system: Linux mars.sprixweb.com 3.10.0-1160.119.1.el7.x86_64 #1 SMP Tue Jun 4 14:43:51 UTC 2024 x86_64
# ---------------------------------------------------------------
# Comodo ModSecurity Rules
# Copyright (C) 2022 Comodo Security solutions All rights reserved.
#
# The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
# THE COMODO SECURITY SOLUTIONS END USER LICENSE AGREEMENT,
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
# OWASP ModSecurity Core Rule Set (CRS)
# ---------------------------------------------------------------
SecRule REQUEST_FILENAME "\.(avi|bmp|css|cgm|gif|ico|js|mp(3|4)|og(m|v|x)|p(n(g|m)|(b|g|p)m)|svg|swf|tiff{0,1}|w(ebp|mv)|(j|m)pe{0,1}g4{0,1})$" \
"id:210900,phase:2,pass,nolog,t:none,t:lowercase,skipAfter:'SECMARKER_210900',rev:1,severity:2,tag:'CWAF',tag:'Domains'"
SecRule REQUEST_URI "/imp/compose\.php" \
"id:210910,phase:2,pass,nolog,t:none,t:lowercase,skipAfter:'SECMARKER_210900',rev:1,severity:2,tag:'CWAF',tag:'Domains'"
SecRule ARGS|REQUEST_URI|XML:/*|!ARGS:/body/|!ARGS:/description/|!ARGS:/solution/|!ARGS:/subject/|!ARGS:/txt/|!ARGS:message|!ARGS:resolution "(?:data|gopher|ogg|php|zlib|(?:f|ht)tps{0,1}):/" \
"id:210920,chain,msg:'COMODO WAF: Malicious site name found in request||%{tx.domain}|%{tx.mode}|2',phase:2,capture,deny,status:403,logdata:'%{TX.0}',t:none,t:urlDecodeUni,t:replaceNulls,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,rev:4,severity:2,tag:'CWAF',tag:'Domains'"
SecRule ARGS|REQUEST_URI|XML:/*|!ARGS:/body/|!ARGS:/description/|!ARGS:/subject/|!ARGS:/txt/|!ARGS:message|!ARGS:resolution "!@pmFromFile userdata_wl_domains" \
"chain,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace"
SecRule ARGS|REQUEST_URI|XML:/*|!ARGS:/body/|!ARGS:/description/|!ARGS:/subject/|!ARGS:/txt/|!ARGS:message|!ARGS:resolution "@pmFromFile bl_domains" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace"
SecRule ARGS|REQUEST_URI|XML:/* "(?:data|gopher|ogg|php|zlib|(?:f|ht)tps{0,1}):/" \
"id:210921,chain,msg:'COMODO WAF: Malicious site name found in request blacklisted by userdata||%{tx.domain}|%{tx.mode}|2',phase:2,capture,deny,status:403,logdata:'%{TX.0}',t:none,t:urlDecodeUni,t:replaceNulls,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,rev:4,severity:2,tag:'CWAF',tag:'Domains'"
SecRule ARGS|REQUEST_URI|XML:/* "@pmFromFile userdata_bl_domains" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace"
SecRule ARGS|REQUEST_BODY|REQUEST_URI|XML:/*|!ARGS:/body/|!ARGS:/description/|!ARGS:/subject/|!ARGS:/txt/|!ARGS:resolution "(?:data|gopher|ogg|php|zlib|(?:f|ht)tps{0,1}):/" \
"id:210930,chain,msg:'COMODO WAF: Malicious site name found in body||%{tx.domain}|%{tx.mode}|2',phase:2,capture,deny,status:403,logdata:'%{TX.0}',t:none,t:base64Decode,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'Domains'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI|!ARGS:/body/|!ARGS:/description/|!ARGS:/subject/|!ARGS:/txt/ "!@pmFromFile userdata_wl_domains" \
"chain,t:base64Decode,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace"
SecRule ARGS|REQUEST_BODY|REQUEST_URI|!ARGS:/body/|!ARGS:/description/|!ARGS:/subject/|!ARGS:/txt/ "@pmFromFile bl_domains" \
"t:none,t:base64Decode,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace"
SecMarker SECMARKER_210900