# --------------------------------------------------------------- # Core ModSecurity Rule Set ver.2.0.5 # Copyright (C) 2006-2010 Breach Security Inc. All rights reserved. # # The ModSecurity Core Rule Set is distributed under GPL version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # In most cases, you should expect a certain volume of each a request on your # website. For example, a request with 400 arguments, can be suspicious. # This file creates limitations on the request. # # TODO Look at the rules in this file, and define the sizes you'd like to enforce. # Note that most of the rules are commented out by default. # Uncomment the rules you need # ## -- Arguments limits -- # Limit argument name length SecRule &TX:ARG_NAME_LENGTH "@eq 1" "chain,phase:2,t:none,pass,nolog,auditlog,msg:'Argument name too long',id:'960209',severity:'4',rev:'2.0.5'" SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}" # Limit value name length SecRule &TX:ARG_LENGTH "@eq 1" "chain,phase:2,t:none,pass,nolog,auditlog,msg:'Argument value too long',id:'960208',severity:'4',rev:'2.0.5'" SecRule ARGS "@gt %{tx.arg_length}" "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}" # Maximum number of arguments in request limited SecRule &TX:MAX_NUM_ARGS "@eq 1" "chain,phase:2,t:none,pass,nolog,auditlog,msg:'Too many arguments in request',id:'960335',severity:'4',rev:'2.0.5'" SecRule &ARGS "@gt %{tx.max_num_args}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}" # Limit arguments total length SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" "chain,phase:2,t:none,pass,nolog,auditlog,msg:'Total arguments size exceeded',id:'960341',severity:'4',rev:'2.0.5'" SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}" ## -- File upload limits -- # Individual file size is limited SecRule &TX:MAX_FILE_SIZE "@eq 1" "chain,phase:2,t:none,pass,nolog,auditlog,msg:'Uploaded file size too large',id:'960342',severity:'4',rev:'2.0.5'" SecRule FILES_SIZES "@gt %{tx.max_file_size}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}" # Combined file size is limited SecRule &TX:COMBINED_FILE_SIZES "@eq 1" "chain,phase:2,t:none,pass,nolog,auditlog,msg:'Total uploaded files size too large',id:'960343',severity:'4',rev:'2.0.5'" SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"