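# BitNinja lockdown / virtual-honeypot rules and request-tagging rules.
#
# Control flow, as written in this file:
#   * tx.bn_pattern_lockdown < 1        -> skip to SecMarker BITNINJA-LOCKDOWN
#                                          (rules 400010 / 400011).
#   * tx.bn_pattern_can_honeypotify < 1 -> skip to SecMarker VIRTUAL-HONEYPOT
#                                          (rules 400012 / 400013).
# The tx.bn_* variables are not initialised here: the SecAction below is
# commented out, so they have to be set by a rule file loaded earlier.
# NOTE(review): confirm that the initialisation really runs first. If the
# variables are unset, check how "@lt 1" evaluates them, because that decides
# whether the skipAfter rules fire or the lockdown rules run for every request.

# SecAction "id:400000, phase:1,\
#     nolog,\
#     pass,\
#     t:none,\
#     setvar:tx.bn_inbound_found=0,\
#     setvar:tx.bn_outbound_found=0,\
#     setvar:tx.bn_pattern_lockdown=0,\
#     setvar:tx.bn_pattern_can_honeypotify=0,\
#     setvar:tx.bn_pattern="

# Not a lockdown location: jump over the whole lockdown section (one rule per
# phase, because skipAfter only affects the phase it runs in).
SecRule TX:BN_PATTERN_LOCKDOWN "@lt 1" "phase:1, id:400010, nolog,noauditlog,pass,skipAfter:BITNINJA-LOCKDOWN"
SecRule TX:BN_PATTERN_LOCKDOWN "@lt 1" "phase:2, id:400011, nolog,noauditlog,pass,skipAfter:BITNINJA-LOCKDOWN"

# Lockdown: reject any request that carries POST arguments with HTTP 405.
# NOTE(review): this rule denies in phase 2 before rule 400112 below is
# reached with the same condition, so 400112 (and its
# tx.bn_inbound_found increment) looks unreachable while the engine is
# enforcing. Confirm whether that ordering is intended.
SecRule &ARGS_POST "@gt 0" \
    "id:400110, \
    phase:2,\
    msg:'Requested location [%{tx.bn_pattern}] is on lockdown. No POST data allowed.',\
    logdata:'POST data not allowed.',\
    deny,\
    status:405,\
    severity:WARNING"

# Honeypot handling is opt-in per pattern: skip it unless the flag is set.
SecRule TX:BN_PATTERN_CAN_HONEYPOTIFY "@lt 1" "phase:2, id:400013, nolog,noauditlog,pass,skipAfter:VIRTUAL-HONEYPOT"

# "block" defers to the SecDefaultAction in effect, which is not visible here.
SecRule &ARGS_POST "@gt 0" \
    "id:400112, \
    phase:2,\
    rev:'1',\
    msg:'Requested location is a virtual honeypot location. No POST data allowed.',\
    logdata:'Requested location is a virtual honeypot location. No POST data allowed.',\
    block,\
    setvar:tx.bn_inbound_found=+1,\
    severity:CRITICAL"

# Many users enabled virtual honeypotification on / and made their sites unreachable.
# This is not the way this should be used.
SecRule TX:BN_PATTERN_CAN_HONEYPOTIFY "@lt 1" "phase:1, id:400012, nolog,noauditlog,pass,skipAfter:VIRTUAL-HONEYPOT"

# Matches "<?php" or "<?" followed by whitespace anywhere in the raw body.
# NOTE(review): ModSecurity only populates REQUEST_BODY when the URLENCODED
# body processor is used (or the variable is forced with
# ctl:forceRequestBodyVariable), so multipart/form-data uploads are probably
# not inspected by this rule. Confirm coverage via FILES_TMP_CONTENT or a
# dedicated upload rule elsewhere in the rule set.
SecRule REQUEST_BODY "(?:(?:<\?php|<\?)\s)" \
    "setvar:tx.bn_inbound_found=+1,\
    id:400114, \
    phase:2,\
    rev:'1',\
    msg:'PHP file upload not allowed on this location',\
    logdata:'PHP file upload not allowed on this location',\
    block,\
    severity:CRITICAL"

SecMarker "VIRTUAL-HONEYPOT"

# NOTE(review): this rule sits after the VIRTUAL-HONEYPOT marker, so it is
# evaluated for every lockdown location, including ones where
# tx.bn_pattern_can_honeypotify is 0, although its message refers to a
# honeypot location. Confirm that placement is intended.
SecRule &ARGS_GET "@gt 0" \
    "id:400113, \
    phase:2,\
    rev:'1',\
    msg:'Requested location is a virtual honeypot location. No GET data allowed.',\
    logdata:'Requested location is a virtual honeypot location. No GET data allowed.',\
    block,\
    setvar:tx.bn_inbound_found=+1,\
    severity:CRITICAL"

# Fixed: the message used "${tx.pattern}", which is neither ModSecurity macro
# syntax nor the variable used elsewhere in this file, so the pattern was never
# expanded in the log. It now matches rule 400110.
# NOTE(review): the request body has not been read in phase 1, so &ARGS_POST
# is expected to be 0 here and this rule is unlikely ever to match; rule 400110
# is the effective phase-2 check.
SecRule &ARGS_POST "@gt 0" \
    "id:400111,\
    phase:1, \
    msg:'Requested location [%{tx.bn_pattern}] is on lockdown. No POST data allowed.',\
    logdata:'POST data not allowed.',\
    deny,\
    status:405,\
    severity:WARNING"

SecMarker "BITNINJA-LOCKDOWN"

# Tagging rule: sets tx.wp_admin_in=1 for a /wp-admin/ request that carries a
# wordpress_logged_in_* cookie and got a 200 response, excluding wp-login.php
# and admin-ajax.php. Never blocks.
# NOTE(review): only the presence of the cookie name is checked, not its
# validity. If later rules relax inspection when tx.wp_admin_in is set, confirm
# that the 200-status condition is a sufficient signal of an authenticated
# session.
SecRule REQUEST_URI "@contains /wp-admin/" \
    "id:301090, \
    phase:3,\
    nolog,\
    rev:'1',\
    severity:info,\
    pass,\
    chain"
    SecRule &REQUEST_COOKIES:/^wordpress_logged_in_/ "@ge 1" "t:none,chain"
    SecRule RESPONSE_STATUS "@streq 200" "t:none,chain"
    SecRule REQUEST_URI "!@contains wp-login.php" "t:none,chain"
    SecRule REQUEST_URI "!@contains admin-ajax.php" "t:none,t:normalizePath,setvar:tx.wp_admin_in=1"

# Tagging rule: sets tx.bn_xmlrpc_call=1 for a request to xmlrpc.php whose body
# contains "<methodCall>" and ends with "</methodCall>". Never blocks.
# NOTE(review): this depends on REQUEST_BODY being populated for the request's
# content type (see the note on rule 400114), and a body with trailing
# whitespace does not satisfy "@endsWith". Confirm both.
SecRule REQUEST_URI "@endsWith /xmlrpc.php" "id:301091,phase:2,nolog,severity:info,t:none,t:normalizePath,pass,chain"
    SecRule REQUEST_BODY "@contains <methodCall>" "t:none,chain"
    SecRule REQUEST_BODY "@endsWith </methodCall>" "setvar:tx.bn_xmlrpc_call=1"

# Tagging rule: sets tx.bn_cpanel_call=1 when the POST parameter names include
# both cpanel_jsonapi_module and cpanel_jsonapi_func. Never blocks.
SecRule ARGS_POST_NAMES "^cpanel_jsonapi_module$" "id:301092,phase:2,nolog,severity:info,t:none,t:normalizePath,pass,chain"
    SecRule ARGS_POST_NAMES "^cpanel_jsonapi_func$" "setvar:tx.bn_cpanel_call=1"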