Current File : //11_HTTP_HTTPDoS.conf

# ---------------------------------------------------------------
# Comodo ModSecurity Rules
# Copyright (C) 2022 Comodo Security solutions All rights reserved.
#
# The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
# THE COMODO SECURITY SOLUTIONS END USER LICENSE AGREEMENT,
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
# OWASP ModSecurity Core Rule Set (CRS)
# ---------------------------------------------------------------

SecRule RESPONSE_STATUS "@streq 408" \
	"id:230040,phase:5,pass,setvar:'ip.slowloris_counter=+1',expirevar:'ip.slowloris_counter=300',nolog,t:none,rev:1,severity:2,tag:'CWAF',tag:'HTTPDoS'"

SecRule IP:SLOWLORIS_COUNTER "@gt 5" \
	"id:230041,msg:'COMODO WAF: Slowloris HTTP DoS attack detected||%{tx.domain}|%{tx.mode}|2',phase:1,drop,log,t:none,rev:1,severity:2,tag:'CWAF',tag:'HTTPDoS'"

SecRule WEBSERVER_ERROR_LOG "@contains dateinterval::__construct():unknownorbadformat" \
	"id:217100,phase:5,pass,setvar:'IP.buffer_dos_count=+1',expirevar:'IP.buffer_dos_count=60',nolog,t:none,t:removeWhitespace,t:lowercase,rev:4,severity:2,tag:'CWAF',tag:'HTTPDoS'"

SecRule IP:buffer_dos_count "@gt 5" \
	"id:217101,msg:'COMODO WAF: Overflow and DOS Attack Vulnerability in the PHP through 5.5.6 (CVE-2013-6712)||%{tx.domain}|%{tx.mode}|2',phase:1,drop,status:408,log,t:none,rev:4,severity:2,tag:'CWAF',tag:'HTTPDoS'"

SecRule &TX:dos_burst_time_slice "@eq 0" \
	"id:217110,chain,phase:1,pass,nolog,t:none,skipAfter:'END_DOS_PROTECTION_CHECKS',rev:3,severity:2,tag:'CWAF',tag:'HTTPDoS'"
SecRule &TX:dos_counter_threshold "@eq 0" \
	"chain"
SecRule &TX:dos_block_timeout "@eq 0"

SecRule &TX:dos_burst_time_slice "@eq 0" \
	"id:217120,chain,phase:5,pass,nolog,t:none,skipAfter:'END_DOS_PROTECTION_CHECKS',rev:6,severity:2,tag:'CWAF',tag:'HTTPDoS'"
SecRule &TX:dos_counter_threshold "@eq 0" \
	"chain"
SecRule &TX:dos_block_timeout "@eq 0"

SecRule IP:DOS_BLOCK "@eq 1" \
	"id:217130,chain,msg:'DoS attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)||%{tx.domain}|%{tx.mode}|2',phase:1,drop,rev:4,severity:2,tag:'CWAF',tag:'HTTPDoS'"
SecRule &IP:DOS_BLOCK_FLAG "@eq 0" \
	"setvar:'ip.dos_block_counter=+1',setvar:'ip.dos_block_flag=1',setvar:'tx.dos_block_counter=%{ip.dos_block_counter}',setvar:'ip.dos_block_counter=0',expirevar:'ip.dos_block_flag=60'"

SecRule IP:DOS_BLOCK "@eq 1" \
	"id:217140,phase:1,drop,setvar:'ip.dos_block_counter=+1',nolog,t:none,rev:2,severity:2,tag:'CWAF',tag:'HTTPDoS'"

SecRule IP:DOS_BLOCK "@eq 1" \
	"id:217150,phase:5,deny,pass,nolog,t:none,skipAfter:'END_DOS_PROTECTION_CHECKS',rev:2,severity:2,tag:'CWAF',tag:'HTTPDoS'"

SecRule REQUEST_BASENAME "@rx \.[a-z0-9]{1,10}$" \
	"id:217160,chain,phase:5,capture,pass,setvar:'tx.extension=%{TX.1}',nolog,t:none,t:lowercase,rev:6,severity:2,tag:'CWAF',tag:'HTTPDoS'"
SecRule TX:EXTENSION "!@pmFromFile userdata_wl_extensions" \
	"setvar:'ip.dos_counter=+1'"

SecRule IP:DOS_COUNTER "@gt %{tx.dos_counter_threshold}" \
	"id:217170,chain,phase:5,pass,nolog,rev:3,severity:2,tag:'CWAF',tag:'HTTPDoS'"
SecRule &IP:DOS_BURST_COUNTER "@eq 0" \
	"setvar:'ip.dos_burst_counter=+1',setvar:'!ip.dos_counter',expirevar:'ip.dos_burst_counter=%{tx.dos_burst_time_slice}',t:none"

SecRule IP:DOS_COUNTER "@gt %{tx.dos_counter_threshold}" \
	"id:217171,chain,phase:5,pass,nolog,rev:3,severity:2,tag:'CWAF',tag:'HTTPDoS'"
SecRule &IP:DOS_BURST_COUNTER "@ge 1" \
	"setvar:'ip.dos_burst_counter=2',setvar:'!ip.dos_counter',expirevar:'ip.dos_burst_counter=%{tx.dos_burst_time_slice}'"

SecRule IP:DOS_BURST_COUNTER "@ge 2" \
	"id:217180,msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}||%{tx.domain}|%{tx.mode}|2',phase:5,pass,setvar:'ip.dos_block=1',expirevar:'ip.dos_block=%{tx.dos_block_timeout}',log,t:none,rev:3,severity:2,tag:'CWAF',tag:'HTTPDoS'"

SecMarker END_DOS_PROTECTION_CHECKS