Links

Modsecurity

ModSecurity is a popular open-source web application firewall (WAF). It can be used to protect web applications from a wide range of attacks, including SQL injection, cross-site scripting (XSS), and many others, by monitoring HTTP traffic in real-time.
Here are the top 20 use cases for blue teams using ModSecurity, along with sample rules and commands:

1. Blocking SQL Injection

  • Rule:
    SecRule ARGS "SELECT.*FROM" "id:500001,deny,status:403"
  • Description: Blocks requests containing basic SQL injection patterns.

2. Blocking Cross-Site Scripting (XSS)

  • Rule:
    SecRule ARGS "<script>" "id:500002,deny,status:403"
  • Description: Blocks requests containing basic XSS patterns.

3. Blocking Command Injection

  • Rule:
    SecRule ARGS ";|&|`" "id:500003,deny,status:403"
  • Description: Blocks requests that attempt to execute system commands.

4. Blocking Local File Inclusion (LFI)

  • Rule:
    SecRule ARGS "/etc/passwd" "id:500004,deny,status:403"
  • Description: Blocks attempts to read the /etc/passwd file.

5. Blocking Remote File Inclusion (RFI)

  • Rule:
    SecRule ARGS "http://" "id:500005,deny,status:403"
  • Description: Blocks attempts to include remote files.

6. Blocking Common Web Shells

  • Rule:
    SecRule ARGS "c99shell|phpshell" "id:500006,deny,status:403"
  • Description: Blocks common web shell patterns.

7. Blocking User Agents Associated with Scanners

  • Rule:
    SecRule REQUEST_HEADERS:User-Agent "nikto|sqlmap" "id:500007,deny,status:403"
  • Description: Blocks requests from common vulnerability scanners.

8. Blocking Suspicious IP Addresses

  • Rule:
    SecRule REMOTE_ADDR "^192\.168\.1\.10$" "id:500008,deny,status:403"
  • Description: Blocks a specific IP address.

9. Blocking HTTP Methods

  • Rule:
    SecRule REQUEST_METHOD "^(TRACE|DELETE|TRACK)" "id:500009,deny,status:405"
  • Description: Blocks TRACE, DELETE, and TRACK HTTP methods.

10. Blocking Requests with No User-Agent

Rule:
SecRule REQUEST_HEADERS:User-Agent "^$" "id:500010,deny,status:403"
Description: Blocks requests that don't have a User-Agent header.

11. Blocking Requests with High Request Length

Rule:
SecRule REQUEST_HEADERS:Content-Length "@gt 5000" "id:500011,deny,status:413"
Description: Blocks requests with a content length greater than 5000.

12. Blocking Suspicious Query Strings

Rule:
SecRule QUERY_STRING "base64_encode" "id:500012,deny,status:403"
Description: Blocks requests containing `base64_encode` in the query string.

13. Blocking Suspicious File Uploads

Rule:
SecRule FILES_NAMES "(\.php|\.asp|\.exe)$" "id:500013,deny,status:403"
Description: Blocks file uploads with suspicious extensions.

14. Blocking Multiple URL Encodings

Rule:
SecRule ARGS "%%" "id:500014,deny,status:403"
Description: Blocks requests with multiple URL encodings.

15. Blocking Suspicious Cookies

Rule:
SecRule REQUEST_COOKIES "malicious_value" "id:500015,deny,status:403"
Description: Blocks requests with suspicious cookie values.

16. Blocking Suspicious Referers

Rule:
SecRule REQUEST_HEADERS:Referer "malicious_domain" "id:500016,deny,status:403"
Description: Blocks requests from suspicious referers.

17. Blocking Suspicious User-Agent Strings

Rule:
SecRule REQUEST_HEADERS:User-Agent "malicious_bot" "id:500017,deny,status:403"
Description: Blocks requests with suspicious User-Agent strings.

18. Blocking Suspicious Response Content

Rule:
SecRule RESPONSE_BODY "malicious_content" "id:500018,deny,status:403"
Description: Blocks responses containing suspicious content.

19. Blocking Directory Traversal Attacks

Rule:
SecRule ARGS "\.\./" "id:500019,deny,status:403"
Description: Blocks directory traversal patterns.

20. Blocking Requests to Sensitive Directories

Rule:
SecRule REQUEST_URI "^/admin/" "id:500020,deny,status:403"
Description: Blocks requests to the `/admin/` directory.