ModSecurity
ModSecurity is a popular open-source web application firewall (WAF) engine, deployed as a module for Apache httpd, nginx or IIS. It inspects HTTP requests and responses in real time and, driven by its rule language, can protect web applications from a wide range of attacks, including SQL injection, cross-site scripting (XSS) and many others.
Here are the top 20 use cases for blue teams using ModSecurity, along with sample rules. The rules are deliberately minimal: unless a phase is given they run in phase 2 (the default), they use the regular-expression operator (@rx, the default when no operator is named), and regexes match case-sensitively unless written otherwise. Load new rules under SecRuleEngine DetectionOnly first and review the audit log against legitimate traffic before switching to deny.
1. Blocking SQL Injection
Rule:
SecRule ARGS "(?i)SELECT.*FROM" "id:500001,phase:2,deny,status:403,log,msg:'SQL injection pattern'"
Description: Blocks requests whose parameters contain a basic SQL injection pattern (SELECT ... FROM, matched case-insensitively so that select/SeLeCt are not an evasion). This is a teaching example only: it also matches harmless text such as "select an item from the menu", and it misses UNION-, boolean- and time-based payloads. For production use prefer the @detectSQLi operator (libinjection) or the OWASP Core Rule Set.
2. Blocking Cross-Site Scripting (XSS)
Rule:
SecRule ARGS "(?i)<script" "id:500002,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,deny,status:403,log,msg:'XSS pattern'"
Description: Blocks requests whose parameters contain a basic XSS pattern. The literal "<script>" is trivially evaded (<ScRiPt>, <script src=...>, event handlers such as onerror=), so the rule matches the tag prefix case-insensitively after URL and HTML-entity decoding; @detectXSS (libinjection) is the more robust option.
3. Blocking Command Injection
Rule:
SecRule ARGS ";|&|`" "id:500003,phase:2,deny,status:403,log,msg:'Shell metacharacter in parameter'"
Description: Blocks requests whose parameters contain shell metacharacters (;, & or a backtick) that could chain a system command. Expect false positives: any free-text field containing "Tom & Jerry" or a semicolon is rejected, and the rule ignores other separators such as |, $( ) and newlines. Narrow it to the parameters that actually reach a shell, or match a metacharacter followed by a command name.
4. Blocking Local File Inclusion (LFI)
Rule:
SecRule ARGS "/etc/passwd" "id:500004,phase:2,t:none,t:urlDecodeUni,t:normalizePath,deny,status:403,log,msg:'LFI attempt'"
Description: Blocks attempts to read the /etc/passwd file through a parameter. The transformations decode URL-encoded characters and collapse ../ and // sequences, so ..%2f..%2fetc/passwd and /etc//passwd are caught as well; extend the pattern to other targets such as /etc/shadow and /proc/self/environ.
5. Blocking Remote File Inclusion (RFI)
Rule:
SecRule ARGS "^(?i:https?|ftp)://" "id:500005,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'RFI attempt'"
Description: Blocks attempts to include remote files by passing a URL as a parameter value. Matching "http://" anywhere in any parameter would also block legitimate values such as redirect targets and pasted links, so the pattern is anchored to the start of the value and matches https and ftp too. In practice restrict it to the parameters an include() actually reads (for example ARGS:page) rather than all of ARGS.
6. Blocking Common Web Shells
Rule:
SecRule ARGS|REQUEST_URI "(?i)c99shell|phpshell" "id:500006,phase:2,deny,status:403,log,msg:'Web shell indicator'"
Description: Blocks requests that name common web shells (c99shell, phpshell) in a parameter or in the request path, case-insensitively. Attackers rename shells freely, so treat this as a low-cost indicator rather than a control, and pair it with the upload rule below.
7. Blocking User Agents Associated with Scanners
Rule:
SecRule REQUEST_HEADERS:User-Agent "(?i)nikto|sqlmap" "id:500007,phase:1,deny,status:403,log,msg:'Scanner User-Agent'"
Description: Blocks requests from common vulnerability scanners by User-Agent, matched case-insensitively in phase 1 (headers are available before the body is read). Any scanner can set an arbitrary User-Agent, so this only stops default configurations.
8. Blocking Suspicious IP Addresses
Rule:
SecRule REMOTE_ADDR "@ipMatch 192.168.1.10" "id:500008,phase:1,deny,status:403,log,msg:'Blocked source address'"
Description: Blocks a specific IP address. @ipMatch is preferred over an anchored regex because it accepts comma-separated lists and CIDR ranges (for example 192.168.1.10,10.0.0.0/8). Behind a reverse proxy or load balancer REMOTE_ADDR is the proxy's address, so restore the real client address in the web server first (for example with Apache's mod_remoteip) and only trust a forwarding header that your own proxy sets.
9. Blocking HTTP Methods
Rule:
SecRule REQUEST_METHOD "^(?:TRACE|DELETE|TRACK)$" "id:500009,phase:1,deny,status:405,log,msg:'Method not allowed'"
Description: Blocks the TRACE, DELETE and TRACK HTTP methods. The expression is anchored at both ends so it cannot match a longer method name by prefix. An allowlist ("!@within GET HEAD POST OPTIONS") is usually safer than a denylist, and DELETE must stay enabled for REST APIs that use it.
10. Blocking Requests with No User-Agent
Rule:
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "id:500010,phase:1,deny,status:403,log,msg:'Missing User-Agent header'"
Description: Blocks requests that don't have a User-Agent header. The counter form (&REQUEST_HEADERS:User-Agent) is required: a rule on the header's value, such as "^$", is only evaluated when the header is present, so it can detect an empty User-Agent but never an absent one. Many monitoring probes and internal clients send no User-Agent, so allowlist them first.
11. Blocking Requests with High Request Length
Rule:
SecRule REQUEST_HEADERS:Content-Length "@gt 5000" "id:500011,phase:1,deny,status:413,log,msg:'Request body too large'"
Description: Blocks requests that declare a body larger than 5000 bytes. That is a very low limit (any file upload or large form exceeds it), so size it to the application. The header is absent on chunked requests, so enforce the limit on the actual body as well with SecRequestBodyLimit together with SecRequestBodyLimitAction Reject.
12. Blocking Suspicious Query Strings
Rule:
SecRule QUERY_STRING "base64_encode" "id:500012,phase:1,deny,status:403,log,msg:'PHP function name in query string'"
Description: Blocks requests containing `base64_encode` (a PHP function commonly seen in obfuscated injection payloads) in the query string. POST bodies are not covered by QUERY_STRING, so use ARGS to inspect both; extend the pattern to related names such as base64_decode, eval and system, and expect rare false positives from developer-facing pages that carry code in parameters.
13. Blocking Suspicious File Uploads
Rule:
SecRule FILES "(?i)\.(?:php[3-7]?|phtml|phar|asp|aspx|jsp|exe)$" "id:500013,phase:2,deny,status:403,log,msg:'Forbidden upload extension'"
Description: Blocks file uploads whose original file name ends in an executable or server-side script extension, matched case-insensitively. The FILES collection holds the uploaded file names; FILES_NAMES holds the names of the form fields, so a rule on FILES_NAMES would not see the file name at all. Requires SecRequestBodyAccess On, and is bypassed by any extension outside the list, so prefer an allowlist of permitted extensions where the application allows it.
14. Blocking Multiple URL Encodings
Rule:
SecRule ARGS "%[0-9a-fA-F]{2}" "id:500014,phase:2,t:none,deny,status:403,log,msg:'Double URL encoding'"
Description: Blocks requests with multiple URL encodings. ARGS values are already URL-decoded once when ModSecurity parses them, so a remaining %XX escape means the value was encoded twice (for example %252e%252e%252f, which decodes to %2e%2e%2f, for ../). The literal "%%" would only catch a value containing two consecutive percent signs, which double encoding does not produce.
15. Blocking Suspicious Cookies
Rule:
SecRule REQUEST_COOKIES "malicious_value" "id:500015,phase:1,deny,status:403,log,msg:'Known-bad cookie value'"
Description: Blocks requests whose cookies contain a known-bad value; `malicious_value` is a placeholder for an indicator taken from your own investigations (for example a session token seen in an incident). To match one specific cookie use REQUEST_COOKIES:name; for long indicator lists use @pmFromFile with one entry per line.
16. Blocking Suspicious Referers
Rule:
SecRule REQUEST_HEADERS:Referer "malicious_domain" "id:500016,phase:1,deny,status:403,log,msg:'Suspicious Referer'"
Description: Blocks requests whose Referer header names a suspicious domain (`malicious_domain` is a placeholder). Referer is client-controlled and often absent, so this is useful against referrer spam and phishing kits hot-linking your pages, not as an access control.
17. Blocking Suspicious User-Agent Strings
Rule:
SecRule REQUEST_HEADERS:User-Agent "(?i)malicious_bot" "id:500017,phase:1,deny,status:403,log,msg:'Suspicious User-Agent'"
Description: Blocks requests whose User-Agent matches a suspicious string (`malicious_bot` is a placeholder). Like rule 7, this relies on the client announcing itself honestly; maintain the list of names in a file and load it with @pmFromFile rather than growing the regex.
18. Blocking Suspicious Response Content
Rule:
SecRule RESPONSE_BODY "malicious_content" "id:500018,phase:4,deny,status:403,log,msg:'Suspicious response content'"
Description: Blocks responses containing suspicious content (`malicious_content` is a placeholder, for example a stack-trace string or the contents of a leaked file). RESPONSE_BODY is only populated in phase 4, so the phase must be set explicitly; without it the rule runs in phase 2 against an empty variable and never matches. SecResponseBodyAccess On and a SecResponseBodyMimeType list covering the content types to inspect must also be configured. Denying here replaces the already-generated response with a 403.
19. Blocking Directory Traversal Attacks
Rule:
SecRule ARGS|REQUEST_URI "(?:^|[\x5c/])\.\.(?:[\x5c/]|$)" "id:500019,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Path traversal'"
Description: Blocks directory traversal patterns (../ and ..\, including URL-encoded forms such as %2e%2e%2f) in parameters and in the request path. The bare pattern "\.\./" on ARGS alone would miss backslash traversal against Windows targets and traversal carried in the URI itself.
20. Blocking Requests to Sensitive Directories
Rule:
SecRule REQUEST_URI "^/admin/" "id:500020,phase:1,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,deny,status:403,log,msg:'Blocked admin path'"
Description: Blocks all requests to the `/admin/` directory, including encoded and mixed-case forms such as /%61dmin/ or /Admin/. This also locks out the legitimate administrators; in practice the rule is chained with a REMOTE_ADDR condition (add chain, then a second SecRule with "!@ipMatch <management range>") so that only requests from outside the management network are denied.
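As an added example (not from the page or the ModSecurity project), the following configuration fragment consolidates the twenty rules above into a form closer to what a blue team would deploy: every rule carries an explicit phase, a t:none reset followed by the transformations it needs, a msg and, where useful, logdata so the audit log shows what matched; regexes are case-insensitive; lists use the @pm, @pmFromFile, @ipMatch and @within operators instead of growing alternations; and the engine settings the rules rely on sit at the top. It reuses the page's rule IDs (plus 500021, assumed unused) so each rule maps to its original, which means it replaces the originals rather than coexisting with them, since ModSecurity rejects duplicate IDs. The file paths, the allowlisted address ranges, the ARGS:page/ARGS:file parameter names, the indicator lists and the root:x:0:0: response indicator are assumptions to be replaced with your own values.

```apacheconf
# Engine settings the rules depend on (main modsecurity.conf; paths assumed).
# Log only while tuning; switch to On afterwards.
SecRuleEngine DetectionOnly
# POST parameters and uploads (rules 1-6, 12-14).
SecRequestBodyAccess On
# RESPONSE_BODY inspection (rule 18).
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml application/json
# Body cap enforced on the real body rather than a header (rule 11).
SecRequestBodyLimit 13107200
SecRequestBodyLimitAction Reject
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLog /var/log/modsec_audit.log

# 1-2. SQLi and XSS with libinjection instead of one case-sensitive regex.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@detectSQLi" \
    "id:500001,phase:2,t:none,t:urlDecodeUni,t:removeNulls,deny,status:403,log,\
    msg:'SQL injection detected',logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',tag:'attack-sqli'"
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@detectXSS" \
    "id:500002,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,deny,status:403,log,\
    msg:'XSS detected',logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',tag:'attack-xss'"

# 3. Command injection: a shell separator followed by a command name, so that
# "Tom & Jerry" or "a;b" in a free-text field does not trip the rule.
SecRule ARGS "@rx (?i)(?:;|\||`|\$\(|&&)\s*(?:cat|ls|id|whoami|uname|wget|curl|nc|bash|sh|python)\b" \
    "id:500003,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Command injection pattern',tag:'attack-rce'"

# 4-5. LFI targets beyond /etc/passwd; RFI only on the parameters an include reads
# (ARGS:page and ARGS:file are assumed application parameter names).
SecRule ARGS "@rx (?i)(?:etc/(?:passwd|shadow|group)|proc/self/environ|boot\.ini|win\.ini)" \
    "id:500004,phase:2,t:none,t:urlDecodeUni,t:normalizePath,deny,status:403,log,msg:'LFI target path',tag:'attack-lfi'"
SecRule ARGS:page|ARGS:file "@rx ^(?i:https?|ftp|php|data):" \
    "id:500005,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Remote or stream URL in include parameter',tag:'attack-rfi'"

# 6. Web shell names: @pm is case-insensitive and cheaper than a growing alternation.
SecRule ARGS|REQUEST_URI|REQUEST_HEADERS:User-Agent "@pm c99shell phpshell r57shell b374k" \
    "id:500006,phase:2,t:none,deny,status:403,log,msg:'Web shell indicator',tag:'attack-webshell'"

# 7 and 10. Scanner agents in phase 1; an absent header needs the & counter
# (a value test such as "^$" is skipped when the header does not exist).
SecRule REQUEST_HEADERS:User-Agent "@pm nikto sqlmap masscan dirbuster gobuster" \
    "id:500007,phase:1,t:none,deny,status:403,log,msg:'Scanner User-Agent'"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:500010,phase:1,t:none,deny,status:403,log,msg:'Missing User-Agent header'"
# Assumed-free ID for the separate empty-header case.
SecRule REQUEST_HEADERS:User-Agent "@rx ^\s*$" \
    "id:500021,phase:1,t:none,deny,status:403,log,msg:'Empty User-Agent header'"

# 8-9. Address lists with CIDRs (203.0.113.0/24 is RFC 5737 documentation space)
# and a method allowlist instead of a denylist.
SecRule REMOTE_ADDR "@ipMatch 192.168.1.10,203.0.113.0/24" \
    "id:500008,phase:1,t:none,deny,status:403,log,msg:'Blocked source address'"
SecRule REQUEST_METHOD "!@within GET HEAD POST OPTIONS" \
    "id:500009,phase:1,t:none,deny,status:405,log,msg:'HTTP method not allowed'"

# 12. PHP function names in any parameter, not only the query string.
SecRule ARGS "@pm base64_encode base64_decode eval( shell_exec passthru system(" \
    "id:500012,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'PHP function name in parameter'"

# 13. FILES holds uploaded file names (FILES_NAMES holds the form field names).
SecRule FILES "@rx (?i)\.(?:php[3-7]?|phtml|phar|asp|aspx|jsp|jspx|exe|dll)$" \
    "id:500013,phase:2,t:none,deny,status:403,log,msg:'Forbidden upload extension',logdata:'%{MATCHED_VAR}'"

# 14. ARGS are decoded once by the engine; a leftover %XX means double encoding.
SecRule ARGS "@rx %[0-9a-fA-F]{2}" \
    "id:500014,phase:2,t:none,deny,status:403,log,msg:'Double URL encoding',logdata:'%{MATCHED_VAR}'"

# 15-17. Indicator lists (cookie values, referer domains, bot names) kept in a file,
# one phrase per line, so they are updated without touching the rules (path assumed).
SecRule REQUEST_COOKIES|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@pmFromFile /etc/modsecurity/indicators.txt" \
    "id:500015,phase:1,t:none,deny,status:403,log,msg:'Known-bad indicator',logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"

# 18. RESPONSE_BODY is populated in phase 4 only. Assumed indicator: the root line of /etc/passwd.
SecRule RESPONSE_BODY "@rx root:x:0:0:" \
    "id:500018,phase:4,t:none,deny,status:403,log,msg:'/etc/passwd content in response'"

# 19. Traversal with both separators, in parameters and in the raw URI.
SecRule ARGS|REQUEST_URI "@rx (?:^|[\x5c/])\.\.(?:[\x5c/]|$)" \
    "id:500019,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Path traversal',logdata:'%{MATCHED_VAR}'"

# 20. /admin/ stays reachable from the management network (ranges assumed). Both
# rules of the chain must match; the disruptive action sits on the first rule.
SecRule REQUEST_URI "@beginsWith /admin/" \
    "id:500020,phase:1,t:none,t:urlDecodeUni,t:normalizePath,t:lowercase,deny,status:403,log,\
    msg:'Admin path from non-allowlisted address',chain"
    SecRule REMOTE_ADDR "!@ipMatch 10.0.0.0/8,192.168.0.0/16"
```

Load the fragment with SecRuleEngine DetectionOnly, exercise the application (including a request with no User-Agent, a double-encoded ../ parameter and an upload named shell.PHP), review /var/log/modsec_audit.log for hits on legitimate traffic, then switch the engine to On. The @detectSQLi and @detectXSS operators need a ModSecurity build with libinjection (2.8 or later, or v3/libmodsecurity); on older builds fall back to the regex rules from the list above.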