Merge pull request #4 from Rev3rseSecurity/v1.1/dev

Rev3rseSecurity · web-flow · commit 4cf7b945f88e · 2018-09-04T17:12:05.000+02:00
v1.1
diff --git a/01-SETUP.conf b/01-SETUP.conf
@@ -101,3 +101,15 @@
 # default: 1
 #
 #SecAction "id:22000030,phase:1,nolog,pass,t:none,setvar:tx.wprs_allow_user_enumeration=1"
+
+
+# -=[ Rule 22000035: DoS Attack ]=-
+# This rule enable or disable protection against DoS attacks.
+# For example prevent CVE-2018-6389.
+#
+# setvar:tx.wprs_check_dos=1 = enable DoS protection
+# setvar:tx.wprs_check_dos=0 = disable DoS protection
+#
+# default: 1
+#
+#SecAction "id:22000035,phase:1,nolog,pass,t:none,setvar:tx.wprs_check_dos=1"
diff --git a/02-INITIALIZATION.conf b/02-INITIALIZATION.conf
@@ -54,6 +54,13 @@ SecRule &tx:wprs_allow_user_enumeration "@eq 0" \
   nolog,\
   setvar:tx.wprs_allow_user_enumeration=1"
 
+SecRule &tx:wprs_check_dos "@eq 0" \
+  "phase:1,\
+  id:22000108,\
+  pass,\
+  nolog,\
+  setvar:tx.wprs_check_dos=1"
+
 SecAction \
   "id:22000199,\
    phase:1,\
diff --git a/03-BRUTEFORCE.conf b/03-BRUTEFORCE.conf
@@ -9,6 +9,20 @@ SecRule tx:wprs_check_bruteforce "@eq 0" \
   nolog,\
   skipAfter:END_WPRS_BRUTEFORCE"
 
+SecRule tx:wprs_check_bruteforce "@eq 0" \
+  "phase:2,\
+  id:22100002,\
+  pass,\
+  nolog,\
+  skipAfter:END_WPRS_BRUTEFORCE"
+
+SecRule tx:wprs_check_bruteforce "@eq 0" \
+  "phase:3,\
+  id:22100003,\
+  pass,\
+  nolog,\
+  skipAfter:END_WPRS_BRUTEFORCE"
+
 SecMarker BEGIN_WPRS_BRUTEFORCE
 
 SecAction "phase:1,id:22100011,nolog,pass,initcol:ip=%{tx.wprs_client_ip}"
diff --git a/04-EVENTS.conf b/04-EVENTS.conf
@@ -40,4 +40,22 @@ SecRule RESPONSE_STATUS "@eq 302" "phase:3,id:22110013,nolog,chain,pass"
         tag:'logout',\
         msg:'WordPress: User logged out'"
 
+SecRule &RESPONSE_HEADERS:Set-Cookie "@eq 1" "phase:3,id:22110014,nolog,chain,pass"
+  SecRule &RESPONSE_HEADERS:Location "@eq 0" "id:22110014,nolog,chain"
+    SecRule REQUEST_METHOD "^POST$" "id:22110014,t:uppercase,nolog,chain"
+      SecRule &ARGS_POST_NAMES:log "@ge 1" "id:22110014,t:lowercase,nolog,chain"
+        SecRule &ARGS_POST_NAMES:pwd "@ge 1" "id:22110014,t:lowercase,nolog,chain"
+          SecRule REQUEST_FILENAME "^/wp\-login\.php" "id:22110014,t:lowercase,\
+            log,\
+            rev:'1',\
+            severity:'6',\
+            maturity:'9',\
+            accuracy:'9',\
+            ver:'%{tx.wprs_version}',\
+            tag:'wordpress',\
+            tag:'login',\
+            tag:'failed',\
+            logdata:'Login failed with username: %{ARGS_POST:log}',\
+            msg:'WordPress: Login failed'"
+
 SecMarker END_WPRS_LOG_AUTH
diff --git a/05-HARDENING.conf b/05-HARDENING.conf
@@ -94,3 +94,30 @@ SecRule REQUEST_FILENAME "^(/wp\-json/wp/v[0-9]+/users)" "phase:1,id:22200033,\
   msg:'WordPress: User enumeration'"
 
 SecMarker END_WPRS_USER_ENUMERATION
+
+SecRule tx:wprs_check_dos "@eq 0" \
+  "phase:1,\
+  id:22200036,\
+  pass,\
+  nolog,\
+  skipAfter:END_WPRS_DOS"
+
+SecMarker BEGIN_WPRS_DOS
+
+SecRule REQUEST_URI "@rx ^/wp\-admin/(load\-styles|load\-scripts)\.php.*load\[\]\=([^&,]*,){20,}" "phase:1,id:22200039,\
+  t:lowercase,t:urlDecode,t:trim,t:normalizePath,t:removeWhitespace,\
+  block,\
+  log,\
+  rev:'1',\
+  severity:'6',\
+  maturity:'9',\
+  accuracy:'9',\
+  capture,\
+  ver:'%{tx.wprs_version}',\
+  tag:'wordpress',\
+  tag:'dos',\
+  tag:'cve-2018-6389',\
+  logdata:'Detected on script: %{TX:1}.php',\
+  msg:'WordPress: DoS Attack Attempt'"
+
+SecMarker END_WPRS_DOS
