Elgato_dark/bunkerweb
1
0
Fork 0
mirror of https://github.com/bunkerity/bunkerweb synced 2026-05-24 09:28:37 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

update: Update Coreruleset v4 to version 4.5.0

Browse source
This commit is contained in:
Théophile Diot 2024-07-24 12:26:26 +01:00
parent d152ea33c3
commit 198f087896
No known key found for this signature in database
GPG key ID: FA995104A0BA376A
39 changed files with 762 additions and 741 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
src/common/core/modsecurity/files/coreruleset-v4/.github/ISSUE_TEMPLATE/config.yml vendored
View file

@ -1,8 +1,8 @@
blank_issues_enabled: false
contact_links:
- name: Help and support
url: https://security.stackexchange.com/questions/tagged/owasp-crs
url: https://security.stackexchange.com/questions/tagged/owasp-crs
about: For help and support please go here.
- name: OWASP Core Rule Set mailing list
url: https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project
url: https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project
about: Ask general usage questions and participate in discussions on the CRS.

25
src/common/core/modsecurity/files/coreruleset-v4/.github/workflows/test.yml vendored
View file

@ -16,7 +16,7 @@ on:
# Pin tool versions to prevent problems
env:
GO_FTW_VERSION: '0.6.4'
GO_FTW_VERSION: '1.0.3'
jobs:
regression:
@ -36,22 +36,27 @@ jobs:
-p "ftw_${{ env.GO_FTW_VERSION }}_linux_amd64.tar.gz" -O - | tar -xzvf - ftw
- name: "Run tests for ${{ matrix.modsec_version }}"
env:
FTW_LOGFILE: './tests/logs/${{ matrix.modsec_version }}/error.log'
run: |
mkdir -p "tests/logs/${{ matrix.modsec_version }}/{nginx,apache2}"
chmod -R o+rw "tests/logs"
docker-compose -f ./tests/docker-compose.yml up -d "${{ matrix.modsec_version }}"
docker-compose -f ./tests/docker-compose.yml logs
[ "$(docker inspect ${{ matrix.modsec_version }} --format='{{.State.Running}}')" = "true" ]
./ftw check -d tests/regression/tests
./ftw run -d tests/regression/tests --show-failures-only
if ! [ "$(docker inspect ${{ matrix.modsec_version }} --format='{{.State.Running}}')" = "true" ]; then
echo "Web server failed to start. Aborting."
exit 1
fi
- name: "Change permissions if failed"
./ftw check -d tests/regression/tests
./ftw run \
-d tests/regression/tests \
--log-file "tests/logs/${{ matrix.modsec_version }}/error.log" \
--overrides tests/regression/httpd-overrides.yaml \
--show-failures-only
- name: "Change permissions of artifacts for upload"
if: failure()
run: |
# we want to get the audit log, so change permissions (file is only for root on docker)
sudo chmod 644 tests/logs/${{ matrix.modsec_version }}/modsec_audit.log
# Files created from the container will belong to root
sudo chmod -R a+r tests/logs
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
if: failure()

58
src/common/core/modsecurity/files/coreruleset-v4/CONTRIBUTING.md vendored
View file

@ -372,23 +372,23 @@ Documentation on how to run the CRS test suite can be found in the [online docum
Example of a simple *positive test*:
```yaml
- test_title: 932230-26
- test_id: 26
desc: "Unix command injection"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: POST
port: 80
uri: "/post"
data: "var=` /bin/cat /etc/passwd`"
version: HTTP/1.1
output:
log_contains: id "932230"
- input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: POST
port: 80
uri: "/post"
data: "var=` /bin/cat /etc/passwd`"
version: HTTP/1.1
output:
log:
expect_ids: [932230]
```
This test will succeed if the log output contains `id "932230"`, which would indicate that the rule in question matched and generated an alert.
@ -402,21 +402,21 @@ The rule's description field, `desc`, is important. It should describe what is b
Example of a simple *negative test*:
```yaml
- test_title: 932260-4
- test_id: 4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "OWASP CRS test agent"
Host: "localhost"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
data: 'foo=ping pong tables'
uri: '/post'
output:
no_log_contains: id "932260"
- input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: "OWASP CRS test agent"
Host: "localhost"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
data: 'foo=ping pong tables'
uri: '/post'
output:
log:
no_expect_ids: [932260]
```
This test will succeed if the log output does **not** contain `id "932260"`, which would indicate that the rule in question did **not** match and so did **not** generate an alert.

7
src/common/core/modsecurity/files/coreruleset-v4/README.md vendored
View file

@ -1,10 +1,11 @@
![GHA build main](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=main)</br>
![GHA build v4.0/dev](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v4.0%2Fdev)
![GHA build v3.3/dev](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v3.3%2Fdev)
[![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-38a047.svg)](https://owasp.org/projects/)
[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1390/badge)](https://bestpractices.coreinfrastructure.org/projects/1390)
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
| Branch | Status |
---------|-------|
| main | ![GHA build main](https://github.com/coreruleset/coreruleset/actions/workflows/test.yml/badge.svg?branch=main) |
| v3.3/master | ![GHA build v3.3/master](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v3.3%2Fmaster) |
# OWASP CRS

9
src/common/core/modsecurity/files/coreruleset-v4/SECURITY.md vendored
View file

@ -11,9 +11,12 @@ Along those lines, OWASP CRS team may not issue security notifications for unsup
| Version | Supported |
| --------- | ------------------ |
| 4.2.0 | :white_check_mark: |
| 4.1.0 | :white_check_mark: |
| 4.0.0 | :white_check_mark: |
| 4.5.x | :white_check_mark: |
| 4.4.x | :white_check_mark: |
| 4.3.x | :x: |
| 4.2.x | :x: |
| 4.1.x | :x: |
| 4.0.x | :x: |
| 3.3.x | :white_check_mark: |
| 3.2.x | :x: |
| 3.1.x | :x: |

54
src/common/core/modsecurity/files/coreruleset-v4/crs-setup.conf.example vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -181,7 +181,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.blocking_paranoia_level=1"
@ -209,7 +209,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.detection_paranoia_level=1"
@ -235,7 +235,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.enforce_bodyproc_urlencoded=1"
@ -270,7 +270,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.critical_anomaly_score=5,\
# setvar:tx.error_anomaly_score=4,\
# setvar:tx.warning_anomaly_score=3,\
@ -324,7 +324,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.inbound_anomaly_score_threshold=5,\
# setvar:tx.outbound_anomaly_score_threshold=4"
@ -385,7 +385,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.reporting_level=4"
@ -417,7 +417,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.early_blocking=1"
@ -438,7 +438,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.enable_default_collections=1"
@ -466,7 +466,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
# Content-Types that a client is allowed to send in a request.
@ -496,7 +496,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# nolog,\
# tag:'OWASP_CRS',\
# ctl:ruleRemoveById=920420,\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# chain"
# SecRule REQUEST_URI "@rx ^/foo/bar" \
# "t:none"
@ -510,7 +510,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
# Allowed HTTP versions.
@ -526,7 +526,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
# Forbidden file extensions.
@ -550,7 +550,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
# Restricted request headers.
@ -595,7 +595,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
#
# [ Extended ]
@ -621,7 +621,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:'tx.restricted_headers_extended=/accept-charset/'"
# Content-Types charsets that a client is allowed to send in a request.
@ -635,7 +635,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
#
@ -661,7 +661,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.max_num_args=255"
# Block request if the length of any argument name is too high
@ -675,7 +675,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.arg_name_length=100"
# Block request if the length of any argument value is too high
@ -689,7 +689,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.arg_length=400"
# Block request if the total length of all combined arguments is too high
@ -703,7 +703,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.total_arg_length=64000"
# Block request if the file size of any individual uploaded file is too high
@ -717,7 +717,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.max_file_size=1048576"
# Block request if the total size of all combined uploaded files is too high
@ -731,7 +731,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.combined_file_sizes=1048576"
@ -771,7 +771,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.sampling_percentage=100"
@ -792,7 +792,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.crs_validate_utf8_encoding=1"
@ -814,5 +814,5 @@ SecAction \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
setvar:tx.crs_setup_version=440"
ver:'OWASP_CRS/4.5.0',\
setvar:tx.crs_setup_version=450"

7
src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932175.ra vendored
View file

@ -16,8 +16,13 @@
\b\s+
##!=>
##! match flags
(?:[+\-][a-z]+\+?\s+)?
##!=>
##! match the alias name
['"\w!%,@]+
##! The '.' and '-' character match payloads like "alias ls-al='ls -al'" and "alias ..='cd ..'"
[.'"\w!%\-,@]+
##!=>
##! match equals something

2
src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932320.ra vendored
View file

@ -15,4 +15,4 @@ DELE \d+?
UIDL(?: \d+)?
APOP [\w]+ [a-f0-9]{32}
TOP \d+(?: \d+)?
AUTH [A-Z0-9-_]{1,20} (?:=|(?:[\w+/]{4})*(?:[\w+/]{2}==|[\w+/]{3}=))
AUTH [a-z0-9-_]{1,20} (?:=|(?:[\w+/]{4})*(?:[\w+/]{2}==|[\w+/]{3}=))

3
src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/932130.ra vendored
View file

@ -5,7 +5,10 @@
\$\{.*\}
<\(.*\)
>\(.*\)
##! arithmetic expansion
\$\(\(.*\)\)
##! arithmetic expansion (deprecated in bash, but exists in other shells, like zsh)
\$\[.*\]
##! Find wordlist bypasses using [ ] glob characters, like: /e[t]c
##! Require a / in front to prevent false positives like [text in brackets]

4
src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/unix-shell-evasion-prefix.ra vendored
View file

@ -39,8 +39,10 @@
\r
##! $(ifconfig)
\$\(
##! $((ifconfig))
##! $((1+2)) arithmetic expansion
\$\(\(
##! $[1+2] arithmetic expansion (deprecated in bash, but exists in other shells, like zsh)
\$\[
##! `ifconfig`
`
##! ${ifconfig}

2
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#

62
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-901-INITIALIZATION.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -26,7 +26,7 @@
#
# Ref: https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#seccomponentsignature
#
SecComponentSignature "OWASP_CRS/4.4.0"
SecComponentSignature "OWASP_CRS/4.5.0"
#
# -=[ Default setup values ]=-
@ -60,7 +60,7 @@ SecRule &TX:crs_setup_version "@eq 0" \
auditlog,\
msg:'ModSecurity CRS is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL'"
@ -79,7 +79,7 @@ SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.inbound_anomaly_score_threshold=5'"
# Default Outbound Anomaly Threshold Level (rule 900110 in crs-setup.conf)
@ -89,7 +89,7 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.outbound_anomaly_score_threshold=4'"
# Default Reporting Level (rule 900115 in crs-setup.conf)
@ -99,7 +99,7 @@ SecRule &TX:reporting_level "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.reporting_level=4'"
# Default Early Blocking (rule 900120 in crs-setup.conf)
@ -109,7 +109,7 @@ SecRule &TX:early_blocking "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.early_blocking=0'"
# Default Blocking Paranoia Level (rule 900000 in crs-setup.conf)
@ -119,7 +119,7 @@ SecRule &TX:blocking_paranoia_level "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.blocking_paranoia_level=1'"
# Default Detection Paranoia Level (rule 900001 in crs-setup.conf)
@ -129,7 +129,7 @@ SecRule &TX:detection_paranoia_level "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.detection_paranoia_level=%{TX.blocking_paranoia_level}'"
# Default Sampling Percentage (rule 900400 in crs-setup.conf)
@ -139,7 +139,7 @@ SecRule &TX:sampling_percentage "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.sampling_percentage=100'"
# Default Anomaly Scores (rule 900100 in crs-setup.conf)
@ -149,7 +149,7 @@ SecRule &TX:critical_anomaly_score "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.critical_anomaly_score=5'"
SecRule &TX:error_anomaly_score "@eq 0" \
@ -158,7 +158,7 @@ SecRule &TX:error_anomaly_score "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.error_anomaly_score=4'"
SecRule &TX:warning_anomaly_score "@eq 0" \
@ -167,7 +167,7 @@ SecRule &TX:warning_anomaly_score "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.warning_anomaly_score=3'"
SecRule &TX:notice_anomaly_score "@eq 0" \
@ -176,7 +176,7 @@ SecRule &TX:notice_anomaly_score "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.notice_anomaly_score=2'"
# Default HTTP policy: allowed_methods (rule 900200 in crs-setup.conf)
@ -186,7 +186,7 @@ SecRule &TX:allowed_methods "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
# Default HTTP policy: allowed_request_content_type (rule 900220 in crs-setup.conf)
@ -196,7 +196,7 @@ SecRule &TX:allowed_request_content_type "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
# Default HTTP policy: allowed_request_content_type_charset (rule 900280 in crs-setup.conf)
@ -206,7 +206,7 @@ SecRule &TX:allowed_request_content_type_charset "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
# Default HTTP policy: allowed_http_versions (rule 900230 in crs-setup.conf)
@ -216,7 +216,7 @@ SecRule &TX:allowed_http_versions "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
# Default HTTP policy: restricted_extensions (rule 900240 in crs-setup.conf)
@ -226,7 +226,7 @@ SecRule &TX:restricted_extensions "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
# Default HTTP policy: restricted_headers_basic (rule 900250 in crs-setup.conf)
@ -236,7 +236,7 @@ SecRule &TX:restricted_headers_basic "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
# Default HTTP policy: restricted_headers_extended (rule 900255 in crs-setup.conf)
@ -246,7 +246,7 @@ SecRule &TX:restricted_headers_extended "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.restricted_headers_extended=/accept-charset/'"
# Default enforcing of body processor URLENCODED (rule 900010 in crs-setup.conf)
@ -256,7 +256,7 @@ SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.enforce_bodyproc_urlencoded=0'"
# Default check for UTF8 encoding validation (rule 900950 in crs-setup.conf)
@ -266,7 +266,7 @@ SecRule &TX:crs_validate_utf8_encoding "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.crs_validate_utf8_encoding=0'"
#
@ -284,7 +284,7 @@ SecAction \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.blocking_inbound_anomaly_score=0',\
setvar:'tx.detection_inbound_anomaly_score=0',\
setvar:'tx.inbound_anomaly_score_pl1=0',\
@ -326,7 +326,7 @@ SecRule TX:ENABLE_DEFAULT_COLLECTIONS "@eq 1" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.ua_hash=%{REQUEST_HEADERS.User-Agent}',\
chain"
SecRule TX:ua_hash "@unconditionalMatch" \
@ -350,7 +350,7 @@ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
msg:'Enabling body inspection',\
tag:'OWASP_CRS',\
ctl:forceRequestBodyVariable=On,\
ver:'OWASP_CRS/4.4.0'"
ver:'OWASP_CRS/4.5.0'"
# Force body processor URLENCODED
SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
@ -362,7 +362,7 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
noauditlog,\
msg:'Enabling forced body inspection for ASCII content',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
chain"
SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
"ctl:requestBodyProcessor=URLENCODED"
@ -402,7 +402,7 @@ SecRule TX:sampling_percentage "@eq 100" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
skipAfter:END-SAMPLING"
SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
@ -413,7 +413,7 @@ SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
t:sha1,t:hexEncode,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'"
#
@ -438,7 +438,7 @@ SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\
tag:'OWASP_CRS',\
ctl:ruleRemoveByTag=OWASP_CRS,\
ver:'OWASP_CRS/4.4.0'"
ver:'OWASP_CRS/4.5.0'"
SecMarker "END-SAMPLING"
@ -457,4 +457,4 @@ SecRule TX:detection_paranoia_level "@lt %{tx.blocking_paranoia_level}" \
log,\
msg:'Detection paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0'"
ver:'OWASP_CRS/4.5.0'"

6
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-905-COMMON-EXCEPTIONS.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -25,7 +25,7 @@ SecRule REQUEST_LINE "@streq GET /" \
tag:'platform-apache',\
tag:'attack-generic',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
chain"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
"t:none,\
@ -46,7 +46,7 @@ SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
tag:'platform-apache',\
tag:'attack-generic',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
chain"
SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \
"t:none,\

20
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-911-METHOD-ENFORCEMENT.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -39,31 +39,31 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/274',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

20
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-913-SCANNER-DETECTION.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -51,29 +51,29 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

136
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -23,8 +23,8 @@
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -64,7 +64,7 @@ SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\x0b#]*)?(?:#[^\s\x0b]*)
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -119,7 +119,7 @@ SecRule FILES|FILES_NAMES "!@rx (?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[a
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -148,7 +148,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -182,7 +182,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \
@ -207,7 +207,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
chain"
SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
@ -247,7 +247,7 @@ SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'WARNING',\
chain"
SecRule REQUEST_METHOD "@streq POST" \
@ -277,7 +277,7 @@ SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'WARNING',\
chain"
SecRule &REQUEST_HEADERS:Content-Length "!@eq 0" \
@ -315,7 +315,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'WARNING',\
chain"
SecRule TX:2 "@lt %{tx.1}" \
@ -347,7 +347,7 @@ SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -388,7 +388,7 @@ SecRule REQUEST_URI_RAW "@rx \x25" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_URI_RAW "@rx ^(.*)/(?:[^\?]+)?(\?.*)?$" \
@ -422,7 +422,7 @@ SecRule REQUEST_BASENAME "!@rx ^.*%.*\.[^\s\x0b\.]+$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
chain"
SecRule TX:0 "@validateUrlEncoding" \
@ -453,7 +453,7 @@ SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'WARNING',\
chain"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \
@ -497,7 +497,7 @@ SecRule REQUEST_URI|REQUEST_BODY "@rx (?i)%uff[0-9a-f]{2}" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -553,7 +553,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -585,7 +585,7 @@ SecRule &REQUEST_HEADERS:Host "@eq 0" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
skipAfter:END-HOST-CHECK"
@ -604,7 +604,7 @@ SecRule REQUEST_HEADERS:Host "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -644,7 +644,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'NOTICE',\
chain"
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@ -669,7 +669,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'NOTICE',\
chain"
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@ -702,7 +702,7 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'NOTICE',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
@ -739,7 +739,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'NOTICE',\
chain"
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@ -784,7 +784,7 @@ SecRule REQUEST_HEADERS:Host "@rx (?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -816,7 +816,7 @@ SecRule &TX:MAX_NUM_ARGS "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
chain"
SecRule &ARGS "@gt %{tx.max_num_args}" \
@ -841,7 +841,7 @@ SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
chain"
SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" \
@ -868,7 +868,7 @@ SecRule &TX:ARG_LENGTH "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
chain"
SecRule ARGS "@gt %{tx.arg_length}" \
@ -892,7 +892,7 @@ SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
chain"
SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" \
@ -917,7 +917,7 @@ SecRule &TX:MAX_FILE_SIZE "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
@ -943,7 +943,7 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
chain"
SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \
@ -983,7 +983,7 @@ SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+*-]+(?:\s?;\s?(?:action|bounda
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1006,7 +1006,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.content_type=|%{tx.0}|',\
chain"
@ -1034,7 +1034,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.content_type_charset=|%{tx.1}|',\
chain"
@ -1061,7 +1061,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1083,7 +1083,7 @@ SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1106,7 +1106,7 @@ SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.extension=.%{tx.1}/',\
chain"
@ -1133,7 +1133,7 @@ SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1187,7 +1187,7 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.header_name_920450_%{tx.0}=/%{tx.0}/',\
chain"
@ -1221,7 +1221,7 @@ SecRule REQUEST_HEADERS:Accept-Encoding "@gt 100" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1253,7 +1253,7 @@ SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1276,7 +1276,7 @@ SecRule REQBODY_PROCESSOR "!@streq JSON" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?i)\x5cu[0-9a-f]{4}" \
@ -1300,7 +1300,7 @@ SecRule REQUEST_URI_RAW "@contains #" \
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1332,13 +1332,13 @@ SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -1377,7 +1377,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'WARNING',\
chain"
SecRule REQUEST_BASENAME "!@endsWith .pdf" \
@ -1401,7 +1401,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'WARNING',\
chain"
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \
@ -1422,7 +1422,7 @@ SecRule ARGS "@rx %[0-9a-fA-F]{2}" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/120',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
@ -1444,7 +1444,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1471,7 +1471,7 @@ SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'NOTICE',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.notice_anomaly_score}'"
@ -1493,7 +1493,7 @@ SecRule FILES_NAMES|FILES "@rx ['\";=]" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1518,7 +1518,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
chain"
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@ -1545,7 +1545,7 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.header_name_920451_%{tx.0}=/%{tx.0}/',\
chain"
@ -1572,7 +1572,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'WARNING',\
chain"
SecRule REQUEST_BODY "@rx \x25" \
@ -1580,8 +1580,8 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded
SecRule REQUEST_BODY "@validateUrlEncoding" \
"setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
@ -1606,7 +1606,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteR
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -1640,7 +1640,7 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'NOTICE',\
chain"
SecRule REQUEST_METHOD "!@rx ^(?:OPTIONS|CONNECT)$" \
@ -1673,7 +1673,7 @@ SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \
@ -1726,7 +1726,7 @@ SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:\s*\,\s*|$)){1,7}$" \
@ -1757,12 +1757,12 @@ SecRule REQUEST_HEADERS:Accept-Encoding "!@rx br|compress|deflate|(?:pack200-)?g
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
@ -1785,7 +1785,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'WARNING',\
chain"
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
@ -1812,7 +1812,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@ -1833,7 +1833,7 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@ -1859,7 +1859,7 @@ SecRule REQUEST_HEADERS:Sec-Fetch-User|REQUEST_HEADERS:Sec-CH-UA-Mobile "!@rx ^(
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@ -1903,7 +1903,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\x5c])\x5c[cdegh
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/153/267',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"

52
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-921-PROTOCOL-ATTACK.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -46,7 +46,7 @@ SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connec
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -78,7 +78,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/34',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -99,7 +99,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/34',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -133,7 +133,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/273',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -161,7 +161,7 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -182,7 +182,7 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -208,7 +208,7 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/34',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -241,7 +241,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/136',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -274,7 +274,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?(?:applicati
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -300,13 +300,13 @@ SecRule REQUEST_URI "@rx unix:[^|]*\|" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -333,7 +333,7 @@ SecRule ARGS_GET "@rx [\n\r]" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -369,13 +369,13 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?\b(?:((?:tex
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
@ -405,7 +405,7 @@ SecRule &REQUEST_HEADERS:Range "@gt 0" \
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -439,7 +439,7 @@ SecRule ARGS_NAMES "@rx ." \
tag:'attack-protocol',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/15/460',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
SecRule TX:/paramcounter_.*/ "@gt 1" \
@ -455,7 +455,7 @@ SecRule TX:/paramcounter_.*/ "@gt 1" \
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/15/460',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \
@ -500,15 +500,15 @@ SecRule ARGS_NAMES "@rx (][^\]]+$|][^\]]+\[)" \
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/15/460',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
@ -548,7 +548,7 @@ SecRule ARGS_NAMES "@rx \[" \
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/15/460',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"

8
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-922-MULTIPART-ATTACK.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -38,7 +38,7 @@ SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.922100_charset=|%{ARGS._charset_}|',\
chain"
@ -69,7 +69,7 @@ SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*:\s*(.*)$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/272/220',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
chain"
SecRule TX:1 "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*(?:[\s\x0b]*,[\s\x0b]*(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*)*$" \
@ -92,6 +92,6 @@ SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/272/220',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

28
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -47,7 +47,7 @@ SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
@ -79,7 +79,7 @@ SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@ -110,7 +110,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
tag:'PCI/6.5.4',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -137,15 +137,15 @@ SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
tag:'PCI/6.5.4',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -175,22 +175,22 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@pmFromFile lfi-os-f
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
tag:'PCI/6.5.4',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

28
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -17,8 +17,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -49,7 +49,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?)://(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -69,7 +69,7 @@ SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_abso
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -89,15 +89,15 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -128,7 +128,7 @@ SecRule ARGS "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|it
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
chain"
@ -158,7 +158,7 @@ SecRule REQUEST_FILENAME "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
chain"
@ -167,16 +167,16 @@ SecRule REQUEST_FILENAME "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

130
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf vendored
View file

File diff suppressed because one or more lines are too long

52
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -59,7 +59,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -100,7 +100,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -124,7 +124,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.933120_matched_var=%{MATCHED_VAR}',\
setvar:'tx.933120_matched_var_name=%{MATCHED_VAR_NAME}',\
@ -155,7 +155,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -191,7 +191,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -227,7 +227,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -294,7 +294,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -346,7 +346,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -401,7 +401,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -456,7 +456,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -503,13 +503,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -546,7 +546,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.933151_matched_var=%{MATCHED_VAR}',\
setvar:'tx.933151_matched_var_name=%{MATCHED_VAR_NAME}',\
@ -561,8 +561,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
@ -604,7 +604,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -648,7 +648,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -690,7 +690,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -719,7 +719,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -754,14 +754,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

36
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -65,7 +65,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@ -100,7 +100,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/664',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -135,7 +135,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1/180/77',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@ -167,7 +167,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -198,7 +198,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@ -228,13 +228,13 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -256,7 +256,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@ -308,7 +308,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/664',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -340,20 +340,20 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

86
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -62,7 +62,7 @@ SecRule REQUEST_FILENAME "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-12
nolog,\
tag:'OWASP_CRS',\
ctl:ruleRemoveTargetByTag=xss-perf-disable;REQUEST_FILENAME,\
ver:'OWASP_CRS/4.4.0'"
ver:'OWASP_CRS/4.5.0'"
#
@ -94,7 +94,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -121,7 +121,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -151,7 +151,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -180,7 +180,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -213,7 +213,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -238,7 +238,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -265,7 +265,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -292,7 +292,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -314,7 +314,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -336,7 +336,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -358,7 +358,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -380,7 +380,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -402,7 +402,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -424,7 +424,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -446,7 +446,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -468,7 +468,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -490,7 +490,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -512,7 +512,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -534,7 +534,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -594,7 +594,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS "@rx (?:\xbc\s*/\s*[^\xbe>]*[\xbe>])|(?:<\s*/\s*[^\xbe]*\xbe)" \
@ -623,7 +623,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -665,7 +665,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -693,7 +693,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|REQU
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -725,7 +725,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -755,14 +755,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -786,7 +786,7 @@ SecRule REQUEST_FILENAME|REQUEST_HEADERS:Referer "@detectXSS" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -820,7 +820,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -846,7 +846,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -874,7 +874,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -962,7 +962,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
tag:'PCI/6.5.1',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -984,7 +984,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'PCI/6.5.1',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1009,7 +1009,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'PCI/6.5.1',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1042,23 +1042,23 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

142
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -59,7 +59,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@ -90,7 +90,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -123,7 +123,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -166,7 +166,7 @@ SecRule REQUEST_BASENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -192,7 +192,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -218,7 +218,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -242,7 +242,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -268,7 +268,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -294,7 +294,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -315,7 +315,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -336,7 +336,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -362,7 +362,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -388,7 +388,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -417,7 +417,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -443,7 +443,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -482,7 +482,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -523,7 +523,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@ -560,7 +560,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -589,7 +589,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -618,14 +618,14 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -658,7 +658,7 @@ SecRule ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)!=|&&|\|\||>[=>]|<(?:<|
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -699,7 +699,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\x0b\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.942130_matched_var_name=%{matched_var_name}',\
chain"
@ -735,7 +735,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\x0b\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.942131_matched_var_name=%{matched_var_name}',\
@ -772,7 +772,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -815,7 +815,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -844,7 +844,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -873,7 +873,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -899,7 +899,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -925,7 +925,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -951,7 +951,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -985,7 +985,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1014,7 +1014,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1039,7 +1039,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1069,7 +1069,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1101,7 +1101,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1127,7 +1127,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1153,7 +1153,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1179,7 +1179,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1210,7 +1210,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1239,7 +1239,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1268,7 +1268,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1309,7 +1309,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@ -1327,7 +1327,7 @@ SecRule ARGS_GET:fbclid "@rx [a-zA-Z0-9_-]{61,61}" \
nolog,\
tag:'OWASP_CRS',\
ctl:ruleRemoveTargetById=942440;ARGS:fbclid,\
ver:'OWASP_CRS/4.4.0'"
ver:'OWASP_CRS/4.5.0'"
#
# -=[ Exclusion rule for 942440 ]=-
@ -1342,7 +1342,7 @@ SecRule ARGS_GET:gclid "@rx [a-zA-Z0-9_-]{91,91}" \
nolog,\
tag:'OWASP_CRS',\
ctl:ruleRemoveTargetById=942440;ARGS:gclid,\
ver:'OWASP_CRS/4.4.0'"
ver:'OWASP_CRS/4.5.0'"
#
# -=[ Detect SQL Comment Sequences ]=-
@ -1396,7 +1396,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS "!@rx ^ey[\-0-9A-Z_a-z]+\.ey[\-0-9A-Z_a-z]+\.[\-0-9A-Z_a-z]+$" \
@ -1427,7 +1427,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1474,7 +1474,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1501,7 +1501,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1534,7 +1534,7 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.942521_matched_var_name=%{matched_var_name}',\
chain"
@ -1562,7 +1562,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ^.*?\x5c['\"`](?:.*?['\"`])?\s*(?:and|or)\b"
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1600,7 +1600,7 @@ SecRule REQUEST_BASENAME|REQUEST_FILENAME "@detectSQLi" \
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1632,7 +1632,7 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)\b(?:a(?:dd(
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1662,15 +1662,15 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)create[\s\x0
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
@ -1702,7 +1702,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -1726,7 +1726,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -1766,7 +1766,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@ -1795,7 +1795,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@ -1825,7 +1825,7 @@ SecRule ARGS "@rx \W{4}" \
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'WARNING',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}'"
@ -1873,7 +1873,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -1902,14 +1902,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
@ -1936,7 +1936,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@ -1965,7 +1965,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"

24
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -43,7 +43,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/21/593/61',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -64,7 +64,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/21/593/61',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.943110_matched_var_name=%{matched_var_name}',\
chain"
@ -91,7 +91,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/21/593/61',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.943120_matched_var_name=%{matched_var_name}',\
chain"
@ -102,24 +102,24 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

46
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -13,8 +13,8 @@
#
# Many rules check request bodies, use "SecRequestBodyAccess On" to enable it on main modsecurity configuration file.
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -46,7 +46,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -79,7 +79,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
chain"
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \
@ -104,7 +104,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
@ -136,7 +136,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -174,7 +174,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -222,14 +222,14 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -260,7 +260,7 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -292,7 +292,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -313,7 +313,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -334,7 +334,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -358,7 +358,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -383,14 +383,14 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
@ -417,14 +417,14 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
@ -453,7 +453,7 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"

58
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-949-BLOCKING-EVALUATION.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -24,7 +24,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
@ -34,7 +34,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
@ -44,7 +44,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
@ -54,7 +54,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
@ -64,7 +64,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
@ -74,7 +74,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
@ -84,7 +84,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
@ -94,7 +94,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
# at start of phase 2, we reset the aggregate scores to 0 to prevent duplicate counting of per-PL scores
@ -106,7 +106,7 @@ SecAction \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.blocking_inbound_anomaly_score=0'"
SecAction \
@ -116,7 +116,7 @@ SecAction \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.detection_inbound_anomaly_score=0'"
# Summing up the blocking and detection anomaly scores in phase 2
@ -128,7 +128,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
@ -138,7 +138,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
@ -148,7 +148,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
@ -158,7 +158,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
@ -168,7 +168,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
@ -178,7 +178,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
@ -188,7 +188,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
@ -198,7 +198,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
@ -217,7 +217,7 @@ SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_thresh
msg:'Inbound Anomaly Score Exceeded in phase 1 (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
tag:'anomaly-evaluation',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
chain"
SecRule TX:EARLY_BLOCKING "@eq 1"
@ -230,34 +230,34 @@ SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_thresh
msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
tag:'anomaly-evaluation',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0'"
ver:'OWASP_CRS/4.5.0'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

26
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-950-DATA-LEAKAGES.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -28,11 +28,11 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -56,7 +56,7 @@ SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Inde
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54/127',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -88,13 +88,13 @@ SecRule RESPONSE_BODY "@rx ^#\!\s?/" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -118,22 +118,22 @@ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
tag:'OWASP_CRS',\
tag:'capec/1000/152',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

54
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -19,11 +19,11 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -46,7 +46,7 @@ SecRule RESPONSE_BODY "!@pmFromFile sql-errors.data" \
tag:'attack-disclosure',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
skipAfter:END-SQL-ERROR-MATCH-PL1"
SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
@ -64,7 +64,7 @@ SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Micr
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -89,7 +89,7 @@ SecRule RESPONSE_BODY "@rx (?i)\bORA-[0-9][0-9][0-9][0-9][0-9]:|java\.sql\.SQLEx
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -109,7 +109,7 @@ SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -129,7 +129,7 @@ SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinit
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -149,7 +149,7 @@ SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -169,7 +169,7 @@ SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollba
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -189,7 +189,7 @@ SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -209,7 +209,7 @@ SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statem
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -229,7 +229,7 @@ SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -249,7 +249,7 @@ SecRule RESPONSE_BODY "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -269,7 +269,7 @@ SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -289,7 +289,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsof
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -314,7 +314,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -339,7 +339,7 @@ SecRule RESPONSE_BODY "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -359,7 +359,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/J
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -379,7 +379,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*S
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -387,24 +387,24 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*S
SecMarker "END-SQL-ERROR-MATCH-PL1"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

24
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -19,11 +19,11 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -47,7 +47,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -72,30 +72,30 @@ SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

28
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -19,11 +19,11 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -47,7 +47,7 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -72,7 +72,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -98,13 +98,13 @@ SecRule RESPONSE_BODY "@rx (?i)<\?(?:=|php)?\s+" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -131,21 +131,21 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors-pl2.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

28
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -19,11 +19,11 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -45,7 +45,7 @@ SecRule RESPONSE_BODY "@rx [a-z]:\x5cinetpub\b" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -66,7 +66,7 @@ SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:</font>
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -90,7 +90,7 @@ SecRule RESPONSE_BODY "@pmFromFile iis-errors.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -112,7 +112,7 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'ERROR',\
chain"
SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \
@ -122,24 +122,24 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

72
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-955-WEB-SHELLS.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. (not) All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -19,11 +19,11 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -44,7 +44,7 @@ SecRule RESPONSE_BODY "@pmFromFile web-shells-php.data" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -63,7 +63,7 @@ SecRule RESPONSE_BODY "@rx (<title>r57 Shell Version [0-9.]+</title>|<title>r57
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -82,7 +82,7 @@ SecRule RESPONSE_BODY "@rx ^<html><head><meta http-equiv='Content-Type' content=
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -101,7 +101,7 @@ SecRule RESPONSE_BODY "@rx B4TM4N SH3LL</title>.*<meta name='author' content='k4
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -120,7 +120,7 @@ SecRule RESPONSE_BODY "@rx <title>Mini Shell</title>.*Developed By LameHacker" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -139,7 +139,7 @@ SecRule RESPONSE_BODY "@rx <title>\.:: .* ~ Ashiyane V [0-9.]+ ::\.</title>" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -158,7 +158,7 @@ SecRule RESPONSE_BODY "@rx <title>Symlink_Sa [0-9.]+</title>" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -177,7 +177,7 @@ SecRule RESPONSE_BODY "@rx <title>CasuS [0-9.]+ by MafiABoY</title>" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -196,7 +196,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<title>GRP WebShell [0-9.]+ " \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -215,7 +215,7 @@ SecRule RESPONSE_BODY "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>\n$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -234,7 +234,7 @@ SecRule RESPONSE_BODY "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ - "
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -253,7 +253,7 @@ SecRule RESPONSE_BODY "@rx ^<!DOCTYPE html>\n<html>\n<!-- By Artyum .*<title>Web
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -272,7 +272,7 @@ SecRule RESPONSE_BODY "@rx <title>lama's'hell v. [0-9.]+</title>" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -291,7 +291,7 @@ SecRule RESPONSE_BODY "@rx ^ *<html>\n[ ]+<head>\n[ ]+<title>lostDC - " \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -310,7 +310,7 @@ SecRule RESPONSE_BODY "@rx ^<title>PHP Web Shell</title>\r\n<html>\r\n<body>\r\n
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -329,7 +329,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<div align=\"left\"><font size=\"1\"
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -350,7 +350,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<title>Ru24PostWebShell " \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -369,7 +369,7 @@ SecRule RESPONSE_BODY "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -388,7 +388,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<meta http-equiv=\"Content-Type\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -407,7 +407,7 @@ SecRule RESPONSE_BODY "@rx ^ <html>\n\n<head>\n\n<title>g00nshell v[0-9.]+ " \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -428,7 +428,7 @@ SecRule RESPONSE_BODY "@contains <title>punkholicshell</title>" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -447,7 +447,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\n <head>\n <title>azrail [0-
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -466,7 +466,7 @@ SecRule RESPONSE_BODY "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -485,7 +485,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<title>.*? ~ Shell I</title>\n<head>\n<style
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -504,14 +504,14 @@ SecRule RESPONSE_BODY "@rx ^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -532,20 +532,20 @@ SecRule RESPONSE_BODY "@contains <h1 style=\"margin-bottom: 0\">webadmin.php</h1
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

58
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-959-BLOCKING-EVALUATION.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -35,7 +35,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
@ -45,7 +45,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
@ -55,7 +55,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
@ -65,7 +65,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
@ -75,7 +75,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
@ -85,7 +85,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
@ -95,7 +95,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
@ -105,7 +105,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
# at start of phase 4, we reset the aggregate scores to 0 to prevent duplicate counting of per-PL scores
@ -117,7 +117,7 @@ SecAction \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.blocking_outbound_anomaly_score=0'"
SecAction \
@ -127,7 +127,7 @@ SecAction \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.detection_outbound_anomaly_score=0'"
SecMarker "EARLY_BLOCKING_ANOMALY_SCORING"
@ -141,7 +141,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
@ -151,7 +151,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
@ -161,7 +161,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
@ -171,7 +171,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
@ -181,7 +181,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
@ -191,7 +191,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
@ -201,7 +201,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
@ -211,7 +211,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
#
@ -227,7 +227,7 @@ SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_thre
msg:'Outbound Anomaly Score Exceeded in phase 3 (Total Score: %{tx.blocking_outbound_anomaly_score})',\
tag:'anomaly-evaluation',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
chain"
SecRule TX:EARLY_BLOCKING "@eq 1"
@ -240,34 +240,34 @@ SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_thre
msg:'Outbound Anomaly Score Exceeded (Total Score: %{tx.blocking_outbound_anomaly_score})',\
tag:'anomaly-evaluation',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0'"
ver:'OWASP_CRS/4.5.0'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

44
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-980-CORRELATION.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -28,7 +28,7 @@ SecAction \
nolog,\
noauditlog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
ver:'OWASP_CRS/4.5.0',\
setvar:'tx.blocking_anomaly_score=%{tx.blocking_inbound_anomaly_score}',\
setvar:'tx.blocking_anomaly_score=+%{tx.blocking_outbound_anomaly_score}',\
setvar:'tx.detection_anomaly_score=%{tx.detection_inbound_anomaly_score}',\
@ -41,33 +41,33 @@ SecAction \
#
# -= Reporting Level 0 =- (Skip over reporting when tx.reporting_level is 0)
SecRule TX:REPORTING_LEVEL "@eq 0" "id:980041,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REPORTING"
SecRule TX:REPORTING_LEVEL "@eq 0" "id:980041,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REPORTING"
# -= Reporting Level 5 =- (Jump to reporting rule immediately when tx.reporting_level is 5 or greater)
SecRule TX:REPORTING_LEVEL "@ge 5" "id:980042,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:LOG-REPORTING"
SecRule TX:REPORTING_LEVEL "@ge 5" "id:980042,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:LOG-REPORTING"
# -= Zero detection score =- (Skip over reporting when sum of inbound and outbound detection score is equal to 0)
SecRule TX:DETECTION_ANOMALY_SCORE "@eq 0" "id:980043,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REPORTING"
SecRule TX:DETECTION_ANOMALY_SCORE "@eq 0" "id:980043,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REPORTING"
# -= Blocking score exceeds threshold =- (Jump to reporting rule immediately if a blocking score exceeds a threshold)
SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980044,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:LOG-REPORTING"
SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980045,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:LOG-REPORTING"
SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980044,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:LOG-REPORTING"
SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980045,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:LOG-REPORTING"
# -= Reporting Level 2 =- (Skip over reporting when tx.reporting_level is less than 2)
SecRule TX:REPORTING_LEVEL "@lt 2" "id:980046,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REPORTING"
SecRule TX:REPORTING_LEVEL "@lt 2" "id:980046,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REPORTING"
# -= Detection score exceeds threshold =- (Jump to reporting rule immediately if a detection score exceeds a threshold)
SecRule TX:DETECTION_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980047,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:LOG-REPORTING"
SecRule TX:DETECTION_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980048,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:LOG-REPORTING"
SecRule TX:DETECTION_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980047,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:LOG-REPORTING"
SecRule TX:DETECTION_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980048,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:LOG-REPORTING"
# -= Reporting Level 3 =- (Skip over reporting when tx.reporting_level is less than 3)
SecRule TX:REPORTING_LEVEL "@lt 3" "id:980049,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REPORTING"
SecRule TX:REPORTING_LEVEL "@lt 3" "id:980049,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REPORTING"
# -= Blocking score greater than zero =- (Jump to reporting rule immediately when sum of inbound and outbound blocking score is greater than zero)
SecRule TX:BLOCKING_ANOMALY_SCORE "@gt 0" "id:980050,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:LOG-REPORTING"
SecRule TX:BLOCKING_ANOMALY_SCORE "@gt 0" "id:980050,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:LOG-REPORTING"
# -= Reporting Level 4 =- (Skip over reporting when tx.reporting_level is less than 4)
SecRule TX:REPORTING_LEVEL "@lt 4" "id:980051,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-REPORTING"
SecRule TX:REPORTING_LEVEL "@lt 4" "id:980051,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REPORTING"
# At this point, the reporting level is 4 and there's a non-zero detection
# score (already established by rule 980043) so fall through to the reporting
@ -95,37 +95,37 @@ SecAction \
(SQLI=%{tx.sql_injection_score}, XSS=%{tx.xss_score}, RFI=%{tx.rfi_score}, LFI=%{tx.lfi_score}, RCE=%{tx.rce_score}, PHPI=%{tx.php_injection_score}, HTTP=%{tx.http_violation_score}, SESS=%{tx.session_fixation_score}, COMBINED_SCORE=%{tx.anomaly_score})',\
tag:'reporting',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0'"
ver:'OWASP_CRS/4.5.0'"
SecMarker "END-REPORTING"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.4.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

2
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#

54
src/common/core/modsecurity/files/crs-setup-v4.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.4.0
# OWASP CRS ver.4.5.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -181,7 +181,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.blocking_paranoia_level=1"
@ -209,7 +209,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.detection_paranoia_level=1"
@ -235,7 +235,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.enforce_bodyproc_urlencoded=1"
@ -270,7 +270,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.critical_anomaly_score=5,\
# setvar:tx.error_anomaly_score=4,\
# setvar:tx.warning_anomaly_score=3,\
@ -324,7 +324,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.inbound_anomaly_score_threshold=5,\
# setvar:tx.outbound_anomaly_score_threshold=4"
@ -385,7 +385,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.reporting_level=4"
@ -417,7 +417,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.early_blocking=1"
@ -438,7 +438,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.enable_default_collections=1"
@ -466,7 +466,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
# Content-Types that a client is allowed to send in a request.
@ -496,7 +496,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# nolog,\
# tag:'OWASP_CRS',\
# ctl:ruleRemoveById=920420,\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# chain"
# SecRule REQUEST_URI "@rx ^/foo/bar" \
# "t:none"
@ -510,7 +510,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
# Allowed HTTP versions.
@ -526,7 +526,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
# Forbidden file extensions.
@ -550,7 +550,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
# Restricted request headers.
@ -595,7 +595,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
#
# [ Extended ]
@ -621,7 +621,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:'tx.restricted_headers_extended=/accept-charset/'"
# Content-Types charsets that a client is allowed to send in a request.
@ -635,7 +635,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
#
@ -661,7 +661,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.max_num_args=255"
# Block request if the length of any argument name is too high
@ -675,7 +675,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.arg_name_length=100"
# Block request if the length of any argument value is too high
@ -689,7 +689,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.arg_length=400"
# Block request if the total length of all combined arguments is too high
@ -703,7 +703,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.total_arg_length=64000"
# Block request if the file size of any individual uploaded file is too high
@ -717,7 +717,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.max_file_size=1048576"
# Block request if the total size of all combined uploaded files is too high
@ -731,7 +731,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.combined_file_sizes=1048576"
@ -771,7 +771,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.sampling_percentage=100"
@ -792,7 +792,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.4.0',\
# ver:'OWASP_CRS/4.5.0',\
# setvar:tx.crs_validate_utf8_encoding=1"
@ -814,5 +814,5 @@ SecAction \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.4.0',\
setvar:tx.crs_setup_version=440"
ver:'OWASP_CRS/4.5.0',\
setvar:tx.crs_setup_version=450"

4
src/common/core/modsecurity/misc/versions.json
View file

@ -9,9 +9,9 @@
},
{
"id": "coreruleset-v4",
"name": "Coreruleset v4.4.0",
"name": "Coreruleset v4.5.0",
"url": "https://github.com/coreruleset/coreruleset.git",
"commit": "b3bc1a2138922e43a00875b39f1b0e46a5da89c1",
"commit": "a6913506683b3972ce18940f32298711f217fa54",
"post_install": "rm -rf files/coreruleset-v4/tests && cp files/coreruleset-v4/crs-setup.conf.example files/crs-setup-v4.conf"
}
]