Current File: //etc/apache2/conf.d/modsec2/11_asl_data_loss.conf
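# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.x
#
# Created by the Prometheus Global (http://www.prometheus-group.com)
# Copyright 2005-2011 by Prometheus Global, all rights reserved.
# This file, 11_asl_data_loss.conf, is distributed under GPL version 3
# http://www.gnu.org/licenses/gpl.txt
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#
#---ASL-CONFIG-FILE---
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security

# Outbound (phase:4) data-loss rules: they inspect the response after the
# application has produced it. Rules below that carry an explicit `pass`
# override the `deny` set here, so only the error-leak rules actually block.
# NOTE(review): RESPONSE_BODY is only populated when response body buffering
# is enabled (SecResponseBodyAccess On, for the configured MIME types); that
# setting is not in this file -- confirm it, otherwise these rules see nothing.
SecDefaultAction "log,deny,auditlog,phase:4"

#skip for ASL GUI
SecRule SERVER_PORT "@streq 30000" phase:4,id:333710,pass,t:none,nolog,skipAfter:END_POTENTIAL_CREDIT_CARD_OUT

#Detect sensitive numbers in output
# Gate: 333711 is a generic 13-16 digit pre-filter validated by @verifyCC.
# On a match, skip:1 jumps over SecAction 333712 so the per-brand rules run;
# otherwise 333712 skips the whole credit-card section.
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})(?:[^\d]|$)" \
        "phase:4,id:333711,t:none,pass,nolog,skip:1"
SecAction "phase:4,id:333712,t:none,pass,nolog,skipAfter:END_POTENTIAL_CREDIT_CARD_OUT"

# Per-brand rules. Each is a three-rule chain: brand pattern -> copy the
# number into tx.ccdata -> keep only its first four digits in tx.ccdata_begin,
# which is what logdata records. All of them are `pass` (detect, do not block).
# NOTE(review): the chain starters do not carry `capture`, yet the second rule
# of each chain reads TX:1. Confirm on the deployed ModSecurity version that
# TX:1 is populated here; if it is not, the chains never complete and nothing
# is logged.
# NOTE(review): whether the full response body (audit log part E) is written
# to the audit log for these events depends on SecAuditLogParts, set elsewhere;
# check it so that card numbers are not stored in the audit log.

# GSA SmartPay
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)((?:5568|4(?:486|716))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|8699\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \
        "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potential credit card number detected in output (NOT BLOCKED) - GSA SmartPay Card Number sent from site to user',id:'361020',severity:'1',tag:'no_ar'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"

# MasterCard
# NOTE(review): the pattern covers prefixes 51-55 only; MasterCard 2-series
# numbers (2221-2720) are not matched by this rule.
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(5[1-5]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)" \
        "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: MasterCard Credit Card Number sent from site to user',id:'361006',severity:'1',tag:'no_ar'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"

# Visa
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(4\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d(?:\d{3})??)(?:[^\d]|$)" \
        "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potential credit card number detected in output (NOT BLOCKED) -Visa Credit Card Number sent from site to user',id:'361008',severity:'1',tag:'no_ar'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"

# American Express
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(3[47]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \
        "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potential credit card number detected in output (NOT BLOCKED) -American Express Credit Card Number sent from site to user',id:361010,severity:'1',tag:'no_ar'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"

# Diners Club
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)((?:30[0-5]|3[68]\d)\d\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2})(?:[^\d]|$)" \
        "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potential credit card number detected in output (NOT BLOCKED) -Diners Club Credit Card Number sent from site to user',id:'361012',severity:'1',tag:'no_ar'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"

# enRoute
#SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "(?:^|[^\d])(?<!google_ad_client = \"pub-)(2(?:014|149)\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2}|55\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \
#       "logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potential credit card number detected in output (NOT BLOCKED) -enRoute Credit Card Number sent from site to user',id:'361014',severity:'1',tag:'no_ar'"

# Discover
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(6(?:011|5\d{2})\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)" \
        "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potential credit card number detected in output (NOT BLOCKED) -Discover Credit Card Number sent from site to user',id:'361016',severity:'1',tag:'no_ar'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"

# JCB
SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(3\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|(?:1800|21(?:31|00))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \
        "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,pass,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potential credit card number detected in output (NOT BLOCKED) -JCB Credit Card Number sent from site to user',id:'361018',severity:'1',tag:'no_ar'"
SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1}"

SecMarker END_POTENTIAL_CREDIT_CARD_OUT

# Skip the error-leak section for the ASL GUI (module URI on port 30000).
SecRule REQUEST_URI "^/index\.php\?module=asl" \
        phase:4,id:349852,pass,t:none,t:lowercase,nolog,chain,skipAfter:END_DLP_OUTPUT
SecRule SERVER_PORT "@streq 30000"

#Detect potential error messages that leak sensitive information
# Gate: 333713 is a cheap @pm phrase pre-filter. On a match, skip:1 jumps over
# SecAction 333714 so the specific rules run; otherwise 333714 skips the section.
SecRule RESPONSE_BODY "@pm Error Tomcat mysql_connect( MySQL Warning: SQLite. PostgreSQL" "phase:4,t:none,pass,nolog,skip:1,id:333713,tag:'no_ar'"
SecAction "phase:4,t:none,pass,nolog,id:333714,skipAfter:END_POTENTIAL_ERROR_LEAK"

# The rules below block: the leaking page is replaced with a 404 so stack and
# database details never reach the client.
SecRule RESPONSE_BODY "<title>Apache Tomcat.*Error report" "phase:4,deny,status:404,t:none,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potential Error Message with sensitive information sent from tomcat',id:'361019',severity:'1',tag:'no_ar'"

SecRule RESPONSE_BODY "\bWarning: mysql_connect\(\)\:" \
        "phase:4,rev:1,t:none,capture,ctl:auditLogParts=+E,deny,status:404,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potential SQL Information Leakage',id:'361021',severity:'1',tag:'no_ar'"

SecRule RESPONSE_BODY "You have an error in your SQL syntax; check the manual " \
        "phase:4,rev:2,t:none,capture,ctl:auditLogParts=+E,deny,status:404,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potential SQL Information Leakage',id:'361022',severity:'1',tag:'no_ar'"

# The bounded gap is written {0,100}: PCRE does not treat "{,100}" as a
# quantifier but as the literal text "{,100}", so the third alternative could
# never match a real SQLite warning.
SecRule RESPONSE_BODY "SQLite.Exception|System.Data.SQLite.SQLiteException|Warning:.{0,100}(?:sqlite_|SQLite3::)" \
        "phase:4,rev:1,t:none,capture,ctl:auditLogParts=+E,deny,status:404,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potential SQL Information Leakage',id:'361023',severity:'1',tag:'no_ar'"

SecRule RESPONSE_BODY "\bsupplied argument is not a valid MySQL\b" \
        "phase:4,rev:1,t:none,capture,ctl:auditLogParts=+E,deny,status:404,msg:'Atomicorp.com UNSUPPORTED DELAYED Rules: Potential SQL Information Leakage',id:'361024',severity:'1',tag:'no_ar'"

SecRule RESPONSE_BODY "\bsupplied argument is not a valid PostgreSQL result\b" \
        "phase:4,rev:1,t:none,capture,ctl:auditLogParts=+E,deny,status:404,msg:'SQL Information Leakage',id:'361025',severity:'1',tag:'no_ar'"

SecMarker END_DLP_OUTPUT
SecMarker END_POTENTIAL_ERROR_LEAK

# Local exception: Visa detection (361008) is switched off for this path.
# NOTE(review): LocationMatch takes an unanchored regex, so the exception
# applies to any URL path containing this string -- confirm that is intended.
<LocationMatch /ajax/getSymptoms.php>
SecRuleRemoveById 361008
</LocationMatch>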