?name=PNphpBB2&file=posting&mode=reply.*|/phpMyAdmin/|/PNphpBB2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/_mmServerScripts/|/node/[0-9]+/edit|/_vti_bin/.*\.exe/)" "chain,id:300013,rev:1,severity:2,msg:'Generic SQL injection protection'" SecFilter "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|UNION SELECT.*\'.*\'.*,[0-9].*INTO.*FROM)" #Generic SQL sigs SecFilterSelective ARGS "(or.+1[[:space:]]*=[[:space:]]1|(or 1=1|'.+)--')" "id:300014,rev:1,severity:2,msg:'Generic SQL injection protection'" #Generic SQL sigs SecFilterSelective ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" "id:300015,rev:1,severity:2,msg:'Generic SQL injection protection'" #Generic SQL sigs #SecFilterSelective REQUEST_URI "!(/node/[0-9]+/edit|/forum/posting\.php|/admins/wnedit\.php|/alt_doc\.php\?returnUrl=.*edit|/admin/categories\.php\?cPath=.*|modules\.php\?name=Forums&file=posting&mode=.*)" "chain,id:300016,rev:1,severity:2,msg:'Generic SQL injection protection'" #SecFilterSelective ARGS "(insert[[:space:]]+into.+values|select.+from|bulk[[:space:]]+insert|union.+select)" #Generic command line attack filter SecFilterSelective REQUEST_URI "!(/Count\.cgi)" "chain,id:300017,rev:1,severity:2,msg:'Generic command line attack filter'" SecFilterSelective THE_REQUEST "\|+.*[\x20].*[\x20].*\|" #Generic PHP bad functions protection #PHP copy() function: http://securitytracker.com/alerts/2006/Apr/1015882.html SecFilterSelective ARGS_VALUES compress\.zlib: #Generic XSS filter #please report false positives SecFilterSelective REQUEST_URI "!/mt\.cgi" chain SecFilter "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>" #XSS in referrer and UA headers SecFilterSelective HTTP_REFERER|HTTP_USER_AGENT "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>" #PHP Injection Attack generic signature SecFilterSelective REQUEST_URI "\.php" chain SecFilter "(\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|cat|pagina|path|include_location|root|page|gorumDir|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |lwp-(download|request|mirror|rget) |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./|whoami|killall |rm \-[a-z|A-Z]))" #PHP Injection Attack generic signature SecFilterSelective REQUEST_URI "\.php\?(((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|pagina|path|pathtoroot|cat|include_location|gorumDir|root|page|site|topside|pun_root|open|seite)=(http|https|ftp)\:/|.*(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z]))" #Generic PHP remote file inclusion attack signature SecFilterSelective REQUEST_URI "\.php\?" chain SecFilter "(http|https|ftp)\:/" chain SecFilter "(cmd|command)=(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])" #Generic PHP remote file inclusion attack signature SecFilterSelective REQUEST_URI "\.php\?" chain SecFilter "(http|https|ftp)\:/" chain SecFilter "(cmd|command)=.*(cd|\;|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])" #really broad furl_fopen attack sig #tune this for your system #MTS SecFilterSelective REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/gallery/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300018,rev:1,severity:2,msg:'Generic PHP code injection protection'" SecFilterSelective REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/.*(\?|&)" #Genenric PHP body attack SecFilterSelective THE_REQUEST "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)" chain SecFilterSelective POST_PAYLOAD "^PHP\:*((cd|mkdir)[[:space:]]+(/|[A-Z|a-z|0-9]|\.)*|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat)|rexec |smbclient |t?ftp |ncftp |chmod |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])" #Generic PHP remote file injection SecFilterSelective REQUEST_URI "!((galler(y|i)/do_command))" chain SecFilterSelective REQUEST_URI "\.php\?.*=(http|http|ftp)\:/.*(cmd|command)=" #script, perl, etc. code in HTTP_Referer string SecFilterSelective HTTP_Referer "\#\!.*/" #generic command line attack SecFilterSelective REQUEST_URI|ARGS "\|*id\;echo*\|" #remote file inclusion generic attack signature SecFilterSelective THE_REQUEST "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain SecFilter "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)" #remote file inclusion generic attack signature SecFilterSelective THE_REQUEST "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|command|inc|name)=" #remote file inclusion generic attack signature SecFilterSelective ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain SecFilter "\?\&(cmd|inc|name)=" #remote file inclusion generic attack signature SecFilterSelective ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?\&(cmd|inc|name)=" #remote file inclusion generic attack signature SecFilterSelective REQUEST_URI "\.php\?.*=(http|https|ftp)\:/.*\?&cmd=" #Bogus file extensions generic signature SecFilterSelective THE_REQUEST "[A-Za-z0-9]\.(gif|jpg|png|bmp)\.txt" #PHP remote path attach generic signature SecFilterSelective REQUEST_URI "\.ph(p(3|4)?).*path=(http|https|ftp)\:/" SecFilterSelective REQUEST_URI "\.php.*path=(http|https|ftp)\:/" #generic attack sig SecFilterSelective THE_REQUEST "cd\x20*\;(cd|\;|echo|perl |killall |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname |cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)" # WEB-ATTACKS uname -a command attempt SecFilterSelective THE_REQUEST "uname" chain SecFilter "\x20-a" #Generic argument protection rule against bad meta characters #SecFilterSelective "ARGS" "!^[A-Za-z0-9.&/?@_%=:;, -]*$" #generic php attack sigs SecFilterSelective REQUEST_URI "(&(cmd|command)=(id|uname)\x20|cmd\?(cmd|command)=|(spy|cmd|cmd_out|sh)\.(gif|jpg|png|bmp|txt)\?&(cmd|command)=|\.php\?&(cmd|command)=)" # WEB-ATTACKS xterm command attempt SecFilterSelective THE_REQUEST "/usr/X11R6/bin/xterm" # WEB-ATTACKS /etc/shadow access SecFilterSelective THE_REQUEST "/etc/shadow" # WEB-ATTACKS /bin/ps command attempt SecFilterSelective THE_REQUEST "/bin/ps" # WEB-ATTACKS /usr/bin/id command attempt SecFilterSelective THE_REQUEST "/usr/bin/id" chain SecFilter "\x20" # WEB-ATTACKS echo command attempt SecFilterSelective THE_REQUEST "/bin/echo" chain SecFilter "\x20" # WEB-ATTACKS kill command attempt SecFilterSelective THE_REQUEST "/bin/kill" chain SecFilter "\x20" # WEB-ATTACKS chmod command attempt SecFilterSelective THE_REQUEST "/bin/chmod" chain SecFilter "\x20" # WEB-ATTACKS chsh command attempt SecFilterSelective THE_REQUEST "/usr/bin/chsh" # WEB-ATTACKS gcc command attempt SecFilterSelective THE_REQUEST "gcc" chain SecFilter "x20-o" # WEB-ATTACKS /usr/bin/cc command attempt SecFilterSelective THE_REQUEST "/usr/bin/cc" chain SecFilter "\x20" # WEB-ATTACKS /usr/bin/cpp command attempt SecFilterSelective THE_REQUEST "/usr/bin/cpp" chain SecFilter "\x20" # WEB-ATTACKS /usr/bin/g++ command attempt SecFilterSelective THE_REQUEST "/usr/bin/g\+\+" chain SecFilter "\x20" # WEB-ATTACKS g++ command attempt SecFilterSelective THE_REQUEST "g\+\+\x20" chain SecFilter "\x20" # WEB-ATTACKS bin/python access attempt SecFilterSelective THE_REQUEST "bin/python" chain SecFilter "\x20" # WEB-ATTACKS python access attempt #SecFilter "python\x20" # WEB-ATTACKS bin/tclsh execution attempt SecFilterSelective THE_REQUEST "bin/tclsh" # WEB-ATTACKS tclsh execution attempt SecFilterSelective THE_REQUEST "tclsh8\x20" # WEB-ATTACKS bin/nasm command attempt SecFilterSelective THE_REQUEST "bin/nasm" # WEB-ATTACKS nasm command attempt SecFilterSelective THE_REQUEST "nasm\x20" # WEB-ATTACKS /usr/bin/perl execution attempt SecFilterSelective THE_REQUEST "/usr/bin/perl" # WEB-ATTACKS traceroute command attempt SecFilterSelective THE_REQUEST "traceroute" chain SecFilter "\x20([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" # WEB-ATTACKS ping command attempt SecFilterSelective THE_REQUEST "/bin/ping" chain SecFilter "\x20" # WEB-ATTACKS X application to remote host attempt SecFilterSelective THE_REQUEST "\x20-display\x20" # WEB-ATTACKS mail command attempt SecFilterSelective THE_REQUEST "/bin/mail" chain SecFilter "\x20" # WEB-ATTACKS /bin/ls command attempt SecFilterSelective THE_REQUEST "/bin/ls" chain SecFilter "\x20" # WEB-ATTACKS /etc/inetd.conf access SecFilterSelective THE_REQUEST "/etc/inetd\.conf" # WEB-ATTACKS /etc/motd access SecFilterSelective THE_REQUEST "/etc/motd" # WEB-ATTACKS conf/httpd.conf attempt SecFilterSelective THE_REQUEST "conf/httpd\.conf" # WEB-MISC .htpasswd access SecFilterSelective THE_REQUEST "\.htpasswd" # WEB-MISC /etc/passwd access SecFilterSelective REQUEST_URI "/etc/passwd" # WEB-MISC nessus 1.X 404 probe SecFilterSelective REQUEST_URI "/nessus_is_probing_you_" # WEB-MISC nessus 2.x 404 probe SecFilterSelective REQUEST_URI "/NessusTest" # WEB-MISC ls%20-l SecFilterSelective THE_REQUEST "ls" chain SecFilter "\x20-l" # WEB-MISC apache directory disclosure attempt SecFilterSelective THE_REQUEST "////////" #musicat empower attempt SecFilterSelective REQUEST_URI "/empower\?DB=" # WEB-MISC Apache Chunked-Encoding worm attempt SecFilter "CCCCCCC\: AAAAAAAAAAAAAAAAAAA" # WEB-MISC *%0a.pl access SecFilterSelective REQUEST_URI "/*\x0a\.pl" #PHPBB worm sigs SecFilterSelective REQUEST_URI "!(tiki-searchindex\.php)" chain SecFilterSelective ARG_highlight "(\x27|%27|\x2527|%2527)" #PHP defenses SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$" #PHP defenses SecFilterSelective ARGS_NAMES "^(globals($|\[)|php:/)" #PHP defenses SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$" #PHP defenses SecFilterSelective COOKIE_sessionid "!^[0-9a-z\.]*$" # Web-attacks chdir SecFilterSelective REQUEST_URI "&(cmd|command)=chdir\x20" # TIKIWIKI SecFilterSelective REQUEST_URI "/tiki-map.phtml\?mapfile=\.\./\.\./" #SMTP redirects SecFilterSelective THE_REQUEST ^(http|https)\:/.+:25 #These are VERY experiemental, please report false positives/negatives, etc. #very experimental generic remote download sig #foo IP or FQDN, or foo http/https/ftp://whatever SecFilterSelective THE_REQUEST "(perl|t?ftp|links|elinks|lynx|ncftp|(s|r)(cp|sh)|wget|lwp-(download|request|mirror|rget)|curl|cvs|svn).*\x20((http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" #Command inline detection SecFilterSelective THE_REQUEST "( |\;|/|\'|,|\&|\=|\.)((s|r)(sh|cp)) *(.*\@.*|(http|https|ftp)\:/|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|.*[A-Za-z|0-9]\.[a-zA-Z]{2,4}/|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" #very experimental connect command sig SecFilterSelective THE_REQUEST "( |\;|/|\'|,|\&|\=|\.)(perl|nc|telnet|(rs)sh|rexec) .*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[A-Za-z|0-9]\.[a-zA-Z]{2,4}|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" #Commands, also need a major rework, these also have issues SecFilterSelective REQUEST_URI "\;\x20+?perl\x20+[A-Za-z|0-9]+;" #SecFilterSelective THE_REQUEST "echo\x20" SecFilterSelective THE_REQUEST "links -dump " SecFilterSelective THE_REQUEST "links -dump-(charset|width) " SecFilterSelective THE_REQUEST "links (http|https|ftp)\:/" SecFilterSelective THE_REQUEST "links -source " #SecFilterSelective THE_REQUEST "mkdir\x20" SecFilterSelective THE_REQUEST "cd\x20/(tmp|/var/tmp)" SecFilterSelective THE_REQUEST "cd \.\." SecFilterSelective THE_REQUEST "/\.(history|bash_history) HTTP\/(0\.9|1\.0|1\.1)$" #generic block for fwrite fopen uploads SecFilterSelective THE_REQUEST "fwrite" chain SecFilterSelective THE_REQUEST "fopen" #generic sig for more bad PHP functions SecFilterSelective THE_REQUEST "chr\(([0-9]{1,3})\)" SecFilterSelective ARGS_NAMES "^php:/" # WEB-MISC Tomcat view source attempt SecFilterSelective THE_REQUEST "\x252ejsp" # WEB-MISC whisker HEAD/./ #SecFilter "HEAD/./" # WEB-FRONTPAGE .... request SecFilterSelective THE_REQUEST "\.\.\.\./" #experimental CSS rule #SecFilterSelective REQUEST_URI "/(\x3C|<)(\x2F|\/)*[a-z0-9\%]+(\x3E|>)" #Generic attack rules pcre format #cross site scripting attempt IMG onerror or onload SecFilterSelective THE_REQUEST "\<IMG.*/\bonerror\b[\s]*=" #cross site scripting attempt TYPE + JAVASCRIPT SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/javascript" #cross site scripting attempt STYLE + JAVASCRIPT SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]application\/x-javascript" #cross site scripting attempt STYLE + JSCRIPT SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/jscript" # cross site scripting attempt STYLE + VBSCRIPT SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/vbscript" #cross site scripting attempt STYLE + VBSCRIPT SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]application\/x-vbscript" #cross site scripting attempt STYLE + ECMACRIPT SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/ecmascript" # cross site scripting attempt STYLE + EXPRESSION SecFilterSelective THE_REQUEST "STYLE[\s]*=[\s]*[^>]expression[\s]*\(" #cross site scripting attempt STYLE + EXPRESSION SecFilterSelective THE_REQUEST "[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>" # cross site scripting attempt using XML SecFilterSelective THE_REQUEST "<!\[CDATA\[<\]\]>SCRIPT" #cross site scripting attempt executing hidden Javascript SecFilterSelective THE_REQUEST "eval[\s]*\([\s]*[^\.]\.innerHTML[\s]*\)" #cross site scripting attempt executing hidden Javascript SecFilterSelective THE_REQUEST "window\.execScript[\s]*\(" #cross site scripting attempt to execute Javascript code SecFilterSelective THE_REQUEST "/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*javascript[\:]" #cross site scripting stealth attempt to execute Javascript code #may false alarm for some language sets SecFilterSelective REQUEST_URI "!(/index\.php\?module=Blocks&type=admin&func=update|/index\.php\?go=.*&edit=)" chain SecFilter "(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*[\'\"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]" #cross site scripting HTML Image tag set to javascript attempt SecFilterSelective THE_REQUEST "img src=javascript" #Apache /server-info accessible SecFilterSelective REQUEST_URI "/server-info" chain SecFilterSelective REMOTE_ADDR "!^127\.0\.0\.1$" #Apache /server-status accessible #Modified so apache-protect can run SecFilterSelective REQUEST_URI "^/server-status/$" chain SecFilterSelective REMOTE_ADDR "!^127\.0\.0\.1$" #generic Common HTTP vulnerability SecFilterSelective THE_REQUEST "/\?cwd=/" #General [url] php forum protections (phpbb and others, to protect against script injection attacks in url links) SecFilterSelective THE_REQUEST "\.php\?" chain SecFilter "\[url=(script|javascript|applet|about|chrome|activex)\:/.*\].*\[/url\]" #Experimental XML-RPC generic attack sigs SecFilter "\'\,\'\'\)\)\;" SecFilter "\<param\>\<name\>.*\'\)\;" #XML-RPC generic attack sigs SecFilterSelective POST_PAYLOAD "^Content-Type\: application/xml" chain SecFilter "(\<xml|\<.*xml)" chain SecFilter "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" chain SecFilter "methodCall\>" #Specific XML-RPC attacks on xmlrpc.php SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain SecFilter "(\<xml|\<.*xml)" chain SecFilter "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;" #Too generic, unless you know you won't see this in any of the fields of an XMLRPC message on your system #SecFilterSelective THE_REQUEST "/xmlrpc\.php" chain #SecFilter "(cd|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |id|uname |cvs |svn |(s|r)(cp|sh) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |\./)" #XML-RPC SQL injection generic signature SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain SecFilter "<methodName>.*</methodName>.*<value><string>.*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view).*methodName\>" #generic remote file inclusion vulns SecFilterSelective THE_REQUEST "/index\.php\?do=.*&page=(http|https|ftp)\:/" SecFilterSelective THE_REQUEST "/index\.php\?kietu\[.*\]=(http|https|ftp)\:/" SecFilterSelective THE_REQUEST "/index\.php\?libDir=http://xxxxxxxx" SecFilterSelective THE_REQUEST "/init\.php\?HTTP_POST_VARS\[GALLERY_BASEDIR\]=(http|https|ftp)\:/" #Virus HTTP Challenge/Reponse Auth SecFilterSelective THE_REQUEST "^Authorization\: Negotiate" chain SecFilter "YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFB" #catch smuggling attacks SecFilter "^(GET|POST).*Host:.*^(GET|POST)" #Drupal remote command execution vulnerability exploit signature #This is already covered in another generic signature, but just in case you leave it out, here it is #again with a slightly tigher regexp SecFilter "\<.*php .*\(.*\)\;system\(.*\).*php*\>" #Slightly stronger version of the above SecFilter "\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\).*php*\>" #Generic PHP attack sig SecFilterSelective THE_REQUEST "system\(getenv\(HTTP_PHP\)\)" #Generic Nessus request filter SecFilterSelective THE_REQUEST "NessusTest*\.html" #Generic PHP payload command injection and upload vulnerabilities SecFilterSelective POST_PAYLOAD "<\?php" chain SecFilter "((fputs|fread)\(.*\,.*\)\;|fsockopen\(gethostbyname|chr\(.*\)\.chr\(.*\)\.chr\(|(fclose|fgets)\(.*\)\;|(system|exec)\(.*\)\;)" chain SecFilter "\<\?php" #Generic XML RPC attack sig SecFilterSelective POST_PAYLOAD "\'(______BEGIN______|_____FIM_____)\'\;" #HTTP header PHP code injection attacks SecFilterSelective HTTP_CLIENT_IP|HTTP_USER_AGENT|HTTP_Referer "(<\?php|<[[:space:]]?\?[[:space:]]?php|<\? php)" #wormsign SecFilter "XXXXXXXXXXXXXXX\: \+\+\+\+\+\+\+\+\+\+\+\+\+" SecFilterSelective THE_REQUEST "THMC\.\$dbhost\.THMC\.\$dbname\.THMC\.\$dbuser\.THMC\.\$dbpasswd\.THMC" #phpbb wormsign SecFilterSelective THE_REQUEST "echo _GHC/RST_" #Generic PHP avatar upload exploits SecFilterSelective REQUEST_URI "\.php" chain SecFilterSelective POST_PAYLOAD "Content-Disposition\: form-data\; name=\"avatar\"\;" chain SecFilter "\<\?php" chain SecFilter "\?>" #Fake image file shell attacvk SecFilterSelective HTTP_Content-Type "image/.*" SecFilterSelective POST_PAYLOAD "chr\(" #bogus graphics file SecFilterSelective HTTP_Content-Disposition "\.php" chain SecFilterSelective HTTP_Content-Type "(image/gif|image/jpg|image/png|image/bmp)" #wormsign SecFilterSelective REQUEST_URI "Hacked.*by.*member.*of.*SCC" #Special account protection SecFilterSelective THE_REQUEST "/~(root|ftp|bin|nobody|named|guest|logs|sshd)(/\S*)? HTTP/(0\.9|1\.[01])$" SecFilterSelective REQUEST_URI "/~(root|ftp|bin|nobody|named|guest|logs|sshd)/" #Generic PHP fopen sig SecFilterSelective THE_REQUEST "fp=fopen\(" </IfModule>