File: //etc/modsecurity/mod_sec3_CRS/99_dreamhost_rules.conf
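# DreamHost-local ModSecurity rules, loaded alongside the CRS.
# SecRuleRemoveById directives below only take effect if this file is parsed after the
# rules they name; the 99_ prefix suggests that ordering, but it is the include order that matters.
# Reminder on phases: in phase:1 only request-line and headers are available, so ARGS in a phase:1
# rule covers query-string arguments only; body arguments (POST form, JSON) appear from phase:2.
# Rules without t:none inherit the transformations of SecDefaultAction on top of the ones listed.
# removed the following for modsec3 nginx compat (noble 5/20/2022)
# 1990001 1990003 1990011 1990024 1990025 1990026 1990028 1990029 1990032 1990033 1990035 1990038 1990040 1990050 1990052 1990054 1990056 1990059 1990062 1990063 1990069 1990073 1990075 1990078 1990084 1990082
#Whitelist IP list
# Matching addresses bypass every later rule (allow + ruleEngine=off), so keep dh_whitelist_ip.data tightly scoped.
SecRule REMOTE_ADDR "@ipMatchFromFile dh_whitelist_ip.data" "id:1000,phase:1,nolog,allow,ctl:ruleEngine=off"
# ignored modsecurity_crs_42_comment_spam.conf rules and rules pertaining to php function names
SecRuleRemoveById 981137 981138 981139 981140 999010 999011 950923 950020 933150 933210 933120
# Six or more "../" in the URI or request headers (Referer excluded).
SecRule REQUEST_URI|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\.\./\.\./\.\./\.\./\.\./\.\." \
"phase:1,capture,t:htmlEntityDecode,t:lowercase,deny,log,auditlog,msg:'Deep directory recursion',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'CRITICAL',id:1980000"
# NOTE(review): phase:1, so the ARGS/ARGS_NAMES part only sees query-string arguments here.
SecRule REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\./proc/self/environ" \
"phase:1,capture,t:htmlEntityDecode,t:lowercase,deny,log,auditlog,msg:'/proc/self/environ access',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'CRITICAL',id:1980001"
# NOTE(review): same phase:1 caveat as 1980001 for ARGS/ARGS_NAMES.
SecRule REQUEST_URI|ARGS|ARGS_NAMES "\.\./etc/(?:passwd|shadow)" \
"phase:1,capture,t:htmlEntityDecode,t:lowercase,deny,log,auditlog,msg:'passwd/shadow access',tag:'WEB_ATTACK/COMMAND_INJECTION',logdata:'%{TX.0}',severity:'CRITICAL',id:'1980002'"
# WP sql injection attack plaguing us 2008-11-26
# No explicit phase: the chain runs in the phase set by SecDefaultAction.
SecRule REQUEST_URI "/index.php" "chain,log,deny,id:1989998,msg:'WP SQLi attack'"
SecRule ARGS:cat ".?[0-9]+.UNION.SELECT"
## WP hack 04/17/09
# NOTE(review): msg: is given twice in this action list; which one is kept depends on the parser, so
# one of them should be dropped (the second also misspells "vulnerability"). There is no disruptive
# action here, so the rule inherits the one from SecDefaultAction (log-only if that is pass).
SecRule REQUEST_HEADERS:Cookie "_wp_debugger=" \
"phase:1,log,auditlog,msg:'WP Issue id 1234512345', severity:'CRITICAL',id:'1234512345',tag:'POLICY/WPHACK',msg:'Legacy WordPress cookie vulnerabilitity'"
# rl blocking
# Response-body signature (phase:4) of a known shell; requires SecResponseBodyAccess On to do anything.
SecRule RESPONSE_BODY ">by eqbal, updated by szalinski<" "phase:4,nolog,auditlog,deny,id:1989999,msg:'Known shell content'"
# NOTE(review): in 1990000 and 1990002 the disruptive action (block) sits on the second rule of the
# chain. ModSecurity 2.x expects disruptive actions on the chain starter; confirm these load and
# block on the engine actually in use rather than silently degrading to log-only.
SecRule REQUEST_URI "/audl.php" "chain,id:1990000,phase:1,msg:'Known backdoor'"
SecRule ARGS:GO "GO" "setenv:pirated,block,nolog,auditlog"
SecRule REQUEST_URI "/auul.php" "chain,id:1990002,phase:1,msg:'Known backdoor'"
SecRule ARGS:action "upload" "setenv:pirated,block,nolog,auditlog"
# ZenCart 1.3.8 remote code execution attack -- http://www.milw0rm.com/exploits/9004
# Five-rule chain: URI, multipart body, file field name, action=insert, record_company_name containing "0".
SecRule REQUEST_URI "/admin/record_company.php/password_forgotten.php" "chain,id:1990004,deny,msg:'ZenCart 1.3.8 RCE'"
SecRule REQBODY_PROCESSOR "MULTIPART" "chain"
SecRule FILES_NAMES "record_company_image" "chain"
SecRule ARGS:action "insert" "chain"
SecRule ARGS:record_company_name "0"
# This rule prevents the requests made to anything located in a ".sys" folder that's all -- Robert R
# One specific attacker is uploading a backdoor and malware into a folder named .sys -- then distribute it via spam
# Appears that these attacks may be related to the customer's computer being compromised itself
# NOTE(review): the comment says "prevents" but the action is allow, which stops further rule
# evaluation for the request. Confirm this is intentional (e.g. tx.ruleid consumed downstream)
# and not a typo for deny; as written, a matching URI skips the rest of the ruleset.
SecRule REQUEST_URI "/\.sys/" "phase:1,setvar:tx.ruleid=1990007,id:1990007,allow,msg:'Known compromise indicator'"
# SecRule ID 1990008 removed due to frequent false positives
# PHP coded User Agent -- Robert R.
SecRule REQUEST_HEADERS:User-Agent "eval\(base64_decode\(" "phase:1,deny,setvar:tx.ruleid=1990012,id:1990012,msg:'Obfuscated PHP eval() in User-Agent'"
# directory traversal -- Robert R.
# The character class [\.|/] also admits a literal "|"; harmless but probably not intended.
SecRule ARGS "^[\.|/]+(proc/|dev/shm/)" "deny,t:normalisePath,setvar:tx.ruleid=1990013,id:1990013,msg:'Directory traversal'"
# NULL byte at end of URI -- Robert R.
# Matches the literal text "%00" at the end of REQUEST_URI; without t:none any SecDefaultAction
# transformation (e.g. a URL decode) runs first and could turn it into a real NUL before the match.
SecRule REQUEST_URI "%00+$" "phase:1,deny,setvar:tx.ruleid=1990014,id:1990014,msg:'NULL byte at end of URI'"
# c99 and other shell backdoor, common password -- Robert R.
SecRule ARGS_POST:pass "mikjhljiu" "setvar:tx.ruleid=1990017,id:1990017,deny,msg:'Known backdoor/shell credentials'"
SecRule REQUEST_COOKIES:dgpass "mikjhljiu" "phase:1,setvar:tx.ruleid=1990018,id:1990018,deny,msg:'Known backdoor/shell credentials'"
SecRule REQUEST_HEADERS "mikjhljiu" "phase:1,setvar:tx.ruleid=1990019,id:1990019,deny,msg:'Known backdoor/shell credentials'"
# Excessive arguments/cookies/etc... causes hash variable collision DoS -- Robert R.
# http://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html
# Detection only: pass,log records the event but does not block.
SecRule &REQUEST_COOKIES_NAMES "@gt 5000" "pass,log,setvar:tx.ruleid=1990030,id:1990030"
SecRule &ARGS "@gt 5000" "pass,log,setvar:tx.ruleid=1990031,id:1990031"
# Mr sality backdoor pass
# NOTE(review): both rules use allow, so a request carrying this token in ARGS:ses or any header
# is passed through with no further rule evaluation. If the goal is to act on it downstream via
# tx.ruleid that is fine; otherwise this is a bypass of the rest of the ruleset and should be deny.
SecRule ARGS:ses "mr.sality" "setvar:tx.ruleid=1990036,id:1990036,allow,msg:'Mr. Sality backdoor'"
SecRule REQUEST_HEADERS "mr.sality" "phase:1,allow,setvar:tx.ruleid=1990037,id:1990037,msg:'Mr. Sality backdoor'"
#China based Spider/Botnet that hammers CGI
# Dots are used as wildcards here on purpose (stand in for "/", "(", ";", ")").
SecRule REQUEST_HEADERS:User-Agent "^Mozilla.4.0 .compatible. MSIE 6.0. Windows NT 5.1. SV1.$" "phase:1,setvar:tx.ruleid=1990051,id:1990051,nolog,auditlog,deny,msg:'Known faked User-Agent, closely associated with Chinese botnets'"
#Joomla Com_JCE Exploit Block
SecRule REQUEST_LINE "@contains option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form" "phase:1,id:1990055,log,deny,msg:'Joomla Com_JCE exploit'"
#Bash Exploit Mitigation CVE-2014-6271
# Stray whitespace inside the action lists of 1990065/1990066 removed; some SecLang parsers are strict about it.
SecRule REQUEST_HEADERS "^\(\) {" "phase:1,deny,id:1990064,msg:'CVE-2014-6271 - Bash Attack'"
SecRule REQUEST_LINE "\(\) {" "phase:1,deny,id:1990065,msg:'CVE-2014-6271 - Bash Attack'"
SecRule ARGS_NAMES "^\(\) {" "phase:2,deny,id:1990066,msg:'CVE-2014-6271 - Bash Attack'"
SecRule ARGS "^\(\) {" "phase:2,deny,id:1990067,msg:'CVE-2014-6271 - Bash Attack'"
SecRule FILES_NAMES "^\(\) {" "phase:2,deny,id:1990068,msg:'CVE-2014-6271 - Bash Attack'"
#Web Shell Command Blocking
# Phrases are space-separated, so ",amo!", ",amo" and "../../" are separate phrases. t:base64decode means
# they are matched against the base64-DECODED argument, i.e. this targets encoded payloads, not plain text.
# @pm is a substring match: short phrases like "curl" or "wget" will also hit unrelated decoded content.
SecRule ARGS "@pm urlencode curl_init preg_ wget GLOBALS base64_decode passwd ,amo! ,amo WQGP wqgp curl ../../" "t:base64decode,log,deny,id:1990070,msg:'Common known arguments for backdoor shell present in %{MATCHED_VAR_NAME}'"
#RevSlider_Show_Image vulnerablitiy - http://themeforest.net/forums/thread/slider-revolution-plugin-critical-vulnerability-being-exploited/141223
SecRule ARGS_GET "wp-config.php" "phase:1,id:1990071,log,deny,msg:'wp-config.php Local File Inclusion Attempt'"
#Base64 encoded Spammer Command block
# Looks for a base64-encoded serialized empty PHP array ("a:0:{}") in the "passes" argument.
SecRule ARGS:passes "a:0:{}" "t:base64decode,log,deny,id:1990072,msg:'base64-encoded spammer command'"
#WordPress 2.2 xmlrpc.php SQLi blocks incompatable with Jetpack in WP 4.X+
SecRuleRemoveById 2004654 2004655 2004656 2004657 2004658 2004659
#WordPress DOM XSS
SecRule REQUEST_LINE "/genericons/example.html" "phase:1,deny,log,id:1990077,msg:'WP DOM XSS'"
#bots searching for low-hanging fruit in backup config files
# Matches /config.* and /wp-config.* (also "configuration") with php/bak/bk/back/off/orig/org extensions.
SecRule REQUEST_URI "^/(?:wp-)?config(?:uration)?\.(?:php|bac?k|off|ori?g)" "phase:1,id:1990079,deny,msg:'Bot searching for config file'"
#SQLMap and Massscan Default User-Agent Block
SecRule REQUEST_HEADERS:User-Agent "@pm sqlmap masscan" "phase:1,t:lowercase,deny,id:1990087,log,msg:'Block Scans by SQLMap & Masscan UA'"
#WordPress scan by abdullkarem
SecRule QUERY_STRING "abdullkarem" "phase:1,deny,id:1990088,log,msg:'WordPress Exploit Scan'"
#Obfuscated SQLi Injection
# NOTE(review): 1990089, 1990090 and 1990091 are phase:1 rules on ARGS/ARGS_NAMES, so they only
# inspect the query string; POST-body arguments are not covered unless these move to phase:2.
SecRule ARGS "0x4142433134355a5136324457514146504f4959434644" "phase:1,deny,id:1990089,log,msg:'Obfuscated SQLi'"
#Blind SQLi using sleep() and benchmark()
SecRule ARGS_NAMES|ARGS "(?i:(sleep\((\s*?)(\d*?)(\s*?)\)|benchmark\((.*?)\,(.*?)\)))" "phase:1,id:'1990090',t:urlDecodeUni,deny,msg:'Detects blind sqli tests using sleep() or benchmark().'"
#Block hex encoded ARGS used for SQLi
# Any 0x followed by 3+ hex digits not preceded by a digit; legitimate hex literals in arguments will trip this.
SecRule ARGS_NAMES|ARGS "(?i:(?:\A|[^\d])0x[a-f\d]{3,}[a-f\d]*)+" "phase:1,id:'1990091',t:urlDecodeUni,deny,msg:'SQL Hex Encoding Identified'"
#WP 4.7-4.7.1 REST API Content Injection - https://www.exploit-db.com/exploits/41223/
# This catches GET and urlencoded-POST parameters
SecRule REQUEST_URI "@rx wp/v2/[\w_-]+/\d+" "phase:2,id:'1990092',log,deny,msg:'Block WordPress API Content Injection',chain"
SecRule ARGS:id "!@rx ^\d+$" "t:none"
# This catches JSON POST parameters
# NOTE(review): the whole chain runs in phase:1, but a JSON body is only parsed (and ARGS:id
# populated from it) in phase:2, so the final ARGS:id check here can only see a query-string id,
# which 1990092 already covers. The usual pattern is a phase:1 rule that just sets
# ctl:requestBodyProcessor=JSON and a separate phase:2 rule that checks ARGS:id.
SecRule REQUEST_URI "@rx wp/v2/[\w_-]+/\d+" "phase:1,id:'1990093',log,deny,msg:'Block WordPress API Content Injection',chain"
SecRule REQUEST_HEADERS:Content-Type "application/json" "t:none,t:lowercase,ctl:requestBodyProcessor=JSON,chain"
SecRule ARGS:id "!@rx ^\d+$" "t:none"
#User-Agent Blocks - Joomla/WP Exploit/Spam Bots
# Exact-match (anchored) User-Agent signatures; parentheses are escaped so they are matched literally.
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0 \(X11; U; Linux i686; en-US\) U2/1.0.0 UCBrowser/9.3.1.344$" "phase:1,id:1990094,log,auditlog,deny,msg:'Malicious Bot UA'"
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0 \(X11; Linux x86_64\) AppleWebKit/537.36 \(KHTML, like Gecko\) Chrome/31.0.1650.48 Safari/537.36$" "phase:1,id:1990095,log,auditlog,deny,msg:'Malicious Bot UA'"
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0 \(X11; Linux x86_64; rv:29.0\) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26$" "phase:1,id:1990096,log,auditlog,deny,msg:'Malicious Bot UA'"
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0 \(X11; Ubuntu; Linux i686; rv:24.0\) Gecko/20100101 Firefox/24.0$" "phase:1,id:1990097,log,auditlog,deny,msg:'Malicious Bot UA'"
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0 \(Windows NT 6.1; WOW64; rv:40.0\) Gecko/20100101 Firefox/40.1$" "phase:1,id:1990098,log,auditlog,deny,msg:'Malicious Bot UA'"
#WordPress Python User-Agent wp-login.php brute force mitigation
SecRule REQUEST_HEADERS:User-Agent "python-requests/2.18.4" "phase:1,id:1990101,log,auditlog,chain,deny,msg:'Malicious Bot UA'"
SecRule REQUEST_URI "/wp-login.php"
#User-Agent Block - WP Attacks
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0 \(Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8\) Gecko/20100722 Firefox/3.6.8$" "phase:1,id:1990102,log,auditlog,deny,msg:'Malicious Bot UA'"
#User-Agent Block - WP Attacks
# Fix: the parentheses in 1990104 and 1990105 were unescaped, so they formed regex groups and the
# pattern could never match a real User-Agent containing literal "(" and ")". Escaped to match the
# other UA rules in this file.
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0 \(Windows NT 6.1; WOW64\) AppleWebKit/537.36 \(KHTML, like Gecko\) Chrome/36.0.1985.143 Safari/537.36$" "phase:1,id:1990104,log,auditlog,deny,msg:'Malicious Bot UA'"
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/5.0 \(Windows NT 6.1; Win64; x64; rv:64.0\) Gecko/20100101 Firefox/64.0$" "phase:1,id:1990105,log,auditlog,deny,msg:'Malicious Bot UA'"
#User-Agent Block - Javascript
SecRule REQUEST_HEADERS:User-Agent "^><script type=text/javascript src=" "phase:1,id:1990106,log,auditlog,deny,msg:'Javascript include in UA'"
# blocks from EAP on 05/01/2020 WP Attacks
SecRule REQUEST_HEADERS:User-Agent "^Mozilla$" "phase:1,id:1990107,log,auditlog,deny,msg:'Bot UA - Mozilla'"
SecRule REQUEST_URI "php.suspected$" "phase:1,id:1990108,deny,log,auditlog,msg:'WP exploit pack files'"
# Unique Accept-Language header in DDOS Script - TRASH FLOOD BY SERPICO
SecRule REQUEST_HEADERS:Accept-Language "^en-US,en;q=0.9,he-IL;q=0.8,he;q=0.7,fr;q=0.6$" "phase:1,id:1990109,log,deny,msg:'DDOS - TRASH FLOOD BY SERPICO'"
#DDOS vs. load-scripts.php in WordPress
SecRule ARGS "@contains eutil,common,wp-a11y,sack,quicktag,colorpicker,editor,wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,prototype,scriptaculous-root,scriptaculous-builder" "chain,phase:2,id:1990110,log,deny,msg:'DDOS load-scripts.php'"
SecRule REQUEST_URI "/load-scripts.php"
# blocking outdated Apple UA that was only used for scraping wp-config files
SecRule REQUEST_HEADERS:User-Agent "^Mozilla\/5.0 \(iPhone\; CPU iPhone OS 6_1_2 like Mac OS X\)" "phase:1,id:1990112,log,auditlog,deny,msg:'Outdated Apple UA - scraping wp-config files'"
#WordPress File Manager Plug-in Exploit https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/
SecRule REQUEST_URI "@contains /connector.minimal.php" "phase:1,id:'1990113',log,deny,msg:'Block WordPress File Manager Exploit'"
#IDBTE4M CoDE87 User agent for attack tools
SecRule REQUEST_HEADERS:User-Agent "IDBTE4M CODE87" "phase:1,id:1990114,log,auditlog,deny,msg:'Malicious Bot UA: IDBTE4M'"
# block log4j crawling
# NOTE(review): anchored with ^ and $, so only a User-Agent that is exactly "jndi:ldap" matches;
# confirm that is the intended scope (the CRS has its own, broader coverage for this).
SecRule REQUEST_HEADERS:User-Agent "^jndi:ldap$" "phase:1,id:1990115,log,auditlog,deny,msg:'Log4j2 exploit crawling'"
#Block keywords in Mailer scripts used for spam
# Response-body phrase list from spam-mailer.data (phase:4); needs SecResponseBodyAccess On.
SecRule RESPONSE_BODY "@pmFromFile spam-mailer.data" "phase:4,nolog,auditlog,deny,id:1990116,msg:'Mailer spam script'"
# The three rules below are written CRS-style (block + anomaly-score setvar) unlike the rest of this
# file, which denies directly. They rely on tx.critical_anomaly_score and the CRS score variables
# being initialised by the CRS setup; without that the setvar lines add nothing and "block" falls
# back to SecDefaultAction. The (?:\s|/\*.*?\*/)* groups combined with .*? can backtrack heavily on
# long arguments, so keep SecPcreMatchLimit in mind when tuning.
#SQLi Defense - Enhanced to detect comment-based obfuscation
SecRule ARGS|ARGS_NAMES "@rx (?i)(?:INFORMATION_SCHEMA(?:\s|/\*.*?\*/)*\.(?:\s|/\*.*?\*/)*(?:[^\s,\)]+))(?:\s|/\*.*?\*/)*.*?(?:COUNT(?:\s|/\*.*?\*/)*\((?:\s|/\*.*?\*/)*\*(?:\s|/\*.*?\*/)*\))" "id:1990117,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'SQL Injection Attack: INFORMATION_SCHEMA with COUNT(*) detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#Detect XOR operator with COUNT(*) patterns - Enhanced to detect comment-based obfuscation
SecRule ARGS|ARGS_NAMES "@rx (?i)(?:COUNT(?:\s|/\*.*?\*/)*\((?:\s|/\*.*?\*/)*\*(?:\s|/\*.*?\*/)*\)(?:\s|/\*.*?\*/)*.*?(?:WHERE|AND)(?:\s|/\*.*?\*/)*.*?(?:0(?:\s|/\*.*?\*/)*(?:XOR|x(?:\s|/\*.*?\*/)*o(?:\s|/\*.*?\*/)*r)(?:\s|/\*.*?\*/)*1))" "id:1990118,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'SQL Injection Attack: COUNT(*) with XOR operator detected',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#Detect excessive SQL comment usage as potential obfuscation technique
# Three or more C-style comments in any argument. Expect false positives on forms that legitimately
# submit code or CSS (CMS editors, theme settings); watch the audit log after enabling.
SecRule ARGS|ARGS_NAMES "@rx (?:/\*.*?\*/){3,}" "id:1990119,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'SQL Injection Attack: Multiple SQL comments detected (potential obfuscation)',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-sqli',tag:'OWASP_CRS',tag:'capec/1000/152/248/66',tag:'PCI/6.5.2',severity:'CRITICAL',setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"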