| Current File : //12_HTTP_Protocol.conf |
# ---------------------------------------------------------------
# Comodo ModSecurity Rules
# Copyright (C) 2022 Comodo Security solutions All rights reserved.
#
# The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
# THE COMODO SECURITY SOLUTIONS END USER LICENSE AGREEMENT,
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
# OWASP ModSecurity Core Rule Set (CRS)
# ---------------------------------------------------------------
SecRule WEBSERVER_ERROR_LOG "@contains Invalid URI in request" \
"id:210210,msg:'COMODO WAF: Apache Error: Invalid URI in Request.||%{tx.domain}|%{tx.mode}|4',phase:5,pass,setvar:'tx.points=+%{tx.points_limit1}',logdata:'%{request_line}',t:none,rev:2,severity:4,tag:'CWAF',tag:'Protocol'"
SecRule FILES|FILES_NAMES "[\x22';=]" \
"id:210220,msg:'COMODO WAF: Attempted multipart/form-data bypass||%{tx.domain}|%{tx.mode}|2',phase:2,block,setvar:'tx.points=+%{tx.points_limit4}',logdata:'%{matched_var}',t:none,t:urlDecodeUni,rev:1,severity:2,tag:'CWAF',tag:'Protocol'"
SecRule REQBODY_ERROR "!@eq 0" \
"id:210231,chain,msg:'COMODO WAF: XMLRPC protection||%{tx.domain}|%{tx.mode}|2',phase:2,deny,status:403,log,rev:2,severity:2,tag:'CWAF',tag:'Protocol'"
SecRule REQUEST_HEADERS:Content-Type "^text/xml$" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" \
"t:none,t:lowercase"
SecRule REQBODY_ERROR "!@eq 0" \
"id:210230,msg:'COMODO WAF: The request body could not be parsed. Possibility of an impedance mismatch attack. This is not a false positive.||%{tx.domain}|%{tx.mode}|2',phase:2,pass,setvar:'tx.points=+%{tx.points_limit4}',logdata:'%{REQBODY_ERROR_MSG}',t:none,rev:2,severity:2,tag:'CWAF',tag:'Protocol'"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:210240,msg:'COMODO WAF: Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}, BQ %{MULTIPART_BOUNDARY_QUOTED}, BW %{MULTIPART_BOUNDARY_WHITESPACE}, DB %{MULTIPART_DATA_BEFORE}, DA %{MULTIPART_DATA_AFTER}, HF %{MULTIPART_HEADER_FOLDING}, LF %{MULTIPART_LF_LINE}, SM %{MULTIPART_SEMICOLON_MISSING}, IQ %{MULTIPART_INVALID_QUOTING}, IH %{MULTIPART_INVALID_HEADER_FOLDING}, FLE %{MULTIPART_FILE_LIMIT_EXCEEDED}||%{tx.domain}|%{tx.mode}|2',phase:2,block,setvar:'tx.points=+%{tx.points_limit4}',t:none,rev:4,severity:2,tag:'CWAF',tag:'Protocol'"
SecRule REQUEST_HEADERS:Content-Length "!^[0-9]{1,}$" \
"id:210260,msg:'COMODO WAF: Content-Length HTTP header is not numeric or Integer overflow in CGit before 0.12 (CVE-2016-1901)||%{tx.domain}|%{tx.mode}|2',phase:1,block,setvar:'tx.points=+%{tx.points_limit4}',logdata:'%{matched_var}',t:none,rev:2,severity:2,tag:'CWAF',tag:'Protocol'"
SecRule REQUEST_METHOD "@streq HEAD" \
"id:210270,chain,msg:'COMODO WAF: HEAD Request with Body Content||%{tx.domain}|%{tx.mode}|2',phase:1,block,logdata:'%{matched_var}',t:none,rev:2,severity:2,tag:'CWAF',tag:'Protocol'"
SecRule REQUEST_HEADERS:Content-Length "!^0{0,1}$" \
"setvar:'tx.points=+%{tx.points_limit4}',t:none"
SecRule REQUEST_METHOD "@streq POST" \
"id:210280,chain,msg:'COMODO WAF: HTTP/1.0 POST request missing Content-Length Header||%{tx.domain}|%{tx.mode}|4',phase:1,block,logdata:'%{matched_var}',t:none,rev:4,severity:4,tag:'CWAF',tag:'Protocol'"
SecRule REQUEST_PROTOCOL "@streq HTTP/1.0" \
"chain"
SecRule &REQUEST_HEADERS:Content-Length "@eq 0" \
"setvar:'tx.points=+%{tx.points_limit1}',t:none"
SecRule REQUEST_HEADERS:Content-Encoding "^Identity$" \
"id:210290,msg:'COMODO WAF: Invalid Use of Identity Encoding||%{tx.domain}|%{tx.mode}|4',phase:1,block,setvar:'tx.points=+%{tx.points_limit1}',logdata:'%{matched_var}',t:none,rev:1,severity:4,tag:'CWAF',tag:'Protocol'"
SecRule REQUEST_HEADERS:Expect "@contains 100-continue" \
"id:210300,chain,msg:'COMODO WAF: Expect Header Not Allowed for HTTP 1.0||%{tx.domain}|%{tx.mode}|5',phase:1,block,logdata:'%{matched_var}',t:none,rev:1,severity:5,tag:'CWAF',tag:'Protocol'"
SecRule REQUEST_PROTOCOL "@streq HTTP/1.0" \
"setvar:'tx.points=+%{tx.points_limit1}',t:none"
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "([0-9]{1,})-([0-9]{1,})," \
"id:210330,chain,msg:'COMODO WAF: Range: Invalid Last Byte Value||%{tx.domain}|%{tx.mode}|4',phase:2,capture,block,setvar:'tx.points=+%{tx.points_limit2}',logdata:'%{matched_var}',t:none,rev:1,severity:4,tag:'CWAF',tag:'Protocol'"
SecRule TX:2 "!@ge %{tx.1}"
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "^bytes=((\d+)?\-(\d+)?\s*,?\s*){6}" \
"id:210340,chain,msg:'COMODO WAF: Range: Too many fields (6 or more)||%{tx.domain}|%{tx.mode}|4',phase:2,capture,block,logdata:'%{matched_var}',t:none,rev:3,severity:4,tag:'CWAF',tag:'Protocol'"
SecRule REQUEST_BASENAME "!@endsWith .pdf" \
"setvar:'tx.points=+%{tx.points_limit2}',t:none"
SecRule REQUEST_BASENAME "@endsWith .pdf" \
"id:210341,chain,msg:'COMODO WAF: Range: Too many fields for pdf request (35 or more)||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,log,logdata:'%{matched_var}',t:none,rev:3,severity:2,tag:'CWAF',tag:'Protocol'"
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "^bytes=((\d+)?\-(\d+)?\s*,?\s*){35}" \
"setvar:'tx.points=+%{tx.points_limit2}',t:none"
SecRule REQUEST_HEADERS:Connection "\b(close|keep-alive),[\t\n\r ]{0,1}(close|keep-alive)\b" \
"id:210350,msg:'COMODO WAF: Multiple/Conflicting Connection Header Data Found||%{tx.domain}|%{tx.mode}|4',phase:2,block,setvar:'tx.points=+%{tx.points_limit2}',logdata:'%{matched_var}',t:none,rev:1,severity:4,tag:'CWAF',tag:'Protocol'"
SecRule REQUEST_HEADERS:Content-Type "@rx ^(application\/x-www-form-urlencoded|text\/xml)(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" \
"id:210380,chain,msg:'COMODO WAF: URL Encoding Abuse Attack Attempt||%{tx.domain}|%{tx.mode}|4',phase:2,block,logdata:'%{matched_var_name}=%{matched_var}',t:none,rev:6,severity:4,tag:'CWAF',tag:'Protocol'"
SecRule &ARGS_POST:message_backup "@eq 0" \
"chain,t:none"
SecRule REQUEST_BODY|XML:/* "@rx \%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
"chain"
SecRule REQUEST_BODY|XML:/* "@validateUrlEncoding" \
"setvar:'tx.points=+%{tx.points_limit2}'"
SecRule REQUEST_URI "@rx \%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
"id:210381,chain,msg:'COMODO WAF: URL Encoding Abuse Attack Attempt||%{tx.domain}|%{tx.mode}|4',phase:2,block,logdata:'%{matched_var_name}=%{matched_var}',t:none,rev:6,severity:4,tag:'CWAF',tag:'Protocol'"
SecRule REQUEST_URI "@validateUrlEncoding" \
"setvar:'tx.points=+%{tx.points_limit2}'"
SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \
"id:210390,chain,msg:'COMODO WAF: UTF8 Encoding Abuse Attack Attempt||%{tx.domain}|%{tx.mode}|4',phase:2,block,t:none,rev:1,severity:4,tag:'CWAF',tag:'Protocol'"
SecRule ARGS|ARGS_NAMES|REQUEST_FILENAME "@validateUtf8Encoding" \
"setvar:'tx.points=+%{tx.points_limit2}'"
SecRule REQUEST_URI|REQUEST_BODY "@rx \%u[fF]{2}[0-9a-fA-F]{2}" \
"id:210400,msg:'COMODO WAF: Unicode Full/Half Width Abuse Attack Attempt||%{tx.domain}|%{tx.mode}|4',phase:2,block,setvar:'tx.points=+%{tx.points_limit2}',logdata:'%{matched_var_name}=%{matched_var}',t:none,rev:2,severity:4,tag:'CWAF',tag:'Protocol'"
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|REQUEST_URI|!REQUEST_HEADERS:Referer "@validateByteRange 1-255" \
"id:210410,msg:'COMODO WAF: Invalid character in request||%{tx.domain}|%{tx.mode}|3',phase:2,block,setvar:'tx.points=+%{tx.points_limit3}',logdata:'%{matched_var_name}=%{matched_var}',t:none,t:urlDecodeUni,rev:4,severity:3,tag:'CWAF',tag:'Protocol'"
SecRule TX:PARANOID_MODE "@eq 1" \
"id:210420,chain,msg:'COMODO WAF: Invalid character in request||%{tx.domain}|%{tx.mode}|3',phase:2,block,t:none,t:urlDecodeUni,rev:1,severity:3,tag:'CWAF',tag:'Protocol'"
SecRule REQUEST_BODY|REQUEST_HEADERS|REQUEST_HEADERS_NAMES|REQUEST_URI|TX:HPP_DATA|!REQUEST_HEADERS:Referer "@validateByteRange 32-126" \
"setvar:'tx.points=+%{tx.points_limit3}',t:urlDecodeUni"
SecRule REQUEST_METHOD "@streq POST" \
"id:217200,chain,msg:'COMODO WAF: HTTP/1.1 POST request missing Content-Length Header||%{tx.domain}|%{tx.mode}|2',phase:1,block,logdata:'%{matched_var}',t:none,rev:2,severity:2,tag:'CWAF',tag:'Protocol'"
SecRule REQUEST_PROTOCOL "@streq HTTP/1.1" \
"chain"
SecRule &REQUEST_HEADERS:Transfer-Encoding "@eq 0" \
"chain"
SecRule &REQUEST_HEADERS:Content-Length "@eq 0" \
"chain,t:none"
SecRule REQUEST_FILENAME "!@endsWith /wp-cron.php" \
"setvar:'tx.points=+%{tx.points_limit1}',t:none,t:lowercase"
SecRule REQUEST_LINE "!^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
"id:217210,msg:'COMODO WAF: Invalid HTTP Request Line||%{tx.domain}|%{tx.mode}|4',phase:2,block,log,logdata:'%{request_line}',t:none,rev:1,severity:4,tag:'CWAF',tag:'Protocol'"
SecRule REQUEST_HEADERS:Host "@rx ^$" \
"id:217230,msg:'COMODO WAF: Empty Host Header||%{tx.domain}|%{tx.mode}|4',phase:2,pass,setvar:'tx.points=+%{tx.points_limit2}',log,logdata:'%{matched_var_name}=%{matched_var}',t:none,rev:3,severity:4,tag:'CWAF',tag:'Protocol'"
SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \
"id:217240,msg:'COMODO WAF: Empty User Agent Header||%{tx.domain}|%{tx.mode}|5',phase:2,pass,setvar:'tx.points=+%{tx.points_limit1}',log,logdata:'%{matched_var_name}=%{matched_var}',t:none,rev:3,severity:5,tag:'CWAF',tag:'Protocol'"
SecRule REQUEST_HEADERS:Accept "@rx ^$" \
"id:217260,chain,msg:'COMODO WAF: Request Has an Empty Accept Header||%{tx.domain}|%{tx.mode}|5',phase:2,pass,logdata:'%{matched_var_name}=%{matched_var}',t:none,rev:3,severity:5,tag:'CWAF',tag:'Protocol'"
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
"chain,t:none"
SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android Business Enterprise Entreprise" \
"setvar:'tx.points=+%{tx.points_limit1}',t:none"
SecRule REQUEST_HEADERS:Accept "@rx ^$" \
"id:217261,chain,msg:'COMODO WAF: Request Has an Empty Accept Header||%{tx.domain}|%{tx.mode}|5',phase:2,pass,logdata:'%{matched_var_name}=%{matched_var}',t:none,rev:3,severity:5,tag:'CWAF',tag:'Protocol'"
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
"chain,t:none"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
"setvar:'tx.points=+%{tx.points_limit1}',t:none"
SecRule ARGS_NAMES|ARGS|XML:/*|!ARGS:/content/|!ARGS:address_street|!ARGS_POST:wpcf7-form "@pm get post head options connect put delete trace propfind propatch mkcol copy move lock unlock" \
"id:217280,chain,msg:'COMODO WAF: HTTP Request Smuggling Attack||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',ctl:auditLogParts=+E,t:none,rev:6,severity:2,tag:'CWAF',tag:'Protocol'"
SecRule MATCHED_VAR "@rx (?:\n|\r)+(?:get|post|head|options|connect|put|delete|trace|propfind|propatch|mkcol|copy|move|lock|unlock)\s+" \
"setvar:'tx.points=+%{tx.points_limit4}',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx (\n|\r)" \
"id:217290,msg:'COMODO WAF: HTTP Header Injection Attack via headers||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:htmlEntityDecode,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'Protocol'"
SecRule ARGS_NAMES "@rx (\n|\r)" \
"id:217291,msg:'HTTP Header Injection Attack via payload (CR/LF detected)||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,t:urlDecodeUni,t:htmlEntityDecode,rev:2,severity:2,tag:'CWAF',tag:'Protocol'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm type length set-cookie location" \
"id:211080,chain,msg:'COMODO WAF: HTTP Response Splitting Attack||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:auditLogParts=+E,t:none,rev:2,severity:2,tag:'CWAF',tag:'Protocol'"
SecRule MATCHED_VAR "@rx [\r\n]\W*?(?:content-(type|length)|set-cookie|location):" \
"setvar:'tx.points=+%{tx.points_limit4}',t:none,t:urlDecodeUni,t:lowercase"