# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.0.2
# Copyright (C) 2006-2009 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# This ruleset file contains rules that are highly prone to FPs
#
# When installing this ruleset, you are advised to activate ModSecurity
# in DetectionOnly, and verify that this ruleset doesn't intercept too
# many legit requests.
#
#
# Directory Traversal
#
SecRule REQUEST_URI "(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))(?:%(?:u2024|2e)|\.){2}(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))" \
"phase:1,t:none,t:lowercase,capture,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Path Traversal Attack',id:'950103',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"
# Weaker signature
#SecRule REQUEST_FILENAME "\.\.[/\x5c]" "phase:1,t:none,t:urlDecodeUni,capture,ctl:auditLogParts=+E,block,nolog,auditlog,status:501,msg:'Path Traversal Attack',id:'950103',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}'"
distrib
>
Mandriva
>
2010.0
>
i586
>
media
>
contrib-release
>
by-pkgid
>
ec8d9d7e1251a670fddcb98de6880fe8
>
files
>
27
