-- Data migration for a ModSecurity rule store.
--
-- Statement 1 sets conf.value to 1.98 on the row whose var is version.
-- Every following statement overwrites filter.rules (the full rule-set text)
-- for one row selected by filter.name. Rows targeted in the visible part of
-- the script: Outbound, Protocol violations, Protocol anomalies, HTTP policy,
-- Bad robots, Generic attacks. A further UPDATE follows them.
--
-- The first rule set (row Outbound) holds response-side rules: its
-- SecDefaultAction is log,pass at phase:4 with status 501, and the individual
-- SecRule RESPONSE_BODY entries add deny plus their own status where they block.
-- NOTE(review): RESPONSE_BODY rules presumably only fire when response body
-- inspection is enabled in the engine (SecResponseBodyAccess); nothing in the
-- visible rule text enables it, so confirm in the deployment configuration.
--
-- NOTE(review): no BEGIN/COMMIT is visible here. Unless the caller wraps the
-- script in a transaction, a failure part-way leaves conf reporting 1.98 while
-- only some rule sets were replaced. Confirm how the script is applied.
-- NOTE(review): each UPDATE matches by name and changes nothing if that row is
-- absent; check affected-row counts after applying so a missing rule set is
-- not mistaken for an updated one.
-- NOTE(review): the literals combine backslash sequences (backslash-doublequote,
-- double backslash) with backslash followed by two single quotes. How that is
-- decoded depends on whether the target engine treats backslash as an escape
-- character. Verify the stored text on the target database and that the
-- engine still loads it as valid rules.
UPDATE conf SET value='1.98' WHERE var='version'; UPDATE filter SET rules=' # --------------------------------------------------------------- # Core ModSecurity Rule Set # Copyright (C) 2006 Breach Security Inc. All rights reserved. # # The ModSecuirty Core Rule Set is distributed under GPL version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # NOTE By default the status code sent is 501, which implies that the web # server does not support the required operation. This is a non standard # of this status code which normally refers to unsupported HTTP methods. # It is used in order to confuse automated clients and scanners. SecDefaultAction \"log,pass,status:501,phase:4\" SecRule RESPONSE_BODY \"\\b(?:Th(?:is (?:summary was generated by .{0,100}? (?:w(?:ebcruncher|wwstat)|analog|Jware)|analysis was produced by .{0,100}? (?:calamaris|EasyStat|analog)|report was generated by WebLog)|ese statistics were produced by (?:getstats|PeLAB))|[gG]enerated by [Ww]ebalizer)\\b\" \\ \"ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:\''Statistics Information Leakage\'',,id:\''970002\'',severity:\''4\''\" SecRule RESPONSE_BODY \"\\b(?:(?:s(?:elect list because it is not contained in (?:an aggregate function and there is no|either an aggregate function or the) GROUP BY clause|upplied argument is not a valid (?:(?:M(?:S |y)|Postgre)SQL|O(?:racle|DBC)))|S(?:yntax error converting the \\w+ value .*? to a column of data type|QL Server does not exist or access denied)|Either BOF or EOF is True, or the current record has been deleted(?:; the operation|\\. Requested)|The column prefix .{0,50}? does not match with a table name or alias name used in the query|Could not find server \''\\w+\'' in sysservers\\. 
execute sp_addlinkedserver)\\b|(?:(?:Microsoft OLE DB Provider for .{0,30} [eE]rro|You have an error in your SQL syntax nea)r |error \''800a01b8)\''|Un(?:closed quotation mark before the character string\\b|able to connect to PostgreSQL server:)|(?:Warning: mysql_connect\\(\\)|PostgreSQL query failed):|cannot take a \\w+ data type as an argument\\.|incorrect syntax near (?:\\\''|the\\b|@@error\\b)|microsoft jet database engine error \''8|(?:\\[Microsoft\\]\\[ODBC|ORA-\\d{5}:) )\" \\ \"ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:\''SQL Information Leakage\'',,id:\''970003\'',severity:\''4\''\" SecRule RESPONSE_BODY \"(?:\\b(?:A(?:DODB\\.Command\\b.{0,100}?\\b(?:Application uses a value of the wrong type for the current operation\\b|error\'')| trappable error occurred in an external object\\. The script cannot continue running\\b)|Microsoft VBScript (?:compilation (?:\\(0x8|error)|runtime (?:Error|\\(0x8))\\b|Object required: \''|error \''800)|Version Information:<\\/b>(?: |\\s)(?:Microsoft \\.NET Framework|ASP\\.NET) Version:|(?:\\/[Ee]rror[Mm]essage\\.aspx?\\?[Ee]rror|>error \''ASP)\\b)\" \\ \"ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:\''IIS Information Leakage\'',,id:\''970004\'',severity:\''4\''\" SecRule RESPONSE_BODY \"\\bServer Error in.{0,50}?\\bApplication\\b\" \\ \"chain,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:\''IIS Information Leakage\'',,id:\''970904\'',severity:\''4\''\" SecRule RESPONSE_STATUS \"!^404$\" SecRule RESPONSE_BODY \"\\ban error was encountered while publishing this resource\\b\" \\ \"ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:\''Zope Information Leakage\'',,id:\''970007\'',severity:\''4\''\" SecRule RESPONSE_BODY \"\\bthe error occurred in\\b.{0,100}\\: line\\b.{0,1000}\\bcoldfusion\\b.*?\\bstack trace \\(click to expand\\)\\b\" \\ \"ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:\''Cold Fusion Information Leakage\'',,id:\''970008\'',severity:\''4\''\" SecRule RESPONSE_BODY 
\"\\warning\\<\\/b\\>\\:\\b\\W*?\\bon line\\b\" \\ \"ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:\''PHP Information Leakage\'',,id:\''970009\'',severity:\''4\''\" SecRule RESPONSE_BODY \"\\b403 forbidden\\b\\W*?\\binternet security and acceleration server\\b\" \\ \"ctl:auditLogParts=+E,log,auditlog,msg:\''ISA server existence revealed\'',,id:\''970010\'',severity:\''4\''\" SecRule RESPONSE_BODY \"\\b\\b\" \\ \"log,auditlog,msg:\''Microsoft Word document properties leakage\'',,id:\''970012\'',severity:\''4\''\" SecRule RESPONSE_BODY \"(?:>\\[To Parent Directory\\]<\\/[Aa]>
|Index of.*?<h1>Index of)\" \\ \"ctl:auditLogParts=+E,deny,log,auditlog,status:403,msg:\''Directory Listing\'',,id:\''970013\'',severity:\''4\''\" SecRule RESPONSE_BODY \"(?:\\b(?:(?:s(?:erver\\.(?:(?:(?:htm|ur)lencod|execut)e|createobject|mappath)|cripting\\.filesystemobject)|(?:response\\.(?:binary)?writ|vbscript\\.encod)e|wscript\\.(?:network|shell))\\b|javax\\.servlet|<jsp:)|\\.(?:(?:(?:createtex|ge)t|loadfrom)file|addheader)\\b)\" \\ \"ctl:auditLogParts=+E,log,auditlog,msg:\''ASP/JSP source code leakage\'',,id:\''970014\'',severity:\''4\''\" SecRule RESPONSE_BODY \"\\<\\%\" \"chain,ctl:auditLogParts=+E,log,auditlog,msg:\''ASP/JSP source code leakage\'',,id:\''970903\'',severity:\''4\''\" SecRule RESPONSE_BODY \"!(?:\\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\\b|r(?:iff\\b|ar!B)|gif)|B(?:%pdf|\\.ra)\\b)\" SecRule RESPONSE_BODY \"(?:\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\\$_(?:(?:pos|ge)t|session))\\b\" \\ \"ctl:auditLogParts=+E,log,auditlog,msg:\''PHP source code leakage\'',,id:\''970015\'',severity:\''4\''\" SecRule RESPONSE_BODY \"<\\?(?!xml)\" \\ \"chain,ctl:auditLogParts=+E,log,auditlog,msg:\''PHP source code leakage\'',,id:\''970902\'',severity:\''4\''\" SecRule RESPONSE_BODY \"!(?:\\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\\b|r(?:iff\\b|ar!B)|gif)|B(?:%pdf|\\.ra)\\b)\" SecRule RESPONSE_BODY \"\\b<cf\" \\ \"ctl:auditLogParts=+E,log,auditlog,msg:\''Cold Fusion source code leakage\'',,id:\''970016\'',severity:\''4\''\" SecRule RESPONSE_BODY \"[a-z]:\\\\\\\\inetpub\\b\" \\ \"t:none,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:\''IIS installed in default location\'',,id:\''970018\'',severity:\''5\'',chain\" SecRule &RESOURCE:alerted_970018_iisDefLoc \"@eq 0\" \"setvar:resource.alerted_970018_iisDefLoc\" SecRule RESPONSE_STATUS 
\"^503$\" \"ctl:auditLogParts=+E,log,auditlog,msg:\''The application is not available\'',,id:\''970901\'',severity:\''5\''\" SecRule RESPONSE_BODY \"(?:(?:<h1>internal server error<\\/h1>.*?<h2>part of the server has crashed or it has a configuration error\\.<\\/h2|microsoft ole db provider for sql server \\(0x80040e31\\)<br>timeout expired<br)>|cannot connect to the server: timed out)\" \\ \"ctl:auditLogParts=+E,log,auditlog,msg:\''The application is not available\'',,id:\''970118\'',severity:\''5\''\" SecRule RESPONSE_STATUS \"^500$\" \"chain,ctl:auditLogParts=+E,log,auditlog,msg:\''WebLogic information disclosure\'',,id:\''970021\'',severity:\''4\''\" SecRule RESPONSE_BODY \"<title>JSP compile error<\\/title>\" t:none ' WHERE name='Outbound'; UPDATE filter SET rules='# --------------------------------------------------------------- # Core ModSecurity Rule Set # Copyright (C) 2006 Breach Security Inc. All rights reserved. # # The ModSecuirty Core Rule Set is distributed under GPL version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # TODO in some cases a valid client (usually automated) generates requests that # violates the HTTP protocol. Create exceptions for those clients, but try # to limit the exception to a source IP or other additional properties of # the request such as URL and not allow the violation generally. # # # Use status code 400 response status code by default as protocol violations # are in essence bad requests. 
SecDefaultAction \"log,pass,phase:2,status:400\" # Validate request line # SecRule REQUEST_LINE \"!^[a-z]{3,10}\\s*(?:\\w{3,7}?\\:\\/\\/[\\w\\-\\.\\/]*)??\\/[\\w\\-\\.\\/~%:@&=+$,;]*(?:\\?[\\S]*)??\\s*http\\/\\d\\.\\d$\" \\ \"t:none,t:lowercase,deny,log,auditlog,status:400,msg:\''Invalid HTTP Request Line\'',,id:\''960911\'',severity:\''2\''\" # HTTP Request Smuggling # SecRule REQUEST_HEADERS:\''/(Content-Length|Transfer-Encoding)/\'' \",\" \"deny,log,auditlog,status:400,msg:\''HTTP Request Smuggling Attack.\'',,id:\''950012\'',severity:\''1\''\" # Block request with malformed content. # ModSecurity will not inspect these, but the server application might do so # SecRule REQBODY_PROCESSOR_ERROR \"!@eq 0\" \"t:none,deny,log,auditlog,status:400,msg:\''Invalid request body\'',,id:\''960912\'',severity:\''2\''\" # Accept only digits in content length # SecRule REQUEST_HEADERS:Content-Length \"!^\\d+$\" \"deny,log,auditlog,status:400,msg:\''Content-Length HTTP header is not numeric\'', severity:\''2\'',,id:\''960016\'',\" # Do not accept GET or HEAD requests with bodies # HTTP standard allows GET requests to have a body but this # feature is not used in real life. Attackers could try to force # a request body on an unsuspecting web applications. # SecRule REQUEST_METHOD \"^(?:GET|HEAD)$\" \"chain,deny,log,auditlog,status:400,msg:\''GET or HEAD requests with bodies\'', severity:\''2\'',,id:\''960011\'',\" SecRule REQUEST_HEADERS:Content-Length \"!^0?$\" # Require Content-Length to be provided with every POST request. # SecRule REQUEST_METHOD \"^POST$\" \"chain,deny,log,auditlog,status:400,msg:\''POST request must have a Content-Length header\'',,id:\''960012\'',severity:\''4\''\" SecRule &REQUEST_HEADERS:Content-Length \"@eq 0\" # Don\''t accept transfer encodings we know we don\''t know how to handle # # NOTE ModSecurity does not support chunked transfer encodings at # this time. You MUST reject all such requests. 
# SecRule REQUEST_HEADERS:Transfer-Encoding \"!^$\" \"deny,log,auditlog,status:501,msg:\''ModSecurity does not support transfer encodings\'',,id:\''960013\'',severity:\''3\''\" # Check decodings SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \"@validateUrlEncoding\" \\ \"chain, deny,log,auditlog,status:400,msg:\''URL Encoding Abuse Attack Attempt\'',,id:\''950107\'',severity:\''4\''\" SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \"\\%(?!$|\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})\" SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \"@validateUtf8Encoding\" \"deny,log,auditlog,status:400,msg:\''UTF8 Encoding Abuse Attack Attempt\'',,id:\''950801\'',severity:\''4\''\" # Disallow use of full-width unicode SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \"\\%u[fF]{2}[0-9a-fA-F]{2}\" \\ \"t:none,deny,log,auditlog,status:400,msg:\''Unicode Full/Half Width Abuse Attack Attempt\'',,id:\''950116\'',severity:\''4\''\" # Proxy access attempt # NOTE Apache blocks such access by default if not set as a proxy. The rule is # included in case Apache proxy is misconfigured. SecRule REQUEST_URI_RAW ^\\w+:/ \"deny,log,auditlog,status:400,msg:\''Proxy access attempt\'', severity:\''2\'',,id:\''960014\'',\" # # Restrict type of characters sent # # NOTE In order to be broad and support localized applications this rule # only validates that NULL Is not used. # # The strict policy version also validates that protocol and application # generated fields are limited to printable ASCII. # # TODO If your application use the range 32-126 for parameters. 
# SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \\ \"@validateByteRange 1-255\" \\ \"deny,log,auditlog,status:400,msg:\''Invalid character in request\'',,id:\''960018\'',severity:\''4\'',t:urlDecodeUni\" SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Referer \"@validateByteRange 1-255\" \\ \"deny,log,auditlog,status:400,msg:\''Invalid character in request\'',,id:\''960901\'',severity:\''4\'',t:urlDecodeUni\" ' WHERE name='Protocol violations'; UPDATE filter SET rules='# --------------------------------------------------------------- # Core ModSecurity Rule Set # Copyright (C) 2006 Breach Security Inc. All rights reserved. # # The ModSecuirty Core Rule Set is distributed under GPL version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # TODO in some cases a valid client (usually automated) generates requests that # violates the HTTP protocol. Create exceptions for those clients, but try # to limit the exception to a source IP or other additional properties of # the request such as URL and not allow the violation generally. # # Use status code 400 response status code by default as protocol violations # are in essence bad requests. SecDefaultAction \"log,pass,phase:2,status:400\" # Do not accept requests without common headers. # # Implies either an attacker or a legitimate automation client. 
# SecRule REQUEST_URI \"^/$\" \"chain,skip:4\" SecRule REMOTE_ADDR \"^127\\.0\\.0\\.1$\" \"chain\" SecRule REQUEST_HEADERS:User-Agent \"^Apache.*\\(internal dummy connection\\)$\" \"t:none\" SecRule &REQUEST_HEADERS:Host \"@eq 0\" \\ \"skip:1,log,auditlog,msg:\''Request Missing a Host Header\'',,id:\''960008\'',severity:\''4\''\" SecRule REQUEST_HEADERS:Host \"^$\" \\ \"log,auditlog,msg:\''Request Missing a Host Header\'',,id:\''960008\'',severity:\''4\''\" SecRule &REQUEST_HEADERS:Accept \"@eq 0\" \\ \"chain,skip:1,log,auditlog,msg:\''Request Missing an Accept Header\'', severity:\''2\'',,id:\''960015\'',\" SecRule REQUEST_METHOD \"!^OPTIONS$\" \"t:none\" SecRule REQUEST_HEADERS:Accept \"^$\" \\ \"chain,log,auditlog,msg:\''Request Missing an Accept Header\'', severity:\''2\'',,id:\''960015\'',\" SecRule REQUEST_METHOD \"!^OPTIONS$\" \"t:none\" SecRule &REQUEST_HEADERS:User-Agent \"@eq 0\" \\ \"skip:1,log,auditlog,msg:\''Request Missing a User Agent Header\'',,id:\''960009\'',severity:\''4\''\" SecRule REQUEST_HEADERS:User-Agent \"^$\" \\ \"log,auditlog,msg:\''Request Missing a User Agent Header\'',,id:\''960009\'',severity:\''4\''\" SecRule &REQUEST_HEADERS:Content-Type \"@eq 0\" \\ \"chain,log,auditlog,msg:\''Request Containing Content, but Missing Content-Type header\'',,id:\''960904\'',severity:\''4\''\" SecRule REQUEST_HEADERS:Content-Length \"!^0$\" # Check that the host header is not an IP address # SecRule REQUEST_HEADERS:Host \"^[\\d\\.]+$\" \"deny,log,auditlog,status:400,msg:\''Host header is a numeric IP address\'', severity:\''2\'',,id:\''960017\'',\" # Log a security event when the request is rejected by apache # SecRule RESPONSE_STATUS ^400$ \"t:none,phase:5,chain,log,auditlog,msg:\''Invalid request\'',,id:\''960913\'',severity:\''2\''\" SecRule WEBSERVER_ERROR_LOG !ModSecurity ' WHERE name='Protocol anomalies'; UPDATE filter SET rules=' # --------------------------------------------------------------- # Core ModSecurity Rule Set # Copyright (C) 2006 
Breach Security Inc. All rights reserved. # # The ModSecuirty Core Rule Set is distributed under GPL version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- #%name 30 - HTTP policy enforcement #%desc The HTTP policy enforcement rule set sets limitations on the use of HTTP by clients. # Few applications require the breadth and depth of the HTTP protocol. On the # other hand many attacks abuse valid but rare HTTP use patterns. Restricting # HTTP protocol usage is effective in therefore effective in blocking many # application layer attacks. # # TODO If you are using the ModSecurity Core Ruleset template system you can set # the policy limitations in the ruleset.config file. Otherwise edit this # file manually to set you policy limitations. # # TODO Many automation programs use non standard HTTP requests. While you may # want to allow some of those, try not to create exceptions only for the # automated program based on properties such as their source IP address or # the URL they access. # SecDefaultAction \"pass,log,status:400,phase:2\" # allow request methods # # TODO Most applications only use GET, HEAD, and POST request # methods, if so uncomment the line below. Otherwise you are advised # to edit the line before uncommenting it. # SecRule REQUEST_METHOD \"!^((?:(?:POS|GE)T|OPTIONS|HEAD))$\" \\ \"phase:2,log,auditlog,status:501,msg:\''Method is not allowed by policy\'', severity:\''2\'',,id:\''960032\'',\" # Restrict which content-types we accept. # # TODO Most applications support only two types for request bodies # because that is all browsers know how to produce. If you are using # automated tools to talk to the application you may be using other # content types and would want to change the list of supported types. # # Note though that ModSecurity parses only three content types: # application/x-www-form-urlencoded, multipart/form-data request and # text/xml. 
The protection provided for any other type is inferior. # # TODO There are many applications that are not using multipart/form-data # types (typically only used for file uploads). This content type # can be disabled if not used. # # NOTE We allow any content type to be specified with GET or HEAD # because some tools incorrectly supply content type information # even when the body is not present. There is a rule further in # the file to prevent GET and HEAD requests to have bodies to we\''re # safe in that respect. # # NOTE Use of WebDAV requires \"text/xml\" content type. # # NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports # applications running on the PocketPC and AvantGo platforms use # non-standard content types: # # M-Business iAnywhere application/x-mal-client-data # UltraLite iAnywhere application/octet-stream # SecRule REQUEST_METHOD \"!^(?:get|head|propfind|options)$\" \\ \"chain, t:lowercase, deny,log,auditlog,status:501,msg:\''Request content type is not allowed by policy\'',,id:\''960010\'',severity:\''4\''\" SecRule REQUEST_HEADERS:Content-Type \"!(?:^(?:application\\/x-www-form-urlencoded(?:;(?:\\s?charset\\s?=\\s?[\\w\\d\\-]{1,18})?)??$|multipart/form-data;)|text/xml)\" # Restrict protocol versions. # # TODO All modern browsers use HTTP version 1.1. For tight security, allow only # this version. # # NOTE Automation programs, both malicious and non malicious many times use # other HTTP versions. If you want to allow a specific automated program # to use your site, try to create a narrower expection and not allow any # client to send HTTP requests in a version lower than 1.1 # SecRule REQUEST_PROTOCOL \"!^HTTP/(0\\.9|1\\.[01])$\" \\ \"t:none, deny,log,auditlog,status:505,msg:\''HTTP protocol version is not allowed by policy\'', severity:\''2\'',,id:\''960034\'',\" # Restrict file extension # # TODO the list of file extensions below are virtually always considered unsafe # and not in use in any valid program. 
If your application uses one of # these extensions, please remove it from the list of blocked extensions. # You may need to use ModSecurity Core Rule Set Templates to do so, otherwise # comment the whole rule. # SecRule REQUEST_BASENAME \"\\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\\w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$\" \\ \"t:urlDecodeUni, t:lowercase, deny,log,auditlog,status:500,msg:\''URL file extension is restricted by policy\'', severity:\''2\'',,id:\''960035\'',\" # Restricted HTTP headers # # TODO the list of HTTP headers below are considered unsafe for your environment. # If your application uses one of these directories, please remove it from # the list of blocked extensions. You may need to use ModSecurity Core Rule # Set Templates to do so, otherwise comment the whole rule. # SecRule REQUEST_HEADERS_NAMES \"(?:lock-token|translate|if)$\" \\ \"t:lowercase,deny,log,auditlog,status:500,msg:\''HTTP header is restricted by policy\'',,id:\''960038\'',severity:\''4\''\" # Restricted Content Encodings # # ModSecurity does not support compressed content. 
Therefore, the following # action will be taken: # - Inbound compressed content will be denied # - Outbound compressed content will be logged once, to alert the user # Deny inbound compressed content SecRule REQUEST_HEADERS:Content-Encoding \"!^Identity$\" \\ \"phase:2,t:none,deny,log,auditlog,status:501,msg:\''ModSecurity does not support content encodings\'',,id:\''960902\'',severity:\''3\''\" # Log outbound compressed content (once per location) SecRule RESPONSE_HEADERS:Content-Encoding \"!^Identity$\" \\ \"phase:5,t:none,pass,log,auditlog,msg:\''ModSecurity does not support content encodings\'',,id:\''960903\'',severity:\''4\'',chain\" SecRule &RESOURCE:alerted_960903_compression \"@eq 0\" \"setvar:resource.alerted_960903_compression\" ## -- Apache Limits ---------------------------------------------------------- # These are Apache limit directives, but we are including them here because # they are often forgotten. If you already have these configured leave this # section entirely commented-out. Otherwise review the limits and uncomment # the directives. # Maximum size of the request body. # # NOTE If your application allows file uploads the value below will # most likely be way to low. # #LimitRequestBody 64000 # Maximum number of request headers in a request. # #LimitRequestFields 32 # Maximum size of request header lines. # #LimitRequestFieldSize 8000 # Maximum size of the request line. # #LimitRequestLine 4000 ' WHERE name='HTTP policy'; UPDATE filter SET rules='# --------------------------------------------------------------- # Core ModSecurity Rule Set # Copyright (C) 2006 Breach Security Inc. All rights reserved. # # The ModSecuirty Core Rule Set is distributed under GPL version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # NOTE Bad robots detection is based on checking elements easily # controlled by the client. As such a determined attacked can bypass # those checks. 
Therefore bad robots detection should not be viewed as # a security mechanism against targeted attacks but rather as a nuisance # reduction, eliminating most of the random attacks against your web # site. SecDefaultAction \"log,pass,phase:2,t:lowercase\" SecRule REQUEST_HEADERS:User-Agent \"(?:\\b(?:m(?:ozilla\\/4\\.0 \\(compatible\\)|etis)|webtrends security analyzer|pmafind)\\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|internet explorer|webinspect|\\.nasl)\" \\ \"deny,log,auditlog,status:404,msg:\''Request Indicates a Security Scanner Scanned the Site\'',,id:\''990002\'',severity:\''2\''\" SecRule REQUEST_HEADERS_NAMES \"\\bacunetix-product\\b\" \\ \"deny,log,auditlog,status:404,msg:\''Request Indicates a Security Scanner Scanned the Site\'',,id:\''990901\'',severity:\''2\''\" SecRule REQUEST_FILENAME \"^/nessustest\" \\ \"deny,log,auditlog,status:404,msg:\''Request Indicates a Security Scanner Scanned the Site\'',,id:\''990902\'',severity:\''2\''\" SecRule REQUEST_HEADERS:User-Agent \"(?:e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro|o browse)|m(?:ozilla\\/4\\.0 \\(compatible; advanced email extractor|ailto:craftbot\\@yahoo\\.com)|a(?:t(?:tache|hens)|utoemailspider|dsarobot)|w(?:eb(?:emailextrac| by mail)|3mir)|f(?:astlwspider|loodgate)|p(?:cbrowser|ackrat|surf)|(?:digout4uagen|takeou)t|\\bdatacha0s\\b|hhjhj@yahoo|chinaclaw|rsync|shai|zeus)\" \\ \"deny,log,auditlog,status:404,msg:\''Rogue web site crawler\'',,id:\''990012\'',severity:\''2\''\" SecRule REQUEST_HEADERS:User-Agent \"(?:\\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\\b|mozilla\\/2\\.0 \\(compatible; newt activex; win32\\)|w(?:3mirror|get)|download demon|l(?:ibwww|wp)|p(?:avuk|erl)|big brother|autohttp|netants|eCatch|curl)\" \\ \"chain,log,auditlog,msg:\''Request Indicates an automated program explored the site\'',,id:\''990011\'',severity:\''5\''\" SecRule REQUEST_HEADERS:User-Agent 
\"!^apache.*perl\" ' WHERE name='Bad robots'; UPDATE filter SET rules='# --------------------------------------------------------------- # Core ModSecurity Rule Set # Copyright (C) 2006 Breach Security Inc. All rights reserved. # # The ModSecuirty Core Rule Set is distributed under GPL version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # # TODO While some of the pattern groups such as command injection are usually # safe of false positives, other pattern groups such as SQL injection and # XSS may require setting exceptions and therefore are set to log only by # default. # # Start ModSecurity in monitoring only mode and check whether your # application requires exceptions for a specific URL, Pattern or source IP # before moving to blocking mode. SecDefaultAction \"log,pass,phase:2,status:500,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase\" # Session fixation SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \"(?:\\.cookie\\b.*?;\\W*?(?:expires|domain)\\W*?=|\\bhttp-equiv\\W+set-cookie\\b)\" \\ \"capture,ctl:auditLogParts=+E,log,auditlog,msg:\''Session Fixation. Matched signature <%{TX.0}>\'',,id:\''950009\'',severity:\''2\''\" # Blind SQL injection SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \"(?:\\b(?:(?:s(?:ys\\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\\b.{0,40}\\b(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql\\.user)|c(?:onstraint_type|harindex)|attnotnull)\\b|(?:locate|instr)\\W+\\()|\\@\\@spid\\b)\" \\ \"capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:\''Blind SQL Injection Attack. 
Matched signature <%{TX.0}>\'',,id:\''950007\'',severity:\''2\''\" #SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \"\\b(?:benchmark|encode)\\b\" \\ # \"chain,ctl:auditLogParts=+E,log,auditlog,msg:\''Blind SQL Injection Attack. Matched signature <%{TX.0}>\'',,id:\''950903\'',severity:\''2\''\" #SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \"[\\\\(\\)\\%#]\\|--\" SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \"\\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\\W+\\bchar|rownum)\\b|t(?:able_name\\b|extpos\\W+\\())\" \\ \"capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:\''Blind SQL Injection Attack. 
Matched signature <%{TX.0}>\'',,id:\''950904\'',severity:\''2\''\" # SQL injection SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \"(?:\\b(?:(?:s(?:elect\\b(?:.{1,100}?\\b(?:(?:length|count|top)\\b.{1,100}?\\bfrom|from\\b.{1,100}?\\bwhere)|.*?\\b(?:d(?:ump\\b.*\\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion\\b.{1,100}?\\bselect|tl_(?:file|http))|group\\b.*\\bby\\b.{1,100}?\\bhaving|load\\b\\W*?\\bdata\\b.*\\binfile|(?:n?varcha|tbcreato)r|autonomous_transaction|open(?:rowset|query)|1\\s*=\\s*1|dbms_java)\\b|i(?:n(?:to\\b\\W*?\\b(?:dump|out)file|sert\\b\\W*?\\binto|ner\\b\\W*?\\bjoin)\\b|(?:f(?:\\b\\W*?\\(\\W*?\\bbenchmark|null\\b)|snull\\b)\\W*?\\()|(?:having|or|and)\\b\\s+(?:\\d{1,10}|[\\\''\\\"][^=]{1,10}[\\\''\\\"])\\s*[=<>]+|print\\b\\W*?\\@\\@|cast\\b\\W*?\\()|(?:;\\W*?\\b(?:shutdown|drop)|\\@\\@version)\\b|\''(?:s(?:qloledb|a)|msdasql|dbo)\'')\" \\ \"capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:\''SQL Injection Attack. Matched signature <%{TX.0}>\'',,id:\''950001\'',severity:\''2\''\" #SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \"\\b(?:rel(?:(?:nam|typ)e|kind)|a(?:ttn(?:ame|um)|scii)|c(?:o(?:nver|un)t|ha?r)|s(?:hutdown|elect)|to_(?:numbe|cha)r|u(?:pdate|nion)|d(?:elete|rop)|group\\b\\W*\\bby|having|insert|length|where)\\b\" \\ # \"chain,ctl:auditLogParts=+E,log,auditlog,msg:\''SQL Injection Attack. 
Matched signature <%{TX.0}>\'',,id:\''950905\'',severity:\''2\''\" #SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \"[\\\\(\\)\\%#]\\|--\" SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \"\\b(?:user_(?:(?:object|table|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|substr(?:ing)?|table_name|mb_users|rownum)\\b\" \\ \"capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:\''SQL Injection Attack. Matched signature <%{TX.0}>\'',,id:\''950906\'',severity:\''2\''\" SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:via \"\\b(?:coalesce\\b|root\\@)\" \\ \"capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:\''SQL Injection Attack. Matched signature <%{TX.0}>\'',,id:\''950908\'',severity:\''2\''\" # XSS SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \"(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\\b\\W*?=|abort\\b)|(?:l(?:owsrc\\b\\W*?\\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\\b\\W*?\\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\\b\\W*=.*\\bexpression\\b\\W*|ettimeout\\b\\W*?)\\(|rc\\b\\W*?\\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\\b|lert\\b\\W*?\\())|<(?:(?:body\\b.*?\\b(?:backgroun|onloa)d|input\\b.*?\\btype\\b\\W*?\\bimage|script|meta)\\b|!\\[cdata\\[)|(?:\\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\\@import)\\b)\" \\ \"capture,ctl:auditLogParts=+E,log,auditlog,msg:\''Cross-site Scripting (XSS) Attack. 
Matched signature <%{TX.0}>\'',,id:\''950004\'',severity:\''2\''\" # file injection SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* \"(?:\\b(?:\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\.asa|httpd\\.conf|boot\\.ini)\\b|\\/etc\\/)\" \\ \"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:\''Remote File Access Attempt. Matched signature <%{TX.0}>\'',,id:\''950005\'',severity:\''2\''\" # Command access SecRule REQUEST_FILENAME \"\\b(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\\.exe\\b\" \\ \"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:\''System Command Access. Matched signature <%{TX.0}>\'',,id:\''950002\'',severity:\''2\''\" # Command injection SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:\''/(Cookie|Referer|X-OS-Prefs)/\''|REQUEST_COOKIES|REQUEST_COOKIES_NAMES \"(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.{0,3}x))|[\\;\\|\\`]\\W*?\\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\\b|g(?:\\+\\+|cc\\b))|\\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\\+\\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\\\''\\\"\\|\\;\\`\\-\\s]|$))\" \\ \"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:\''System Command Injection. Matched signature <%{TX.0}>\'',,id:\''950006\'',severity:\''2\''\" SecRule \"ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:User-Agent\" \\ \"\\bwget\\b\" \\ \"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:\''System Command Injection. 
Matched signature <%{TX.0}>\'',,id:\''950907\'',severity:\''2\''\" # Coldfusion injection SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* \"\\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug)\\b\" \\ \"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:\''Injection of Undocumented ColdFusion Tags. Matched signature <%{TX.0}>\'',,id:\''950008\'',severity:\''2\''\" # LDAP injection SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer \"(?:\\((?:\\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\\b\\W*?=|[^\\w\\x80-\\xFF]*?[\\!\\&\\|][^\\w\\x80-\\xFF]*?\\()|\\)[^\\w\\x80-\\xFF]*?\\([^\\w\\x80-\\xFF]*?[\\!\\&\\|])\" \\ \"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:\''LDAP Injection Attack. Matched signature <%{TX.0}>\'',,id:\''950010\'',severity:\''2\''\" # SSI injection SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* \"<!--\\W*?#\\W*?(?:e(?:cho|xec)|printenv|include|cmd)\" \\ \"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:\''SSI injection Attack. Matched signature <%{TX.0}>\'',,id:\''950011\'',severity:\''2\''\" # PHP injection SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* \"(?:(?:\\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\\$_(?:(?:pos|ge)t|session))\\b|<\\?(?!xml))\" \\ \"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:\''PHP Injection Attack. 
Matched signature <%{TX.0}>\'',,id:\''950013\'',severity:\''2\''\" # HTTP Response Splitting SecRule REQUEST_URI|REQUEST_HEADERS|REQUEST_HEADERS_NAMES \"%0[ad]\" \\ \"t:none,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:\''HTTP Response Splitting Attack. Matched signature <%{TX.0}>\'',,id:\''950910\'',severity:\''1\''\" SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|XML:/* \"(?:\\bhttp\\/(?:0\\.9|1\\.[01])|<(?:html|meta)\\b)\" \\ \"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:\''HTTP Response Splitting Attack. Matched signature <%{TX.0}>\'',,id:\''950911\'',severity:\''1\''\" # UPDF XSS SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* \"http:\\/\\/[\\w\\.]+?\\/.*?\\.pdf\\b[^\\x0d\\x0a]*#\" \\ \"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:\''Persistent Universal PDF XSS attack\'',,id:\''950018\'',severity:\''2\''\" # Email Injection SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* \"[\\n\\r]\\s*(?:to|bcc|cc)\\s*:.*?\\@\" \\ \"t:none,t:lowercase,t:urlDecode,capture,ctl:auditLogParts=+E,log,auditlog,msg:\''Email Injection Attack. Matched signature <%{TX.0}>\'',,id:\''950019\'',severity:\''2\''\" ' WHERE name='Generic attacks'; UPDATE filter SET rules='# --------------------------------------------------------------- # Core ModSecurity Rule Set # Copyright (C) 2006 Breach Security Inc. All rights reserved. # # The ModSecuirty Core Rule Set is distributed under GPL version 2 # Please see the enclosed LICENCE file for full details. # --------------------------------------------------------------- # The trojan access detection rules detects access to known Trojans already # installed on a server. Uploading of Trojans is part of the Anti-Virus rules # and uses external Anti Virus program when uploading files. # # Detection of Trojans access is especially important in a hosting environment # where the actual Trojan upload may be done through valid methods and not # through hacking. 
# -- # # NOTE Trojans detection is based on checking elements controlled by the client. # A determined attacked can bypass those checks. We are working on # enchaining the checks so it would require a major change in the Trojan # to overcome. # # NOTE We found out that Trojan horses are not detected easily by Anti-Virus # software when uploading as the signature set of AV software is not tuned # for this purpose. We are working on adding signature tuned to detect # Trojans upload to file uploading inspection. # SecDefaultAction \"log,pass,phase:2,t:lowercase,status:404\" SecRule REQUEST_HEADERS_NAMES \"x_(?:key|file)\\b\" \"ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:\''Backdoor access\'',,id:\''950110\'',severity:\''2\''\" SecRule REQUEST_FILENAME \"root\\.exe\" \\ \"t:urlDecodeUni,t:htmlEntityDecode,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:\''Backdoor access\'',,id:\''950921\'',severity:\''2\''\" SecRule RESPONSE_BODY \"(?:<title>[^<]*?(?:\\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\\b|\\.::(?:news remote php shell injection::\\.| rhtools\\b)|ph(?:p(?:(?: commander|-terminal)\\b|remoteview)|vayv)|myshell)|\\b(?:(?:(?:microsoft windows\\b.{,10}?\\bversion\\b.{,20}?\\(c\\) copyright 1985-.{,10}?\\bmicrosoft corp|ntdaddy v1\\.9 - obzerve \\| fux0r inc)\\.|(?:www\\.sanalteror\\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\\b|aventgrup\\.<br>|drwxr))\" \\ \"phase:4,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:\''Backdoor access\'',,id:\''950922\'',severity:\''2\''\" ' WHERE name='Trojans'; /* NOTE(review) on the Trojans rule set stored by the statement ending here (ids 950110, 950921, 950922): as the rule header itself notes, detection relies on elements controlled by the client and can be bypassed, so the absence of matches is not evidence that no backdoor is present. Rule 950922 matches RESPONSE_BODY in phase:4 and can only fire if response bodies are made available to ModSecurity (SecResponseBodyAccess) - confirm in the deployed configuration. Rule 950922 also writes its bounded gaps as .{,10}? and .{,20}? - PCRE builds of that period presumably read {,n} as literal text rather than as a quantifier, in which case the microsoft windows version banner branch never matches. TODO confirm with the regex engine in use. {0,10} is the unambiguous spelling. */ /* Replaces the rule text of the filter row named Marketing: log-only rules (ids 910006 to 910008, severity 5) that tag requests by User-Agent. User-Agent is supplied by the client, so a match records the claimed crawler and does not verify it. */ UPDATE filter SET rules='# --------------------------------------------------------------- # Core ModSecurity Rule Set # Copyright (C) 2006 Breach Security Inc. All rights reserved. # # The ModSecuirty Core Rule Set is distributed under GPL version 2 # Please see the enclosed LICENCE file for full details.
# --------------------------------------------------------------- # These rules do not have a security importance, but shows other benefits of # monitoring and logging HTTP transactions. # -- SecDefaultAction \"log,pass,phase:2,t:lowercase\" SecRule REQUEST_HEADERS:User-Agent \"msn(?:bot|ptc)\" \\ \"log,auditlog,msg:\''MSN robot activity\'',,id:\''910008\'',severity:\''5\''\" SecRule REQUEST_HEADERS:User-Agent \"\\byahoo(?:-(?:mmcrawler|blogs)|! slurp)\\b\" \\ \"log,auditlog,msg:\''Yahoo robot activity\'',,id:\''910007\'',severity:\''5\''\" SecRule REQUEST_HEADERS:User-Agent \"(?:(?:gsa-crawler \\(enterprise; s4-e9lj2b82fjjaa; me\\@mycompany\\.com|adsbot-google \\(\\+http:\\/\\/www\\.google\\.com\\/adsbot\\.html)\\)|\\b(?:google(?:-sitemaps|bot)|mediapartners-google)\\b)\" \\ \"log,auditlog,msg:\''Google robot activity\'',,id:\''910006\'',severity:\''5\''\" ' WHERE name='Marketing'; /* Adds a log profile named Debug: LogLevel debug plus combined-format access and error logs under /var/log. NOTE(review): debug-level logging is verbose, and the combined format records the full request line (query string included), Referer and User-Agent - presumably meant for temporary troubleshooting only. Confirm file permissions and retention for these logs. */ INSERT INTO log (name, rules) VALUES('Debug','LogLevel debug LogFormat \"%h %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-Agent}i\\\"\" combined ErrorLog /var/log/Vulture-%NAME%-error_log CustomLog /var/log/Vulture-%NAME%-access_log combined'); /* Switches stored DSNs from the DBI driver name SQLite to SQLite2 for the two install paths listed. Rows in sql with any other uri are left untouched. */ UPDATE sql SET uri='dbi:SQLite2:dbname=/opt/INTRINsec/vulture/sql/db' WHERE uri='dbi:SQLite:dbname=/opt/INTRINsec/vulture/sql/db'; UPDATE sql SET uri='dbi:SQLite2:dbname=/var/www/vulture/sql/db' WHERE uri='dbi:SQLite:dbname=/var/www/vulture/sql/db'; /* Registers an sso_forward component named RT with two post fields typed autologon_user and autologon_password. NOTE(review): the component id is looked up by desc, so this presumably assumes no component with that desc exists yet (for example from an earlier run of this script) - verify before re-running. */ INSERT INTO components (type, desc) VALUES('sso_forward','RT'); INSERT INTO post (id_component, field_desc, field_var, field_type, field_value, field_prefix, field_suffix) VALUES((SELECT id FROM components WHERE desc='RT'),'User', 'user', 'autologon_user', '', '', ''); INSERT INTO post (id_component, field_desc, field_var, field_type, field_value, field_prefix, field_suffix) VALUES((SELECT id FROM components WHERE desc='RT'),'Password', 'pass', 'autologon_password', '', '', ''); /* Same pattern for a component named Phenix: login field, password field, a script-derived field and a fixed submit-button value. */ INSERT INTO components (type, desc) VALUES('sso_forward','Phenix'); INSERT INTO post (id_component, field_desc,
field_var, field_type, field_value, field_prefix, field_suffix) VALUES((SELECT id FROM components WHERE desc='Phenix'), 'ztLogin', 'ztLogin', 'autologon_user', '', '', ''); INSERT INTO post (id_component, field_desc, field_var, field_type, field_value, field_prefix, field_suffix) VALUES((SELECT id FROM components WHERE desc='Phenix'), 'ztPasswd', 'ztPasswd', 'autologon_password', '', '', ''); /* NOTE(review): this field has type script and an absolute path under /opt/INTRINsec, while the DSN updates earlier in this script also cater for a /var/www/vulture install - confirm the script exists at this path on every deployment and is writable only by trusted accounts. Presumably it derives an MD5 digest of the password for the backend form. Such a digest should be handled like the password itself. */ INSERT INTO post (id_component, field_desc, field_var, field_type, field_value, field_prefix, field_suffix) VALUES((SELECT id FROM components WHERE desc='Phenix'), 'ztPasswdMD5', 'ztPasswdMD5', 'script', '/opt/INTRINsec/vulture/script/md5.pl', '', ''); INSERT INTO post (id_component, field_desc, field_var, field_type, field_value, field_prefix, field_suffix) VALUES((SELECT id FROM components WHERE desc='Phenix'), 'btSubmit', 'btSubmit', 'hidden', 'Se connecter', '', '');