FILE: C:\Program Files (x86)\Plesk\ModSecurity\rules\atomic.backup\modsec\01_asl_content.conf

--
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Created by Prometheus Global (http://www.prometheus-group.com)
# Copyright 2005-2011 by Prometheus Global, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is 
# prohibited unless prior written permission is obtained from the 
# copyright holder. 
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS   
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE   
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE   
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE   
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR   
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF   
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS   
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN   
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)   
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF   
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#

# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#
SecAction "phase:1,id:'333792',t:none,nolog,pass, \
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|text/html|application/x-mal-client-data|application/octet-stream|text/plain|application/soap xml|application/soap+xml|application/json|application/json-rpc|application/vnd.svn-svndiff|image/jpeg|application/vnd.ms-sync.wbxml|message/rfc822|application/x-java-serialized-object|text/calendar|image/png|image/gif|image/jpg|application/x-fcs'


#restrict content types to prevent possible bypass attacks
SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "phase:1,t:none,chain,pass,nolog,id:'333791',severity:'4'"
SecRule TX:0 "!@within %{tx.allowed_request_content_type}" "t:none,ctl:forceRequestBodyVariable=On"

SecRule REQUEST_HEADERS:Content-Type "^(?:(?:text|application)/xml|application/soap)" \
        "id:334357,rev:2,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

#ModSecurity parses only three content types:
#      application/x-www-form-urlencoded, multipart/form-data request and 
#      text/xml. 
#
#      The protection provided for any other type is inferior.
SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:2,chain,t:none,deny,status:403,msg:'Atomicorp.com WAF Rules: Request content type is not allowed by policy',id:'391213',severity:'4',logdata:'%{matched_var}'"
        SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" "chain,capture"
                                SecRule TX:0 "!^%{tx.allowed_request_content_type}$" "t:none,ctl:forceRequestBodyVariable=On"


--