# http://www.atomicorp.com/ # Atomicorp (Gotroot.com) ModSecurity rules # Anti Malware rules # # Created by the Prometheus Group (http://www.prometheus-group.com) # Copyright 2005,2006, 2007 and 2008 by the Prometheus Group, all rights reserved. # Redistribution is strictly prohibited in any form, including whole or in part. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF # THE POSSIBILITY OF SUCH DAMAGE. 
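#
#---ASL-CONFIG-FILE---
#
# Phase 2 anti-malware rules.
#
# Every rule below looks for hostnames listed in malware-blacklist.txt (one
# phrase per line; @pmFromFile matches case-insensitively) in request
# arguments, the raw request body, the request path/URI and the Referer
# header, and denies the request with a 403.
#
# Operator notes:
#  - REQUEST_BODY is only populated when SecRequestBodyAccess is On, the body
#    is within SecRequestBodyLimit and the URLENCODED body processor was used;
#    for other body types (e.g. multipart) only ARGS/URI/Referer are covered.
#  - Transformations are per rule. A chained link inherits the SecDefaultAction
#    transformations only, NOT those of the first link in its chain, so the
#    anti-evasion decoders (htmlEntityDecode/urlDecodeUni) are repeated on the
#    links that actually match the blacklist.
#  - 'capture' sits on the @pmFromFile link so that TX.0 (expanded in logdata)
#    holds the blacklist entry that matched. A negated regex never captures,
#    so 'capture' on the "!/imp/compose.php" link would leave TX.0 empty/stale.
#  - The Horde IMP exclusion is tested against REQUEST_FILENAME (path only,
#    anchored at the end). REQUEST_URI includes the query string, so matching
#    it as a substring let any client opt out of rules 360002/360003 by
#    appending "?/imp/compose.php" to the request.
#
# Default: log, audit-log and deny with 403 in phase 2.
SecDefaultAction "log,deny,auditlog,phase:2,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"

# Rule 360000: blacklisted malware hostnames in request arguments (anti-evasion).
# The disabled variant below must not be re-enabled as-is: a standalone negated
# exclusion-list match ("!@pmFromFile malware-exclusion-local.txt") combined
# with the deny default would block every request NOT on the exclusion list.
# The Referer header is covered separately by rule 360004.
#SecRule REQUEST_HEADERS:Referer|ARGS "!@pmFromFile malware-exclusion-local.txt" \
#    "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhitespace,t:lowercase,id:360000,rev:2,severity:2,msg:'Blacklist Malware Site (AE)'"
SecRule ARGS "@pmFromFile malware-blacklist.txt" \
    "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhitespace,t:lowercase,id:360000,rev:2,severity:2,msg:'Blacklist Malware Site (AE)',logdata:'%{TX.0}'"

# Rule 360002: blacklisted malware URLs in request body / arguments (anti-evasion).
# Link 1: skip Horde IMP's compose page, which legitimately carries arbitrary
#         URLs (path-only, end-anchored; see operator notes above).
# Link 2: only continue when something that looks like a URL scheme is present.
# Link 3: the blacklist match; carries the decoders and 'capture' for logdata.
SecRule REQUEST_FILENAME "!/imp/compose\.php$" \
    "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhitespace,t:lowercase,id:360002,rev:2,severity:2,msg:'Malware Site in ARGS/Body (AE)',chain,logdata:'%{TX.0}'"
    SecRule REQUEST_BODY|ARGS "(?:ogg|zlib|(?:ht|f)tps?)\:/" \
        "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhitespace,t:lowercase,chain"
    # Optional site-local exclusion list; keep 'chain' on it if enabled.
    #SecRule REQUEST_BODY|ARGS "!@pmFromFile malware-exclusion-local.txt" "chain"
    SecRule REQUEST_BODY|ARGS "@pmFromFile malware-blacklist.txt" \
        "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhitespace,t:lowercase"

# Rule 360003: blacklisted malware URLs in the request URI.
# Same chain shape as 360002, applied to REQUEST_URI (path + query string).
SecRule REQUEST_FILENAME "!/imp/compose\.php$" \
    "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhitespace,t:lowercase,id:360003,rev:5,severity:2,msg:'Malware Site in URI',chain,logdata:'%{TX.0}'"
    SecRule REQUEST_URI "(?:ogg|zlib|(?:ht|f)tps?)\:/.*" \
        "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhitespace,t:lowercase,chain"
    # Optional site-local exclusion list; keep 'chain' on it if enabled.
    #SecRule REQUEST_URI "!@pmFromFile malware-exclusion-local.txt" "chain"
    SecRule REQUEST_URI "@pmFromFile malware-blacklist.txt" \
        "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhitespace,t:lowercase"

# Rule 360004: blacklisted malware hostnames in the Referer header.
# Referer is client-controlled and often absent; treat a hit as a signal that
# the visitor arrived from (or spoofed) a listed site, not proof of compromise.
SecRule REQUEST_HEADERS:Referer "@pmFromFile malware-blacklist.txt" \
    "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhitespace,t:lowercase,id:360004,rev:2,severity:2,msg:'Suspicious Blacklist Malware Site in Referral',logdata:'%{TX.0}'"

##
## Rules 360005-360008: site-local blacklist (malware-blacklist-local.txt).
## Disabled by default. They mirror 360000/360002/360003/360004 above and use
## their own ids so they can coexist with the shipped rules; never re-enable
## them with a duplicate id (the stale copy using id:360000 below is kept only
## for reference and must not be uncommented).
##
##SecRule REQUEST_HEADERS:Referer|ARGS "!@pmFromFile malware-exclusion-local.txt" \
##    "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhitespace,t:lowercase,id:360000,rev:2,severity:2,msg:'Blacklist Malware Site (AE)'"
#
## Rule 360005: local blacklist in request arguments (anti-evasion).
#SecRule ARGS "@pmFromFile malware-blacklist-local.txt" \
#    "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhitespace,t:lowercase,id:360005,rev:2,severity:2,msg:'Local Blacklist Malware Site (AE)',logdata:'%{TX.0}'"
#
## Rule 360006: local blacklist in request body / arguments (anti-evasion).
#SecRule REQUEST_FILENAME "!/imp/compose\.php$" \
#    "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhitespace,t:lowercase,id:360006,rev:1,severity:2,msg:'Local Malware Site in ARGS/Body (AE)',chain,logdata:'%{TX.0}'"
#    SecRule REQUEST_BODY|ARGS "(?:ogg|zlib|(?:ht|f)tps?)\:/.*" \
#        "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhitespace,t:lowercase,chain"
##    SecRule REQUEST_BODY|ARGS "!@pmFromFile malware-exclusion-local.txt" "chain"
#    SecRule REQUEST_BODY|ARGS "@pmFromFile malware-blacklist-local.txt" \
#        "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhitespace,t:lowercase"
#
## Rule 360007: local blacklist in the request URI.
#SecRule REQUEST_FILENAME "!/imp/compose\.php$" \
#    "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhitespace,t:lowercase,id:360007,rev:4,severity:2,msg:'Local Malware Site in URI',chain,logdata:'%{TX.0}'"
#    SecRule REQUEST_URI "(?:ogg|zlib|(?:ht|f)tps?)\:/.*" \
#        "t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhitespace,t:lowercase,chain"
##    SecRule REQUEST_URI "!@pmFromFile malware-exclusion-local.txt" "chain"
#    SecRule REQUEST_URI "@pmFromFile malware-blacklist-local.txt" \
#        "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhitespace,t:lowercase"
#
## Rule 360008: local blacklist in the Referer header.
#SecRule REQUEST_HEADERS:Referer "@pmFromFile malware-blacklist-local.txt" \
#    "capture,t:replaceNulls,t:htmlEntityDecode,t:urlDecodeUni,t:compressWhitespace,t:lowercase,id:360008,rev:2,severity:2,msg:'Suspicious Local Blacklist Malware Site in Referral',logdata:'%{TX.0}'"
##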