| Current File : //09_Bruteforce_Bruteforce.conf |
# ---------------------------------------------------------------
# Comodo ModSecurity Rules
# Copyright (C) 2022 Comodo Security solutions All rights reserved.
#
# The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
# THE COMODO SECURITY SOLUTIONS END USER LICENSE AGREEMENT,
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
# OWASP ModSecurity Core Rule Set (CRS)
# ---------------------------------------------------------------
SecRule REQUEST_METHOD "@streq POST" \
"id:230000,chain,msg:'COMODO WAF: Brute Force Attack Identified|Source %{tx.real_ip} (%{tx.brute_force_block_counter} hits since last alert)|%{tx.domain}|%{tx.mode}|2',phase:1,block,t:none,rev:3,severity:2,tag:'CWAF',tag:'Bruteforce'"
SecRule ARGS_GET:page "!@streq akeebabackupwp/akeebabackupwp.php" \
"chain,t:none,t:urlDecodeUni,t:lowercase"
SecRule REQUEST_FILENAME "@pmFromFile userdata_login_pages" \
"chain,t:none"
SecRule IP:BRUTE_FORCE_BLOCK "@eq 1" \
"chain,setvar:'ip.brute_force_block_counter=+1'"
SecRule &IP:BRUTE_FORCE_BLOCK_FLAG "@eq 0" \
"setvar:'ip.brute_force_block_flag=1',setvar:'tx.brute_force_block_counter=%{ip.brute_force_block_counter}',setvar:'ip.brute_force_block_counter=0',expirevar:'ip.brute_force_block_flag=60'"
SecRule REQUEST_METHOD "@streq POST" \
"id:230001,chain,phase:1,block,nolog,t:none,rev:3,severity:2,tag:'CWAF',tag:'Bruteforce'"
SecRule REQUEST_FILENAME "@pmFromFile userdata_login_pages" \
"chain,t:none"
SecRule IP:BRUTE_FORCE_BLOCK "@eq 1" \
"setvar:'ip.brute_force_block_counter=+1'"
SecRule REQUEST_METHOD "!@streq POST" \
"id:230002,phase:5,pass,nolog,t:none,skipAfter:'GENERIC_POST_BRUTEFORCE_END',rev:3,severity:2,tag:'CWAF',tag:'Bruteforce'"
SecRule REQUEST_FILENAME "!@pmFromFile userdata_login_pages" \
"id:230003,phase:5,pass,nolog,t:none,skipAfter:'GENERIC_POST_BRUTEFORCE_END',rev:3,severity:2,tag:'CWAF',tag:'Bruteforce'"
SecRule IP:BRUTE_FORCE_BLOCK "@eq 1" \
"id:230004,phase:5,pass,nolog,t:none,skipAfter:'GENERIC_POST_BRUTEFORCE_END',rev:3,severity:2,tag:'CWAF',tag:'Bruteforce'"
SecAction \
"id:230005,phase:5,pass,setvar:'ip.brute_force_counter=+1',nolog,t:none"
SecRule IP:BRUTE_FORCE_COUNTER "@gt %{tx.brute_force_counter_threshold}" \
"id:230006,phase:5,pass,setvar:'ip.brute_force_burst_counter=+1',setvar:'!ip.brute_force_counter',expirevar:'ip.brute_force_burst_counter=%{tx.brute_force_burst_time_slice}',nolog,t:none,rev:3,severity:2,tag:'CWAF',tag:'Bruteforce'"
SecRule IP:BRUTE_FORCE_BURST_COUNTER "@ge 2" \
"id:230007,msg:'COMODO WAF: Potential Brute Force Attack|Source %{tx.real_ip} - # of Request Bursts: %{ip.brute_force_burst_counter}|%{tx.domain}|%{tx.mode}|2',phase:5,pass,setvar:'ip.brute_force_block=1',expirevar:'ip.brute_force_block=%{tx.brute_force_block_timeout}',log,t:none,rev:3,severity:2,tag:'CWAF',tag:'Bruteforce'"
SecMarker GENERIC_POST_BRUTEFORCE_END
SecRule REQUEST_FILENAME "@contains wp-login.php" \
"id:230010,chain,phase:2,pass,nolog,t:none,rev:3,severity:2,tag:'CWAF',tag:'Bruteforce'"
SecRule REQUEST_METHOD "@streq POST" \
"chain"
SecRule &ARGS:log "!eq 0" \
"chain"
SecRule &IP:PREVIOUS_USERNAME "@eq 0" \
"setvar:'ip.previous_username=%{args.log}'"
SecRule REQUEST_FILENAME "@contains wp-login.php" \
"id:230011,chain,msg:'COMODO WAF: Multiple Username Violation: Too Many Usernames Submitted for Authentication.||%{tx.domain}|%{tx.mode}|2',phase:2,block,logdata:'Current Username: %{args.log}',t:none,rev:3,severity:2,tag:'CWAF',tag:'Bruteforce'"
SecRule REQUEST_METHOD "@streq POST" \
"chain"
SecRule &ARGS:log "!@eq 0" \
"chain"
SecRule &IP:PREVIOUS_USERNAME "@eq 1" \
"chain"
SecRule ARGS:log "!within %{ip.previous_username}" \
"chain,setvar:'ip.multiple_username_count=+1',setvar:'ip.previous_username=%{ip.previous_username}, %{args.log}',expirevar:'ip.multiple_username_count=60'"
SecRule IP:MULTIPLE_USERNAME_COUNT "@gt 5"
SecRule REQUEST_FILENAME "@contains administrator" \
"id:230020,chain,phase:2,pass,nolog,t:none,rev:4,severity:2,tag:'CWAF',tag:'Bruteforce'"
SecRule REQUEST_METHOD "@streq POST" \
"chain"
SecRule &ARGS:username "!@eq 0" \
"chain"
SecRule &IP:PREVIOUS_USERNAME "@eq 0" \
"setvar:'ip.previous_username=%{args.username}'"
SecRule REQUEST_FILENAME "@contains administrator" \
"id:230021,chain,msg:'COMODO WAF: Multiple Username Violation: Too Many Usernames Submitted for Authentication.||%{tx.domain}|%{tx.mode}|2',phase:2,block,logdata:'Current Username: %{args.username}',t:none,rev:4,severity:2,tag:'CWAF',tag:'Bruteforce'"
SecRule REQUEST_METHOD "@streq POST" \
"chain"
SecRule &ARGS:username "!eq 0" \
"chain"
SecRule &IP:PREVIOUS_USERNAME "@eq 1" \
"chain"
SecRule ARGS:username "!within %{ip.previous_username}" \
"chain,setvar:'ip.multiple_username_count=+1',setvar:'ip.previous_username=%{ip.previous_username}, %{args.name}',expirevar:'ip.multiple_username_count=60'"
SecRule IP:MULTIPLE_USERNAME_COUNT "@gt 5"
SecRule REQUEST_METHOD "@streq POST" \
"id:230030,chain,phase:2,pass,nolog,t:none,rev:3,severity:2,tag:'CWAF',tag:'Bruteforce'"
SecRule ARGS_GET:q "@streq node" \
"chain"
SecRule ARGS_GET:destination "@streq node" \
"chain"
SecRule &ARGS:name "!@eq 0" \
"chain"
SecRule &IP:PREVIOUS_USERNAME "@eq 0" \
"setvar:'ip.previous_username=%{args.name}'"
SecRule REQUEST_METHOD "@streq POST" \
"id:230031,chain,msg:'COMODO WAF: Multiple Username Violation: Too Many Usernames Submitted for Authentication.||%{tx.domain}|%{tx.mode}|2',phase:2,block,logdata:'Current Username: %{args.name}',t:none,rev:3,severity:2,tag:'CWAF',tag:'Bruteforce'"
SecRule ARGS_GET:q "@streq node" \
"chain"
SecRule ARGS_GET:destination "@streq node" \
"chain"
SecRule &ARGS:name "!eq 0" \
"chain"
SecRule ARGS:name "!within %{ip.previous_username}" \
"chain,setvar:'ip.multiple_username_count=+1',setvar:'ip.previous_username=%{ip.previous_username}, %{args.name}',expirevar:'ip.multiple_username_count=60'"
SecRule &IP:PREVIOUS_USERNAME "@eq 1" \
"chain"
SecRule IP:MULTIPLE_USERNAME_COUNT "@gt 5"