r4180 - in trunk/varnish-tools: . security.vcl security.vcl/tools security.vcl/vcl security.vcl/vcl/breach security.vcl/vcl/modules

kristian at projects.linpro.no
Fri Aug 14 12:54:54 CEST 2009


Author: kristian
Date: 2009-08-14 12:54:53 +0200 (Fri, 14 Aug 2009)
New Revision: 4180

Added:
   trunk/varnish-tools/security.vcl/
   trunk/varnish-tools/security.vcl/LICENSE
   trunk/varnish-tools/security.vcl/README
   trunk/varnish-tools/security.vcl/tools/
   trunk/varnish-tools/security.vcl/tools/2vcl.pl
   trunk/varnish-tools/security.vcl/tools/all2vcl.sh
   trunk/varnish-tools/security.vcl/tools/check_variables
   trunk/varnish-tools/security.vcl/tools/generate_variables
   trunk/varnish-tools/security.vcl/tools/rule_test
   trunk/varnish-tools/security.vcl/tools/varnish_reload
   trunk/varnish-tools/security.vcl/vcl/
   trunk/varnish-tools/security.vcl/vcl/Makefile
   trunk/varnish-tools/security.vcl/vcl/breach/
   trunk/varnish-tools/security.vcl/vcl/breach/20_protocol_violations.vcl
   trunk/varnish-tools/security.vcl/vcl/breach/21_protocol_anomalies.vcl
   trunk/varnish-tools/security.vcl/vcl/breach/23_request_limits.vcl
   trunk/varnish-tools/security.vcl/vcl/breach/30_http_policy.vcl
   trunk/varnish-tools/security.vcl/vcl/breach/35_bad_robots.vcl
   trunk/varnish-tools/security.vcl/vcl/breach/40_generic_attacks.vcl
   trunk/varnish-tools/security.vcl/vcl/breach/45_trojans.vcl
   trunk/varnish-tools/security.vcl/vcl/breach/50_outbound.vcl
   trunk/varnish-tools/security.vcl/vcl/main.vcl
   trunk/varnish-tools/security.vcl/vcl/modules/
   trunk/varnish-tools/security.vcl/vcl/modules/cmd.vcl
   trunk/varnish-tools/security.vcl/vcl/modules/content-encoding.vcl
   trunk/varnish-tools/security.vcl/vcl/modules/content-type.vcl
   trunk/varnish-tools/security.vcl/vcl/modules/demo.vcl
   trunk/varnish-tools/security.vcl/vcl/modules/localfiles.vcl
   trunk/varnish-tools/security.vcl/vcl/modules/php.vcl
   trunk/varnish-tools/security.vcl/vcl/modules/request.vcl
   trunk/varnish-tools/security.vcl/vcl/modules/restricted-file-extensions.vcl
   trunk/varnish-tools/security.vcl/vcl/modules/sql.vcl
   trunk/varnish-tools/security.vcl/vcl/modules/user-agent.vcl
   trunk/varnish-tools/security.vcl/vcl/modules/xss.vcl
Log:
Initial commit of Security.VCL

Added: trunk/varnish-tools/security.vcl/LICENSE
===================================================================
--- trunk/varnish-tools/security.vcl/LICENSE	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/LICENSE	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,339 @@
+		    GNU GENERAL PUBLIC LICENSE
+		       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+			    Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+		    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+			    NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+		     END OF TERMS AND CONDITIONS
+
+	    How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.
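Review bot: the license text's own "How to Apply These Terms" section asks for a per-file notice (`Copyright (C) <year>  <name of author>` plus the "This program is free software" paragraph, or at least the copyright line and a pointer to where the full notice is found), but none of the added files carries one; 2vcl.pl's header has only a date and author, and the README never says the project is GPLv2. Add the copyright line and a reference to LICENSE to each source file, and name the license in the README.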

Added: trunk/varnish-tools/security.vcl/README
===================================================================
--- trunk/varnish-tools/security.vcl/README	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/README	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,70 @@
+Security.VCL
+
+This is work in progress. This was (as is too common) developed internally
+and thrown into a public repository. Use at your own discretion.
+
+=================================
+1. About Security.VCL
+2. Basic usage
+3. The Architecture
+4. Handlers
+=================================
+
+
+1. About Security.VCL
+=====================
+
+Security.VCL aims to provide:
+ - A standardized framework for security-related filters
+ - Several core rule-sets
+ - A tool to generate Security.VCL modules from mod_security rules.
+ - A limited set of default 'handlers', for instance CGI scripts to call
+   upon when Bad Stuff happens.
+
+This is done mainly by using clever VCL, and with as little impact on
+normal operation as possible. The incident handlers are mainly CGI-like
+scripts on a backend.
+
+2. Basic usage
+==============
+
+To use Security.VCL, you currently have to:
+
+$ cd vcl/
+$ make
+$ cd ..
+$ cp -a vcl/ /etc/varnish/security.vcl/ 
+ (alternatively you could symlink it, of course).
+
+Then you edit your normal VCL and add this line near the top:
+
+	include "/etc/varnish/security.vcl/main.vcl";
+
+At this point, you should only need to reload your varnish configuration.
+You may have to or want to modify main.vcl to fit your needs. At the
+moment, paths are hardcoded.
+
+3. The Architecture
+===================
+
+Security.VCL currently have two categories of rules: rules generated from
+mod_security, located in vcl/breach/ and our own rules, vcl/modules/.
+
+Security.VCL works by including all modules, then defining a number of
+standard functions. Each module will call sec_sevN, where N is the
+severity, which in turn typically calls error or some other handler.
+
+4. Handlers
+===========
+
+Handlers are still not well developed, but the general concept is that
+Security.VCL either throws an error (vcl_error) of some kind, which can
+potentially redirect the client or do any other synthetic response, or
+Security.VCL can rewrite the original request and send it to a backend
+designed to do more clever things, like:
+
+- Block the client in a firewall
+- Log the event
+- Test-run the code.
+- Paint you a pretty picture....
+- ....
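Review bot: section 2 tells the user to add the include "near the top" without saying why, and the reason matters: the generated VCL defines its own `sub vcl_recv` (2vcl.pl emits `sub vcl_recv {` and `set req.http.X-Sec-Module = "2vcl";`), and Varnish concatenates same-named subs in the order they are defined, so if the user's vcl_recv comes first and returns (pass/lookup/pipe) for a request, none of the security checks run for it. State the ordering requirement explicitly instead of "near the top". Section 3 should also say where `sec_sev1`..`sec_sevN` are defined (main.vcl?) and which severities exist, since the converter only ever emits `call sec_sev1;` and both `$DEFAULT_ACTION` and `$DENY_ACTION` map to it, and section 4 should list the `X-Sec-*` request headers the modules set (`X-Sec-Return`, `X-Sec-Severity`, `X-Sec-RuleName`, `X-Sec-RuleInfo`), because a backend handler has nothing else to act on.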

Added: trunk/varnish-tools/security.vcl/tools/2vcl.pl
===================================================================
--- trunk/varnish-tools/security.vcl/tools/2vcl.pl	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/tools/2vcl.pl	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,380 @@
+#!/usr/bin/perl
+#
+# 2009-08-04 Kacper Wysocki <kwy at redpill-linpro.com>
+#
+# Usage: 2vcl.pl foo.conf > bar.vcl
+# 
+# Unsupported variables:
+#   REQUEST_LINE
+# X-Sec-VCL-mod
+use strict;
+
+# kill newlines and leading spaces
+our $TABLEVEL = 0;
+our $TABSIZE = 3;
+our $TABCHAR = ' ';
+our $DEFAULT_ACTION = q(call sec_sev1;);
+our $DENY_ACTION = q(call sec_sev1;);
+
+our $DEBUG = 0;
+
+# don't touch these, eh?
+
+# ".*?\\".*?[^\\]"
+# 
+
+my $re_vararg = '[\w_-\d\:\/\*&!\|\'()^$]+';
+#my $re_op = q("[^\\"]*(\\.[^\\"]*)*"|[^\s"']+|'[^\\']*(\\.[^\\']*)*');#|"[^"]*"|'[^']*');
+my $re_op = qq(".*?[^\\\\]"|[^\s"']|'.*?[^\\\\]');
+my $re_var = '[\w_\d]+';
+#my $re_arg = ':[\w\d\*\/\|\'\-()\^\$]+';
+my $re_arg = q(:'.+?[^\\\\]'|:[\w\d\*\/\|\-()\^\$]+);
+my $re_num = q('?(\d*)'?);
+
+sub skip_rule {
+   my ($var, $func, $arg) = @_;
+   # this is an expression that returns true or false
+   $var =~ /^(XML|                 # XML body parse
+              WEBSERVER_ERROR_LOG| # errorlog something
+              REQUEST_BODY|        # raw body
+              REQUEST_LINE|        # whole HTTP request
+              REQBODY_PROCESSOR|   # body parse error
+              REMOTE_HOST|         # we don't resolve
+              REMOTE_ADDR|         # we don't resolve
+              RESPONSE_            # any response logic
+             )/x or $func =~ 
+      /validate(UrlEncoding|ByteRange)|lt|le|gt|ge|eq|ne|pm/x or
+      ($var eq 'REQUEST_HEADERS' and not $arg)
+}
+sub emit {
+   my $out = join " ", @_;
+   print $TABCHAR x ($TABLEVEL * $TABSIZE) . qq($out\n);
+}
+# indent more
+sub memit {
+   $TABLEVEL++;
+   emit @_;
+}
+# indent less
+sub lemit {
+   $TABLEVEL--;
+   emit @_;
+}
+# indent after
+sub aemit {
+   emit @_;
+   $TABLEVEL++;
+}
+
+sub killnil {
+   s/^\s*(.*)\n?$/\1/;
+}
+
+# skip empty lines and comments
+sub skip_line {
+   while($_ and /^\s*#?\s*$/){
+      $_ = <>;
+      chomp;
+   }
+}
+
+sub normalize_line {
+   killnil;
+   # normalize line: join escaped multilines
+   while(/\\$/){
+         chop;
+         $_ .= <>;
+         killnil;
+   }
+}
+
+sub parse_input {
+   aemit q(sub vcl_recv {);
+   emit     q(set req.http.X-Sec-Module = "2vcl";);
+
+   while(<>){
+      parse_line();
+      # I monk around with <>, so we gots to recheck eof
+      last if eof;
+   }
+   lemit qq(}\n);
+}
+
+sub parse_line {
+   skip_line;
+   normalize_line;
+   # Syntax: SecRule VARIABLES OPERATOR [ACTIONS]
+   if(/^SecRule\s*("?$re_vararg"?)\s*($re_op)\s*(.*)?$/){
+      my ($vars, $ops, $actions) = ($1, $2, $3);
+      print STDERR "# line: VAR: $vars\n#OP: $ops\n#ACT: $actions\n" if $DEBUG == 2;
+      #emit "# line: VAR: $vars\n#OP: $ops\n#ACT: $actions\n";
+      parse_secrule($vars,$ops,$actions);
+   }elsif(/^SecRule\s*($re_vararg)\s*/){
+      print STDERR "#2 Rule fell thru cracks: $_\n";
+   }elsif(/^SecRule/){
+      print STDERR "#3 Rule fell thru cracks: $_\n";
+   }
+   # Other rule modifiers / matcher
+}
+
+sub emit_rule {
+   my ($target, $ops, $neg_op, $neg_var, $func, $action) = @_;
+   
+   # pm pmFromFile rbl
+   # validateUrlEncoding/Utf8Encoding verifyCC
+   # within => acl
+   $func = parse_func($func);
+   if($func eq 'beginsWith'){
+      $func = '~';
+      $ops = '^'.$ops;
+   }elsif($func eq 'endsWith'){
+      $func = '~';
+      $ops .= '$';
+   }elsif($func eq 'pm'){
+      # uses funky Aho-Corasick fast collection matching
+      # we could use ACLs here to match on collection
+      $func = '~';
+      #$ops = emit_acl(split / /,$ops);
+      
+      $ops = '('. join "|",split / /,$ops .')';
+   }elsif($func eq 'within'){
+      $func = '~';
+      my $tmp = '('. join "|",split / /,$ops .')';
+      $ops = $target;
+      $target = $tmp;
+   }
+
+   aemit qq(if($neg_op$target $func "$ops"){);
+   emit_action($action,$target,$ops,$neg_op,$neg_var,$func);
+   lemit qq(});
+}
+
+# translate funcs
+sub parse_func {
+   my ($func) = @_;
+   if(not $func or $func eq 'rx') {
+      $func = '~';
+   }elsif($func eq 'eq'){
+      $func = '==';
+   }elsif($func eq 'ge'){
+      $func = '>=';
+   }elsif($func eq 'le'){
+      $func = '<=';
+   }elsif($func eq 'gt'){
+      $func = '>';
+   }elsif($func eq 'lt'){
+      $func = '<';
+   }elsif($func eq 'contains'){
+      $func = '~';
+   }
+   return $func;
+}
+sub parse_secrule {
+   my ($vars, $ops, $actions) = @_;
+
+   # parse OPERATOR (regex default)
+   my $neg_op;
+   my $func;
+   ($func, $ops) = parse_ops($ops);
+   # parse VARIABLES
+   print STDERR ";;$vars;;\n" if $DEBUG == 2;
+
+   my @var = split_vars($vars);
+   #my @var = split /\|/, $vars;
+   for (@var){
+      my ($var, $arg, $neg_var, $amp) = split_args($_);
+      emit "#1 $vars: Var slipped thu: '$_'\n" if not $var;
+
+      # skip this rule if it is not interesting
+      # ie if we can't match for it in VCL yet
+      if(skip_rule($var,$func,$arg) ){
+         print STDERR "skipped $var $func :$arg\n" if $DEBUG == 2;
+         emit qq(# skipped $neg_var $amp $var $func $arg $ops);
+         next;
+      }
+      emit qq(## Rule: $var $func :$arg);
+
+      emit_code($var,$ops,$actions,$func,$arg,$neg_var,$neg_op,$amp);
+   }
+}
+sub split_vars {
+   my ($vars, @var) = @_;
+   $vars =~ s/^"(.*)"$/$1/;
+   while($vars){
+      $vars =~ s/([!&]?(?:$re_var)(?:$re_arg)?)\|?//; # welcome to ehll
+      #print "PUSH $1\n";
+      push @var, $1;
+      #print "#REDUCE :$vars\n";
+   }
+   return @var;
+}
+
+sub split_args {
+   ($_) = @_;
+   my ($neg_var, $amp, $var, $arg) = /(!?)(&?)($re_var)($re_arg)?/;
+   # get rid of :'/(
+   emit qq(## $neg_var$amp$var, $arg);
+   if($arg =~ /:'\/^?\(([^']*)\)\$?\/'/){
+      $arg = $1;
+      emit q(# AA );
+   }elsif($arg =~ /:"\/^?\(([^"]*)\)\$?\/"/){
+      $arg = $1;
+      emit q(# AB );
+   }elsif($arg =~ /:([^'"]+)/){
+      $arg = $1;
+      emit qq(# AC $arg );
+   }
+   return ($var, $arg, $neg_var, $amp);
+}
+
+sub parse_ops {
+   my ($ops) = @_;
+   my $neg;
+   my $func = 'rx'; # regex is the default operator
+   if($ops =~ /^"?(!?)(@?)(.*?[^\\])"?$/){
+      $neg = $1;
+      if($2 eq '@'){
+         ($func, $ops) = split / /,$3,2;
+      }else{
+         $ops = $3;
+      }
+      # translate pcre to posix regex
+      $ops =~ s/\\?%/%25/g;
+      $ops =~ s/\\"/%22/g;
+      $ops =~ s/\(\?:/\(/g;
+      #$ops =~ s/([^\\])([\{\}])/$1\\$2/g;
+      #print "OP: $neg_op\@$func $ops\n";
+   }else{
+      print STDERR "error '$ops'\n$_\n";
+   }
+   return ($func, $ops, $neg);
+}
+
+# Do the dirty deed: map ModSec to vcl
+sub emit_code {
+   my ($var,$ops,$action,$func,$arg,$neg_var,$neg_op,$amp) = @_;
+   my $target;
+   my $status = '800';
+   my $msg = 'Hack attack, try again.';
+   print STDERR "# code VAR: $var\n#OP: $ops\n#ACT: $action\n" if $DEBUG;
+   
+   #emit qq(## $neg_var $amp $var \@$func $arg $ops); # : $actions
+   if($var eq 'REQUEST_HEADERS' and $arg){
+   # Support REQUEST_HEADERS:foo
+      $arg =~ s#^:'/\^\((.*?)\)\$/'#$1#;
+      emit qq(# AAA $arg);
+      my @args = split /\|/,$arg;
+      for(@args){
+         $target = "req.http.$_";
+         emit_rule($target,$ops,$neg_op,$neg_var,$func,$action);
+      }
+   }elsif($var =~/^ARGS/){ # ARGS, ARGS_NAMES, ARGS_GET etc..
+      # XXX ARGS should only apply to param _values_ ?p=v&q=w
+      $target = 'req.url';
+      emit_rule($target,$ops,$neg_op,$neg_var,$func,$action);
+   }else{
+      if($var =~ /^(REQUEST_URI_RAW|REQUEST_URI)$/){
+         $target = 'req.url';
+      }elsif($var eq 'REQUEST_METHOD'){
+         $target = "req.request";
+      }elsif($var eq 'REQUEST_PROTOCOL'){
+         $target = "req.proto";
+      }elsif($var eq 'REMOTE_ADDR'){
+         $target = 'client.ip';
+         # More hacks!
+         $ops =~ s/\\|\^|\$//g;
+      }elsif($var =~ /^REQUEST_COOKIES/){
+         $target = 'req.http.Cookie';
+      }elsif($var eq 'REQUEST_FILENAME'){
+         # XXX should be URL minus QUERY
+         $target = 'req.url';
+      }
+
+      if($target){
+         emit_rule($target,$ops,$neg_op,$neg_var,$func,$action);
+      }
+   }
+
+}
+# default action: phase:2,log,auditlog,pass
+# deal with chains!
+sub emit_action {
+   my ($action,$target,$ops,$neg_op,$neg_var,$func) = @_;
+   $action =~ s/^"([^"]*)"$/$1/;
+   #emit "## ACTION $action\n";
+   my @act = split /,/, $action;
+   my ($chain, $phase);
+   my $transforms = ''; #no default xforms
+   my $end = $DEFAULT_ACTION;
+   my $id;
+   for(@act){
+      # APEShiT: The Action Parse Engine Short Circuit
+      # Warning! An expression must return TRUE
+      # to stop matching the next 'or' clause.
+      # In particular, assigments return the assigned value
+      # which is FALSE if it is an empty string
+      /phase:(\d*)/ and $phase = $1 or
+      /chain/ and $chain = 1 or
+      /status:$re_num/ and 
+         emit qq(set req.http.X-Sec-Return = "$1";) or
+      /severity:'?(\d*)'/ and 
+         emit qq(set req.http.X-Sec-Severity = "$1";) or
+      /id:$re_num/ and
+         $id = $1 or
+      /rev:$re_num/ and
+         $id .= "-$1" or
+      /tag:'([^']*)'/ and 
+         emit qq(set req.http.X-Sec-RuleName = "$1";) or
+      /msg:'([^']*)'/ and
+         emit qq(set req.http.X-Sec-RuleInfo = "$1";) or
+      /t:none/ and
+         $transforms = '' or 1 or
+      /t:(.*)/ and
+         $transforms .= "$1;" or
+      /allow:phase/ and
+         emit qq(# should last in this phase..) and 
+         emit qq(deliver;) or
+      /allow:request/ and
+         emit qq(# skip to RESPONSE_HEADERS..) and
+         emit qq(deliver;) or
+      /allow/ and emit qq(deliver;) or
+
+      /(audit)?log(.*)/ and emit qq(# $1log$2 this plz) or
+      /block/ and 
+         $end = $DEFAULT_ACTION or
+      /deny/ and 
+         $end = $DENY_ACTION or
+      /drop/ and 
+         emit qq(# send a FIN and drop) and
+         $end = $DENY_ACTION or
+      /pass/ and
+         emit qq(# pass to next rule) and $end = '' or
+      /skip:$re_num/ and
+         emit qq(# rule action skips next $1 rules!) or
+      /skipAfter:$re_num/ and
+         emit qq(# rule action skips after id/marker $1) or
+      /pause:(.*)/ and
+         emit qq(# sleep $1) or
+      /proxy:(.*)/ and
+         emit qq(# proxy to host: $1) or
+      /redirect:(.*)/ and
+         emit qq(# redirect to $1) or 
+      /exec:(.*)/ and emit qq(# exec $1) or
+      /capture/ and emit qq(# capture action) or
+      /ctl:(.*)/ and emit qq(# ctl:$1) or
+      /(pre|ap)pend:(.*)/ and emit qq(# body $1pend $2) or
+      emit qq(# action : $_)
+   }
+   if($id){
+      emit qq(set req.http.X-Sec-RuleId = "$id";);
+   }
+   emit qq(# transforms: $transforms) if $transforms;
+   if($chain){
+      emit qq(# chained rule);
+      $end = '';
+      $_ = ''; parse_line;
+   }
+   emit $end if $end;
+}
+
+parse_input;
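Review bot: the `or`-chain in emit_action short-circuits at `/t:none/ and $transforms = '' or 1 or`: `and` binds tighter than `or`, so this reads as `((/t:none/ and $transforms = '') or 1) or ...`, which is always true, and no action token that fails the earlier tests ever reaches the `t:`, `allow`, `block`, `deny`, `drop` or `pass` branches; `$end` therefore always stays at `$DEFAULT_ACTION`. The generated modules in this commit confirm it: every rule ends in the same `call sec_sev1;`, and no `# transforms:` or `# action :` line is ever emitted although the CRS rules carry `t:lowercase` and `deny`. Parenthesise the intended group, e.g. `/t:none/ and (($transforms = '') or 1) or`, or drop the `or 1` and assign through a helper that returns true. The same modules also show negated CRS operators emitted as plain `~`, so however emit_rule consumes `$neg_op` and `$neg_var` (not visible here) needs the same attention, and the `$_ = ''; parse_line;` chain handling deserves a comment explaining why the next line is parsed from inside the action parser.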


Property changes on: trunk/varnish-tools/security.vcl/tools/2vcl.pl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/varnish-tools/security.vcl/tools/all2vcl.sh
===================================================================
--- trunk/varnish-tools/security.vcl/tools/all2vcl.sh	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/tools/all2vcl.sh	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,8 @@
+#!/bin/sh
+for i in modsecurity-apache_2.5.9/rules/modsecurity_crs_[2345]*
+do 
+   v=`basename $i`
+   v=${v#modsecurity_crs_}
+   echo $v
+   ./tools/2vcl.pl $i > vcl/breach/${v%.conf}.vcl
+done
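Review bot: the loop reports success even when a conversion fails: `./tools/2vcl.pl $i > vcl/breach/${v%.conf}.vcl` truncates the target before 2vcl.pl runs, so a Perl error leaves an empty or half-written module that the Makefile will include without complaint, and when the glob matches nothing (no `modsecurity-apache_2.5.9/rules/` directory) the loop runs once with the literal pattern. Add `set -e`, write to a temporary file and `mv` it into place only on success, quote `"$i"`, and take the CRS directory as an argument instead of hardcoding the 2.5.9 path.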


Property changes on: trunk/varnish-tools/security.vcl/tools/all2vcl.sh
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/varnish-tools/security.vcl/tools/check_variables
===================================================================
--- trunk/varnish-tools/security.vcl/tools/check_variables	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/tools/check_variables	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,24 @@
+#!/bin/bash
+# 
+# Braindead script to verify that all X-SEC-VCL-variables are part of
+# VARIABLES.
+
+if [ ! -f VARIABLES ]; then
+	echo 1>&2 "No VARIABLES-file found. Bailing."
+	exit 1;
+fi
+
+RET=0
+
+for a in `grep --exclude=variables.vcl 'X-SEC-' *vcl modules/*vcl | sed 's/.*X-SEC/X-SEC/;s/\s.*//;s/\;\s*$//' | sort | uniq`; do 
+	if ! grep -q $a VARIABLES; then
+		echo >&2 "Variable $a found in a module, but not in VARIABLES! Unsafe."
+		grep $a *vcl modules/*vcl | cat 1>&2
+		if [ "x$a" = "xX-SEC-Info" ]; then
+			echo >&2 "Are you sure you didn't mean X-SEC-RuleInfo?"
+		fi
+		RET=1;
+	fi
+done
+
+exit $RET
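Review bot: `grep -q $a VARIABLES` is an unanchored substring match, so a name that is a prefix of a listed one (e.g. `X-SEC-Rule` against `X-SEC-RuleInfo`) passes the check, which defeats the purpose of the script; use `grep -qxF -- "$a" VARIABLES` for an exact whole-line match. The scan is also case-sensitive and limited to `*vcl modules/*vcl`: the 2vcl-generated modules under `breach/` set `X-Sec-Return`, `X-Sec-RuleId` and friends with a different case, so none of them are checked against VARIABLES even though Varnish treats header names case-insensitively; add `breach/*vcl` to the glob and use `grep -i`, or make 2vcl.pl emit the same `X-SEC-` prefix the hand-written modules use.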


Property changes on: trunk/varnish-tools/security.vcl/tools/check_variables
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/varnish-tools/security.vcl/tools/generate_variables
===================================================================
--- trunk/varnish-tools/security.vcl/tools/generate_variables	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/tools/generate_variables	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,27 @@
+#!/bin/bash
+# 
+# Braindead script to generate variables.vcl
+
+
+TARGET=build/variables.vcl
+
+if [ ! -f VARIABLES ]; then
+	echo 1>&2 "No VARIABLES-file found. Bailing."
+	exit 1;
+fi
+
+cat > $TARGET << __EOF__
+/* Autogenerated with $0 at  $(date) 
+ *
+ * Do not modify, modify VARIABLES and rerun $0 instead.
+ */
+
+sub vcl_recv
+{
+__EOF__
+
+grep -Ev '^(#.*|$)' VARIABLES | while read a; do
+	echo "	unset req.http.$a;" >> $TARGET
+done
+
+echo "}" >> $TARGET
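Review bot: nothing validates what goes into `unset req.http.$a;`, so a line such as `X-SEC-Return # comment` in VARIABLES (only whole-line comments are filtered) produces an `unset` that fails at `vcl.load` time; check the value against a header-name pattern such as `[A-Za-z0-9-]+` before emitting it and exit non-zero otherwise. The script also writes `build/variables.vcl` without creating `build/` (the Makefile does it, a standalone run does not), and without `set -e` a failed `cat > $TARGET` still exits 0. The generated header comment should also say where in the include order this `vcl_recv` is meant to run, since Varnish concatenates all `vcl_recv` bodies in order and the unset only has the intended effect at one position (before the rule modules, to discard client-supplied `X-SEC-*` values, or after them, to keep them from reaching the backend).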


Property changes on: trunk/varnish-tools/security.vcl/tools/generate_variables
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/varnish-tools/security.vcl/tools/rule_test
===================================================================
--- trunk/varnish-tools/security.vcl/tools/rule_test	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/tools/rule_test	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,26 @@
+#!/usr/bin/awk -f
+# This thing is quite ugly, and should probably not be used as-is.
+# Author: Kristian Lyngstol <kristian at redpill-linpro.com>
+/\/\/TEST:/ {
+	FS=":"
+	ORS=""
+	print $3 " -Used 'http://localhost:8081"
+	for(n=4; n<=NF; n++) {
+		if (n > 4)
+			print ":"
+		print $n
+	}
+	print "' | grep -q " $2" && echo Rule positive test " $2 " Ok || echo Rule positive test" $2 " FAILED"
+	print "\n"
+} END { print "\n"} BEGIN { FS = ":" }
+/\/\/TESTN:/ {
+	FS=":"
+	ORS=""
+	print $3 " -Used 'http://localhost:8081"
+	for(n=4; n<=NF; n++) {
+		if (n > 4)
+			print ":"
+		print $n
+	}
+	print "' | grep -q " $2" && echo Rule negative test " $2 " FAILED || echo Rule negative test" $2 " Ok"
+} END { print "\n"} BEGIN { FS = ":" }
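Review bot: the generated shell line interpolates the test fields unquoted: `grep -q " $2"` breaks as soon as the expected string contains a space or shell metacharacter, and a URL field containing `'` ends the single-quoted `'http://localhost:8081...'` argument early; emit both inside single quotes with embedded `'` escaped as `'\''`. The `FS=":"` and `ORS=""` assignments inside the actions duplicate the `BEGIN` block (and `FS` set in an action only affects the next record), the second `END`/`BEGIN` pair duplicates the first, and `echo Rule positive test" $2` lacks the space before the id in the FAILED branch. The `localhost:8081` endpoint belongs in a variable (`-v base=...`) so the same tests can run against another instance.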


Property changes on: trunk/varnish-tools/security.vcl/tools/rule_test
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/varnish-tools/security.vcl/tools/varnish_reload
===================================================================
--- trunk/varnish-tools/security.vcl/tools/varnish_reload	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/tools/varnish_reload	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Reload a varnish config
+# Author: Kristian Lyngstol <kristian at linpro.no>
+
+FILE="/etc/varnish/default.vcl"
+
+# Hostname and management port 
+# (defined in /etc/default/varnish or on startup)
+HOSTPORT="localhost:6082" 
+NOW=`date +%s`
+
+error()
+{
+	echo 1>&2 "Failed to reload $FILE."
+	exit 1
+}
+
+varnishadm -T $HOSTPORT vcl.load reload$NOW $FILE || error
+sleep 0.1
+varnishadm -T $HOSTPORT vcl.use reload$NOW || error
+sleep 0.1
+echo Current configs:
+varnishadm -T $HOSTPORT vcl.list
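Review bot: nothing discards the previously active configuration, so `vcl.list` grows by one `reload<epoch>` entry per run and the management process keeps every compiled VCL loaded; read the active name from `vcl.list` before loading and `vcl.discard` it once `vcl.use` succeeds. `error` reports only "Failed to reload", not whether `vcl.load` or `vcl.use` failed, and after a failed `vcl.use` the freshly loaded config is left behind as well. `FILE` and `HOSTPORT` are hardcoded; take them from arguments with these values as defaults. The two `sleep 0.1` calls look like workarounds and deserve a comment saying what they wait for.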


Property changes on: trunk/varnish-tools/security.vcl/tools/varnish_reload
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/varnish-tools/security.vcl/vcl/Makefile
===================================================================
--- trunk/varnish-tools/security.vcl/vcl/Makefile	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/vcl/Makefile	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,40 @@
+# Braindead Makefile. Feel free to improve.
+# Copyright (c) 2009 Redpill Linpro AS
+# Author: Kristian Lyngstol <kristian at redpill-linpro.com
+# 
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+# Basic logic:
+#  build/variables.vcl and VARIABLES allows us to do easy testing of
+#  whether we properly clean up (aka: check). Ruletest is fairly dirty.
+
+all: build/variables.vcl check
+
+check:
+	@../tools/check_variables
+	@echo "Check passed: No unknown variables found"
+
+ruletest:
+	@../tools/rule_test */*vcl| bash
+
+clean:
+	rm -r build
+
+build/variables.vcl: VARIABLES
+	@mkdir -p build
+	@echo -n "Generating build/variables.vcl: "
+	@../tools/generate_variables
+	@echo "done"
+
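Review bot: `check`, `ruletest` and `clean` are not declared `.PHONY`, so a file named `check` in the directory silently disables the variable check; add `.PHONY: all check ruletest clean`. `clean` uses `rm -r build`, which fails when `build/` does not exist (use `rm -rf`), and `@echo -n` is not portable across `/bin/sh` implementations (use `printf`). `ruletest` feeds `*/*vcl` to rule_test, which includes `breach/`, while `check_variables` scans only `*vcl modules/*vcl`; the two targets should agree on which modules are in scope. The author line is also missing its closing `>`.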

Added: trunk/varnish-tools/security.vcl/vcl/breach/20_protocol_violations.vcl
===================================================================
--- trunk/varnish-tools/security.vcl/vcl/breach/20_protocol_violations.vcl	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/vcl/breach/20_protocol_violations.vcl	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,151 @@
+sub vcl_recv {
+   set req.http.X-Sec-Module = "2vcl";
+   ## REQUEST_LINE, 
+   # skipped   REQUEST_LINE rx  ^(([a-z]{3,10}\s+(\w{3,7}?://[\w\-\./]*(:\d+)?)?/[^?#]*(\?[^#\s]*)?(#[\S]*)?|connect (\d{1,3}\.){3}\d{1,3}\.?(:\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(\?[^#\s]*)?(#[\S]*)?)$
+   ## REQUEST_HEADERS, :'/(Content-Length|Transfer-Encoding)/'
+   # AA 
+   ## Rule: REQUEST_HEADERS rx :Content-Length|Transfer-Encoding
+   # AAA Content-Length|Transfer-Encoding
+   if(req.http.Content-Length ~ ","){
+      set req.http.X-Sec-Return = "400";
+      set req.http.X-Sec-RuleInfo = "HTTP Request Smuggling Attack.";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/REQUEST_SMUGGLING";
+      set req.http.X-Sec-Severity = "1";
+      set req.http.X-Sec-RuleId = "950012";
+      call sec_sev1;
+   }
+   if(req.http.Transfer-Encoding ~ ","){
+      set req.http.X-Sec-Return = "400";
+      set req.http.X-Sec-RuleInfo = "HTTP Request Smuggling Attack.";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/REQUEST_SMUGGLING";
+      set req.http.X-Sec-Severity = "1";
+      set req.http.X-Sec-RuleId = "950012";
+      call sec_sev1;
+   }
+   ## REQBODY_PROCESSOR_ERROR, 
+   # skipped   REQBODY_PROCESSOR_ERROR eq  0
+   ## REQUEST_HEADERS, :Content-Length
+   # AC Content-Length 
+   ## Rule: REQUEST_HEADERS rx :Content-Length
+   # AAA Content-Length
+   if(req.http.Content-Length ~ "^\d+$"){
+      set req.http.X-Sec-Return = "400";
+      set req.http.X-Sec-RuleInfo = "Content-Length HTTP header is not numeric";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleName = "PROTOCOL_VIOLATION/INVALID_HREQ";
+      set req.http.X-Sec-RuleId = "960016";
+      call sec_sev1;
+   }
+   ## REQUEST_METHOD, 
+   ## Rule: REQUEST_METHOD rx :
+   if(req.request ~ "^(GET|HEAD)$"){
+      set req.http.X-Sec-Return = "400";
+      set req.http.X-Sec-RuleInfo = "GET or HEAD requests with bodies";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleName = "PROTOCOL_VIOLATION/EVASION";
+      set req.http.X-Sec-RuleId = "960011";
+      # chained rule
+   }
+   ## REQUEST_HEADERS, :Content-Length
+   # AC Content-Length 
+   ## Rule: REQUEST_HEADERS rx :Content-Length
+   # AAA Content-Length
+   if(req.http.Content-Length ~ "^0?$"){
+      call sec_sev1;
+   }
+   ## REQUEST_METHOD, 
+   ## Rule: REQUEST_METHOD rx :
+   if(req.request ~ "^POST$"){
+      set req.http.X-Sec-Return = "400";
+      set req.http.X-Sec-RuleInfo = "POST request must have a Content-Length header";
+      set req.http.X-Sec-RuleName = "PROTOCOL_VIOLATION/EVASION";
+      set req.http.X-Sec-Severity = "4";
+      set req.http.X-Sec-RuleId = "960012";
+      # chained rule
+   }
+   ## &REQUEST_HEADERS, :Content-Length
+   # AC Content-Length 
+   # skipped  & REQUEST_HEADERS eq Content-Length 0
+   ## REQUEST_HEADERS, :Transfer-Encoding
+   # AC Transfer-Encoding 
+   ## Rule: REQUEST_HEADERS rx :Transfer-Encoding
+   # AAA Transfer-Encoding
+   if(req.http.Transfer-Encoding ~ "^$"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "ModSecurity does not support transfer encodings";
+      set req.http.X-Sec-RuleName = "PROTOCOL_VIOLATION/EVASION";
+      set req.http.X-Sec-Severity = "3";
+      set req.http.X-Sec-RuleId = "960013";
+      call sec_sev1;
+   }
+   ## REQUEST_FILENAME, 
+   ## Rule: REQUEST_FILENAME rx :
+   if(req.url ~ "%25u[fF]{2}[0-9a-fA-F]{2}"){
+      set req.http.X-Sec-Return = "400";
+      set req.http.X-Sec-RuleInfo = "Unicode Full/Half Width Abuse Attack Attempt";
+      set req.http.X-Sec-Severity = "4";
+      set req.http.X-Sec-RuleId = "950116";
+      call sec_sev1;
+   }
+   ## ARGS, 
+   ## Rule: ARGS rx :
+   if(req.url ~ "%25u[fF]{2}[0-9a-fA-F]{2}"){
+      set req.http.X-Sec-Return = "400";
+      set req.http.X-Sec-RuleInfo = "Unicode Full/Half Width Abuse Attack Attempt";
+      set req.http.X-Sec-Severity = "4";
+      set req.http.X-Sec-RuleId = "950116";
+      call sec_sev1;
+   }
+   ## ARGS_NAMES, 
+   ## Rule: ARGS_NAMES rx :
+   if(req.url ~ "%25u[fF]{2}[0-9a-fA-F]{2}"){
+      set req.http.X-Sec-Return = "400";
+      set req.http.X-Sec-RuleInfo = "Unicode Full/Half Width Abuse Attack Attempt";
+      set req.http.X-Sec-Severity = "4";
+      set req.http.X-Sec-RuleId = "950116";
+      call sec_sev1;
+   }
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS rx  %25u[fF]{2}[0-9a-fA-F]{2}
+   ## XML, :/*|
+   # AC /*| 
+   # skipped   XML rx /*| %25u[fF]{2}[0-9a-fA-F]{2}
+   ## !REQUEST_HEADERS, :Referer
+   # AC Referer 
+   ## Rule: REQUEST_HEADERS rx :Referer
+   # AAA Referer
+   if(req.http.Referer ~ "%25u[fF]{2}[0-9a-fA-F]{2}"){
+      set req.http.X-Sec-Return = "400";
+      set req.http.X-Sec-RuleInfo = "Unicode Full/Half Width Abuse Attack Attempt";
+      set req.http.X-Sec-Severity = "4";
+      set req.http.X-Sec-RuleId = "950116";
+      call sec_sev1;
+   }
+   ## REQUEST_URI_RAW, 
+   ## Rule: REQUEST_URI_RAW rx :
+   if(req.url ~ "^"){
+      set req.http.X-Sec-Return = "400";
+      set req.http.X-Sec-RuleInfo = "Proxy access attempt";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleName = "PROTOCOL_VIOLATION/PROXY_ACCESS";
+      set req.http.X-Sec-RuleId = "960014";
+      call sec_sev1;
+   }
+   ## REQUEST_FILENAME, 
+   # skipped   REQUEST_FILENAME validateByteRange  1-255
+   ## REQUEST_HEADERS_NAMES, 
+   # skipped   REQUEST_HEADERS_NAMES validateByteRange  1-255
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS validateByteRange  1-255
+   ## !REQUEST_HEADERS, :Referer
+   # AC Referer 
+   # skipped !  REQUEST_HEADERS validateByteRange Referer 1-255
+   ## ARGS, 
+   # skipped   ARGS validateByteRange  1-255
+   ## ARGS_NAMES, 
+   # skipped   ARGS_NAMES validateByteRange  1-255
+   ## REQUEST_HEADERS, :Referer
+   # AC Referer 
+   # skipped   REQUEST_HEADERS validateByteRange Referer 1-255
+}
+
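Review bot: `if(req.url ~ "^"){` (rule 960014, "Proxy access attempt") matches every request, so including this module sets `X-Sec-Return = "400"` and calls `sec_sev1` for all traffic; the CRS pattern lost everything after its anchor during conversion. Several rules also came out inverted: 960016 fires on `req.http.Content-Length ~ "^\d+$"` while its message says "not numeric", and 960013 fires on `Transfer-Encoding ~ "^$"` while claiming transfer encodings are unsupported, because the CRS operators are negated (`!^\d+$`) and the negation did not survive 2vcl. Chained rules are emitted as sibling `if` blocks rather than nested ones, so the `if(req.http.Content-Length ~ "^0?$"){ call sec_sev1; }` tail of 960011 runs for any method, with whatever `X-Sec-*` values the last matching rule left behind. 2vcl.pl should emit `!~` for negated operators, nest the chain body inside its head condition, and mark as skipped any rule whose pattern collapsed to a bare anchor. Whether `\d` and the other PCRE classes used here are accepted depends on the regex engine of the target Varnish build; the module header should state the version it was tested against.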

Added: trunk/varnish-tools/security.vcl/vcl/breach/21_protocol_anomalies.vcl
===================================================================
--- trunk/varnish-tools/security.vcl/vcl/breach/21_protocol_anomalies.vcl	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/vcl/breach/21_protocol_anomalies.vcl	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,105 @@
+sub vcl_recv {
+   set req.http.X-Sec-Module = "2vcl";
+   ## REQUEST_LINE, 
+   # skipped   REQUEST_LINE rx  ^GET /$
+   ## REMOTE_ADDR, 
+   # skipped   REMOTE_ADDR rx  ^127\.0\.0\.1$
+   ## REQUEST_LINE, 
+   # skipped   REQUEST_LINE rx  ^GET / HTTP/1.0$
+   ## REMOTE_ADDR, 
+   # skipped   REMOTE_ADDR rx  ^127\.0\.0\.1$
+   ## REQUEST_HEADERS, :User-Agent
+   # AC User-Agent 
+   ## Rule: REQUEST_HEADERS rx :User-Agent
+   # AAA User-Agent
+   if(req.http.User-Agent ~ "^Apache.*\(internal dummy connection\)$"){
+      call sec_sev1;
+   }
+   ## REQUEST_PROTOCOL, 
+   ## Rule: REQUEST_PROTOCOL rx :
+   if(req.proto ~ "^"){
+      set req.http.X-Sec-RuleInfo = "HTTP/0.9 Request Detected";
+      set req.http.X-Sec-Severity = "4";
+      set req.http.X-Sec-RuleId = "960019";
+      call sec_sev1;
+   }
+   ## &REQUEST_HEADERS, :Host
+   # AC Host 
+   # skipped  & REQUEST_HEADERS eq Host 0
+   ## REQUEST_HEADERS, :Host
+   # AC Host 
+   ## Rule: REQUEST_HEADERS rx :Host
+   # AAA Host
+   if(req.http.Host ~ "^$"){
+      set req.http.X-Sec-RuleInfo = "Request Missing a Host Header";
+      set req.http.X-Sec-RuleName = "PROTOCOL_VIOLATION/MISSING_HEADER";
+      set req.http.X-Sec-Severity = "4";
+      set req.http.X-Sec-RuleId = "960008";
+      call sec_sev1;
+   }
+   ## &REQUEST_HEADERS, :Accept
+   # AC Accept 
+   # skipped  & REQUEST_HEADERS eq Accept 0
+   ## REQUEST_METHOD, 
+   ## Rule: REQUEST_METHOD rx :
+   if(req.request ~ "^OPTIONS$"){
+      call sec_sev1;
+   }
+   ## REQUEST_HEADERS, :Accept
+   # AC Accept 
+   ## Rule: REQUEST_HEADERS rx :Accept
+   # AAA Accept
+   if(req.http.Accept ~ "^$"){
+      set req.http.X-Sec-RuleInfo = "Request Missing an Accept Header";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleName = "PROTOCOL_VIOLATION/MISSING_HEADER";
+      set req.http.X-Sec-RuleId = "960015";
+      # chained rule
+   }
+   ## REQUEST_METHOD, 
+   ## Rule: REQUEST_METHOD rx :
+   if(req.request ~ "^OPTIONS$"){
+      call sec_sev1;
+   }
+   ## &REQUEST_HEADERS, :User-Agent
+   # AC User-Agent 
+   # skipped  & REQUEST_HEADERS eq User-Agent 0
+   ## REQUEST_HEADERS, :User-Agent
+   # AC User-Agent 
+   ## Rule: REQUEST_HEADERS rx :User-Agent
+   # AAA User-Agent
+   if(req.http.User-Agent ~ "^$"){
+      set req.http.X-Sec-RuleInfo = "Request Missing a User Agent Header";
+      set req.http.X-Sec-RuleName = "PROTOCOL_VIOLATION/MISSING_HEADER";
+      set req.http.X-Sec-Severity = "4";
+      set req.http.X-Sec-RuleId = "960009";
+      call sec_sev1;
+   }
+   ## &REQUEST_HEADERS, :Content-Type
+   # AC Content-Type 
+   # skipped  & REQUEST_HEADERS eq Content-Type 0
+   ## REQUEST_HEADERS, :Content-Length
+   # AC Content-Length 
+   ## Rule: REQUEST_HEADERS rx :Content-Length
+   # AAA Content-Length
+   if(req.http.Content-Length ~ "^0$"){
+      call sec_sev1;
+   }
+   ## REQUEST_HEADERS, :Host
+   # AC Host 
+   ## Rule: REQUEST_HEADERS rx :Host
+   # AAA Host
+   if(req.http.Host ~ "^[\d\.]+$"){
+      set req.http.X-Sec-Return = "400";
+      set req.http.X-Sec-RuleInfo = "Host header is a numeric IP address";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleName = "PROTOCOL_VIOLATION/IP_HOST";
+      set req.http.X-Sec-RuleId = "960017";
+      call sec_sev1;
+   }
+   ## RESPONSE_STATUS, 
+   # skipped   RESPONSE_STATUS rx  ^
+   ## WEBSERVER_ERROR_LOG, 
+   # skipped   WEBSERVER_ERROR_LOG rx  !
+}
+
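Review bot: `if(req.proto ~ "^"){` (rule 960019) matches every request and tags all of them as "HTTP/0.9 Request Detected" with severity 4, the same anchor-only collapse as in 20_protocol_violations.vcl. The two `if(req.request ~ "^OPTIONS$"){ call sec_sev1; }` blocks are chain tails whose heads were either skipped (`& REQUEST_HEADERS eq Accept 0`) or emitted as a separate `if`, so an OPTIONS request reaches `sec_sev1` carrying whatever `X-Sec-*` values the preceding rule set, and the `Content-Length ~ "^0$"` tail near the end does the same for every zero-length request. Until chains are nested, 2vcl.pl should skip the whole chain whenever any link in it is skipped.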

Added: trunk/varnish-tools/security.vcl/vcl/breach/23_request_limits.vcl
===================================================================
--- trunk/varnish-tools/security.vcl/vcl/breach/23_request_limits.vcl	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/vcl/breach/23_request_limits.vcl	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,6 @@
+sub vcl_recv {
+   set req.http.X-Sec-Module = "2vcl";
+   ## &ARGS, 
+   # skipped  & ARGS gt  255
+}
+
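Review bot: this module contains no active rule (the single `& ARGS gt 255` rule is skipped because 2vcl has no argument-counting equivalent) yet still sets `X-Sec-Module = "2vcl"` on every request; either leave it out of the build until argument counting exists or replace the body with a comment saying why it is empty, so nobody assumes request limits are being enforced.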

Added: trunk/varnish-tools/security.vcl/vcl/breach/30_http_policy.vcl
===================================================================
--- trunk/varnish-tools/security.vcl/vcl/breach/30_http_policy.vcl	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/vcl/breach/30_http_policy.vcl	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,62 @@
+sub vcl_recv {
+   set req.http.X-Sec-Module = "2vcl";
+   ## REQUEST_METHOD, 
+   ## Rule: REQUEST_METHOD rx :
+   if(req.request ~ "^(((POS|GE)T|OPTIONS|HEAD))$"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "Method is not allowed by policy";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleName = "POLICY/METHOD_NOT_ALLOWED";
+      set req.http.X-Sec-RuleId = "960032";
+      call sec_sev1;
+   }
+   ## REQUEST_METHOD, 
+   ## Rule: REQUEST_METHOD rx :
+   if(req.request ~ "^(get|head|propfind|options)$"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "Request content type is not allowed by policy";
+      set req.http.X-Sec-RuleName = "POLICY/ENCODING_NOT_ALLOWED";
+      set req.http.X-Sec-Severity = "4";
+      set req.http.X-Sec-RuleId = "960010";
+      # chained rule
+   }
+   ## REQUEST_HEADERS, :Content-Type
+   # AC Content-Type 
+   ## Rule: REQUEST_HEADERS rx :Content-Type
+   # AAA Content-Type
+   if(req.http.Content-Type ~ "(^(application\/x-www-form-urlencoded(;(\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)"){
+      call sec_sev1;
+   }
+   ## REQUEST_PROTOCOL, 
+   ## Rule: REQUEST_PROTOCOL rx :
+   if(req.proto ~ "^HTTP/(0\.9|1\.[01])$"){
+      set req.http.X-Sec-Return = "505";
+      set req.http.X-Sec-RuleInfo = "HTTP protocol version is not allowed by policy";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleName = "POLICY/PROTOCOL_NOT_ALLOWED";
+      set req.http.X-Sec-RuleId = "960034";
+      call sec_sev1;
+   }
+   ## REQUEST_BASENAME, 
+   ## Rule: REQUEST_BASENAME rx :
+   ## REQUEST_HEADERS_NAMES, 
+   ## Rule: REQUEST_HEADERS_NAMES rx :
+   ## REQUEST_HEADERS, :Content-Encoding
+   # AC Content-Encoding 
+   ## Rule: REQUEST_HEADERS rx :Content-Encoding
+   # AAA Content-Encoding
+   if(req.http.Content-Encoding ~ "^Identity$"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "ModSecurity does not support content encodings";
+      set req.http.X-Sec-Severity = "3";
+      set req.http.X-Sec-RuleId = "960902";
+      call sec_sev1;
+   }
+   ## RESPONSE_HEADERS, :Content-Encoding
+   # AC Content-Encoding 
+   # skipped   RESPONSE_HEADERS rx Content-Encoding ^Identity$
+   ## &GLOBAL, :alerted_960903_compression
+   # AC alerted_960903_compression 
+   # skipped  & GLOBAL eq alerted_960903_compression 0
+}
+
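Review bot: this module enforces the opposite of the policy: 960032 returns 501 "Method is not allowed" for `^(((POS|GE)T|OPTIONS|HEAD))$`, i.e. exactly the allowed methods, and 960034 returns 505 for `^HTTP/(0\.9|1\.[01])$`, i.e. every valid protocol version, because the CRS operators are negated (`!^...$`) and the negation was dropped; the `Content-Encoding ~ "^Identity$"` rule (960902) is inverted the same way. Rule 960010 compares `req.request` against the lowercase `^(get|head|propfind|options)$` after its `t:lowercase` transform was lost, so its head never matches, while its chain tail `if(req.http.Content-Type ~ "(^(application\/x-www-form-urlencoded...` runs on its own and calls `sec_sev1` for every ordinary form post. Emit `!~` for negated operators and nest chain tails before this module is included anywhere.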

Added: trunk/varnish-tools/security.vcl/vcl/breach/35_bad_robots.vcl
===================================================================
--- trunk/varnish-tools/security.vcl/vcl/breach/35_bad_robots.vcl	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/vcl/breach/35_bad_robots.vcl	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,58 @@
+sub vcl_recv {
+   set req.http.X-Sec-Module = "2vcl";
+   ## REQUEST_HEADERS, :User-Agent
+   # AC User-Agent 
+   ## Rule: REQUEST_HEADERS rx :User-Agent
+   # AAA User-Agent
+   if(req.http.User-Agent ~ "(\b(m(ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(-stealth|sauditor|essus|ikto)|b(lack ?widow|rutus|ilbo)|(jaascoi|paro)s|webinspect|\.nasl)"){
+      set req.http.X-Sec-Return = "404";
+      set req.http.X-Sec-RuleInfo = "Request Indicates a Security Scanner Scanned the Site";
+      set req.http.X-Sec-RuleName = "AUTOMATION/SECURITY_SCANNER";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "990002";
+      call sec_sev1;
+   }
+   ## REQUEST_HEADERS_NAMES, 
+   ## Rule: REQUEST_HEADERS_NAMES rx :
+   ## REQUEST_FILENAME, 
+   ## Rule: REQUEST_FILENAME rx :
+   if(req.url ~ "^/nessustest"){
+      set req.http.X-Sec-Return = "404";
+      set req.http.X-Sec-RuleInfo = "Request Indicates a Security Scanner Scanned the Site";
+      set req.http.X-Sec-RuleName = "AUTOMATION/SECURITY_SCANNER";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "990902";
+      call sec_sev1;
+   }
+   ## REQUEST_HEADERS, :User-Agent
+   # AC User-Agent 
+   ## Rule: REQUEST_HEADERS rx :User-Agent
+   # AAA User-Agent
+   if(req.http.User-Agent ~ "(e(mail((collec|harves|magne)t|( extracto|reape)r|siphon|wolf)|(collecto|irgrabbe)r|xtractorpro|o browse)|m(ozilla\/4\.0 \(compatible; advanced email extractor|ailto:craftbot\@yahoo\.com)|a(t(tache|hens)|utoemailspider|dsarobot)|w(eb(emailextrac| by mail)|3mir)|f(astlwspider|loodgate)|p(cbrowser|ackrat|surf)|(digout4uagen|takeou)t|\bdatacha0s\b|hhjhj at yahoo|chinaclaw|rsync|shai|zeus)"){
+      set req.http.X-Sec-Return = "404";
+      set req.http.X-Sec-RuleInfo = "Rogue web site crawler";
+      set req.http.X-Sec-RuleName = "AUTOMATION/MALICIOUS";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "990012";
+      call sec_sev1;
+   }
+   ## REQUEST_HEADERS, :User-Agent
+   # AC User-Agent 
+   ## Rule: REQUEST_HEADERS rx :User-Agent
+   # AAA User-Agent
+   if(req.http.User-Agent ~ "(\b((indy librar|snoop)y|microsoft url control|lynx)\b|mozilla\/2\.0 \(compatible; newt activex; win32\)|w(3mirror|get)|download demon|l(ibwww|wp)|p(avuk|erl)|big brother|autohttp|netants|eCatch|curl)"){
+      set req.http.X-Sec-RuleInfo = "Request Indicates an automated program explored the site";
+      set req.http.X-Sec-RuleName = "AUTOMATION/MISC";
+      set req.http.X-Sec-Severity = "5";
+      set req.http.X-Sec-RuleId = "990011";
+      # chained rule
+   }
+   ## REQUEST_HEADERS, :User-Agent
+   # AC User-Agent 
+   ## Rule: REQUEST_HEADERS rx :User-Agent
+   # AAA User-Agent
+   if(req.http.User-Agent ~ "^apache.*perl"){
+      call sec_sev1;
+   }
+}
+
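Review bot: the User-Agent patterns are lowercase (`mozilla\/4\.0 \(compatible\)`, `nessus`, `nikto`) but nothing lowercases `req.http.User-Agent` first; the CRS rules rely on `t:lowercase`, which 2vcl.pl does not carry over, so an agent that capitalises its name (e.g. `Mozilla/4.0 (compatible)`) passes 990002 and 990012 untouched. Rule 990011 is a chain whose tail `if(req.http.User-Agent ~ "^apache.*perl"){ call sec_sev1; }` is emitted as a sibling, so the values set by its head are only acted on when the tail matches by itself. Either emit the patterns with a case-insensitive flag or lowercase the subject in a copy header first, and note in the module that `\b` needs a PCRE-backed Varnish build. The `hhjhj at yahoo` fragment in 990012 looks like the list archive's address obfuscation rather than the committed regex; worth confirming against the file in the repository.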

Added: trunk/varnish-tools/security.vcl/vcl/breach/40_generic_attacks.vcl
===================================================================
--- trunk/varnish-tools/security.vcl/vcl/breach/40_generic_attacks.vcl	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/vcl/breach/40_generic_attacks.vcl	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,873 @@
+sub vcl_recv {
+   set req.http.X-Sec-Module = "2vcl";
+   ## REQUEST_FILENAME, 
+   # skipped   REQUEST_FILENAME pm  set-cookie .cookie
+   ## ARGS, 
+   # skipped   ARGS pm  set-cookie .cookie
+   ## ARGS_NAMES, 
+   # skipped   ARGS_NAMES pm  set-cookie .cookie
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS pm  set-cookie .cookie
+   ## XML, :/*|
+   # AC /*| 
+   # skipped   XML pm /*| set-cookie .cookie
+   ## !REQUEST_HEADERS, :Referer
+   # AC Referer 
+   # skipped !  REQUEST_HEADERS pm Referer set-cookie .cookie
+   ## REQUEST_FILENAME, 
+   ## Rule: REQUEST_FILENAME rx :
+   if(req.url ~ "(\.cookie\b.*?;\W*?(expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)"){
+      set req.http.X-Sec-RuleInfo = "Session Fixation";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SESSION_FIXATION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950009";
+      call sec_sev1;
+   }
+   ## ARGS, 
+   ## Rule: ARGS rx :
+   if(req.url ~ "(\.cookie\b.*?;\W*?(expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)"){
+      set req.http.X-Sec-RuleInfo = "Session Fixation";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SESSION_FIXATION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950009";
+      call sec_sev1;
+   }
+   ## ARGS_NAMES, 
+   ## Rule: ARGS_NAMES rx :
+   if(req.url ~ "(\.cookie\b.*?;\W*?(expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)"){
+      set req.http.X-Sec-RuleInfo = "Session Fixation";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SESSION_FIXATION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950009";
+      call sec_sev1;
+   }
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS rx  (\.cookie\b.*?;\W*?(expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)
+   ## XML, :/*|
+   # AC /*| 
+   # skipped   XML rx /*| (\.cookie\b.*?;\W*?(expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)
+   ## !REQUEST_HEADERS, :Referer
+   # AC Referer 
+   ## Rule: REQUEST_HEADERS rx :Referer
+   # AAA Referer
+   if(req.http.Referer ~ "(\.cookie\b.*?;\W*?(expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)"){
+      set req.http.X-Sec-RuleInfo = "Session Fixation";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SESSION_FIXATION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "959009";
+      call sec_sev1;
+   }
+   ## REQUEST_FILENAME, 
+   # skipped   REQUEST_FILENAME pm  sys.user_triggers sys.user_objects @@spid msysaces instr sys.user_views sys.tab charindex sys.user_catalog constraint_type locate select msysobjects attnotnull sys.user_tables sys.user_tab_columns sys.user_constraints waitfor mysql.user sys.all_tables msysrelationships msyscolumns msysqueries
+   ## ARGS, 
+   # skipped   ARGS pm  sys.user_triggers sys.user_objects @@spid msysaces instr sys.user_views sys.tab charindex sys.user_catalog constraint_type locate select msysobjects attnotnull sys.user_tables sys.user_tab_columns sys.user_constraints waitfor mysql.user sys.all_tables msysrelationships msyscolumns msysqueries
+   ## ARGS_NAMES, 
+   # skipped   ARGS_NAMES pm  sys.user_triggers sys.user_objects @@spid msysaces instr sys.user_views sys.tab charindex sys.user_catalog constraint_type locate select msysobjects attnotnull sys.user_tables sys.user_tab_columns sys.user_constraints waitfor mysql.user sys.all_tables msysrelationships msyscolumns msysqueries
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS pm  sys.user_triggers sys.user_objects @@spid msysaces instr sys.user_views sys.tab charindex sys.user_catalog constraint_type locate select msysobjects attnotnull sys.user_tables sys.user_tab_columns sys.user_constraints waitfor mysql.user sys.all_tables msysrelationships msyscolumns msysqueries
+   ## XML, :/*|
+   # AC /*| 
+   # skipped   XML pm /*| sys.user_triggers sys.user_objects @@spid msysaces instr sys.user_views sys.tab charindex sys.user_catalog constraint_type locate select msysobjects attnotnull sys.user_tables sys.user_tab_columns sys.user_constraints waitfor mysql.user sys.all_tables msysrelationships msyscolumns msysqueries
+   ## !REQUEST_HEADERS, :Referer
+   # AC Referer 
+   # skipped !  REQUEST_HEADERS pm Referer sys.user_triggers sys.user_objects @@spid msysaces instr sys.user_views sys.tab charindex sys.user_catalog constraint_type locate select msysobjects attnotnull sys.user_tables sys.user_tab_columns sys.user_constraints waitfor mysql.user sys.all_tables msysrelationships msyscolumns msysqueries
+   ## REQUEST_FILENAME, 
+   ## Rule: REQUEST_FILENAME rx :
+   if(req.url ~ "(\b((s(ys\.(user_((t(ab(_column|le)|rigger)|object|view)s|c(onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(substring|ascii|user))|m(sys((queri|ac)e|relationship|column|object)s|ysql\.user)|c(onstraint_type|harindex)|waitfor\b\W*?\bdelay|attnotnull)\b|(locate|instr)\W+\()|\@\@spid\b)"){
+      set req.http.X-Sec-RuleInfo = "Blind SQL Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SQL_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950007";
+      call sec_sev1;
+   }
+   ## ARGS, 
+   ## Rule: ARGS rx :
+   if(req.url ~ "(\b((s(ys\.(user_((t(ab(_column|le)|rigger)|object|view)s|c(onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(substring|ascii|user))|m(sys((queri|ac)e|relationship|column|object)s|ysql\.user)|c(onstraint_type|harindex)|waitfor\b\W*?\bdelay|attnotnull)\b|(locate|instr)\W+\()|\@\@spid\b)"){
+      set req.http.X-Sec-RuleInfo = "Blind SQL Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SQL_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950007";
+      call sec_sev1;
+   }
+   ## ARGS_NAMES, 
+   ## Rule: ARGS_NAMES rx :
+   if(req.url ~ "(\b((s(ys\.(user_((t(ab(_column|le)|rigger)|object|view)s|c(onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(substring|ascii|user))|m(sys((queri|ac)e|relationship|column|object)s|ysql\.user)|c(onstraint_type|harindex)|waitfor\b\W*?\bdelay|attnotnull)\b|(locate|instr)\W+\()|\@\@spid\b)"){
+      set req.http.X-Sec-RuleInfo = "Blind SQL Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SQL_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950007";
+      call sec_sev1;
+   }
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS rx  (\b((s(ys\.(user_((t(ab(_column|le)|rigger)|object|view)s|c(onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(substring|ascii|user))|m(sys((queri|ac)e|relationship|column|object)s|ysql\.user)|c(onstraint_type|harindex)|waitfor\b\W*?\bdelay|attnotnull)\b|(locate|instr)\W+\()|\@\@spid\b)
+   ## XML, :/*|
+   # AC /*| 
+   # skipped   XML rx /*| (\b((s(ys\.(user_((t(ab(_column|le)|rigger)|object|view)s|c(onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(substring|ascii|user))|m(sys((queri|ac)e|relationship|column|object)s|ysql\.user)|c(onstraint_type|harindex)|waitfor\b\W*?\bdelay|attnotnull)\b|(locate|instr)\W+\()|\@\@spid\b)
+   ## !REQUEST_HEADERS, :Referer
+   # AC Referer 
+   ## Rule: REQUEST_HEADERS rx :Referer
+   # AAA Referer
+   if(req.http.Referer ~ "(\b((s(ys\.(user_((t(ab(_column|le)|rigger)|object|view)s|c(onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(substring|ascii|user))|m(sys((queri|ac)e|relationship|column|object)s|ysql\.user)|c(onstraint_type|harindex)|waitfor\b\W*?\bdelay|attnotnull)\b|(locate|instr)\W+\()|\@\@spid\b)"){
+      set req.http.X-Sec-RuleInfo = "Blind SQL Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SQL_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "959007";
+      call sec_sev1;
+   }
+   ## REQUEST_FILENAME, 
+   # skipped   REQUEST_FILENAME pm  substr xtype textpos all_objects rownum sysfilegroups sysprocesses user_group sysobjects user_tables systables pg_attribute user_users user_password column_id attrelid user_tab_columns table_name pg_class user_constraints user_objects object_type dba_users sysconstraints mb_users column_name atttypid object_id substring syscat user_ind_columns sysibm syscolumns sysdba object_name
+   ## ARGS, 
+   # skipped   ARGS pm  substr xtype textpos all_objects rownum sysfilegroups sysprocesses user_group sysobjects user_tables systables pg_attribute user_users user_password column_id attrelid user_tab_columns table_name pg_class user_constraints user_objects object_type dba_users sysconstraints mb_users column_name atttypid object_id substring syscat user_ind_columns sysibm syscolumns sysdba object_name
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS pm  substr xtype textpos all_objects rownum sysfilegroups sysprocesses user_group sysobjects user_tables systables pg_attribute user_users user_password column_id attrelid user_tab_columns table_name pg_class user_constraints user_objects object_type dba_users sysconstraints mb_users column_name atttypid object_id substring syscat user_ind_columns sysibm syscolumns sysdba object_name
+   ## XML, :/*|
+   # AC /*| 
+   # skipped   XML pm /*| substr xtype textpos all_objects rownum sysfilegroups sysprocesses user_group sysobjects user_tables systables pg_attribute user_users user_password column_id attrelid user_tab_columns table_name pg_class user_constraints user_objects object_type dba_users sysconstraints mb_users column_name atttypid object_id substring syscat user_ind_columns sysibm syscolumns sysdba object_name
+   ## !REQUEST_HEADERS, :Referer
+   # AC Referer 
+   # skipped !  REQUEST_HEADERS pm Referer substr xtype textpos all_objects rownum sysfilegroups sysprocesses user_group sysobjects user_tables systables pg_attribute user_users user_password column_id attrelid user_tab_columns table_name pg_class user_constraints user_objects object_type dba_users sysconstraints mb_users column_name atttypid object_id substring syscat user_ind_columns sysibm syscolumns sysdba object_name
+   ## REQUEST_FILENAME, 
+   ## Rule: REQUEST_FILENAME rx :
+   if(req.url ~ "\b((s(ys(((process|tabl)e|filegroup|object)s|c(o(nstraint|lumn)s|at)|dba|ibm)|ubstr(ing)?)|user_(((constrain|objec)t|tab(_column|le)|ind_column|user)s|password|group)|a(tt(rel|typ)id|ll_objects)|object_((nam|typ)e|id)|pg_(attribute|class)|column_(name|id)|(dba|mb)_users|xtype\W+\bchar|rownum)\b|t(able_name\b|extpos\W+\())"){
+      set req.http.X-Sec-RuleInfo = "Blind SQL Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SQL_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950904";
+      call sec_sev1;
+   }
+   ## ARGS, 
+   ## Rule: ARGS rx :
+   if(req.url ~ "\b((s(ys(((process|tabl)e|filegroup|object)s|c(o(nstraint|lumn)s|at)|dba|ibm)|ubstr(ing)?)|user_(((constrain|objec)t|tab(_column|le)|ind_column|user)s|password|group)|a(tt(rel|typ)id|ll_objects)|object_((nam|typ)e|id)|pg_(attribute|class)|column_(name|id)|(dba|mb)_users|xtype\W+\bchar|rownum)\b|t(able_name\b|extpos\W+\())"){
+      set req.http.X-Sec-RuleInfo = "Blind SQL Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SQL_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950904";
+      call sec_sev1;
+   }
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS rx  \b((s(ys(((process|tabl)e|filegroup|object)s|c(o(nstraint|lumn)s|at)|dba|ibm)|ubstr(ing)?)|user_(((constrain|objec)t|tab(_column|le)|ind_column|user)s|password|group)|a(tt(rel|typ)id|ll_objects)|object_((nam|typ)e|id)|pg_(attribute|class)|column_(name|id)|(dba|mb)_users|xtype\W+\bchar|rownum)\b|t(able_name\b|extpos\W+\())
+   ## XML, :/*|
+   # AC /*| 
+   # skipped   XML rx /*| \b((s(ys(((process|tabl)e|filegroup|object)s|c(o(nstraint|lumn)s|at)|dba|ibm)|ubstr(ing)?)|user_(((constrain|objec)t|tab(_column|le)|ind_column|user)s|password|group)|a(tt(rel|typ)id|ll_objects)|object_((nam|typ)e|id)|pg_(attribute|class)|column_(name|id)|(dba|mb)_users|xtype\W+\bchar|rownum)\b|t(able_name\b|extpos\W+\())
+   ## !REQUEST_HEADERS, :Referer
+   # AC Referer 
+   ## Rule: REQUEST_HEADERS rx :Referer
+   # AAA Referer
+   if(req.http.Referer ~ "\b((s(ys(((process|tabl)e|filegroup|object)s|c(o(nstraint|lumn)s|at)|dba|ibm)|ubstr(ing)?)|user_(((constrain|objec)t|tab(_column|le)|ind_column|user)s|password|group)|a(tt(rel|typ)id|ll_objects)|object_((nam|typ)e|id)|pg_(attribute|class)|column_(name|id)|(dba|mb)_users|xtype\W+\bchar|rownum)\b|t(able_name\b|extpos\W+\())"){
+      set req.http.X-Sec-RuleInfo = "Blind SQL Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SQL_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "959904";
+      call sec_sev1;
+   }
+   ## REQUEST_FILENAME, 
+   # skipped   REQUEST_FILENAME pm  insert xp_enumdsn infile openrowset nvarchar autonomous_transaction print data_type or outfile inner shutdown tbcreator @@version xp_filelist sp_prepare sql_longvarchar xp_regenumkeys xp_loginconfig xp_dirtree ifnull sp_addextendedproc xp_regaddmultistring delete sp_sqlexec and sp_oacreate sp_execute cast xp_ntsec xp_regdeletekey drop varchar xp_execresultset having utl_file xp_regenumvalues xp_terminate xp_availablemedia xp_regdeletevalue dumpfile isnull sql_variant select 'sa' xp_regremovemultistring xp_makecab 'msdasql' xp_cmdshell openquery sp_executesql 'sqloledb' dbms_java 'dbo' utl_http sp_makewebtask benchmark xp_regread xp_regwrite
+   ## ARGS, 
+   # skipped   ARGS pm  insert xp_enumdsn infile openrowset nvarchar autonomous_transaction print data_type or outfile inner shutdown tbcreator @@version xp_filelist sp_prepare sql_longvarchar xp_regenumkeys xp_loginconfig xp_dirtree ifnull sp_addextendedproc xp_regaddmultistring delete sp_sqlexec and sp_oacreate sp_execute cast xp_ntsec xp_regdeletekey drop varchar xp_execresultset having utl_file xp_regenumvalues xp_terminate xp_availablemedia xp_regdeletevalue dumpfile isnull sql_variant select 'sa' xp_regremovemultistring xp_makecab 'msdasql' xp_cmdshell openquery sp_executesql 'sqloledb' dbms_java 'dbo' utl_http sp_makewebtask benchmark xp_regread xp_regwrite
+   ## ARGS_NAMES, 
+   # skipped   ARGS_NAMES pm  insert xp_enumdsn infile openrowset nvarchar autonomous_transaction print data_type or outfile inner shutdown tbcreator @@version xp_filelist sp_prepare sql_longvarchar xp_regenumkeys xp_loginconfig xp_dirtree ifnull sp_addextendedproc xp_regaddmultistring delete sp_sqlexec and sp_oacreate sp_execute cast xp_ntsec xp_regdeletekey drop varchar xp_execresultset having utl_file xp_regenumvalues xp_terminate xp_availablemedia xp_regdeletevalue dumpfile isnull sql_variant select 'sa' xp_regremovemultistring xp_makecab 'msdasql' xp_cmdshell openquery sp_executesql 'sqloledb' dbms_java 'dbo' utl_http sp_makewebtask benchmark xp_regread xp_regwrite
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS pm  insert xp_enumdsn infile openrowset nvarchar autonomous_transaction print data_type or outfile inner shutdown tbcreator @@version xp_filelist sp_prepare sql_longvarchar xp_regenumkeys xp_loginconfig xp_dirtree ifnull sp_addextendedproc xp_regaddmultistring delete sp_sqlexec and sp_oacreate sp_execute cast xp_ntsec xp_regdeletekey drop varchar xp_execresultset having utl_file xp_regenumvalues xp_terminate xp_availablemedia xp_regdeletevalue dumpfile isnull sql_variant select 'sa' xp_regremovemultistring xp_makecab 'msdasql' xp_cmdshell openquery sp_executesql 'sqloledb' dbms_java 'dbo' utl_http sp_makewebtask benchmark xp_regread xp_regwrite
+   ## XML, :/*|
+   # AC /*| 
+   # skipped   XML pm /*| insert xp_enumdsn infile openrowset nvarchar autonomous_transaction print data_type or outfile inner shutdown tbcreator @@version xp_filelist sp_prepare sql_longvarchar xp_regenumkeys xp_loginconfig xp_dirtree ifnull sp_addextendedproc xp_regaddmultistring delete sp_sqlexec and sp_oacreate sp_execute cast xp_ntsec xp_regdeletekey drop varchar xp_execresultset having utl_file xp_regenumvalues xp_terminate xp_availablemedia xp_regdeletevalue dumpfile isnull sql_variant select 'sa' xp_regremovemultistring xp_makecab 'msdasql' xp_cmdshell openquery sp_executesql 'sqloledb' dbms_java 'dbo' utl_http sp_makewebtask benchmark xp_regread xp_regwrite
+   ## !REQUEST_HEADERS, :Referer
+   # AC Referer 
+   # skipped !  REQUEST_HEADERS pm Referer insert xp_enumdsn infile openrowset nvarchar autonomous_transaction print data_type or outfile inner shutdown tbcreator @@version xp_filelist sp_prepare sql_longvarchar xp_regenumkeys xp_loginconfig xp_dirtree ifnull sp_addextendedproc xp_regaddmultistring delete sp_sqlexec and sp_oacreate sp_execute cast xp_ntsec xp_regdeletekey drop varchar xp_execresultset having utl_file xp_regenumvalues xp_terminate xp_availablemedia xp_regdeletevalue dumpfile isnull sql_variant select 'sa' xp_regremovemultistring xp_makecab 'msdasql' xp_cmdshell openquery sp_executesql 'sqloledb' dbms_java 'dbo' utl_http sp_makewebtask benchmark xp_regread xp_regwrite
+   ## REQUEST_FILENAME, 
+   ## Rule: REQUEST_FILENAME rx :
+   if(req.url ~ "(\b((s(elect\b(.{1,100}?\b((length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(d(ump\b.*\bfrom|ata_type)|(to_(numbe|cha)|inst)r))|p_((addextendedpro|sqlexe)c|(oacreat|prepar)e|execute(sql)?|makewebtask)|ql_(longvarchar|variant))|xp_(reg(re(movemultistring|ad)|delete(value|key)|enum(value|key)s|addmultistring|write)|e(xecresultset|numdsn)|(terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(nion\b.{1,100}?\bselect|tl_(file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(elete\b\W*?\bfrom|bms_java)|load\b\W*?\bdata\b.*\binfile|(n?varcha|tbcreato)r)\b|i(n(to\b\W*?\b(dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(f(\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|a(nd\b ?(\d{1,10}|[\'%22][^=]{1,10}[\'%22]) ?[=<>]+|utonomous_transaction\b)|o(r\b ?(\d{1,10}|[\'%22][^=]{1,10}[\'%22]) ?[=<>]+|pen(rowset|query)\b)|having\b ?(\d{1,10}|[\'%22][^=]{1,10}[\'%22]) ?[=<>]+|print\b\W*?\@\@|cast\b\W*?\()|(;\W*?\b(shutdown|drop)|\@\@version)\b|'(s(qloledb|a)|msdasql|dbo)')"){
+      set req.http.X-Sec-RuleInfo = "SQL Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SQL_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950001";
+      call sec_sev1;
+   }
+   ## ARGS, 
+   ## Rule: ARGS rx :
+   if(req.url ~ "(\b((s(elect\b(.{1,100}?\b((length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(d(ump\b.*\bfrom|ata_type)|(to_(numbe|cha)|inst)r))|p_((addextendedpro|sqlexe)c|(oacreat|prepar)e|execute(sql)?|makewebtask)|ql_(longvarchar|variant))|xp_(reg(re(movemultistring|ad)|delete(value|key)|enum(value|key)s|addmultistring|write)|e(xecresultset|numdsn)|(terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(nion\b.{1,100}?\bselect|tl_(file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(elete\b\W*?\bfrom|bms_java)|load\b\W*?\bdata\b.*\binfile|(n?varcha|tbcreato)r)\b|i(n(to\b\W*?\b(dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(f(\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|a(nd\b ?(\d{1,10}|[\'%22][^=]{1,10}[\'%22]) ?[=<>]+|utonomous_transaction\b)|o(r\b ?(\d{1,10}|[\'%22][^=]{1,10}[\'%22]) ?[=<>]+|pen(rowset|query)\b)|having\b ?(\d{1,10}|[\'%22][^=]{1,10}[\'%22]) ?[=<>]+|print\b\W*?\@\@|cast\b\W*?\()|(;\W*?\b(shutdown|drop)|\@\@version)\b|'(s(qloledb|a)|msdasql|dbo)')"){
+      set req.http.X-Sec-RuleInfo = "SQL Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SQL_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950001";
+      call sec_sev1;
+   }
+   ## ARGS_NAMES, 
+   ## Rule: ARGS_NAMES rx :
+   if(req.url ~ "(\b((s(elect\b(.{1,100}?\b((length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(d(ump\b.*\bfrom|ata_type)|(to_(numbe|cha)|inst)r))|p_((addextendedpro|sqlexe)c|(oacreat|prepar)e|execute(sql)?|makewebtask)|ql_(longvarchar|variant))|xp_(reg(re(movemultistring|ad)|delete(value|key)|enum(value|key)s|addmultistring|write)|e(xecresultset|numdsn)|(terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(nion\b.{1,100}?\bselect|tl_(file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(elete\b\W*?\bfrom|bms_java)|load\b\W*?\bdata\b.*\binfile|(n?varcha|tbcreato)r)\b|i(n(to\b\W*?\b(dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(f(\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|a(nd\b ?(\d{1,10}|[\'%22][^=]{1,10}[\'%22]) ?[=<>]+|utonomous_transaction\b)|o(r\b ?(\d{1,10}|[\'%22][^=]{1,10}[\'%22]) ?[=<>]+|pen(rowset|query)\b)|having\b ?(\d{1,10}|[\'%22][^=]{1,10}[\'%22]) ?[=<>]+|print\b\W*?\@\@|cast\b\W*?\()|(;\W*?\b(shutdown|drop)|\@\@version)\b|'(s(qloledb|a)|msdasql|dbo)')"){
+      set req.http.X-Sec-RuleInfo = "SQL Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SQL_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950001";
+      call sec_sev1;
+   }
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS rx  (\b((s(elect\b(.{1,100}?\b((length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(d(ump\b.*\bfrom|ata_type)|(to_(numbe|cha)|inst)r))|p_((addextendedpro|sqlexe)c|(oacreat|prepar)e|execute(sql)?|makewebtask)|ql_(longvarchar|variant))|xp_(reg(re(movemultistring|ad)|delete(value|key)|enum(value|key)s|addmultistring|write)|e(xecresultset|numdsn)|(terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(nion\b.{1,100}?\bselect|tl_(file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(elete\b\W*?\bfrom|bms_java)|load\b\W*?\bdata\b.*\binfile|(n?varcha|tbcreato)r)\b|i(n(to\b\W*?\b(dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(f(\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|a(nd\b ?(\d{1,10}|[\'%22][^=]{1,10}[\'%22]) ?[=<>]+|utonomous_transaction\b)|o(r\b ?(\d{1,10}|[\'%22][^=]{1,10}[\'%22]) ?[=<>]+|pen(rowset|query)\b)|having\b ?(\d{1,10}|[\'%22][^=]{1,10}[\'%22]) ?[=<>]+|print\b\W*?\@\@|cast\b\W*?\()|(;\W*?\b(shutdown|drop)|\@\@version)\b|'(s(qloledb|a)|msdasql|dbo)')
+   ## XML, :/*|
+   # AC /*| 
+   # skipped   XML rx /*| (\b((s(elect\b(.{1,100}?\b((length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(d(ump\b.*\bfrom|ata_type)|(to_(numbe|cha)|inst)r))|p_((addextendedpro|sqlexe)c|(oacreat|prepar)e|execute(sql)?|makewebtask)|ql_(longvarchar|variant))|xp_(reg(re(movemultistring|ad)|delete(value|key)|enum(value|key)s|addmultistring|write)|e(xecresultset|numdsn)|(terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(nion\b.{1,100}?\bselect|tl_(file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(elete\b\W*?\bfrom|bms_java)|load\b\W*?\bdata\b.*\binfile|(n?varcha|tbcreato)r)\b|i(n(to\b\W*?\b(dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(f(\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|a(nd\b ?(\d{1,10}|[\'%22][^=]{1,10}[\'%22]) ?[=<>]+|utonomous_transaction\b)|o(r\b ?(\d{1,10}|[\'%22][^=]{1,10}[\'%22]) ?[=<>]+|pen(rowset|query)\b)|having\b ?(\d{1,10}|[\'%22][^=]{1,10}[\'%22]) ?[=<>]+|print\b\W*?\@\@|cast\b\W*?\()|(;\W*?\b(shutdown|drop)|\@\@version)\b|'(s(qloledb|a)|msdasql|dbo)')
+   ## !REQUEST_HEADERS, :Referer
+   # AC Referer 
+   ## Rule: REQUEST_HEADERS rx :Referer
+   # AAA Referer
+   if(req.http.Referer ~ "(\b((s(elect\b(.{1,100}?\b((length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(d(ump\b.*\bfrom|ata_type)|(to_(numbe|cha)|inst)r))|p_((addextendedpro|sqlexe)c|(oacreat|prepar)e|execute(sql)?|makewebtask)|ql_(longvarchar|variant))|xp_(reg(re(movemultistring|ad)|delete(value|key)|enum(value|key)s|addmultistring|write)|e(xecresultset|numdsn)|(terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(nion\b.{1,100}?\bselect|tl_(file|http))|group\b.*\bby\b.{1,100}?\bhaving|d(elete\b\W*?\bfrom|bms_java)|load\b\W*?\bdata\b.*\binfile|(n?varcha|tbcreato)r)\b|i(n(to\b\W*?\b(dump|out)file|sert\b\W*?\binto|ner\b\W*?\bjoin)\b|(f(\b\W*?\(\W*?\bbenchmark|null\b)|snull\b)\W*?\()|a(nd\b ?(\d{1,10}|[\'%22][^=]{1,10}[\'%22]) ?[=<>]+|utonomous_transaction\b)|o(r\b ?(\d{1,10}|[\'%22][^=]{1,10}[\'%22]) ?[=<>]+|pen(rowset|query)\b)|having\b ?(\d{1,10}|[\'%22][^=]{1,10}[\'%22]) ?[=<>]+|print\b\W*?\@\@|cast\b\W*?\()|(;\W*?\b(shutdown|drop)|\@\@version)\b|'(s(qloledb|a)|msdasql|dbo)')"){
+      set req.http.X-Sec-RuleInfo = "SQL Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SQL_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "959001";
+      call sec_sev1;
+   }
+   ## REQUEST_FILENAME, 
+   ## Rule: REQUEST_FILENAME rx :
+   if(req.url ~ "\b(\d+) ?= ?\1\b|[\'%22](\w+)[\'%22] ?= ?[\'%22]\2\b"){
+      set req.http.X-Sec-RuleInfo = "SQL Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SQL_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950901";
+      call sec_sev1;
+   }
+   ## ARGS, 
+   ## Rule: ARGS rx :
+   if(req.url ~ "\b(\d+) ?= ?\1\b|[\'%22](\w+)[\'%22] ?= ?[\'%22]\2\b"){
+      set req.http.X-Sec-RuleInfo = "SQL Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SQL_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950901";
+      call sec_sev1;
+   }
+   ## ARGS_NAMES, 
+   ## Rule: ARGS_NAMES rx :
+   if(req.url ~ "\b(\d+) ?= ?\1\b|[\'%22](\w+)[\'%22] ?= ?[\'%22]\2\b"){
+      set req.http.X-Sec-RuleInfo = "SQL Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SQL_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950901";
+      call sec_sev1;
+   }
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS rx  \b(\d+) ?= ?\1\b|[\'%22](\w+)[\'%22] ?= ?[\'%22]\2\b
+   ## XML, :/*|
+   # AC /*| 
+   # skipped   XML rx /*| \b(\d+) ?= ?\1\b|[\'%22](\w+)[\'%22] ?= ?[\'%22]\2\b
+   ## !REQUEST_HEADERS, :Referer
+   # AC Referer 
+   ## Rule: REQUEST_HEADERS rx :Referer
+   # AAA Referer
+   if(req.http.Referer ~ "\b(\d+) ?= ?\1\b|[\'%22](\w+)[\'%22] ?= ?[\'%22]\2\b"){
+      set req.http.X-Sec-RuleInfo = "SQL Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SQL_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "959901";
+      call sec_sev1;
+   }
+   ## REQUEST_FILENAME, 
+   # skipped   REQUEST_FILENAME pm  user_objects object_type substr all_objects mb_users column_name rownum atttypid substring object_id user_group user_tables pg_attribute user_users column_id user_password attrelid object_name table_name pg_class
+   ## ARGS, 
+   # skipped   ARGS pm  user_objects object_type substr all_objects mb_users column_name rownum atttypid substring object_id user_group user_tables pg_attribute user_users column_id user_password attrelid object_name table_name pg_class
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS pm  user_objects object_type substr all_objects mb_users column_name rownum atttypid substring object_id user_group user_tables pg_attribute user_users column_id user_password attrelid object_name table_name pg_class
+   ## XML, :/*|
+   # AC /*| 
+   # skipped   XML pm /*| user_objects object_type substr all_objects mb_users column_name rownum atttypid substring object_id user_group user_tables pg_attribute user_users column_id user_password attrelid object_name table_name pg_class
+   ## !REQUEST_HEADERS, :Referer
+   # AC Referer 
+   # skipped !  REQUEST_HEADERS pm Referer user_objects object_type substr all_objects mb_users column_name rownum atttypid substring object_id user_group user_tables pg_attribute user_users column_id user_password attrelid object_name table_name pg_class
+   ## REQUEST_FILENAME, 
+   ## Rule: REQUEST_FILENAME rx :
+   if(req.url ~ "\b(user_((object|table|user)s|password|group)|a(tt(rel|typ)id|ll_objects)|object_((nam|typ)e|id)|pg_(attribute|class)|column_(name|id)|substr(ing)?|table_name|mb_users|rownum)\b"){
+      set req.http.X-Sec-RuleInfo = "SQL Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SQL_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950906";
+      call sec_sev1;
+   }
+   ## ARGS, 
+   ## Rule: ARGS rx :
+   if(req.url ~ "\b(user_((object|table|user)s|password|group)|a(tt(rel|typ)id|ll_objects)|object_((nam|typ)e|id)|pg_(attribute|class)|column_(name|id)|substr(ing)?|table_name|mb_users|rownum)\b"){
+      set req.http.X-Sec-RuleInfo = "SQL Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SQL_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950906";
+      call sec_sev1;
+   }
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS rx  \b(user_((object|table|user)s|password|group)|a(tt(rel|typ)id|ll_objects)|object_((nam|typ)e|id)|pg_(attribute|class)|column_(name|id)|substr(ing)?|table_name|mb_users|rownum)\b
+   ## XML, :/*|
+   # AC /*| 
+   # skipped   XML rx /*| \b(user_((object|table|user)s|password|group)|a(tt(rel|typ)id|ll_objects)|object_((nam|typ)e|id)|pg_(attribute|class)|column_(name|id)|substr(ing)?|table_name|mb_users|rownum)\b
+   ## !REQUEST_HEADERS, :Referer
+   # AC Referer 
+   ## Rule: REQUEST_HEADERS rx :Referer
+   # AAA Referer
+   if(req.http.Referer ~ "\b(user_((object|table|user)s|password|group)|a(tt(rel|typ)id|ll_objects)|object_((nam|typ)e|id)|pg_(attribute|class)|column_(name|id)|substr(ing)?|table_name|mb_users|rownum)\b"){
+      set req.http.X-Sec-RuleInfo = "SQL Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SQL_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "959906";
+      call sec_sev1;
+   }
+   ## REQUEST_FILENAME, 
+   ## Rule: REQUEST_FILENAME rx :
+   if(req.url ~ "\b(coalesce\b|root\@)"){
+      set req.http.X-Sec-RuleInfo = "SQL Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SQL_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950908";
+      call sec_sev1;
+   }
+   ## ARGS, 
+   ## Rule: ARGS rx :
+   if(req.url ~ "\b(coalesce\b|root\@)"){
+      set req.http.X-Sec-RuleInfo = "SQL Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SQL_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950908";
+      call sec_sev1;
+   }
+   ## ARGS_NAMES, 
+   ## Rule: ARGS_NAMES rx :
+   if(req.url ~ "\b(coalesce\b|root\@)"){
+      set req.http.X-Sec-RuleInfo = "SQL Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SQL_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950908";
+      call sec_sev1;
+   }
+   ## !REQUEST_HEADERS, :via
+   # AC via 
+   ## Rule: REQUEST_HEADERS rx :via
+   # AAA via
+   if(req.http.via ~ "\b(coalesce\b|root\@)"){
+      set req.http.X-Sec-RuleInfo = "SQL Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SQL_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950908";
+      call sec_sev1;
+   }
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS rx  \b(coalesce\b|root\@)
+   ## XML, :/*|
+   # AC /*| 
+   # skipped   XML rx /*| \b(coalesce\b|root\@)
+   ## !REQUEST_HEADERS, :Referer|
+   # AC Referer| 
+   ## Rule: REQUEST_HEADERS rx :Referer|
+   # AAA Referer|
+   if(req.http.Referer ~ "\b(coalesce\b|root\@)"){
+      set req.http.X-Sec-RuleInfo = "SQL Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SQL_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "959908";
+      call sec_sev1;
+   }
+   ## !REQUEST_HEADERS, :via
+   # AC via 
+   ## Rule: REQUEST_HEADERS rx :via
+   # AAA via
+   if(req.http.via ~ "\b(coalesce\b|root\@)"){
+      set req.http.X-Sec-RuleInfo = "SQL Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SQL_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "959908";
+      call sec_sev1;
+   }
+   ## REQUEST_FILENAME, 
+   # skipped   REQUEST_FILENAME pm  jscript onsubmit copyparentfolder javascript meta onmove onkeydown onchange onkeyup activexobject expression onmouseup ecmascript onmouseover vbscript: <![cdata[ http: settimeout onabort shell: .innerhtml onmousedown onkeypress asfunction: onclick .fromcharcode background-image: .cookie ondragdrop onblur x-javascript mocha: onfocus javascript: getparentfolder lowsrc onresize @import alert onselect script onmouseout onmousemove background application .execscript livescript: getspecialfolder vbscript iframe .addimport onunload createtextrange onload <input
+   ## ARGS, 
+   # skipped   ARGS pm  jscript onsubmit copyparentfolder javascript meta onmove onkeydown onchange onkeyup activexobject expression onmouseup ecmascript onmouseover vbscript: <![cdata[ http: settimeout onabort shell: .innerhtml onmousedown onkeypress asfunction: onclick .fromcharcode background-image: .cookie ondragdrop onblur x-javascript mocha: onfocus javascript: getparentfolder lowsrc onresize @import alert onselect script onmouseout onmousemove background application .execscript livescript: getspecialfolder vbscript iframe .addimport onunload createtextrange onload <input
+   ## ARGS_NAMES, 
+   # skipped   ARGS_NAMES pm  jscript onsubmit copyparentfolder javascript meta onmove onkeydown onchange onkeyup activexobject expression onmouseup ecmascript onmouseover vbscript: <![cdata[ http: settimeout onabort shell: .innerhtml onmousedown onkeypress asfunction: onclick .fromcharcode background-image: .cookie ondragdrop onblur x-javascript mocha: onfocus javascript: getparentfolder lowsrc onresize @import alert onselect script onmouseout onmousemove background application .execscript livescript: getspecialfolder vbscript iframe .addimport onunload createtextrange onload <input
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS pm  jscript onsubmit copyparentfolder javascript meta onmove onkeydown onchange onkeyup activexobject expression onmouseup ecmascript onmouseover vbscript: <![cdata[ http: settimeout onabort shell: .innerhtml onmousedown onkeypress asfunction: onclick .fromcharcode background-image: .cookie ondragdrop onblur x-javascript mocha: onfocus javascript: getparentfolder lowsrc onresize @import alert onselect script onmouseout onmousemove background application .execscript livescript: getspecialfolder vbscript iframe .addimport onunload createtextrange onload <input
+   ## XML, :/*|
+   # AC /*| 
+   # skipped   XML pm /*| jscript onsubmit copyparentfolder javascript meta onmove onkeydown onchange onkeyup activexobject expression onmouseup ecmascript onmouseover vbscript: <![cdata[ http: settimeout onabort shell: .innerhtml onmousedown onkeypress asfunction: onclick .fromcharcode background-image: .cookie ondragdrop onblur x-javascript mocha: onfocus javascript: getparentfolder lowsrc onresize @import alert onselect script onmouseout onmousemove background application .execscript livescript: getspecialfolder vbscript iframe .addimport onunload createtextrange onload <input
+   ## !REQUEST_HEADERS, :Referer
+   # AC Referer 
+   # skipped !  REQUEST_HEADERS pm Referer jscript onsubmit copyparentfolder javascript meta onmove onkeydown onchange onkeyup activexobject expression onmouseup ecmascript onmouseover vbscript: <![cdata[ http: settimeout onabort shell: .innerhtml onmousedown onkeypress asfunction: onclick .fromcharcode background-image: .cookie ondragdrop onblur x-javascript mocha: onfocus javascript: getparentfolder lowsrc onresize @import alert onselect script onmouseout onmousemove background application .execscript livescript: getspecialfolder vbscript iframe .addimport onunload createtextrange onload <input
+   ## REQUEST_FILENAME, 
+   ## Rule: REQUEST_FILENAME rx :
+   if(req.url ~ "(\b((type\b\W*?\b(text\b\W*?\b(j(ava)?|ecma|vb)|application\b\W*?\bx-(java|vb))script|c(opyparentfolder|reatetextrange)|get(special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on((mo(use(o(ver|ut)|down|move|up)|ve)|key(press|down|up)|c(hange|lick)|s(elec|ubmi)t|(un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(l(owsrc\b\W*?\b((java|vb)script|shell|http)|ivescript)|(href|url)\b\W*?\b((java|vb)script|shell)|background-image|mocha):|s((tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b((java|vb)script|shell|http):)|a(ctivexobject\b|lert\b\W*?\(|sfunction:))|<((body\b.*?\b(backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?((script|meta)\b|iframe)|!\[cdata\[)|(\.((execscrip|addimpor)t|(fromcharcod|cooki)e|innerhtml)|\@import)\b)"){
+      set req.http.X-Sec-RuleInfo = "Cross-site Scripting (XSS) Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/XSS";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950004";
+      call sec_sev1;
+   }
+   ## ARGS, 
+   ## Rule: ARGS rx :
+   if(req.url ~ "(\b((type\b\W*?\b(text\b\W*?\b(j(ava)?|ecma|vb)|application\b\W*?\bx-(java|vb))script|c(opyparentfolder|reatetextrange)|get(special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on((mo(use(o(ver|ut)|down|move|up)|ve)|key(press|down|up)|c(hange|lick)|s(elec|ubmi)t|(un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(l(owsrc\b\W*?\b((java|vb)script|shell|http)|ivescript)|(href|url)\b\W*?\b((java|vb)script|shell)|background-image|mocha):|s((tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b((java|vb)script|shell|http):)|a(ctivexobject\b|lert\b\W*?\(|sfunction:))|<((body\b.*?\b(backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?((script|meta)\b|iframe)|!\[cdata\[)|(\.((execscrip|addimpor)t|(fromcharcod|cooki)e|innerhtml)|\@import)\b)"){
+      set req.http.X-Sec-RuleInfo = "Cross-site Scripting (XSS) Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/XSS";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950004";
+      call sec_sev1;
+   }
+   ## ARGS_NAMES, 
+   ## Rule: ARGS_NAMES rx :
+   if(req.url ~ "(\b((type\b\W*?\b(text\b\W*?\b(j(ava)?|ecma|vb)|application\b\W*?\bx-(java|vb))script|c(opyparentfolder|reatetextrange)|get(special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on((mo(use(o(ver|ut)|down|move|up)|ve)|key(press|down|up)|c(hange|lick)|s(elec|ubmi)t|(un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(l(owsrc\b\W*?\b((java|vb)script|shell|http)|ivescript)|(href|url)\b\W*?\b((java|vb)script|shell)|background-image|mocha):|s((tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b((java|vb)script|shell|http):)|a(ctivexobject\b|lert\b\W*?\(|sfunction:))|<((body\b.*?\b(backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?((script|meta)\b|iframe)|!\[cdata\[)|(\.((execscrip|addimpor)t|(fromcharcod|cooki)e|innerhtml)|\@import)\b)"){
+      set req.http.X-Sec-RuleInfo = "Cross-site Scripting (XSS) Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/XSS";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950004";
+      call sec_sev1;
+   }
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS rx  (\b((type\b\W*?\b(text\b\W*?\b(j(ava)?|ecma|vb)|application\b\W*?\bx-(java|vb))script|c(opyparentfolder|reatetextrange)|get(special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on((mo(use(o(ver|ut)|down|move|up)|ve)|key(press|down|up)|c(hange|lick)|s(elec|ubmi)t|(un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(l(owsrc\b\W*?\b((java|vb)script|shell|http)|ivescript)|(href|url)\b\W*?\b((java|vb)script|shell)|background-image|mocha):|s((tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b((java|vb)script|shell|http):)|a(ctivexobject\b|lert\b\W*?\(|sfunction:))|<((body\b.*?\b(backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?((script|meta)\b|iframe)|!\[cdata\[)|(\.((execscrip|addimpor)t|(fromcharcod|cooki)e|innerhtml)|\@import)\b)
+   ## XML, :/*|
+   # AC /*| 
+   # skipped   XML rx /*| (\b((type\b\W*?\b(text\b\W*?\b(j(ava)?|ecma|vb)|application\b\W*?\bx-(java|vb))script|c(opyparentfolder|reatetextrange)|get(special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on((mo(use(o(ver|ut)|down|move|up)|ve)|key(press|down|up)|c(hange|lick)|s(elec|ubmi)t|(un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(l(owsrc\b\W*?\b((java|vb)script|shell|http)|ivescript)|(href|url)\b\W*?\b((java|vb)script|shell)|background-image|mocha):|s((tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b((java|vb)script|shell|http):)|a(ctivexobject\b|lert\b\W*?\(|sfunction:))|<((body\b.*?\b(backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?((script|meta)\b|iframe)|!\[cdata\[)|(\.((execscrip|addimpor)t|(fromcharcod|cooki)e|innerhtml)|\@import)\b)
+   ## !REQUEST_HEADERS, :Referer
+   # AC Referer 
+   ## Rule: REQUEST_HEADERS rx :Referer
+   # AAA Referer
+   if(req.http.Referer ~ "(\b((type\b\W*?\b(text\b\W*?\b(j(ava)?|ecma|vb)|application\b\W*?\bx-(java|vb))script|c(opyparentfolder|reatetextrange)|get(special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on((mo(use(o(ver|ut)|down|move|up)|ve)|key(press|down|up)|c(hange|lick)|s(elec|ubmi)t|(un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(l(owsrc\b\W*?\b((java|vb)script|shell|http)|ivescript)|(href|url)\b\W*?\b((java|vb)script|shell)|background-image|mocha):|s((tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b((java|vb)script|shell|http):)|a(ctivexobject\b|lert\b\W*?\(|sfunction:))|<((body\b.*?\b(backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b| ?((script|meta)\b|iframe)|!\[cdata\[)|(\.((execscrip|addimpor)t|(fromcharcod|cooki)e|innerhtml)|\@import)\b)"){
+      set req.http.X-Sec-RuleInfo = "Cross-site Scripting (XSS) Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/XSS";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "959004";
+      call sec_sev1;
+   }
+   ## REQUEST_FILENAME, 
+   # skipped   REQUEST_FILENAME pm  .www_acl .htpasswd .htaccess boot.ini httpd.conf /etc/ .htgroup global.asa .wwwacl
+   ## ARGS, 
+   # skipped   ARGS pm  .www_acl .htpasswd .htaccess boot.ini httpd.conf /etc/ .htgroup global.asa .wwwacl
+   ## ARGS_NAMES, 
+   # skipped   ARGS_NAMES pm  .www_acl .htpasswd .htaccess boot.ini httpd.conf /etc/ .htgroup global.asa .wwwacl
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS pm  .www_acl .htpasswd .htaccess boot.ini httpd.conf /etc/ .htgroup global.asa .wwwacl
+   ## XML, :/*
+   # AC /* 
+   # skipped   XML pm /* .www_acl .htpasswd .htaccess boot.ini httpd.conf /etc/ .htgroup global.asa .wwwacl
+   ## REQUEST_FILENAME, 
+   ## Rule: REQUEST_FILENAME rx :
+   if(req.url ~ "(\b(\.(ht(access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "Remote File Access Attempt";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/FILE_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950005";
+      call sec_sev1;
+   }
+   ## ARGS, 
+   ## Rule: ARGS rx :
+   if(req.url ~ "(\b(\.(ht(access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "Remote File Access Attempt";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/FILE_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950005";
+      call sec_sev1;
+   }
+   ## ARGS_NAMES, 
+   ## Rule: ARGS_NAMES rx :
+   if(req.url ~ "(\b(\.(ht(access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "Remote File Access Attempt";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/FILE_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950005";
+      call sec_sev1;
+   }
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS rx  (\b(\.(ht(access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)
+   ## XML, :/*
+   # AC /* 
+   # skipped   XML rx /* (\b(\.(ht(access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)
+   ## REQUEST_FILENAME, 
+   ## Rule: REQUEST_FILENAME rx :
+   if(req.url ~ "\b(n(map|et|c)|w(guest|sh)|cmd(32)?|telnet|rcmd|ftp)\.exe\b"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "System Command Access";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/FILE_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950002";
+      call sec_sev1;
+   }
+   ## ARGS, 
+   # skipped   ARGS pm  uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod cpp telnet cmd32.exe gcc g++
+   ## ARGS, 
+   ## Rule: ARGS rx :
+   if(req.url ~ "(\b((n(et(\b\W+?\blocalgroup|\.exe)|(map|c)\.exe)|t(racer(oute|t)|elnet\.exe|clsh8?|ftp)|(w(guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(md((32)?\.exe\b|\b\W*?\/c)|d(\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b((c(h(grp|mod|own|sh)|md|pp)|p(asswd|ython|erl|ing|s)|n(asm|map|c)|f(inger|tp)|(kil|mai)l|(xte)?rm|ls(of)?|telnet|uname|echo|id)\b|g(\+\+|cc\b))|\/(c(h(grp|mod|own|sh)|pp)|p(asswd|ython|erl|ing|s)|n(asm|map|c)|f(inger|tp)|(kil|mai)l|g(\+\+|cc)|(xte)?rm|ls(of)?|telnet|uname|echo|id)([\'%22\|\;\`\-\s]|$))"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "System Command Injection";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/COMMAND_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950006";
+      call sec_sev1;
+   }
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS pm  uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod cpp telnet cmd32.exe gcc g++
+   ## XML, :/*|
+   # AC /*| 
+   # skipped   XML pm /*| uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod cpp telnet cmd32.exe gcc g++
+   ## !REQUEST_HEADERS, :'/^(Cookie|Referer|X-OS-Prefs)$/'
+   # skipped !  REQUEST_HEADERS pm :'/^(Cookie|Referer|X-OS-Prefs)$/' uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod cpp telnet cmd32.exe gcc g++
+   ## REQUEST_COOKIES, 
+   # skipped   REQUEST_COOKIES pm  uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod cpp telnet cmd32.exe gcc g++
+   ## REQUEST_COOKIES_NAMES, 
+   # skipped   REQUEST_COOKIES_NAMES pm  uname wguest.exe /perl /nasm rcmd.exe nc tclsh /xterm finger tftp chown /echo nmap.exe ping /passwd /chsh ps /uname telnet.exe /ftp ls tclsh8 lsof /ping echo cmd.exe /kill python traceroute /ps perl passwd wsh.exe /rm /cpp chgrp /telnet localgroup kill /chgrp /finger nasm /ls nc.exe id /chmod /nc /g++ /id /chown cmd /nmap chsh /gcc net.exe /python /lsof ftp.exe ftp xterm mail /mail tracert nmap rm cd chmod cpp telnet cmd32.exe gcc g++
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS rx  (\b((n(et(\b\W+?\blocalgroup|\.exe)|(map|c)\.exe)|t(racer(oute|t)|elnet\.exe|clsh8?|ftp)|(w(guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(md((32)?\.exe\b|\b\W*?\/c)|d(\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b((c(h(grp|mod|own|sh)|md|pp)|p(asswd|ython|erl|ing|s)|n(asm|map|c)|f(inger|tp)|(kil|mai)l|(xte)?rm|ls(of)?|telnet|uname|echo|id)\b|g(\+\+|cc\b))|\/(c(h(grp|mod|own|sh)|pp)|p(asswd|ython|erl|ing|s)|n(asm|map|c)|f(inger|tp)|(kil|mai)l|g(\+\+|cc)|(xte)?rm|ls(of)?|telnet|uname|echo|id)([\'%22\|\;\`\-\s]|$))
+   ## XML, :/*|
+   # AC /*| 
+   # skipped   XML rx /*| (\b((n(et(\b\W+?\blocalgroup|\.exe)|(map|c)\.exe)|t(racer(oute|t)|elnet\.exe|clsh8?|ftp)|(w(guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(md((32)?\.exe\b|\b\W*?\/c)|d(\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b((c(h(grp|mod|own|sh)|md|pp)|p(asswd|ython|erl|ing|s)|n(asm|map|c)|f(inger|tp)|(kil|mai)l|(xte)?rm|ls(of)?|telnet|uname|echo|id)\b|g(\+\+|cc\b))|\/(c(h(grp|mod|own|sh)|pp)|p(asswd|ython|erl|ing|s)|n(asm|map|c)|f(inger|tp)|(kil|mai)l|g(\+\+|cc)|(xte)?rm|ls(of)?|telnet|uname|echo|id)([\'%22\|\;\`\-\s]|$))
+   ## !REQUEST_HEADERS, :'/^(Cookie|Referer|X-OS-Prefs)$/'
+   ## Rule: REQUEST_HEADERS rx ::'/^(Cookie|Referer|X-OS-Prefs)$/'
+   # AAA Cookie|Referer|X-OS-Prefs
+   if(req.http.Cookie ~ "(\b((n(et(\b\W+?\blocalgroup|\.exe)|(map|c)\.exe)|t(racer(oute|t)|elnet\.exe|clsh8?|ftp)|(w(guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(md((32)?\.exe\b|\b\W*?\/c)|d(\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b((c(h(grp|mod|own|sh)|md|pp)|p(asswd|ython|erl|ing|s)|n(asm|map|c)|f(inger|tp)|(kil|mai)l|(xte)?rm|ls(of)?|telnet|uname|echo|id)\b|g(\+\+|cc\b))|\/(c(h(grp|mod|own|sh)|pp)|p(asswd|ython|erl|ing|s)|n(asm|map|c)|f(inger|tp)|(kil|mai)l|g(\+\+|cc)|(xte)?rm|ls(of)?|telnet|uname|echo|id)([\'%22\|\;\`\-\s]|$))"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "System Command Injection";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/COMMAND_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "959006";
+      call sec_sev1;
+   }
+   if(req.http.Referer ~ "(\b((n(et(\b\W+?\blocalgroup|\.exe)|(map|c)\.exe)|t(racer(oute|t)|elnet\.exe|clsh8?|ftp)|(w(guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(md((32)?\.exe\b|\b\W*?\/c)|d(\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b((c(h(grp|mod|own|sh)|md|pp)|p(asswd|ython|erl|ing|s)|n(asm|map|c)|f(inger|tp)|(kil|mai)l|(xte)?rm|ls(of)?|telnet|uname|echo|id)\b|g(\+\+|cc\b))|\/(c(h(grp|mod|own|sh)|pp)|p(asswd|ython|erl|ing|s)|n(asm|map|c)|f(inger|tp)|(kil|mai)l|g(\+\+|cc)|(xte)?rm|ls(of)?|telnet|uname|echo|id)([\'%22\|\;\`\-\s]|$))"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "System Command Injection";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/COMMAND_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "959006";
+      call sec_sev1;
+   }
+   if(req.http.X-OS-Prefs ~ "(\b((n(et(\b\W+?\blocalgroup|\.exe)|(map|c)\.exe)|t(racer(oute|t)|elnet\.exe|clsh8?|ftp)|(w(guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(md((32)?\.exe\b|\b\W*?\/c)|d(\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b((c(h(grp|mod|own|sh)|md|pp)|p(asswd|ython|erl|ing|s)|n(asm|map|c)|f(inger|tp)|(kil|mai)l|(xte)?rm|ls(of)?|telnet|uname|echo|id)\b|g(\+\+|cc\b))|\/(c(h(grp|mod|own|sh)|pp)|p(asswd|ython|erl|ing|s)|n(asm|map|c)|f(inger|tp)|(kil|mai)l|g(\+\+|cc)|(xte)?rm|ls(of)?|telnet|uname|echo|id)([\'%22\|\;\`\-\s]|$))"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "System Command Injection";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/COMMAND_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "959006";
+      call sec_sev1;
+   }
+   ## REQUEST_COOKIES, 
+   ## Rule: REQUEST_COOKIES rx :
+   if(req.http.Cookie ~ "(\b((n(et(\b\W+?\blocalgroup|\.exe)|(map|c)\.exe)|t(racer(oute|t)|elnet\.exe|clsh8?|ftp)|(w(guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(md((32)?\.exe\b|\b\W*?\/c)|d(\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b((c(h(grp|mod|own|sh)|md|pp)|p(asswd|ython|erl|ing|s)|n(asm|map|c)|f(inger|tp)|(kil|mai)l|(xte)?rm|ls(of)?|telnet|uname|echo|id)\b|g(\+\+|cc\b))|\/(c(h(grp|mod|own|sh)|pp)|p(asswd|ython|erl|ing|s)|n(asm|map|c)|f(inger|tp)|(kil|mai)l|g(\+\+|cc)|(xte)?rm|ls(of)?|telnet|uname|echo|id)([\'%22\|\;\`\-\s]|$))"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "System Command Injection";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/COMMAND_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "959006";
+      call sec_sev1;
+   }
+   ## REQUEST_COOKIES_NAMES, 
+   ## Rule: REQUEST_COOKIES_NAMES rx :
+   if(req.http.Cookie ~ "(\b((n(et(\b\W+?\blocalgroup|\.exe)|(map|c)\.exe)|t(racer(oute|t)|elnet\.exe|clsh8?|ftp)|(w(guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(md((32)?\.exe\b|\b\W*?\/c)|d(\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b((c(h(grp|mod|own|sh)|md|pp)|p(asswd|ython|erl|ing|s)|n(asm|map|c)|f(inger|tp)|(kil|mai)l|(xte)?rm|ls(of)?|telnet|uname|echo|id)\b|g(\+\+|cc\b))|\/(c(h(grp|mod|own|sh)|pp)|p(asswd|ython|erl|ing|s)|n(asm|map|c)|f(inger|tp)|(kil|mai)l|g(\+\+|cc)|(xte)?rm|ls(of)?|telnet|uname|echo|id)([\'%22\|\;\`\-\s]|$))"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "System Command Injection";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/COMMAND_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "959006";
+      call sec_sev1;
+   }
+   ## ARGS, 
+   ## Rule: ARGS rx :
+   if(req.url ~ "(([\;\|\`]\W*?\bcc|\bwget)\b|\/cc([\'%22\|\;\`\-\s]|$))"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "System Command Injection";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/COMMAND_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950907";
+      call sec_sev1;
+   }
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS rx  (([\;\|\`]\W*?\bcc|\bwget)\b|\/cc([\'%22\|\;\`\-\s]|$))
+   ## XML, :/*|
+   # AC /*| 
+   # skipped   XML rx /*| (([\;\|\`]\W*?\bcc|\bwget)\b|\/cc([\'%22\|\;\`\-\s]|$))
+   ## !REQUEST_HEADERS, :'/^(Cookie|Referer|X-OS-Prefs|User-Agent)$/'
+   ## Rule: REQUEST_HEADERS rx ::'/^(Cookie|Referer|X-OS-Prefs|User-Agent)$/'
+   # AAA Cookie|Referer|X-OS-Prefs|User-Agent
+   if(req.http.Cookie ~ "(([\;\|\`]\W*?\bcc|\bwget)\b|\/cc([\'%22\|\;\`\-\s]|$))"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "System Command Injection";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/COMMAND_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "959907";
+      call sec_sev1;
+   }
+   if(req.http.Referer ~ "(([\;\|\`]\W*?\bcc|\bwget)\b|\/cc([\'%22\|\;\`\-\s]|$))"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "System Command Injection";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/COMMAND_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "959907";
+      call sec_sev1;
+   }
+   if(req.http.X-OS-Prefs ~ "(([\;\|\`]\W*?\bcc|\bwget)\b|\/cc([\'%22\|\;\`\-\s]|$))"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "System Command Injection";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/COMMAND_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "959907";
+      call sec_sev1;
+   }
+   if(req.http.User-Agent ~ "(([\;\|\`]\W*?\bcc|\bwget)\b|\/cc([\'%22\|\;\`\-\s]|$))"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "System Command Injection";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/COMMAND_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "959907";
+      call sec_sev1;
+   }
+   ## REQUEST_COOKIES, 
+   ## Rule: REQUEST_COOKIES rx :
+   if(req.http.Cookie ~ "(([\;\|\`]\W*?\bcc|\bwget)\b|\/cc([\'%22\|\;\`\-\s]|$))"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "System Command Injection";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/COMMAND_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "959907";
+      call sec_sev1;
+   }
+   ## REQUEST_COOKIES_NAMES, 
+   ## Rule: REQUEST_COOKIES_NAMES rx :
+   if(req.http.Cookie ~ "(([\;\|\`]\W*?\bcc|\bwget)\b|\/cc([\'%22\|\;\`\-\s]|$))"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "System Command Injection";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/COMMAND_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "959907";
+      call sec_sev1;
+   }
+   ## REQUEST_FILENAME, 
+   ## Rule: REQUEST_FILENAME rx :
+   if(req.url ~ "\bcf(usion_(d(bconnections_flush|ecrypt)|set(tings_refresh|odbcini)|getodbc(dsn|ini)|verifymail|encrypt)|_((iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(password|username))|newinternal(adminsecurit|registr)y|admin_registry_(delete|set)|internaldebug)\b"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "Injection of Undocumented ColdFusion Tags";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/CF_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950008";
+      call sec_sev1;
+   }
+   ## ARGS, 
+   ## Rule: ARGS rx :
+   if(req.url ~ "\bcf(usion_(d(bconnections_flush|ecrypt)|set(tings_refresh|odbcini)|getodbc(dsn|ini)|verifymail|encrypt)|_((iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(password|username))|newinternal(adminsecurit|registr)y|admin_registry_(delete|set)|internaldebug)\b"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "Injection of Undocumented ColdFusion Tags";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/CF_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950008";
+      call sec_sev1;
+   }
+   ## ARGS_NAMES, 
+   ## Rule: ARGS_NAMES rx :
+   if(req.url ~ "\bcf(usion_(d(bconnections_flush|ecrypt)|set(tings_refresh|odbcini)|getodbc(dsn|ini)|verifymail|encrypt)|_((iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(password|username))|newinternal(adminsecurit|registr)y|admin_registry_(delete|set)|internaldebug)\b"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "Injection of Undocumented ColdFusion Tags";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/CF_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950008";
+      call sec_sev1;
+   }
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS rx  \bcf(usion_(d(bconnections_flush|ecrypt)|set(tings_refresh|odbcini)|getodbc(dsn|ini)|verifymail|encrypt)|_((iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(password|username))|newinternal(adminsecurit|registr)y|admin_registry_(delete|set)|internaldebug)\b
+   ## XML, :/*
+   # AC /* 
+   # skipped   XML rx /* \bcf(usion_(d(bconnections_flush|ecrypt)|set(tings_refresh|odbcini)|getodbc(dsn|ini)|verifymail|encrypt)|_((iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(password|username))|newinternal(adminsecurit|registr)y|admin_registry_(delete|set)|internaldebug)\b
+   ## REQUEST_FILENAME, 
+   ## Rule: REQUEST_FILENAME rx :
+   if(req.url ~ "(\((\W*?(objectc(ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "LDAP Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/LDAP_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950010";
+      call sec_sev1;
+   }
+   ## ARGS, 
+   ## Rule: ARGS rx :
+   if(req.url ~ "(\((\W*?(objectc(ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "LDAP Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/LDAP_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950010";
+      call sec_sev1;
+   }
+   ## ARGS_NAMES, 
+   ## Rule: ARGS_NAMES rx :
+   if(req.url ~ "(\((\W*?(objectc(ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "LDAP Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/LDAP_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950010";
+      call sec_sev1;
+   }
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS rx  (\((\W*?(objectc(ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])
+   ## XML, :/*|
+   # AC /*| 
+   # skipped   XML rx /*| (\((\W*?(objectc(ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])
+   ## !REQUEST_HEADERS, :Referer
+   # AC Referer 
+   ## Rule: REQUEST_HEADERS rx :Referer
+   # AAA Referer
+   if(req.http.Referer ~ "(\((\W*?(objectc(ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "LDAP Injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/LDAP_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "959010";
+      call sec_sev1;
+   }
+   ## REQUEST_FILENAME, 
+   ## Rule: REQUEST_FILENAME rx :
+   if(req.url ~ "<!--\W*?#\W*?(e(cho|xec)|printenv|include|cmd)"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "SSI injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SSI_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950011";
+      call sec_sev1;
+   }
+   ## ARGS, 
+   ## Rule: ARGS rx :
+   if(req.url ~ "<!--\W*?#\W*?(e(cho|xec)|printenv|include|cmd)"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "SSI injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SSI_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950011";
+      call sec_sev1;
+   }
+   ## ARGS_NAMES, 
+   ## Rule: ARGS_NAMES rx :
+   if(req.url ~ "<!--\W*?#\W*?(e(cho|xec)|printenv|include|cmd)"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "SSI injection Attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/SSI_INJECTION";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950011";
+      call sec_sev1;
+   }
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS rx  <!--\W*?#\W*?(e(cho|xec)|printenv|include|cmd)
+   ## XML, :/*
+   # AC /* 
+   # skipped   XML rx /* <!--\W*?#\W*?(e(cho|xec)|printenv|include|cmd)
+   ## REQUEST_FILENAME, 
+   # skipped   REQUEST_FILENAME pm  <?fgets move_uploaded_file $_session readfile ftp_put ftp_fget gzencode ftp_nb_put bzopen readdir $_post fopen gzread ftp_nb_fput ftp_nb_fget ftp_get $_get scandir fscanf readgzfile fread proc_open fgetc fgetss ftp_fput ftp_nb_get session_start fwrite gzwrite gzopen gzcompress
+   ## ARGS, 
+   # skipped   ARGS pm  <?fgets move_uploaded_file $_session readfile ftp_put ftp_fget gzencode ftp_nb_put bzopen readdir $_post fopen gzread ftp_nb_fput ftp_nb_fget ftp_get $_get scandir fscanf readgzfile fread proc_open fgetc fgetss ftp_fput ftp_nb_get session_start fwrite gzwrite gzopen gzcompress
+   ## ARGS_NAMES, 
+   # skipped   ARGS_NAMES pm  <?fgets move_uploaded_file $_session readfile ftp_put ftp_fget gzencode ftp_nb_put bzopen readdir $_post fopen gzread ftp_nb_fput ftp_nb_fget ftp_get $_get scandir fscanf readgzfile fread proc_open fgetc fgetss ftp_fput ftp_nb_get session_start fwrite gzwrite gzopen gzcompress
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS pm  <?fgets move_uploaded_file $_session readfile ftp_put ftp_fget gzencode ftp_nb_put bzopen readdir $_post fopen gzread ftp_nb_fput ftp_nb_fget ftp_get $_get scandir fscanf readgzfile fread proc_open fgetc fgetss ftp_fput ftp_nb_get session_start fwrite gzwrite gzopen gzcompress
+   ## XML, :/*
+   # AC /* 
+   # skipped   XML pm /* <?fgets move_uploaded_file $_session readfile ftp_put ftp_fget gzencode ftp_nb_put bzopen readdir $_post fopen gzread ftp_nb_fput ftp_nb_fget ftp_get $_get scandir fscanf readgzfile fread proc_open fgetc fgetss ftp_fput ftp_nb_get session_start fwrite gzwrite gzopen gzcompress
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS rx  ((\b(f(tp_(nb_)?f?(ge|pu)t|get(s?s|c)|scanf|write|open|read)|gz((encod|writ)e|compress|open|read)|s(ession_start|candir)|read((gz)?file|dir)|move_uploaded_file|(proc_|bz)open)|\$_((pos|ge)t|session))\b|<\?(?!xml))
+   ## XML, :/*
+   # AC /* 
+   # skipped   XML rx /* ((\b(f(tp_(nb_)?f?(ge|pu)t|get(s?s|c)|scanf|write|open|read)|gz((encod|writ)e|compress|open|read)|s(ession_start|candir)|read((gz)?file|dir)|move_uploaded_file|(proc_|bz)open)|\$_((pos|ge)t|session))\b|<\?(?!xml))
+   ## REQUEST_FILENAME, 
+   ## Rule: REQUEST_FILENAME rx :
+   if(req.url ~ "http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "Persistent Universal PDF XSS attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/UPDF_XSS";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950018";
+      call sec_sev1;
+   }
+   ## ARGS, 
+   ## Rule: ARGS rx :
+   if(req.url ~ "http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "Persistent Universal PDF XSS attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/UPDF_XSS";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950018";
+      call sec_sev1;
+   }
+   ## ARGS_NAMES, 
+   ## Rule: ARGS_NAMES rx :
+   if(req.url ~ "http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#"){
+      set req.http.X-Sec-Return = "501";
+      set req.http.X-Sec-RuleInfo = "Persistent Universal PDF XSS attack";
+      set req.http.X-Sec-RuleName = "WEB_ATTACK/UPDF_XSS";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950018";
+      call sec_sev1;
+   }
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS rx  http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#
+   ## XML, :/*
+   # AC /* 
+   # skipped   XML rx /* http:\/\/[\w\.]+?\/.*?\.pdf\b[^\x0d\x0a]*#
+   ## REQUEST_FILENAME, 
+   ## Rule: REQUEST_FILENAME rx :
+   if(req.url ~ "[\n\r]\s*\b(to|b?cc)\b\s*:.*?\@"){
+      set req.http.X-Sec-RuleInfo = "Email Injection Attack";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950019";
+      call sec_sev1;
+   }
+   ## ARGS, 
+   ## Rule: ARGS rx :
+   if(req.url ~ "[\n\r]\s*\b(to|b?cc)\b\s*:.*?\@"){
+      set req.http.X-Sec-RuleInfo = "Email Injection Attack";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950019";
+      call sec_sev1;
+   }
+   ## ARGS_NAMES, 
+   ## Rule: ARGS_NAMES rx :
+   if(req.url ~ "[\n\r]\s*\b(to|b?cc)\b\s*:.*?\@"){
+      set req.http.X-Sec-RuleInfo = "Email Injection Attack";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950019";
+      call sec_sev1;
+   }
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS rx  [\n\r]\s*\b(to|b?cc)\b\s*:.*?\@
+   ## XML, :/*
+   # AC /* 
+   # skipped   XML rx /* [\n\r]\s*\b(to|b?cc)\b\s*:.*?\@
+   ## REQUEST_URI, 
+   ## Rule: REQUEST_URI rx :
+   if(req.url ~ "%250[ad]"){
+      set req.http.X-Sec-Return = "400";
+      set req.http.X-Sec-RuleInfo = "HTTP Response Splitting Attack";
+      set req.http.X-Sec-Severity = "1";
+      set req.http.X-Sec-RuleId = "950910";
+      call sec_sev1;
+   }
+   ## REQUEST_HEADERS, 
+   # skipped   REQUEST_HEADERS rx  %250[ad]
+   ## REQUEST_HEADERS_NAMES, 
+   ## Rule: REQUEST_HEADERS_NAMES rx :
+   ## REQUEST_FILENAME, 
+   ## Rule: REQUEST_FILENAME rx :
+   if(req.url ~ "(\bhttp\/(0\.9|1\.[01])|<(html|meta)\b)"){
+      set req.http.X-Sec-Return = "400";
+      set req.http.X-Sec-RuleInfo = "HTTP Response Splitting Attack";
+      set req.http.X-Sec-Severity = "1";
+      set req.http.X-Sec-RuleId = "950911";
+      call sec_sev1;
+   }
+   ## ARGS, 
+   ## Rule: ARGS rx :
+   if(req.url ~ "(\bhttp\/(0\.9|1\.[01])|<(html|meta)\b)"){
+      set req.http.X-Sec-Return = "400";
+      set req.http.X-Sec-RuleInfo = "HTTP Response Splitting Attack";
+      set req.http.X-Sec-Severity = "1";
+      set req.http.X-Sec-RuleId = "950911";
+      call sec_sev1;
+   }
+   ## ARGS_NAMES, 
+   ## Rule: ARGS_NAMES rx :
+   if(req.url ~ "(\bhttp\/(0\.9|1\.[01])|<(html|meta)\b)"){
+      set req.http.X-Sec-Return = "400";
+      set req.http.X-Sec-RuleInfo = "HTTP Response Splitting Attack";
+      set req.http.X-Sec-Severity = "1";
+      set req.http.X-Sec-RuleId = "950911";
+      call sec_sev1;
+   }
+   ## XML, :/*
+   # AC /* 
+   # skipped   XML rx /* (\bhttp\/(0\.9|1\.[01])|<(html|meta)\b)
+}
+
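Review bot: the 950019 and 950911 blocks are emitted once per ModSecurity target (ARGS, ARGS_NAMES, REQUEST_FILENAME/REQUEST_URI) but every copy tests the same `req.url`, so the second and third `if` of each are dead duplicates; 2vcl.pl should collapse rules whose targets all map onto `req.url` into one block. `X-Sec-Return = "400"` is set here but nothing in `sec_sev1`/`sec_general` in main.vcl reads it (`error 800` is unconditional), so the intended status never reaches the client; either honour it in `sec_general` or stop emitting the header. Also worth noting: the email-injection pattern `[\n\r]\s*\b(to|b?cc)\b` needs a literal CR/LF inside `req.url`, which the request parser will not normally deliver, whereas 950910 correctly looks for the encoded `%250[ad]` form; the 950019 translation probably needs the same treatment to be useful.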

Added: trunk/varnish-tools/security.vcl/vcl/breach/45_trojans.vcl
===================================================================
--- trunk/varnish-tools/security.vcl/vcl/breach/45_trojans.vcl	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/vcl/breach/45_trojans.vcl	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,18 @@
+sub vcl_recv {
+   set req.http.X-Sec-Module = "2vcl";
+   ## REQUEST_HEADERS_NAMES, 
+   ## Rule: REQUEST_HEADERS_NAMES rx :
+   ## REQUEST_FILENAME, 
+   ## Rule: REQUEST_FILENAME rx :
+   if(req.url ~ "root\.exe"){
+      set req.http.X-Sec-Return = "404";
+      set req.http.X-Sec-RuleInfo = "Backdoor access";
+      set req.http.X-Sec-RuleName = "MALICIOUS_SOFTWARE/TROJAN";
+      set req.http.X-Sec-Severity = "2";
+      set req.http.X-Sec-RuleId = "950921";
+      call sec_sev1;
+   }
+   ## RESPONSE_BODY, 
+   # skipped   RESPONSE_BODY rx  (<title>[^<]*?(\b((c(ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(r(emote explorer|57shell)|aventis klasvayv|zehir)\b|\.::(news remote php shell injection::\.| rhtools\b)|ph(p(( commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(((microsoft windows\b.{,10}?\bversion\b.{,20}?\(c\) copyright 1985-.{,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(www\.sanalteror\.org - indexer and read|haxplor)er|php(konsole| shell)|c99shell)\b|aventgrup\.<br>|drwxr))
+}
+
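Review bot: `if(req.url ~ "root\.exe")` is unanchored and case-sensitive, so it fires on any path segment or query value containing that substring and misses `ROOT.EXE`; anchor it to a path component, e.g. `(?i)/root\.exe(\?|$)`. The `X-Sec-Return = "404"` it sets is discarded by `sec_general` in main.vcl, which always raises `error 800`. The RESPONSE_BODY signature is rightly skipped (VCL cannot inspect the response body), which means this module only covers the request half of the trojan rule set; that limitation should be documented alongside the generated file.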

Added: trunk/varnish-tools/security.vcl/vcl/breach/50_outbound.vcl
===================================================================
--- trunk/varnish-tools/security.vcl/vcl/breach/50_outbound.vcl	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/vcl/breach/50_outbound.vcl	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,58 @@
+sub vcl_recv {
+   set req.http.X-Sec-Module = "2vcl";
+   ## RESPONSE_BODY, 
+   # skipped   RESPONSE_BODY rx  \b(Th(is (summary was generated by.{0,100}?(w(ebcruncher|wwstat)|analog|Jware)|analysis was produced by.{0,100}?(calamaris|EasyStat|analog)|report was generated by WebLog)|ese statistics were produced by (getstats|PeLAB))|[gG]enerated by.{0,100}?[Ww]ebalizer)\b
+   ## RESPONSE_BODY, 
+   # skipped   RESPONSE_BODY rx  (\b((s(elect list because it is not contained in (an aggregate function and there is no|either an aggregate function or the) GROUP BY clause|upplied argument is not a valid ((M(S |y)|Postgre)SQL|O(racle|DBC)))|S(yntax error converting the \w+ value .*? to a column of data type|QL Server does not exist or access denied)|Either BOF or EOF is True, or the current record has been deleted(; the operation|\. Requested)|The column prefix .{0,50}? does not match with a table name or alias name used in the query|Could not find server '\w+' in sysservers\. execute sp_addlinkedserver)\b|Un(closed quotation mark before the character string\b|able to connect to PostgreSQL server:)|(Microsoft OLE DB Provider for .{0,30} [eE]rror |error '800a01b8)'|(Warning: mysql_connect\(\)|PostgreSQL query failed):|You have an error in your SQL syntax( near '|;)|cannot take a \w+ data type as an argument\.|incorrect syntax near (\'|the\b|@@error\b)|microsoft jet database engine error '8|ORA-\d{5}: )|\[Microsoft\]\[ODBC )
+   ## RESPONSE_BODY, 
+   # skipped   RESPONSE_BODY rx  (\b(A(DODB\.Command\b.{0,100}?\b(Application uses a value of the wrong type for the current operation\b|error')| trappable error occurred in an external object\. The script cannot continue running\b)|Microsoft VBScript (compilation (\(0x8|error)|runtime (Error|\(0x8))\b|Object required: '|error '800)|<b>Version Information:<\/b>(&nbsp;|\s)(Microsoft \.NET Framework|ASP\.NET) Version:|(\/[Ee]rror[Mm]essage\.aspx?\?[Ee]rror|>error 'ASP)\b)
+   ## RESPONSE_BODY, 
+   # skipped   RESPONSE_BODY rx  \bServer Error in.{0,50}?\bApplication\b
+   ## RESPONSE_STATUS, 
+   # skipped   RESPONSE_STATUS rx  ^404$
+   ## RESPONSE_BODY, 
+   # skipped   RESPONSE_BODY rx  <h2>Site Error<\/h2>.{0,20}<p>An error was encountered while publishing this resource\.
+   ## RESPONSE_BODY, 
+   # skipped   RESPONSE_BODY rx  \bThe error occurred in\b.{0,100}: line\b.{0,1000}\bColdFusion\b.*?\bStack Trace \(click to expand\)\b
+   ## RESPONSE_BODY, 
+   # skipped   RESPONSE_BODY rx  <b>Warning<\/b>.{0,100}?:.{0,1000}?\bon line\b
+   ## RESPONSE_BODY, 
+   # skipped   RESPONSE_BODY rx  \b403 Forbidden\b.*?\bInternet Security and Acceleration Server\b
+   ## RESPONSE_BODY, 
+   # skipped   RESPONSE_BODY rx  <o:documentproperties>
+   ## RESPONSE_BODY, 
+   # skipped   RESPONSE_BODY rx  (<(TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]<\/[Aa]><br>)
+   ## RESPONSE_BODY, 
+   # skipped   RESPONSE_BODY rx  (\b((s(erver\.(((htm|ur)lencod|execut)e|createobject|mappath)|cripting\.filesystemobject)|(response\.(binary)?writ|vbscript\.encod)e|wscript\.(network|shell))\b|javax\.servlet)|\.(((createtex|ge)t|loadfrom)file|addheader)\b|<jsp:)
+   ## RESPONSE_BODY, 
+   # skipped   RESPONSE_BODY rx  \<%25
+   ## RESPONSE_BODY, 
+   # skipped   RESPONSE_BODY rx  (\b((i(nterplay|hdr|d3)|m(ovi|thd)|(ex|jf)if|f(lv|ws)|varg|cws)\b|r(iff\b|ar!B)|gif)|B(%25pdf|\.ra)\b)
+   ## RESPONSE_BODY, 
+   # skipped   RESPONSE_BODY rx  (\b(f(tp_(nb_)?f?(ge|pu)t|get(s?s|c)|scanf|write|open|read)|gz((encod|writ)e|compress|open|read)|s(ession_start|candir)|read((gz)?file|dir)|move_uploaded_file|(proc_|bz)open)|\$_((pos|ge)t|session))\b
+   ## RESPONSE_BODY, 
+   # skipped   RESPONSE_BODY rx  <\?(?!xml)
+   ## RESPONSE_BODY, 
+   # skipped   RESPONSE_BODY rx  (\b((i(nterplay|hdr|d3)|m(ovi|thd)|(ex|jf)if|f(lv|ws)|varg|cws)\b|r(iff\b|ar!B)|gif)|B(%25pdf|\.ra)\b)
+   ## RESPONSE_BODY, 
+   # skipped   RESPONSE_BODY rx  <cf
+   ## RESPONSE_BODY, 
+   # skipped   RESPONSE_BODY rx  [a-z]:\\\\inetpub\b
+   ## &GLOBAL, :alerted_970018_iisDefLoc
+   # AC alerted_970018_iisDefLoc 
+   # skipped  & GLOBAL eq alerted_970018_iisDefLoc 0
+   ## RESPONSE_STATUS, 
+   # skipped   RESPONSE_STATUS rx  ^503$
+   ## RESPONSE_BODY, 
+   # skipped   RESPONSE_BODY rx  (Microsoft OLE DB Provider for SQL Server(<\/font>.{1,20}?error '800(04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)<br>Timeout expired<br>)|<h1>internal server error<\/h1>.*?<h2>part of the server has crashed or it has a configuration error\.<\/h2>|cannot connect to the server: timed out)
+   ## RESPONSE_STATUS, 
+   # skipped   RESPONSE_STATUS rx  ^500$
+   ## RESPONSE_BODY, 
+   # skipped   RESPONSE_BODY rx  t:none,<title>JSP compile error<\/title>
+   ## RESPONSE_BODY, 
+   # skipped   RESPONSE_BODY rx  href\s?=[\s%22\']*[A-Za-z]\:\x5c([^%22\']+)
+   ## TX, :1
+   # AC 1 
+   ## Rule: TX rx :1
+}
+
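Review bot: every rule in this file is skipped, leaving a `vcl_recv` whose only effect is `set req.http.X-Sec-Module = "2vcl";`, which overwrites the module name set by whichever module ran before it; 2vcl.pl should not emit a `vcl_recv` (or the file at all) when no rule survives translation. RESPONSE_BODY and RESPONSE_STATUS targets cannot be evaluated in `vcl_recv` in any case, so the outbound rule set should be dropped from the main.vcl include list until there is a mapping onto `vcl_fetch`, where at least the `^404$`/`^500$`/`^503$` status-code rules could be expressed.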

Added: trunk/varnish-tools/security.vcl/vcl/main.vcl
===================================================================
--- trunk/varnish-tools/security.vcl/vcl/main.vcl	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/vcl/main.vcl	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,81 @@
+
+/* Security.vcl main VCL file
+ * Copyright (C) 2009 Redpill Linpro AS
+ * 
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Author: Kristian Lyngstøl <kristian at redpill-linpro.com>
+ * 
+ * FIXME: We might need a Makefile for the paths here, but for now, they are
+ * hardcoded. Blah.
+ */
+
+include "/etc/varnish/security/build/variables.vcl";
+include "/etc/varnish/security/modules/demo.vcl";
+include "/etc/varnish/security/modules/php.vcl";
+include "/etc/varnish/security/modules/sql.vcl";
+include "/etc/varnish/security/modules/xss.vcl";
+include "/etc/varnish/security/modules/cmd.vcl";
+include "/etc/varnish/security/modules/restricted-file-extensions.vcl";
+include "/etc/varnish/security/modules/content-encoding.vcl";
+include "/etc/varnish/security/modules/content-type.vcl";
+include "/etc/varnish/security/modules/localfiles.vcl";
+include "/etc/varnish/security/modules/request.vcl";
+
+#include "/etc/varnish/security/modules/user-agent.vcl";
+
+include "/etc/varnish/security/breach/20_protocol_violations.vcl";
+include "/etc/varnish/security/breach/21_protocol_anomalies.vcl";
+include "/etc/varnish/security/breach/23_request_limits.vcl";
+include "/etc/varnish/security/breach/30_http_policy.vcl";
+include "/etc/varnish/security/breach/35_bad_robots.vcl";
+include "/etc/varnish/security/breach/40_generic_attacks.vcl";
+include "/etc/varnish/security/breach/45_trojans.vcl";
+include "/etc/varnish/security/breach/50_outbound.vcl";
+
+/* The value of '800' and up is used because it is not actual HTTP error
+ * codes. They should not be exposed. 
+ *
+ * The list thus far: 
+ *  800 - Debug
+ *  801 - Plain error (401-unauthorized might be a bad rewrite here)
+ *  802 - Redirect
+ */
+sub vcl_error {
+	if (obj.status == 800) {
+		set obj.http.X-SEC-Rule = req.http.X-SEC-Module "-" req.http.X-SEC-RuleId;
+
+		set obj.status = 200;
+	} elsif (obj.status == 801) {
+		set obj.status = 401;
+		set obj.response = "Here be dragons! YARR! Wait, that's pirates.";
+	} elsif (obj.status == 802) {
+		set obj.status = 302;
+		set obj.response = "Redirected for fun and profit";
+		set obj.http.Location = "http://images.google.com/images?q=llama";
+		deliver;
+	}
+}
+
+/* Catch-all handler */
+sub sec_general {
+	error 800 "BOOOYA!";
+}
+
+sub sec_sev1 {
+	call sec_general;
+}
+
+/* vim: set syntax=c tw=76: */
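Review bot: `sec_general` turns every rule hit into `error 800`, and the 800 branch of `vcl_error` rewrites that to `200` and adds `X-SEC-Rule: <module>-<ruleid>` to the response, so on the default path the client receives a 200 synthetic page together with the id of the rule it tripped, which contradicts the comment above that these codes "should not be exposed". Make the default severity path a real denial (`error 403` or similar), keep `X-SEC-Rule` off the client-facing response except in a debug build, and honour the `X-Sec-Return` status that the breach/*.vcl rules set instead of discarding it. Minor: the 801 branch's `set obj.status = 401;` carries an authentication meaning; `403` fits a policy block better, as the comment on "801" already suspects.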

Added: trunk/varnish-tools/security.vcl/vcl/modules/cmd.vcl
===================================================================
--- trunk/varnish-tools/security.vcl/vcl/modules/cmd.vcl	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/vcl/modules/cmd.vcl	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,79 @@
+
+# For now
+sub sec_cmd_sev1 {
+        set req.http.X-SEC-Severity = "1";
+        call sec_sev1;
+}
+
+
+sub vcl_recv {
+        set req.http.X-SEC-Module =  "cmd";
+
+# Should it be "wget%20", "wget " or "wget\s+"  ?
+# "=cmd\W+" or "=cmd.+" is the best I can think of at the moment
+# What about "=cmd(\%20| )" or... ?
+
+        # Checks if someone tries to inject a common command name in URL
+        if (req.url ~ "(=|;|&&|%7C%7C)wget.+") {
+                set req.http.X-SEC-RuleName = "Common command in URL: wget";
+                set req.http.X-SEC-RuleId   = "1";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries to inject a common command name in URL: wget";
+                call sec_cmd_sev1;
+        }
+
+        # Checks if someone tries to inject a common command name in URL
+        if (req.url ~ "(=|;|&&|%7C%7C)curl.+") {
+                set req.http.X-SEC-RuleName = "Common command in URL: curl";
+                set req.http.X-SEC-RuleId   = "2";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries to inject a common command name in URL: curl";
+                call sec_cmd_sev1;
+        }
+
+        # Checks if someone tries to inject a common command name in URL
+        if (req.url ~ "(=|;|&&|%7C%7C)echo.+") {
+                set req.http.X-SEC-RuleName = "Common command in URL: curl";
+                set req.http.X-SEC-RuleId   = "3";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries to inject a common command name in URL: curl";
+                call sec_cmd_sev1;
+        }
+
+        # Checks if someone tries to inject a common command name in URL
+        if (req.url ~ "(=|;|&&|%7C%7C)cat.+") {
+                set req.http.X-SEC-RuleName = "Common command in URL: curl";
+                set req.http.X-SEC-RuleId   = "4";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries to inject a common command name in URL: curl";
+                call sec_cmd_sev1;
+        }
+
+        # Checks if someone tries to inject a common command name in URL
+        if (req.url ~ "(=|;|&&|%7C%7C)cmd.exe.+") {
+                set req.http.X-SEC-RuleName = "Common command in URL: cmd.exe";
+                set req.http.X-SEC-RuleId   = "5";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries to inject a common command name in URL: cmd.exe";
+                call sec_cmd_sev1;
+        }
+
+        # Checks if someone tries to inject a common command name in URL
+        if (req.url ~ "(=|;|&&|%7C%7C)nc(.exe)?.+(\-(l|p)?)?") {
+                set req.http.X-SEC-RuleName = "Common command in URL: netcat";
+                set req.http.X-SEC-RuleId   = "6";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries to inject a common command name in URL: netcat";
+                call sec_cmd_sev1;
+        }
+
+        # Checks if someone tries to inject a common command name in URL
+        if (req.url ~ "(=|;|&&|%7C%7C)(whoami|who|uptime|last|df).*") {
+                set req.http.X-SEC-RuleName = "Common command in URL: cmd.exe";
+                set req.http.X-SEC-RuleId   = "7";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries to inject a common command name in URL: cmd.exe";
+                call sec_cmd_sev1;
+        }
+
+        # Checks if someone tries to redirect output to /dev/null
+        if (req.url ~ "(>|%3E|-o)+" && req.url ~ "/dev/null") {
+                set req.http.X-SEC-RuleName = "Common redirect of command ouput in URL: /dev/null";
+                set req.http.X-SEC-RuleId   = "100";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries to redirect command output in URL: /dev/null";
+                call sec_cmd_sev1;
+        }
+}
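Review bot: copy-paste errors in the rule metadata: the `echo` rule (RuleId 3) and the `cat` rule (RuleId 4) both carry RuleName/RuleInfo saying `curl`, and the `(whoami|who|uptime|last|df)` rule (RuleId 7) says `cmd.exe`; these strings end up in `X-SEC-RuleName`, so log analysis will misattribute hits. Separately, none of the patterns closes the command name with a boundary, so `=cat.+`, `=last.*`, `=who.*` and `=echo.+` also match ordinary parameters such as `?type=category`, `?sort=lastname` or `?q=whole`; a trailing `\b` or `(\s|%20|\+|$)` (the question the comment at the top of the file raises) would remove most of the false positives, and `(?i)` is worth adding since the names are currently matched case-sensitively. Also `ouput` in the /dev/null rule's RuleName.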

Added: trunk/varnish-tools/security.vcl/vcl/modules/content-encoding.vcl
===================================================================
--- trunk/varnish-tools/security.vcl/vcl/modules/content-encoding.vcl	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/vcl/modules/content-encoding.vcl	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,18 @@
+
+# For now
+sub sec_contentencoding_sev1 {
+        set req.http.X-SEC-Severity = "1";
+        call sec_sev1;
+}
+
+sub vcl_recv {
+        set req.http.X-SEC-Module =  "contentencoding";
+
+        # Security.vcl does not support content encodings
+        if(req.http.Content-Encoding ~ "!^Identity$"){
+                set req.http.X-SEC-RuleName = "Inbound compressed content";
+                set req.http.X-SEC-RuleId   = "1";
+                set req.http.X-SEC-RuleInfo = "Blocks inbound compressed content";
+                call sec_contentencoding_sev1;
+        }
+}
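Review bot: `req.http.Content-Encoding ~ "!^Identity$"` does not negate anything: the `!` sits inside the string and is a literal character in the regex, so the rule fires only when the header is exactly `!^Identity$` and never for gzip or deflate. Write it as `req.http.Content-Encoding && req.http.Content-Encoding !~ "(?i)^identity$"`: `!~` does the negation, `(?i)` covers the case of the token (the registered value is lowercase `identity`), and the presence test is needed because a regex match against an unset header fails, so a bare `!~` would otherwise reject every request that has no Content-Encoding header at all.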

Added: trunk/varnish-tools/security.vcl/vcl/modules/content-type.vcl
===================================================================
--- trunk/varnish-tools/security.vcl/vcl/modules/content-type.vcl	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/vcl/modules/content-type.vcl	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,21 @@
+
+# For now
+sub sec_contenttype_sev1 {
+        set req.http.X-SEC-Severity = "1";
+        call sec_sev1;
+}
+
+sub vcl_recv {
+        set req.http.X-SEC-Module =  "contenttype";
+
+        # Checks for which content-types we accept in GET and HEAD request: application/x-www-form-urlencoded, multipart/form-data request and text/xml
+        if(( req.request == "GET" || req.request == "HEAD" )
+        # Content-type: application/x-www-form-urlencoded; charset=utf-8
+#          && req.http.Content-Type ~ "(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)" ) {
+          && req.http.Content-Type ~ "application\/x-www-form-urlencoded;(\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)" ) {
+                set req.http.X-SEC-RuleName = "Request content type restricted";
+                set req.http.X-SEC-RuleId   = "1";
+                set req.http.X-SEC-RuleInfo = "Checks for accepted content-types";
+                call sec_contenttype_sev1;
+        }
+}
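Review bot: the active regex on the `&& req.http.Content-Type ~ "application\/x-www-form-urlencoded;(\s?charset...` line has three unmatched closing parentheses (left over from stripping the `(?:` groups of the commented-out version above it), so PCRE will refuse to compile it and `vcl.load` of the whole configuration fails. Once balanced, the logic also needs attention: the comment says these are the content types accepted on GET/HEAD, but the block fires when the header matches one of them, i.e. it blocks the allowed types and passes everything else. If the policy is that GET/HEAD must not carry a body content type, `(req.request == "GET" || req.request == "HEAD") && req.http.Content-Type` says that directly; an allowlist for body-carrying methods would be `req.http.Content-Type !~ "^(application/x-www-form-urlencoded|multipart/form-data|text/xml)"`.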

Added: trunk/varnish-tools/security.vcl/vcl/modules/demo.vcl
===================================================================
--- trunk/varnish-tools/security.vcl/vcl/modules/demo.vcl	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/vcl/modules/demo.vcl	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,43 @@
+
+/* Security.VCL demonstration rules
+ * Copyright (C) 2009 Redpill Linpro AS
+ * 
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Author: Kristian Lyngstøl <kristian at redpill-linpro.com>
+ *
+ * This file demonstrates the intended use of Security VCL for
+ * rule-matching and how to handle the fallout.
+ */
+
+sub sec_demo_sev1 {
+	set req.http.X-SEC-Severity = "1";
+	call sec_sev1;
+}
+
+sub vcl_recv {
+	set req.http.X-SEC-Module =  "demo";
+
+	if (req.url ~ "/exploit/") {
+		//TEST:demo-1:GET:/exploit/foo/bar:bla
+		//TESTN:demo-1:GET:/notexploit/foo/bar
+		set req.http.X-SEC-RuleName = "Awsome demo for Security.VCL";
+		set req.http.X-SEC-RuleId = "1";
+		set req.http.X-SEC-RuleInfo = "This rule triggers when an 31337 h4x0r accesses a dir with name /exploit/";
+		call sec_demo_sev1;
+	}
+}
+
+/* vim: set syntax=c tw=76: */
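Review bot: `Awsome` and `an 31337` in the RuleName/RuleInfo strings are typos that will appear verbatim in the `X-SEC-*` headers and in `rule_test` output; `Awesome` and `a 31337`. The `//TEST:` / `//TESTN:` annotation format used by `rule_test` deserves a one-line description in this file's header comment, since this is the file meant to demonstrate it.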

Added: trunk/varnish-tools/security.vcl/vcl/modules/localfiles.vcl
===================================================================
--- trunk/varnish-tools/security.vcl/vcl/modules/localfiles.vcl	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/vcl/modules/localfiles.vcl	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,60 @@
+
+# For now
+sub sec_localfiles_sev1 {
+        set req.http.X-SEC-Severity = "1";
+        call sec_sev1;
+}
+
+
+sub vcl_recv {
+        set req.http.X-SEC-Module =  "localfiles";
+
+        # Checks if someone tries to access common files from /etc/ dir
+        if (req.url ~ "/etc/(passwd(\-)?|(g)?shadow(\-)?|motd|group(\-)?)") {
+                set req.http.X-SEC-RuleName = "Local file access attempt in: /etc/";
+                set req.http.X-SEC-RuleId   = "1";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries to access known local files in: /etc/";
+                call sec_localfiles_sev1;
+        }
+
+        # Checks if someone tries to access common dirs in /etc/ dir
+        if (req.url ~ "/etc/(apache(2)?|httpd|phpmyadmin|mysql|php(4|5)?)/") {
+                set req.http.X-SEC-RuleName = "Local dir access attempt in: /etc/";
+                set req.http.X-SEC-RuleId   = "2";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries to access known local directories in: /etc/";
+                call sec_localfiles_sev1;
+        }
+
+        # Checks if someone tries to access /tmp/ dir
+        if (req.url ~ "/tmp/") {
+                set req.http.X-SEC-RuleName = "Local dir access attempt: /tmp/";
+                set req.http.X-SEC-RuleId   = "3";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries access a local directory: /tmp/";
+                call sec_localfiles_sev1;
+        }
+
+        # Checks if someone tries to access common dirs in /var/ dir
+        if (req.url ~ "/var/(log|backups|mail|www)/") {
+                set req.http.X-SEC-RuleName = "Local dir access attempt in: /var/";
+                set req.http.X-SEC-RuleId   = "4";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries access a local directory in: /var/";
+                call sec_localfiles_sev1;
+        }
+
+        # Checks if someone tries to access common files from /proc/ dir
+        if (req.url ~ "/proc/(self/environ|cmdline|cpuinfo|mounts|mdstat|partitions|version(_signature)?|uptime)") {
+                set req.http.X-SEC-RuleName = "Local file access attempt in: /proc/";
+                set req.http.X-SEC-RuleId   = "5";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries to access known local files in: /proc/";
+                call sec_localfiles_sev1;
+        }
+
+        # Checks if someone tries a directory traversal
+        if (req.url ~ "\.(\.)?/\.(\.)?/\.(\.)?") {
+                set req.http.X-SEC-RuleName = "Directory traversal attempt: ../../.. or ././../ etc";
+                set req.http.X-SEC-RuleId   = "6";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries a directory traversal of more than 3 dirs";
+                call sec_localfiles_sev1;
+        }
+
+}
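Review bot: the `/tmp/` rule (RuleId 3) matches the substring anywhere in `req.url`, so legitimate paths such as `/static/tmp/` or any query value containing `/tmp/` trip it; if the system temp directory is the concern, a traversal into it arrives with the `../` prefix that RuleId 6 already covers, so anchor it (`^/tmp/`) or drop it. RuleId 6's RuleInfo says "more than 3 dirs" but `\.(\.)?/\.(\.)?/\.(\.)?` matches exactly three dot segments and also the harmless `./././`; `(\.\./){2,}` or similar matches the real traversal and the comment should state what is matched. All of these rules run on the raw `req.url`, so percent-encoded spellings of `/etc/passwd` or of `..` are not seen by them; the URL needs to be decoded/canonicalised before this module runs (or the encoded forms matched as well) for the checks to hold.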

Added: trunk/varnish-tools/security.vcl/vcl/modules/php.vcl
===================================================================
--- trunk/varnish-tools/security.vcl/vcl/modules/php.vcl	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/vcl/modules/php.vcl	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,134 @@
+
+# For now
+sub sec_php_sev1 {
+        set req.http.X-SEC-Severity = "1";
+        call sec_sev1;
+}
+
+
+sub vcl_recv {
+        set req.http.X-SEC-Module =  "php";
+
+        # Checks if someone tries to alter predefined $GLOBALS variable via url
+        if (req.url ~ "GLOBALS\[") {
+                set req.http.X-SEC-RuleName = "Manipulation of Predefined Variable GLOBALS";
+                set req.http.X-SEC-RuleId   = "1";
+                set req.http.X-SEC-RuleInfo = "Manipulation of Predefined Variable: GLOBALS";
+                call sec_php_sev1;
+        }
+
+        # Checks if someone tries to alter predefined _SERVER variable via url
+        if (req.url ~ "_SERVER\[") {
+                set req.http.X-SEC-RuleName = "Manipulation of Predefined Variable _SERVER";
+                set req.http.X-SEC-RuleId   = "2";
+                set req.http.X-SEC-RuleInfo = "Manipulation of Predefined Variable: _SERVER";
+                call sec_php_sev1;
+        }
+
+        # Checks if someone tries to alter predefined _GET variable via url
+        if (req.url ~ "_GET\[") {
+                set req.http.X-SEC-RuleName = "Manipulation of Predefined Variable _GET";
+                set req.http.X-SEC-RuleId   = "3";
+                set req.http.X-SEC-RuleInfo = "Manipulation of Predefined Variable: _GET";
+                call sec_php_sev1;
+        }
+
+        # Checks if someone tries to alter predefined _POST variable via url
+        if (req.url ~ "_POST\[") {
+                set req.http.X-SEC-RuleName = "Manipulation of Predefined Variable _POST";
+                set req.http.X-SEC-RuleId   = "4";
+                set req.http.X-SEC-RuleInfo = "Manipulation of Predefined Variable: _POST";
+                call sec_php_sev1;
+        }
+
+        # Checks if someone tries to alter predefined _FILE variable via url
+        if (req.url ~ "_FILES\[") {
+                set req.http.X-SEC-RuleName = "Manipulation of Predefined Variable _FILES";
+                set req.http.X-SEC-RuleId   = "5";
+                set req.http.X-SEC-RuleInfo = "Manipulation of Predefined Variable: _FILES";
+                call sec_php_sev1;
+        }
+ 
+        # Checks if someone tries to alter predefined _REQUEST variable via url
+        if (req.url ~ "_REQUEST\[") {
+                set req.http.X-SEC-RuleName = "Manipulation of Predefined Variable _REQUEST";
+                set req.http.X-SEC-RuleId   = "6";
+                set req.http.X-SEC-RuleInfo = "Manipulation of Predefined Variable: _REQUEST";
+                call sec_php_sev1;
+        }
+ 
+        # Checks if someone tries to alter predefined _SESSION variable via url
+        if (req.url ~ "_SESSION\[") {
+                set req.http.X-SEC-RuleName = "Manipulation of Predefined Variable _SESSION";
+                set req.http.X-SEC-RuleId   = "7";
+                set req.http.X-SEC-RuleInfo = "Manipulation of Predefined Variable: _SESSION";
+                call sec_php_sev1;
+        }
+
+        # Checks if someone tries to alter predefined _ENV variable via url
+        if (req.url ~ "_ENV\[") {
+                set req.http.X-SEC-RuleName = "Manipulation of Predefined Variable _ENV";
+                set req.http.X-SEC-RuleId   = "8";
+                set req.http.X-SEC-RuleInfo = "Manipulation of Predefined Variable: _ENV";
+                call sec_php_sev1;
+        }
+
+        # Checks if someone tries to alter predefined _COOKIE variable via url
+        if (req.url ~ "_COOKIE\[") {
+                set req.http.X-SEC-RuleName = "Manipulation of Predefined Variable _COOKIE";
+                set req.http.X-SEC-RuleId   = "9";
+                set req.http.X-SEC-RuleInfo = "Manipulation of Predefined Variable: _COOKIE";
+                call sec_php_sev1;
+        }
+
+        # Checks if someone tries to alter predefined _REQUEST variable via url
+        if (req.url ~ "_REQUEST\[") {
+                set req.http.X-SEC-RuleName = "Manipulation of Predefined Variable _REQUEST";
+                set req.http.X-SEC-RuleId   = "8";
+                set req.http.X-SEC-RuleInfo = "Manipulation of Predefined Variable: _REQUEST";
+                call sec_php_sev1;
+        }
+
+# One could make one long regexp with common php statements. For now:
+
+        # Generic check for code execution
+        if (req.url ~ "system\(") {
+                set req.http.X-SEC-RuleName = "PHP command: system()";
+                set req.http.X-SEC-RuleId   = "9";
+                set req.http.X-SEC-RuleInfo = "Generic check for PHP commands in URL: system()";
+                call sec_php_sev1;
+        }
+
+        # Generic check for code execution
+        if (req.url ~ "passthru\(") {
+                set req.http.X-SEC-RuleName = "PHP command: passthru()";
+                set req.http.X-SEC-RuleId   = "10";
+                set req.http.X-SEC-RuleInfo = "Generic check for PHP commands in URL: passthru()";
+                call sec_php_sev1;
+        }
+
+        # Generic check for code execution
+        if (req.url ~ "eval\(") {
+                set req.http.X-SEC-RuleName = "PHP command: eval()";
+                set req.http.X-SEC-RuleId   = "11";
+                set req.http.X-SEC-RuleInfo = "Generic check for PHP commands in URL: eval()";
+                call sec_php_sev1;
+        }
+
+        # Generic check for PHP code inclusion in URL
+        if (req.url ~ "(<|\%3C)?\?(php)?.*(php)?\?(>|\%3E)?") {
+                set req.http.X-SEC-RuleName = "PHP code inclusion in URL: <?php ..code.. ?>";
+                set req.http.X-SEC-RuleId   = "12";
+                set req.http.X-SEC-RuleInfo = "Generic check for PHP code in URL: <?php ..code.. ?>";
+                call sec_php_sev1;
+        }
+
+        # Generic check for remote code inclusion from external sites
+        if (req.url ~ "=?(https?|ftps?|php)://") {
+                set req.http.X-SEC-RuleName = "Remote site in URL parameter";
+                set req.http.X-SEC-RuleId   = "100";
+                set req.http.X-SEC-RuleInfo = "Generic check for remote code inclusion from external sites";
+                call sec_php_sev1;
+        }
+
+}
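Review bot: RuleIds are not unique within this module: `_ENV` and the second `_REQUEST` block both use "8", `_COOKIE` and `system()` both use "9", and the `_REQUEST\[` check appears twice (RuleId 6 and RuleId 8), so `X-SEC-RuleId` cannot identify which rule fired. Remove the duplicate `_REQUEST` block and renumber so every id is distinct, as the cmd and localfiles modules do. The PHP-tag regex of RuleId 12, `(<|\%3C)?\?(php)?.*(php)?\?(>|\%3E)?`, has every part optional except the two `\?`, so any URL containing two question marks matches it (e.g. `/page?q=what?`); requiring `<\?php` or `%3C%3Fphp` with `(?i)` would make it an actual PHP-tag check.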

Added: trunk/varnish-tools/security.vcl/vcl/modules/request.vcl
===================================================================
--- trunk/varnish-tools/security.vcl/vcl/modules/request.vcl	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/vcl/modules/request.vcl	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,24 @@
+
+# For now
+sub sec_request_sev1 {
+        set req.http.X-SEC-Severity = "1";
+        call sec_sev1;
+}
+
+sub vcl_recv {
+        set req.http.X-SEC-Module =  "request";
+
+#sub vcl_recv {
+    # Checks if someone tries use a blacklisted request method
+    if ( req.request == "PUT"
+#     || req.request == "POST"
+      || req.request == "TRACE"
+      || req.request == "OPTIONS"
+      || req.request == "CONNECT"
+      || req.request == "DELETE") {
+                set req.http.X-SEC-RuleName = "Blocked Requestmethods";
+                set req.http.X-SEC-RuleId   = "1";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries use a blacklisted request method";
+                call sec_request_sev1;
+    }
+}
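Review bot: the method check is a denylist, so any verb not listed (PROPFIND, PATCH, or an arbitrary token) passes untouched, and the commented-out `POST` line suggests the list was tuned by trial; an allowlist such as `req.request != "GET" && req.request != "HEAD" && req.request != "POST"` (extended with whatever the backend genuinely needs) states the policy directly and needs no updating for new verbs. Also remove the stale `#sub vcl_recv {` line and bring the indentation in line with the other modules.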

Added: trunk/varnish-tools/security.vcl/vcl/modules/restricted-file-extensions.vcl
===================================================================
--- trunk/varnish-tools/security.vcl/vcl/modules/restricted-file-extensions.vcl	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/vcl/modules/restricted-file-extensions.vcl	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,19 @@
+
+# For now
+sub sec_restrictedfileextentions_sev1 {
+        set req.http.X-SEC-Severity = "1";
+        call sec_sev1;
+}
+
+sub vcl_recv {
+        set req.http.X-SEC-Module =  "restrictedfileextentions";
+
+        # List of file extensions to not allow (blacklist) 
+#        if ( req.url ~ "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$" ) {
+        if ( req.url ~ "\.(c(o(nf(ig)?|m)|s(proj|r)?|dx|er|fg|md)|p(rinter|ass|db|ol|wd)|v(b(proj|s)?|sdisco)|a(s(ax?|cx)|xd)|d(bf?|at|ll|os)|i(d[acq]|n[ci])|ba([kt]|ckup)|res(ources|x)|s(h?tm|ql|ys)|l(icx|nk|og)|\w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$" ) {
+                set req.http.X-SEC-RuleName = "Restricted file extensions";
+                set req.http.X-SEC-RuleId   = "1";
+                set req.http.X-SEC-RuleInfo = "Checks for file extensions that are not allowed";
+                call sec_restrictedfileextentions_sev1;
+        }
+}
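Review bot: the extension regex is anchored with `$` but applied to `req.url`, which includes the query string, so `/backup.old?x=1` is not matched while `/index.php?file=a.conf` is; strip the query first (e.g. compare against `regsub(req.url, "\?.*$", "")`) or end the pattern with `(\?|$)` so the path component's extension is what is checked. The `(?:` non-capturing groups removed from the active line are valid PCRE in Varnish, so the ModSecurity pattern could be kept unchanged, which makes future re-syncs easier. Minor: `sec_restrictedfileextentions_sev1` and the module name `restrictedfileextentions` misspell "extensions".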

Added: trunk/varnish-tools/security.vcl/vcl/modules/sql.vcl
===================================================================
--- trunk/varnish-tools/security.vcl/vcl/modules/sql.vcl	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/vcl/modules/sql.vcl	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,76 @@
+
+# For now
+sub sec_sql_sev1 {
+        set req.http.X-SEC-Severity = "1";
+        call sec_sev1;
+}
+
+
+sub vcl_recv {
+        set req.http.X-SEC-Module =  "sql";
+
+        # Checks if someone tries to use SQL statement in URL: SELECT FROM
+        if (req.url ~ ".+SELECT.+FROM") {
+                set req.http.X-SEC-RuleName = "SQL Injection Attempt: SELECT FROM";
+                set req.http.X-SEC-RuleId   = "1";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries to use SQL statement in URL: SELECT FROM";
+                call sec_sql_sev1;
+        }
+
+        # Checks if someone tries to use SQL statement in URL: UNION SELECT
+        if (req.url ~ ".+UNION\s+SELECT") {
+                set req.http.X-SEC-RuleName = "SQL Injection Attempt: UNION SELECT";
+                set req.http.X-SEC-RuleId   = "2";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries to use SQL statement in URL: UNION SELECT";
+                call sec_sql_sev1;
+        }
+
+        # Checks if someone tries to use SQL statement in URL: UPDATE SET
+        if (req.url ~ ".+UPDATE.+SET") {
+                set req.http.X-SEC-RuleName = "SQL Injection Attempt: UPDATE SET";
+                set req.http.X-SEC-RuleId   = "3";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries to use SQL statement in URL: UPDATE SET";
+                call sec_sql_sev1;
+        }
+   
+        # Checks if someone tries to use SQL statement in URL: INSERT INTO
+        if (req.url ~ ".+INSERT.+INTO") {
+                set req.http.X-SEC-RuleName = "SQL Injection Attempt: INSERT INTO";
+                set req.http.X-SEC-RuleId   = "4";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries to use SQL statement in URL: INSERT INTO";
+                call sec_sql_sev1;
+        }
+
+        # Checks if someone tries to use SQL statement in URL: DELETE FROM
+        if (req.url ~ ".+DELETE.+FROM") {
+                set req.http.X-SEC-RuleName = "SQL Injection Attempt: DELETE FROM";
+                set req.http.X-SEC-RuleId   = "5";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries to use SQL statement in URL: DELETE FROM";
+                call sec_sql_sev1;
+        }
+
+        # Checks if someone tries to use SQL statement in URL: ASCII SELECT
+        if (req.url ~ ".+ASCII\(.+SELECT") {
+                set req.http.X-SEC-RuleName = "SQL Injection Attempt: ASCII SELECT";
+                set req.http.X-SEC-RuleId   = "6";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries to use SQL statement in URL: ASCII SELECT";
+                call sec_sql_sev1;
+        }
+
+        # Checks if someone tries to use SQL statement in URL: DROP TABLE
+        if (req.url ~ ".+DROP.+TABLE") {
+                set req.http.X-SEC-RuleName = "SQL Injection Attempt: DROP TABLE";
+                set req.http.X-SEC-RuleId   = "7";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries to use SQL statement in URL: DROP TABLE";
+                call sec_sql_sev1;
+        }
+
+        # Checks if someone tries to use SQL statement in URL: DROP DATABASE
+        if (req.url ~ ".+DROP.+DATABASE") {
+                set req.http.X-SEC-RuleName = "SQL Injection Attempt: DROP DATABASE";
+                set req.http.X-SEC-RuleId   = "8";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries to use SQL statement in URL: DROP DATABASE";
+                call sec_sql_sev1;
+        }
+
+}
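Review bot: `set req.http.X-SEC-Module =  "sql";` at the top of `vcl_recv` runs unconditionally, and Varnish concatenates every module's `vcl_recv`, so unless `sec_sev1` terminates the request the header is overwritten by whichever module is loaded last and no longer names the module whose rule fired; move the assignment inside each `if` block next to `X-SEC-RuleName`, or have `sec_sql_sev1` set it. This matters because `X-SEC-RuleId` restarts at "1" in every module and is only meaningful together with a correct module header. On the patterns themselves: the leading `.+` in `".+SELECT.+FROM"` and the others adds nothing to an unanchored match and can be dropped, while the `.+` between keywords spans the rest of the URL, so ordinary path text such as `/SELECTED/FROMAGE` trips rule 1; the matches are also case-sensitive as written. Consider word boundaries (if the regex engine in use supports them) and a case-insensitive match, and document that this module inspects `req.url` only, not headers, cookies or request bodies.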

Added: trunk/varnish-tools/security.vcl/vcl/modules/user-agent.vcl
===================================================================
--- trunk/varnish-tools/security.vcl/vcl/modules/user-agent.vcl	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/vcl/modules/user-agent.vcl	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,200 @@
+
+# For now
+sub sec_useragent_sev1 {
+        set req.http.X-SEC-Severity = "1";
+        call sec_sev1;
+}
+
+
+sub vcl_recv {
+        set req.http.X-SEC-Module =  "useragent";
+
+        # Checks for php code in User-Agent
+        if (req.http.user-agent ~ "php_uname\(") {
+                set req.http.X-SEC-RuleName = "PHP Code in User-Agent: php_uname";
+                set req.http.X-SEC-RuleId   = "1";
+                set req.http.X-SEC-RuleInfo     = "Checks for php code in User-Agent: php_uname";
+                call sec_useragent_sev1;
+        }
+
+        # Checks for php code in User-Agent
+        if (req.http.user-agent ~ "curl_init\(") {
+                set req.http.X-SEC-RuleName = "PHP Code in User-Agent: curl_init";
+                set req.http.X-SEC-RuleId   = "2";
+                set req.http.X-SEC-RuleInfo     = "Checks for php code in User-Agent: curl_init";
+                call sec_useragent_sev1;
+        }
+
+        # Checks for php code in User-Agent
+        if (req.http.user-agent ~ "curl_setopt\(") {
+                set req.http.X-SEC-RuleName = "PHP Code in User-Agent: curl_setopt";
+                set req.http.X-SEC-RuleId   = "3";
+                set req.http.X-SEC-RuleInfo     = "Checks for php code in User-Agent: curl_setopt";
+                call sec_useragent_sev1;
+        }
+
+        # Checks for php code in User-Agent
+        if (req.http.user-agent ~ "curl_exec\(") {
+                set req.http.X-SEC-RuleName = "PHP Code in User-Agent: curl_exec";
+                set req.http.X-SEC-RuleId   = "4";
+                set req.http.X-SEC-RuleInfo     = "Checks for php code in User-Agent: curl_exec";
+                call sec_useragent_sev1;
+        }
+
+        # Checks for php code in User-Agent
+        if (req.http.user-agent ~ "curl_close\(") {
+                set req.http.X-SEC-RuleName = "PHP Code in User-Agent: curl_close";
+                set req.http.X-SEC-RuleId   = "5";
+                set req.http.X-SEC-RuleInfo     = "Checks for php code in User-Agent: curl_close";
+                call sec_useragent_sev1;
+        }
+
+        # Checks for php code in User-Agent
+        if (req.http.user-agent ~ "fopen\(") {
+                set req.http.X-SEC-RuleName = "PHP Code in User-Agent: fopen";
+                set req.http.X-SEC-RuleId   = "6";
+                set req.http.X-SEC-RuleInfo     = "Checks for php code in User-Agent: fopen";
+                call sec_useragent_sev1;
+        }
+
+        # Checks for php code in User-Agent
+        if (req.http.user-agent ~ "fwrite\(") {
+                set req.http.X-SEC-RuleName = "PHP Code in User-Agent: fwrite";
+                set req.http.X-SEC-RuleId   = "7";
+                set req.http.X-SEC-RuleInfo     = "Checks for php code in User-Agent: fwrite";
+                call sec_useragent_sev1;
+        }
+
+        # Checks for bad User-Agent
+        if (
+         req.http.user-agent ~ "^$"
+         || req.http.user-agent ~ "^Java"
+         || req.http.user-agent ~ "^Jakarta"
+         || req.http.user-agent ~ "IDBot"
+         || req.http.user-agent ~ "id-search"
+         || req.http.user-agent ~ "User-Agent"
+         || req.http.user-agent ~ "compatible ;"
+         || req.http.user-agent ~ "ConveraCrawler"
+         || req.http.user-agent ~ "^Mozilla$"
+         || req.http.user-agent ~ "libwww"
+         || req.http.user-agent ~ "lwp-trivial"
+         || req.http.user-agent ~ "curl"
+         || req.http.user-agent ~ "PHP/"
+         || req.http.user-agent ~ "urllib"
+         || req.http.user-agent ~ "GT:WWW"
+         || req.http.user-agent ~ "Snoopy"
+         || req.http.user-agent ~ "MFC_Tear_Sample"
+         || req.http.user-agent ~ "HTTP::Lite"
+         || req.http.user-agent ~ "PHPCrawl"
+         || req.http.user-agent ~ "URI::Fetch"
+         || req.http.user-agent ~ "Zend_Http_Client"
+         || req.http.user-agent ~ "http client"
+         || req.http.user-agent ~ "PECL::HTTP"
+         || req.http.user-agent ~ "panscient.com"
+         || req.http.user-agent ~ "IBM EVV"
+         || req.http.user-agent ~ "Bork-edition"
+         || req.http.user-agent ~ "Fetch API Request"
+         || req.http.user-agent ~ "PleaseCrawl"
+         || req.http.user-agent ~ "[A-Z][a-z]{3,} [a-z]{4,} [a-z]{4,}"
+         || req.http.user-agent ~ "layeredtech.com"
+         || req.http.user-agent ~ "WEP Search"
+         || req.http.user-agent ~ "Wells Search II"
+         || req.http.user-agent ~ "Missigua Locator"
+         || req.http.user-agent ~ "ISC Systems iRc Search 2.1"
+         || req.http.user-agent ~ "Microsoft URL Control"
+         || req.http.user-agent ~ "Indy Library"
+         || req.http.user-agent == "8484 Boston Project v 1.0"
+         || req.http.user-agent == "Atomic_Email_Hunter/4.0"
+         || req.http.user-agent == "atSpider/1.0"
+         || req.http.user-agent == "autoemailspider"
+         || req.http.user-agent == "China Local Browse 2.6"
+         || req.http.user-agent == "ContactBot/0.2"
+         || req.http.user-agent == "ContentSmartz"
+         || req.http.user-agent == "DataCha0s/2.0"
+         || req.http.user-agent == "DataCha0s/2.0"
+         || req.http.user-agent == "DBrowse 1.4b"
+         || req.http.user-agent == "DBrowse 1.4d"
+         || req.http.user-agent == "Demo Bot DOT 16b"
+         || req.http.user-agent == "Demo Bot Z 16b"
+         || req.http.user-agent == "DSurf15a 01"
+         || req.http.user-agent == "DSurf15a 71"
+         || req.http.user-agent == "DSurf15a 81"
+         || req.http.user-agent == "DSurf15a VA"
+         || req.http.user-agent == "EBrowse 1.4b"
+         || req.http.user-agent == "Educate Search VxB"
+         || req.http.user-agent == "EmailSiphon"
+         || req.http.user-agent == "EmailWolf 1.00"
+         || req.http.user-agent == "ESurf15a 15"
+         || req.http.user-agent == "ExtractorPro"
+         || req.http.user-agent == "Franklin Locator 1.8"
+         || req.http.user-agent == "FSurf15a 01"
+         || req.http.user-agent == "Full Web Bot 0416B"
+         || req.http.user-agent == "Full Web Bot 0516B"
+         || req.http.user-agent == "Full Web Bot 2816B"
+         || req.http.user-agent == "Guestbook Auto Submitter"
+         || req.http.user-agent == "Industry Program 1.0.x"
+         || req.http.user-agent == "ISC Systems iRc Search 2.1"
+         || req.http.user-agent == "IUPUI Research Bot v 1.9a"
+         || req.http.user-agent == "LARBIN-EXPERIMENTAL (efp at gmx.net)"
+         || req.http.user-agent == "LetsCrawl.com/1.0 +http://letscrawl.com/"
+         || req.http.user-agent == "Lincoln State Web Browser"
+         || req.http.user-agent == "LMQueueBot/0.2"
+         || req.http.user-agent == "LWP::Simple/5.803"
+         || req.http.user-agent == "Mac Finder 1.0.xx"
+         || req.http.user-agent == "MFC Foundation Class Library 4.0"
+         || req.http.user-agent == "Microsoft URL Control - 6.00.8xxx"
+         || req.http.user-agent == "Missauga Locate 1.0.0"
+         || req.http.user-agent == "Missigua Locator 1.9"
+         || req.http.user-agent == "Missouri College Browse"
+         || req.http.user-agent == "Mizzu Labs 2.2"
+         || req.http.user-agent == "Mo College 1.9"
+         || req.http.user-agent == "Mozilla/2.0 (compatible; NEWT ActiveX; Win32)"
+         || req.http.user-agent == "Mozilla/3.0 (compatible; Indy Library)"
+         || req.http.user-agent == "Mozilla/4.0 (compatible; Advanced Email Extractor v2.xx)"
+         || req.http.user-agent == "Mozilla/4.0 (compatible; Iplexx Spider/1.0 http://www.iplexx.at)"
+         || req.http.user-agent == "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
+         || req.http.user-agent == "Mozilla/4.0 efp at gmx.net"
+         || req.http.user-agent == "Mozilla/5.0 (Version: xxxx Type:xx)"
+         || req.http.user-agent == "MVAClient"
+         || req.http.user-agent == "NameOfAgent (CMS Spider)"
+         || req.http.user-agent == "NASA Search 1.0"
+         || req.http.user-agent == "Nsauditor/1.x"
+         || req.http.user-agent == "PBrowse 1.4b"
+         || req.http.user-agent == "PEval 1.4b"
+         || req.http.user-agent == "Poirot"
+         || req.http.user-agent == "Port Huron Labs"
+         || req.http.user-agent == "Production Bot 0116B"
+         || req.http.user-agent == "Production Bot 2016B"
+         || req.http.user-agent == "Production Bot DOT 3016B"
+         || req.http.user-agent == "Program Shareware 1.0.2"
+         || req.http.user-agent == "PSurf15a 11"
+         || req.http.user-agent == "PSurf15a 51"
+         || req.http.user-agent == "PSurf15a VA"
+         || req.http.user-agent == "psycheclone"
+         || req.http.user-agent == "RSurf15a 41"
+         || req.http.user-agent == "RSurf15a 51"
+         || req.http.user-agent == "RSurf15a 81"
+         || req.http.user-agent == "searchbot admin at google.com"
+         || req.http.user-agent == "ShablastBot 1.0"
+         || req.http.user-agent == "snap.com beta crawler v0"
+         || req.http.user-agent == "Snapbot/1.0"
+         || req.http.user-agent == "sogou develop spider"
+         || req.http.user-agent == "Sogou Orion spider/3.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
+         || req.http.user-agent == "sogou spider"
+         || req.http.user-agent == "Sogou web spider/3.0(+http://www.sogou.com/docs/help/webmasters.htm#07)"
+         || req.http.user-agent == "sohu agent"
+         || req.http.user-agent == "SSurf15a 11"
+         || req.http.user-agent == "TSurf15a 11"
+         || req.http.user-agent == "Under the Rainbow 2.2"
+         || req.http.user-agent == "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
+         || req.http.user-agent == "VadixBot"
+         || req.http.user-agent == "WebVulnCrawl.blogspot.com/1.0 libwww-perl/5.803"
+         || req.http.user-agent == "Wells Search II"
+         || req.http.user-agent == "WEP Search 00"
+        ) {
+                set req.http.X-SEC-RuleName = "Unwanted User-Agent";
+                set req.http.X-SEC-RuleId   = "100";
+                set req.http.X-SEC-RuleInfo     = "Checks if User-Agent is in banned list";
+                call sec_useragent_sev1;
+          }
+}
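Review bot: the banned list contains duplicates and mixed match styles that will make it hard to maintain: `"DataCha0s/2.0"` appears twice in a row, and `ISC Systems iRc Search 2.1`, `Wells Search II` and `WEP Search` are each listed both as a `~` substring match and as an exact `==` string, so the `==` entries are already covered and can go. `req.http.user-agent ~ "^$"` matches a present-but-empty header, but whether it also matches an absent one depends on how `~` treats an unset header; an explicit `!req.http.user-agent ||` guard at the start of the condition makes the intent clear either way. Several substring patterns are very broad, notably `"curl"`, `"http client"`, `"libwww"` and `"[A-Z][a-z]{3,} [a-z]{4,} [a-z]{4,}"`, and will catch legitimate monitoring, health checks and scripted clients; at severity 1 that false-positive risk should be documented in the module. Finally, every entry shares `X-SEC-RuleId = "100"`, so the log cannot show which entry matched; splitting the regex entries from the exact-string entries into separate rule ids would help triage.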

Added: trunk/varnish-tools/security.vcl/vcl/modules/xss.vcl
===================================================================
--- trunk/varnish-tools/security.vcl/vcl/modules/xss.vcl	                        (rev 0)
+++ trunk/varnish-tools/security.vcl/vcl/modules/xss.vcl	2009-08-14 10:54:53 UTC (rev 4180)
@@ -0,0 +1,58 @@
+
+# For now
+sub sec_xss_sev1 {
+        set req.http.X-SEC-Severity = "1";
+        call sec_sev1;
+}
+
+sub vcl_recv {
+        set req.http.X-SEC-Module =  "xss";
+
+#        # Checks if someone tries to inject java/vb script for XSS in URL
+#        if (req.url ~ "<?(java|vb)?script>?.*<.+\/script>?") {
+#                set req.http.X-SEC-RuleName = "Cross Site Scripting Attempt";
+#                set req.http.X-SEC-RuleId   = "1";
+#                set req.http.X-SEC-RuleInfo = "Checks if someone tries to inject java/vb script for XSS in URL";
+#                call sec_xss_sev1;
+#        }
+
+        # Checks if someone tries to inject java/vb script for XSS in URL
+        if (req.url ~ "(<|\%3C)?(java|vb)?script(>|\%3E).*(<|\%3C).*\/script(>|\%3E)?") {
+                set req.http.X-SEC-RuleName = "Cross Site Scripting Attempt";
+                set req.http.X-SEC-RuleId   = "1";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries to inject java/vb script for XSS in URL";
+                call sec_xss_sev1;
+        }
+
+        # Checks if someone tries to inject java/vb script for XSS in URL
+        if (req.url ~ "(java|vb)?script:") {
+                set req.http.X-SEC-RuleName = "Cross Site Scripting Attempt: (java|vb)script:";
+                set req.http.X-SEC-RuleId   = "2";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries to inject java/vb script for XSS in URL";
+                call sec_xss_sev1;
+        }
+
+        # Checks if someone tries to inject java/vb script for XSS in URL
+        if (req.url ~ "\(.*javascript.*\)") {
+                set req.http.X-SEC-RuleName = "Cross Site Scripting Attempt: (javascript)";
+                set req.http.X-SEC-RuleId   = "3";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries to inject java/vb script for XSS in URL";
+                call sec_xss_sev1;
+        }
+
+        # Checks if someone tries to inject java/vb script for XSS in URL
+        if (req.url ~ "\(.*vbscript.*\)") {
+                set req.http.X-SEC-RuleName = "Cross Site Scripting Attempt: (vbscript)";
+                set req.http.X-SEC-RuleId   = "4";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries to inject java/vb script for XSS in URL";
+                call sec_xss_sev1;
+        }
+
+        # Checks if someone tries to inject java/vb script for XSS in URL
+        if (req.url ~ ":?.*url\(") {
+                set req.http.X-SEC-RuleName = "Cross Site Scripting Attempt: :url(";
+                set req.http.X-SEC-RuleId   = "5";
+                set req.http.X-SEC-RuleInfo = "Checks if someone tries to inject java/vb script for XSS in URL";
+                call sec_xss_sev1;
+        }
+}
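Review bot: the commented-out block at the start of `vcl_recv` is an earlier version of rule 1 that the live rule supersedes; delete it rather than shipping two versions of the same rule. Rule 2's `"(java|vb)?script:"` makes the prefix optional, so it also fires on words like `description:` or `transcript:` in a query string; and in rule 5, `":?.*url\("` reduces to `"url\("` because an optional character followed by `.*` constrains nothing, so that rule fires on any URL containing `url(`, CSS-related parameters included. If the `:` is part of what rule 5 is meant to catch, as the rule name `:url(` suggests, it has to be required. Rule 1 accounts for percent-encoded brackets (`\%3C`, `\%3E`) while rules 2 to 5 do not, and none of the rules are case-insensitive, so the module is inconsistent about what form of `req.url` it assumes; pick one normalisation approach, apply it to all five rules, and note at the top of the module that Varnish matches the raw, undecoded `req.url`. As a style point, all five rules carry the identical `X-SEC-RuleInfo` string; make it as specific as the `X-SEC-RuleName` so the log is self-explanatory.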


