--
# http://www.atomicorp.com/ # Atomicorp (Gotroot.com) ModSecurity rules # Application Security Rules for modsec 2.5+ # # Created by Atomicorp (http://www.atomicorp.com) # Copyright 2005-2012 by Atomicorp, all rights reserved. # Redistribution is strictly prohibited in any form, including whole or in part. # # Distribution of this work or derivative of this work in any form is # prohibited unless prior written permission is obtained from the # copyright holder. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF # THE POSSIBILITY OF SUCH DAMAGE. # #---ASL-CONFIG-FILE--- # # Do not edit this file! # This file is generated and changes will be overwritten. 
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#
# Login failure detection. Every active rule in this section uses "pass", so
# nothing here blocks a request; a match only produces an audit-log record
# (auditlog) that a downstream consumer can count.
# tag:'no_ar' is not defined in this section; presumably it is read by
# Atomicorp tooling - confirm before relying on it.
#
# Disabled request-side tagging (phase 2). As written, the commented-out rules
# would let POST requests fall through to a set of login-URL checks that set
# tx.brute_* variables, and send every other method straight to END_BRUTE_IN.
# NOTE(review): if this is ever re-enabled, the wikimedia stanza sets
# tx.brute_phpbb_login (the same variable as the phpBB stanza), and the
# vbulletin rule has no "chain" action although an ARGS:do rule follows it.
#SecRule REQUEST_METHOD "^post$" \
#phase:2,pass,t:none,t:lowercase,nolog,skip:1
#SecAction phase:2,t:none,pass,nolog,skipAfter:END_BRUTE_IN
#vbulletin
#set a variable that someone tried to login
#SecRule REQUEST_URI "/login\.php" \
# "pass,nolog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,setvar:tx.brute_vbulletin_login=yes,noauditlog,nolog,id:377400,rev:1,severity:2"
#SecRule ARGS:do "^login$"
#PHP logins
#SecRule REQUEST_URI "/ucp\.php" \
# "chain,pass,nolog,noauditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,setvar:tx.brute_phpbb_login=yes"
#SecRule ARGS:mode "^login$"
#wikimedia
#"POST /wiki/index.php?title=Special:UserLogin&action=submitlogin&type=login&returnto=Main_Page
#SecRule ARGS:title "^special\:userlogin$" \
# "chain,pass,nolog,noauditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,setvar:tx.brute_phpbb_login=yes"
#SecRule ARGS:action "^submitlogin$" chain
#SecRule ARGS:type "^login$"
#SecMarker END_BRUTE_IN

# WordPress: three chained conditions evaluated in phase 5 (logging): the
# method is POST, the URL-decoded, lower-cased URI contains /wp-login.php, and
# the response status matches "200".
# Presumably this relies on WordPress answering a successful login with a
# redirect, so a 200 is read as a failure - confirm. Any other POST to that
# script that is answered with 200 is recorded as a failure too.
SecRule REQUEST_METHOD "@streq POST" \
        "phase:5,chain,t:none,auditlog,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure ',id:'377360',rev:2,severity:'4',tag:'no_ar'"
SecRule REQUEST_URI "/wp-login\.php" "t:none,t:urlDecodeUni,t:lowercase,chain"
SecRule RESPONSE_STATUS "200" "t:none"

# Requests received on port 30000 jump to the END_BRUTE_OUT_1 marker. The
# marker is not defined in this section; presumably it sits after the body
# checks below, which would exempt that port from them.
# NOTE(review): presumably a management interface - confirm.
SecRule SERVER_PORT "@streq 30000" phase:4,id:339854,pass,t:none,nolog,skipAfter:END_BRUTE_OUT_1

# Pre-filter. @pm is a case-insensitive phrase match on the response body.
# If any listed word is present, skip:1 jumps over the SecAction and the
# per-application rules run; if none is present, the SecAction jumps to
# END_BRUTE_OUT (marker not shown in this section).
# Consequence: a failure message that contains none of these words never
# reaches the rules below, so a new per-application rule also needs a keyword
# in this list.
#
# All RESPONSE_BODY rules depend on response-body buffering:
# SecResponseBodyAccess must be On, the response MIME type must be listed in
# SecResponseBodyMimeType, and the failure text must fall within
# SecResponseBodyLimit. Otherwise these rules silently never match.
SecRule RESPONSE_BODY "@pm incorrect Passwort password wrong match valid unrecognized succeed re-type error sorry, messagestackerror error-msg blank usuario" \
        phase:4,id:333862,pass,t:none,nolog,skip:1
SecAction phase:4,id:333318,t:none,pass,nolog,skipAfter:END_BRUTE_OUT

# Per-application failure strings (phase 4, default regex match on the
# response body). ctl:auditLogParts=+E adds audit-log part E (the response
# body) to the record of the matching transaction, so the audit log will hold
# page content and should be protected accordingly.
# None of these rules is tied to a login URL or to the request method: any
# response that contains the text is recorded as a login failure.

#Recaptcha invalid response
#The visual confirmation code you submitted was incorrect
#phpbb login failure
# NOTE(review): in this copy the pattern is split across two lines after
# "visual "; check it against the vendor original, text may be missing there.
SecRule RESPONSE_BODY ">The visual 
confirmation code you submitted was incorrect" \
        "phase:4,t:none,nolog,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Recaptcha invalid code',id:'377410',rev:1,severity:'4',tag:'no_ar'"

# vBulletin login failure (per the rule's msg; the comment in this copy said
# "phpbb login failure"). The pattern stops at "details and", so it is a
# prefix match on the message.
SecRule RESPONSE_BODY "You have entered an invalid username or password\. Please enter the correct details and" \
        "phase:4,t:none,nolog,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: VBulletin Login Attempt Failure ',id:'377300',rev:1,severity:'4',tag:'no_ar'"

#377301
#phpbb login failure
#You have specified an incorrect password. Please check your password and try again.
SecRule RESPONSE_BODY "You have specified an incorrect password\. Please check your password and try again\." \
        "phase:4,t:none,nolog,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: PHPBB Login Attempt Failure ',id:'377301',rev:1,severity:'4',tag:'no_ar'"

#mediawiki
#Incorrect password entered. Please try again
SecRule RESPONSE_BODY "Incorrect password entered\. Please try again\." \
        "phase:4,t:none,nolog,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Wikimedia Login Attempt Failure ',id:'377302',rev:1,severity:'4',tag:'no_ar'"

#sugarcrm
SecRule RESPONSE_BODY "You must specify a valid username and password\." \
        "phase:4,t:none,nolog,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Sugarcrm Administration system Login Attempt Failure ',id:'377303',rev:1,severity:'4',tag:'no_ar'"

# NOTE(review): from here down to the MODX rule (id 377311) this copy is
# damaged: the joomla pattern opens with "(?:" and is never closed, the next
# RESPONSE_BODY pattern has no closing quote, and no action list, id or msg is
# visible for either rule. Restore these rules from the vendor original before
# loading the file; the lines are reproduced here exactly as found.
#joomla
#Use a valid username and password to gain access to the Administrator Back-end
SecRule RESPONSE_BODY "(?:
Make sure to spell your username and password correctly, including upper/lowercase characters.
SecRule RESPONSE_BODY "That account could not be located. Check the username and re-type the password to try again.
The username or password you entered is incorrect. Please check the username, re-type the password, and try again.
SecRule RESPONSE_BODY "The username or password you entered is incorrect\. Please check the username" \
        "phase:4,t:none,nolog,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: MODX password login failure ',id:'377311',rev:1,severity:'4',tag:'no_ar'"
#moodle
#