diff --git a/docker/conf/modsecurity/crs/crs-setup.conf b/docker/conf/modsecurity/crs/crs-setup.conf
index 5ebc48862142c1a4e016bcf344b024f72911eea9..961c8bfe1f73ad78208d492c948e479ae79c2b5d 100644
--- a/docker/conf/modsecurity/crs/crs-setup.conf
+++ b/docker/conf/modsecurity/crs/crs-setup.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -88,7 +88,7 @@
 # Default: Anomaly Scoring mode, log to error log, log to ModSecurity audit log
 # - By default, offending requests are blocked with an error 403 response.
-# - To change the disruptive action, see RESPONSE-999-EXCEPTIONS.conf.example
+# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
 # and review section 'Changing the Disruptive Action for Anomaly Mode'.
 # - In Apache, you can use ErrorDocument to show a friendly error page or
 # perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
@@ -98,7 +98,7 @@ SecDefaultAction "phase:2,log,noauditlog,pass"
 # Example: Anomaly Scoring mode, log only to ModSecurity audit log
 # - By default, offending requests are blocked with an error 403 response.
-# - To change the disruptive action, see RESPONSE-999-EXCEPTIONS.conf.example
+# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
 # and review section 'Changing the Disruptive Action for Anomaly Mode'.
 # - In Apache, you can use ErrorDocument to show a friendly error page or
 # perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
@@ -163,7 +163,7 @@ SecDefaultAction "phase:2,log,noauditlog,pass"
 # likely produce a very high number of FPs which have to be
 # treated before the site can go productive.
 #
-# Rules in paranoia level 2 or higher will log their PL to the audit log;
+# All rules will log their PL to the audit log;
 # example: [tag "paranoia-level/2"]. This allows you to deduct from the
 # audit log how the WAF behavior is affected by paranoia level.
 #
@@ -383,9 +383,10 @@ SecAction \
 # setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
 # Content-Types that a client is allowed to send in a request.
-# Default: application/x-www-form-urlencoded|multipart/form-data|text/xml|\
-# application/xml|application/soap+xml|application/x-amf|application/json|\
-# application/octet-stream|text/plain
+# Default: |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related|
+# |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json|
+# |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream|
+# |application/csp-report| |application/xss-auditor-report| |text/plain|
 # Uncomment this rule to change the default.
 #SecAction \
 # "id:900220,\
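Review bot: The new `# Default:` lines for the content-type allow-list (setting `id:900220`) widen what is accepted out of the box to include `multipart/related`, `application/cloudevents+json`, `application/cloudevents-batch+json`, `application/csp-report` and `application/xss-auditor-report`; a Docker image fronting one application rarely needs any of those, and because the example stays commented out, the widened upstream default is presumably what becomes active. Consider uncommenting the rule and narrowing the list to the types the backend actually consumes, e.g. `setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |application/json|'"`. Whatever list is chosen, it must follow the new format shown here — every entry wrapped in `|...|` and entries separated by spaces — rather than the single `|`-separated string of the removed lines.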
@@ -393,20 +394,7 @@ SecAction \
 # nolog,\
 # pass,\
 # t:none,\
-# setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text/plain'"
-
-# Content-Types charsets that a client is allowed to send in a request.
-# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252
-# Uncomment this rule to change the default.
-# Use "|" to separate multiple charsets like in the rule defining
-# tx.allowed_request_content_type.
-#SecAction \
-# "id:900270,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
+# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
 # Allowed HTTP versions.
 # Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
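Review bot: The example `setvar:'tx.allowed_request_content_type=...'` changes delimiter format — each type is now wrapped in `|...|` with entries separated by spaces, where the removed line was one `|`-separated string with no wrapping pipes — and the commit only updates the commented example. If this deployment carries an active override of `900220` copied from the 3.1 example elsewhere under docker/conf/modsecurity, that override keeps the old format and presumably no longer matches what the 3.3 check compares against, which would either block or pass every body-carrying request depending on the match direction; grep for `allowed_request_content_type=` outside this file before merging. A one-line comment above the example, such as `# Format changed in CRS 3.3: wrap each type in |pipes| and separate entries with spaces`, would make the migration hazard visible to whoever next edits this setting.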
@@ -424,8 +412,8 @@ SecAction \
 # Forbidden file extensions.
 # Guards against unintended exposure of development/configuration files.
-# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
-# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .sql/
+# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
+# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .rdb/ .sql/
 # Uncomment this rule to change the default.
 #SecAction \
 # "id:900240,\
@@ -433,12 +421,12 @@ SecAction \
 # nolog,\
 # pass,\
 # t:none,\
-# setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
+# setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
 # Forbidden request headers.
 # Header names should be lowercase, enclosed by /slashes/ as delimiters.
 # Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org
-# Default: /proxy/ /lock-token/ /content-range/ /translate/ /if/
+# Default: /proxy/ /lock-token/ /content-range/ /if/
 # Uncomment this rule to change the default.
 #SecAction \
 # "id:900250,\
@@ -446,7 +434,7 @@ SecAction \
 # nolog,\
 # pass,\
 # t:none,\
-# setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /translate/ /if/'"
+# setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
 # File extensions considered static files.
 # Extensions include the dot, lowercase, enclosed by /slashes/ as delimiters.
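Review bot: Dropping `/translate/` from the restricted-headers default (the `# Default:` line and the `tx.restricted_headers` example for `id:900250`) is a relaxation of the WAF, not just a documentation update: the `Translate: f` request header is historically the trigger for IIS/WebDAV handing back script source instead of executing it, and the `Proxy` entry kept in the same list exists for exactly this class of header-driven backend behaviour (the httpoxy comment above it). Upstream presumably removed it to cut false positives, which is fine for most stacks, but if the backend behind this container is IIS or otherwise honours `Translate`, keep the entry by uncommenting the rule with `setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /translate/ /if/'"`. Either way the commit message should state that a default header block was removed, since nothing in the hunk says so.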
@@ -461,6 +449,18 @@ SecAction \
 # t:none,\
 # setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
+# Content-Types charsets that a client is allowed to send in a request.
+# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252
+# Uncomment this rule to change the default.
+# Use "|" to separate multiple charsets like in the rule defining
+# tx.allowed_request_content_type.
+#SecAction \
+# "id:900280,\
+# phase:1,\
+# nolog,\
+# pass,\
+# t:none,\
+# setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
 #
 # -- [[ HTTP Argument/Upload Limits ]] -----------------------------------------
@@ -565,7 +565,7 @@ SecAction \
 # entry in the audit log (for performance reasons), but an error log entry is
 # written. If you want to disable the error log entry, then issue the
 # following directive somewhere after the inclusion of the CRS
-# (E.g., RESPONSE-999-EXCEPTIONS.conf).
+# (E.g., RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf).
 #
 # SecRuleUpdateActionById 901150 "nolog"
 #
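Review bot: The charset allow-list re-added here carries a new id, `# "id:900280,\`, whereas the block it replaces earlier in this diff used `900270`; anything in this deployment that targets the old id — a `SecRuleRemoveById 900270`, a `SecRuleUpdateActionById 900270 ...`, or an uncommented copy of the old example in another file — will silently stop applying to `tx.allowed_request_content_type_charset`. Grep the rest of docker/conf/modsecurity for `900270` before merging. Since the added text is otherwise a verbatim move, a one-line note on the new block such as `# Note: this setting was id 900270 in CRS 3.1; update any overrides that reference it` would spare the next reader the search. The comment `Use "|" to separate multiple charsets like in the rule defining tx.allowed_request_content_type` is also now misleading, because that rule's example in this same change wraps entries in `|...|` and separates them with spaces, which is not the format shown for charsets here.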
@@ -617,20 +617,49 @@ SecAction \
 #
 # To use geolocation, we make use of the MaxMind GeoIP database.
 # This database is not included with the CRS and must be downloaded.
-# You should also update the database regularly, for instance every month.
-# The CRS contains a tool to download it to util/geo-location/GeoIP.dat:
-# util/upgrade.py --geoip
 #
-# This product includes GeoLite data created by MaxMind, available from:
-# http://www.maxmind.com.
+# There are two formats for the GeoIP database. ModSecurity v2 uses GeoLite (.dat files),
+# and ModSecurity v3 uses GeoLite2 (.mmdb files).
+#
+# If you use ModSecurity 3, MaxMind provides a binary for updating GeoLite2 files,
+# see https://github.com/maxmind/geoipupdate.
+#
+# Download the package for your OS, and read https://dev.maxmind.com/geoip/geoipupdate/
+# for configuration options.
+#
+# Warning: GeoLite (not GeoLite2) databases are considered legacy, and not being updated anymore.
+# See https://support.maxmind.com/geolite-legacy-discontinuation-notice/ for more info.
+#
+# Therefore, if you use ModSecurity v2, you need to regenerate updated .dat files
+# from CSV files first.
+#
+# You can achieve this using https://github.com/sherpya/geolite2legacy
+# Pick the zip files from maxmind site:
+# https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip
+#
+# Follow the guidelines for installing the tool and run:
+# ./geolite2legacy.py -i GeoLite2-Country-CSV.zip \
+# -f geoname2fips.csv -o /usr/share/GeoliteCountry.dat
+#
+# Update the database regularly, see Step 3 of the configuration link above.
+#
+# By default, when you execute `sudo geoipupdate` on Linux, files from the free database
+# will be downloaded to `/usr/share/GeoIP` (both v1 and v2).
+#
+# Then choose from:
+# - `GeoLite2-Country.mmdb` (if you are using ModSecurity v3)
+# - `GeoLiteCountry.dat` (if you are using ModSecurity v2)
 #
 # Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html
 # Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html
 #
-# Uncomment this rule to use this feature:
+# Uncomment only one of the next rules here to use this feature.
+# Choose the one depending on the ModSecurity version you are using, and change the path accordingly:
 #
-#SecGeoLookupDB /usr/share/GeoIP/GeoLiteCity.dat
-
+# For ModSecurity v3:
+#SecGeoLookupDB /usr/share/GeoIP/GeoLite2-Country.mmdb
+# For ModSecurity v2 (points to the converted one):
+#SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat
 #
 # -=[ Block Countries ]=-
@@ -711,7 +740,7 @@ SecAction \
 # -- [[ Blocking Based on IP Reputation ]] ------------------------------------
 #
 # Blocking based on reputation is permanent in the CRS. Unlike other rules,
-# which look at the indvidual request, the blocking of IPs is based on
+# which look at the individual request, the blocking of IPs is based on
 # a persistent record in the IP collection, which remains active for a
 # certain amount of time.
 #
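Review bot: The ModSecurity v2 instructions in this GeoIP section disagree with themselves about where the converted database lives: the conversion command writes `-o /usr/share/GeoliteCountry.dat`, but the directive offered for v2 reads `#SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat` (different directory, different capitalisation), so someone following the text verbatim points the WAF at a file that does not exist — presumably a startup error or geo lookups that never resolve, and in the latter case country blocking that silently never fires. Make the two agree, e.g. `-f geoname2fips.csv -o /usr/share/GeoIP/GeoLiteCountry.dat`. The conversion also runs a third-party script (`sherpya/geolite2legacy`) whose output feeds a blocking decision, so the text should tell the reader to pin a release and check what they execute rather than run the default branch. Finally, `(both v1 and v2)` in the sentence about what `sudo geoipupdate` downloads sits oddly beside the warning that legacy GeoLite is no longer updated; confirm what the tool actually fetches and reword so a v2 user knows the .dat must come from the conversion step.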
@@ -775,52 +804,6 @@ SecAction \
 SecCollectionTimeout 600
-#
-# -- [[ Debug Mode ]] ----------------------------------------------------------
-#
-# To enable rule development and debugging, CRS has an optional debug mode
-# that does not block a request, but instead sends detection information
-# back to the HTTP client.
-#
-# This functionality is currently only supported with the Apache web server.
-# The Apache mod_headers module is required.
-#
-# In debug mode, the webserver inserts "X-WAF-Events" / "X-WAF-Score"
-# response headers whenever a debug client makes a request. Example:
-#
-# # curl -v 'http://192.168.1.100/?foo=../etc/passwd'
-# X-WAF-Events: TX:930110-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-REQUEST_URI,
-# TX:930120-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-ARGS:foo,
-# TX:932160-OWASP_CRS/WEB_ATTACK/RCE-ARGS:foo
-# X-WAF-Score: Total=15; sqli=0; xss=0; rfi=0; lfi=10; rce=5; php=0; http=0; ses=0
-#
-# To enable debug mode, include the RESPONSE-981-DEBUG.conf file.
-# This file resides in a separate folder, as it is not compatible with
-# nginx and IIS.
-#
-# You must specify the source IP address/network where you will be running the
-# tests from. The source IP will BYPASS all CRS blocking, and will be sent the
-# response headers as specified above. Be careful to only list your private
-# IP addresses/networks here.
-#
-# Tip: for regression testing of CRS or your own ModSecurity rules, you may
-# be interested in using the OWASP CRS regression testing suite instead.
-# View the file util/regression-tests/README for more information.
-#
-# Uncomment these rules, filling in your CRS path and the source IP address,
-# to enable debug mode:
-#
-#Include /usr/share/modsecurity-crs/util/debug/RESPONSE-981-DEBUG.conf
-#SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
-# "id:900980,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# ctl:ruleEngine=DetectionOnly,\
-# setvar:tx.crs_debug_mode=1"
-
-
 #
 # -- [[ End of setup ]] --------------------------------------------------------
 #
@@ -838,4 +821,4 @@ SecAction \
 nolog,\
 pass,\
 t:none,\
- setvar:tx.crs_setup_version=310"
+ setvar:tx.crs_setup_version=330"