mod_security installation and deployment







※ Reference material below

#############################
# < For web hosting providers >
#
# This rule set is a minimal attack-blocking rule set for web hosting servers that run many websites.
# Use it as a reference and customize it into rules that suit each website.
# After customizing the rules, change pass to deny in SecFilterSignatureAction
# so that detected attacks are blocked.
#
# Update : '09. 03. 11
# - Fixed errors in the sample rules for version 2.x
# - Added Mass SQL Injection signatures
# - Added WebShell signatures
# - Added new vulnerabilities in public bulletin-board solutions
# - Added Tomcat, Oracle, MySQL, MSSQL signatures
#
#############################
 
 
#############################
# 1. Enable or disable ModSecurity
# SecFilterEngine On | Off
# On : enable ModSecurity
# Off : disable ModSecurity
 
SecFilterEngine On  
 
 
#############################
# 2. Basic settings
# Specify the default action taken when a rule matches
#
# Specify the SignatureAction for actual attack patterns
# SecFilterSignatureAction "action"
# action : deny, pass, allow, status:apache error code, redirect:/error.html
#
# Once rule customization is complete, change pass to deny in the action so that detected attacks are blocked
# SecFilterSignatureAction "deny,log,status:406"
SecFilterSignatureAction "pass,log"
 
# Record attack-related logs in more detail than Apache's default logs
SecAuditEngine RelevantOnly  
SecAuditLog logs/modsec_audit.log
 
# To reduce log volume, record only the relevant 4xx or 5xx errors. 404 Not Found is not recorded.
# Use the option below for Apache 1.x
SecAuditLogRelevantStatus "^([45]\d[^4])"
 
# Use the option below for Apache 2.x
#SecAuditLogRelevantStatus "^(?:5|4\d[^4])"
 
# Change the web server's header information
SecServerSignature "Microsoft-IIS/5.0"
 
# Inspect the payload of POST requests
# When applying this to many sites, as at a hosting provider, set it to On only after thorough review
SecFilterScanPost Off
 
# Convert encoded characters into plain text characters
# For example, a hex-encoded sequence such as %AB is converted into plain text
SecFilterCheckURLEncoding On
 
# SecFilterCheckUnicodeEncoding: set to On only for a UTF-8-only server
SecFilterCheckUnicodeEncoding Off  
 
# Methods other than the following are not allowed.
SecFilterSelective REQUEST_METHOD "!(GET|POST|HEAD|OPTIONS)" "deny, log"
 
# Byte range restriction against stack overflow attacks
SecFilterForceByteRange 1 255
 
 
#############################
# 3. Prevent PHP injection attacks (including attacks that target public bulletin-board solutions)
SecFilterSelective REQUEST_URI "\.php\?" chain
SecFilterSelective REQUEST_URI "(dir|page)" chain
SecFilterSelective REQUEST_URI "=(http|https|ftp)\:/" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "/include/write\.php\?dir=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "/include/print_category\.php\?setup=1&dir=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "/zero_vote/error\.php\?dir=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "/outlogin\.php\?_zb_path=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "filename=\|" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "check_user_id\.php\?user_id=<script>alert\(document\.cookie\)" "msg:'PHP Injection & XSS Attacks'"
SecFilterSelective REQUEST_URI "/zero_vote/login\.php\?dir=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "/zero_vote/setup\.php\?dir=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "/zero_vote/ask_password\.php\?dir=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "view\.php\?theme=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "view\.php\?theme=theme=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "/latest/sirini_gallery_latest/list\.php\?path=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "/include\.php\?grboard=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "include/footer\.php\?_path" chain
SecFilterSelective REQUEST_URI "=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "_footer\.php\?skin_path=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective REQUEST_URI "body_default\.php\?GOODS[[:alnum:]]=deadbeef\&GOODS" chain
SecFilterSelective REQUEST_URI "=deadbeef\&shop_this_skin_path=(ftp|http):" "msg:'PHP Injection Attacks'"
SecFilterSelective ARGS|REQUEST_URI "poll_result\.php\?po_id=" chain
SecFilterSelective ARGS|REQUEST_URI "skin_dir=(ftp:|http:|\.\.)" "msg:'PHP Injection Attacks'"
 
 
#############################
# 4. Prevent command execution
SecFilterSelective ARGS_VALUES ";[[:space:]]*(ls|pwd|wget|cd)" "msg:'Command execution attack'"
SecFilterSelective REQUEST_URI "(perl|lynx|mkdir|cmd|lwp-(download|request|mirror|rget))" "msg:'Command execution attack'"
SecFilterSelective REQUEST_URI "(uname|net(stat|cat)|curl|telnet|gcc|rm\-[a-z|A-Z])" "msg:'Command execution attack'"
 
 
#############################
# 5. Prevent XSS attacks
SecFilterSelective ARGS "alert[[:space:]]*\(" "msg:'XSS attack'"
SecFilterSelective ARGS "&#[0-9a-fA-F]{2}" "msg:'XSS attack'"
SecFilterSelective ARGS "eval[[:space:]]*\(" "msg:'XSS attack'"
SecFilterSelective ARGS "onKeyUp" "msg:'XSS attack'"
SecFilterSelective ARGS "\x5cx[0-9a-fA-F]{2}" "msg:'XSS attack'"
SecFilterSelective ARGS "fromCharCode" "msg:'XSS attack'"
SecFilterSelective ARGS "&\{.+\}" "msg:'XSS attack'"
SecFilterSelective ARGS "<script" "msg:'XSS attack'"
SecFilterSelective ARGS "vbscript:" "msg:'XSS attack'"
SecFilterSelective ARGS "expression[[:space:]]*\(" "msg:'XSS attack'"
SecFilterSelective ARGS "url[[:space:]]*\(" "msg:'XSS attack'"
SecFilterSelective ARGS "innerHTML" "msg:'XSS attack'"
SecFilterSelective ARGS "document\.body" "msg:'XSS attack'"
SecFilterSelective ARGS "document\.cookie" "msg:'XSS attack'"
SecFilterSelective ARGS "document\.location" "msg:'XSS attack'"
SecFilterSelective ARGS "document\.write" "msg:'XSS attack'"
SecFilterSelective ARGS "style[[:space:]]*=" "msg:'XSS attack'"
SecFilterSelective ARGS "dynsrc"  "msg:'XSS attack'"
SecFilterSelective ARGS_VALUES "jsessionid" "msg:'XSS attack'"
SecFilterSelective ARGS_VALUES "phpsessid" "msg:'XSS attack'"
 
 
#############################
# 6. Block SSI injection attacks
SecFilterSelective ARGS "<!--[[:space:]]*#[[:space:]]*(exec|cmd|echo|include|printenv)" "msg:'SSI injection attack'"
 
 
#############################
# 7. Malicious program bots, User-Agent
SecFilterSelective HTTP_USER_AGENT "[Ww]eb[Bb]andit" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WEBMOLE" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Telesoft*" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "CherryPicker*" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "NICErsPRO" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Advanced Email Extractor*" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "EmailSiphon" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Extractorpro" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "EmailCollector" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebEMailExtrac*" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "EmailWolf" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Microsoft URL Control" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "^Microsoft URL" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "SmartDownload" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Offline Explorer" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Ninja" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "NetZIP" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "HTTrack" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Googlebot-Image" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Download" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Downloader" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "BackDoorBot" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "ah-ha" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Alexibot" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Atomz" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Microsoft-WebDAV-MiniRedir" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Microsoft-WebDAV-MiniRedir/5\.1\.2600" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Googlebot/2\.1" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "PlantyNet_WebRobot_V1\.9" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "LWP::" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "lwp-trivial" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Mozilla/2\.0" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebZIP" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Teleport" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "GetRight" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "FlashGet" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "JetCar" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Go!Zilla" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "NamoWebEditor" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Namo" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "MSFrontPage" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebTrack-HTTPP" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebSymmetrix" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "AD2000" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebSpy" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebStripper" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebSnatcher" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebGet" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "HSlide" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebCopier" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Website eXtractor" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Internet Ninja" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "fortuna" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "SuperHTTP" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WISEbot/1\.0" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "NaverBot-1\.0" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Talkro Web-Shot/1\.0" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Talkro" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Web-Shot/1\.0" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Arachmo" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WinHTTrack Website Copier" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "BlackWidow" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "SuperBot" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "MM3-WebAssistant" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Offline Explorer Pro" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "GetBot" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "SBWcc Website Capture" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Leech" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "HTTP Weazel" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebGainer" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Offline Explorer Enterprise" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "PageSucker" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "QuadSucker/Web" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "BackStreet Browser" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Offline Navigator" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Aaron's WebVacuum" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "JOC Web Spider" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Grab-a-Site" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "PicScour" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "RafaBot" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Cli-Mate" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "eNotebook" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebSlinky" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Pictures Grabber" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Web Dumper" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebCatcher" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "SurfOffline" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "NetGrabber" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Power Siphon" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Rip Clip" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebWhacker" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Offline CHM" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "webpictureboss" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Visual Web Task" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Web Shutter" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "NavRoad" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "7 Download Services" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "WebCloner Standard" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "EZ Save MHT" "msg:'Robot attack'"
SecFilterSelective HTTP_USER_AGENT "Yahoo! Slurp" "msg:'Robot attack'"
 
###########################################
# 8. Prevent hacking that uses search-engine recon (Google)
SecFilterSelective HTTP_Referer  "Powered by Gravity Board" "msg:'Recon/Google attack'"  
SecFilterSelective HTTP_Referer  "Powered by SilverNews"  "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "Powered.*PHPBB.*2\.0\.\ inurl\:"  "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "PHPFreeNews inurl\:Admin\.php"  "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "inurl.*/cgi-bin/query"  "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "inurl.*tiki-edit_submission\.php"  "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "inurl.*wps_shop\.cgi"  "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "inurl.*edit_blog\.php.*filetype\:php"  "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "inurl.*passwd.txt.*wwwboard.*webadmin"  "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "inurl.*admin\.mdb"  "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "filetype:sql \x28\x22passwd values.*password values.*pass values"  "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "filetype.*blt.*buddylist" "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "File Upload Manager v1\.3.*rename to" "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "filetype\x3Aphp HAXPLORER .*Server Files Browser" "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "inurl.*passlist\.txt" "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "wwwboard WebAdmininurl\x3Apasswd\.txt wwwboard\x7Cwebadmin" "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "Enter ip.*inurl\x3A\x22php-ping\.php\x22" "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "intitle\.*PHP Shell.*Enable stderr.*filetype\.php" "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "inurl\.*install.*install\.php" "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "Powered by PHPFM.*filetype\.php -username" "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "inurl\.*phpSysInfo.*created by phpsysinfo" "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "SquirrelMail version 1\.4\.4.*inurl:src ext\.php" "msg:'Recon/Google attack'"
SecFilterSelective HTTP_Referer  "inurl\.*webutil\.pl" "msg:'Recon/Google attack'"
 
#############################
# 9. Rules for PHPMyAdmin-related vulnerabilities
# "subform" local file inclusion vulnerability
SecFilterSelective REQUEST_URI "/libraries/grab_globals\.lib\.php" chain
SecFilterSelective ARG_subform "(/|\.\.|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/libraries/grab_globals\.lib\.php" chain
SecFilterSelective REQUEST_URI "usesubform.*=.*&usesubform.*=.*&subform.*(/|\.\.|(http|https|ftp)\:/)"
 
# Path vulnerability
SecFilterSelective REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"
SecFilterSelective REQUEST_URI "/phpMyAdmin/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=(/|.*\.\./)"
 
# Cross-site scripting vulnerability in the character-set conversion parameter
SecFilterSelective REQUEST_URI "/phpmyadmin/index\.php\?pma_username=.*&pma_password=.*&server=.*&lang=.*&convcharset=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
 
# Export.PHP file disclosure vulnerability
SecFilterSelective SCRIPT_FILENAME "export\.php$" chain
SecFilterSelective ARG_what "\.\."  
 
# XSS vulnerability
SecFilterSelective ARG_HTTP_HOST "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)"
SecFilterSelective REQUEST_URI "libraries/auth/cookie\.auth\.lib\.php" chain
SecFilter "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
SecFilterSelective REQUEST_URI "/error\.php" chain
SecFilterSelective ARG_error "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>"
 
# register_globals Emulation "import_blacklist" manipulation vulnerability
SecFilterSelective REQUEST_URI "/grab_globals\.php" chain
SecFilterSelective ARG_import_blacklist "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|(http|https|ftp)\:/)"
 
 
#############################
# 10. Prevent other attacks
# Block anything other than the allowed HTTP request types (HTTP 0.9, 1.0 or 1.1)
# SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "msg:'Not allowed HTTP Protocol'"
 
# Block access to the /etc/passwd file
SecFilterSelective THE_REQUEST "/etc/passwd"
 
# Prohibit SMTP redirects through the web server
SecFilterSelective THE_REQUEST ^(http|https)\:/.+:25  
 
# Block directory traversal attacks
SecFilterSelective REQUEST_URI "\.\./"
 
 
#############################
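# 11. Block SQL injection attacks
# Exception for servers that use PHPMyAdmin
# skipnext must equal the number of active rules that follow in this section:
# 24 as posted, 40 if every commented-out rule below is enabled.
SecFilterSelective HTTP_HOST "(127.0.0.1|localhost)" chain
SecFilterSelective REQUEST_URI "(/phpmyadmin|/myadmin)" skipnext:24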
 
## Generic  
SecFilterSelective ARGS "(create|drop|delete)" chain
SecFilterSelective ARGS "(database|table|column|procedure|from|where)" "msg:'SQL injection attack'"
SecFilterSelective ARGS "(select|alter|update|insert|declare)" chain
SecFilterSelective ARGS "(database|table|procedure|from|where|into)" "msg:'SQL injection attack'"
SecFilterSelective ARGS "update.+set.+=" "msg:'SQL injection attack'"
SecFilterSelective ARGS "insert[[:space:]]+into.+values" "msg:'SQL injection attack'"
SecFilterSelective ARGS "bulk[[:space:]]+insert" "msg:'SQL injection attack'"
SecFilterSelective ARGS "union.+select" "msg:'SQL injection attack'"
SecFilterSelective ARGS "into[[:space:]]+outfile" "msg:'SQL injection attack'"
SecFilterSelective ARGS "load[[:space:]]+data" "msg:'SQL injection attack'"
SecFilterSelective ARGS "((order[[:space:]]|group[[:space:]])by|having)" "msg:'SQL injection attack'"
SecFilterSelective ARGS "('|;|%)" chain
SecFilterSelective ARGS "(like|and|or)" chain
SecFilterSelective ARGS "(--|#|/\*)" "msg:'SQL injection attack'"
SecFilterSelective ARGS "/\*.+\*/"  "msg:'SQL injection attack'"
SecFilterSelective ARGS "or.+1[[:space:]]*=[[:space:]]*1" "msg:'SQL injection attack'"
 
## MS-SQL
#SecFilterSelective ARGS "exec.+[xs]p_" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "exec[[:space:]]*\(" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "master(\.\.|\.dbo\.)" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "@@[[:alnum:]]+" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "open(query|rowset)" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "(msdasql|sqloledb)" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "(sys(objects|columns|logins|xlogins)|xtype)" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "sp_(oa(create|method|setproperty)|add(extendedproc|srvrolemember)|login|password|droplogin|configure)" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "xp_(cmdshell|servicecontrol|reg(read|write|enumvalues|delete(value|key)|msver|logininfo))" "msg:'SQL injection attack'"
 
## Mass SQL Injection with Cookie
SecFilterSelective ARGS|REQUEST_URI|HTTP_Cookie "declare.+nvarchar\([[:alnum:]]" "msg:'SQL injection attack'"
SecFilterSelective ARGS|REQUEST_URI|HTTP_Cookie "set.+cast\(" "msg:'SQL injection attack'"
SecFilterSelective ARGS|REQUEST_URI|HTTP_Cookie "exec\(\@" "msg:'SQL injection attack'"
 
## MySQL
SecFilterSelective ARGS "mysqladmin.+(create|drop|delete)" "msg:'SQL injection attack'"
SecFilterSelective ARGS "drop.+index" "msg:'SQL injection attack'"
SecFilterSelective ARGS "alter[[:space:]]table" chain
SecFilterSelective ARGS "(change|modify|column)(bigint|integer|not[[:space:]]null|varchar)" "msg:'SQL injection attack'"
SecFilterSelective ARGS "if[[:space:]]not[[:space:]]exist" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "mysql\.(user|host|db)" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "(union|select).+load_file" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "load_file.+char\(" "msg:'SQL injection attack'"
 
## Oracle
#SecFilterSelective ARGS "(create|grant)" chain
#SecFilterSelective ARGS "identified[[:space:]]by" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "(tablespace|grant.+(connect|resource)[[:space:]]to)" "msg:'SQL injection attack'"
#SecFilterSelective ARGS "SYS\.(USER_(OBJECTS|TABLES|VIEWS|TAB_COLUMNS|CATALOG)|TAB|ALL_TABLES)" "msg:'SQL injection attack'"
 
#############################
# 12. Prevent WebShell attacks
# When a false positive occurs, use the related logs to adjust the rule in question
SecFilterSelective ARGS "\?symlinktarget=" "msg:'WebShell attack'"
SecFilterSelective ARGS "\?(cpy|show)=\/" "msg:'WebShell attack'"
SecFilterSelective ARGS "\?(phpinfo|phpini|cpu|delete|tmp|img=1)" "msg:'WebShell attack'"
SecFilterSelective ARGS "\?runcmd=(canirun|showinfo|etcpasswdfile|netstat|upload|editfile|listdir)" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?act=(tools|upload|eval|shell|security|processes|search|encoder|decoder|bypass|sql|bindport|cmd|edit|ftpquickbrute)" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?act=gofile\&d=" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?action=(editfile|dir)\&dir" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?action=(shell|phpinfo|phpenv|sql|env|cmd\&method=|cmdbrowse|read|explorer|mysqlread)" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?action=[0-9]\&dir_atual=" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?action=.*\&act=(img\&img=home|chmod|f\&f=selfremove|processes|security)" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?action=(newtime|proxy|rename)" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?&action=(backtool|cmd)\&chdir=" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?c=img\&name=(fon\&r=|home|back|up)" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?c=(t&d=|tree\&d=|d\&d=|l\&d=)" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?cmd=(id|pwd|ls|copy&file=|delfile\&file=|downl\&file=|newfile|con.+)" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?dir=\.\&delfile=" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?delfolder=/" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?frame=[0-9]\&set_resolveIDs=" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?frame=treeview\&(id=|plus=)" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?id=fm\&(dir=/|fdownload=|fchmod=|fedit=/)" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\?id=(cmd|cshell)" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\&s=r\&cmd=(dir|copy|con|ren|file|upload)" "msg:'WebShell attack'"
SecFilterSelective REQUEST_URI "\&secret&(file_browser|dir|crypt|env|exec_st|edit)" "msg:'WebShell attack'"
SecFilterSelective ARGS|REQUEST_URI "\?p=(delete\&file|chmod\&dir|chmod\&file)=" "msg:'WebShell attack'"
SecFilterSelective ARGS|REQUEST_URI "\?p=(selfremover|sql)" "msg:'WebShell attack'"
 
######################################
# 13. Prevent attacks that exploit Tomcat vulnerabilities
#SecFilterSelective ARGS|REQUEST_URI "%c0%ae" "msg:'Tomcat Directory Traversal attack'"
#SecFilterSelective ARGS|REQUEST_URI "\\.\./" "msg:'Tomcat Directory Traversal attack'"
#SecFilterSelective ARGS "getRuntime.+exec" "msg:'Command Execution attack'"
#SecFilterSelective REQUEST_URI "/;.a+\.(jsp|do)" "msg:'Tomcat Directory Traversal attack'"
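
The header of this rule set says to run with "pass,log" and customize the rules before switching to deny, and section 12 says to adjust rules from the logs when false positives occur. The Python script below is an added example, not part of the original post: it replays constructed benign URLs against a few rules copied from sections 5 and 11 and reports which ones would be flagged. The variable model (ARGS as the decoded query string) and case-insensitive matching are simplifying assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Rules copied verbatim from sections 5 and 11 of the rule set above.
RULES_TEXT = r'''
SecFilterSelective ARGS "(select|alter|update|insert|declare)" chain
SecFilterSelective ARGS "(database|table|procedure|from|where|into)" "msg:'SQL injection attack'"
SecFilterSelective ARGS "union.+select" "msg:'SQL injection attack'"
SecFilterSelective ARGS "style[[:space:]]*=" "msg:'XSS attack'"
SecFilterSelective ARGS_VALUES "jsessionid" "msg:'XSS attack'"
'''

# Constructed, benign sample requests (not taken from any real log).
BENIGN = [
    "/board/list.php?page=2&sort=date",
    "/search.php?q=please+select+a+seat+from+the+plan",
    "/search.php?q=student+union+select+committee",
    "/shop/item.php?id=7&note=font+style%3Dbold",
]

LINE = re.compile(r'^SecFilterSelective\s+(\S+)\s+"(.*?)"(?:\s+(.*))?$')
# POSIX character classes used by the rules, mapped to Python equivalents.
POSIX = {"[:space:]": r"\s", "[:alnum:]": "a-zA-Z0-9"}


def parse_rules(text):
    """Return a list of chains; each chain is a list of (variables, regex, msg)."""
    chains, current = [], []
    for raw in text.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        variables, pattern, actions = m.group(1), m.group(2), m.group(3) or ""
        for posix, py in POSIX.items():
            pattern = pattern.replace(posix, py)
        msg = re.search(r"msg:'([^']*)'", actions)
        # Assumption: patterns are matched case-insensitively.
        rule = (variables.split("|"), re.compile(pattern, re.I),
                msg.group(1) if msg else "")
        current.append(rule)
        if "chain" not in actions:      # last rule of a chain (or a single rule)
            chains.append(current)
            current = []
    return chains


def variables_for(uri):
    """Simplified model (assumption) of the variables these rules inspect."""
    query = urlsplit(uri).query
    return {
        "REQUEST_URI": [unquote_plus(uri)],
        "ARGS": [unquote_plus(query)],
        "ARGS_VALUES": [v for _, v in parse_qsl(query, keep_blank_values=True)],
    }


def evaluate(chains, uri):
    """Return the msg of every chain whose rules all match the request."""
    values = variables_for(uri)
    hits = []
    for chain in chains:
        if all(any(rx.search(v) for name in names for v in values.get(name, []))
               for names, rx, _ in chain):
            hits.append(chain[-1][2])
    return hits


def false_positives(rules_text, requests):
    """Map each benign request that a rule would flag to the matching messages."""
    chains = parse_rules(rules_text)
    report = {uri: evaluate(chains, uri) for uri in requests}
    return {uri: hits for uri, hits in report.items() if hits}


if __name__ == "__main__":
    for uri, hits in false_positives(RULES_TEXT, BENIGN).items():
        print(f"{uri} -> {hits}")
```

Rules that flag ordinary search text this way are the ones to narrow or scope per site before SecFilterSignatureAction is changed from pass to deny.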

[Original post link] : https://www.linux.co.kr/home2/board/subbs/board.php?bo_table=lecture&wr_id=1732



 
원대로
1. Name: 원대로
2. E-mail: loadblack at suidc.com
3. Affiliation: (주)수퍼유저코리아 (Superuser Korea Co., Ltd.)