mirror of
https://github.com/bunkerity/bunkerweb
synced 2026-05-24 09:28:37 +00:00
Update coreruleset-v4 version to v4.7.0
This commit is contained in:
Théophile Diot
parent
e2d5247592
commit
970874e983
40 changed files with 797 additions and 713 deletions
|
|
@ -23,6 +23,7 @@
|
|||
- [DOCS] Updated docs for all new features and changes
|
||||
- [MISC] Review security headers in the `headers` plugin to improve security
|
||||
- [MISC] Updated context of `realip`'s `USE_PROXY_PROTOCOL` setting to `global` as it was always applied globally even if set only on a service
|
||||
- [DEPS] Updated coreruleset-v4 version to v4.7.0
|
||||
|
||||
## v1.5.9 - 2024/07/22
|
||||
|
||||
|
|
|
|||
|
|
@ -261,7 +261,7 @@ ModSecurity is integrated and enabled by default alongside the OWASP Core Rule S
|
|||
You can choose between the following versions of the OWASP Core Rule Set :
|
||||
|
||||
- **3** : The version [v3.3.6](https://github.com/coreruleset/coreruleset/releases/tag/v3.3.6) of the OWASP Core Rule Set
|
||||
- **4** : The version [v4.6.0](https://github.com/coreruleset/coreruleset/releases/tag/v4.6.0) of the OWASP Core Rule Set (***default***)
|
||||
- **4** : The version [v4.7.0](https://github.com/coreruleset/coreruleset/releases/tag/v4.7.0) of the OWASP Core Rule Set (***default***)
|
||||
- **nightly** : The latest [nightly](https://github.com/coreruleset/coreruleset/releases/tag/nightly) build of the OWASP Core Rule Set which is updated every day
|
||||
|
||||
!!! example "OWASP Core Rule Set's nightly build"
|
||||
|
|
|
|||
|
|
@ -43,13 +43,44 @@ jobs:
|
|||
run: |
|
||||
git remote add upstream https://github.com/coreruleset/coreruleset
|
||||
git fetch --tags upstream
|
||||
|
||||
git fetch upstream main
|
||||
echo ${{ github.base_ref }}
|
||||
if [ -n "${{ github.base_ref }}" ]; then
|
||||
git fetch upstream "${{ github.base_ref }}"
|
||||
fi
|
||||
|
||||
- name: "Check CRS formatting"
|
||||
run: |
|
||||
pip install --upgrade setuptools
|
||||
pip install -r ./util/crs-rules-check/requirements.txt
|
||||
./util/crs-rules-check/rules-check.py --output=github -r crs-setup.conf.example -r rules/*.conf -t util/APPROVED_TAGS
|
||||
# Use the target branch to look up the latest tag, e.g., `v3.3/master`, fall back
|
||||
# to main branch.
|
||||
# The version is either a tag, if the current commit is tagged, or a string of the form
|
||||
# v<major>.<minor>.<patch>-<nr of commits>-g<hash>.
|
||||
# In the former case we simply use that as the version, in the latter we construct
|
||||
# v<major>.<minor + 1>.<patch>-dev.
|
||||
if [ -z "${{ github.base_ref }}" ]; then
|
||||
# e.g., force push
|
||||
version="$(git describe --tags --match "v*.*.*")"
|
||||
else
|
||||
version="$(git describe --tags --match "v*.*.*" "upstream/${{ github.base_ref }}")"
|
||||
fi
|
||||
version="$(cut -dv -f2 <<<"${version}")"
|
||||
echo "Detected version ${version}"
|
||||
if $(grep -q -- "-g" <<<"${version}"); then
|
||||
prefix="$(cut -d. -f1 <<<"${version}")"
|
||||
minor="$(cut -d. -f2 <<<"${version}")"
|
||||
suffix="$(cut -d. -f3 <<<"${version}")"
|
||||
version="${prefix}.$((minor + 1)).${suffix}"
|
||||
version="${version/-*-g*/}-dev"
|
||||
fi
|
||||
#echo "Required version for check: ${version}"
|
||||
#./util/crs-rules-check/rules-check.py \
|
||||
# --output=github \
|
||||
# -r crs-setup.conf.example \
|
||||
# -r rules/*.conf \
|
||||
# -t util/APPROVED_TAGS \
|
||||
# "-v ${version}"
|
||||
|
||||
- name: "Find rules without test"
|
||||
run: |
|
||||
|
|
|
|||
|
|
@ -5,8 +5,56 @@
|
|||
or the CRS Google Group at
|
||||
* https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project
|
||||
|
||||
## Nightly builds
|
||||
New changelog entries are written to `.changes-pending.md`. They will be moved to the main changelog before a release.
|
||||
## Version 4.7.0 - 2024-09-23
|
||||
|
||||
### 🆕 New features and detections 🎉
|
||||
* feat: added sendgrid.env into restricted files by @azurit in https://github.com/coreruleset/coreruleset/pull/3823
|
||||
### 🧰 Other Changes
|
||||
* fix: Changed regex (920470) to match multiple whitespaces after `Content-Type` parameters to avoid false-positives by @lostmann-owl-it in https://github.com/coreruleset/coreruleset/pull/3818
|
||||
* fix: fp with user-agent containing ; pg (932239 PL2) by @franbuehler in https://github.com/coreruleset/coreruleset/pull/3727
|
||||
* fix: update xss detection with onwebkitplaybacktargetavailabilitychanged event by @fzipi in https://github.com/coreruleset/coreruleset/pull/3822
|
||||
* feat: refactoring (944110 PL1) by @azurit in https://github.com/coreruleset/coreruleset/pull/3715
|
||||
|
||||
## New Contributors
|
||||
* @lostmann-owl-it made their first contribution in https://github.com/coreruleset/coreruleset/pull/3818
|
||||
|
||||
**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.6.0...v4.7.0
|
||||
|
||||
## Version 4.6.0 - 2024-08-27
|
||||
|
||||
### ⭐ Important changes
|
||||
* fix: prevent using backslash in file names by @fzipi in https://github.com/coreruleset/coreruleset/pull/3799
|
||||
* feat: add new rule to catch invalid character in multipart headers by @airween, @theseion, @fzipi in https://github.com/coreruleset/coreruleset/pull/3796
|
||||
|
||||
Big thanks tu @luelueking for reporting us these two ☝️ .
|
||||
|
||||
### 🧰 Other Changes
|
||||
* feat: rule to detect bash tilde expansion by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/3765
|
||||
* fix: Update 932270's `ver` by @airween in https://github.com/coreruleset/coreruleset/pull/3786
|
||||
* perf: remove unnecessary chain rule and capture (921180 PL3) by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/3787
|
||||
* fix: add pem to restricted file extensions by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/3789
|
||||
* fix(942160): check REQUEST_FILENAME by @mat1010 in https://github.com/coreruleset/coreruleset/pull/3782
|
||||
|
||||
## New Contributors
|
||||
* @mat1010 made their first contribution in https://github.com/coreruleset/coreruleset/pull/3782
|
||||
|
||||
**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.5.0...v4.6.0
|
||||
|
||||
## Version 4.5.0 - 2024-07-23
|
||||
|
||||
### 🆕 New features and detections 🎉
|
||||
* feat: added arithmetic expansion payload by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/3756
|
||||
### 🧰 Other Changes
|
||||
* fix(security): alias false negative by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/3740
|
||||
* feat: add test overrides for nginx by @theseion in https://github.com/coreruleset/coreruleset/pull/3369
|
||||
* fix: use proper capture for log output of 932300 by @theseion in https://github.com/coreruleset/coreruleset/pull/3763
|
||||
* chore: use lowercase character class for 932320 by @theseion in https://github.com/coreruleset/coreruleset/pull/3772
|
||||
* fix: remove nonnecessary variable (932260 PL1) by @dune73 in https://github.com/coreruleset/coreruleset/pull/3773
|
||||
|
||||
## New Contributors
|
||||
* @aryehb made their first contribution in https://github.com/coreruleset/coreruleset/pull/3755
|
||||
|
||||
**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.4.0...v4.5.0
|
||||
|
||||
## Version 4.4.0 - 2024-06-23
|
||||
|
||||
|
|
|
|||
|
|
@ -80,6 +80,7 @@
|
|||
- [na1ex](https://github.com/na1ex)
|
||||
- [Jose Nazario](https://github.com/paralax)
|
||||
- [Scott O'Neil](https://github.com/cPanelScott)
|
||||
- [Lucas Ostmann](https://github.com/lostmann-owl-it)
|
||||
- [NiceYouKnow](https://github.com/NiceYouKnow)
|
||||
- [nobletrout](https://github.com/nobletrout)
|
||||
- [Fernando Outeda](https://github.com/fog94)
|
||||
|
|
|
|||
|
|
@ -11,8 +11,9 @@ Along those lines, OWASP CRS team may not issue security notifications for unsup
|
|||
|
||||
| Version | Supported |
|
||||
| --------- | ------------------ |
|
||||
| 4.6.x | :white_check_mark: |
|
||||
| 4.5.x | :white_check_mark: |
|
||||
| 4.4.x | :white_check_mark: |
|
||||
| 4.4.x | :x: |
|
||||
| 4.3.x | :x: |
|
||||
| 4.2.x | :x: |
|
||||
| 4.1.x | :x: |
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -181,7 +181,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.blocking_paranoia_level=1"
|
||||
|
||||
|
||||
|
|
@ -209,7 +209,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.detection_paranoia_level=1"
|
||||
|
||||
|
||||
|
|
@ -235,7 +235,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.enforce_bodyproc_urlencoded=1"
|
||||
|
||||
|
||||
|
|
@ -270,7 +270,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.critical_anomaly_score=5,\
|
||||
# setvar:tx.error_anomaly_score=4,\
|
||||
# setvar:tx.warning_anomaly_score=3,\
|
||||
|
|
@ -324,7 +324,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.inbound_anomaly_score_threshold=5,\
|
||||
# setvar:tx.outbound_anomaly_score_threshold=4"
|
||||
|
||||
|
|
@ -385,7 +385,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.reporting_level=4"
|
||||
|
||||
|
||||
|
|
@ -417,7 +417,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.early_blocking=1"
|
||||
|
||||
|
||||
|
|
@ -438,7 +438,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.enable_default_collections=1"
|
||||
|
||||
|
||||
|
|
@ -466,7 +466,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
|
||||
|
||||
# Content-Types that a client is allowed to send in a request.
|
||||
|
|
@ -496,7 +496,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ctl:ruleRemoveById=920420,\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# chain"
|
||||
# SecRule REQUEST_URI "@rx ^/foo/bar" \
|
||||
# "t:none"
|
||||
|
|
@ -510,7 +510,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
|
||||
|
||||
# Allowed HTTP versions.
|
||||
|
|
@ -526,7 +526,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
|
||||
|
||||
# Forbidden file extensions.
|
||||
|
|
@ -550,7 +550,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pem/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
|
||||
|
||||
# Restricted request headers.
|
||||
|
|
@ -595,7 +595,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
|
||||
#
|
||||
# [ Extended ]
|
||||
|
|
@ -621,7 +621,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:'tx.restricted_headers_extended=/accept-charset/'"
|
||||
|
||||
# Content-Types charsets that a client is allowed to send in a request.
|
||||
|
|
@ -635,7 +635,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
|
||||
|
||||
#
|
||||
|
|
@ -661,7 +661,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.max_num_args=255"
|
||||
|
||||
# Block request if the length of any argument name is too high
|
||||
|
|
@ -675,7 +675,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.arg_name_length=100"
|
||||
|
||||
# Block request if the length of any argument value is too high
|
||||
|
|
@ -689,7 +689,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.arg_length=400"
|
||||
|
||||
# Block request if the total length of all combined arguments is too high
|
||||
|
|
@ -703,7 +703,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.total_arg_length=64000"
|
||||
|
||||
# Block request if the file size of any individual uploaded file is too high
|
||||
|
|
@ -717,7 +717,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.max_file_size=1048576"
|
||||
|
||||
# Block request if the total size of all combined uploaded files is too high
|
||||
|
|
@ -731,7 +731,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.combined_file_sizes=1048576"
|
||||
|
||||
|
||||
|
|
@ -771,7 +771,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# pass,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.sampling_percentage=100"
|
||||
|
||||
|
||||
|
|
@ -792,7 +792,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.crs_validate_utf8_encoding=1"
|
||||
|
||||
|
||||
|
|
@ -814,5 +814,5 @@ SecAction \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
setvar:tx.crs_setup_version=460"
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:tx.crs_setup_version=470"
|
||||
|
|
|
|||
|
|
@ -365,6 +365,7 @@
|
|||
onwebkitanimationend
|
||||
onwebkitanimationiteration
|
||||
onwebkitanimationstart
|
||||
onwebkitplaybacktargetavailabilitychanged
|
||||
onwebkittransitionend
|
||||
onwheel
|
||||
onzoom
|
||||
|
|
|
|||
|
|
@ -147,7 +147,7 @@ od@
|
|||
pax@
|
||||
pdb
|
||||
pf@
|
||||
pg
|
||||
pg@
|
||||
php@
|
||||
pic@
|
||||
pip~
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -26,7 +26,7 @@
|
|||
#
|
||||
# Ref: https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#seccomponentsignature
|
||||
#
|
||||
SecComponentSignature "OWASP_CRS/4.6.0"
|
||||
SecComponentSignature "OWASP_CRS/4.7.0"
|
||||
|
||||
#
|
||||
# -=[ Default setup values ]=-
|
||||
|
|
@ -60,7 +60,7 @@ SecRule &TX:crs_setup_version "@eq 0" \
|
|||
auditlog,\
|
||||
msg:'ModSecurity CRS is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL'"
|
||||
|
||||
|
||||
|
|
@ -79,7 +79,7 @@ SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.inbound_anomaly_score_threshold=5'"
|
||||
|
||||
# Default Outbound Anomaly Threshold Level (rule 900110 in crs-setup.conf)
|
||||
|
|
@ -89,7 +89,7 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.outbound_anomaly_score_threshold=4'"
|
||||
|
||||
# Default Reporting Level (rule 900115 in crs-setup.conf)
|
||||
|
|
@ -99,7 +99,7 @@ SecRule &TX:reporting_level "@eq 0" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.reporting_level=4'"
|
||||
|
||||
# Default Early Blocking (rule 900120 in crs-setup.conf)
|
||||
|
|
@ -109,7 +109,7 @@ SecRule &TX:early_blocking "@eq 0" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.early_blocking=0'"
|
||||
|
||||
# Default Blocking Paranoia Level (rule 900000 in crs-setup.conf)
|
||||
|
|
@ -119,7 +119,7 @@ SecRule &TX:blocking_paranoia_level "@eq 0" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.blocking_paranoia_level=1'"
|
||||
|
||||
# Default Detection Paranoia Level (rule 900001 in crs-setup.conf)
|
||||
|
|
@ -129,7 +129,7 @@ SecRule &TX:detection_paranoia_level "@eq 0" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.detection_paranoia_level=%{TX.blocking_paranoia_level}'"
|
||||
|
||||
# Default Sampling Percentage (rule 900400 in crs-setup.conf)
|
||||
|
|
@ -139,7 +139,7 @@ SecRule &TX:sampling_percentage "@eq 0" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.sampling_percentage=100'"
|
||||
|
||||
# Default Anomaly Scores (rule 900100 in crs-setup.conf)
|
||||
|
|
@ -149,7 +149,7 @@ SecRule &TX:critical_anomaly_score "@eq 0" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.critical_anomaly_score=5'"
|
||||
|
||||
SecRule &TX:error_anomaly_score "@eq 0" \
|
||||
|
|
@ -158,7 +158,7 @@ SecRule &TX:error_anomaly_score "@eq 0" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.error_anomaly_score=4'"
|
||||
|
||||
SecRule &TX:warning_anomaly_score "@eq 0" \
|
||||
|
|
@ -167,7 +167,7 @@ SecRule &TX:warning_anomaly_score "@eq 0" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.warning_anomaly_score=3'"
|
||||
|
||||
SecRule &TX:notice_anomaly_score "@eq 0" \
|
||||
|
|
@ -176,7 +176,7 @@ SecRule &TX:notice_anomaly_score "@eq 0" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.notice_anomaly_score=2'"
|
||||
|
||||
# Default HTTP policy: allowed_methods (rule 900200 in crs-setup.conf)
|
||||
|
|
@ -186,7 +186,7 @@ SecRule &TX:allowed_methods "@eq 0" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
|
||||
|
||||
# Default HTTP policy: allowed_request_content_type (rule 900220 in crs-setup.conf)
|
||||
|
|
@ -196,7 +196,7 @@ SecRule &TX:allowed_request_content_type "@eq 0" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
|
||||
|
||||
# Default HTTP policy: allowed_request_content_type_charset (rule 900280 in crs-setup.conf)
|
||||
|
|
@ -206,7 +206,7 @@ SecRule &TX:allowed_request_content_type_charset "@eq 0" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
|
||||
|
||||
# Default HTTP policy: allowed_http_versions (rule 900230 in crs-setup.conf)
|
||||
|
|
@ -216,7 +216,7 @@ SecRule &TX:allowed_http_versions "@eq 0" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
|
||||
|
||||
# Default HTTP policy: restricted_extensions (rule 900240 in crs-setup.conf)
|
||||
|
|
@ -226,7 +226,7 @@ SecRule &TX:restricted_extensions "@eq 0" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pem/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
|
||||
|
||||
# Default HTTP policy: restricted_headers_basic (rule 900250 in crs-setup.conf)
|
||||
|
|
@ -236,7 +236,7 @@ SecRule &TX:restricted_headers_basic "@eq 0" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
|
||||
|
||||
# Default HTTP policy: restricted_headers_extended (rule 900255 in crs-setup.conf)
|
||||
|
|
@ -246,7 +246,7 @@ SecRule &TX:restricted_headers_extended "@eq 0" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.restricted_headers_extended=/accept-charset/'"
|
||||
|
||||
# Default enforcing of body processor URLENCODED (rule 900010 in crs-setup.conf)
|
||||
|
|
@ -256,7 +256,7 @@ SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.enforce_bodyproc_urlencoded=0'"
|
||||
|
||||
# Default check for UTF8 encoding validation (rule 900950 in crs-setup.conf)
|
||||
|
|
@ -266,7 +266,7 @@ SecRule &TX:crs_validate_utf8_encoding "@eq 0" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.crs_validate_utf8_encoding=0'"
|
||||
|
||||
#
|
||||
|
|
@ -284,7 +284,7 @@ SecAction \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.blocking_inbound_anomaly_score=0',\
|
||||
setvar:'tx.detection_inbound_anomaly_score=0',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=0',\
|
||||
|
|
@ -326,7 +326,7 @@ SecRule TX:ENABLE_DEFAULT_COLLECTIONS "@eq 1" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.ua_hash=%{REQUEST_HEADERS.User-Agent}',\
|
||||
chain"
|
||||
SecRule TX:ua_hash "@unconditionalMatch" \
|
||||
|
|
@ -350,7 +350,7 @@ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
|
|||
msg:'Enabling body inspection',\
|
||||
tag:'OWASP_CRS',\
|
||||
ctl:forceRequestBodyVariable=On,\
|
||||
ver:'OWASP_CRS/4.6.0'"
|
||||
ver:'OWASP_CRS/4.7.0'"
|
||||
|
||||
# Force body processor URLENCODED
|
||||
SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
|
||||
|
|
@ -362,7 +362,7 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
|
|||
noauditlog,\
|
||||
msg:'Enabling forced body inspection for ASCII content',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
chain"
|
||||
SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
|
||||
"ctl:requestBodyProcessor=URLENCODED"
|
||||
|
|
@ -402,7 +402,7 @@ SecRule TX:sampling_percentage "@eq 100" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
skipAfter:END-SAMPLING"
|
||||
|
||||
SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
|
||||
|
|
@ -413,7 +413,7 @@ SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
|
|||
t:sha1,t:hexEncode,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'"
|
||||
|
||||
#
|
||||
|
|
@ -438,7 +438,7 @@ SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
|
|||
msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\
|
||||
tag:'OWASP_CRS',\
|
||||
ctl:ruleRemoveByTag=OWASP_CRS,\
|
||||
ver:'OWASP_CRS/4.6.0'"
|
||||
ver:'OWASP_CRS/4.7.0'"
|
||||
|
||||
SecMarker "END-SAMPLING"
|
||||
|
||||
|
|
@ -457,4 +457,4 @@ SecRule TX:detection_paranoia_level "@lt %{tx.blocking_paranoia_level}" \
|
|||
log,\
|
||||
msg:'Detection paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0'"
|
||||
ver:'OWASP_CRS/4.7.0'"
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -25,7 +25,7 @@ SecRule REQUEST_LINE "@streq GET /" \
|
|||
tag:'platform-apache',\
|
||||
tag:'attack-generic',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
chain"
|
||||
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
|
||||
"t:none,\
|
||||
|
|
@ -46,7 +46,7 @@ SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
|
|||
tag:'platform-apache',\
|
||||
tag:'attack-generic',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \
|
||||
"t:none,\
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -14,8 +14,8 @@
|
|||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
|
@ -39,31 +39,31 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/274',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -14,8 +14,8 @@
|
|||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
|
@ -51,29 +51,29 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/224/541/310',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -23,8 +23,8 @@
|
|||
#
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
|
@ -64,7 +64,7 @@ SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\x0b#]*)?(?:#[^\s\x0b]*)
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
|
||||
|
||||
|
|
@ -119,7 +119,7 @@ SecRule FILES|FILES_NAMES "!@rx (?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[a
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -148,7 +148,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -182,7 +182,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \
|
||||
|
|
@ -207,7 +207,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
|
||||
|
|
@ -247,7 +247,7 @@ SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule REQUEST_METHOD "@streq POST" \
|
||||
|
|
@ -277,7 +277,7 @@ SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule &REQUEST_HEADERS:Content-Length "!@eq 0" \
|
||||
|
|
@ -315,7 +315,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule TX:2 "@lt %{tx.1}" \
|
||||
|
|
@ -347,7 +347,7 @@ SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
|
||||
|
||||
|
|
@ -388,7 +388,7 @@ SecRule REQUEST_URI_RAW "@rx \x25" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/267/72',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule REQUEST_URI_RAW "@rx ^(.*)/(?:[^\?]+)?(\?.*)?$" \
|
||||
|
|
@ -422,7 +422,7 @@ SecRule REQUEST_BASENAME "!@rx ^.*%.*\.[^\s\x0b\.]+$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/267/72',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule TX:0 "@validateUrlEncoding" \
|
||||
|
|
@ -453,7 +453,7 @@ SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/267',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \
|
||||
|
|
@ -497,7 +497,7 @@ SecRule REQUEST_URI|REQUEST_BODY "@rx (?i)%uff[0-9a-f]{2}" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/267/72',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
|
||||
|
||||
|
|
@ -553,7 +553,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -585,7 +585,7 @@ SecRule &REQUEST_HEADERS:Host "@eq 0" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
|
||||
skipAfter:END-HOST-CHECK"
|
||||
|
|
@ -604,7 +604,7 @@ SecRule REQUEST_HEADERS:Host "@rx ^$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -644,7 +644,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'NOTICE',\
|
||||
chain"
|
||||
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
|
||||
|
|
@ -669,7 +669,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'NOTICE',\
|
||||
chain"
|
||||
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
|
||||
|
|
@ -702,7 +702,7 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'NOTICE',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
|
||||
|
||||
|
|
@ -739,7 +739,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'NOTICE',\
|
||||
chain"
|
||||
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
|
||||
|
|
@ -784,7 +784,7 @@ SecRule REQUEST_HEADERS:Host "@rx (?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
|
||||
|
||||
|
|
@ -816,7 +816,7 @@ SecRule &TX:MAX_NUM_ARGS "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule &ARGS "@gt %{tx.max_num_args}" \
|
||||
|
|
@ -841,7 +841,7 @@ SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" \
|
||||
|
|
@ -868,7 +868,7 @@ SecRule &TX:ARG_LENGTH "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule ARGS "@gt %{tx.arg_length}" \
|
||||
|
|
@ -892,7 +892,7 @@ SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" \
|
||||
|
|
@ -917,7 +917,7 @@ SecRule &TX:MAX_FILE_SIZE "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
|
||||
|
|
@ -943,7 +943,7 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \
|
||||
|
|
@ -968,7 +968,7 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
|
|||
# - application/soap+xml; charset=utf-8; action="urn:localhost-hwh#getQuestions"
|
||||
# - application/*+json
|
||||
|
||||
SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+*-]+(?:\s?;\s?(?:action|boundary|charset|component|start(?:-info)?|type|version)\s?=\s?['\"\w.()+,/:=?<>@#*-]+)*$" \
|
||||
SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+*-]+(?:\s?;\s*(?:action|boundary|charset|component|start(?:-info)?|type|version)\s?=\s?['\"\w.()+,/:=?<>@#*-]+)*$" \
|
||||
"id:920470,\
|
||||
phase:1,\
|
||||
block,\
|
||||
|
|
@ -983,7 +983,7 @@ SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+*-]+(?:\s?;\s?(?:action|bounda
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -1006,7 +1006,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.content_type=|%{tx.0}|',\
|
||||
chain"
|
||||
|
|
@ -1034,7 +1034,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.content_type_charset=|%{tx.1}|',\
|
||||
chain"
|
||||
|
|
@ -1061,7 +1061,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -1083,7 +1083,7 @@ SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -1106,7 +1106,7 @@ SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.extension=.%{tx.1}/',\
|
||||
chain"
|
||||
|
|
@ -1133,7 +1133,7 @@ SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -1187,7 +1187,7 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.header_name_920450_%{tx.0}=/%{tx.0}/',\
|
||||
chain"
|
||||
|
|
@ -1221,7 +1221,7 @@ SecRule REQUEST_HEADERS:Accept-Encoding "@gt 100" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -1253,7 +1253,7 @@ SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*
|
|||
tag:'attack-protocol',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -1276,7 +1276,7 @@ SecRule REQBODY_PROCESSOR "!@streq JSON" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/267/72',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?i)\x5cu[0-9a-f]{4}" \
|
||||
|
|
@ -1300,7 +1300,7 @@ SecRule REQUEST_URI_RAW "@contains #" \
|
|||
tag:'attack-protocol',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -1332,13 +1332,13 @@ SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \
|
|||
tag:'attack-protocol',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
|
@ -1377,7 +1377,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d
|
|||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule REQUEST_BASENAME "!@endsWith .pdf" \
|
||||
|
|
@ -1401,7 +1401,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
|
|||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \
|
||||
|
|
@ -1422,7 +1422,7 @@ SecRule ARGS "@rx %[0-9a-fA-F]{2}" \
|
|||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/267/120',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
|
||||
|
||||
|
|
@ -1444,7 +1444,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,
|
|||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -1471,7 +1471,7 @@ SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'NOTICE',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.notice_anomaly_score}'"
|
||||
|
||||
|
|
@ -1493,7 +1493,7 @@ SecRule FILES_NAMES|FILES "@rx ['\";=\x5c]" \
|
|||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -1518,7 +1518,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
|
|||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
|
||||
|
|
@ -1545,7 +1545,7 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.header_name_920451_%{tx.0}=/%{tx.0}/',\
|
||||
chain"
|
||||
|
|
@ -1572,7 +1572,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded
|
|||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/267/72',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule REQUEST_BODY "@rx \x25" \
|
||||
|
|
@ -1580,8 +1580,8 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded
|
|||
SecRule REQUEST_BODY "@validateUrlEncoding" \
|
||||
"setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
|
@ -1606,7 +1606,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteR
|
|||
tag:'paranoia-level/3',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -1640,7 +1640,7 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'NOTICE',\
|
||||
chain"
|
||||
SecRule REQUEST_METHOD "!@rx ^(?:OPTIONS|CONNECT)$" \
|
||||
|
|
@ -1673,7 +1673,7 @@ SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \
|
|||
tag:'paranoia-level/3',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \
|
||||
|
|
@ -1726,7 +1726,7 @@ SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \
|
|||
tag:'paranoia-level/3',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:\s*\,\s*|$)){1,7}$" \
|
||||
|
|
@ -1757,12 +1757,12 @@ SecRule REQUEST_HEADERS:Accept-Encoding "!@rx br|compress|deflate|(?:pack200-)?g
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
|
@ -1785,7 +1785,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
|
|||
tag:'paranoia-level/4',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
|
||||
|
|
@ -1812,7 +1812,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90
|
|||
tag:'paranoia-level/4',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -1833,7 +1833,7 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE
|
|||
tag:'paranoia-level/4',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -1859,7 +1859,7 @@ SecRule REQUEST_HEADERS:Sec-Fetch-User|REQUEST_HEADERS:Sec-CH-UA-Mobile "!@rx ^(
|
|||
tag:'paranoia-level/4',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -1903,7 +1903,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\x5c])\x5c[cdegh
|
|||
tag:'paranoia-level/4',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/153/267',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -14,8 +14,8 @@
|
|||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
|
@ -46,7 +46,7 @@ SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connec
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/33',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -78,7 +78,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/34',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -99,7 +99,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/34',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -133,7 +133,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/273',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -161,7 +161,7 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/33',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -182,7 +182,7 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/33',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -208,7 +208,7 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/34',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -241,7 +241,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/136',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -274,7 +274,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?(?:applicati
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -300,13 +300,13 @@ SecRule REQUEST_URI "@rx unix:[^|]*\|" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/33',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
|
@ -333,7 +333,7 @@ SecRule ARGS_GET "@rx [\n\r]" \
|
|||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/33',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -369,13 +369,13 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?\b(?:((?:tex
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
|
@ -405,7 +405,7 @@ SecRule &REQUEST_HEADERS:Range "@gt 0" \
|
|||
tag:'paranoia-level/3',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -439,7 +439,7 @@ SecRule ARGS_NAMES "@rx ." \
|
|||
tag:'attack-protocol',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/137/15/460',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
|
||||
|
||||
SecRule TX:/paramcounter_.*/ "@gt 1" \
|
||||
|
|
@ -455,7 +455,7 @@ SecRule TX:/paramcounter_.*/ "@gt 1" \
|
|||
tag:'paranoia-level/3',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/137/15/460',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -497,15 +497,15 @@ SecRule ARGS_NAMES "@rx (][^\]]+$|][^\]]+\[)" \
|
|||
tag:'paranoia-level/3',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/137/15/460',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
|
@ -545,7 +545,7 @@ SecRule ARGS_NAMES "@rx \[" \
|
|||
tag:'paranoia-level/4',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/137/15/460',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -38,7 +38,7 @@ SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.922100_charset=|%{ARGS._charset_}|',\
|
||||
chain"
|
||||
|
|
@ -69,7 +69,7 @@ SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*:\s*(.*)$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/272/220',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule TX:1 "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*(?:[\s\x0b]*,[\s\x0b]*(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*)*$" \
|
||||
|
|
@ -92,7 +92,7 @@ SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/272/220',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -115,6 +115,6 @@ SecRule MULTIPART_PART_HEADERS "@rx [^\x21-\x7E][\x21-\x39\x3B-\x7E]*:" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/272/220',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -14,8 +14,8 @@
|
|||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
|
@ -47,7 +47,7 @@ SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/126',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -79,7 +79,7 @@ SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/126',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
multiMatch,\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
|
|
@ -110,7 +110,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/126',\
|
||||
tag:'PCI/6.5.4',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -137,15 +137,15 @@ SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/126',\
|
||||
tag:'PCI/6.5.4',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
|
@ -175,22 +175,22 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@pmFromFile lfi-os-f
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/126',\
|
||||
tag:'PCI/6.5.4',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -17,8 +17,8 @@
|
|||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
|
@ -49,7 +49,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?)://(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/175/253',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -69,7 +69,7 @@ SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_abso
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/175/253',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -89,15 +89,15 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/175/253',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
|
@ -128,7 +128,7 @@ SecRule ARGS "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|it
|
|||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/175/253',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
|
||||
chain"
|
||||
|
|
@ -158,7 +158,7 @@ SecRule REQUEST_FILENAME "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b
|
|||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/175/253',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
|
||||
chain"
|
||||
|
|
@ -167,16 +167,16 @@ SecRule REQUEST_FILENAME "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b
|
|||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
|
|
|||
File diff suppressed because one or more lines are too long
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -14,8 +14,8 @@
|
|||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
|
@ -59,7 +59,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -100,7 +100,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -124,7 +124,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.933120_matched_var=%{MATCHED_VAR}',\
|
||||
setvar:'tx.933120_matched_var_name=%{MATCHED_VAR_NAME}',\
|
||||
|
|
@ -155,7 +155,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -191,7 +191,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -227,7 +227,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -294,7 +294,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -346,7 +346,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -401,7 +401,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -456,7 +456,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -503,13 +503,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
|
@ -546,7 +546,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.933151_matched_var=%{MATCHED_VAR}',\
|
||||
setvar:'tx.933151_matched_var_name=%{MATCHED_VAR_NAME}',\
|
||||
|
|
@ -561,8 +561,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
|
@ -604,7 +604,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/3',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -648,7 +648,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'paranoia-level/3',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -690,7 +690,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
|
|||
tag:'paranoia-level/3',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -719,7 +719,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/3',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -754,14 +754,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'paranoia-level/3',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -14,8 +14,8 @@
|
|||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
|
@ -65,7 +65,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
multiMatch,\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
|
|
@ -100,7 +100,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/664',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -135,7 +135,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1/180/77',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
multiMatch,\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
|
|
@ -167,7 +167,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -198,7 +198,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
multiMatch,\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
|
|
@ -228,13 +228,13 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
|
@ -256,7 +256,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
|
|||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
multiMatch,\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
|
|
@ -308,7 +308,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/664',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -340,20 +340,20 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -14,8 +14,8 @@
|
|||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
|
@ -62,7 +62,7 @@ SecRule REQUEST_FILENAME "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-12
|
|||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ctl:ruleRemoveTargetByTag=xss-perf-disable;REQUEST_FILENAME,\
|
||||
ver:'OWASP_CRS/4.6.0'"
|
||||
ver:'OWASP_CRS/4.7.0'"
|
||||
|
||||
|
||||
#
|
||||
|
|
@ -94,7 +94,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -121,7 +121,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -151,7 +151,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -180,7 +180,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -197,7 +197,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
|
||||
# crs-toolchain regex update 941160
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^\s\x0b\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?g|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[\s\x0b/]|[\"'](?:.*[\s\x0b/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|transitionend)|heel)|zoom)|ping|s(?:rc|tyle))[\x08-\n\f\r ]*?=" \
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^\s\x0b\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?g|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[\s\x0b/]|[\"'](?:.*[\s\x0b/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|(?:playbacktargetavailabilitychange|transitionen)d)|heel)|zoom)|ping|s(?:rc|tyle))[\x08-\n\f\r ]*?=" \
|
||||
"id:941160,\
|
||||
phase:2,\
|
||||
block,\
|
||||
|
|
@ -213,7 +213,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -238,7 +238,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -265,7 +265,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -292,7 +292,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -314,7 +314,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -336,7 +336,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -358,7 +358,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -380,7 +380,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -402,7 +402,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -424,7 +424,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -446,7 +446,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -468,7 +468,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -490,7 +490,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -512,7 +512,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -534,7 +534,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -594,7 +594,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule MATCHED_VARS "@rx (?:\xbc\s*/\s*[^\xbe>]*[\xbe>])|(?:<\s*/\s*[^\xbe]*\xbe)" \
|
||||
|
|
@ -623,7 +623,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -665,7 +665,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242/63',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -693,7 +693,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|REQU
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242/63',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -725,7 +725,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -755,14 +755,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
|
@ -786,7 +786,7 @@ SecRule REQUEST_FILENAME|REQUEST_HEADERS:Referer "@detectXSS" \
|
|||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -797,14 +797,14 @@ SecRule REQUEST_FILENAME|REQUEST_HEADERS:Referer "@detectXSS" \
|
|||
# XSS vectors making use of event handlers like onerror, onload etc, e.g., <body onload="alert(1)">
|
||||
#
|
||||
# We are not listing all the known event handlers like rule 941160, but we
|
||||
# limit the alerts to keywords of 3-25 characters after the prefix ("on").
|
||||
# limit the alerts to keywords of 3-50 characters after the prefix ("on").
|
||||
#
|
||||
# The shortest known event is "onget". The longest known event is "onmozorientationchange"
|
||||
# with 23 chars after the prefix. 25 chars adds a little bit of safety.
|
||||
# The shortest known event is "onget". The longest known event is "onwebkitplaybacktargetavailabilitychanged"
|
||||
# with 39 chars after the prefix. 50 chars adds a little bit of safety.
|
||||
#
|
||||
# This rule has been moved to PL2 since it has a tendency to trigger on random input.
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[\s\"'`;/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]on[a-zA-Z]{3,25}[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=[^=]" \
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[\s\"'`;/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]on[a-zA-Z]{3,50}[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=[^=]" \
|
||||
"id:941120,\
|
||||
phase:2,\
|
||||
block,\
|
||||
|
|
@ -820,7 +820,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -846,7 +846,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -874,7 +874,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -962,7 +962,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242/63',\
|
||||
tag:'PCI/6.5.1',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -984,7 +984,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
tag:'PCI/6.5.1',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -1009,7 +1009,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
tag:'PCI/6.5.1',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -1042,23 +1042,23 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242/63',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -14,8 +14,8 @@
|
|||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
|
@ -59,7 +59,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
multiMatch,\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
|
|
@ -90,7 +90,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -123,7 +123,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -167,7 +167,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -193,7 +193,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -219,7 +219,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -243,7 +243,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -269,7 +269,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -295,7 +295,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -316,7 +316,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -337,7 +337,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -363,7 +363,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -389,7 +389,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -418,7 +418,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -444,7 +444,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -483,7 +483,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -524,7 +524,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
multiMatch,\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
|
|
@ -561,7 +561,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -590,7 +590,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -619,14 +619,14 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
|
@ -659,7 +659,7 @@ SecRule ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)!=|&&|\|\||>[=>]|<(?:<|
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -700,7 +700,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\x0b\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.942130_matched_var_name=%{matched_var_name}',\
|
||||
chain"
|
||||
|
|
@ -736,7 +736,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\x0b\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
multiMatch,\
|
||||
setvar:'tx.942131_matched_var_name=%{matched_var_name}',\
|
||||
|
|
@ -773,7 +773,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -816,7 +816,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -845,7 +845,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -874,7 +874,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -900,7 +900,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -926,7 +926,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -952,7 +952,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -986,7 +986,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -1015,7 +1015,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -1040,7 +1040,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -1070,7 +1070,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -1102,7 +1102,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -1128,7 +1128,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -1154,7 +1154,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -1180,7 +1180,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -1211,7 +1211,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -1240,7 +1240,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -1269,7 +1269,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -1310,7 +1310,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
|
||||
|
|
@ -1328,7 +1328,7 @@ SecRule ARGS_GET:fbclid "@rx [a-zA-Z0-9_-]{61,61}" \
|
|||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ctl:ruleRemoveTargetById=942440;ARGS:fbclid,\
|
||||
ver:'OWASP_CRS/4.6.0'"
|
||||
ver:'OWASP_CRS/4.7.0'"
|
||||
|
||||
#
|
||||
# -=[ Exclusion rule for 942440 ]=-
|
||||
|
|
@ -1343,7 +1343,7 @@ SecRule ARGS_GET:gclid "@rx [a-zA-Z0-9_-]{91,91}" \
|
|||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ctl:ruleRemoveTargetById=942440;ARGS:gclid,\
|
||||
ver:'OWASP_CRS/4.6.0'"
|
||||
ver:'OWASP_CRS/4.7.0'"
|
||||
|
||||
#
|
||||
# -=[ Detect SQL Comment Sequences ]=-
|
||||
|
|
@ -1397,7 +1397,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule MATCHED_VARS "!@rx ^ey[\-0-9A-Z_a-z]+\.ey[\-0-9A-Z_a-z]+\.[\-0-9A-Z_a-z]+$" \
|
||||
|
|
@ -1428,7 +1428,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -1475,7 +1475,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -1502,7 +1502,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -1535,7 +1535,7 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.942521_matched_var_name=%{matched_var_name}',\
|
||||
chain"
|
||||
|
|
@ -1563,7 +1563,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ^.*?\x5c['\"`](?:.*?['\"`])?\s*(?:and|or)\b"
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -1601,7 +1601,7 @@ SecRule REQUEST_BASENAME|REQUEST_FILENAME "@detectSQLi" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -1633,7 +1633,7 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)\b(?:a(?:dd(
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -1663,15 +1663,15 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)create[\s\x0
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
|
@ -1703,7 +1703,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -1727,7 +1727,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -1767,7 +1767,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
|
||||
|
|
@ -1796,7 +1796,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
|
||||
|
|
@ -1826,7 +1826,7 @@ SecRule ARGS "@rx \W{4}" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}'"
|
||||
|
|
@ -1874,7 +1874,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -1903,14 +1903,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
|
@ -1937,7 +1937,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
|
||||
|
|
@ -1966,7 +1966,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -14,8 +14,8 @@
|
|||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
|
@ -43,7 +43,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/21/593/61',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -64,7 +64,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/21/593/61',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.943110_matched_var_name=%{matched_var_name}',\
|
||||
chain"
|
||||
|
|
@ -91,7 +91,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/21/593/61',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.943120_matched_var_name=%{matched_var_name}',\
|
||||
chain"
|
||||
|
|
@ -102,24 +102,24 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
|
|||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -13,8 +13,8 @@
|
|||
#
|
||||
# Many rules check request bodies, use "SecRequestBodyAccess On" to enable it on main modsecurity configuration file.
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
|
@ -46,7 +46,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/137/6',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -63,8 +63,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
# java. unmarshaller or base64data to trigger a potential payload execution
|
||||
# tested with https://www.exploit-db.com/exploits/42627/ and https://www.exploit-db.com/exploits/43458/
|
||||
|
||||
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
|
||||
"@rx (?:runtime|processbuilder)" \
|
||||
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:runtime|processbuilder)" \
|
||||
"id:944110,\
|
||||
phase:2,\
|
||||
block,\
|
||||
|
|
@ -79,10 +78,10 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \
|
||||
SecRule MATCHED_VARS|XML:/*|XML://@* "@rx (?i)(?:unmarshaller|base64data|java\.)" \
|
||||
"setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -104,7 +103,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
|
||||
|
|
@ -136,7 +135,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -174,7 +173,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -222,14 +221,14 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/137/6',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
|
@ -260,7 +259,7 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/137/6',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -292,7 +291,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -313,7 +312,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -334,7 +333,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -358,7 +357,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -383,14 +382,14 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
|
@ -417,14 +416,14 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
|
@ -453,7 +452,7 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/137/6',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -24,7 +24,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
|
||||
|
|
@ -34,7 +34,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
|
||||
|
||||
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
|
||||
|
|
@ -44,7 +44,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
|
||||
|
|
@ -54,7 +54,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
|
||||
|
||||
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
|
||||
|
|
@ -64,7 +64,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
|
||||
|
|
@ -74,7 +74,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
|
||||
|
||||
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
|
||||
|
|
@ -84,7 +84,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
|
||||
|
|
@ -94,7 +94,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
|
||||
|
||||
# at start of phase 2, we reset the aggregate scores to 0 to prevent duplicate counting of per-PL scores
|
||||
|
|
@ -106,7 +106,7 @@ SecAction \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.blocking_inbound_anomaly_score=0'"
|
||||
|
||||
SecAction \
|
||||
|
|
@ -116,7 +116,7 @@ SecAction \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.detection_inbound_anomaly_score=0'"
|
||||
|
||||
# Summing up the blocking and detection anomaly scores in phase 2
|
||||
|
|
@ -128,7 +128,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
|
||||
|
|
@ -138,7 +138,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
|
||||
|
||||
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
|
||||
|
|
@ -148,7 +148,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
|
||||
|
|
@ -158,7 +158,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
|
||||
|
||||
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
|
||||
|
|
@ -168,7 +168,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
|
||||
|
|
@ -178,7 +178,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
|
||||
|
||||
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
|
||||
|
|
@ -188,7 +188,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
|
||||
|
|
@ -198,7 +198,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
|
||||
|
||||
|
||||
|
|
@ -217,7 +217,7 @@ SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_thresh
|
|||
msg:'Inbound Anomaly Score Exceeded in phase 1 (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
|
||||
tag:'anomaly-evaluation',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
chain"
|
||||
SecRule TX:EARLY_BLOCKING "@eq 1"
|
||||
|
||||
|
|
@ -230,34 +230,34 @@ SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_thresh
|
|||
msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
|
||||
tag:'anomaly-evaluation',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0'"
|
||||
ver:'OWASP_CRS/4.7.0'"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -28,11 +28,11 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
|
@ -56,7 +56,7 @@ SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Inde
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54/127',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
||||
|
|
@ -88,13 +88,13 @@ SecRule RESPONSE_BODY "@rx ^#\!\s?/" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
|
@ -118,22 +118,22 @@ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -19,11 +19,11 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
|
@ -46,7 +46,7 @@ SecRule RESPONSE_BODY "!@pmFromFile sql-errors.data" \
|
|||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
skipAfter:END-SQL-ERROR-MATCH-PL1"
|
||||
|
||||
SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
|
||||
|
|
@ -64,7 +64,7 @@ SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Micr
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -89,7 +89,7 @@ SecRule RESPONSE_BODY "@rx (?i)\bORA-[0-9][0-9][0-9][0-9][0-9]:|java\.sql\.SQLEx
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -109,7 +109,7 @@ SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -129,7 +129,7 @@ SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinit
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -149,7 +149,7 @@ SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -169,7 +169,7 @@ SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollba
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -189,7 +189,7 @@ SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -209,7 +209,7 @@ SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statem
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -229,7 +229,7 @@ SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -249,7 +249,7 @@ SecRule RESPONSE_BODY "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -269,7 +269,7 @@ SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -289,7 +289,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsof
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -314,7 +314,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -339,7 +339,7 @@ SecRule RESPONSE_BODY "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -359,7 +359,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/J
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -379,7 +379,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*S
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
|
||||
|
|
@ -387,24 +387,24 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*S
|
|||
SecMarker "END-SQL-ERROR-MATCH-PL1"
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -19,11 +19,11 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
|
@ -47,7 +47,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
||||
|
|
@ -72,30 +72,30 @@ SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -19,11 +19,11 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
|
@ -47,7 +47,7 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
||||
|
|
@ -72,7 +72,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
||||
|
|
@ -98,13 +98,13 @@ SecRule RESPONSE_BODY "@rx (?i)<\?(?:=|php)?\s+" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
|
@ -131,21 +131,21 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors-pl2.data" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -19,11 +19,11 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
|
@ -45,7 +45,7 @@ SecRule RESPONSE_BODY "@rx [a-z]:\x5cinetpub\b" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
||||
|
|
@ -66,7 +66,7 @@ SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:</font>
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
||||
|
|
@ -90,7 +90,7 @@ SecRule RESPONSE_BODY "@pmFromFile iis-errors.data" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
||||
|
|
@ -112,7 +112,7 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'ERROR',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \
|
||||
|
|
@ -122,24 +122,24 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
|
|||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. (not) All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -19,11 +19,11 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
|
|||
pass,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
skipAfter:END-RESPONSE-955-WEB-SHELLS"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
|
@ -44,7 +44,7 @@ SecRule RESPONSE_BODY "@pmFromFile web-shells-php.data" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -63,7 +63,7 @@ SecRule RESPONSE_BODY "@rx (<title>r57 Shell Version [0-9.]+</title>|<title>r57
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -82,7 +82,7 @@ SecRule RESPONSE_BODY "@rx ^<html><head><meta http-equiv='Content-Type' content=
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -101,7 +101,7 @@ SecRule RESPONSE_BODY "@rx B4TM4N SH3LL</title>.*<meta name='author' content='k4
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -120,7 +120,7 @@ SecRule RESPONSE_BODY "@rx <title>Mini Shell</title>.*Developed By LameHacker" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -139,7 +139,7 @@ SecRule RESPONSE_BODY "@rx <title>\.:: .* ~ Ashiyane V [0-9.]+ ::\.</title>" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -158,7 +158,7 @@ SecRule RESPONSE_BODY "@rx <title>Symlink_Sa [0-9.]+</title>" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -177,7 +177,7 @@ SecRule RESPONSE_BODY "@rx <title>CasuS [0-9.]+ by MafiABoY</title>" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -196,7 +196,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<title>GRP WebShell [0-9.]+ " \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -215,7 +215,7 @@ SecRule RESPONSE_BODY "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>\n$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -234,7 +234,7 @@ SecRule RESPONSE_BODY "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ - "
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -253,7 +253,7 @@ SecRule RESPONSE_BODY "@rx ^<!DOCTYPE html>\n<html>\n<!-- By Artyum .*<title>Web
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -272,7 +272,7 @@ SecRule RESPONSE_BODY "@rx <title>lama's'hell v. [0-9.]+</title>" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -291,7 +291,7 @@ SecRule RESPONSE_BODY "@rx ^ *<html>\n[ ]+<head>\n[ ]+<title>lostDC - " \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -310,7 +310,7 @@ SecRule RESPONSE_BODY "@rx ^<title>PHP Web Shell</title>\r\n<html>\r\n<body>\r\n
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -329,7 +329,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<div align=\"left\"><font size=\"1\"
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -350,7 +350,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<title>Ru24PostWebShell " \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -369,7 +369,7 @@ SecRule RESPONSE_BODY "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -388,7 +388,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<meta http-equiv=\"Content-Type\
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -407,7 +407,7 @@ SecRule RESPONSE_BODY "@rx ^ <html>\n\n<head>\n\n<title>g00nshell v[0-9.]+ " \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -428,7 +428,7 @@ SecRule RESPONSE_BODY "@contains <title>punkholicshell</title>" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -447,7 +447,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\n <head>\n <title>azrail [0-
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -466,7 +466,7 @@ SecRule RESPONSE_BODY "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -485,7 +485,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<title>.*? ~ Shell I</title>\n<head>\n<style
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
@ -504,14 +504,14 @@ SecRule RESPONSE_BODY "@rx ^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
|
@ -532,20 +532,20 @@ SecRule RESPONSE_BODY "@contains <h1 style=\"margin-bottom: 0\">webadmin.php</h1
|
|||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/122/17/650',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -35,7 +35,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
|
||||
|
|
@ -45,7 +45,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
|
||||
|
||||
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
|
||||
|
|
@ -55,7 +55,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
|
||||
|
|
@ -65,7 +65,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
|
||||
|
||||
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
|
||||
|
|
@ -75,7 +75,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
|
||||
|
|
@ -85,7 +85,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
|
||||
|
||||
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
|
||||
|
|
@ -95,7 +95,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
|
||||
|
|
@ -105,7 +105,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
|
||||
|
||||
# at start of phase 4, we reset the aggregate scores to 0 to prevent duplicate counting of per-PL scores
|
||||
|
|
@ -117,7 +117,7 @@ SecAction \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.blocking_outbound_anomaly_score=0'"
|
||||
|
||||
SecAction \
|
||||
|
|
@ -127,7 +127,7 @@ SecAction \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.detection_outbound_anomaly_score=0'"
|
||||
|
||||
SecMarker "EARLY_BLOCKING_ANOMALY_SCORING"
|
||||
|
|
@ -141,7 +141,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
|
||||
|
|
@ -151,7 +151,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
|
||||
|
||||
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
|
||||
|
|
@ -161,7 +161,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
|
||||
|
|
@ -171,7 +171,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
|
||||
|
||||
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
|
||||
|
|
@ -181,7 +181,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
|
||||
|
|
@ -191,7 +191,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
|
||||
|
||||
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
|
||||
|
|
@ -201,7 +201,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
|
||||
|
|
@ -211,7 +211,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
|
||||
|
||||
#
|
||||
|
|
@ -227,7 +227,7 @@ SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_thre
|
|||
msg:'Outbound Anomaly Score Exceeded in phase 3 (Total Score: %{tx.blocking_outbound_anomaly_score})',\
|
||||
tag:'anomaly-evaluation',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
chain"
|
||||
SecRule TX:EARLY_BLOCKING "@eq 1"
|
||||
|
||||
|
|
@ -240,34 +240,34 @@ SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_thre
|
|||
msg:'Outbound Anomaly Score Exceeded (Total Score: %{tx.blocking_outbound_anomaly_score})',\
|
||||
tag:'anomaly-evaluation',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0'"
|
||||
ver:'OWASP_CRS/4.7.0'"
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -28,7 +28,7 @@ SecAction \
|
|||
nolog,\
|
||||
noauditlog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:'tx.blocking_anomaly_score=%{tx.blocking_inbound_anomaly_score}',\
|
||||
setvar:'tx.blocking_anomaly_score=+%{tx.blocking_outbound_anomaly_score}',\
|
||||
setvar:'tx.detection_anomaly_score=%{tx.detection_inbound_anomaly_score}',\
|
||||
|
|
@ -41,33 +41,33 @@ SecAction \
|
|||
#
|
||||
|
||||
# -= Reporting Level 0 =- (Skip over reporting when tx.reporting_level is 0)
|
||||
SecRule TX:REPORTING_LEVEL "@eq 0" "id:980041,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REPORTING"
|
||||
SecRule TX:REPORTING_LEVEL "@eq 0" "id:980041,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REPORTING"
|
||||
|
||||
# -= Reporting Level 5 =- (Jump to reporting rule immediately when tx.reporting_level is 5 or greater)
|
||||
SecRule TX:REPORTING_LEVEL "@ge 5" "id:980042,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:LOG-REPORTING"
|
||||
SecRule TX:REPORTING_LEVEL "@ge 5" "id:980042,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:LOG-REPORTING"
|
||||
|
||||
# -= Zero detection score =- (Skip over reporting when sum of inbound and outbound detection score is equal to 0)
|
||||
SecRule TX:DETECTION_ANOMALY_SCORE "@eq 0" "id:980043,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REPORTING"
|
||||
SecRule TX:DETECTION_ANOMALY_SCORE "@eq 0" "id:980043,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REPORTING"
|
||||
|
||||
# -= Blocking score exceeds threshold =- (Jump to reporting rule immediately if a blocking score exceeds a threshold)
|
||||
SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980044,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:LOG-REPORTING"
|
||||
SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980045,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:LOG-REPORTING"
|
||||
SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980044,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:LOG-REPORTING"
|
||||
SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980045,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:LOG-REPORTING"
|
||||
|
||||
# -= Reporting Level 2 =- (Skip over reporting when tx.reporting_level is less than 2)
|
||||
SecRule TX:REPORTING_LEVEL "@lt 2" "id:980046,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REPORTING"
|
||||
SecRule TX:REPORTING_LEVEL "@lt 2" "id:980046,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REPORTING"
|
||||
|
||||
# -= Detection score exceeds threshold =- (Jump to reporting rule immediately if a detection score exceeds a threshold)
|
||||
SecRule TX:DETECTION_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980047,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:LOG-REPORTING"
|
||||
SecRule TX:DETECTION_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980048,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:LOG-REPORTING"
|
||||
SecRule TX:DETECTION_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980047,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:LOG-REPORTING"
|
||||
SecRule TX:DETECTION_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980048,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:LOG-REPORTING"
|
||||
|
||||
# -= Reporting Level 3 =- (Skip over reporting when tx.reporting_level is less than 3)
|
||||
SecRule TX:REPORTING_LEVEL "@lt 3" "id:980049,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REPORTING"
|
||||
SecRule TX:REPORTING_LEVEL "@lt 3" "id:980049,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REPORTING"
|
||||
|
||||
# -= Blocking score greater than zero =- (Jump to reporting rule immediately when sum of inbound and outbound blocking score is greater than zero)
|
||||
SecRule TX:BLOCKING_ANOMALY_SCORE "@gt 0" "id:980050,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:LOG-REPORTING"
|
||||
SecRule TX:BLOCKING_ANOMALY_SCORE "@gt 0" "id:980050,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:LOG-REPORTING"
|
||||
|
||||
# -= Reporting Level 4 =- (Skip over reporting when tx.reporting_level is less than 4)
|
||||
SecRule TX:REPORTING_LEVEL "@lt 4" "id:980051,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-REPORTING"
|
||||
SecRule TX:REPORTING_LEVEL "@lt 4" "id:980051,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-REPORTING"
|
||||
|
||||
# At this point, the reporting level is 4 and there's a non-zero detection
|
||||
# score (already established by rule 980043) so fall through to the reporting
|
||||
|
|
@ -95,37 +95,37 @@ SecAction \
|
|||
(SQLI=%{tx.sql_injection_score}, XSS=%{tx.xss_score}, RFI=%{tx.rfi_score}, LFI=%{tx.lfi_score}, RCE=%{tx.rce_score}, PHPI=%{tx.php_injection_score}, HTTP=%{tx.http_violation_score}, SESS=%{tx.session_fixation_score}, COMBINED_SCORE=%{tx.anomaly_score})',\
|
||||
tag:'reporting',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0'"
|
||||
ver:'OWASP_CRS/4.7.0'"
|
||||
|
||||
SecMarker "END-REPORTING"
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-980-CORRELATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-980-CORRELATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-980-CORRELATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-980-CORRELATION"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-980-CORRELATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-980-CORRELATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-980-CORRELATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-980-CORRELATION"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-980-CORRELATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-980-CORRELATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-980-CORRELATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-980-CORRELATION"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-980-CORRELATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.6.0',skipAfter:END-RESPONSE-980-CORRELATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-980-CORRELATION"
|
||||
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.7.0',skipAfter:END-RESPONSE-980-CORRELATION"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
|
|||
|
|
@ -180,6 +180,8 @@ BlockCypher.log
|
|||
config.inc.php
|
||||
config.sample.php
|
||||
defaults.inc.php
|
||||
# Contains credentials for SendGrid service
|
||||
sendgrid.env
|
||||
|
||||
# /proc entries (keep in sync with lfi-os-files.data)
|
||||
# grep -E "^proc/" lfi-os-files.data
|
||||
|
|
|
|||
|
|
@ -786,16 +786,16 @@ def remove_comments(data):
|
|||
|
||||
def errmsg(msg):
|
||||
if oformat == "github":
|
||||
print("::error %s" % (msg))
|
||||
print("::error::%s" % (msg))
|
||||
else:
|
||||
print(msg)
|
||||
|
||||
def errmsgf(msg):
|
||||
if oformat == "github":
|
||||
if 'message' in msg and msg['message'].strip() != "":
|
||||
print("::error%sfile={file},line={line},endLine={endLine},title={title}: {message}".format(**msg) % (msg['indent']*" "))
|
||||
print("::error%sfile={file},line={line},endLine={endLine},title={title}:: {message}".format(**msg) % (msg['indent']*" "))
|
||||
else:
|
||||
print("::error%sfile={file},line={line},endLine={endLine},title={title}".format(**msg) % (msg['indent']*" "))
|
||||
print("::error%sfile={file},line={line},endLine={endLine},title={title}::".format(**msg) % (msg['indent']*" "))
|
||||
else:
|
||||
if 'message' in msg and msg['message'].strip() != "":
|
||||
print("%sfile={file}, line={line}, endLine={endLine}, title={title}: {message}".format(**msg) % (msg['indent']*" "))
|
||||
|
|
@ -804,7 +804,7 @@ def errmsgf(msg):
|
|||
|
||||
def msg(msg):
|
||||
if oformat == "github":
|
||||
print("::debug %s" % (msg))
|
||||
print("::debug::%s" % (msg))
|
||||
else:
|
||||
print(msg)
|
||||
|
||||
|
|
@ -850,7 +850,7 @@ if __name__ == "__main__":
|
|||
# if no --version/-v was given, get version from git describe --tags output
|
||||
crsversion = generate_version_string()
|
||||
else:
|
||||
crsversion = args.version
|
||||
crsversion = args.version.strip()
|
||||
# if no "OWASP_CRS/" prefix, append it
|
||||
if not crsversion.startswith("OWASP_CRS/"):
|
||||
crsversion = "OWASP_CRS/" + crsversion
|
||||
|
|
@ -1100,17 +1100,17 @@ if __name__ == "__main__":
|
|||
errmsgf(a)
|
||||
retval = 1
|
||||
### check for ver action
|
||||
# c.check_ver_action(crsversion)
|
||||
# if len(c.noveract) == 0:
|
||||
# msg(" No rule without correct ver action.")
|
||||
# else:
|
||||
# errmsg(" There are one or more rules without ver action.")
|
||||
# for a in c.noveract:
|
||||
# a['indent'] = 2
|
||||
# a['file'] = f
|
||||
# a['title'] = "ver is missing / incorrect"
|
||||
# errmsgf(a)
|
||||
# retval = 1
|
||||
c.check_ver_action(crsversion)
|
||||
if len(c.noveract) == 0:
|
||||
msg(" No rule without correct ver action.")
|
||||
else:
|
||||
errmsg(" There are one or more rules without ver action.")
|
||||
for a in c.noveract:
|
||||
a['indent'] = 2
|
||||
a['file'] = f
|
||||
a['title'] = "ver is missing / incorrect"
|
||||
errmsgf(a)
|
||||
retval = 1
|
||||
|
||||
msg("End of checking parsed rules")
|
||||
msg("Cumulated report about unused TX variables")
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP CRS ver.4.6.0
|
||||
# OWASP CRS ver.4.7.0
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2024 CRS project. All rights reserved.
|
||||
#
|
||||
|
|
@ -181,7 +181,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.blocking_paranoia_level=1"
|
||||
|
||||
|
||||
|
|
@ -209,7 +209,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.detection_paranoia_level=1"
|
||||
|
||||
|
||||
|
|
@ -235,7 +235,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.enforce_bodyproc_urlencoded=1"
|
||||
|
||||
|
||||
|
|
@ -270,7 +270,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.critical_anomaly_score=5,\
|
||||
# setvar:tx.error_anomaly_score=4,\
|
||||
# setvar:tx.warning_anomaly_score=3,\
|
||||
|
|
@ -324,7 +324,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.inbound_anomaly_score_threshold=5,\
|
||||
# setvar:tx.outbound_anomaly_score_threshold=4"
|
||||
|
||||
|
|
@ -385,7 +385,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.reporting_level=4"
|
||||
|
||||
|
||||
|
|
@ -417,7 +417,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.early_blocking=1"
|
||||
|
||||
|
||||
|
|
@ -438,7 +438,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.enable_default_collections=1"
|
||||
|
||||
|
||||
|
|
@ -466,7 +466,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
|
||||
|
||||
# Content-Types that a client is allowed to send in a request.
|
||||
|
|
@ -496,7 +496,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ctl:ruleRemoveById=920420,\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# chain"
|
||||
# SecRule REQUEST_URI "@rx ^/foo/bar" \
|
||||
# "t:none"
|
||||
|
|
@ -510,7 +510,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
|
||||
|
||||
# Allowed HTTP versions.
|
||||
|
|
@ -526,7 +526,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
|
||||
|
||||
# Forbidden file extensions.
|
||||
|
|
@ -550,7 +550,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pem/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
|
||||
|
||||
# Restricted request headers.
|
||||
|
|
@ -595,7 +595,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
|
||||
#
|
||||
# [ Extended ]
|
||||
|
|
@ -621,7 +621,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:'tx.restricted_headers_extended=/accept-charset/'"
|
||||
|
||||
# Content-Types charsets that a client is allowed to send in a request.
|
||||
|
|
@ -635,7 +635,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
|
||||
|
||||
#
|
||||
|
|
@ -661,7 +661,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.max_num_args=255"
|
||||
|
||||
# Block request if the length of any argument name is too high
|
||||
|
|
@ -675,7 +675,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.arg_name_length=100"
|
||||
|
||||
# Block request if the length of any argument value is too high
|
||||
|
|
@ -689,7 +689,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.arg_length=400"
|
||||
|
||||
# Block request if the total length of all combined arguments is too high
|
||||
|
|
@ -703,7 +703,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.total_arg_length=64000"
|
||||
|
||||
# Block request if the file size of any individual uploaded file is too high
|
||||
|
|
@ -717,7 +717,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.max_file_size=1048576"
|
||||
|
||||
# Block request if the total size of all combined uploaded files is too high
|
||||
|
|
@ -731,7 +731,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.combined_file_sizes=1048576"
|
||||
|
||||
|
||||
|
|
@ -771,7 +771,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# pass,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.sampling_percentage=100"
|
||||
|
||||
|
||||
|
|
@ -792,7 +792,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# nolog,\
|
||||
# tag:'OWASP_CRS',\
|
||||
# ver:'OWASP_CRS/4.6.0',\
|
||||
# ver:'OWASP_CRS/4.7.0',\
|
||||
# setvar:tx.crs_validate_utf8_encoding=1"
|
||||
|
||||
|
||||
|
|
@ -814,5 +814,5 @@ SecAction \
|
|||
t:none,\
|
||||
nolog,\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/4.6.0',\
|
||||
setvar:tx.crs_setup_version=460"
|
||||
ver:'OWASP_CRS/4.7.0',\
|
||||
setvar:tx.crs_setup_version=470"
|
||||
|
|
|
|||
|
|
@ -9,9 +9,9 @@
|
|||
},
|
||||
{
|
||||
"id": "coreruleset-v4",
|
||||
"name": "Coreruleset v4.6.0",
|
||||
"name": "Coreruleset v4.7.0",
|
||||
"url": "https://github.com/coreruleset/coreruleset.git",
|
||||
"commit": "f8d20d19ba4c79e2288ff2b5c37165e8af96bf35",
|
||||
"commit": "ffa61145614ebf1ddbc335ccadfcf47b0a67949e",
|
||||
"post_install": "rm -rf files/coreruleset-v4/tests && cp files/coreruleset-v4/crs-setup.conf.example files/crs-setup-v4.conf"
|
||||
}
|
||||
]
|
||||
|
|
|
|||
Loading…
Reference in a new issue