|
1 | 1 | # ------------------------------------------------------------------------ |
2 | | -# OWASP ModSecurity Core Rule Set ver.3.2.0 |
3 | | -# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. |
| 2 | +# OWASP CRS ver.4.9.0-dev |
| 3 | +# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. |
| 4 | +# Copyright (c) 2021-2024 CRS project. All rights reserved. |
4 | 5 | # |
5 | | -# The OWASP ModSecurity Core Rule Set is distributed under |
| 6 | +# The OWASP CRS is distributed under |
6 | 7 | # Apache Software License (ASL) version 2 |
7 | 8 | # Please see the enclosed LICENSE file for full details. |
8 | 9 | # ------------------------------------------------------------------------ |
|
81 | 82 | # This ruleset allows you to control how ModSecurity will handle traffic |
82 | 83 | # originating from Authorized Vulnerability Scanning (AVS) sources. See |
83 | 84 | # related blog post - |
84 | | -# http://blog.spiderlabs.com/2010/12/advanced-topic-of-the-week-handling-authorized-scanning-traffic.html |
| 85 | +# https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/updated-advanced-topic-of-the-week-handling-authorized-scanning-traffic/ |
85 | 86 | # |
86 | | -# White-list ASV network block (no blocking or logging of AVS traffic) Update |
| 87 | +# Allow List ASV network block (no blocking or logging of AVS traffic) Update |
87 | 88 | # IP network block as appropriate for your AVS traffic |
88 | 89 | # |
89 | 90 | # ModSec Rule Exclusion: Disable Rule Engine for known ASV IP |
|
101 | 102 | # This rule shows how to conditionally exclude the "password" |
102 | 103 | # parameter for rule 942100 when the REQUEST_URI is /index.php |
103 | 104 | # ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection |
104 | | -## |
105 | | -#SecRule SERVER_ADDR "@ipMatch 服务器IP" \ |
106 | | -# "id:1001, \ |
107 | | -# phase:1, \ |
108 | | -# pass, \ |
109 | | -# nolog, \ |
110 | | -# ctl:ruleRemoveByTag=attack-dos" |
| 105 | +# |
111 | 106 | # SecRule REQUEST_URI "@beginsWith /index.php" \ |
112 | 107 | # "id:1001,\ |
113 | 108 | # phase:1,\ |
|
135 | 130 | # Example Exclusion Rule: Removing a specific ARGS parameter from inspection |
136 | 131 | # for all CRS rules |
137 | 132 | # |
138 | | -# This rule illustrates that we can use tagging very effectively to whitelist a |
| 133 | +# This rule illustrates that we can use tagging very effectively to allow list a |
139 | 134 | # common false positive across an entire ModSecurity instance. This can be done |
140 | 135 | # because every rule in OWASP_CRS is tagged with OWASP_CRS. This will NOT |
141 | 136 | # affect custom rules. |
|
155 | 150 | # This rule illustrates that we can remove a rule range via a ctl action. |
156 | 151 | # This uses the fact, that rules are grouped by topic in rule files covering |
157 | 152 | # a certain id range. |
| 153 | +# IMPORTANT: ModSecurity v3, aka libModSecurity, does not currently support the |
| 154 | +# use of rule ranges in a ruleRemoveById ctl action (this feature has been |
| 155 | +# planned for v3.1). Consider using ruleRemoveByTag as a workaround, if |
| 156 | +# appropriate. |
158 | 157 | # |
159 | 158 | # ModSecurity Rule Exclusion: Disable all SQLi and XSS rules |
160 | 159 | # SecRule REQUEST_FILENAME "@beginsWith /admin" \ |
|
165 | 164 | # ctl:ruleRemoveById=941000-942999" |
166 | 165 | # |
167 | 166 | # |
168 | | -# The application specific rule exclusion files |
169 | | -# REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf |
170 | | -# REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf |
171 | | -# bring additional examples which can be useful then tuning a service. |
| 167 | +# The application-specific rule exclusion plugins |
| 168 | +# (see: https://github.com/coreruleset/plugin-registry) |
| 169 | +# provide additional examples which can be useful then tuning a service. |
172 | 170 |
|
173 | | -SecRule REMOTE_ADDR "@pmFromFile white_list.data" |
174 | | - "id:1000,phase:1,pass,nolog,ctl:ruleEngine=Off" |
175 | 171 |
|
176 | | -SecRule REQUEST_URI "@pmFromFile white_url.data" |
177 | | - "id:10000,phase:1,pass,nolog,ctl:ruleEngine=Off" |
| 172 | +# |
| 173 | +# Example Rule: Allow monitoring tools and scripts |
| 174 | +# |
| 175 | +# Uncomment this rule to allow all requests from trusted IPs and User-Agent. |
| 176 | +# This can be useful for monitoring tools like Monit, Nagios, or other agents. |
| 177 | +# For example, if you're using AWS Load Balancer, you may need to trust all |
| 178 | +# requests from "10.0.0.0/8" subnet that come with the user-agent |
| 179 | +# "ELB-HealthChecker/2.0". By doing this, all requests that match these |
| 180 | +# conditions will not be matched against the following rules: |
| 181 | +# |
| 182 | +# - id: 911100 (allowed methods) |
| 183 | +# - id: 913100 (scan detection) |
| 184 | +# - id: 920280 (missing/empty host header) |
| 185 | +# - id: 920350 (IP address in host header) |
| 186 | +# - tag: attack-disclosure (all RESPONSE-*-DATA-LEAKAGES rules) |
| 187 | +# |
| 188 | +# SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/8" \ |
| 189 | +# "id:1005,\ |
| 190 | +# phase:1,\ |
| 191 | +# pass,\ |
| 192 | +# nolog,\ |
| 193 | +# chain" |
| 194 | +# SecRule REQUEST_METHOD "@pm GET HEAD" "chain" |
| 195 | +# SecRule REQUEST_HEADERS:User-Agent "@pm ELB-HealthChecker" \ |
| 196 | +# "ctl:ruleRemoveById=911100,\ |
| 197 | +# ctl:ruleRemoveById=913100,\ |
| 198 | +# ctl:ruleRemoveById=920280,\ |
| 199 | +# ctl:ruleRemoveById=920350,\ |
| 200 | +# ctl:ruleRemoveByTag=attack-disclosure" |
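Review bot: The monitoring-tool example at the end of the hunk (ids 1005 and the chained rules at new lines 188–200) rests its trust on a client-controlled value: the User-Agent link is trivially spoofable, so the only real gate is the REMOTE_ADDR match, and `10.0.0.0/8` covers every host in the private range rather than the load balancer's subnets. Any host inside that range (a compromised instance or pod) can send `User-Agent: ELB-HealthChecker` with GET or HEAD and have 911100, 913100, 920280, 920350 and every attack-disclosure rule removed for its own request. The comment block should say so, e.g. `# NOTE: the User-Agent check adds no security on its own; restrict @ipMatch to the subnets your load balancer actually uses, and if REMOTE_ADDR is derived from X-Forwarded-For make sure only the load balancer is trusted to set it`. The `@pm ELB-HealthChecker` link is also a case-insensitive substring match, so `@beginsWith ELB-HealthChecker/` is the tighter choice when the exact agent string is known. Separately, the new text at line 169 reads `useful then tuning a service`; it should be `useful when tuning a service`.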