# ---------------------------------------------------------------
# Comodo ModSecurity Rules
# Copyright (C) 2022 Comodo Security solutions All rights reserved.
#
# The COMODO SECURITY SOLUTIONS Mod Security Rule Set is distributed under
# THE COMODO SECURITY SOLUTIONS END USER LICENSE AGREEMENT,
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
# This is a FILE CONTAINING CHANGED or MODIFIED RULES FROM THE:
# OWASP ModSecurity Core Rule Set (CRS)
# ---------------------------------------------------------------

SecRule REQUEST_FILENAME "\.(avi|bmp|css|cgm|gif|ico|js|mp(3|4)|og(m|v|x)|p(n(g|m)|(b|g|p)m)|svg|swf|tiff{0,1}|w(ebp|mv)|(j|m)pe{0,1}g4{0,1})$" \
	"id:210900,phase:2,pass,nolog,t:none,t:lowercase,skipAfter:'SECMARKER_210900',rev:1,severity:2,tag:'CWAF',tag:'Domains'"

SecRule REQUEST_URI "/imp/compose\.php" \
	"id:210910,phase:2,pass,nolog,t:none,t:lowercase,skipAfter:'SECMARKER_210900',rev:1,severity:2,tag:'CWAF',tag:'Domains'"

SecRule ARGS|REQUEST_BODY|REQUEST_URI|XML:/*|!ARGS:/body/|!ARGS:/description/|!ARGS:/subject/|!ARGS:/txt/|!ARGS:resolution "(?:data|gopher|ogg|php|zlib|(?:f|ht)tps{0,1}):/" \
	"id:210930,chain,msg:'COMODO WAF: Malicious site name found in body||%{tx.domain}|%{tx.mode}|2',phase:2,capture,deny,status:403,logdata:'%{TX.0}',t:none,t:base64Decode,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace,t:lowercase,rev:3,severity:2,tag:'CWAF',tag:'Domains'"
SecRule ARGS|REQUEST_BODY|REQUEST_URI|!ARGS:/body/|!ARGS:/description/|!ARGS:/subject/|!ARGS:/txt/ "!@pmFromFile userdata_wl_domains" \
	"chain,t:base64Decode,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace"
SecRule ARGS|REQUEST_BODY|REQUEST_URI|!ARGS:/body/|!ARGS:/description/|!ARGS:/subject/|!ARGS:/txt/ "@pmFromFile bl_domains" \
	"t:none,t:base64Decode,t:urlDecodeUni,t:replaceNulls,t:compressWhiteSpace"

SecMarker SECMARKER_210900