system: Linux mars.sprixweb.com 3.10.0-1160.119.1.el7.x86_64 #1 SMP Tue Jun 4 14:43:51 UTC 2024 x86_64
# ---------------------------------------------------------------
# Comodo ModSecurity Rules
# Copyright (C) 2022 Comodo Security solutions All rights reserved.
#
# The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
# THE COMODO SECURITY SOLUTIONS END USER LICENSE AGREEMENT,
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
# OWASP ModSecurity Core Rule Set (CRS)
# ---------------------------------------------------------------
SecRule REQUEST_METHOD "!@pmFromFile userdata_wl_methods" \
"id:210700,msg:'COMODO WAF: Request method is not allowed by policy. Please update file userdata_wl_methods.||%{tx.domain}|%{tx.mode}|2',phase:1,pass,logdata:'%{matched_var}',nolog,t:none,rev:5,severity:2,tag:'CWAF',tag:'HTTP'"
SecRule REQUEST_METHOD "!@rx ^(?:GET|HEAD|PROPFIND|OPTIONS)$" \
"id:210710,chain,msg:'COMODO WAF: Request content type is not allowed by policy. Please update file userdata_wl_content_type.||%{tx.domain}|%{tx.mode}|2',phase:1,pass,logdata:'%{matched_var_name}=%{matched_var}',t:none,rev:5,severity:2,tag:'CWAF',tag:'HTTP'"
SecRule REQUEST_HEADERS:Content-Type "@rx ^([^;\s]+)" \
"chain,capture"
SecRule TX:0 "!@pmFromFile userdata_wl_content_type" \
"setvar:'tx.points=+%{tx.points_limit4}',ctl:forceRequestBodyVariable=On,t:none"
SecRule REQUEST_PROTOCOL "!@rx HTTP\/\d+(?:\.\d+)?" \
"id:210720,msg:'COMODO WAF: HTTP protocol version is not allowed by policy||%{tx.domain}|%{tx.mode}|2',phase:2,block,setvar:'tx.points=+%{tx.points_limit2}',logdata:'%{matched_var}',t:none,rev:2,severity:2,tag:'CWAF',tag:'HTTP'"
SecRule REQUEST_BASENAME "@rx \.(.{0,399})$" \
"id:210730,chain,msg:'COMODO WAF: URL file extension is restricted by policy||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.extension=.%{tx.1}/',logdata:'%{TX.0}',t:none,t:urlDecodeUni,t:lowercase,rev:5,severity:2,tag:'CWAF',tag:'HTTP'"
SecRule TX:EXTENSION "@pmFromFile userdata_bl_extensions" \
"chain,setvar:'tx.points=+%{tx.points_limit4}',t:none"
SecRule TX:EXTENSION "!@pmFromFile userdata_wl_extensions"
SecRule REQUEST_HEADERS_NAMES "^(.{0,})$" \
"id:210740,chain,msg:'COMODO WAF: HTTP header is restricted by policy||%{tx.domain}|%{tx.mode}|4',phase:2,capture,block,setvar:'tx.header_name=/%{tx.0}/',logdata:'%{matched_var}',t:none,rev:2,severity:4,tag:'CWAF',tag:'HTTP'"
SecRule TX:HEADER_NAME "@pmFromFile userdata_bl_headers" \
"setvar:'tx.points=+%{tx.points_limit2}'"
SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," \
"id:211070,msg:'COMODO WAF: HTTP Request Smuggling Attack.||%{tx.domain}|%{tx.mode}|2',phase:1,capture,block,setvar:'tx.points=+%{tx.points_limit4}',t:none,rev:1,severity:2,tag:'CWAF',tag:'HTTP'"
SecRule TX:CWAF_modsec "!@eq 1" \
"id:211090,chain,msg:'COMODO WAF: HTTP Response Splitting Attack||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',t:none,rev:3,severity:2,tag:'CWAF',tag:'HTTP'"
SecRule REQUEST_FILENAME "!@endsWith /sysext/install/start/install.php" \
"chain,setvar:'tx.points=+%{tx.points_limit4}',ctl:auditLogParts=+E,t:none,t:lowercase,t:normalizePath"
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:emailglobalheader|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "(?:\bhttp/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
SecRule REQUEST_HEADERS:Referer "@pmFromFile userdata_bl_referers" \
"id:217010,msg:'COMODO WAF: Referer is not allowed by policy||%{tx.domain}|%{tx.mode}|2',phase:2,block,setvar:'tx.points=+%{tx.points_limit4}',log,t:none,t:lowercase,rev:1,severity:2,tag:'CWAF',tag:'HTTP'"
SecRule REQUEST_COOKIES_NAMES "@pmFromFile userdata_bl_cookies" \
"id:217020,msg:'COMODO WAF: Cookie is not allowed by policy||%{tx.domain}|%{tx.mode}|2',phase:2,block,setvar:'tx.points=+%{tx.points_limit4}',log,t:none,t:lowercase,rev:2,severity:2,tag:'CWAF',tag:'HTTP'"