# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.5
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecuirty Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------


#
# TODO in some cases a valid client (usually automated) generates requests that
#      violates the HTTP protocol. Create exceptions for those clients, but try
#      to limit the exception to a source IP or other additional properties of 
#      the request such as URL and not allow the violation generally. 
#

# Use status code 400 response status code by default as protocol violations 
# are in essence bad requests.
SecDefaultAction "log,pass,phase:2,status:400"

# Do not accept requests without common headers. 
#
# Implies either an attacker or a legitimate automation client. 
#
SecRule REQUEST_URI "^/$" "chain,skip:4,nolog,pass"
SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain"
SecRule REQUEST_HEADERS:User-Agent "^Apache.*\(internal dummy connection\)$" "t:none"

SecRule &REQUEST_HEADERS:Host "@eq 0" \
    "skip:1,log,auditlog,msg:'Request Missing a Host Header',id:'960008',severity:'4'"
SecRule REQUEST_HEADERS:Host "^$" \
    "log,auditlog,msg:'Request Missing a Host Header',id:'960008',severity:'4'"    


SecRule &REQUEST_HEADERS:Accept "@eq 0" \
    "chain,skip:1,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015'"
SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"
SecRule REQUEST_HEADERS:Accept "^$" \
    "chain,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015'"
SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"

SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "skip:1,log,auditlog,msg:'Request Missing a User Agent Header',id:'960009',severity:'4'"
SecRule REQUEST_HEADERS:User-Agent "^$" \
    "log,auditlog,msg:'Request Missing a User Agent Header',id:'960009',severity:'4'"


SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
    "chain,log,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:'960904',severity:'4'"
SecRule REQUEST_HEADERS:Content-Length "!^0$"


# Check that the host header is not an IP address 
#
SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "deny,log,auditlog,status:400,msg:'Host header is a numeric IP address', severity:'2',id:'960017'"


# Log a security event when the request is rejected by apache
#
SecRule RESPONSE_STATUS ^400$ "t:none,phase:5,chain,log,auditlog,msg:'Invalid request',id:'960913',severity:'2'"
SecRule WEBSERVER_ERROR_LOG !ModSecurity