Current File : //00_Init_Initialization.conf

# ---------------------------------------------------------------
# Comodo ModSecurity Rules
# Copyright (C) 2022 Comodo Security solutions All rights reserved.
#
# The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
# THE COMODO SECURITY SOLUTIONS END USER LICENSE AGREEMENT,
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
# OWASP ModSecurity Core Rule Set (CRS)
# ---------------------------------------------------------------

SecComponentSignature "CWAF_Apache"
SecResponseBodyAccess Off
SecDefaultAction \
	"phase:1,deny,log"

SecDefaultAction \
	"phase:2,deny,status:403,log,auditlog"

SecAction \
	"id:210000,phase:1,pass,setvar:'tx.max_num_args=100000',nolog,t:none"

SecRule &TX:domain "@eq 0" \
	"id:210002,phase:1,pass,setvar:'tx.domain=%{REQUEST_HEADERS.Host}',nolog,t:none,rev:7,severity:2,tag:'CWAF',tag:'Initialization'"

SecRule TX:domain "@pmf cwatch_managed_domains" \
	"id:210005,phase:1,pass,setvar:'tx.mode=M',nolog,t:none,t:lowercase,skip:2,rev:7,severity:2,tag:'CWAF',tag:'Initialization'"

SecRule TX:domain "@pmf cwatch_protected_domains" \
	"id:210006,phase:1,pass,setvar:'tx.mode=P',nolog,t:none,t:lowercase,skip:1,rev:7,severity:2,tag:'CWAF',tag:'Initialization'"

SecAction \
	"id:210003,phase:1,pass,setvar:'tx.mode=F',nolog"

SecAction \
	"id:210010,phase:1,pass,setvar:'tx.points_limit4=5',setvar:'tx.points_limit3=4',setvar:'tx.points_limit2=3',setvar:'tx.points_limit1=2',setvar:'tx.points=0',setvar:'tx.sqli_points=0',setvar:'tx.xss_points=0',setvar:'tx.incoming_points=0',setvar:'tx.outgoing_points=0',nolog,t:none"

SecAction \
	"id:210020,phase:1,pass,setvar:'tx.incoming_points_limit=5',setvar:'tx.outgoing_points_limit=4',setvar:'tx.points_blocking=off',setvar:'tx.process_response=off',nolog,t:none"

SecAction \
	"id:210030,phase:1,pass,setvar:'tx.brute_force_burst_time_slice=60',setvar:'tx.brute_force_counter_threshold=10',setvar:'tx.brute_force_block_timeout=300',nolog,t:none"

SecRule REQUEST_HEADERS:Content-Type "text/xml" \
	"id:210050,chain,phase:1,pass,nolog,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'Initialization'"
SecRule REQBODY_PROCESSOR "!@streq XML" \
	"ctl:requestBodyProcessor=XML"

SecRule REQUEST_HEADERS:User-Agent "^(.{0,})$" \
	"id:210060,phase:1,pass,setvar:'tx.ua_hash=%{matched_var}',nolog,t:none,t:sha1,t:hexEncode,rev:1,severity:2,tag:'CWAF',tag:'Initialization'"

SecRule REQUEST_HEADERS:x-forwarded-for "^\b([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\b" \
	"id:210070,phase:1,capture,pass,setvar:'tx.real_ip=%{tx.1}',nolog,t:none,rev:1,severity:2,tag:'CWAF',tag:'Initialization'"

SecRule &TX:REAL_IP "@eq 0" \
	"id:210090,chain,phase:1,pass,nolog,t:none,rev:8,severity:2,tag:'CWAF',tag:'Initialization'"
SecRule REMOTE_ADDR "@rx \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" \
	"capture,setvar:'tx.real_ip=%{tx.0}',t:none"

SecRule &TX:REAL_IP "!@eq 0" \
	"id:210080,phase:1,pass,initcol:global=global,initcol:ip=%{tx.real_ip}_%{tx.ua_hash},nolog,t:none,rev:2,severity:2,tag:'CWAF',tag:'Initialization'"

SecAction \
	"id:209030,phase:1,pass,setvar:'tx.brute_force_counter_threshold=6000',setvar:'tx.brute_force_block_timeoutand=300',setvar:'tx.brute_force_burst_time_slice=60',nolog,t:none"