# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.1
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------


# 
#      This ruleset file contains rules that are highly prone to FPs
#
#      When installing this ruleset, you are advised to activate ModSecurity
#      in DetectionOnly, and verify that this ruleset doesn't intercept too
#      many legit requests. 
#
 
#
# Directory Traversal
#
SecRule REQUEST_URI "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" \
        "phase:1,t:none,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Path Traversal Attack',id:'950103',severity:'2'"

# Weaker signature
SecRule REQUEST_FILENAME "\.\.[/\x5c]" "phase:1,t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Path Traversal Attack',id:'950103',severity:'2'"


#
# RFI Attack
#
SecRule ARGS "^(?:ht|f)tp:/" \
        "phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Inclusion Attack',id:'950117',severity:'2'"

