This is mine, but I think this ruleset is not good:
<IfModule mod_security.c>
# Turn the filtering engine On or Off
# (DynamicOnly inspects only requests for dynamically generated content;
# On inspects every request)
SecFilterEngine DynamicOnly
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding On
SecFilterCheckCookieFormat On
# Only allow bytes from this range
SecFilterForceByteRange 32 254
# SecFilterForceByteRange 0 255
# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis
SecAuditEngine On
# The name of the audit log file
SecAuditLog logs/audit_log
# Debug log; level 9 is the most verbose setting and is only
# meant for debugging, lower it (e.g. to 0) in production
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 9
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Action to take by default
SecFilterDefaultAction "deny,log,status:500"
#SecFilterDefaultAction "status:500,log,pass"
SecFilterSelective ARG_p secret allow
# Redirect user on filter match
SecFilter xxx redirect:http://www.webkreator.com
# Execute the external script on filter match
SecFilter yyy log,exec:/home/users/ivanr/apache/bin/report-attack.pl
SecFilterSelective ARG_b2inc "!^$"
# Simple filter
SecFilter 111 pause:5000
# Only check the QUERY_STRING variable
SecFilterSelective QUERY_STRING 222
# Only check the body of the POST request
SecFilterSelective POST_PAYLOAD 333
# Only check arguments (will work for GET and POST)
SecFilterSelective ARGS 444
# Test filter
SecFilter "/cgi-bin/modsec-test.pl/keyword"
# Another test filter, will be denied with 500 but not logged;
# the action supplied as a parameter overrides the default action
SecFilter 999 "deny,nolog,status:500"
# Prevent OS specific keywords
SecFilter /etc/passwd
# Prevent path traversal (..) attacks
SecFilter "\.\./"
# Weaker XSS protection but allows common HTML tags
# (POSIX character classes must be written inside a bracket
# expression, i.e. [[:space:]], not [:space:])
SecFilter "<[[:space:]]*script"
# Prevent XSS attacks (HTML/Javascript injection); this blocks
# any HTML tag at all, so it cannot coexist with the weaker rule above
SecFilter "<.+>"
# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
# Require HTTP_USER_AGENT and HTTP_HOST headers
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# Forbid file upload
# SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data
# Only watch argument p1
SecFilterSelective "ARG_p1" 555
# Watch all arguments except p2
SecFilterSelective "ARGS|!ARG_p2" 666
# Only allow our own test utility to send requests (or Mozilla/Links);
# note that this is a test rule from the example config and will
# reject every other browser and client
SecFilterSelective HTTP_USER_AGENT "!(mod_security|mozilla|links)"
# Do not allow variables with this name
SecFilterSelective ARGS_NAMES 777
# Do not allow this variable value (names are ok)
SecFilterSelective ARGS_VALUES 888
# Test for a POST variable parsing bug, see test #41
SecFilterSelective ARG_p2 AAA
# Stop spamming through FormMail
# note the exclamation mark at the beginning
# of the filter - only requests that match this regex will
# be allowed
<Location /cgi-bin/FormMail>
SecFilterSelective "ARG_recipient" "!@webkreator.com$"
</Location>
# when allowing upload, only allow images
# note that this is not foolproof, a determined attacker
# could get around this
<Location /fileupload.php>
SecFilterInheritance Off
SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)"
</Location>
# SecChrootDir /chroot/apache
# Test rule from the example config (matches the word "chicken" anywhere
# in the request); it has no security purpose
SecFilter "chicken"
SecFilterSelective ARG_p "/bin/ls"
SecServerSignature "MyServer x.y.z"
# SecFilterSelective REQUEST_URI "!^[-a-zA-Z0-9\\._/]+$"
# SecFilter "!^[-a-zA-Z0-9_/.?]+$"
# test 50
SecFilterSelective ARG_q1 value1 chained
SecFilterSelective ARG_q2 value2
# test 51
SecFilterSelective ARG_q3 value3 skipnext
SecFilterSelective ARG_q3 value3
# test 52
SecFilterSelective ARG_q5 value5 skipnext:2
SecFilterSelective ARG_q5 value5
SecFilterSelective ARG_q5 value5
# test 52 - repeated with skip as an action
SecFilterSelective ARG_q5 value5 skip:2
SecFilterSelective ARG_q5 value5
SecFilterSelective ARG_q5 value5
# test 53
SecFilterSelective COOKIE_phpsessid "!(^$|^[a-zA-Z0-9]+$)"
# test 55
SecFilterSelective COOKIES_NAMES "fakephpsessid"
# test 56
SecFilterSelective COOKIES_VALUES "!(^$|^[a-zA-Z0-9]+$)"
# test 57
SecFilter "wget\x20wget"
SecFilterScanOutput On
# SecFilterOutputMimeTypes "(null) text/html text/plain"
SecFilterSelective OUTPUT "Fatal error:"
# test 70
SecFilterSelective ARGS "-bug70-"
</IfModule>
On this site you'll find more, but I don't know which is the best to use!
http://www.gotroot.com
Any help?
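An added example, not the poster's ruleset and not one of the gotroot.com rulesets: a trimmed mod_security 1.x configuration that keeps the protocol sanity checks and the generic attack-string filters from the ruleset above and drops the entries that only exist for the mod_security test suite (the pause: rule, "chicken", the 111/222/333 keyword tests, the mozilla-only User-Agent check, the chained/skipnext tests, the bug70 check). The log paths, the 403 status code and the server signature string are assumptions to adapt to your own layout.

```apache
# Added example, not the posted ruleset: a minimal production
# mod_security 1.x configuration. Paths, status code and signature
# are assumptions.
<IfModule mod_security.c>
    # Inspect every request, not only dynamically generated ones,
    # so that /cgi-bin/ and static paths are checked too
    SecFilterEngine On

    # Reject malformed URL/Unicode encoding and badly formed cookies
    SecFilterCheckURLEncoding On
    SecFilterCheckUnicodeEncoding On
    SecFilterCheckCookieFormat On

    # Printable ASCII only; widen the range (e.g. 32 255)
    # if your forms legitimately receive non-ASCII input
    SecFilterForceByteRange 32 126

    # Inspect POST bodies; leave output scanning off unless you
    # actually filter responses
    SecFilterScanPOST On
    SecFilterScanOutput Off

    # Log only the requests that triggered a rule, and keep the
    # debug log quiet outside of troubleshooting
    SecAuditEngine RelevantOnly
    SecAuditLog logs/audit_log
    SecFilterDebugLog logs/modsec_debug_log
    SecFilterDebugLevel 0

    # Block and log by default; 403 instead of 500 so a blocked
    # request is not mistaken for an application crash
    SecFilterDefaultAction "deny,log,status:403"

    # Hide the real server banner (assumed value)
    SecServerSignature "Apache"

    # Generic attack strings kept from the posted ruleset; these are
    # crude and will produce false positives on free-text fields
    SecFilter /etc/passwd
    SecFilter "\.\./"
    SecFilter "<[[:space:]]*script"
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "select.+from"

    # Require a Host and a User-Agent header on every request
    SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

    # A PHP session cookie, if present, must be alphanumeric
    SecFilterSelective COOKIE_phpsessid "!(^$|^[a-zA-Z0-9]+$)"
</IfModule>
```

The full-HTML filter `SecFilter "<.+>"` from the posted ruleset is intentionally left out here: it rejects any request containing an HTML tag, which breaks every form that accepts markup, and it makes the weaker `<[[:space:]]*script` rule redundant. Add it back only for applications that never accept angle brackets in input.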