# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Anti Malware rules
#
# Created by Prometheus Global (http://www.prometheus-group.com)
# Copyright 2005-2011 by Prometheus Global, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
# Phase 2 rules
# Default action inherited by every rule that follows until the next
# SecDefaultAction (presumably including later-loaded files in the same
# configuration context — confirm against the include order): evaluate in
# phase 2 (request body available), write to the error log and the audit log,
# and deny with HTTP 403. Individual rules below override pieces of this
# (e.g. "drop" instead of "deny", or "nolog"/"pass" on the gating rules).
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
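#DOS Rules go right up front
#Wordpress Resource Exhaustion attack
# Gate for the two WordPress trackback DoS checks below: rule 393939 fires when
# the request URI contains /wp-trackback.php and skips the next rule (the
# unconditional skipAfter), so the checks are reached; for every other request
# rule 393940 jumps straight to END_DOS_CHECKS_WP and nothing in between runs.
# Fix (review): @pm is a literal phrase match, not a regex, so the previous
# phrase "/wp-trackback\.php" asked for a literal backslash before the dot and
# the gate was unlikely ever to open; the phrase is now the plain path.
SecRule REQUEST_URI "@pm /wp-trackback.php" \
"phase:2,id:'393939',t:none,pass,nolog,skip:1"
SecAction phase:2,id:393940,t:none,pass,nolog,skipAfter:END_DOS_CHECKS_WP
# Trackback charset exhaustion: after URL-decoding, whitespace compression and
# lowercasing, the "charset" parameter either repeats "utf-8" six times or
# carries five or more commas (an arbitrary list of encodings).
# NOTE(review): the action list names two disruptive actions ("drop" and
# "deny"); ModSecurity applies only one disruptive action per rule — confirm
# which one this build keeps, and leave just "drop" (as rule 390640 does) if
# tearing down the connection is the intent for a resource-exhaustion attack.
SecRule ARGS:charset "(?:utf-8,utf-8,utf-8,utf-8,utf-8,utf-8|,.*,.*,.*,.*,)" \
"phase:2,drop,log,deny,auditlog,t:none,t:urlDecodeUni,t:compressWhitespace,t:lowercase,id:390639,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules - Just In Time Patch: WordPRess trackback resource exhaustion attack'"
#Wordpress Resource Exhaustion attack exploit
# Signature of the public proof-of-concept: the "title" parameter is "abcedfg"
# repeated four times (compared after URL-decoding and lowercasing). This is an
# exact-string match on the PoC payload, so any variant that changes the title
# text is not caught here; rule 390639 above is the generic check.
SecRule ARGS:title "abcedfgabcedfgabcedfgabcedfg" \
"phase:2,drop,log,auditlog,t:none,t:urlDecodeUni,t:lowercase,id:390640,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules - Just In Time Patch: WordPRess trackback resource exhaustion attack'"
SecMarker END_DOS_CHECKS_WP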
#Another variant of a DOS attack
# Drop the connection when the (URL-decoded, lowercased) request URI contains a
# "?" immediately followed by the parameter-name prefix "ptrxcz_" or "xclzve_",
# which the rule message attributes to a known worm. No explicit log action:
# error/audit logging comes from SecDefaultAction.
SecRule REQUEST_URI "\?(?:ptrxcz|xclzve)_" \
"phase:2,drop,t:none,t:urlDecodeUni,t:lowercase,id:370145,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Known wormsign'"
#skip this for certain file types
# Exempt requests for static media from every malware-blocklist check in this
# file: when the lowercased request path ends in one of the listed image,
# audio/video, script or stylesheet extensions, jump to END_ANTI_MALWARE.
# NOTE(review): REQUEST_FILENAME is the path as the client sent it, not the
# file Apache finally serves. An application that honours PATH_INFO
# (e.g. /index.php/x.gif) lets a client opt out of the blocklist checks by
# appending a fake extension; restrict this exemption to genuinely static
# locations if that applies to the hosted applications.
SecRule REQUEST_FILENAME "\.((m|j)pe?g4?|bmp|tiff?|p((p|g|b)m|n(g|m))|gif|js|css|ico|avi|w(mv|ebp)|mp(3|4)|cgm|svg|swf|og(m|v|x))$" phase:2,pass,t:none,t:lowercase,nolog,id:333946,skipAfter:END_ANTI_MALWARE
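# Horde IMP's compose page legitimately carries URLs in its form fields, so it
# is exempted from the malware-blocklist checks below (jump to END_ANTI_MALWARE).
# Fix (review): the exemption used to be an unanchored match on REQUEST_URI,
# which includes the query string, so any request could disable the blocklist
# for itself by mentioning /imp/compose.php in a parameter. It now matches only
# the end of the request path (REQUEST_FILENAME, no query string).
# An application that honours PATH_INFO (/vuln.php/imp/compose.php) can still
# reach this exemption; pin the pattern to the real IMP location if needed.
SecRule REQUEST_FILENAME "/imp/compose\.php$" phase:2,pass,id:333947,t:none,t:lowercase,nolog,skipAfter:END_ANTI_MALWARE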
# Broadcheck
#SecRule REQUEST_HEADERS:Referer|ARGS "!@pmFromFile malware-exclusion-local.txt" \
# "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360000,rev:2,severity:2,msg:'Blocklist Malware Site (AE)'"
# Rule 360000: malware-site blocklist, anti-evasion variant (two-rule chain).
# Rule 1 (prefilter): fires only when a URL scheme prefix — http(s):/, ftp(s):/,
#   data:/, php:/, gopher:/, ogg:/ or zlib:/ — appears in the request URI, in
#   the request arguments, or in XML body nodes. Free-text parameters that
#   legitimately carry links (description, subject, body, txt, message,
#   resolution) are deliberately not inspected. Transformations run in the
#   listed order: URL-decode, strip NULs, HTML-entity decode, collapse
#   whitespace, lowercase.
# Rule 2 (chained, same variable set): the decoded value must also contain a
#   phrase from malware-blacklist.txt. A relative @pmFromFile path is resolved
#   against this file's directory in ModSecurity 2.x — confirm for this build.
#   Both rules must match for the request to be denied with 403.
# Caveats (review):
#  - Because rule 1 demands a scheme, a blocklisted host written without one
#    ("evil.example", "//evil.example/x") is not caught by this chain.
#  - XML:/* only carries data when the XML request-body processor has been
#    selected for the request; otherwise it is empty.
#  - logdata expands TX.0, which appears to be what rule 1's regex captured
#    (the scheme prefix), not the blocklisted phrase found by rule 2.
#  - Rule 2 omits t:lowercase and t:replaceNulls. @pm matching is
#    case-insensitive, so case is not an evasion, but embedded NULs are not
#    stripped before the phrase match.
SecRule REQUEST_URI|ARGS|!ARGS:/description/|!ARGS:resolution|!ARGS:/subject/|!ARGS:/body/|!ARGS:message|!ARGS:/txt/|XML:/* "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \
"phase:2,deny,status:403,chain,capture,t:none,t:urlDecodeUni,t:replaceNulls,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,id:360000,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Malware Blocklist: Malware Site detected in URL/Argument (AE)',logdata:'%{TX.0}'"
SecRule REQUEST_URI|ARGS|!ARGS:resolution|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|!ARGS:message|XML:/* "@pmFromFile malware-blacklist.txt" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace"
# Rule 360002 (disabled): Blocklist of known malware sites w/ Anti-evasion features
#SecRule REQUEST_URI "!(?:/imp/compose\.php)" \
# "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360002,rev:1,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Malware Blocklist: Malware Site detected in ARGS/Body (AE)',chain,logdata:'%{TX.0}'"
#SecRule REQUEST_BODY|ARGS|!ARGS:resolution|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|XML:/* "(?:ogg|zlib|(?:ht|f)tps?)\:/" "chain"
##SecRule REQUEST_BODY|ARGS "!@pmFromFile malware-exclusion-local.txt" chain
#SecRule REQUEST_BODY|ARGS|!ARGS:/description/|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|XML:/* "@pmFromFile malware-blacklist.txt"
# Rule 360003 (disabled): Blocklist of known malware sites in the request URI
#SecRule REQUEST_URI "!(?:/imp/compose\.php)" \
# "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360003,rev:5,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Malware Blocklist: Malware Site detected in URI',chain,logdata:'%{TX.0}'"
#SecRule REQUEST_URI "(?:ogg|zlib|(?:ht|f)tps?)\:/.*" "chain"
##SecRule REQUEST_URI "!@pmFromFile malware-exclusion-local.txt" "chain"
#SecRule REQUEST_URI "@pmFromFile malware-blacklist.txt"
#Rule 360004 (disabled): Blocklist of suspicious sites in the Referer header
#SecRule REQUEST_HEADERS:Referer "@pmFromFile malware-blacklist.txt" \
# "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360004,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Malware Blocklist: Suspicious Blocklist Malware Site detected in Referral',logdata:'%{TX.0}'"
#
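# Rule 360005: malware-site blocklist, base64-encoded variant (two-rule chain).
# Same structure as rule 360000 above, but every value is passed through
# t:base64Decode before the other transformations, so this pair inspects the
# *decoded* form of the raw body, the URI and the arguments; plain-text URLs
# are covered by rule 360000.
# Rule 1 (prefilter): a URL scheme prefix must appear in the decoded value.
# Rule 2 (chained): the decoded value must also contain a phrase from
#   malware-blacklist.txt. Both must match for the 403.
# Fix (review): rule 2 used to inspect a smaller variable set than rule 1 — it
#   lacked XML:/* and !ARGS:resolution — so a hit present only in XML body
#   nodes could never complete the chain, while the "resolution" parameter
#   that rule 1 excludes could. The two variable lists are now identical.
# Caveats (review):
#  - REQUEST_BODY is only populated for bodies handled by the URLENCODED
#    processor (or when ctl:forceRequestBodyVariable is set), so multipart and
#    XML/JSON bodies are not covered through it.
#  - XML:/* needs the XML request-body processor selected for the request.
#  - logdata expands TX.0 from rule 1's capture (the scheme prefix), not the
#    blocklisted phrase matched by rule 2.
SecRule REQUEST_BODY|REQUEST_URI|ARGS|!ARGS:/description/|!ARGS:resolution|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|XML:/* "(?:ogg|gopher|data|php|zlib|(?:ht|f)tps?):/" \
"phase:2,deny,status:403,capture,t:none,t:base64Decode,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,id:360005,rev:2,severity:2,msg:'Atomicorp.com UNSUPPORTED DELAYED Malware Blocklist: Malware Site detected in ARGS/Body (AE)',chain,logdata:'%{TX.0}'"
#SecRule REQUEST_BODY|ARGS "!@pmFromFile malware-exclusion-local.txt" chain
SecRule REQUEST_BODY|REQUEST_URI|ARGS|!ARGS:/description/|!ARGS:resolution|!ARGS:/subject/|!ARGS:/body/|!ARGS:/txt/|XML:/* "@pmFromFile malware-blacklist.txt" "t:none,t:base64Decode,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace"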
##Rule 360005 (disabled): Local malware lists — NOTE: the commented rules below reuse ids 360000 and 360005, which are already taken by the active rules above; renumber them before enabling, or ModSecurity will reject the duplicate ids.
##SecRule REQUEST_HEADERS:Referer|ARGS "!@pmFromFile malware-exclusion-local.txt" \
## "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360000,rev:2,severity:2,msg:'Blocklist Malware Site (AE)'"
#SecRule ARGS "@pmFromFile malware-blacklist-local.txt" \
# "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360005,rev:2,severity:2,msg:'Local Blocklist Malware Site (AE)'"
#
## Rule 360006 (disabled): Local blocklist of known malware sites w/ Anti-evasion features
#SecRule REQUEST_URI "!(?:/imp/compose\.php)" \
# "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360006,rev:1,severity:2,msg:'Local Malware Site in ARGS/Body (AE)',chain"
#SecRule REQUEST_BODY|ARGS "(?:ogg|zlib|(?:ht|f)tps?)\:/.*" "chain"
##SecRule REQUEST_BODY|ARGS "!@pmFromFile malware-exclusion-local.txt" chain
#SecRule REQUEST_BODY|ARGS "@pmFromFile malware-blacklist-local.txt"
#
## Rule 360007 (disabled): Local blocklist of known malware sites in the request URI
#SecRule REQUEST_URI "!(?:/imp/compose\.php)" \
# "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360007,rev:4,severity:2,msg:'Local Malware Site in URI',chain"
#SecRule REQUEST_URI "(?:ogg|zlib|(?:ht|f)tps?)\:/.*" "chain"
##SecRule REQUEST_URI "!@pmFromFile malware-exclusion-local.txt" "chain"
#SecRule REQUEST_URI "@pmFromFile malware-blacklist-local.txt"
#
##Rule 360008 (disabled): Local blocklist of suspicious sites in the Referer header
#SecRule REQUEST_HEADERS:Referer "@pmFromFile malware-blacklist-local.txt" \
# "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhiteSpace,t:lowercase,id:360008,rev:2,severity:2,msg:'Suspicious Local Blocklist Malware Site in Referral'"
#
# Landing point for the skipAfter jumps in rules 333946 (static file types) and
# 333947 (Horde IMP compose exemption); everything between those rules and this
# marker is bypassed for the exempted requests.
SecMarker END_ANTI_MALWARE