Recommended mod_security best Rules


Mod_security is a popular Apache plugin that serves as a Web Application Firewall, screening requests coming in to the webserver based on a set of configurable rules. 

The “best rules” for mod_security are often requested, although there is not a ruleset that is absolutely the best. Every website and application has slightly different circumstances, which will require some fine-tuning of the rules to make sure they are strict enough to be protective, but not so strict as to disallow normal users. 

We recommend the rules below, which help to screen command injection and other forms of web-based attacks. Copy the entire text of these rules (or whichever rules you would like to activate) into your modsec2.user.conf configuration file, or into whichever configuration file your mod_security installation has set up for user-configurable rules.

 

Best mod_security rules:

Make sure to delete any old rules from modsec2.user.conf, then add these rules.

Source: http://download.east4serv.com/modsec2.user.conf

 

# Deprecated due to security issues so it should be off: http://blog.modsecurity.org/2008/08/transformation.html
SecCacheTransformations Off

# Check Content-Length and reject all non numeric ones
SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "deny,log,auditlog,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016'"

# Do not accept GET or HEAD requests with bodies
SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011',tag:'PROTOCOL_VIOLATION/EVASION'"
SecRule REQUEST_HEADERS:Content-Length "!^0?$" t:none

# Require Content-Length to be provided with every POST request.
SecRule REQUEST_METHOD "^POST$" "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header',id:'960012',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"
SecRule &REQUEST_HEADERS:Content-Length "@eq 0" t:none

# Don't accept transfer encodings we know we don't know how to handle
SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" "phase:2,t:none,deny,log,auditlog,status:501,msg:'ModSecurity does not support transfer encodings',id:'960013',tag:'PROTOCOL_VIOLATION/EVASION',severity:'3'"

# Check decodings
##SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
##	"chain, deny,log,auditlog,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"
##SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"

##SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',severity:'4'"

# Proxy access attempt

# Restrict type of characters sent
SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
	"@validateByteRange 1-255" \
	"log,auditlog,msg:'Invalid character in request', severity:'2',id:'960015',t:urlDecodeUni,phase:1"

SecRule ARGS|ARGS_NAMES "@validateByteRange 1-255" \
	"deny,log,auditlog,msg:'Invalid character in request',id:'960901',severity:'4',t:urlDecodeUni,phase:2"


# Restrict file extension
# removed exe so that frontpage will work

# Restricted HTTP headers 
SecRule REQUEST_HEADERS_NAMES "\.(?:Lock-Token|Translate|If)$" \
    "deny,log,auditlog,msg:'HTTP header is restricted by policy',id:'960038',severity:'4'"

SecRule HTTP_User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|internet explorer|webinspect|\.nasl)" \
        "deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',severity:'2'"
SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
        "deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990901',severity:'2'"
SecRule REQUEST_FILENAME "^/nessustest" \
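        "deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990902',severity:'2'"

# The User-Agent pattern below contains a bracketed e-mail placeholder left by the web page's
# e-mail obfuscation; take this rule from the source file linked above before using it.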
SecRule REQUEST_HEADERS:User-Agent "(?:m(?:ozilla\/(?:4\.0 \(compatible; advanced email extractor|2\.0 \(compatible; newt activex; win32\))|ailto:craftbot\@yahoo\.com)|e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro|o browse)|a(?:t(?:tache|hens)|utoemailspider|dsarobot)|w(?:eb(?:emailextrac| by mail)|3mir)|f(?:astlwspider|loodgate)|p(?:cbrowser|ackrat|surf)|(?:digout4uagen|takeou)t|(?:chinacla|be)[email protected]|rsync|shai|zeus)" \
        "deny,log,auditlog,msg:'Rogue web site crawler',id:'990012',severity:'2'"


# Session fixation


# Deprecated due to security issues so it should be off: http://blog.modsecurity.org/2008/08/transformation.html
SecCacheTransformations Off

#fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "Secured By East4Serv.com"

SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI ".htaccess" "id:1234123475"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "secured" "id:1234123476"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "public_HTML" "id:1234123477"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/etc" "id:1234123478"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/root" "id:1234123479"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/usr" "id:1234123480"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/boot" "id:1234123481"
SecRule REQUEST_LINE|RESPONSE_BODY|REQUEST_BODY|REQUEST_URI "/bin" "id:1234123483"


# Deny opening of web shells
SecRule REQUEST_FILENAME "/(r57shell|donkey|TrYg|m0rtix|r0nin|donkeyell|phpshell|sa3ekashell|crackit|c777|void\.ru|.ini|phpremoteview|directmail|bash_history|\.ru/|brute|c991)\.php" "id:1234123514"
SecRule REQUEST_FILENAME "perl .*\.pl(\s|\t)*\;" "id:1234123516"
SecRule REQUEST_FILENAME "\;(\s|\t)*perl .*\.pl" "id:1234123517"
SecRule RESPONSE_BODY "donkey" "id:1234123518"
SecRule RESPONSE_BODY "shell" "id:1234123519"
SecRule REQUEST_LINE "a=kil" "id:1234123520"
SecRule REQUEST_FILENAME "\.pl" "id:1234123522"
SecRule REQUEST_FILENAME "perl .*\.pl(\s|\t)*\;" "id:1234123523"
SecRule REQUEST_FILENAME "\;(\s|\t)*perl .*\.pl" "id:1234123524"
SecRule REQUEST_LINE "ac=eval" "id:1234123525"
SecRule REQUEST_LINE "ac=upload" "id:1234123526"
SecRule REQUEST_LINE "ac=shell" "id:1234123527"
SecRule REQUEST_LINE "ac=tools" "id:1234123528"
SecRule REQUEST_LINE "copy=1" "id:1234123529"
SecRule REQUEST_LINE "proxy=" "id:1234123530"
SecRule REQUEST_LINE "shell=id" "id:1234123531"
SecRule REQUEST_LINE "user=user&xp=" "id:1234123532"
SecRule REQUEST_LINE "ssh" "id:1234123533"
SecRule RESPONSE_BODY "Sniper" "id:1234123534"
SecRule RESPONSE_BODY "donkey" "id:1234123535"
SecRule RESPONSE_BODY "c99" "id:1234123536"
SecRule REQUEST_LINE "action=bGlzdERCcw== " "id:1234123537"
SecRule REQUEST_LINE "action=utils" "id:1234123538"
SecRule REQUEST_LINE "action=utils&command=show_status" "id:1234123539"
SecRule REQUEST_LINE "unknown" "id:1234123540"
SecRule REQUEST_LINE "ya3beet.ini" "id:1234123541"
# '.' and '?' are escaped so the pattern matches the literal text ".php?action="
SecRule REQUEST_LINE "\.php\?action=view&file=/home/" "id:1234123542"
SecRule REQUEST_LINE "mysql&dir=/home/" "id:1234123543"
SecRule REQUEST_LINE "secured&dir=/home/" "id:1234123544"
SecRule REQUEST_LINE "phpinfo&dir" "id:1234123545"
SecRule REQUEST_LINE "md5&dir=/home/" "id:1234123546"
SecRule REQUEST_LINE "edit&dir=/home" "id:1234123547"
SecRule REQUEST_LINE "public_html&file=/home" "id:1234123548"
SecRule REQUEST_LINE "public_html/secured.php" "id:1234123549"
SecRule REQUEST_LINE "dir=/home" "id:1234123550"
SecRule REQUEST_LINE "delete&file=/home" "id:1234123551"
SecRule REQUEST_LINE "a=vba" "id:1234123552"
SecRule REQUEST_LINE "a=nuke" "id:1234123553"
SecRule REQUEST_LINE "a=wp" "id:1234123554"
SecRule REQUEST_LINE "a=sym" "id:1234123555"
SecRule REQUEST_LINE "a=indv" "id:1234123556"
SecRule REQUEST_LINE "a=incl" "id:1234123557"
SecRule REQUEST_LINE "a=ins" "id:1234123558"
SecRule REQUEST_LINE "a=kil" "id:1234123559"
#SecRule REQUEST_BODY "secured"
SecRule REQUEST_BODY "donkey_datapipe.pl" "id:1234123560"
SecRule REQUEST_BODY "listDBs" "id:1234123561"
SecRule REQUEST_BODY "%2home%2" "id:1234123562"
SecRule REQUEST_BODY "%2home%" "id:1234123563"
SecRule REQUEST_BODY "%home%" "id:1234123564"
SecRule REQUEST_BODY "%home" "id:1234123565"
SecRule REQUEST_BODY "home%" "id:1234123566"
SecRule REQUEST_BODY "%2Fhome%2" "id:1234123567"
SecRule REQUEST_BODY "%2Fhome%" "id:1234123568"
SecRule REQUEST_BODY "%Fhome%" "id:1234123569"
SecRule REQUEST_BODY "%Fhome" "id:1234123570"
SecRule REQUEST_BODY "Fhome%" "id:1234123571"
SecRule REQUEST_BODY "2Fpublic_html&" "id:1234123572"
SecRule REQUEST_BODY "/etc/" "id:1234123573"
SecRule REQUEST_BODY "db_server" "id:1234123574"
SecRule REQUEST_BODY "SHOW unknown " "id:1234123575"

# Basic rules with arbitrary command detection
SecRule REQUEST_URI "\.htgroup" "id:1234123576"
SecRule REQUEST_URI "\.htaccess" "id:1234123577"
SecRule REQUEST_URI "cd\.\." "id:1234123578"
SecRule REQUEST_URI "///cgi-bin" "id:1234123579"
SecRule REQUEST_URI "/cgi-bin///" "id:1234123580"
SecRule REQUEST_URI "/~root" "id:1234123581"
SecRule REQUEST_URI "/~ftp" "id:1234123582"
SecRule REQUEST_URI "/htgrep" "id:1234123583"
SecRule REQUEST_URI "/\.history" "id:1234123584"
SecRule REQUEST_URI "/\.bash_history" "id:1234123585"
SecRule REQUEST_URI "/~nobody" "id:1234123586"
SecRule REQUEST_URI "<script" "id:1234123587"
SecRule REQUEST_URI "psybnc" "id:1234123588"
SecRule REQUEST_URI "cmd=cd\x20/var" "id:1234123589"
SecRule REQUEST_URI "dir=http" "id:1234123590"
SecRule REQUEST_URI "\?STRENGUR" "id:1234123591"
SecRule REQUEST_URI "/etc/motd" "id:1234123592"
SecRule REQUEST_URI "/etc/passwd" "id:1234123593"
SecRule REQUEST_URI "conf/httpd\.conf" "id:1234123594"
SecRule REQUEST_URI "/bin/ps" "id:1234123595"
SecRule REQUEST_URI "bin/tclsh" "id:1234123596"
SecRule REQUEST_URI "tclsh8\x20" "id:1234123597"
SecRule REQUEST_URI "udp\.pl" "id:1234123598"
SecRule REQUEST_URI "linuxdaybot\.txt" "id:1234123599"
SecRule REQUEST_URI "wget\x20" "id:1234123600"
SecRule REQUEST_URI "bin/nasm" "id:1234123601"
SecRule REQUEST_URI "nasm\x20" "id:1234123602"
SecRule REQUEST_URI "/usr/bin/perl" "id:1234123603"
SecRule REQUEST_URI "links -dump " "id:1234123604"
SecRule REQUEST_URI "links -dump-(charset|width) " "id:1234123605"
SecRule REQUEST_URI "links (http|https|ftp)\:/" "id:1234123606"
SecRule REQUEST_URI "links -source " "id:1234123607"
SecRule REQUEST_URI "cd\x20/(tmp|var/tmp|etc/httpd/proxy|dev/shm)" "id:1234123608"
SecRule REQUEST_URI "cd\.\." "id:1234123609"
SecRule REQUEST_URI "///cgi-bin" "id:1234123610"
SecRule REQUEST_URI "/cgi-bin///" "id:1234123611"
SecRule REQUEST_URI "/~named(/| HTTP\/(0\.9|1\.0|1\.1)$)" "id:1234123612"
SecRule REQUEST_URI "/~guest(/| HTTP\/(0\.9|1\.0|1\.1)$)" "id:1234123613"
SecRule REQUEST_URI "/~logs(/| HTTP\/(0\.9|1\.0|1\.1)$)" "id:1234123614"
SecRule REQUEST_URI "/~sshd(/| HTTP\/(0\.9|1\.0|1\.1)$)" "id:1234123615"
SecRule REQUEST_URI "/~ftp(/| HTTP\/(0\.9|1\.0|1\.1)$)" "id:1234123616"
SecRule REQUEST_URI "/~bin(/| HTTP\/(0\.9|1\.0|1\.1)$)" "id:1234123617"
SecRule REQUEST_URI "/~nobody(/| HTTP\/(0\.9|1\.0|1\.1)$)" "id:1234123618"
SecRule REQUEST_URI "/\.history HTTP\/(0\.9|1\.0|1\.1)$" "id:1234123619"
SecRule REQUEST_URI "/\.bash_history HTTP\/(0\.9|1\.0|1\.1)$" "id:1234123620"
SecRule REQUEST_URI "lynx " "id:1234123621"
SecRule REQUEST_URI "Fhome" "id:1234123622"
SecRule REQUEST_URI "cvs" "id:1234123623"
SecRule REQUEST_URI "\.php\?phpinfo" "id:1234123624"
SecRule REQUEST_URI "\.php\?phpini" "id:1234123625"
SecRule REQUEST_URI "\.php\?mem" "id:1234123626"
SecRule REQUEST_URI "\.php\?cpu" "id:1234123627"
SecRule REQUEST_URI "\.php\?users" "id:1234123628"
SecRule REQUEST_URI "\.php\?tmp" "id:1234123629"
SecRule REQUEST_URI "\.php\?delete" "id:1234123630"
SecRule REQUEST_URI "curl " "id:1234123631"
SecRule REQUEST_URI "echo " "id:1234123632"
SecRule REQUEST_URI "links -dump-width " "id:1234123633"
SecRule REQUEST_URI "links http:// " "id:1234123634"
SecRule REQUEST_URI "links ftp:// " "id:1234123635"
SecRule REQUEST_URI "links -source " "id:1234123636"
SecRule REQUEST_URI "cd /tmp " "id:1234123637"
SecRule REQUEST_URI "cd /var/tmp " "id:1234123638"
SecRule REQUEST_URI "cd /etc/httpd/proxy " "id:1234123639"
SecRule REQUEST_URI "&highlight=%2527%252E " "id:1234123640"
SecRule REQUEST_URI "changedir=%2Ftmp%2F.php " "id:1234123641"
SecRule REQUEST_URI "arta\.zip " "id:1234123642"
SecRule REQUEST_URI "cmd=cd\x20/var " "id:1234123643"
SecRule REQUEST_URI "HCL_path=http " "id:1234123644"
SecRule REQUEST_URI "clamav-partial " "id:1234123645"
SecRule REQUEST_URI "vi\.recover " "id:1234123646"
SecRule REQUEST_URI "netenberg " "id:1234123647"
SecRule REQUEST_URI "psybnc " "id:1234123648"
#SecRule REQUEST_URI "Waseem.php"
SecRule REQUEST_URI "fantastico_de_luxe " "id:1234123649"
SecRule REQUEST_URI "2Fpublic_html&" "id:1234123650"
SecRule REQUEST_URI ".htaccess" "id:1234123651"
SecRule REQUEST_URI "donkey_datapipe.pl" "id:1234123652"
SecRule REQUEST_URI "listDBs" "id:1234123653"
SecRule REQUEST_URI "%2home%2" "id:1234123654"
SecRule REQUEST_URI "%2home%" "id:1234123655"
SecRule REQUEST_URI "%home%" "id:1234123656"
SecRule REQUEST_URI "%home" "id:1234123657"
SecRule REQUEST_URI "home%" "id:1234123658"
SecRule REQUEST_URI "%2Fhome%2" "id:1234123659"
SecRule REQUEST_URI "%2Fhome%" "id:1234123660"
SecRule REQUEST_URI "%Fhome%" "id:1234123661"
SecRule REQUEST_URI "%Fhome" "id:1234123662"
SecRule REQUEST_URI "Fhome%" "id:1234123663"
SecRule REQUEST_URI "2Fpublic_html&" "id:1234123664"
SecRule REQUEST_URI "/etc/" "id:1234123665"
SecRule REQUEST_URI "sqlman" "id:1234123666"
SecRule REQUEST_URI "act=security" "id:1234123667"
SecRule REQUEST_URI "act=cmd" "id:1234123668"
SecRule REQUEST_URI "act=secured" "id:1234123669"
SecRule REQUEST_URI "act=ls&d=" "id:1234123670"
SecRule REQUEST_URI "act=f&f=" "id:1234123671"
SecRule REQUEST_URI "act=sql" "id:1234123672"
SecRule REQUEST_URI "Bcc:" "id:1234123673"
SecRule REQUEST_URI "Bcc:\x20" "id:1234123674"
SecRule REQUEST_URI "cc:" "id:1234123675"
SecRule REQUEST_URI "cc:\x20" "id:1234123676"
SecRule REQUEST_URI "bcc:" "id:1234123677"
SecRule REQUEST_URI "bcc:\x20" "id:1234123678"
SecRule REQUEST_URI "bcc: " "id:1234123679"
SecRule REQUEST_URI "cd " "id:1234123680"
## -- phpBB attack --------------------
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)" "id:1234123681"
 
SecRule REQUEST_LINE "wget " "id:1234123682"
SecRule REQUEST_LINE "lynx " "id:1234123683"
SecRule REQUEST_LINE "Fhome" "id:1234123684"
SecRule REQUEST_LINE "ftp " "id:1234123685"
SecRule REQUEST_LINE "cvs" "id:1234123686"
# '?' is escaped so it matches a literal question mark instead of making the preceding 'p' optional
SecRule REQUEST_LINE "php\?phpinfo" "id:1234123687"
SecRule REQUEST_LINE "php\?phpini" "id:1234123688"
SecRule REQUEST_LINE "php\?mem" "id:1234123689"
SecRule REQUEST_LINE "php\?cpu" "id:1234123690"
SecRule REQUEST_LINE "php\?users" "id:1234123691"
SecRule REQUEST_LINE "php\?tmp" "id:1234123692"
SecRule REQUEST_LINE "php\?delete" "id:1234123693"
SecRule REQUEST_LINE "cmd" "id:1234123694"
SecRule REQUEST_LINE "curl " "id:1234123695"
SecRule REQUEST_LINE "act=sql&" "id:1234123696"
SecRule REQUEST_LINE "ssh " "id:1234123697"
SecRule REQUEST_LINE "echo " "id:1234123698"
SecRule REQUEST_LINE "links -dump " "id:1234123699"
SecRule REQUEST_LINE "links -dump-charset " "id:1234123700"
SecRule REQUEST_LINE "links -dump-width " "id:1234123701"
SecRule REQUEST_LINE "links http:// " "id:1234123702"
SecRule REQUEST_LINE "links ftp:// " "id:1234123703"
SecRule REQUEST_LINE "links -source " "id:1234123704"
SecRule REQUEST_LINE "mkdir " "id:1234123705"
SecRule REQUEST_LINE "cd /tmp " "id:1234123706"
SecRule REQUEST_LINE "cd /var/tmp " "id:1234123707"
SecRule REQUEST_LINE "cd /etc/httpd/proxy " "id:1234123708"
SecRule REQUEST_LINE "/secured\.php\?v=1&DIR " "id:1234123709"
SecRule REQUEST_LINE "&highlight=%2527%252E " "id:1234123710"
SecRule REQUEST_LINE "changedir=%2Ftmp%2F.php " "id:1234123711"
SecRule REQUEST_LINE "arta\.zip " "id:1234123712"
SecRule REQUEST_LINE "cmd=cd\x20/var " "id:1234123713"
SecRule REQUEST_LINE "HCL_path=http " "id:1234123714"
SecRule REQUEST_LINE "clamav-partial " "id:1234123715"
SecRule REQUEST_LINE "vi\.recover " "id:1234123716"
SecRule REQUEST_LINE "netenberg " "id:1234123717"
SecRule REQUEST_LINE "psybnc " "id:1234123718"
SecRule REQUEST_LINE "fantastico_de_luxe " "id:1234123719"
SecRule REQUEST_LINE "2Fpublic_html&" "id:1234123720"
SecRule REQUEST_LINE ".htaccess" "id:1234123721"
SecRule REQUEST_LINE "secured" "id:1234123722"
SecRule REQUEST_LINE "donkey_datapipe.pl" "id:1234123723"
SecRule REQUEST_LINE "listDBs" "id:1234123724"
SecRule REQUEST_LINE "%2home%2" "id:1234123725"
SecRule REQUEST_LINE "%2home%" "id:1234123726"
SecRule REQUEST_LINE "%home%" "id:1234123727"
SecRule REQUEST_LINE "%home" "id:1234123728"
SecRule REQUEST_LINE "home%" "id:1234123729"
SecRule REQUEST_LINE "%2Fhome%2" "id:1234123730"
SecRule REQUEST_LINE "%2Fhome%" "id:1234123731"
SecRule REQUEST_LINE "%Fhome%" "id:1234123732"
SecRule REQUEST_LINE "%Fhome" "id:1234123733"
SecRule REQUEST_LINE "Fhome%" "id:1234123734"
SecRule REQUEST_LINE "2Fpublic_html&" "id:1234123735"
SecRule REQUEST_LINE "/etc/" "id:1234123736"
SecRule REQUEST_LINE "bcc:" "id:1234123737"
SecRule REQUEST_LINE "bcc\x3a" "id:1234123738"
SecRule REQUEST_LINE "cc:" "id:1234123739"
SecRule REQUEST_LINE "cc\x3a" "id:1234123740"
SecRule REQUEST_BODY "Bcc:" "id:1234123741"
SecRule REQUEST_BODY "Bcc:\x20" "id:1234123742"
SecRule REQUEST_BODY "cc:" "id:1234123743"
SecRule REQUEST_BODY "cc:\x20" "id:1234123744"
SecRule REQUEST_BODY "bcc:" "id:1234123745"
SecRule REQUEST_BODY "bcc:\x20" "id:1234123746"
SecRule REQUEST_BODY "bcc: " "id:1234123747"
SecRule REQUEST_LINE "Bcc:" "id:1234123748"
SecRule REQUEST_LINE "Bcc:\x20" "id:1234123749"
SecRule REQUEST_LINE "cc:" "id:1234123750"
SecRule REQUEST_LINE "cc:\x20" "id:1234123751"
SecRule REQUEST_LINE "bcc:" "id:1234123752"
SecRule REQUEST_LINE "bcc:\x20" "id:1234123753"
SecRule REQUEST_LINE "bcc: " "id:1234123754"
#SecRule REQUEST_LINE "cd " "id:1234123755"
#SecRule REQUEST_LINE "cat "
#SecRule REQUEST_LINE "ls "
SecRule REQUEST_LINE "id " "id:1234123756"
#SecRule REQUEST_URI "/admincp/user\.php" chain
#WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecRule REQUEST_BODY "wget " "id:1234123757"
SecRule REQUEST_BODY "lynx " "id:1234123758"
SecRule REQUEST_BODY "Fhome" "id:1234123759"
SecRule REQUEST_BODY "ftp " "id:1234123760"
SecRule REQUEST_BODY "cvs " "id:1234123761"
#SecRule REQUEST_BODY "cmd"
SecRule REQUEST_BODY "curl " "id:1234123762"
SecRule REQUEST_BODY "act=sql&" "id:1234123763"
SecRule REQUEST_BODY "ssh " "id:1234123764"
SecRule REQUEST_BODY "echo " "id:1234123765"
SecRule REQUEST_BODY "links -dump " "id:1234123766"
SecRule REQUEST_BODY "links -dump-charset " "id:1234123767"
SecRule REQUEST_BODY "links -dump-width " "id:1234123768"
SecRule REQUEST_BODY "links http:// " "id:1234123769"
SecRule REQUEST_BODY "links ftp:// " "id:1234123770"
SecRule REQUEST_BODY "links -source " "id:1234123771"
SecRule REQUEST_BODY "mkdir " "id:1234123772"
SecRule REQUEST_BODY "cd /tmp " "id:1234123773"
SecRule REQUEST_BODY "cd /var/tmp " "id:1234123774"
SecRule REQUEST_BODY "cd /etc/httpd/proxy " "id:1234123775"
SecRule REQUEST_BODY "/secured\.php\?v=1&DIR " "id:1234123776"
SecRule REQUEST_BODY "&highlight=%2527%252E " "id:1234123777"
SecRule REQUEST_BODY "changedir=%2Ftmp%2F.php " "id:1234123778"
SecRule REQUEST_BODY "arta\.zip " "id:1234123779"
SecRule REQUEST_BODY "cmd=cd\x20/var " "id:1234123780"
SecRule REQUEST_BODY "HCL_path=http " "id:1234123781"
SecRule REQUEST_BODY "clamav-partial " "id:1234123782"
SecRule REQUEST_BODY "vi\.recover " "id:1234123783"
SecRule REQUEST_BODY "netenberg " "id:1234123784"
SecRule REQUEST_BODY "psybnc " "id:1234123785"
SecRule REQUEST_BODY "fantastico_de_luxe " "id:1234123786"
SecRule REQUEST_BODY ".htaccess" "id:1234123787"
#SecRule REQUEST_BODY "secured"
SecRule REQUEST_BODY "donkey_datapipe.pl" "id:1234123788"
SecRule REQUEST_BODY "listDBs" "id:1234123789"
SecRule REQUEST_BODY "%2home%2" "id:1234123790"
SecRule REQUEST_BODY "%2home%" "id:1234123791"
SecRule REQUEST_BODY "%home%" "id:1234123792"
SecRule REQUEST_BODY "%home" "id:1234123793"
SecRule REQUEST_BODY "home%" "id:1234123794"
SecRule REQUEST_BODY "%2Fhome%2" "id:1234123795"
SecRule REQUEST_BODY "%2Fhome%" "id:1234123796"
SecRule REQUEST_BODY "%Fhome%" "id:1234123797"
SecRule REQUEST_BODY "%Fhome" "id:1234123798"
SecRule REQUEST_BODY "Fhome%" "id:1234123799"
SecRule REQUEST_BODY "2Fpublic_html&" "id:1234123800"
SecRule REQUEST_BODY "/etc/" "id:1234123801"
SecRule REQUEST_BODY "db_server" "id:1234123802"
SecRule REQUEST_BODY "SHOW unknown " "id:1234123803"

Do not forget to restart Apache after adding the rules.
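
Because every site needs some fine-tuning, as noted at the top, the short keyword rules in this list are worth testing against normal traffic before they are enforced. The Python script below is an added example, not part of the original ruleset or of the linked source file: it parses single-line SecRule directives copied from the list above, reports patterns that appear twice under different ids, and shows which rules fire on benign request lines. It assumes Python's re module as a stand-in for the default @rx operator and that the rules inherit no transformations; the request lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Rules copied from the list above (same target, pattern and id).
RULES = r'''
SecRule REQUEST_LINE "a=kil" "id:1234123520"
SecRule REQUEST_LINE "a=kil" "id:1234123559"
SecRule REQUEST_LINE "ssh" "id:1234123533"
SecRule REQUEST_LINE "unknown" "id:1234123540"
SecRule REQUEST_LINE "cmd" "id:1234123694"
SecRule REQUEST_LINE "cvs" "id:1234123686"
SecRule REQUEST_LINE "secured" "id:1234123722"
SecRule REQUEST_LINE "id " "id:1234123756"
SecRule REQUEST_LINE "/etc/" "id:1234123736"
'''

# Constructed benign request lines, in the raw "METHOD URI PROTOCOL" form
# that REQUEST_LINE holds (assumption: no transformations are inherited).
BENIGN = [
    "GET /index.html HTTP/1.1",
    "GET /docs/cvs-to-git.html HTTP/1.1",
    "GET /products/grid HTTP/1.1",
    "GET /search?q=unknown+caller HTTP/1.1",
    "GET /help/ssh-keys?cmd=view HTTP/1.1",
    "GET /secured/login.php HTTP/1.1",
]

# Single-line form only: SecRule TARGET "pattern" "actions"
RULE_RE = re.compile(r'^SecRule\s+(\S+)\s+"((?:[^"\\]|\\.)*)"\s+"((?:[^"\\]|\\.)*)"$')
ID_RE = re.compile(r"\bid:'?(\d+)'?")


def parse_rules(text):
    """Return one dict per rule; comments, blanks and multi-line rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        target, pattern, actions = m.groups()
        rid = ID_RE.search(actions)
        rules.append({"target": target, "pattern": pattern,
                      "id": rid.group(1) if rid else None})
    return rules


def duplicate_patterns(rules):
    """Map (target, pattern) to its ids when the same check is declared more than once."""
    seen = defaultdict(list)
    for r in rules:
        seen[(r["target"], r["pattern"])].append(r["id"])
    return {key: ids for key, ids in seen.items() if len(ids) > 1}


def false_positives(rules, request_lines):
    """Map each request line to the ids of the REQUEST_LINE rules that match it."""
    return {line: [r["id"] for r in rules
                   if r["target"] == "REQUEST_LINE" and re.search(r["pattern"], line)]
            for line in request_lines}


if __name__ == "__main__":
    parsed = parse_rules(RULES)
    for (target, pattern), ids in duplicate_patterns(parsed).items():
        print(f"duplicate: {target} {pattern!r} ids={ids}")
    for line, ids in false_positives(parsed, BENIGN).items():
        print(f"{'BLOCKED' if ids else 'ok':8} {line}  {ids}")
```

Rules that fire on your own benign traffic can be narrowed or removed while the engine runs with SecRuleEngine DetectionOnly, before it is switched to On.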

We welcome any inquiries and new ideas.

Regards, 🙂

 

 
