D7net
Home
Console
Upload
information
Create File
Create Folder
About
Tools
:
/
opt
/
bitninja-waf
/
etc
/
crs
/
rules
/
Filename :
RESPONSE-954-DATA-LEAKAGES-IIS.conf
back
Copy
# ------------------------------------------------------------------------ # OWASP ModSecurity Core Rule Set ver.3.0.2 # Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ # # -= Paranoia Level 0 (empty) =- (apply unconditionally) # SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:3,id:954011,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:4,id:954012,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" # # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher) # # IIS default location SecRule RESPONSE_BODY "[a-z]:\\\\inetpub\b" \ "phase:4,\ rev:'3',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'9',\ t:none,\ capture,\ t:lowercase,\ ctl:auditLogParts=+E,\ block,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-iis',\ tag:'platform-windows',\ tag:'attack-disclosure',\ msg:'Disclosure of IIS install location',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ id:954100,\ severity:'ERROR',\ chain" SecRule &GLOBAL:alerted_970018_iisDefLoc "@eq 0" \ "setvar:global.alerted_970018_iisDefLoc,\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.error_anomaly_score}" SecRule RESPONSE_BODY "(?:Microsoft OLE DB Provider for SQL Server(?:<\/font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)<br>Timeout expired<br>)|<h1>internal server error<\/h1>.*?<h2>part of the server has crashed or it has a configuration error\.<\/h2>|cannot connect to the server: timed out)" \ "phase:4,\ rev:'3',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'9',\ t:none,\ capture,\ ctl:auditLogParts=+E,\ block,\ msg:'Application Availability Error',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ id:954110,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-iis',\ tag:'platform-windows',\ tag:'attack-disclosure',\ tag:'WASCTC/WASC-13',\ tag:'OWASP_TOP_10/A6',\ tag:'PCI/6.5.6',\ severity:'ERROR',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\ setvar:tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{matched_var_name}=%{tx.0}" # # IIS Errors leakage # SecRule RESPONSE_BODY "(?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application uses a value of the wrong type for the current operation\b|error')| trappable error occurred in an external object\. The script cannot continue running\b)|Microsoft VBScript (?:compilation (?:\(0x8|error)|runtime (?:Error|\(0x8))\b|Object required: '|error '800)|<b>Version Information:<\/b>(?: |\s)(?:Microsoft \.NET Framework|ASP\.NET) Version:|>error 'ASP\b|An Error Has Occurred|>Syntax error in string in query expression|\/[Ee]rror[Mm]essage\.aspx?\?[Ee]rror\b)" \ "phase:4,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'9',\ t:none,\ capture,\ ctl:auditLogParts=+E,\ block,\ msg:'IIS Information Leakage',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ id:954120,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-iis',\ tag:'platform-windows',\ tag:'attack-disclosure',\ tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',\ tag:'WASCTC/WASC-13',\ tag:'OWASP_TOP_10/A6',\ tag:'PCI/6.5.6',\ severity:'ERROR',\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}" SecRule RESPONSE_STATUS "!^404$" \ "phase:4,\ rev:'2',\ ver:'OWASP_CRS/3.0.0',\ maturity:'9',\ accuracy:'9',\ t:none,\ capture,\ ctl:auditLogParts=+E,\ block,\ msg:'IIS Information Leakage',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ id:954130,\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-iis',\ tag:'platform-windows',\ tag:'attack-disclosure',\ tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',\ tag:'WASCTC/WASC-13',\ tag:'OWASP_TOP_10/A6',\ tag:'PCI/6.5.6',\ severity:'ERROR',\ chain" SecRule RESPONSE_BODY "\bServer Error in.{0,50}?\bApplication\b" \ "t:none,\ capture,\ setvar:'tx.msg=%{rule.msg}',\ setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\ setvar:tx.anomaly_score=+%{tx.error_anomaly_score},\ setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}" SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:3,id:954013,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:4,id:954014,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" # # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher) # SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:3,id:954015,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:4,id:954016,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" # # -= Paranoia Level 3 =- (apply only when tx.paranoia_level is sufficiently high: 3 or higher) # SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:3,id:954017,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" SecRule TX:PARANOIA_LEVEL "@lt 4" "phase:4,id:954018,nolog,pass,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS" # # -= Paranoia Level 4 =- (apply only when tx.paranoia_level is sufficiently high: 4 or higher) # # # -= Paranoia Levels Finished =- # SecMarker "END-RESPONSE-954-DATA-LEAKAGES-IIS"