#############################
# < 웹호스팅 업체용 >
# 
# 이 Rule은 다수의 웹사이트가 운영되는 웹호스팅 서버에서 활용가능한 최소공격차단 Rule입니다. 
# 이 Rule을 참고하여 각 웹사이트에 적합한 Rule로 커스트마이징하시기 바랍니다.
# Rule 커스트마이징 후에는 공격탐지시 차단하도록 SecFilterSignatureAction 에서  
# pass를 deny로 수정하시기 바랍니다.
#
# Update : '09. 03. 11
# - 2.x 버전용 샘플룰 오류 수정
# - Mass SQL Injection 시그니쳐 추가
# - WebShell 시그니쳐 추가
# - 공개 게시판 솔루션 신규 취약점 추가
# - Tomcat, Oracle, MySQL, MSSQL 시그니쳐 추가
#
#############################


#############################
# 1. ModSecurity 동작 유/무
# SecFilterEngine On | Off
# On : ModSecurity 기능 활성화
# Off : ModSecurity 기능 비활성화

SecFilterEngine On 


#############################
# 2. 기본 설정
# 기본적으로 룰이 매치 될 경우 행위(Action) 지정
#
# 실질적인 공격패턴에 대한 SignatureAction 지정
# SecFilterSignatureAction "행위"
# 행위 : deny, pass, allow, status:apache error code, redirect:/error.html
#
# 룰 커스트마이징 완료 후 공격탐지시 차단되도록 Action의 pass를 deny로 수정 필요
 SecFilterSignatureAction "deny,log,status:406"
#SecFilterSignatureAction "pass,log"

# 아파치의 기본 로그보다 자세한 공격관련 로그를 기록
SecAuditEngine RelevantOnly 
SecAuditLog logs/modsec_audit.log

# 로그의 양을 줄이기 위해 필요한 4xx 또는 5xx 관련 에러만 남긴다. 404 Not Found는 남기지 않는다.
# Apache 1.x 버전에서는 아래 옵션 사용
SecAuditLogRelevantStatus "^([45]\d[^4])"

# Apache 2.x 버전에서는 아래 옵션 사용
#SecAuditLogRelevantStatus "^(?:5|4\d[^4])"

# 웹서버의 헤더 정보 변경
SecServerSignature "Microsoft-IIS/5.0"

# POST 메소드의 Payload를 점검
# 호스팅업체와 같은 다수사이트에 적용시 충분한 검토 후에 On 설정
SecFilterScanPost Off

# 인코딩된 문자를 일반 텍스트 문자로 변환
# 가령, 16진수로 인코딩된 %AB 형태를 일반 텍스트로 변환함
SecFilterCheckURLEncoding On

# SecFilterCheckUnicodeEncoding UTF-8 전용 서버일 경우 On
SecFilterCheckUnicodeEncoding Off 

# 다음의 메소드 이외에는 허용하지 않음.
SecFilterSelective REQUEST_METHOD "!(GET|POST|HEAD|OPTIONS)" "deny, log"

# Stack Overflow 공격에 대한 Byte 제한
SecFilterForceByteRange 1 255


#############################
# 3. PHP 인젝션 취약 공격 방지(공개 게시판 솔루션 대상 공격 포함)
SecFilterSelective REQUEST_URI "\.php\?" chain
SecFilterSelective REQUEST_URI "(dir|page)" chain
SecFilterSelective REQUEST_URI "=(http|https|ftp)\:/" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "/include/write\.php\?dir=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "/include/print_category\.php\?setup=1&dir=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "/zero_vote/error\.php\?dir=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "/outlogin\.php\?_zb_path=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "filename=\|" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "check_user_id\.php\?user_id=<script>alert(document\.cookie)" "msg:'PHP Injection & XSS Attacks'"
SecFilterSelective REQUEST_URI "/zero_vote/login\.php\?dir=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "/zero_vote/setup\.php\?dir=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "/zero_vote/ask_password\.php\?dir=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "view.php?theme=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "view.php?theme=theme=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "/latest/sirini_gallery_latest/list.php?path=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "/include.php?grboard=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "include/footer\.php\?_path" chain
SecFilterSelective REQUEST_URI "=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "_footer\.php\?skin_path=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "body_default\.php?GOODS[[:alnum:]]=deadbeef\&GOODS" chain
SecFilterSelective REQUEST_URI "psybnc"
SecFilterSelective REQUEST_URI "=deadbeef\&shop_this_skin_path=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective ARGS|REQUEST_URI "poll_result.php?po_id=" chain
SecFilterSelective ARGS|REQUEST_URI "skin_dir=(ftp:|http:|\.\.)" "msg:'PHP Injection Attacks'"


#############################
# 4. 명령어 실행 방지
SecFilterSelective ARGS_VALUES ";[[:space:]]*(ls|pwd|wget|cd)" "msg:'Command execution attack'"
SecFilterSelective REQUEST_URI "(perl|lynx|mkdir|cmd|lwp-(download|request|mirror|rget))" "msg:'Command execution attack'"
SecFilterSelective REQUEST_URI "(uname|net(stat|cat)|curl|telnet|gcc|rm\-[a-z|A-Z])" "msg:'Command execution attack'"


#############################
# 5. XSS 공격 방지
SecFilterSelective ARGS "alert[[:space:]]*\(" "msg:'XSS attack'"
SecFilterSelective ARGS "&#[[0-9a-fA-F]]{2}" "msg:'XSS attack'"
SecFilterSelective ARGS "eval[[:space:]]*\(" "msg:'XSS attack'"
SecFilterSelective ARGS "onKeyUp" "msg:'XSS attack'"
SecFilterSelective ARGS "\x5cx[0-9a-fA-F]{2}" "msg:'XSS attack'"
SecFilterSelective ARGS "fromCharCode" "msg:'XSS attack'"
SecFilterSelective ARGS "&\{.+\}" "msg:'XSS attack'"
SecFilterSelective ARGS "<script" "msg:'XSS attack'"
SecFilterSelective ARGS "vbscript:" "msg:'XSS attack'"
SecFilterSelective ARGS "expression[[:space:]]*\(" "msg:'XSS attack'"
SecFilterSelective ARGS "url[[:space:]]*\(" "msg:'XSS attack'"
SecFilterSelective ARGS "innerHTML" "msg:'XSS attack'"
SecFilterSelective ARGS "document\.body" "msg:'XSS attack'"
SecFilterSelective ARGS "document\.cookie" "msg:'XSS attack'"
SecFilterSelective ARGS "document\.location" "msg:'XSS attack'"
SecFilterSelective ARGS "document\.write" "msg:'XSS attack'"
SecFilterSelective ARGS "style[[:space:]]*=" "msg:'XSS attack'"
SecFilterSelective ARGS "dynsrc"  "msg:'XSS attack'"
SecFilterSelective ARGS_VALUES "jsessionid" "msg:'XSS attack'"
SecFilterSelective ARGS_VALUES "phpsessid" "msg:'XSS attack'"


#############################
# 6. SSI 인젝션 관련 공격 차단
SecFilterSelective ARGS "<!--[[:space:]]*#[[:space:]]*(exec|cmd|echo|include|printenv)" "msg:'SSI injection attack'"


#############################
# 7. 악성 프로그램 봇, User-Agent
SecFilterSelective HTTP_USER_AGENT "[Ww]eb[Bb]andit" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WEBMOLE" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Telesoft*" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "CherryPicker*" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "NICErsPRO" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Advanced Email Extractor*" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "EmailSiphon" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Extractorpro" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "EmailCollector" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebEMailExtrac*" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "EmailWolf" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Microsoft URL Control" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "^Microsoft URL" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "SmartDownload" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Offline Explorer" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Ninja" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "NetZIP" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "HTTrack" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Googlebot-Image" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Download" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Downloader" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "BackDoorBot" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "ah-ha" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Alexibot" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Atomz" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Microsoft-WebDAV-MiniRedir" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Microsoft-WebDAV-MiniRedir/5\.1\.2600" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Googlebot/2\.1" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "PlantyNet_WebRobot_V1\.9" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "LWP::" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "lwp-trivial" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Mozilla/2\.0" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebZIP" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Teleport" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "GetRight" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "FlashGet" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "JetCar" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Go!Zilla" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "NamoWebEditor" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Namo" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "MSFrontPage" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebTrack-HTTPP" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebSymmetrix" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "AD2000" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebSpy" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebStripper" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebSnatcher" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebGet" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "HSlide" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebCopier" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Website eXtractor" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Internet Ninja" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "fortuna" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "SuperHTTP" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WISEbot/1\.0" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "NaverBot-1\.0" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Talkro Web-Shot/1\.0" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Talkro" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Web-Shot/1\.0" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Arachmo" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WinHTTrack Website Copier" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "BlackWidow" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "SuperBot" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "MM3-WebAssistant" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Offline Explorer Pro" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "GetBot" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "SBWcc Website Capture" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Leech" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "HTTP Weazel" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebGainer" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Offline Explorer Enterprise" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "PageSucker" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "QuadSucker/Web" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "BackStreet Browser" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Offline Navigator" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Aaron's WebVacuum" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "JOC Web Spider" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Grab-a-Site" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "PicScour" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "RafaBot" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Cli-Mate" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "eNotebook" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebSlinky" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Pictures Grabber" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Web Dumper" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebCatcher" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "SurfOffline" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "NetGrabber" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Power Siphon" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Rip Clip" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebWhacker" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Offline CHM" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "webpictureboss" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Visual Web Task" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Web Shutter" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "NavRoad" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "7 Download Services" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebCloner Standard" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "EZ Save MHT" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Yahoo! Slurp" "msg:'Robot attack'"

###########################################
# 8. 검색엔진 Recon/Google 이용한 해킹 방지
SecFilterSelective HTTP_Referer  "Powered by Gravity Board" "msg:'Recon/Google attack'" 
SecFilterSelective HTTP_Referer  "Powered by SilverNews"  "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "Powered.*PHPBB.*2\.0\.\ inurl\:"  "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "PHPFreeNews inurl\:Admin\.php"  "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "inurl.*/cgi-bin/query"  "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "inurl.*tiki-edit_submission\.php"  "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "inurl.*wps_shop\.cgi"  "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "inurl.*edit_blog\.php.*filetype\:php"  "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "inurl.*passwd.txt.*wwwboard.*webadmin"  "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "inurl.*admin\.mdb"  "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "filetype:sql \x28\x22passwd values.*password values.*pass values"  "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "filetype.*blt.*buddylist" "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "File Upload Manager v1\.3.*rename to" "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "filetype\x3Aphp HAXPLORER .*Server Files Browser" "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "inurl.*passlist\.txt" "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "wwwboard WebAdmininurl\x3Apasswd\.txt wwwboard\x7Cwebadmin" "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "Enter ip.*inurl\x3A\x22php-ping\.php\x22" "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "intitle\.*PHP Shell.*Enable stderr.*filetype\.php" "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "inurl\.*install.*install\.php" "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "Powered by PHPFM.*filetype\.php -username" "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "inurl\.*phpSysInfo.*created by phpsysinfo" "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "SquirrelMail version 1\.4\.4.*inurl:src ext\.php" "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "inurl\.*webutil\.pl" "msg:'Recon/Google attack'"

#############################
# 9. PHPMyAdmin 관련 공격 취약점 적용
# "subform" 로컬 파일 포함 취약점
SecFilterSelective REQUEST_URI "/libraries/grab_globals\.lib\.php" chain
SecFilterSelective ARG_subform "(/|\.\.|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/libraries/grab_globals\.lib\.php" chain
SecFilterSelective REQUEST_URI "usesubform.*=.*&usesubform.*=.*&subform.*(/|\.\.|(http|https|ftp)\:/)"

# 경로 취약점
SecFilterSelective REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"
SecFilterSelective REQUEST_URI "/phpMyAdmin/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=(/|.*\.\./)"

# 문자열변환 파라미터 크로스사이트 스크립팅 취약점
SecFilterSelective REQUEST_URI "/phpmyadmin/index\.php\?pma_username=*&pma_password=*&server=.*&lang=.*&convcharset=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

# Export.PHP 파일 공개 취약점
SecFilterSelective SCRIPT_FILENAME "export\.php$" chain
SecFilterSelective ARG_what "\.\." 

# XSS 취약점
SecFilterSelective ARG_HTTP_HOST "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)"
SecFilterSelective REQUEST_URI "libraries/auth/cookie\.auth\.lib\.php" chain
SecFilter "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "/error\.php" chain
SecFilterSelective ARG_error "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"

# register_globals Emulation "import_blacklist" 조작 취약점
SecFilterSelective REQUEST_URI "/grab_globals\.php" chain
SecFilterSelective ARG_import_blacklist "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|(http|https|ftp)\:/)"


#############################
# 10. 기타 공격 방지
# 허용하는 HTTP 리퀘스트 타입 (HTTP 0.9, 1.0 혹은 1.1) 이외 차단
# SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "msg:'Not allowed HTTP Protocol'"

# /etc/passwd 파일 접근 차단
SecFilterSelective THE_REQUEST "/etc/passwd"

# 웹을 이용한 SMTP redirect 금지
SecFilterSelective THE_REQUEST ^(http|https)\:/.+:25 

# Directory Traversal 공격 차단
SecFilterSelective REQUEST_URI "\.\./"


#############################
# 11. SQL Injection 공격 차단
# PHPMyAdmin을 사용할 경우 예외처리
SecFilterSelective HTTP_HOST "(127.0.0.1|localhost)" chain
SecFilterSelective REQUEST_URI "(/phpmyadmin|/myadmin)" skipnext:40

## Generic 
SecFilterSelective ARGS "(create|drop|delete)" chain
SecFilterSelective ARGS "(database|table|column|procedure|from|where)" "msg:'SQL injection attack'"
SecFilterSelective ARGS "(select|alter|update|insert|declare)" chain
SecFilterSelective ARGS "(database|table|procedure|from|where|into)" "msg:'SQL injection attack'"
SecFilterSelective ARGS "update.+set.+=" "msg:'SQL injection attack'"
SecFilterSelective ARGS "insert[[:space:]]+into.+values" "msg:'SQL injection attack'"
SecFilterSelective ARGS "bulk[[:space:]]+insert" "msg:'SQL injection attack'"
SecFilterSelective ARGS "union.+select" "msg:'SQL injection attack'"
SecFilterSelective ARGS "into[[:space:]]+outfile" "msg:'SQL injection attack'"
SecFilterSelective ARGS "load[[:space:]]+data" "msg:'SQL injection attack'"
SecFilterSelective ARGS "((order[[:space:]]|group[[:space:]])by|having)" "msg:'SQL injection attack'"
SecFilterSelective ARGS "('|;|%)" chain
SecFilterSelective ARGS "(like|and|or)" chain
SecFilterSelective ARGS "(--|#|/*)" "msg:'SQL injection attack'"
SecFilterSelective ARGS "/\*.+\*/"  "msg:'SQL injection attack'"
SecFilterSelective ARGS "or.+1[[:space:]]*=[[:space:]]1" "msg:'SQL injection attack'"

## MS-SQL
#SecFilterSelective ARGS "exec.+[xs]p_" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "exec[[:space:]]*\(" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "master(\.\.|\.dbo\.)" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "@@[[:alnum:]]+" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "open(query|rowset)" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "(msdasql|sqloledb)" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "(sys(objects|columns|logins|xlogins)|xtype)" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "sp_(oa(create|method|setproperty)|add(extendedproc|srvrolemember)|login|password|droplogin|configure)" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "xp_(cmdshell|servicecontrol|reg(read|write|enumvalues|delete(value|key)|msver|logininfo))" "msg:'SQL injection attack'"

## Mass SQL Injection with Cookie
SecFilterSelective ARGS|REQUEST_URI|HTTP_Cookie "declare.+nvarchar\([[:alnum:]]" "msg:'SQL injection attack'"
SecFilterSelective ARGS|REQUEST_URI|HTTP_Cookie "set.+cast\(" "msg:'SQL injection attack'"
SecFilterSelective ARGS|REQUEST_URI|HTTP_Cookie "exec\(\@" "msg:'SQL injection attack'"

## MySQL
SecFilterSelective ARGS "mysqladmin.+(create|drop|delete)" "msg:'SQL injection attack'"
SecFilterSelective ARGS "drop.+index" "msg:'SQL injection attack'"
SecFilterSelective ARGS "alter[[:space:]]table" chain
SecFilterSelective ARGS "(change|modify|column)(bigint|integer|not[[:space:]]null|varchar)" "msg:'SQL injection attack'"
SecFilterSelective ARGS "if[[:space:]]not[[:space:]]exist" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "mysql\.(user|host|db)" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "(union|select).+load_file" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "load_file.+char\(" "msg:'SQL injection attack'"

## Oracle
#SecFilterSelective ARGS "(create|grant)" chain
#SecFilterSelective ARGS "identified[[:space:]]by" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "(tablespace|grant.+(connect|resource)[[:space:]]to)" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "SYS\.(USER_(OBJECTS|TABLES|VIEWS|TAB_COLUMNS|CATALOG)|TAB|ALL_TABLES)" "msg:'SQL injection attack'"

#############################
# 12. WebShell 공격 방지
# 오탐 발생시 관련 로그를 통해 해당 룰을 수정
SecFilterSelective ARGS "\?symlinktarget=" "msg:'WebShell attack'"
SecFilterSelective ARGS "\?(cpy|show)=\/" "msg:'WebShell attack'"
SecFilterSelective ARGS "\?(phpinfo|phpini|cpu|delete|tmp|img=1)" "msg:'WebShell attack'"
SecFilterSelective ARGS "\?runcmd=(canirun|showinfo|etcpasswdfile|netstat|upload|editfile|listdir)" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?act=(tools|upload|eval|shell|security|processes|search|encoder|decoder|bypass|sql|bindport|cmd|edit|ftpquickbrute)" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?act=gofile\&d=" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?action=(editfile|dir)\&dir" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?action=(shell|phpinfo|phpenv|sql|env|cmd\&method=|cmdbrowse|read|explorer|mysqlread)" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?action=[0-9]\&dir_atual=" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?action=.*\&act=(img\&img=home|chmod|f\&f=selfremove|processes|security)" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?action=(newtime|proxy|rename)" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?&action=(backtool|cmd)\&chdir=" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?c=img\&name=(fon\&r=|home|back|up)" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?c=(t&d=|tree\&d=|d\&d=|l\&d=)" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?cmd=(id|pwd|ls|copy&file=|delfile\&file=|downl\&file=|newfile|con.+)" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?dir=\.\&delfile=" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?delfolder=/" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?frame=[0-9]\&set_resolveIDs=" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?frame=treeview\&(id=|plus=)" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?id=fm\&(dir=/|fdownload=|fchmod=|fedit=/)" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?id=(cmd|cshell)" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\&s=r\&cmd=(dir|copy|con|ren|file|upload)" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\&secret&(file_browser|dir|crypt|env|exec_st|edit)" "msg:'WebShell attack'"
SecFilterSelective ARGS|REQUEST_URI "\?p=(delete\&file|chmod\&dir|chmod\&file)=" "msg:'WebShell attack'"
SecFilterSelective ARGS|REQUEST_URI "\?p=(selfremover|sql)" "msg:'WebShell attack'"

######################################
# 13. Tomcat 취약점 이용한 공격 방지
#SecFilterSelective ARGS|REQUEST_URI "%c0%ae" "msg:'Tomcat Directory Traversal attack'"
#SecFilterSelective ARGS|REQUEST_URI "\\.\./" "msg:'Tomcat Directory Traversal attack'"
#SecFilterSelective ARGS "getRuntime.+exec" "msg:'Command Execution attack'"
#SecFilterSelective REQUEST_URI "/;.a+\.(jsp|do)" "msg:'Tomcat Directory Traversal attack'"