FILE: C:\Program Files (x86)\Plesk\ModSecurity\rules\atomic\modsec\03_asl_dos.conf
--
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Created by Prometheus Global (http://www.prometheus-group.com)
# Copyright 2005-2013 by Prometheus Global, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
# Apache answers 408 when it gave up waiting for the client to finish sending
# the request.  A stream of 408s from one or a few sources is the footprint of
# a slow-header / slow-body connection-exhaustion attack (Slowloris family).
# This rule is observe-only: phase 5, 'pass', writes an audit-log entry and
# nothing else.  NOTE(review): whether a connection that timed out mid-request
# ever reaches the logging phase depends on where the timeout fired -- verify
# against the Apache error log before treating absence of this event as
# absence of an attack.  The "Slowaris" spelling in msg is kept unchanged so
# existing log searches keep matching.
SecRule RESPONSE_STATUS "@streq 408" \
  "id:343434,phase:5,t:none,log,auditlog,pass,rev:1,severity:'4',msg:'Atomicorp.com WAF Rules: Client Connection dropped by Apache due to slow connection, possible Slowaris attack'"
# CtrlFunc flood: a POST whose URI begins literally with "/?CtrlFunc_".
# The second link of the chain is a case-sensitive @beginsWith on REQUEST_URI
# (path + query string), so "/index.php?CtrlFunc_..." or "/?ctrlfunc_..." do
# NOT trigger this rule -- only the exact root-path form does.  'drop' tears
# down the TCP connection instead of spending a 403 response on the flood.
# NOTE(review): the ModSecurity reference documents 'drop' as unavailable on
# Windows builds; this file ships under a Windows Plesk path, so confirm the
# action really disrupts there, or switch it to deny,status:403.
SecRule REQUEST_METHOD "@streq POST" \
  "id:331215,phase:1,t:none,chain,log,auditlog,drop,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: CtrlFunc Brute Force Attack Dropped'"
  SecRule REQUEST_URI "@beginsWith /?CtrlFunc_" "t:none"
# WordPress flood pattern: a query string of the shape "?NNNN=NNNN" -- a
# 4-6 digit key and a 4-6 digit value, each optionally negative, e.g.
# "/?4747=4747".  The msg labels it the WordPress DoS signature; the random
# numeric pair is presumably a cache-buster, which is why it is dropped
# outright in phase 1.  The regex is not anchored to the start of the query
# string, so any legitimate application that uses a 4-6 digit numeric query
# key with a 4-6 digit numeric value will also be dropped -- exclude such
# paths explicitly if they exist on the host.
SecRule REQUEST_URI "\?-?[0-9]{4,6}=-?[0-9]{4,6}" \
  "id:331216,phase:1,t:none,log,auditlog,drop,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Wordpress DOS Attack Dropped'"
# Oversized query on HEAD requests: a HEAD whose URI has 2000 or more
# consecutive alphanumerics immediately after a '?', compared after
# lowercasing.  Because the class is [0-9a-z] only, a query that contains
# '=', '&', '%' or '-' before its 2000th character never matches -- this is
# one specific flood shape, not a general long-URL limit.  Unlike the two
# rules above this one uses 'deny' (default 403), although the msg still
# says "Dropped".
SecRule REQUEST_METHOD "@streq HEAD" \
  "id:331217,phase:1,t:none,chain,log,auditlog,deny,rev:1,severity:2,msg:'Atomicorp.com WAF Rules: Possible DOS Attack Dropped'"
  SecRule REQUEST_URI "\?[0-9a-z]{2000,}" "t:none,t:lowercase"
# Tunables for the per-IP request-rate check below.  They are read through
# %{tx.*} macros by rules 350113 and 350114:
#   tx.dos_counter_threshold = 5   hits on the protected URI that make one
#                                  "burst" (the check is @gt, so the 6th hit)
#   tx.dos_burst_time_slice  = 60  seconds a burst stays remembered
#   tx.dos_block_timeout     = 600 seconds an IP stays blocked once tripped
# At these defaults an address is blocked for 10 minutes once it produces two
# bursts within 60 s of each other (12 hits on xmlrpc.php, the last six of
# them inside the minute after the sixth).  The hit counter itself has no
# expiry, so the first burst can be assembled slowly.  WordPress clients that
# legitimately talk to xmlrpc.php (mobile apps, remote-publishing and similar
# integrations) can reach this rate -- confirm and raise the threshold or
# exempt those sources before enabling on a site that uses them.
SecAction \
  "id:350115,phase:1,t:none,nolog,pass,setvar:'tx.dos_burst_time_slice=60',setvar:'tx.dos_counter_threshold=5',setvar:'tx.dos_block_timeout=600'"
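# First request from an already-blocked IP in each 60 s window: deny it AND
# raise one alert that reports how many requests were swallowed since the
# previous alert.  ip.dos_block_flag is the 60 s "alert already sent" latch;
# ip.dos_block_counter is the swallowed-request tally.  The setvar on the
# first rule fires whenever that rule matches (every blocked request); the
# chain's second rule fires only while the latch is unset, and its two
# setvars must keep their order -- snapshot into tx for the msg, then reset.
# Fixed here: the original action list contained an empty slot (",,") after
# severity:2, which some action parsers reject outright; removing it does
# not change what the rule does.
# NOTE(review): depends on an 'ip' collection initialised with initcol
# earlier in the rule order, and on tx.real_ip being set elsewhere -- both
# live outside this file.  If that initcol keys on a client-controllable
# header (e.g. X-Forwarded-For) an attacker can aim this block at other
# addresses; confirm it keys on REMOTE_ADDR or a trusted proxy chain.
SecRule IP:DOS_BLOCK "@eq 1" \
  "id:350116,phase:1,chain,log,auditlog,deny,status:403,severity:2,msg:'Atomicorp.com WAF Rules: Potential Denial of Service (DoS) Attack Identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)',setvar:ip.dos_block_counter=+1"
  SecRule &IP:DOS_BLOCK_FLAG "@eq 0" "setvar:ip.dos_block_flag=1,expirevar:ip.dos_block_flag=60,setvar:tx.dos_block_counter=%{ip.dos_block_counter},setvar:ip.dos_block_counter=0"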
# Every further request from a blocked IP inside the same window: deny it
# silently (the alert for this window was already raised by 350116) but keep
# the swallowed-request tally growing so the next alert can report it.
# NOTE(review): the chain starter of 350116 also increments this counter on
# each blocked request before its chain can fail, so the "hits since last
# alert" figure is likely double-counted; confirm and keep only one of the
# two increments if so.
SecRule IP:DOS_BLOCK "@eq 1" \
  "id:350117,phase:1,t:none,nolog,deny,status:403,severity:2,setvar:ip.dos_block_counter=+1"
# Phase-5 counterpart for blocked IPs: they must not feed the rate counters
# that follow (that would re-arm the block on every denied request), so jump
# past the whole check to the marker at the end of the file.
SecRule IP:DOS_BLOCK "@eq 1" \
  "id:350118,phase:5,t:none,nolog,pass,skipAfter:END_DOS_PROTECTION_CHECKS"
# Count hits on the protected resource.  REQUEST_URI (path + query string)
# is URL-decoded and lowercased first, and the pattern is unanchored, so any
# request whose URI or query merely contains "xmlrpc.php" increments the
# per-IP counter.  It runs in phase 5, which normally still executes for
# requests a phase-1 rule already denied, so those count as well.  To cover
# more endpoints, extend the pattern or move to @pmFromFile as the original
# author suggested.
SecRule REQUEST_URI "xmlrpc\.php" \
  "id:350112,phase:5,t:none,t:urlDecodeUni,t:lowercase,nolog,pass,setvar:ip.dos_counter=+1"
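# Once the per-IP hit counter is STRICTLY greater than the threshold (@gt --
# the 6th hit at the default of 5, not the 5th as the old comment implied),
# record one burst, give the burst counter a fresh lifetime of
# tx.dos_burst_time_slice seconds, and delete the hit counter so the next
# burst starts from zero.  ip.dos_counter has no expiry of its own: hits
# accumulate until the threshold is crossed or the ip collection itself
# expires, so a burst can be assembled slowly.
# Fixed here: a redundant second t:none was dropped from the action list;
# it reset an already-empty transformation chain and had no effect.
SecRule IP:DOS_COUNTER "@gt %{tx.dos_counter_threshold}" \
  "id:350113,phase:5,t:none,nolog,pass,setvar:ip.dos_burst_counter=+1,expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},setvar:!ip.dos_counter"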
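# Two or more bursts within one burst time slice: arm ip.dos_block for
# tx.dos_block_timeout seconds (600 s = 10 minutes at the defaults -- the
# old comment said 5) and raise an alert.  This rule only sets the flag
# ('pass'); the actual denial happens in 350116/350117 on the address's next
# request, and the phase-5 skip in 350118 keeps this rule from re-firing
# while the block is active.
# tag:'no_ar' is an ASL-specific tag (presumably "no active response" --
# confirm in the ASL documentation before relying on it).
# Fixed here: 'log' was listed twice in the action list; one copy removed,
# logging behaviour unchanged.
SecRule IP:DOS_BURST_COUNTER "@ge 2" \
  "id:350114,phase:5,t:none,rev:1,log,auditlog,pass,severity:3,msg:'Atomicorp.com WAF Rules: Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',setvar:ip.dos_block=1,expirevar:ip.dos_block=%{tx.dos_block_timeout},tag:'no_ar'"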
# Landing point for the phase-5 skipAfter in 350118.  Anything placed after
# this marker in the rule order runs for blocked IPs as well.
SecMarker END_DOS_PROTECTION_CHECKS
--