Mod_security Conf

a guest
Dec 7th, 2013
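  <IfModule security2_module>

    # Turn the filtering engine On or Off
    SecRuleEngine On

    # The audit engine works independently and
    # can be turned On or Off on the per-server or
    # on the per-directory basis
    SecAuditEngine RelevantOnly

    # The name of the audit log file
    SecAuditLog "d:/wamp/logs/modsec_log.log"

    # Action to take by default. 'log' is stated explicitly so that every rule
    # that inherits this default is guaranteed to reach the error log.
    SecDefaultAction "deny,phase:2,status:403,log"

    # Request body access is Off unless enabled. Without it the body-size
    # directives and the REQBODY_ERROR / MULTIPART_* rules below never see a
    # request body, so they silently do nothing.
    SecRequestBodyAccess On

    # Prevent path traversal (..) attacks.
    # The chain starts with t:none so no inherited transformation applies.
    # The earlier form of this rule listed t:normalizePathWin ahead of t:none,
    # which cancelled it; the dead entry has been removed (no change in effect).
    # NOTE(review): only the '/' separator is matched; the audit log path above
    # suggests a Windows host, so confirm whether "..\" also needs covering.
    SecRule ARGS "\.\./" "id:50904,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'Drive Access'"

    # Maximum request body size we will accept for buffering. If you support
    # file uploads then the value given on the first line has to be as large
    # as the largest file you are willing to accept. The second value refers
    # to the size of data, with files excluded. You want to keep that value as
    # low as practical.
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072

    # Store up to 128 KB of request body data in memory. When the multipart
    # parser reaches this limit, it will start using your hard disk for
    # storage. That is slow, but unavoidable.
    SecRequestBodyInMemoryLimit 131072

    # What to do if the request body size is above our configured limit.
    # Keep in mind that this setting will automatically be set to ProcessPartial
    # when SecRuleEngine is set to DetectionOnly mode in order to minimize
    # disruptions when initially deploying ModSecurity.
    SecRequestBodyLimitAction Reject

    # Verify that we've correctly processed the request body.
    # As a rule of thumb, when failing to process a request body
    # you should reject the request (when deployed in blocking mode)
    # or log a high-severity alert (when deployed in detection-only mode).
    SecRule REQBODY_ERROR "!@eq 0" \
    "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"

    # By default be strict with what we accept in the multipart/form-data
    # request body. If the rule below proves to be too strict for your
    # environment consider changing it to detection-only. You are encouraged
    # _not_ to remove it altogether.
    # The deny status was previously 44, which is not a valid HTTP status
    # code; 403 matches the default action above.
    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
    "id:'200002',phase:2,t:none,log,deny,status:403, \
    msg:'Multipart request body failed strict validation: \
    PE %{REQBODY_PROCESSOR_ERROR}, \
    BQ %{MULTIPART_BOUNDARY_QUOTED}, \
    BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
    DB %{MULTIPART_DATA_BEFORE}, \
    DA %{MULTIPART_DATA_AFTER}, \
    HF %{MULTIPART_HEADER_FOLDING}, \
    LF %{MULTIPART_LF_LINE}, \
    SM %{MULTIPART_MISSING_SEMICOLON}, \
    IQ %{MULTIPART_INVALID_QUOTING}, \
    IP %{MULTIPART_INVALID_PART}, \
    IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
    FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

    # Did we see anything that might be a boundary?
    # No status is given here, so the 403 from SecDefaultAction applies.
    SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
    "id:'200003',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

    # PCRE Tuning
    # We want to avoid a potential RegEx DoS condition
    SecPcreMatchLimit 1000
    SecPcreMatchLimitRecursion 1000

    # Some internal errors will set flags in TX and we will need to look for these.
    # All of these are prefixed with "MSC_". The following flags currently exist:
    #
    # MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
    SecRule TX:/^MSC_/ "!@streq 0" \
    "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

    # -- Response body handling --------------------------------------------------

    # Allow ModSecurity to access response bodies.
    # You should have this directive enabled in order to identify errors
    # and data leakage issues.
    #
    # Do keep in mind that enabling this directive does increase both
    # memory consumption and response latency.
    #
    SecResponseBodyAccess On

    # Which response MIME types do you want to inspect? You should adjust the
    # configuration below to catch documents but avoid static files
    # (e.g., images and archives).
    #
    SecResponseBodyMimeType text/plain text/html text/xml

    # Buffer response bodies of up to 512 KB in length.
    SecResponseBodyLimit 524288

    # What happens when we encounter a response body larger than the configured
    # limit? By default, we process what we have and let the rest through.
    # That's somewhat less secure, but does not break any legitimate pages.
    #
    SecResponseBodyLimitAction ProcessPartial

    # -- Miscellaneous -----------------------------------------------------------

    # Use the most commonly used application/x-www-form-urlencoded parameter
    # separator. There's probably only one application somewhere that uses
    # something else so don't expect to change this value.
    #
    SecArgumentSeparator &

    # Settle on version 0 (zero) cookies, as that is what most applications
    # use. Using an incorrect cookie version may open your installation to
    # evasion attacks (against the rules that examine named cookies).
    #
    SecCookieFormat 0

    # Specify your Unicode Code Point.
    # This mapping is used by the t:urlDecodeUni transformation function
    # to properly map encoded data to your language. Properly setting
    # these directives helps to reduce false positives and negatives.
    #
    #SecUnicodeCodePage 20127
    #SecUnicodeMapFile unicode.mapping

  </IfModule>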