diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index 831dde372..271d31b2f 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -47,7 +47,7 @@ body:
label: BunkerWeb version
description: What version of BunkerWeb are you running?
placeholder: Version
- value: 1.5.7
+ value: 1.5.8
validations:
required: true
- type: dropdown
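Review bot: The prefilled `value: 1.5.8` on the "BunkerWeb version" field means a reporter who does not edit the field submits 1.5.8 whatever they actually run, which makes triage of version-specific bugs unreliable. Consider dropping `value` and relying on the existing `placeholder: Version` together with `required: true`. That would also remove the need to bump this file at every release.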
diff --git a/.github/workflows/tests-ui-linux.yml b/.github/workflows/tests-ui-linux.yml
index 082ddc0fe..3128b4f14 100644
--- a/.github/workflows/tests-ui-linux.yml
+++ b/.github/workflows/tests-ui-linux.yml
@@ -80,6 +80,7 @@ jobs:
sudo mkdir -p /etc/bunkerweb
echo "SERVER_NAME=" | sudo tee /etc/bunkerweb/variables.env
echo "HTTP_PORT=80" | sudo tee -a /etc/bunkerweb/variables.env
+ echo "HTTPS_PORT=443" | sudo tee -a /etc/bunkerweb/variables.env
echo "BAD_BEHAVIOR_THRESHOLD=20" | sudo tee -a /etc/bunkerweb/variables.env
echo 'DNS_RESOLVERS=9.9.9.9 8.8.8.8 8.8.4.4' | sudo tee -a /etc/bunkerweb/variables.env
echo 'API_LISTEN_IP=127.0.0.1' | sudo tee -a /etc/bunkerweb/variables.env
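Review bot: The added `HTTPS_PORT=443` line has no comment saying why the UI test environment now needs it, and `SERVER_NAME=` is still empty in the same block. If this is there for the forced-HTTPS wizard listed in the changelog, say so in a short comment above the line, and check that the later test steps actually connect over HTTPS and handle the self-signed certificate, so the job does not keep exercising plain HTTP.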
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a3aed899f..8e5cce58d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,9 @@
- [FEATURE] Add nightly build of the OWASP coreruleset that are automatically downloaded and updated
- [FEATURE] Enhance security on error pages, default server page and loading page by adding a custom `Content-Security-Policy` header with nonces and removing the `Server` header
+- [UI] Force HTTPS on setup wizard
+- [UI] Fallback to self-signed certificate when UI is installed with setup wizard and let's encrypt is not used
+- [DEPS] Updated coreruleset-v4 version to v4.3.0
## v1.5.7 - 2024/05/14
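Review bot: The two `[UI]` entries describe a behaviour change operators will notice (the wizard is forced to HTTPS and may present a self-signed certificate), but neither says what the operator should expect or do. Add a few words on the browser warning and on how to replace the certificate afterwards. Also spell the CA name as "Let's Encrypt" in the second entry.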
diff --git a/README.md b/README.md
index 54b49d0a3..c537b098b 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
-
+
@@ -26,7 +26,7 @@
|
👨💻 Demo
|
- 🛡️ Examples
+ 🛡️ Examples
|
💬 Chat
|
@@ -44,14 +44,14 @@
# BunkerWeb
-
+
BunkerWeb is a next-generation and open-source Web Application Firewall (WAF).
-Being a full-featured web server (based on [NGINX](https://nginx.org/) under the hood), it will protect your web services to make them "secure by default". BunkerWeb integrates seamlessly into your existing environments ([Linux](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#linux), [Docker](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#docker), [Swarm](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#swarm), [Kubernetes](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#kubernetes), …) and is fully configurable (don't panic, there is an [awesome web UI](https://docs.bunkerweb.io/1.5.7/web-ui/?utm_campaign=self&utm_source=github) if you don't like the CLI) to meet your own use-cases . In other words, cybersecurity is no more a hassle.
+Being a full-featured web server (based on [NGINX](https://nginx.org/) under the hood), it will protect your web services to make them "secure by default". BunkerWeb integrates seamlessly into your existing environments ([Linux](https://docs.bunkerweb.io/1.5.8/integrations/?utm_campaign=self&utm_source=github#linux), [Docker](https://docs.bunkerweb.io/1.5.8/integrations/?utm_campaign=self&utm_source=github#docker), [Swarm](https://docs.bunkerweb.io/1.5.8/integrations/?utm_campaign=self&utm_source=github#swarm), [Kubernetes](https://docs.bunkerweb.io/1.5.8/integrations/?utm_campaign=self&utm_source=github#kubernetes), …) and is fully configurable (don't panic, there is an [awesome web UI](https://docs.bunkerweb.io/1.5.8/web-ui/?utm_campaign=self&utm_source=github) if you don't like the CLI) to meet your own use-cases . In other words, cybersecurity is no more a hassle.
-BunkerWeb contains primary [security features](https://docs.bunkerweb.io/1.5.7/security-tuning/?utm_campaign=self&utm_source=github) as part of the core but can be easily extended with additional ones thanks to a [plugin system](https://docs.bunkerweb.io/1.5.7/plugins/?utm_campaign=self&utm_source=github).
+BunkerWeb contains primary [security features](https://docs.bunkerweb.io/1.5.8/security-tuning/?utm_campaign=self&utm_source=github) as part of the core but can be easily extended with additional ones thanks to a [plugin system](https://docs.bunkerweb.io/1.5.8/plugins/?utm_campaign=self&utm_source=github).
## Why BunkerWeb ?
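Review bot: The `1.5.8` version string is edited by hand in five separate documentation URLs on the "Being a full-featured web server" line alone, and the same pattern repeats through the rest of the README, so one missed occurrence leaves a link pointing at the previous release's docs. Generate these from a single version variable in the release script, or add a CI check that fails when the old version string is still present. While the line is being touched, the stray space in "use-cases ." can go as well.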
@@ -76,7 +76,7 @@ A non-exhaustive list of security features :
- **Block known bad IPs** with external blacklists and DNSBL
- And much more ...
-Learn more about the core security features in the [security tuning](https://docs.bunkerweb.io/1.5.7/security-tuning/?utm_campaign=self&utm_source=github) section of the documentation.
+Learn more about the core security features in the [security tuning](https://docs.bunkerweb.io/1.5.8/security-tuning/?utm_campaign=self&utm_source=github) section of the documentation.
## Demo
@@ -92,13 +92,13 @@ When using BunkerWeb you have the choice of the version you want to use : open-s
Whether it's enhanced security, an enriched user experience, or technical supervision, the BunkerWeb PRO version will allow you to fully benefit from BunkerWeb and respond to your professional needs.
-Be it in the documentation or the user interface, the PRO features are annotated with a crown to distinguish them from those integrated into the open-source version.
+Be it in the documentation or the user interface, the PRO features are annotated with a crown to distinguish them from those integrated into the open-source version.
You can upgrade from the open-source version to the PRO one easily and at any time you want. The process is pretty straightforward :
- Claim your [free trial on the BunkerWeb panel](https://panel.bunkerweb.io/?utm_campaign=self&utm_source=doc)
- Once connected to the client area, copy your PRO license key
-- Paste your private key into BunkerWeb using the [web UI](https://docs.bunkerweb.io/1.5.7/web-ui/#upgrade-to-pro) or [specific setting](https://docs.bunkerweb.io/1.5.7/settings/#pro)
+- Paste your private key into BunkerWeb using the [web UI](https://docs.bunkerweb.io/1.5.8/web-ui/#upgrade-to-pro) or [specific setting](https://docs.bunkerweb.io/1.5.8/settings/#pro)
Do not hesitate to visit the [BunkerWeb panel](https://panel.bunkerweb.io/knowledgebase?utm_campaign=self&utm_source=doc) or [contact us](https://panel.bunkerweb.io/contact.php?utm_campaign=self&utm_source=doc) if you have any question regarding the PRO version.
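Review bot: The changed bullet says "Paste your private key" while the bullet just above it says "copy your PRO license key", so the two steps name the same secret differently. Use "PRO license key" in both places so readers do not go looking for a separate private key.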
@@ -131,10 +131,10 @@ Community and social networks :
# Concepts
-
+
-You will find more information about the key concepts of BunkerWeb in the [documentation](https://docs.bunkerweb.io/1.5.7/concepts/?utm_campaign=self&utm_source=github).
+You will find more information about the key concepts of BunkerWeb in the [documentation](https://docs.bunkerweb.io/1.5.8/concepts/?utm_campaign=self&utm_source=github).
## Integrations
@@ -142,12 +142,12 @@ The first concept is the integration of BunkerWeb into the target environment. W
The following integrations are officially supported :
-- [Docker](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#docker)
-- [Linux](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#linux)
-- [Docker autoconf](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#docker-autoconf)
-- [Kubernetes](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#kubernetes)
-- [Swarm](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#swarm)
-- [Microsoft Azure](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#microsoft-azure)
+- [Docker](https://docs.bunkerweb.io/1.5.8/integrations/?utm_campaign=self&utm_source=github#docker)
+- [Linux](https://docs.bunkerweb.io/1.5.8/integrations/?utm_campaign=self&utm_source=github#linux)
+- [Docker autoconf](https://docs.bunkerweb.io/1.5.8/integrations/?utm_campaign=self&utm_source=github#docker-autoconf)
+- [Kubernetes](https://docs.bunkerweb.io/1.5.8/integrations/?utm_campaign=self&utm_source=github#kubernetes)
+- [Swarm](https://docs.bunkerweb.io/1.5.8/integrations/?utm_campaign=self&utm_source=github#swarm)
+- [Microsoft Azure](https://docs.bunkerweb.io/1.5.8/integrations/?utm_campaign=self&utm_source=github#microsoft-azure)
## Settings
@@ -179,7 +179,7 @@ When multisite mode is enabled, BunkerWeb will serve and protect multiple web ap
## Custom configurations
-Because meeting all the use cases only using the settings is not an option (even with [external plugins](https://docs.bunkerweb.io/1.5.7/plugins/?utm_campaign=self&utm_source=github)), you can use custom configurations to solve your specific challenges.
+Because meeting all the use cases only using the settings is not an option (even with [external plugins](https://docs.bunkerweb.io/1.5.8/plugins/?utm_campaign=self&utm_source=github)), you can use custom configurations to solve your specific challenges.
Under the hood, BunkerWeb uses the notorious NGINX web server, that's why you can leverage its configuration system for your specific needs. Custom NGINX configurations can be included in different [contexts](https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/#contexts) like HTTP or server (all servers and/or specific server block).
@@ -188,7 +188,7 @@ Another core component of BunkerWeb is the ModSecurity Web Application Firewall
## Database
-
+
State of the current configuration of BunkerWeb is stored in a backend database which contains the following data :
@@ -217,7 +217,7 @@ In other words, the scheduler is the brain of BunkerWeb.
## Docker
-
+
We provide ready to use prebuilt images for x64, x86, armv7 and arm64 platforms on [Docker Hub](https://hub.docker.com/u/bunkerity).
@@ -228,46 +228,46 @@ Docker integration key concepts are :
- **Scheduler** container to store configuration and execute jobs
- **Networks** to expose ports for clients and connect to upstream web services
-You will find more information in the [Docker integration section](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#docker) of the documentation.
+You will find more information in the [Docker integration section](https://docs.bunkerweb.io/1.5.8/integrations/?utm_campaign=self&utm_source=github#docker) of the documentation.
## Docker autoconf
-
+
The downside of using environment variables is that the container needs to be recreated each time there is an update which is not very convenient. To counter that issue, you can use another image called **autoconf** which will listen for Docker events and automatically reconfigure BunkerWeb in real-time without recreating the container.
Instead of defining environment variables for the BunkerWeb container, you simply add **labels** to your web applications containers and the **autoconf** will "automagically" take care of the rest.
-You will find more information in the [Docker autoconf section](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#docker-autoconf) of the documentation.
+You will find more information in the [Docker autoconf section](https://docs.bunkerweb.io/1.5.8/integrations/?utm_campaign=self&utm_source=github#docker-autoconf) of the documentation.
## Swarm
-
+
To automatically configure BunkerWeb instances, a special service, called **autoconf** will listen for Docker Swarm events like service creation or deletion and automatically configure the **BunkerWeb instances** in real-time without downtime.
-Like the [Docker autoconf integration](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#docker-autoconf), configuration for web services is defined using labels starting with the special **bunkerweb.** prefix.
+Like the [Docker autoconf integration](https://docs.bunkerweb.io/1.5.8/integrations/?utm_campaign=self&utm_source=github#docker-autoconf), configuration for web services is defined using labels starting with the special **bunkerweb.** prefix.
-You will find more information in the [Swarm section](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#swarm) of the documentation.
+You will find more information in the [Swarm section](https://docs.bunkerweb.io/1.5.8/integrations/?utm_campaign=self&utm_source=github#swarm) of the documentation.
## Kubernetes
-
+
The autoconf acts as an [Ingress controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) and will configure the BunkerWeb instances according to the [Ingress resources](https://kubernetes.io/docs/concepts/services-networking/ingress/). It also monitors other Kubernetes objects like [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) for custom configurations.
-You will find more information in the [Kubernetes section](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#kubernetes) of the documentation.
+You will find more information in the [Kubernetes section](https://docs.bunkerweb.io/1.5.8/integrations/?utm_campaign=self&utm_source=github#kubernetes) of the documentation.
## Linux
-
+
List of supported Linux distros :
@@ -281,7 +281,7 @@ List of supported Linux distros :
Repositories of Linux packages for BunkerWeb are available on [PackageCloud](https://packagecloud.io/bunkerity/bunkerweb), they provide a bash script to automatically add and trust the repository (but you can also follow the [manual installation](https://packagecloud.io/bunkerity/bunkerweb/install) instructions if you prefer).
-You will find more information in the [Linux section](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#linux) of the documentation.
+You will find more information in the [Linux section](https://docs.bunkerweb.io/1.5.8/integrations/?utm_campaign=self&utm_source=github#linux) of the documentation.
> [!IMPORTANT]
> As of Ubuntu 24.04, the `nginx` package is not available in the official repository. You will need to use the `jammy` repository to install NGINX 1.24.0. Also we do not yet run automated tests on Ubuntu 24.04, so please consider this version as experimental.
@@ -289,16 +289,16 @@ You will find more information in the [Linux section](https://docs.bunkerweb.io/
## Microsoft Azure
-
+
-BunkerWeb is referenced in the [Azure Marketplace](https://azuremarketplace.microsoft.com/fr-fr/marketplace/apps/bunkerity.bunkerweb?tab=Overview) and a ARM template is available in the [misc folder](https://github.com/bunkerity/bunkerweb/raw/v1.5.7/misc/integrations/azure-arm-template.json).
+BunkerWeb is referenced in the [Azure Marketplace](https://azuremarketplace.microsoft.com/fr-fr/marketplace/apps/bunkerity.bunkerweb?tab=Overview) and a ARM template is available in the [misc folder](https://github.com/bunkerity/bunkerweb/raw/v1.5.8/misc/integrations/azure-arm-template.json).
-You will find more information in the [Microsoft Azure section](https://docs.bunkerweb.io/1.5.7/integrations/?utm_campaign=self&utm_source=github#microsoft-azure) of the documentation.
+You will find more information in the [Microsoft Azure section](https://docs.bunkerweb.io/1.5.8/integrations/?utm_campaign=self&utm_source=github#microsoft-azure) of the documentation.
# Quickstart guide
-Once you have setup BunkerWeb with the integration of your choice, you can follow the [quickstart guide](https://docs.bunkerweb.io/1.5.7/quickstart-guide/?utm_campaign=self&utm_source=github) that will cover the following common use cases :
+Once you have setup BunkerWeb with the integration of your choice, you can follow the [quickstart guide](https://docs.bunkerweb.io/1.5.8/quickstart-guide/?utm_campaign=self&utm_source=github) that will cover the following common use cases :
- Protecting a single HTTP application
- Protecting multiple HTTP application
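Review bot: On the changed Azure line, "a ARM template" should read "an ARM template", and the Azure Marketplace link is pinned to the `fr-fr` locale, which sends every reader to the French storefront. Since the line is already being edited for the version bump, fix the article and drop the locale segment from the URL in the same commit.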
@@ -309,9 +309,9 @@ Once you have setup BunkerWeb with the integration of your choice, you can follo
# Security tuning
-BunkerWeb offers many security features that you can configure with [settings](https://docs.bunkerweb.io/1.5.7/settings/?utm_campaign=self&utm_source=github). Even if the default values of settings ensure a minimal "security by default", we strongly recommend you to tune them. By doing so you will be able to ensure a security level of your choice but also manage false positives.
+BunkerWeb offers many security features that you can configure with [settings](https://docs.bunkerweb.io/1.5.8/settings/?utm_campaign=self&utm_source=github). Even if the default values of settings ensure a minimal "security by default", we strongly recommend you to tune them. By doing so you will be able to ensure a security level of your choice but also manage false positives.
-You will find more information in the [security tuning section](https://docs.bunkerweb.io/1.5.7/security-tuning/?utm_campaign=self&utm_source=github) of the documentation.
+You will find more information in the [security tuning section](https://docs.bunkerweb.io/1.5.8/security-tuning/?utm_campaign=self&utm_source=github) of the documentation.
# Settings
@@ -321,13 +321,13 @@ As a general rule when multisite mode is enabled, if you want to apply settings
When settings are considered as "multiple", it means that you can have multiple groups of settings for the same feature by adding numbers as suffix like `REVERSE_PROXY_URL_1=/subdir`, `REVERSE_PROXY_HOST_1=http://myhost1`, `REVERSE_PROXY_URL_2=/anotherdir`, `REVERSE_PROXY_HOST_2=http://myhost2`, ... for example.
-Check the [settings section](https://docs.bunkerweb.io/1.5.7/settings/?utm_campaign=self&utm_source=github) of the documentation to get the full list.
+Check the [settings section](https://docs.bunkerweb.io/1.5.8/settings/?utm_campaign=self&utm_source=github) of the documentation to get the full list.
# Web UI
-
+
@@ -341,7 +341,7 @@ The "Web UI" is a web application that helps you manage your BunkerWeb instance
- Monitor jobs execution
- View the logs and search pattern
-You will find more information in the [Web UI section](https://docs.bunkerweb.io/1.5.7/web-ui/?utm_campaign=self&utm_source=github) of the documentation.
+You will find more information in the [Web UI section](https://docs.bunkerweb.io/1.5.8/web-ui/?utm_campaign=self&utm_source=github) of the documentation.
# Plugins
@@ -359,7 +359,7 @@ Here is the list of "official" plugins that we maintain (see the [bunkerweb-plug
| **VirusTotal** | 1.5 | Automatically scans uploaded files with the VirusTotal API and denies the request when a file is detected as malicious. | [bunkerweb-plugins/virustotal](https://github.com/bunkerity/bunkerweb-plugins/tree/main/virustotal) |
| **WebHook** | 1.5 | Send security notifications to a custom HTTP endpoint using a Webhook. | [bunkerweb-plugins/slack](https://github.com/bunkerity/bunkerweb-plugins/tree/main/webhook) |
-You will find more information in the [plugins section](https://docs.bunkerweb.io/1.5.7/plugins/?utm_campaign=self&utm_source=github) of the documentation.
+You will find more information in the [plugins section](https://docs.bunkerweb.io/1.5.8/plugins/?utm_campaign=self&utm_source=github) of the documentation.
# Support
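Review bot: In the plugin table kept as context here, the **WebHook** row shows the link text `bunkerweb-plugins/slack` while its target is `.../tree/main/webhook`. The label looks copied from another row. Change it to `bunkerweb-plugins/webhook` while this part of the README is being updated.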
@@ -382,15 +382,15 @@ Please don't use [GitHub issues](https://github.com/bunkerity/bunkerweb/issues)
# License
-This project is licensed under the terms of the [GNU Affero General Public License (AGPL) version 3](https://github.com/bunkerity/bunkerweb/raw/v1.5.7/LICENSE.md).
+This project is licensed under the terms of the [GNU Affero General Public License (AGPL) version 3](https://github.com/bunkerity/bunkerweb/raw/v1.5.8/LICENSE.md).
# Contribute
-If you would like to contribute to the plugins you can read the [contributing guidelines](https://github.com/bunkerity/bunkerweb/raw/v1.5.7/CONTRIBUTING.md) to get started.
+If you would like to contribute to the plugins you can read the [contributing guidelines](https://github.com/bunkerity/bunkerweb/raw/v1.5.8/CONTRIBUTING.md) to get started.
# Security policy
-We take security bugs as serious issues and encourage responsible disclosure, see our [security policy](https://github.com/bunkerity/bunkerweb/raw/v1.5.7/SECURITY.md) for more information.
+We take security bugs as serious issues and encourage responsible disclosure, see our [security policy](https://github.com/bunkerity/bunkerweb/raw/v1.5.8/SECURITY.md) for more information.
# Stargazers over time
diff --git a/docs/concepts.md b/docs/concepts.md
index 0df134214..543cad4bb 100644
--- a/docs/concepts.md
+++ b/docs/concepts.md
@@ -83,7 +83,7 @@ app3.example.com_USE_BAD_BEHAVIOR=no
!!! info "Going further"
- You will find concrete examples of multisite mode in the [quickstart guide](quickstart-guide.md) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.5.7/examples) directory of the repository.
+ You will find concrete examples of multisite mode in the [quickstart guide](quickstart-guide.md) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.5.8/examples) directory of the repository.
## Custom configurations
@@ -97,7 +97,7 @@ By leveraging custom configurations, you unlock a world of possibilities to tail
!!! info "Going further"
- You will find concrete examples of custom configurations in the [quickstart guide](quickstart-guide.md) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.5.7/examples) directory of the repository.
+ You will find concrete examples of custom configurations in the [quickstart guide](quickstart-guide.md) of the documentation and the [examples](https://github.com/bunkerity/bunkerweb/tree/v1.5.8/examples) directory of the repository.
## Database
diff --git a/docs/integrations.md b/docs/integrations.md
index ef3af5eb1..063675404 100644
--- a/docs/integrations.md
+++ b/docs/integrations.md
@@ -21,13 +21,13 @@ By accessing these prebuilt images from Docker Hub, you can quickly pull and run
Whether you're conducting tests, developing applications, or deploying BunkerWeb in production, the Docker containerization option provides flexibility and ease of use. Embracing this method empowers you to take full advantage of BunkerWeb's features while leveraging the benefits of Docker technology.
```shell
-docker pull bunkerity/bunkerweb:1.5.7
+docker pull bunkerity/bunkerweb:1.5.8
```
Docker images are also available on [GitHub packages](https://github.com/orgs/bunkerity/packages?repo_name=bunkerweb) and can be downloaded using the `ghcr.io` repository address :
```shell
-docker pull ghcr.io/bunkerity/bunkerweb:1.5.7
+docker pull ghcr.io/bunkerity/bunkerweb:1.5.8
```
Alternatively, if you prefer a more hands-on approach, you have the option to build the Docker image directly from the [source](https://github.com/bunkerity/bunkerweb). Building the image from source gives you greater control and customization over the deployment process. However, please note that this method may take some time to complete, depending on your hardware configuration.
@@ -57,7 +57,7 @@ When integrating BunkerWeb with Docker, there are key concepts to keep in mind,
- **Networks**: Docker networks play a vital role in the integration of BunkerWeb. These networks serve two main purposes: exposing ports to clients and connecting to upstream web services. By exposing ports, BunkerWeb can accept incoming requests from clients, allowing them to access the protected web services. Additionally, by connecting to upstream web services, BunkerWeb can efficiently route and manage the traffic, providing enhanced security and performance.
!!! info "Database backend"
- Please be aware that our instructions assume you are using SQLite as the default database backend, as configured by the `DATABASE_URI` setting. However, we understand that you may prefer to utilize alternative backends for your Docker integration. If that is the case, rest assured that other database backends are still possible. See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.7/misc/integrations) folder of the repository for more information.
+ Please be aware that our instructions assume you are using SQLite as the default database backend, as configured by the `DATABASE_URI` setting. However, we understand that you may prefer to utilize alternative backends for your Docker integration. If that is the case, rest assured that other database backends are still possible. See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.8/misc/integrations) folder of the repository for more information.
### Environment variables
@@ -67,7 +67,7 @@ Settings are passed to BunkerWeb using Docker environment variables :
...
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
labels:
- "bunkerweb.INSTANCE=yes"
environment:
@@ -86,7 +86,7 @@ Please note that the `bunkerweb.INSTANCE` is mandatory to make sure the schedule
The [scheduler](concepts.md#scheduler) is executed in its own container which is also available on Docker Hub :
```shell
-docker pull bunkerity/bunkerweb-scheduler:1.5.7
+docker pull bunkerity/bunkerweb-scheduler:1.5.8
```
Alternatively, you can build the Docker image directly from the [source](https://github.com/bunkerity/bunkerweb) (less coffee ☕ needed than BunkerWeb image) :
@@ -103,7 +103,7 @@ A volume is needed to store the SQLite database that will be used by the schedul
...
services:
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
volumes:
- bw-data:/data
...
@@ -165,7 +165,7 @@ You will need to create the Docker API proxy container, mount the socket and set
...
services:
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
env:
- DOCKER_HOST=tcp://bw-docker:2375
...
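Review bot: The `bw-scheduler` snippet in this hunk passes `DOCKER_HOST=tcp://bw-docker:2375` under an `env:` key, whereas the `mybunker` example earlier in the same file uses `environment:`, which is the key Compose expects for a service. A reader copying this block will not get `DOCKER_HOST` set. Rename `env:` to `environment:` alongside the image bump.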
@@ -213,7 +213,7 @@ To secure the communication between the scheduler and BunkerWeb API, it is impor
...
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -222,7 +222,7 @@ services:
- bw-universe
...
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
networks:
- bw-universe
- bw-docker
@@ -252,7 +252,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -266,7 +266,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -357,12 +357,12 @@ To simplify the installation process, Linux package repositories for BunkerWeb a
export UI_WIZARD=1
```
- And finally install BunkerWeb 1.5.7 :
+ And finally install BunkerWeb 1.5.8 :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
sudo apt update && \
- sudo -E apt install -y bunkerweb=1.5.7
+ sudo -E apt install -y bunkerweb=1.5.8
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
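Review bot: The install command pipes `curl -s ... script.deb.sh` straight into `sudo bash`, and with `-s` but no `-f` a failed or error-page download is passed to a root shell without any message. Because the exit status of a pipeline is that of its last command, the `&&` chain also continues to `apt update` and `apt install` when `curl` itself fails. Document the safer form here: download to a file with `curl -fsSL`, let the reader inspect it, then run it. The same applies to the other distribution tabs that repeat this command.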
@@ -409,12 +409,12 @@ To simplify the installation process, Linux package repositories for BunkerWeb a
export UI_WIZARD=1
```
- And finally install BunkerWeb 1.5.7 :
+ And finally install BunkerWeb 1.5.8 :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.deb.sh | sudo bash && \
sudo apt update && \
- sudo -E apt install -y bunkerweb=1.5.7
+ sudo -E apt install -y bunkerweb=1.5.8
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `apt upgrade`, you can use the following command :
@@ -437,14 +437,14 @@ To simplify the installation process, Linux package repositories for BunkerWeb a
export UI_WIZARD=1
```
- And finally install BunkerWeb 1.5.7 :
+ And finally install BunkerWeb 1.5.8 :
```shell
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | \
sed 's/yum install -y pygpgme --disablerepo='\''bunkerity_bunkerweb'\''/yum install -y python-gnupg/g' | \
sed 's/pypgpme_check=`rpm -qa | grep -qw pygpgme`/python-gnupg_check=`rpm -qa | grep -qw python-gnupg`/g' | sudo bash && \
sudo dnf makecache && \
- sudo -E dnf install -y bunkerweb-1.5.7
+ sudo -E dnf install -y bunkerweb-1.5.8
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
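Review bot: The two `sed` substitutions rewrite the downloaded `script.rpm.sh` by matching exact strings, so if the upstream script changes they silently match nothing and the unpatched script still runs under `sudo bash`. The second replacement also introduces `python-gnupg_check=`, and a hyphen is not valid in a shell variable name, so the rewritten line would not be parsed as an assignment. Use an underscore in the replacement name, and add a check that both patterns matched before the script is executed.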
@@ -488,13 +488,13 @@ To simplify the installation process, Linux package repositories for BunkerWeb a
export UI_WIZARD=1
```
- And finally install BunkerWeb 1.5.7 :
+ And finally install BunkerWeb 1.5.8 :
```shell
sudo dnf install -y epel-release && \
curl -s https://packagecloud.io/install/repositories/bunkerity/bunkerweb/script.rpm.sh | sudo bash && \
sudo dnf check-update && \
- sudo -E dnf install -y bunkerweb-1.5.7
+ sudo -E dnf install -y bunkerweb-1.5.8
```
To prevent upgrading NGINX and/or BunkerWeb packages when executing `dnf upgrade`, you can use the following command :
@@ -542,7 +542,7 @@ By adopting this approach, you can enjoy real-time reconfiguration of BunkerWeb
The Docker autoconf integration implies the use of **multisite mode**. Please refer to the [multisite section](concepts.md#multisite-mode) of the documentation for more information.
!!! info "Database backend"
- Please be aware that our instructions assume you are using MariaDB as the default database backend, as configured by the `DATABASE_URI` setting. However, we understand that you may prefer to utilize alternative backends for your Docker integration. If that is the case, rest assured that other database backends are still possible. See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.7/misc/integrations) folder of the repository for more information.
+ Please be aware that our instructions assume you are using MariaDB as the default database backend, as configured by the `DATABASE_URI` setting. However, we understand that you may prefer to utilize alternative backends for your Docker integration. If that is the case, rest assured that other database backends are still possible. See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.8/misc/integrations) folder of the repository for more information.
To enable automated configuration updates, include an additional container called `bw-autoconf` in the stack. This container hosts the autoconf service, which manages dynamic configuration changes for BunkerWeb. To support this functionality, use a dedicated "real" database backend (e.g., MariaDB, MySQL, or PostgreSQL) for synchronized configuration storage. By integrating `bw-autoconf` and a suitable database backend, you establish the infrastructure for seamless automated configuration management in BunkerWeb.
@@ -551,7 +551,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -568,7 +568,7 @@ services:
- bw-services
bw-autoconf:
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -581,7 +581,7 @@ services:
- bw-docker
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -673,7 +673,7 @@ For an optimal setup, it is recommended to define BunkerWeb as a **[DaemonSet](h
Given the presence of multiple BunkerWeb instances, it is necessary to establish a shared data store implemented as a [Redis](https://redis.io/) service. This Redis service will be utilized by the instances to cache and share data among themselves. Further information about the Redis settings can be found [here](settings.md#redis).
!!! info "Database backend"
- Please be aware that our instructions assume you are using MariaDB as the default database backend, as configured by the `DATABASE_URI` setting. However, we understand that you may prefer to utilize alternative backends for your Docker integration. If that is the case, rest assured that other database backends are still possible. See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.7/misc/integrations) folder of the repository for more information.
+ Please be aware that our instructions assume you are using MariaDB as the default database backend, as configured by the `DATABASE_URI` setting. However, we understand that you may prefer to utilize alternative backends for your Docker integration. If that is the case, rest assured that other database backends are still possible. See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.8/misc/integrations) folder of the repository for more information.
Clustered database backends setup are out-of-the-scope of this documentation.
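Review bot: the rewritten admonition line keeps two copy-paste defects that are worth fixing while the line is being touched for the URL bump. The link text plus trailing words read "misc/integrations folder ... folder of the repository" (doubled "folder"), and the sentence says "for your Docker integration" even though the hunk header places this block in the DaemonSet (Kubernetes) section. Suggest "for your Kubernetes integration" and dropping the second "folder"; the same wording recurs in the other "Database backend" admonitions changed by this patch.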
@@ -734,7 +734,7 @@ spec:
containers:
# using bunkerweb as name is mandatory
- name: bunkerweb
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
imagePullPolicy: Always
securityContext:
runAsUser: 101
@@ -804,7 +804,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@@ -831,7 +831,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@@ -994,7 +994,7 @@ Since multiple instances of BunkerWeb are running, a shared data store implement
As for the database volume, the documentation does not specify a specific approach. Choosing either a shared folder or a specific driver for the database volume is dependent on your unique use-case and is left as an exercise for the reader.
!!! info "Database backend"
- Please be aware that our instructions assume you are using MariaDB as the default database backend, as configured by the `DATABASE_URI` setting. However, we understand that you may prefer to utilize alternative backends for your Docker integration. If that is the case, rest assured that other database backends are still possible. See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.7/misc/integrations) folder of the repository for more information.
+ Please be aware that our instructions assume you are using MariaDB as the default database backend, as configured by the `DATABASE_URI` setting. However, we understand that you may prefer to utilize alternative backends for your Docker integration. If that is the case, rest assured that other database backends are still possible. See docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.8/misc/integrations) folder of the repository for more information.
Clustered database backends setup are out-of-the-scope of this documentation.
@@ -1005,7 +1005,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- published: 80
target: 8080
@@ -1035,7 +1035,7 @@ services:
- "bunkerweb.INSTANCE=yes"
bw-autoconf:
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@@ -1067,7 +1067,7 @@ services:
- "node.role == manager"
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@@ -1207,3 +1207,5 @@ You can easily deploy BunkerWeb on your Azure subscription in several ways:
Get BunkerWeb from the [Create resource menu](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/id/bunkerity.bunkerweb){:target="_blank"}.
You can also go through the [Marketplace](https://azuremarketplace.microsoft.com/fr-fr/marketplace/apps/bunkerity.bunkerweb?tab=Overview){:target="_blank"}.
+
+You can access the setup wizard by browsing the `https://your-ip-address/setup` URI of your virtual machine.
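Review bot: the added sentence points users at `https://your-ip-address/setup` without saying which certificate they will be shown. The CHANGELOG entry in this same patch states that the UI falls back to a self-signed certificate when Let's Encrypt is not used, so a first visit by IP address will trigger a browser certificate warning. Add one sentence telling the operator that the warning is expected at this step and that the self-signed certificate should be replaced once a real server name is configured, so that clicking through TLS warnings does not become the documented habit.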
diff --git a/docs/plugins.md b/docs/plugins.md
index 0a1acdf7f..a3447ea14 100644
--- a/docs/plugins.md
+++ b/docs/plugins.md
@@ -91,7 +91,7 @@ The first step is to install the plugin by putting the plugin files inside the c
services:
...
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
volumes:
- ./bw-data:/data
...
@@ -128,7 +128,7 @@ The first step is to install the plugin by putting the plugin files inside the c
services:
...
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
volumes:
- ./bw-data:/data
...
@@ -167,7 +167,7 @@ The first step is to install the plugin by putting the plugin files inside the c
services:
...
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
volumes:
- /shared/bw-plugins:/data/plugins
...
@@ -214,7 +214,7 @@ The first step is to install the plugin by putting the plugin files inside the c
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@@ -254,7 +254,7 @@ The first step is to install the plugin by putting the plugin files inside the c
!!! tip "Existing plugins"
- If the documentation is not enough, you can have a look at the existing source code of [official plugins](https://github.com/bunkerity/bunkerweb-plugins) and the [core plugins](https://github.com/bunkerity/bunkerweb/tree/v1.5.7/src/common/core) (already included in BunkerWeb but they are plugins, technically speaking).
+ If the documentation is not enough, you can have a look at the existing source code of [official plugins](https://github.com/bunkerity/bunkerweb-plugins) and the [core plugins](https://github.com/bunkerity/bunkerweb/tree/v1.5.8/src/common/core) (already included in BunkerWeb but they are plugins, technically speaking).
What a plugin structure looks like :
```
@@ -524,7 +524,7 @@ end
!!! tip "More examples"
- If you want to see the full list of available functions, you can have a look at the files present in the [lua directory](https://github.com/bunkerity/bunkerweb/tree/v1.5.7/src/bw/lua/bunkerweb) of the repository.
+ If you want to see the full list of available functions, you can have a look at the files present in the [lua directory](https://github.com/bunkerity/bunkerweb/tree/v1.5.8/src/bw/lua/bunkerweb) of the repository.
### Jobs
diff --git a/docs/quickstart-guide.md b/docs/quickstart-guide.md
index 98a7ceab5..5a4d4ec8e 100644
--- a/docs/quickstart-guide.md
+++ b/docs/quickstart-guide.md
@@ -6,7 +6,7 @@
!!! tip "Going further"
- To demonstrate the use of BunkerWeb, we will deploy a dummy "Hello World" web application as an example. See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.7/examples) of the repository to get real-world examples.
+ To demonstrate the use of BunkerWeb, we will deploy a dummy "Hello World" web application as an example. See the [examples folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.8/examples) of the repository to get real-world examples.
## Protect HTTP applications
@@ -37,7 +37,7 @@ You will find more settings about reverse proxy in the [settings section](settin
- bw-services
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -54,7 +54,7 @@ You will find more settings about reverse proxy in the [settings section](settin
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -295,7 +295,7 @@ You will find more settings about reverse proxy in the [settings section](settin
- bw-services
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -315,7 +315,7 @@ You will find more settings about reverse proxy in the [settings section](settin
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -634,7 +634,7 @@ REAL_IP_HEADER=X-Forwarded-For
```yaml
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
...
environment:
- USE_REAL_IP=yes
@@ -649,7 +649,7 @@ REAL_IP_HEADER=X-Forwarded-For
```yaml
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
...
environment:
- USE_REAL_IP=yes
@@ -664,7 +664,7 @@ REAL_IP_HEADER=X-Forwarded-For
```yaml
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
...
environment:
- USE_REAL_IP=yes
@@ -738,7 +738,7 @@ REAL_IP_HEADER=proxy_protocol
```yaml
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
...
environment:
- USE_REAL_IP=yes
@@ -754,7 +754,7 @@ REAL_IP_HEADER=proxy_protocol
```yaml
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
...
environment:
- USE_REAL_IP=yes
@@ -770,7 +770,7 @@ REAL_IP_HEADER=proxy_protocol
```yaml
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
...
environment:
- USE_REAL_IP=yes
@@ -869,7 +869,7 @@ For complete list of settings regarding `stream` mode, please refer to the [sett
- bw-services
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080 # Keep it if you want to use Let's Encrypt automation
- 10000:10000 # app1
@@ -891,7 +891,7 @@ For complete list of settings regarding `stream` mode, please refer to the [sett
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -940,7 +940,7 @@ For complete list of settings regarding `stream` mode, please refer to the [sett
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080 # Keep it if you want to use Let's Encrypt automation
- 10000:10000 # app1
@@ -998,7 +998,7 @@ For complete list of settings regarding `stream` mode, please refer to the [sett
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
# Keep it if you want to use Let's Encrypt automation
- published: 80
@@ -1142,7 +1142,7 @@ Some integrations provide more convenient ways to apply configurations, such as
```yaml
...
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
environment:
- |
CUSTOM_CONF_SERVER_HTTP_hello-world=
@@ -1185,7 +1185,7 @@ Some integrations provide more convenient ways to apply configurations, such as
```yaml
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
volumes:
- ./bw-data:/data
...
@@ -1255,7 +1255,7 @@ Some integrations provide more convenient ways to apply configurations, such as
```yaml
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
volumes:
- ./bw-data:/data
...
@@ -1439,7 +1439,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
- bw-services
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
volumes:
- ./www:/var/www/html
ports:
@@ -1462,7 +1462,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -1540,7 +1540,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
volumes:
- ./www:/var/www/html
labels:
@@ -1554,7 +1554,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -1698,7 +1698,7 @@ BunkerWeb supports PHP using external or remote [PHP-FPM](https://www.php.net/ma
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
volumes:
- /shared/www:/var/www/html
...
@@ -1889,7 +1889,7 @@ By default, BunkerWeb will only listen on IPv4 addresses and won't use IPv6 for
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
environment:
- USE_IPv6=yes
@@ -1934,7 +1934,7 @@ By default, BunkerWeb will only listen on IPv4 addresses and won't use IPv6 for
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
environment:
- USE_IPv6=yes
diff --git a/docs/security-tuning.md b/docs/security-tuning.md
index fe94ff89c..a48d010f0 100644
--- a/docs/security-tuning.md
+++ b/docs/security-tuning.md
@@ -602,7 +602,7 @@ You can quickly protect sensitive resources like the admin area for example, by
### Auth request
-You can deploy complex authentication (e.g. SSO), by using the auth request settings (see [here](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/) for more information on the feature). Please note that you will find [Authelia](https://www.authelia.com/) and [Authentik](https://goauthentik.io/) examples in the [repository](https://github.com/bunkerity/bunkerweb/tree/v1.5.7/examples).
+You can deploy complex authentication (e.g. SSO), by using the auth request settings (see [here](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/) for more information on the feature). Please note that you will find [Authelia](https://www.authelia.com/) and [Authentik](https://goauthentik.io/) examples in the [repository](https://github.com/bunkerity/bunkerweb/tree/v1.5.8/examples).
**Auth request settings are related to reverse proxy rules.**
diff --git a/docs/upgrading.md b/docs/upgrading.md
index 8485c757a..c914fbd7a 100644
--- a/docs/upgrading.md
+++ b/docs/upgrading.md
@@ -122,42 +122,88 @@
2. **Upgrade BunkerWeb**:
- Upgrade BunkerWeb to the latest version.
- === "Docker"
+ === "Docker"
- 1. **Update the Docker Compose file**: Update the Docker Compose file to use the new version of the BunkerWeb image.
- ```yaml
- services:
- bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
- ...
- bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
- ...
- bw-autoconf:
- image: bunkerity/bunkerweb-autoconf:1.5.7
- ...
- bw-ui:
- image: bunkerity/bunkerweb-ui:1.5.7
- ...
- ```
+ 1. **Update the Docker Compose file**: Update the Docker Compose file to use the new version of the BunkerWeb image.
+ ```yaml
+ services:
+ bunkerweb:
+ image: bunkerity/bunkerweb:1.5.8
+ ...
+ bw-scheduler:
+ image: bunkerity/bunkerweb-scheduler:1.5.8
+ ...
+ bw-autoconf:
+ image: bunkerity/bunkerweb-autoconf:1.5.8
+ ...
+ bw-ui:
+ image: bunkerity/bunkerweb-ui:1.5.8
+ ...
+ ```
- 2. **Restart the containers**: Restart the containers to apply the changes.
- ```bash
- docker compose down
- docker compose up -d
- ```
+ 2. **Restart the containers**: Restart the containers to apply the changes.
+ ```bash
+ docker compose down
+ docker compose up -d
+ ```
- === "Linux"
+ === "Linux"
- 3. **Stop the services**:
- ```bash
- systemctl stop bunkerweb
- systemctl stop bunkerweb-ui
- ```
+ 3. **Stop the services**:
+ ```bash
+ systemctl stop bunkerweb
+ systemctl stop bunkerweb-ui
+ ```
- 4. **Update BunkerWeb**:
- - Update BunkerWeb to the latest version by following the instructions in the [integration Linux page](integrations.md#linux).
+ 4. **Update BunkerWeb**:
+ === "Debian/Ubuntu"
+
+ First, if you have previously hold the BunkerWeb package, unhold it :
+
+ You can print a list of packages on hold with `apt-mark showhold`
+
+ ```shell
+ sudo apt-mark unhold bunkerweb
+ ```
+
+ Them, you can update BunkerWeb package :
+
+ ```shell
+ sudo apt install -y bunkerweb=1.5.8
+ ```
+
+ To prevent upgrading BunkerWeb package when executing `apt upgrade`, you can use the following command :
+
+ ```shell
+ sudo apt-mark hold bunkerweb
+ ```
+
+ More details in the [integration Linux page](integrations.md#__tabbed_1_1).
+
+ === "Fedora/RedHat"
+
+ First, if you have previously hold the BunkerWeb package, unhold it :
+
+ You can print a list of packages on hold with `dnf versionlock list`
+
+ ```shell
+ sudo dnf versionlock delete package bunkerweb
+ ```
+
+ Them, you can update BunkerWeb package :
+
+ ```shell
+ sudo dnf install -y bunkerweb-1.5.8
+ ```
+
+ To prevent upgrading BunkerWeb package when executing `dnf upgrade`, you can use the following command :
+
+ ```shell
+ sudo dnf versionlock add bunkerweb
+ ```
+
+ More details in the [integration Linux page](integrations.md#__tabbed_1_3).
3. **Check the logs**: Check the logs of the scheduler service to ensure that the migration was successful.
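Review bot: in the Fedora/RedHat tab, `sudo dnf versionlock delete package bunkerweb` carries a literal `package` argument that looks like a leftover placeholder; the matching lock command a few lines below is `sudo dnf versionlock add bunkerweb`, so the unlock should take the same single package spec. Smaller points in the same hunk: "Them, you can update" should be "Then" in both tabs, "if you have previously hold" should be "held", and the `apt-mark showhold` / `dnf versionlock list` hint reads more naturally before the unhold instruction than between it and its command. The new links `integrations.md#__tabbed_1_1` and `integrations.md#__tabbed_1_3` rely on positional tab anchors and will silently point at a different tab if the tabs on that page are reordered; the `integrations.md#linux` heading anchor this hunk removes was the more stable target.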
@@ -321,7 +367,7 @@
!!! warning "Read this if you were a 1.4.X user"
- A lot of things changed since the 1.4.X releases. Container-based integrations stacks contain more services but, trust us, fundamental principles of BunkerWeb are still there. You will find ready to use boilerplates for various integrations in the [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.5.7/misc/integrations) folder of the repository.
+ A lot of things changed since the 1.4.X releases. Container-based integrations stacks contain more services but, trust us, fundamental principles of BunkerWeb are still there. You will find ready to use boilerplates for various integrations in the [misc/integrations](https://github.com/bunkerity/bunkerweb/tree/v1.5.8/misc/integrations) folder of the repository.
### Scheduler
diff --git a/docs/web-ui.md b/docs/web-ui.md
index 508809a45..65f65f809 100644
--- a/docs/web-ui.md
+++ b/docs/web-ui.md
@@ -39,7 +39,7 @@ Because the web UI is a web application, the recommended installation procedure
!!! info "Wizard"
- The setup wizard is a feature that helps you to **configure** and **install the web UI** using a **user-friendly interface**. You will need to set the `UI_HOST` setting (`http://hostname-of-web-ui:7000`) and browse the `/setup` URI of your server to access the setup wizard.
+ The setup wizard is a feature that helps you to **configure** and **install the web UI** using a **user-friendly interface**. You will need to set the `UI_HOST` setting (`https://hostname-of-web-ui:7000`) and browse the `/setup` URI of your server to access the setup wizard.
{ align=center, width="350" }
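Review bot: the example value for `UI_HOST` changes from `http://hostname-of-web-ui:7000` to `https://hostname-of-web-ui:7000`, but this value names the web UI's own host and port 7000, whereas the wizard is browsed on the `/setup` URI of the server. Nothing in this patch shows the UI service terminating TLS on port 7000, so if it still speaks plain HTTP there, the documented value would break the connection to the wizard. Please confirm which side the "Force HTTPS on setup wizard" change applies to; if it only concerns the browser-facing URL, keep `http://` in this example and leave the `https://your-ip-address/setup` changes in the later hunks as they are.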
@@ -70,7 +70,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
!!! tip "Accessing the setup wizard"
- You can access the setup wizard by browsing the `http://your-ip-address/setup` URI of your server.
+ You can access the setup wizard by browsing the `https://your-ip-address/setup` URI of your server.
Here is the docker-compose boilerplate that you can use (don't forget to edit the `changeme` data) :
@@ -80,7 +80,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -96,7 +96,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -118,7 +118,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
- bw-docker
bw-ui:
- image: bunkerity/bunkerweb-ui:1.5.7
+ image: bunkerity/bunkerweb-ui:1.5.8
depends_on:
- bw-docker
environment:
@@ -162,7 +162,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
!!! tip "Accessing the setup wizard"
- You can access the setup wizard by browsing the `http://your-ip-address/setup` URI of your server.
+ You can access the setup wizard by browsing the `https://your-ip-address/setup` URI of your server.
Here is the docker-compose boilerplate that you can use (don't forget to edit the `changeme` data) :
@@ -171,7 +171,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -188,7 +188,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
- bw-services
bw-autoconf:
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -201,7 +201,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
- bw-docker
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -236,7 +236,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
- bw-docker
bw-ui:
- image: bunkerity/bunkerweb-ui:1.5.7
+ image: bunkerity/bunkerweb-ui:1.5.8
networks:
bw-docker:
bw-universe:
@@ -269,7 +269,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
!!! tip "Accessing the setup wizard"
- You can access the setup wizard by browsing the `http://your-ip-address/setup` URI of your server.
+ You can access the setup wizard by browsing the `https://your-ip-address/setup` URI of your server.
Here is the stack boilerplate that you can use (don't forget to edit the `changeme` data) :
@@ -278,7 +278,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- published: 80
target: 8080
@@ -308,7 +308,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
- "bunkerweb.INSTANCE=yes"
bw-autoconf:
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@@ -336,7 +336,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
- "node.role == manager"
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@@ -363,7 +363,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
- bw-universe
bw-ui:
- image: bunkerity/bunkerweb-ui:1.5.7
+ image: bunkerity/bunkerweb-ui:1.5.8
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@@ -399,7 +399,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
!!! tip "Accessing the setup wizard"
- You can access the setup wizard by browsing the `http://your-ip-address/setup` URI of your server.
+ You can access the setup wizard by browsing the `https://your-ip-address/setup` URI of your server.
Here is the yaml boilerplate that you can use (don't forget to edit the `changeme` data) :
@@ -454,7 +454,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
containers:
# using bunkerweb as name is mandatory
- name: bunkerweb
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
imagePullPolicy: Always
securityContext:
runAsUser: 101
@@ -527,7 +527,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@@ -554,7 +554,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@@ -639,7 +639,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-ui
- image: bunkerity/bunkerweb-ui:1.5.7
+ image: bunkerity/bunkerweb-ui:1.5.8
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@@ -717,7 +717,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
!!! tip "Accessing the setup wizard"
- You can access the setup wizard by browsing the `http://your-ip-address/setup` URI of your server.
+ You can access the setup wizard by browsing the `https://your-ip-address/setup` URI of your server.
## Account management
@@ -837,7 +837,7 @@ After a successful login/password combination, you will be prompted to enter you
!!! info "Database backend"
- If you want another Database backend than MariaDB please refer to the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.7/misc/integrations) of the repository.
+ If you want another Database backend than MariaDB please refer to the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.8/misc/integrations) of the repository.
Here is the docker-compose boilerplate that you can use (don't forget to edit the `changeme` data) :
@@ -846,7 +846,7 @@ After a successful login/password combination, you will be prompted to enter you
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -871,7 +871,7 @@ After a successful login/password combination, you will be prompted to enter you
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -893,7 +893,7 @@ After a successful login/password combination, you will be prompted to enter you
- bw-docker
bw-ui:
- image: bunkerity/bunkerweb-ui:1.5.7
+ image: bunkerity/bunkerweb-ui:1.5.8
depends_on:
- bw-docker
environment:
@@ -958,7 +958,7 @@ After a successful login/password combination, you will be prompted to enter you
!!! info "Database backend"
- If you want another Database backend than MariaDB please refer to the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.7/misc/integrations) of the repository.
+ If you want another Database backend than MariaDB please refer to the docker-compose files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.8/misc/integrations) of the repository.
Here is the docker-compose boilerplate that you can use (don't forget to edit the `changeme` data) :
@@ -967,7 +967,7 @@ After a successful login/password combination, you will be prompted to enter you
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -984,7 +984,7 @@ After a successful login/password combination, you will be prompted to enter you
- bw-services
bw-autoconf:
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -997,7 +997,7 @@ After a successful login/password combination, you will be prompted to enter you
- bw-docker
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -1032,7 +1032,7 @@ After a successful login/password combination, you will be prompted to enter you
- bw-docker
bw-ui:
- image: bunkerity/bunkerweb-ui:1.5.7
+ image: bunkerity/bunkerweb-ui:1.5.8
networks:
bw-docker:
bw-universe:
@@ -1093,7 +1093,7 @@ After a successful login/password combination, you will be prompted to enter you
!!! info "Database backend"
- If you want another Database backend than MariaDB please refer to the stack files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.7/misc/integrations) of the repository.
+ If you want another Database backend than MariaDB please refer to the stack files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.8/misc/integrations) of the repository.
Here is the stack boilerplate that you can use (don't forget to edit the `changeme` data) :
@@ -1102,7 +1102,7 @@ After a successful login/password combination, you will be prompted to enter you
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- published: 80
target: 8080
@@ -1132,7 +1132,7 @@ After a successful login/password combination, you will be prompted to enter you
- "bunkerweb.INSTANCE=yes"
bw-autoconf:
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@@ -1160,7 +1160,7 @@ After a successful login/password combination, you will be prompted to enter you
- "node.role == manager"
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@@ -1187,7 +1187,7 @@ After a successful login/password combination, you will be prompted to enter you
- bw-universe
bw-ui:
- image: bunkerity/bunkerweb-ui:1.5.7
+ image: bunkerity/bunkerweb-ui:1.5.8
environment:
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
- DOCKER_HOST=tcp://bw-docker:2375
@@ -1241,7 +1241,7 @@ After a successful login/password combination, you will be prompted to enter you
!!! info "Database backend"
- If you want another Database backend than MariaDB please refer to the yaml files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.7/misc/integrations) of the repository.
+ If you want another Database backend than MariaDB please refer to the yaml files in the [misc/integrations folder](https://github.com/bunkerity/bunkerweb/tree/v1.5.8/misc/integrations) of the repository.
Here is the yaml boilerplate that you can use (don't forget to edit the `changeme` data) :
@@ -1296,7 +1296,7 @@ After a successful login/password combination, you will be prompted to enter you
containers:
# using bunkerweb as name is mandatory
- name: bunkerweb
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
imagePullPolicy: Always
securityContext:
runAsUser: 101
@@ -1366,7 +1366,7 @@ After a successful login/password combination, you will be prompted to enter you
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@@ -1393,7 +1393,7 @@ After a successful login/password combination, you will be prompted to enter you
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@@ -1478,7 +1478,7 @@ After a successful login/password combination, you will be prompted to enter you
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-ui
- image: bunkerity/bunkerweb-ui:1.5.7
+ image: bunkerity/bunkerweb-ui:1.5.8
imagePullPolicy: Always
env:
- name: ADMIN_USERNAME
diff --git a/examples/authelia/docker-compose.yml b/examples/authelia/docker-compose.yml
index 9762f1615..313c38d0d 100644
--- a/examples/authelia/docker-compose.yml
+++ b/examples/authelia/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3.4"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
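Review bot: the version literal on the `image:` line is edited by hand here and in every other compose file in this patch, which makes it easy for one file or one service to be left on `1.5.7` and end up running a mixed-version stack. Consider generating the bump from a single source (a release script, or Compose variable substitution such as `image: bunkerity/bunkerweb:${BUNKERWEB_VERSION:-1.5.8}`) and adding a CI step that fails if any `bunkerity/*:1.5.7` reference remains under `examples/` or `misc/integrations/`.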
@@ -44,7 +44,7 @@ services:
- app2.example.com_REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/authentik/docker-compose.yml b/examples/authentik/docker-compose.yml
index 03c74235c..2ea761d45 100644
--- a/examples/authentik/docker-compose.yml
+++ b/examples/authentik/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3.4"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -53,7 +53,7 @@ services:
- app2.example.com_REVERSE_PROXY_HEADERS=X-authentik-username $$authentik_username;X-authentik-groups $$authentik_groups;X-authentik-email $$authentik_email;X-authentik-name $$authentik_name;X-authentik-uid $$authentik_uid
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/behind-reverse-proxy/docker-compose.yml b/examples/behind-reverse-proxy/docker-compose.yml
index a5b66dedb..e89935e03 100644
--- a/examples/behind-reverse-proxy/docker-compose.yml
+++ b/examples/behind-reverse-proxy/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
environment:
- SERVER_NAME=www.example.com # replace with your domains
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
@@ -24,7 +24,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/bigbluebutton/docker-compose.yml b/examples/bigbluebutton/docker-compose.yml
index a3a315567..de73df8f5 100644
--- a/examples/bigbluebutton/docker-compose.yml
+++ b/examples/bigbluebutton/docker-compose.yml
@@ -27,7 +27,7 @@ services:
...
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -50,7 +50,7 @@ services:
bw-universe:
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/certbot-dns-cloudflare/docker-compose.yml b/examples/certbot-dns-cloudflare/docker-compose.yml
index d1312e815..6e2028a8a 100644
--- a/examples/certbot-dns-cloudflare/docker-compose.yml
+++ b/examples/certbot-dns-cloudflare/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -33,7 +33,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/certbot-dns-digitalocean/docker-compose.yml b/examples/certbot-dns-digitalocean/docker-compose.yml
index addb2a64a..98ceb0c7b 100644
--- a/examples/certbot-dns-digitalocean/docker-compose.yml
+++ b/examples/certbot-dns-digitalocean/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -33,7 +33,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/certbot-dns-google/docker-compose.yml b/examples/certbot-dns-google/docker-compose.yml
index 003beef01..03e358327 100644
--- a/examples/certbot-dns-google/docker-compose.yml
+++ b/examples/certbot-dns-google/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -33,7 +33,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/certbot-dns-ovh/docker-compose.yml b/examples/certbot-dns-ovh/docker-compose.yml
index b00db8f20..316f4f93e 100644
--- a/examples/certbot-dns-ovh/docker-compose.yml
+++ b/examples/certbot-dns-ovh/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -33,7 +33,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/certbot-dns-route53/docker-compose.yml b/examples/certbot-dns-route53/docker-compose.yml
index ed8885237..73f9a49bc 100644
--- a/examples/certbot-dns-route53/docker-compose.yml
+++ b/examples/certbot-dns-route53/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -33,7 +33,7 @@ services:
- bw-services
bbw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
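Review bot: the context line in this hunk names the service `bbw-scheduler:`, while every other example touched by this patch uses `bw-scheduler:`. That looks like a typo in the route53 example, and anything that refers to the scheduler by its service name (hostnames on the Compose network, `docker compose logs bw-scheduler`, documentation) will not match in this file. Since the line directly below is being edited anyway, rename it to `bw-scheduler:` in this change, or confirm that the different name is intentional.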
diff --git a/examples/cors/docker-compose.yml b/examples/cors/docker-compose.yml
index 20d6da3e8..62769377e 100644
--- a/examples/cors/docker-compose.yml
+++ b/examples/cors/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -38,7 +38,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/docker-configs/docker-compose.yml b/examples/docker-configs/docker-compose.yml
index 9c1867883..ef823a05b 100644
--- a/examples/docker-configs/docker-compose.yml
+++ b/examples/docker-configs/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -53,7 +53,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/drupal/docker-compose.yml b/examples/drupal/docker-compose.yml
index f19f4bb1a..31b97bb66 100644
--- a/examples/drupal/docker-compose.yml
+++ b/examples/drupal/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -28,7 +28,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/ghost/docker-compose.yml b/examples/ghost/docker-compose.yml
index fe2c392db..d91d1c520 100644
--- a/examples/ghost/docker-compose.yml
+++ b/examples/ghost/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -24,7 +24,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/gogs/docker-compose.yml b/examples/gogs/docker-compose.yml
index 3d7697c0c..22648a096 100644
--- a/examples/gogs/docker-compose.yml
+++ b/examples/gogs/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -28,7 +28,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/hardened/docker-compose.yml b/examples/hardened/docker-compose.yml
index b38ee831e..f0867c485 100644
--- a/examples/hardened/docker-compose.yml
+++ b/examples/hardened/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
# dropping all capabilities
cap_drop:
- ALL
@@ -39,7 +39,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/joomla/docker-compose.yml b/examples/joomla/docker-compose.yml
index a19c87cd4..0ee3af136 100644
--- a/examples/joomla/docker-compose.yml
+++ b/examples/joomla/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -28,7 +28,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/load-balancer/docker-compose.yml b/examples/load-balancer/docker-compose.yml
index fc1aa32dc..451bcdaaf 100644
--- a/examples/load-balancer/docker-compose.yml
+++ b/examples/load-balancer/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -31,7 +31,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/magento/docker-compose.yml b/examples/magento/docker-compose.yml
index cc6d6e1d1..99c06cacf 100644
--- a/examples/magento/docker-compose.yml
+++ b/examples/magento/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -29,7 +29,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/mattermost/docker-compose.yml b/examples/mattermost/docker-compose.yml
index f4e522d97..973c009f7 100644
--- a/examples/mattermost/docker-compose.yml
+++ b/examples/mattermost/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -44,7 +44,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/mongo-express/docker-compose.yml b/examples/mongo-express/docker-compose.yml
index 19b2f5564..3135e35fb 100644
--- a/examples/mongo-express/docker-compose.yml
+++ b/examples/mongo-express/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -27,7 +27,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/moodle/docker-compose.yml b/examples/moodle/docker-compose.yml
index 28e475615..079cf17d6 100644
--- a/examples/moodle/docker-compose.yml
+++ b/examples/moodle/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -25,7 +25,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/nextcloud/docker-compose.yml b/examples/nextcloud/docker-compose.yml
index 38ed6a26e..b6d427ec2 100644
--- a/examples/nextcloud/docker-compose.yml
+++ b/examples/nextcloud/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -54,7 +54,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/passbolt/docker-compose.yml b/examples/passbolt/docker-compose.yml
index 9042a4dd4..104e793f8 100644
--- a/examples/passbolt/docker-compose.yml
+++ b/examples/passbolt/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -26,7 +26,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/php-cookie-flags/docker-compose.yml b/examples/php-cookie-flags/docker-compose.yml
index 7b856e280..b622083f0 100644
--- a/examples/php-cookie-flags/docker-compose.yml
+++ b/examples/php-cookie-flags/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -31,7 +31,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/php-multisite/docker-compose.yml b/examples/php-multisite/docker-compose.yml
index 004a38046..cf44f7797 100644
--- a/examples/php-multisite/docker-compose.yml
+++ b/examples/php-multisite/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -34,7 +34,7 @@ services:
- net-app2
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/php-singlesite/docker-compose.yml b/examples/php-singlesite/docker-compose.yml
index 7ce47c58e..fea3dd9d8 100644
--- a/examples/php-singlesite/docker-compose.yml
+++ b/examples/php-singlesite/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -30,7 +30,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/prestashop/docker-compose.yml b/examples/prestashop/docker-compose.yml
index 0dd834ecf..f398cf985 100644
--- a/examples/prestashop/docker-compose.yml
+++ b/examples/prestashop/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -28,7 +28,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/proxy-protocol/docker-compose.yml b/examples/proxy-protocol/docker-compose.yml
index 2b67484a9..ed97f79bd 100644
--- a/examples/proxy-protocol/docker-compose.yml
+++ b/examples/proxy-protocol/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
environment:
- SERVER_NAME=www.example.com # replace with your domains
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
@@ -27,7 +27,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/radarr/docker-compose.yml b/examples/radarr/docker-compose.yml
index 00e676e7e..8cb1cc926 100644
--- a/examples/radarr/docker-compose.yml
+++ b/examples/radarr/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3.5"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -34,7 +34,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/redmine/docker-compose.yml b/examples/redmine/docker-compose.yml
index 3e97d798e..4be6d6639 100644
--- a/examples/redmine/docker-compose.yml
+++ b/examples/redmine/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -24,7 +24,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/reverse-proxy-multisite/docker-compose.yml b/examples/reverse-proxy-multisite/docker-compose.yml
index 0ebada55f..cf0be5922 100644
--- a/examples/reverse-proxy-multisite/docker-compose.yml
+++ b/examples/reverse-proxy-multisite/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -27,7 +27,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/reverse-proxy-singlesite/docker-compose.yml b/examples/reverse-proxy-singlesite/docker-compose.yml
index bde836aa0..4d9d9a3d7 100644
--- a/examples/reverse-proxy-singlesite/docker-compose.yml
+++ b/examples/reverse-proxy-singlesite/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -32,7 +32,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/reverse-proxy-websocket/docker-compose.yml b/examples/reverse-proxy-websocket/docker-compose.yml
index 5367ff972..469d17c19 100644
--- a/examples/reverse-proxy-websocket/docker-compose.yml
+++ b/examples/reverse-proxy-websocket/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -25,7 +25,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/stream-multisite/docker-compose.yml b/examples/stream-multisite/docker-compose.yml
index 9587aca87..547e9c971 100644
--- a/examples/stream-multisite/docker-compose.yml
+++ b/examples/stream-multisite/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080 # required to resolve let's encrypt challenges
- 10000:10000 # app1 without SSL/TLS
@@ -33,7 +33,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/syslog/docker-compose.yml b/examples/syslog/docker-compose.yml
index 9856e4169..61f4d9e87 100644
--- a/examples/syslog/docker-compose.yml
+++ b/examples/syslog/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
logging:
driver: syslog
options:
@@ -28,7 +28,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
logging:
driver: syslog
options:
diff --git a/examples/tomcat/docker-compose.yml b/examples/tomcat/docker-compose.yml
index 00c21580f..ad205bbe6 100644
--- a/examples/tomcat/docker-compose.yml
+++ b/examples/tomcat/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -23,7 +23,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/tor-hidden-service/docker-compose.yml b/examples/tor-hidden-service/docker-compose.yml
index fa853a62f..54756c9da 100644
--- a/examples/tor-hidden-service/docker-compose.yml
+++ b/examples/tor-hidden-service/docker-compose.yml
@@ -12,7 +12,7 @@ services:
- bw-universe
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
environment:
- API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
# disable common security measures based on IP
@@ -34,7 +34,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/examples/web-ui/docker-compose.wizard.yml b/examples/web-ui/docker-compose.wizard.yml
index 7e6d35e75..08967dbd7 100644
--- a/examples/web-ui/docker-compose.wizard.yml
+++ b/examples/web-ui/docker-compose.wizard.yml
@@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -23,7 +23,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -45,7 +45,7 @@ services:
- bw-docker
bw-ui:
- image: bunkerity/bunkerweb-ui:1.5.7
+ image: bunkerity/bunkerweb-ui:1.5.8
depends_on:
- bw-docker
environment:
diff --git a/examples/web-ui/docker-compose.yml b/examples/web-ui/docker-compose.yml
index 82446cacc..723757358 100644
--- a/examples/web-ui/docker-compose.yml
+++ b/examples/web-ui/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -28,7 +28,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -50,7 +50,7 @@ services:
- bw-docker
bw-ui:
- image: bunkerity/bunkerweb-ui:1.5.7
+ image: bunkerity/bunkerweb-ui:1.5.8
depends_on:
- bw-docker
environment:
diff --git a/examples/wordpress/docker-compose.yml b/examples/wordpress/docker-compose.yml
index 744326dfd..bfd3a9c41 100644
--- a/examples/wordpress/docker-compose.yml
+++ b/examples/wordpress/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
services:
mybunker:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -25,7 +25,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- mybunker
environment:
diff --git a/misc/integrations/autoconf.mariadb.ui.yml b/misc/integrations/autoconf.mariadb.ui.yml
index bf08b240f..ade095ca3 100644
--- a/misc/integrations/autoconf.mariadb.ui.yml
+++ b/misc/integrations/autoconf.mariadb.ui.yml
@@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -19,7 +19,7 @@ services:
- bw-services
bw-autoconf:
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -67,7 +67,7 @@ services:
- bw-docker
bw-ui:
- image: bunkerity/bunkerweb-ui:1.5.7
+ image: bunkerity/bunkerweb-ui:1.5.8
networks:
bw-docker:
bw-universe:
diff --git a/misc/integrations/autoconf.mariadb.yml b/misc/integrations/autoconf.mariadb.yml
index 569cf1d19..f8de36bf6 100644
--- a/misc/integrations/autoconf.mariadb.yml
+++ b/misc/integrations/autoconf.mariadb.yml
@@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -19,7 +19,7 @@ services:
- bw-services
bw-autoconf:
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
diff --git a/misc/integrations/autoconf.mysql.ui.yml b/misc/integrations/autoconf.mysql.ui.yml
index 6eeb4fdd9..3a76846a0 100644
--- a/misc/integrations/autoconf.mysql.ui.yml
+++ b/misc/integrations/autoconf.mysql.ui.yml
@@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -19,7 +19,7 @@ services:
- bw-services
bw-autoconf:
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -67,7 +67,7 @@ services:
- bw-docker
bw-ui:
- image: bunkerity/bunkerweb-ui:1.5.7
+ image: bunkerity/bunkerweb-ui:1.5.8
networks:
bw-docker:
bw-universe:
diff --git a/misc/integrations/autoconf.mysql.yml b/misc/integrations/autoconf.mysql.yml
index b5e99aa50..1ebc86c9e 100644
--- a/misc/integrations/autoconf.mysql.yml
+++ b/misc/integrations/autoconf.mysql.yml
@@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -19,7 +19,7 @@ services:
- bw-services
bw-autoconf:
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
diff --git a/misc/integrations/autoconf.postgres.ui.yml b/misc/integrations/autoconf.postgres.ui.yml
index 42b969a56..a81349da0 100644
--- a/misc/integrations/autoconf.postgres.ui.yml
+++ b/misc/integrations/autoconf.postgres.ui.yml
@@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -19,7 +19,7 @@ services:
- bw-services
bw-autoconf:
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -66,7 +66,7 @@ services:
- bw-docker
bw-ui:
- image: bunkerity/bunkerweb-ui:1.5.7
+ image: bunkerity/bunkerweb-ui:1.5.8
networks:
bw-docker:
bw-universe:
diff --git a/misc/integrations/autoconf.postgres.yml b/misc/integrations/autoconf.postgres.yml
index 1a90cafb2..4bbb384fa 100644
--- a/misc/integrations/autoconf.postgres.yml
+++ b/misc/integrations/autoconf.postgres.yml
@@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -19,7 +19,7 @@ services:
- bw-services
bw-autoconf:
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
diff --git a/misc/integrations/autoconf.ui.yml b/misc/integrations/autoconf.ui.yml
index f03e2f6ed..0d8621def 100644
--- a/misc/integrations/autoconf.ui.yml
+++ b/misc/integrations/autoconf.ui.yml
@@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -18,7 +18,7 @@ services:
- bw-services
bw-autoconf:
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -56,7 +56,7 @@ services:
- bw-docker
bw-ui:
- image: bunkerity/bunkerweb-ui:1.5.7
+ image: bunkerity/bunkerweb-ui:1.5.8
networks:
bw-docker:
bw-universe:
diff --git a/misc/integrations/autoconf.yml b/misc/integrations/autoconf.yml
index db9130e00..8f7821f17 100644
--- a/misc/integrations/autoconf.yml
+++ b/misc/integrations/autoconf.yml
@@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -18,7 +18,7 @@ services:
- bw-services
bw-autoconf:
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -32,7 +32,7 @@ services:
- bw-docker
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
diff --git a/misc/integrations/docker.mariadb.ui.yml b/misc/integrations/docker.mariadb.ui.yml
index 27867ccb6..9ad63f501 100644
--- a/misc/integrations/docker.mariadb.ui.yml
+++ b/misc/integrations/docker.mariadb.ui.yml
@@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -27,7 +27,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -49,7 +49,7 @@ services:
- bw-docker
bw-ui:
- image: bunkerity/bunkerweb-ui:1.5.7
+ image: bunkerity/bunkerweb-ui:1.5.8
depends_on:
- bw-docker
environment:
diff --git a/misc/integrations/docker.mariadb.yml b/misc/integrations/docker.mariadb.yml
index c6c89b71e..ab544b998 100644
--- a/misc/integrations/docker.mariadb.yml
+++ b/misc/integrations/docker.mariadb.yml
@@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -17,7 +17,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
diff --git a/misc/integrations/docker.mysql.ui.yml b/misc/integrations/docker.mysql.ui.yml
index 4cd025d1d..ef535e47e 100644
--- a/misc/integrations/docker.mysql.ui.yml
+++ b/misc/integrations/docker.mysql.ui.yml
@@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -27,7 +27,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -49,7 +49,7 @@ services:
- bw-docker
bw-ui:
- image: bunkerity/bunkerweb-ui:1.5.7
+ image: bunkerity/bunkerweb-ui:1.5.8
depends_on:
- bw-docker
environment:
diff --git a/misc/integrations/docker.mysql.yml b/misc/integrations/docker.mysql.yml
index 1ac33260b..68b08ae23 100644
--- a/misc/integrations/docker.mysql.yml
+++ b/misc/integrations/docker.mysql.yml
@@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -17,7 +17,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
diff --git a/misc/integrations/docker.postgres.ui.yml b/misc/integrations/docker.postgres.ui.yml
index 0ebbb1ebc..aa7c3928c 100644
--- a/misc/integrations/docker.postgres.ui.yml
+++ b/misc/integrations/docker.postgres.ui.yml
@@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -28,7 +28,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -50,7 +50,7 @@ services:
- bw-docker
bw-ui:
- image: bunkerity/bunkerweb-ui:1.5.7
+ image: bunkerity/bunkerweb-ui:1.5.8
depends_on:
- bw-docker
environment:
diff --git a/misc/integrations/docker.postgres.yml b/misc/integrations/docker.postgres.yml
index 52faab97d..3bce5323b 100644
--- a/misc/integrations/docker.postgres.yml
+++ b/misc/integrations/docker.postgres.yml
@@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -17,7 +17,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
diff --git a/misc/integrations/docker.ui.yml b/misc/integrations/docker.ui.yml
index 36447dbc3..f77ed0a2f 100644
--- a/misc/integrations/docker.ui.yml
+++ b/misc/integrations/docker.ui.yml
@@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -23,7 +23,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
@@ -46,7 +46,7 @@ services:
- bw-docker
bw-ui:
- image: bunkerity/bunkerweb-ui:1.5.7
+ image: bunkerity/bunkerweb-ui:1.5.8
depends_on:
- bw-docker
volumes:
diff --git a/misc/integrations/docker.yml b/misc/integrations/docker.yml
index 20ab32986..c26c28d43 100644
--- a/misc/integrations/docker.yml
+++ b/misc/integrations/docker.yml
@@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- 80:8080
- 443:8443
@@ -16,7 +16,7 @@ services:
- bw-services
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
depends_on:
- bunkerweb
- bw-docker
diff --git a/misc/integrations/k8s.mariadb.ui.yml b/misc/integrations/k8s.mariadb.ui.yml
index 8619ed262..6839514b6 100644
--- a/misc/integrations/k8s.mariadb.ui.yml
+++ b/misc/integrations/k8s.mariadb.ui.yml
@@ -48,7 +48,7 @@ spec:
containers:
# using bunkerweb as name is mandatory
- name: bunkerweb
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
imagePullPolicy: Always
securityContext:
runAsUser: 101
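Review bot: The `image: bunkerity/bunkerweb:1.5.8` line still refers to a mutable tag while `imagePullPolicy: Always` is set directly below it, so every pod restart re-resolves the tag against the registry and may run content other than what was tested for this release. Consider pinning the image by digest (`bunkerity/bunkerweb:1.5.8@sha256:<digest-of-the-release>`, placeholder) in the integration manifests, or stating in the docs that users should do so. The same applies to the autoconf, scheduler and ui images in the later hunks of this file.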
@@ -118,7 +118,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@@ -145,7 +145,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@@ -230,7 +230,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-ui
- image: bunkerity/bunkerweb-ui:1.5.7
+ image: bunkerity/bunkerweb-ui:1.5.8
imagePullPolicy: Always
env:
- name: ADMIN_USERNAME
diff --git a/misc/integrations/k8s.mariadb.yml b/misc/integrations/k8s.mariadb.yml
index 6f74039bc..9e0166c9b 100644
--- a/misc/integrations/k8s.mariadb.yml
+++ b/misc/integrations/k8s.mariadb.yml
@@ -59,7 +59,7 @@ spec:
containers:
# using bunkerweb as name is mandatory
- name: bunkerweb
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
imagePullPolicy: Always
securityContext:
runAsUser: 101
@@ -129,7 +129,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@@ -156,7 +156,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
diff --git a/misc/integrations/k8s.mysql.ui.yml b/misc/integrations/k8s.mysql.ui.yml
index ea36bf17a..c841f0bd4 100644
--- a/misc/integrations/k8s.mysql.ui.yml
+++ b/misc/integrations/k8s.mysql.ui.yml
@@ -48,7 +48,7 @@ spec:
containers:
# using bunkerweb as name is mandatory
- name: bunkerweb
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
imagePullPolicy: Always
securityContext:
runAsUser: 101
@@ -118,7 +118,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@@ -145,7 +145,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@@ -230,7 +230,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-ui
- image: bunkerity/bunkerweb-ui:1.5.7
+ image: bunkerity/bunkerweb-ui:1.5.8
imagePullPolicy: Always
env:
- name: ADMIN_USERNAME
diff --git a/misc/integrations/k8s.mysql.yml b/misc/integrations/k8s.mysql.yml
index 18881dcc7..5fc9f60a7 100644
--- a/misc/integrations/k8s.mysql.yml
+++ b/misc/integrations/k8s.mysql.yml
@@ -48,7 +48,7 @@ spec:
containers:
# using bunkerweb as name is mandatory
- name: bunkerweb
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
imagePullPolicy: Always
securityContext:
runAsUser: 101
@@ -118,7 +118,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@@ -144,7 +144,7 @@ spec:
spec:
containers:
- name: bunkerweb-controller
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
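Review bot: The container at line 144 is named `bunkerweb-controller` and runs `bunkerity/bunkerweb-autoconf:1.5.8`, which duplicates the container in the hunk at line 118 of this same file. In the sibling manifest k8s.mysql.ui.yml the corresponding position holds `bunkerweb-scheduler` with the `bunkerity/bunkerweb-scheduler` image, and no scheduler image is bumped anywhere in this file. This looks like a copy-paste error that predates the version bump; please check whether the second block should be `- name: bunkerweb-scheduler` with `image: bunkerity/bunkerweb-scheduler:1.5.8`.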
diff --git a/misc/integrations/k8s.postgres.ui.yml b/misc/integrations/k8s.postgres.ui.yml
index 6ee9735f6..c1c7201b4 100644
--- a/misc/integrations/k8s.postgres.ui.yml
+++ b/misc/integrations/k8s.postgres.ui.yml
@@ -48,7 +48,7 @@ spec:
containers:
# using bunkerweb as name is mandatory
- name: bunkerweb
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
imagePullPolicy: Always
securityContext:
runAsUser: 101
@@ -118,7 +118,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@@ -145,7 +145,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-scheduler
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@@ -230,7 +230,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-ui
- image: bunkerity/bunkerweb-ui:1.5.7
+ image: bunkerity/bunkerweb-ui:1.5.8
imagePullPolicy: Always
env:
- name: ADMIN_USERNAME
diff --git a/misc/integrations/k8s.postgres.yml b/misc/integrations/k8s.postgres.yml
index 3d17113e7..ca509024c 100644
--- a/misc/integrations/k8s.postgres.yml
+++ b/misc/integrations/k8s.postgres.yml
@@ -48,7 +48,7 @@ spec:
containers:
# using bunkerweb as name is mandatory
- name: bunkerweb
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
imagePullPolicy: Always
securityContext:
runAsUser: 101
@@ -118,7 +118,7 @@ spec:
serviceAccountName: sa-bunkerweb
containers:
- name: bunkerweb-controller
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
@@ -144,7 +144,7 @@ spec:
spec:
containers:
- name: bunkerweb-controller
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
imagePullPolicy: Always
env:
- name: KUBERNETES_MODE
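Review bot: No `bunkerweb-scheduler` image is updated in k8s.postgres.yml; instead the hunk at line 144 bumps a second `bunkerweb-controller` container on the autoconf image, identical to the one at line 118. k8s.postgres.ui.yml has `bunkerity/bunkerweb-scheduler` at line 145, so the non-UI manifest most likely deploys two controllers and no scheduler. Worth fixing in this change rather than carrying the wrong image forward to 1.5.8.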
diff --git a/misc/integrations/swarm.mariadb.ui.yml b/misc/integrations/swarm.mariadb.ui.yml
index 2e71c823b..0b70249e8 100644
--- a/misc/integrations/swarm.mariadb.ui.yml
+++ b/misc/integrations/swarm.mariadb.ui.yml
@@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- published: 80
target: 8080
@@ -32,7 +32,7 @@ services:
- "bunkerweb.INSTANCE=yes"
bw-autoconf:
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@@ -60,7 +60,7 @@ services:
- "node.role == manager"
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@@ -87,7 +87,7 @@ services:
- bw-universe
bw-ui:
- image: bunkerity/bunkerweb-ui:1.5.7
+ image: bunkerity/bunkerweb-ui:1.5.8
environment:
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
- DOCKER_HOST=tcp://bw-docker:2375
diff --git a/misc/integrations/swarm.mariadb.yml b/misc/integrations/swarm.mariadb.yml
index 24fbd507b..3ac421040 100644
--- a/misc/integrations/swarm.mariadb.yml
+++ b/misc/integrations/swarm.mariadb.yml
@@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- published: 80
target: 8080
@@ -32,7 +32,7 @@ services:
- "bunkerweb.INSTANCE=yes"
bw-autoconf:
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@@ -64,7 +64,7 @@ services:
- "node.role == manager"
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
diff --git a/misc/integrations/swarm.mysql.ui.yml b/misc/integrations/swarm.mysql.ui.yml
index 8b254f39e..d963b1f66 100644
--- a/misc/integrations/swarm.mysql.ui.yml
+++ b/misc/integrations/swarm.mysql.ui.yml
@@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- published: 80
target: 8080
@@ -32,7 +32,7 @@ services:
- "bunkerweb.INSTANCE=yes"
bw-autoconf:
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@@ -60,7 +60,7 @@ services:
- "node.role == manager"
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@@ -87,7 +87,7 @@ services:
- bw-universe
bw-ui:
- image: bunkerity/bunkerweb-ui:1.5.7
+ image: bunkerity/bunkerweb-ui:1.5.8
environment:
- DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db # Remember to set a stronger password for the database
- DOCKER_HOST=tcp://bw-docker:2375
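Review bot: The context line `DATABASE_URI=mariadb+pymysql://bunkerweb:changeme@bw-db:3306/db` in the `bw-ui` service uses the `mariadb+pymysql` scheme in the MySQL variant of the stack (swarm.mysql.ui.yml). If `bw-db` is a MySQL server in this file, the scheme should probably be `mysql+pymysql`; please confirm against the `bw-db` service definition, which this hunk does not show.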
diff --git a/misc/integrations/swarm.mysql.yml b/misc/integrations/swarm.mysql.yml
index 01b8236bf..0a95c2d25 100644
--- a/misc/integrations/swarm.mysql.yml
+++ b/misc/integrations/swarm.mysql.yml
@@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- published: 80
target: 8080
@@ -32,7 +32,7 @@ services:
- "bunkerweb.INSTANCE=yes"
bw-autoconf:
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@@ -60,7 +60,7 @@ services:
- "node.role == manager"
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
diff --git a/misc/integrations/swarm.postgres.ui.yml b/misc/integrations/swarm.postgres.ui.yml
index e3e2f4026..9e5678b93 100644
--- a/misc/integrations/swarm.postgres.ui.yml
+++ b/misc/integrations/swarm.postgres.ui.yml
@@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- published: 80
target: 8080
@@ -32,7 +32,7 @@ services:
- "bunkerweb.INSTANCE=yes"
bw-autoconf:
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@@ -60,7 +60,7 @@ services:
- "node.role == manager"
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@@ -86,7 +86,7 @@ services:
- bw-universe
bw-ui:
- image: bunkerity/bunkerweb-ui:1.5.7
+ image: bunkerity/bunkerweb-ui:1.5.8
environment:
- DATABASE_URI=postgresql://bunkerweb:changeme@bw-db:5432/db
- DOCKER_HOST=tcp://bw-docker:2375
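Review bot: The `DATABASE_URI=postgresql://bunkerweb:changeme@bw-db:5432/db` context line ships the `changeme` password without the `# Remember to set a stronger password for the database` comment that the mariadb and mysql UI variants carry on the same line. Since these files are copied as starting points, add the same reminder here, or better, read the password from a Docker secret or an environment variable so that the sample never deploys with a known credential.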
diff --git a/misc/integrations/swarm.postgres.yml b/misc/integrations/swarm.postgres.yml
index 6b13b1d1e..b12d26082 100644
--- a/misc/integrations/swarm.postgres.yml
+++ b/misc/integrations/swarm.postgres.yml
@@ -2,7 +2,7 @@ version: "3.5"
services:
bunkerweb:
- image: bunkerity/bunkerweb:1.5.7
+ image: bunkerity/bunkerweb:1.5.8
ports:
- published: 80
target: 8080
@@ -32,7 +32,7 @@ services:
- "bunkerweb.INSTANCE=yes"
bw-autoconf:
- image: bunkerity/bunkerweb-autoconf:1.5.7
+ image: bunkerity/bunkerweb-autoconf:1.5.8
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
@@ -60,7 +60,7 @@ services:
- "node.role == manager"
bw-scheduler:
- image: bunkerity/bunkerweb-scheduler:1.5.7
+ image: bunkerity/bunkerweb-scheduler:1.5.8
environment:
- SWARM_MODE=yes
- DOCKER_HOST=tcp://bw-docker:2375
diff --git a/pyproject.toml b/pyproject.toml
index 2b1fe0665..6a2fa300d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,7 +1,7 @@
[project]
name = "BunkerWeb"
description = "Make your web services secure by default !"
-version = "1.5.7"
+version = "1.5.8"
authors = [
{ name = "Bunkerity", email = "contact@bunkerity.com" }
]
diff --git a/src/VERSION b/src/VERSION
index f5a0d9d92..fa5512aec 100644
--- a/src/VERSION
+++ b/src/VERSION
@@ -1 +1 @@
-1.5.7
\ No newline at end of file
+1.5.8
\ No newline at end of file
diff --git a/src/autoconf/Dockerfile b/src/autoconf/Dockerfile
index 1f16dfc8e..3aae17f06 100644
--- a/src/autoconf/Dockerfile
+++ b/src/autoconf/Dockerfile
@@ -65,7 +65,7 @@ RUN apk add --no-cache "busybox>=1.36.1-r17" "busybox-binsh>=1.36.1-r17" "ssl_cl
RUN apk add --no-cache "libcrypto3>=3.1.5-r0" "libssl3>=3.1.5-r0" # CVE-2024-4603
LABEL maintainer "Bunkerity "
-LABEL version "1.5.7"
+LABEL version "1.5.8"
LABEL url "https://www.bunkerweb.io"
LABEL bunkerweb.type "autoconf"
diff --git a/src/bw/Dockerfile b/src/bw/Dockerfile
index b057f52bb..b53ce6395 100644
--- a/src/bw/Dockerfile
+++ b/src/bw/Dockerfile
@@ -71,7 +71,7 @@ RUN apk add --no-cache openssl pcre bash python3 yajl geoip libxml2 libgd curl &
RUN apk add --no-cache "busybox>=1.35.0-r30" "busybox-binsh>=1.35.0-r30" "ssl_client>=1.35.0-r30" # CVE-2023-42366
LABEL maintainer "Bunkerity "
-LABEL version "1.5.7"
+LABEL version "1.5.8"
LABEL url "https://www.bunkerweb.io"
LABEL bunkerweb.type "bunkerweb"
LABEL bunkerweb.INSTANCE "bunkerweb"
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/.github/create-changelog-prs.py b/src/common/core/modsecurity/files/coreruleset-v4/.github/create-changelog-prs.py
index ba3dded21..761cc3d5d 100755
--- a/src/common/core/modsecurity/files/coreruleset-v4/.github/create-changelog-prs.py
+++ b/src/common/core/modsecurity/files/coreruleset-v4/.github/create-changelog-prs.py
@@ -30,14 +30,38 @@ def get_pr(repository: str, number: int) -> dict:
def get_prs(
- repository: str, start_date: datetime.date, end_date: datetime.date
+ repository: str, start_date: datetime.date, end_date: datetime.date, dry_run: bool
) -> (list, list):
- print(f"Fetching PRs from {start_date} through {end_date}")
+ print(f"Fetching merged PRs from {start_date} through {end_date}")
+ options = ['--merged-at "{start_date}..{end_date}"']
+ all_prs = fetch_prs(repository, options, dry_run)
+
+ print(f"Fetching open changelog PRs from {start_date} through {end_date}")
+ options = ["--state open"]
+ all_prs.extend(fetch_prs(repository, options, dry_run))
+ prs = []
+ changelog_prs = []
+ for result in all_prs:
+ if CHANGELOG_LABEL in [label["name"] for label in result["labels"]]:
+ changelog_prs.append(get_pr(repository, result["number"]))
+ else:
+ prs.append(get_pr(repository, result["number"]))
+
+ return (prs, changelog_prs)
+
+
+def fetch_prs(repository: str, options: list[str], dry_run: bool) -> list[dict]:
command = f"""gh search prs \
--repo "{repository}" \
- --merged-at "{start_date}..{end_date}" \
- --json number,labels
+ --json number,labels \
"""
+ for option in options:
+ command += " " + option
+
+ if dry_run:
+ print(command)
+ return []
+
with subprocess.Popen(
command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE
) as proc:
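Review bot: The string assigned in `options = ['--merged-at "{start_date}..{end_date}"']` is missing the `f` prefix, so `gh search prs` receives the literal text `{start_date}..{end_date}` instead of the dates and the merged-PR query no longer filters on the requested range. Make it `f'--merged-at "{start_date}..{end_date}"'`. Two smaller points in the same hunk: the second query uses only `--state open`, although its log line says "from {start_date} through {end_date}", so either add a date filter or reword the message; and `fetch_prs` builds the command by string concatenation for `subprocess.Popen(..., shell=True)`, which would be more robust as an argument list with `shell=False`, so that `repository` and the options are never interpreted by the shell.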
@@ -45,15 +69,7 @@ def get_prs(
if proc.returncode != 0:
print_errors(errors)
sys.exit(1)
- prs = []
- changelog_prs = []
- for result in json.loads(prs_json):
- if CHANGELOG_LABEL in [label["name"] for label in result["labels"]]:
- changelog_prs.append(get_pr(repository, result["number"]))
- else:
- prs.append(get_pr(repository, result["number"]))
-
- return (prs, changelog_prs)
+ return json.loads(prs_json)
def parse_prs(prs: list) -> dict:
@@ -277,7 +293,7 @@ def run_workflow(
end_date: datetime.date,
dry_run: bool,
):
- prs, changelog_prs = get_prs(source_repository, start_date, end_date)
+ prs, changelog_prs = get_prs(source_repository, start_date, end_date, dry_run)
prs_length = len(prs)
print(f"Found {prs_length} PRs")
if prs_length == 0:
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/.github/release.yml b/src/common/core/modsecurity/files/coreruleset-v4/.github/release.yml
new file mode 100644
index 000000000..c2c0535ae
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v4/.github/release.yml
@@ -0,0 +1,29 @@
+# .github/release.yml
+
+changelog:
+ exclude:
+ labels:
+ - ignore-for-release
+ - release:ignore
+ authors:
+ - octocat
+ - changelog-pr-bot
+ categories:
+ - title: ⭐ Important changes
+ labels:
+ - release:important
+ - title: Breaking Changes 🛠
+ labels:
+ - Semver-Major
+ - breaking-change
+ - release:breaking
+ - title: 🆕 New features and detections 🎉
+ labels:
+ - Semver-Minor
+ - enhancement
+ - release:new-detection
+ - release:new-feature
+ - title: 🧰 Other Changes
+ labels:
+ - "*"
+
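Review bot: The `exclude.authors` list contains `octocat`, which appears to be a placeholder carried over from GitHub's sample release configuration rather than an account that opens PRs in this repository; keep only `changelog-pr-bot` unless `octocat` is intended. The file also ends with an extra blank line that can be dropped.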
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/.gitmodules b/src/common/core/modsecurity/files/coreruleset-v4/.gitmodules
index c68ffddc5..e69de29bb 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/.gitmodules
+++ b/src/common/core/modsecurity/files/coreruleset-v4/.gitmodules
@@ -1,4 +0,0 @@
-[submodule "docs/OWASP-CRS-Documentation"]
- path = docs/OWASP-CRS-Documentation
- url = https://github.com/coreruleset/documentation.git
- branch = main
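Review bot: The new blob `e69de29bb` is the empty file, so `.gitmodules` stays in the tree with no content instead of being deleted. Since the only submodule entry (`docs/OWASP-CRS-Documentation`) is removed here, delete the file itself so tooling that checks for `.gitmodules` does not treat the vendored ruleset as a repository with submodules.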
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/CHANGES.md b/src/common/core/modsecurity/files/coreruleset-v4/CHANGES.md
index 7854ff821..136a54a9d 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/CHANGES.md
+++ b/src/common/core/modsecurity/files/coreruleset-v4/CHANGES.md
@@ -8,6 +8,27 @@
## Nightly builds
New changelog entries are written to `.changes-pending.md`. They will be moved to the main changelog before a release.
+## Version 4.3.0 - 2024-05-24
+
+### 🆕 New features and detections 🎉
+
+* feat: catch Java PostgreSQL errors (951240 PL1) by @azurit in https://github.com/coreruleset/coreruleset/pull/3686
+* feat: block The Mysterious Mozlila User Agent bot (913100 PL1) by @brentclark in https://github.com/coreruleset/coreruleset/pull/3646
+
+### 🧰 Other Changes
+* fix: Oracle SQL database data leakage FP (951120 PL1) by @azurit in https://github.com/coreruleset/coreruleset/pull/3685
+* fix: typos in 920330 and 942280 tests by @TimDiam0nd in https://github.com/coreruleset/coreruleset/pull/3688
+* test: change pl-1 to pl1 to be inline with others by @TimDiam0nd in https://github.com/coreruleset/coreruleset/pull/3690
+* feat: use renovate to update docker-compose by @theseion in https://github.com/coreruleset/coreruleset/pull/3697
+* fix: FP for `sched` (932235 PL1, 932236 PL2, 932237 PL3, 932239 PL2, … by @theseion in https://github.com/coreruleset/coreruleset/pull/3701
+* fix: collections not being initialized without User-Agent header by @azurit in https://github.com/coreruleset/coreruleset/pull/3645
+* feat: refactoring of rule 941310 (PL1 941310) by @azurit in https://github.com/coreruleset/coreruleset/pull/3700
+* fix: resolving more FPs with Oracle error messages (951120 PL1) by @azurit in https://github.com/coreruleset/coreruleset/pull/3703
+* fix: removing double t:urlDecodeUni (920221 PL1, 920440 PL1, 932200 PL2, 932205 PL2, 932206 PL2) by @azurit in https://github.com/coreruleset/coreruleset/pull/3699
+* fix: false positives from PHP config directives and functions (933120 PL1, 933151 PL2) by @ssigwart in https://github.com/coreruleset/coreruleset/pull/3638
+* feat: prevent detection of web shells rules as malware by Windows Defender (955260 PL1) by @azurit in https://github.com/coreruleset/coreruleset/pull/3687
+* fix: fp with name axel by removing it from rce rule (932260 PL1) by @franbuehler in https://github.com/coreruleset/coreruleset/pull/3705
+
## Version 4.2.0 - 2024-04-23
Changes with direct rule impact (sorted by lowest rule ID per change where available):
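Review bot: The entry for pull/3701 in the new 4.3.0 section is cut off at `932239 PL2, …`, so its rule list is incomplete; anyone reading the changelog to see which rules changed for the `sched` false positive cannot rely on it. Please restore the full list of rule IDs. The 4.3.0 section also switches to emoji category headings and `by @user in <URL>` entries, while the 4.2.0 section directly below keeps "Changes with direct rule impact" and `(Author) [#NNNN]`; a one-line note in the file about the format change would help readers who parse it.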
@@ -27,6 +48,7 @@ Changes without direct rule impact:
Changes with direct rule impact (sorted by lowest rule ID per change where available):
+ * feat: add support for additional ansible and chef commands (932160 PL1, 932161 PL2, 932235 PL1, 932260 PL1, 932236 PL2, 932239 PL2, 932237 PL3) (Esad Cetiner) [#3601]
* feat: move HTTP header rules to phase 1 (932161 PL2, 932205 PL2, 932206 PL2, 932237 PL3) (Esad Cetiner) [#3570]
* fix: remove t:lowercase from rules that use '(?i)' modifier in their regex (942150 PL2, 942151 PL1, 942152 PL2) (Ervin Hegedus) [#3585]
* fix: prevent FPs against names due to "cron" (932260 PL1, 932236 PL2, 932237 PL3, 932239 PL2) (@superlgn) [#3578]
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/CONTRIBUTORS.md b/src/common/core/modsecurity/files/coreruleset-v4/CONTRIBUTORS.md
index a7877b3ab..ef9beb40d 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/CONTRIBUTORS.md
+++ b/src/common/core/modsecurity/files/coreruleset-v4/CONTRIBUTORS.md
@@ -146,3 +146,5 @@
- [NiceYouKnow](https://github.com/NiceYouKnow)
- [floyd](https://github.com/floyd)
- [superlgn](https://github.com/superlgn)
+- [TimDiam0nd](https://github.com/TimDiam0nd)
+- [brentclark](https://github.com/brentclark)
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/crs-setup.conf.example b/src/common/core/modsecurity/files/coreruleset-v4/crs-setup.conf.example
index 068884e38..46b6cefc4 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/crs-setup.conf.example
+++ b/src/common/core/modsecurity/files/coreruleset-v4/crs-setup.conf.example
@@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
-# OWASP CRS ver.4.2.0
+# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@@ -181,7 +181,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
-# ver:'OWASP_CRS/4.2.0',\
+# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.blocking_paranoia_level=1"
@@ -209,7 +209,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
-# ver:'OWASP_CRS/4.2.0',\
+# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.detection_paranoia_level=1"
@@ -235,7 +235,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
-# ver:'OWASP_CRS/4.2.0',\
+# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.enforce_bodyproc_urlencoded=1"
@@ -270,7 +270,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
-# ver:'OWASP_CRS/4.2.0',\
+# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.critical_anomaly_score=5,\
# setvar:tx.error_anomaly_score=4,\
# setvar:tx.warning_anomaly_score=3,\
@@ -324,7 +324,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
-# ver:'OWASP_CRS/4.2.0',\
+# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.inbound_anomaly_score_threshold=5,\
# setvar:tx.outbound_anomaly_score_threshold=4"
@@ -385,7 +385,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
-# ver:'OWASP_CRS/4.2.0',\
+# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.reporting_level=4"
@@ -417,7 +417,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
-# ver:'OWASP_CRS/4.2.0',\
+# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.early_blocking=1"
@@ -438,7 +438,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
-# ver:'OWASP_CRS/4.2.0',\
+# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.enable_default_collections=1"
@@ -466,7 +466,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
-# ver:'OWASP_CRS/4.2.0',\
+# ver:'OWASP_CRS/4.3.0',\
# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
# Content-Types that a client is allowed to send in a request.
@@ -496,7 +496,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# nolog,\
# tag:'OWASP_CRS',\
# ctl:ruleRemoveById=920420,\
-# ver:'OWASP_CRS/4.2.0',\
+# ver:'OWASP_CRS/4.3.0',\
# chain"
# SecRule REQUEST_URI "@rx ^/foo/bar" \
# "t:none"
@@ -510,7 +510,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
-# ver:'OWASP_CRS/4.2.0',\
+# ver:'OWASP_CRS/4.3.0',\
# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
# Allowed HTTP versions.
@@ -526,7 +526,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
-# ver:'OWASP_CRS/4.2.0',\
+# ver:'OWASP_CRS/4.3.0',\
# setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
# Forbidden file extensions.
@@ -550,7 +550,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
-# ver:'OWASP_CRS/4.2.0',\
+# ver:'OWASP_CRS/4.3.0',\
# setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
# Restricted request headers.
@@ -595,7 +595,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
-# ver:'OWASP_CRS/4.2.0',\
+# ver:'OWASP_CRS/4.3.0',\
# setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
#
# [ Extended ]
@@ -621,7 +621,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
-# ver:'OWASP_CRS/4.2.0',\
+# ver:'OWASP_CRS/4.3.0',\
# setvar:'tx.restricted_headers_extended=/accept-charset/'"
# Content-Types charsets that a client is allowed to send in a request.
@@ -635,7 +635,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
-# ver:'OWASP_CRS/4.2.0',\
+# ver:'OWASP_CRS/4.3.0',\
# setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
#
@@ -661,7 +661,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
-# ver:'OWASP_CRS/4.2.0',\
+# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.max_num_args=255"
# Block request if the length of any argument name is too high
@@ -675,7 +675,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
-# ver:'OWASP_CRS/4.2.0',\
+# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.arg_name_length=100"
# Block request if the length of any argument value is too high
@@ -689,7 +689,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
-# ver:'OWASP_CRS/4.2.0',\
+# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.arg_length=400"
# Block request if the total length of all combined arguments is too high
@@ -703,7 +703,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
-# ver:'OWASP_CRS/4.2.0',\
+# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.total_arg_length=64000"
# Block request if the file size of any individual uploaded file is too high
@@ -717,7 +717,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
-# ver:'OWASP_CRS/4.2.0',\
+# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.max_file_size=1048576"
# Block request if the total size of all combined uploaded files is too high
@@ -731,7 +731,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
-# ver:'OWASP_CRS/4.2.0',\
+# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.combined_file_sizes=1048576"
@@ -771,7 +771,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# nolog,\
# tag:'OWASP_CRS',\
-# ver:'OWASP_CRS/4.2.0',\
+# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.sampling_percentage=100"
@@ -792,7 +792,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
-# ver:'OWASP_CRS/4.2.0',\
+# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.crs_validate_utf8_encoding=1"
@@ -814,5 +814,5 @@ SecAction \
t:none,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
- setvar:tx.crs_setup_version=420"
+ ver:'OWASP_CRS/4.3.0',\
+ setvar:tx.crs_setup_version=430"
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/docs/README b/src/common/core/modsecurity/files/coreruleset-v4/docs/README
deleted file mode 100644
index aa961033f..000000000
--- a/src/common/core/modsecurity/files/coreruleset-v4/docs/README
+++ /dev/null
@@ -1,17 +0,0 @@
-Welcome to the OWASP Core Rule Set (CRS) documentation.
-
-The latest version of the documentation can be read at:
-https://coreruleset.org/docs/
-
-The OWASP CRS documentation is generated by Hugo and is stored
-in a separate Github repository:
-https://github.com/coreruleset/documentation/
-
-While the documentation is available as part of the CRS project,
-it is provided in the form of a Git submodule. Using a Git
-submodule allows us to update the documentation without making
-changes to the main rule repository.
-
-You can download the documentation using git:
-
- git submodule update --init docs
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/docs/README.md b/src/common/core/modsecurity/files/coreruleset-v4/docs/README.md
new file mode 100644
index 000000000..13e798796
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v4/docs/README.md
@@ -0,0 +1,10 @@
+# Welcome to the OWASP CRS documentation.
+
+The latest version of the documentation can be read at:
+https://coreruleset.org/docs/
+
+Documentation is generated by Hugo and is stored
+in a separate Github repository:
+
+https://github.com/coreruleset/documentation/
+
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/951120.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/951120.ra
new file mode 100644
index 000000000..12e5214d0
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/951120.ra
@@ -0,0 +1,17 @@
+##! Please refer to the documentation at
+##! https://coreruleset.org/docs/development/regex_assembly/.
+
+##!+ i
+
+##! ORA-04021: timeout occurred while waiting to lock object SYS.: oci_connect(): ...
+Warning.{1,10}oci_.{1,30}
+##! Warning: ora_logon(): ...
+Warning.{1,10}ora_.{1,20}
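Review bot: Both patterns in 951120.ra are loose for a file that is assembled case-insensitively (`##!+ i`): `Warning.{1,10}oci_.{1,30}` matches any response body in which "warning" is followed within ten characters by "oci_", and the trailing `.{1,30}` / `.{1,20}` only requires one more character, so it adds no precision. Anchoring on the call form that both sample messages in the comments share, the `(): ` after `oci_connect` and `ora_logon`, would reduce false positives on pages that merely mention these function names.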
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/951240.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/951240.ra
index 7be6aa136..44f23c48e 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/951240.ra
+++ b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/951240.ra
@@ -15,3 +15,4 @@ PG::[a-z]*Error
Supplied argument is not a valid PostgreSQL .*? resource
Unable to connect to PostgreSQL server
invalid input syntax for integer
+org\.postgresql\.util\.PSQLException:
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/exclude/unix-shell-fps-pl1.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/exclude/unix-shell-fps-pl1.ra
index a38db6864..5fa6bb130 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/exclude/unix-shell-fps-pl1.ra
+++ b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/exclude/unix-shell-fps-pl1.ra
@@ -120,6 +120,9 @@ awk
awk@
aws
aws@
+axel
+axel@
+axel~
basename
basename@
basename~
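Review bot: The three added entries (`axel`, `axel@`, `axel~`) sit in `exclude/unix-shell-fps-pl1.ra`, so they take a download utility out of paranoia level 1 command detection, and nothing in this hunk shows where it is still caught. Please confirm that the entry remains in a higher paranoia level list and that a test covers it, so the exclusion is a documented false-positive trade-off and not a silent gap.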
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/unix-shell-4andup.ra b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/unix-shell-4andup.ra
index a6d77e392..f69c1e9a0 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/unix-shell-4andup.ra
+++ b/src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/unix-shell-4andup.ra
@@ -433,7 +433,7 @@ run-parts
rview
rvim
sash@
-sched
+sched@
screen@
script@
sdiff
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/renovate.json b/src/common/core/modsecurity/files/coreruleset-v4/renovate.json
new file mode 100644
index 000000000..26f58fa20
--- /dev/null
+++ b/src/common/core/modsecurity/files/coreruleset-v4/renovate.json
@@ -0,0 +1,10 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "local>coreruleset/renovate-config",
+ "schedule:weekly"
+ ],
+ "enabledManagers": [
+ "docker-compose"
+ ]
+}
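Review bot: This `renovate.json` is the upstream project's dependency-bot configuration, and it is being added inside the vendored `coreruleset-v4` directory that ships with the WAF; its `local>coreruleset/renovate-config` preset points at a repository in the upstream organisation, not this one. The file has no role at runtime, so consider dropping it (and similar upstream repository metadata) when vendoring the rule set, keeping the shipped tree limited to rules and data files.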
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
index e89d3e0ed..058386bc1 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
+++ b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
@@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
-# OWASP CRS ver.4.2.0
+# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-901-INITIALIZATION.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-901-INITIALIZATION.conf
index fe92572c2..8f9a55de3 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-901-INITIALIZATION.conf
+++ b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-901-INITIALIZATION.conf
@@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
-# OWASP CRS ver.4.2.0
+# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@@ -26,7 +26,7 @@
#
# Ref: https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#seccomponentsignature
#
-SecComponentSignature "OWASP_CRS/4.2.0"
+SecComponentSignature "OWASP_CRS/4.3.0"
#
# -=[ Default setup values ]=-
@@ -60,7 +60,7 @@ SecRule &TX:crs_setup_version "@eq 0" \
auditlog,\
msg:'ModSecurity CRS is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL'"
@@ -79,7 +79,7 @@ SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.inbound_anomaly_score_threshold=5'"
# Default Outbound Anomaly Threshold Level (rule 900110 in crs-setup.conf)
@@ -89,7 +89,7 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.outbound_anomaly_score_threshold=4'"
# Default Reporting Level (rule 900115 in crs-setup.conf)
@@ -99,7 +99,7 @@ SecRule &TX:reporting_level "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.reporting_level=4'"
# Default Early Blocking (rule 900120 in crs-setup.conf)
@@ -109,7 +109,7 @@ SecRule &TX:early_blocking "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.early_blocking=0'"
# Default Blocking Paranoia Level (rule 900000 in crs-setup.conf)
@@ -119,7 +119,7 @@ SecRule &TX:blocking_paranoia_level "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_paranoia_level=1'"
# Default Detection Paranoia Level (rule 900001 in crs-setup.conf)
@@ -129,7 +129,7 @@ SecRule &TX:detection_paranoia_level "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_paranoia_level=%{TX.blocking_paranoia_level}'"
# Default Sampling Percentage (rule 900400 in crs-setup.conf)
@@ -139,7 +139,7 @@ SecRule &TX:sampling_percentage "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.sampling_percentage=100'"
# Default Anomaly Scores (rule 900100 in crs-setup.conf)
@@ -149,7 +149,7 @@ SecRule &TX:critical_anomaly_score "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.critical_anomaly_score=5'"
SecRule &TX:error_anomaly_score "@eq 0" \
@@ -158,7 +158,7 @@ SecRule &TX:error_anomaly_score "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.error_anomaly_score=4'"
SecRule &TX:warning_anomaly_score "@eq 0" \
@@ -167,7 +167,7 @@ SecRule &TX:warning_anomaly_score "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.warning_anomaly_score=3'"
SecRule &TX:notice_anomaly_score "@eq 0" \
@@ -176,7 +176,7 @@ SecRule &TX:notice_anomaly_score "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.notice_anomaly_score=2'"
# Default HTTP policy: allowed_methods (rule 900200 in crs-setup.conf)
@@ -186,7 +186,7 @@ SecRule &TX:allowed_methods "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
# Default HTTP policy: allowed_request_content_type (rule 900220 in crs-setup.conf)
@@ -196,7 +196,7 @@ SecRule &TX:allowed_request_content_type "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
# Default HTTP policy: allowed_request_content_type_charset (rule 900280 in crs-setup.conf)
@@ -206,7 +206,7 @@ SecRule &TX:allowed_request_content_type_charset "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
# Default HTTP policy: allowed_http_versions (rule 900230 in crs-setup.conf)
@@ -216,7 +216,7 @@ SecRule &TX:allowed_http_versions "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
# Default HTTP policy: restricted_extensions (rule 900240 in crs-setup.conf)
@@ -226,7 +226,7 @@ SecRule &TX:restricted_extensions "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
# Default HTTP policy: restricted_headers_basic (rule 900250 in crs-setup.conf)
@@ -236,7 +236,7 @@ SecRule &TX:restricted_headers_basic "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
# Default HTTP policy: restricted_headers_extended (rule 900255 in crs-setup.conf)
@@ -246,7 +246,7 @@ SecRule &TX:restricted_headers_extended "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.restricted_headers_extended=/accept-charset/'"
# Default enforcing of body processor URLENCODED (rule 900010 in crs-setup.conf)
@@ -256,7 +256,7 @@ SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.enforce_bodyproc_urlencoded=0'"
# Default check for UTF8 encoding validation (rule 900950 in crs-setup.conf)
@@ -266,7 +266,7 @@ SecRule &TX:crs_validate_utf8_encoding "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.crs_validate_utf8_encoding=0'"
#
@@ -284,7 +284,7 @@ SecAction \
t:none,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_inbound_anomaly_score=0',\
setvar:'tx.detection_inbound_anomaly_score=0',\
setvar:'tx.inbound_anomaly_score_pl1=0',\
@@ -317,15 +317,19 @@ SecAction \
# IP collection is initialized with the IP address concatened with the hashed user agent.
# Disable collection initialization by default (see rule 900130 in crs-setup.conf)
+# The creation of the IP and the GLOBAL collection is not being tested as
+# of this writing due to limits in ftw and our testing setup.
+# Proper testing would involve the checking of a variable in the said collections.
SecRule TX:ENABLE_DEFAULT_COLLECTIONS "@eq 1" \
"id:901320,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
+ setvar:'tx.ua_hash=%{REQUEST_HEADERS.User-Agent}',\
chain"
- SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \
+ SecRule TX:ua_hash "@unconditionalMatch" \
"t:none,t:sha1,t:hexEncode,\
initcol:global=global,\
initcol:ip=%{remote_addr}_%{MATCHED_VAR}"
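Review bot: `tx.ua_hash` is misnamed in rule 901320: the new `setvar` stores the raw `User-Agent` header, and the SHA-1 and hex encoding are applied only by `t:sha1,t:hexEncode` in the chained rule, so anything that reads `tx.ua_hash` later in the transaction sees the unhashed client string. Rename the variable or document it as raw input. Also state in the comment whether requests without a `User-Agent` header now reach `initcol`, since the chain moved from `@rx ^.*$` on the header to `@unconditionalMatch` on the TX variable and the added comment says collection creation is not covered by tests.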
@@ -346,7 +350,7 @@ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
msg:'Enabling body inspection',\
tag:'OWASP_CRS',\
ctl:forceRequestBodyVariable=On,\
- ver:'OWASP_CRS/4.2.0'"
+ ver:'OWASP_CRS/4.3.0'"
# Force body processor URLENCODED
SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
@@ -358,7 +362,7 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
noauditlog,\
msg:'Enabling forced body inspection for ASCII content',\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
chain"
SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
"ctl:requestBodyProcessor=URLENCODED"
@@ -398,7 +402,7 @@ SecRule TX:sampling_percentage "@eq 100" \
pass,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
skipAfter:END-SAMPLING"
SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
@@ -409,7 +413,7 @@ SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
t:sha1,t:hexEncode,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'"
#
@@ -434,7 +438,7 @@ SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\
tag:'OWASP_CRS',\
ctl:ruleRemoveByTag=OWASP_CRS,\
- ver:'OWASP_CRS/4.2.0'"
+ ver:'OWASP_CRS/4.3.0'"
SecMarker "END-SAMPLING"
@@ -453,4 +457,4 @@ SecRule TX:detection_paranoia_level "@lt %{tx.blocking_paranoia_level}" \
log,\
msg:'Detection paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0'"
+ ver:'OWASP_CRS/4.3.0'"
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-905-COMMON-EXCEPTIONS.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
index 3b2fbb975..7cc3b93f6 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
+++ b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
@@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
-# OWASP CRS ver.4.2.0
+# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@@ -25,7 +25,7 @@ SecRule REQUEST_LINE "@streq GET /" \
tag:'platform-apache',\
tag:'attack-generic',\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
chain"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
"t:none,\
@@ -46,7 +46,7 @@ SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
tag:'platform-apache',\
tag:'attack-generic',\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
chain"
SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \
"t:none,\
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-911-METHOD-ENFORCEMENT.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
index 9b507c525..d3d62a9ab 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
+++ b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
@@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
-# OWASP CRS ver.4.2.0
+# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@@ -14,8 +14,8 @@
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@@ -39,31 +39,31 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/274',\
tag:'PCI/12.1',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-913-SCANNER-DETECTION.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-913-SCANNER-DETECTION.conf
index d114d7bdb..26df0b749 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-913-SCANNER-DETECTION.conf
+++ b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-913-SCANNER-DETECTION.conf
@@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
-# OWASP CRS ver.4.2.0
+# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@@ -14,8 +14,8 @@
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@@ -51,29 +51,29 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
index 6ba5acbff..f63ab2d1e 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+++ b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
-# OWASP CRS ver.4.2.0
+# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@@ -23,8 +23,8 @@
#
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@@ -64,7 +64,7 @@ SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\x0b#]*)?(?:#[^\s\x0b]*)
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@@ -119,7 +119,7 @@ SecRule FILES|FILES_NAMES "!@rx (?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[a
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -148,7 +148,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -182,7 +182,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \
@@ -207,7 +207,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
@@ -247,7 +247,7 @@ SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
chain"
SecRule REQUEST_METHOD "@streq POST" \
@@ -277,7 +277,7 @@ SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
chain"
SecRule &REQUEST_HEADERS:Content-Length "!@eq 0" \
@@ -315,7 +315,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
chain"
SecRule TX:2 "@lt %{tx.1}" \
@@ -347,7 +347,7 @@ SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@@ -388,7 +388,7 @@ SecRule REQUEST_URI_RAW "@rx \x25" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_URI_RAW "@rx ^(.*)/(?:[^\?]+)?(\?.*)?$" \
@@ -422,7 +422,7 @@ SecRule REQUEST_BASENAME "!@rx ^.*%.*\.[^\s\x0b\.]+$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule TX:0 "@validateUrlEncoding" \
@@ -453,7 +453,7 @@ SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
chain"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \
@@ -497,7 +497,7 @@ SecRule REQUEST_URI|REQUEST_BODY "@rx (?i)%uff[0-9a-f]{2}" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@@ -553,7 +553,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -585,7 +585,7 @@ SecRule &REQUEST_HEADERS:Host "@eq 0" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
skipAfter:END-HOST-CHECK"
@@ -604,7 +604,7 @@ SecRule REQUEST_HEADERS:Host "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -644,7 +644,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'NOTICE',\
chain"
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@@ -669,7 +669,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'NOTICE',\
chain"
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@@ -702,7 +702,7 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'NOTICE',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
@@ -739,7 +739,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'NOTICE',\
chain"
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@@ -784,7 +784,7 @@ SecRule REQUEST_HEADERS:Host "@rx (?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@@ -816,7 +816,7 @@ SecRule &TX:MAX_NUM_ARGS "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule &ARGS "@gt %{tx.max_num_args}" \
@@ -841,7 +841,7 @@ SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" \
@@ -868,7 +868,7 @@ SecRule &TX:ARG_LENGTH "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule ARGS "@gt %{tx.arg_length}" \
@@ -892,7 +892,7 @@ SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" \
@@ -917,7 +917,7 @@ SecRule &TX:MAX_FILE_SIZE "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
@@ -943,7 +943,7 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \
@@ -983,7 +983,7 @@ SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+*-]+(?:\s?;\s?(?:action|bounda
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -1006,7 +1006,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.content_type=|%{tx.0}|',\
chain"
@@ -1034,7 +1034,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.content_type_charset=|%{tx.1}|',\
chain"
@@ -1061,7 +1061,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -1083,7 +1083,7 @@ SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -1106,12 +1106,12 @@ SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.extension=.%{tx.1}/',\
chain"
SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" \
- "t:none,t:urlDecodeUni,t:lowercase,\
+ "t:none,t:lowercase,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
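Review bot: the chained `SecRule TX:EXTENSION "@within %{tx.restricted_extensions}"` drops `t:urlDecodeUni` and keeps only `t:none,t:lowercase`, a behavioural change sitting among hunks that otherwise only bump the `ver:` string. `tx.extension` is filled from the `REQUEST_BASENAME "@rx \.([^.]+)$"` capture in the parent rule, whose transformation list is outside the visible context. Please confirm the parent still decodes the basename before the capture, because after this change the chained comparison sees the value with lowercasing only. A regression test for this rule using a percent-encoded restricted extension would pin the intended behaviour, and since the CHANGELOG records only the version bump, a one-line mention of the changed transformation would help operators who tune `tx.restricted_extensions`.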
@@ -1133,7 +1133,7 @@ SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -1187,7 +1187,7 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/12.1',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.header_name_920450_%{tx.0}=/%{tx.0}/',\
chain"
@@ -1221,7 +1221,7 @@ SecRule REQUEST_HEADERS:Accept-Encoding "@gt 100" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -1253,7 +1253,7 @@ SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -1276,7 +1276,7 @@ SecRule REQBODY_PROCESSOR "!@streq JSON" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?i)\x5cu[0-9a-f]{4}" \
@@ -1300,7 +1300,7 @@ SecRule REQUEST_URI_RAW "@contains #" \
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -1332,13 +1332,13 @@ SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@@ -1377,7 +1377,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
chain"
SecRule REQUEST_BASENAME "!@endsWith .pdf" \
@@ -1401,7 +1401,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
chain"
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \
@@ -1422,7 +1422,7 @@ SecRule ARGS "@rx %[0-9a-fA-F]{2}" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/120',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
@@ -1444,7 +1444,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1471,7 +1471,7 @@ SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'NOTICE',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.notice_anomaly_score}'"
@@ -1493,7 +1493,7 @@ SecRule FILES_NAMES|FILES "@rx ['\";=]" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1518,7 +1518,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@@ -1545,7 +1545,7 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/12.1',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.header_name_920451_%{tx.0}=/%{tx.0}/',\
chain"
@@ -1572,7 +1572,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
chain"
SecRule REQUEST_BODY "@rx \x25" \
@@ -1580,8 +1580,8 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded
SecRule REQUEST_BODY "@validateUrlEncoding" \
"setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
@@ -1606,7 +1606,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteR
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1640,7 +1640,7 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'NOTICE',\
chain"
SecRule REQUEST_METHOD "!@rx ^(?:OPTIONS|CONNECT)$" \
@@ -1673,7 +1673,7 @@ SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \
@@ -1726,7 +1726,7 @@ SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:\s*\,\s*|$)){1,7}$" \
@@ -1757,12 +1757,12 @@ SecRule REQUEST_HEADERS:Accept-Encoding "!@rx br|compress|deflate|(?:pack200-)?g
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
@@ -1785,7 +1785,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
chain"
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
@@ -1812,7 +1812,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@@ -1833,7 +1833,7 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@@ -1859,7 +1859,7 @@ SecRule REQUEST_HEADERS:Sec-Fetch-User|REQUEST_HEADERS:Sec-CH-UA-Mobile "!@rx ^(
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@@ -1903,7 +1903,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\x5c])\x5c[cdegh
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/153/267',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-921-PROTOCOL-ATTACK.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-921-PROTOCOL-ATTACK.conf
index c93a344e4..d16474e5b 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-921-PROTOCOL-ATTACK.conf
+++ b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-921-PROTOCOL-ATTACK.conf
@@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
-# OWASP CRS ver.4.2.0
+# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
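Review bot: the header bump to `# OWASP CRS ver.4.3.0` gives the release number but no record of which upstream tag, commit or release archive these vendored files under `coreruleset-v4/rules/` were copied from. With the same `ver:'OWASP_CRS/4.3.0'` substitution repeated across every rule in the directory, a reviewer cannot tell from the diff alone that the files match the upstream release byte for byte. Consider stating the upstream tag and the archive checksum in the commit message or in a small manifest next to the rules, so that the vendored copy can be verified and any local modification stands out in later updates.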
@@ -14,8 +14,8 @@
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@@ -46,7 +46,7 @@ SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connec
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -78,7 +78,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/34',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -99,7 +99,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/34',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -133,7 +133,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/273',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -161,7 +161,7 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -182,7 +182,7 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -208,7 +208,7 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/34',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -241,7 +241,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/136',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -274,7 +274,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?(?:applicati
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -300,13 +300,13 @@ SecRule REQUEST_URI "@rx unix:[^|]*\|" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@@ -333,7 +333,7 @@ SecRule ARGS_GET "@rx [\n\r]" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -369,13 +369,13 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?\b(?:((?:tex
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
@@ -405,7 +405,7 @@ SecRule &REQUEST_HEADERS:Range "@gt 0" \
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -439,7 +439,7 @@ SecRule ARGS_NAMES "@rx ." \
tag:'attack-protocol',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/15/460',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
SecRule TX:/paramcounter_.*/ "@gt 1" \
@@ -455,7 +455,7 @@ SecRule TX:/paramcounter_.*/ "@gt 1" \
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/15/460',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \
@@ -500,15 +500,15 @@ SecRule ARGS_NAMES "@rx (][^\]]+$|][^\]]+\[)" \
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/15/460',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
@@ -548,7 +548,7 @@ SecRule ARGS_NAMES "@rx \[" \
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/15/460',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-922-MULTIPART-ATTACK.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-922-MULTIPART-ATTACK.conf
index efc412b90..62298d661 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-922-MULTIPART-ATTACK.conf
+++ b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-922-MULTIPART-ATTACK.conf
@@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
-# OWASP CRS ver.4.2.0
+# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@@ -38,7 +38,7 @@ SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.922100_charset=|%{ARGS._charset_}|',\
chain"
@@ -69,7 +69,7 @@ SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*:\s*(.*)$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/272/220',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule TX:1 "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*(?:[\s\x0b]*,[\s\x0b]*(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*)*$" \
@@ -92,6 +92,6 @@ SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/272/220',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
index 4cf716ac3..c8cf35247 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
+++ b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
@@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
-# OWASP CRS ver.4.2.0
+# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@@ -14,8 +14,8 @@
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@@ -47,7 +47,7 @@ SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
@@ -79,7 +79,7 @@ SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -110,7 +110,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
tag:'PCI/6.5.4',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -137,15 +137,15 @@ SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
tag:'PCI/6.5.4',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@@ -175,22 +175,22 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@pmFromFile lfi-os-f
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
tag:'PCI/6.5.4',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
index e61ca18b2..a4693843a 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
+++ b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
@@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
-# OWASP CRS ver.4.2.0
+# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@@ -17,8 +17,8 @@
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@@ -49,7 +49,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?)://(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -69,7 +69,7 @@ SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_abso
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -89,15 +89,15 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@@ -128,7 +128,7 @@ SecRule ARGS "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|it
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
chain"
@@ -158,7 +158,7 @@ SecRule REQUEST_FILENAME "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
chain"
@@ -167,16 +167,16 @@ SecRule REQUEST_FILENAME "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
index cc0f2292a..bfeb6dd72 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
+++ b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
@@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
-# OWASP CRS ver.4.2.0
+# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
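Review bot: The version string bumped in this header and in each rule's `ver:` action is the only indication in these hunks of which upstream release the vendored copy under `src/common/core/modsecurity/files/coreruleset-v4/` corresponds to. Consider recording the upstream tag or an archive checksum next to the vendored tree, so a reviewer can confirm the rules match the v4.3.0 release as a whole instead of reading every regex change by hand.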
@@ -14,8 +14,8 @@
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@@ -134,7 +134,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -178,7 +178,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 932235
#
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:
\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:HEAD|POST|y(?:arn|elp))[\s\x0b&\)<>\|]|a(?:dd(?:group|user)|getty|(?:l(?:ias|pine)|xel)[\s\x0b&\)<>\|]|nsible|pt(?:-get|itude[\s\x0b&\)<>\|])|r(?:ch[\s\x0b&\)<>\|]|ia2c)|s(?:cii(?:-xfr|85)|pell)|tobm)|b(?:a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\)<>\|]|c))|h[\s\x0b&\)<>\|])|tch[\s\x0b&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\x0b&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu)|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:a(?:ncel|psh)[\s\x0b&\)<>\|]|ertbot|h(?:attr|(?:dir|root)[\s\x0b&\)<>\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\s\x0b&\)\-<>\|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\x0b&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\)<>\|]|w(?:say|think))|p(?:an|io|ulimit)|r(?:ash[\s\x0b&\)<>\|]|on(?:[\s\x0b&\)<>\|]|tab))|s(?:cli[\s\x0b&\)<>\|]|plit|vtool)|u(?:psfilter|rl[\s\x0b&\)<>\|]))|d(?:(?:a(?:sh|te)|i(?:alog|ff))[\s\x0b&\)<>\|]|hclient|m(?:esg|idecode|setup)|o(?:as|(?
:cker|ne)[\s\x0b&\)<>\|]|sbox)|pkg|vips)|e(?:2fsck|(?:asy_instal|va)l|cho[\s\x0b&\)<>\|]|fax|grep|macs|n(?:d(?:if|sw)|v-update)|sac|x(?:ec[\s\x0b&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\x0b&\)<>\|]|r)))|f(?:acter|(?:etch|lock|unction)[\s\x0b&\)<>\|]|grep|i(?:le(?:[\s\x0b&\)<>\|]|test)|(?:n(?:d|ger)|sh)[\s\x0b&\)<>\|])|o(?:ld[\s\x0b&\)<>\|]|reach)|ping|tp(?:stats|who))|g(?:awk[\s\x0b&\)<>\|]|core|e(?:ni(?:e[\s\x0b&\)<>\|]|soimage)|tfacl[\s\x0b&\)<>\|])|hci|i(?:mp[\s\x0b&\)<>\|]|nsh)|r(?:ep[\s\x0b&\)<>\|]|oup(?:[\s\x0b&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:ash|i(?:ghlight|story))[\s\x0b&\)<>\|]|e(?:ad[\s\x0b&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:conv|f(?:config|top)|nstall[\s\x0b&\)<>\|]|onice|p(?:6?tables|config)|spell)|j(?:ava[\s\x0b&\)<>\|]|exec|o(?:(?:bs|in)[\s\x0b&\)<>\|]|urnalctl)|runscript)|k(?:ill(?:[\s\x0b&\)<>\|]|all)|nife[\s\x0b&\)<>\|]|sshell)|l(?:a(?:st(?:[\s\x0b&\)<>\|]|comm|log(?:in)?)|tex[\s\x0b&\)<>\|])|dconfig|ess(?:[\s\x0b&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[\s\x0b&\)<>\|]|o(?:(?:ca(?:l|te)|ok)[\s\x0b&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|z(?:4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:il(?:[\s\x0b&\)<>q\|]|x[\s\x0b&\)<>\|])|ke[\s\x0b&\)<>\|]|ster\.passwd|wk)|k(?:dir[\s\x0b&\)<>\|]|fifo|nod|temp)|locate|o(?:squitto|unt[\s\x0b&\)<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|utt[\s\x0b&\)<>\|]|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:a(?:no[\s\x0b&\)<>\|]|sm|wk)|c(?:\.(?:openbsd|traditional)|at)|e(?:ofetch|t(?:(?:c|st)at|kit-ftp|plan))|(?:ice|ull)[\s\x0b&\)<>\|]|map|o(?:de[\s\x0b&\)<>\|]|hup)|ping|roff|s(?:enter|lookup|tat))|o(?:ctave[\s\x0b&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:cman|rted|tch)[\s\x0b&\)<>\|]|s(?:swd|te[\s\x0b&\)<>\|]))|d(?:f(?:la)?tex|ksh)|er(?:(?:f|ms)[\s\x0b&\)<>\|]|l(?:[\s\x0b&\)5<>\|]|sh))|(?:ft|gre)p|hp(?:-cgi|[57])|i(?:(?
:co|ng)[\s\x0b&\)<>\|]|dstat|gz)|k(?:exec|g_?info|ill)|opd|rint(?:env|f[\s\x0b&\)<>\|])|s(?:ed|ftp|ql)|tar(?:diff|grep)?|u(?:ppet[\s\x0b&\)<>\|]|shd)|wd\.db|y(?:thon[^\s\x0b]|3?versions))|r(?:ak(?:e[\s\x0b&\)<>\|]|u)|bash|e(?:a(?:delf|lpath)|(?:dcarpet|name|p(?:eat|lace))[\s\x0b&\)<>\|]|stic)|l(?:ogin|wrap)|m(?:dir[\s\x0b&\)<>\|]|user)|nano|oute[\s\x0b&\)<>\|]|pm(?:db|(?:quer|verif)y)|sync|u(?:by[^\s\x0b]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:(?:ash|nap)[\s\x0b&\)<>\|]|c(?:hed|r(?:een|ipt)[\s\x0b&\)<>\|])|diff|e(?:(?:lf|rvice)[\s\x0b&\)<>\|]|ndmail|t(?:arch|env|facl[\s\x0b&\)<>\|]|sid))|ftp|h(?:\.distrib|(?:adow|ells)[\s\x0b&\)<>\|]|u(?:f|tdown[\s\x0b&\)<>\|]))|l(?:eep[\s\x0b&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\x0b&\)<>\|])|p(?:lit[\s\x0b&\)<>\|]|wd\.db)|qlite3|sh(?:-key(?:ge|sca)n|pass)|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\x0b&\)<>\|]))|udo|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il[\s\x0b&\)<>f\|]|sk(?:[\s\x0b&\)<>\|]|set))|c(?:l?sh|p(?:dump|ing|traceroute))|elnet|ftp|ime(?:datectl|out[\s\x0b&\)<>\|])|mux|ouch[\s\x0b&\)<>\|]|r(?:aceroute6?|off)|shark)|u(?:limit[\s\x0b&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\x0b&\)<>\|]|expand|iq|l(?:ink[\s\x0b&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\x0b&\)<>\|]|std))|p(?:2date[\s\x0b&\)<>\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:ew[\s\x0b&\)<>\|]|gr|mdiff|pw|rsh|sudo)|olatility[\s\x0b&\)<>\|])|w(?:a(?:ll|tch)[\s\x0b&\)<>\|]|get|h(?:iptail[\s\x0b&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\x0b&\)<>\|]))|x(?:args|e(?:la)?tex|mo(?:dmap|re)|pad|term|z(?:c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more))|z(?:athura|c(?:at|mp)|diff|e(?:grep|ro[\s\x0b&\)<>\|])|f?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|s(?:oelim|td(?:(?:ca|m)t|grep|less)?)|ypper))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:
\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:HEAD|POST|y(?:arn|elp))[\s\x0b&\)<>\|]|a(?:dd(?:group|user)|getty|(?:l(?:ias|pine)|xel)[\s\x0b&\)<>\|]|nsible|pt(?:-get|itude[\s\x0b&\)<>\|])|r(?:ch[\s\x0b&\)<>\|]|ia2c)|s(?:cii(?:-xfr|85)|pell)|tobm)|b(?:a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\)<>\|]|c))|h[\s\x0b&\)<>\|])|tch[\s\x0b&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\x0b&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu)|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:a(?:ncel|psh)[\s\x0b&\)<>\|]|ertbot|h(?:attr|(?:dir|root)[\s\x0b&\)<>\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\s\x0b&\)\-<>\|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\x0b&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\)<>\|]|w(?:say|think))|p(?:an|io|ulimit)|r(?:ash[\s\x0b&\)<>\|]|on(?:[\s\x0b&\)<>\|]|tab))|s(?:cli[\s\x0b&\)<>\|]|plit|vtool)|u(?:psfilter|rl[\s\x0b&\)<>\|]))|d(?:(?:a(?:sh|te)|i(?:alog|ff))[\s\x0b&\)<>\|]|hclient|m(?:esg|idecode|setup)|o(?:as|(?
:cker|ne)[\s\x0b&\)<>\|]|sbox)|pkg|vips)|e(?:2fsck|(?:asy_instal|va)l|cho[\s\x0b&\)<>\|]|fax|grep|macs|n(?:d(?:if|sw)|v-update)|sac|x(?:ec[\s\x0b&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\x0b&\)<>\|]|r)))|f(?:acter|(?:etch|lock|unction)[\s\x0b&\)<>\|]|grep|i(?:le(?:[\s\x0b&\)<>\|]|test)|(?:n(?:d|ger)|sh)[\s\x0b&\)<>\|])|o(?:ld[\s\x0b&\)<>\|]|reach)|ping|tp(?:stats|who))|g(?:awk[\s\x0b&\)<>\|]|core|e(?:ni(?:e[\s\x0b&\)<>\|]|soimage)|tfacl[\s\x0b&\)<>\|])|hci|i(?:mp[\s\x0b&\)<>\|]|nsh)|r(?:ep[\s\x0b&\)<>\|]|oup(?:[\s\x0b&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:ash|i(?:ghlight|story))[\s\x0b&\)<>\|]|e(?:ad[\s\x0b&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:conv|f(?:config|top)|nstall[\s\x0b&\)<>\|]|onice|p(?:6?tables|config)|spell)|j(?:ava[\s\x0b&\)<>\|]|exec|o(?:(?:bs|in)[\s\x0b&\)<>\|]|urnalctl)|runscript)|k(?:ill(?:[\s\x0b&\)<>\|]|all)|nife[\s\x0b&\)<>\|]|sshell)|l(?:a(?:st(?:[\s\x0b&\)<>\|]|comm|log(?:in)?)|tex[\s\x0b&\)<>\|])|dconfig|ess(?:[\s\x0b&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[\s\x0b&\)<>\|]|o(?:(?:ca(?:l|te)|ok)[\s\x0b&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|z(?:4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:il(?:[\s\x0b&\)<>q\|]|x[\s\x0b&\)<>\|])|ke[\s\x0b&\)<>\|]|ster\.passwd|wk)|k(?:dir[\s\x0b&\)<>\|]|fifo|nod|temp)|locate|o(?:squitto|unt[\s\x0b&\)<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|utt[\s\x0b&\)<>\|]|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:a(?:no[\s\x0b&\)<>\|]|sm|wk)|c(?:\.(?:openbsd|traditional)|at)|e(?:ofetch|t(?:(?:c|st)at|kit-ftp|plan))|(?:ice|ull)[\s\x0b&\)<>\|]|map|o(?:de[\s\x0b&\)<>\|]|hup)|ping|roff|s(?:enter|lookup|tat))|o(?:ctave[\s\x0b&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:cman|rted|tch)[\s\x0b&\)<>\|]|s(?:swd|te[\s\x0b&\)<>\|]))|d(?:f(?:la)?tex|ksh)|er(?:(?:f|ms)[\s\x0b&\)<>\|]|l(?:[\s\x0b&\)5<>\|]|sh))|(?:ft|gre)p|hp(?:-cgi|[57])|i(?:(?
:co|ng)[\s\x0b&\)<>\|]|dstat|gz)|k(?:exec|g_?info|ill)|opd|rint(?:env|f[\s\x0b&\)<>\|])|s(?:ed|ftp|ql)|tar(?:diff|grep)?|u(?:ppet[\s\x0b&\)<>\|]|shd)|wd\.db|y(?:thon[^\s\x0b]|3?versions))|r(?:ak(?:e[\s\x0b&\)<>\|]|u)|bash|e(?:a(?:delf|lpath)|(?:dcarpet|name|p(?:eat|lace))[\s\x0b&\)<>\|]|stic)|l(?:ogin|wrap)|m(?:dir[\s\x0b&\)<>\|]|user)|nano|oute[\s\x0b&\)<>\|]|pm(?:db|(?:quer|verif)y)|sync|u(?:by[^\s\x0b]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:(?:ash|c(?:hed|r(?:een|ipt))|nap)[\s\x0b&\)<>\|]|diff|e(?:(?:lf|rvice)[\s\x0b&\)<>\|]|ndmail|t(?:arch|env|facl[\s\x0b&\)<>\|]|sid))|ftp|h(?:\.distrib|(?:adow|ells)[\s\x0b&\)<>\|]|u(?:f|tdown[\s\x0b&\)<>\|]))|l(?:eep[\s\x0b&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\x0b&\)<>\|])|p(?:lit[\s\x0b&\)<>\|]|wd\.db)|qlite3|sh(?:-key(?:ge|sca)n|pass)|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\x0b&\)<>\|]))|udo|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il[\s\x0b&\)<>f\|]|sk(?:[\s\x0b&\)<>\|]|set))|c(?:l?sh|p(?:dump|ing|traceroute))|elnet|ftp|ime(?:datectl|out[\s\x0b&\)<>\|])|mux|ouch[\s\x0b&\)<>\|]|r(?:aceroute6?|off)|shark)|u(?:limit[\s\x0b&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\x0b&\)<>\|]|expand|iq|l(?:ink[\s\x0b&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\x0b&\)<>\|]|std))|p(?:2date[\s\x0b&\)<>\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:ew[\s\x0b&\)<>\|]|gr|mdiff|pw|rsh|sudo)|olatility[\s\x0b&\)<>\|])|w(?:a(?:ll|tch)[\s\x0b&\)<>\|]|get|h(?:iptail[\s\x0b&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\x0b&\)<>\|]))|x(?:args|e(?:la)?tex|mo(?:dmap|re)|pad|term|z(?:c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more))|z(?:athura|c(?:at|mp)|diff|e(?:grep|ro[\s\x0b&\)<>\|])|f?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|s(?:oelim|td(?:(?:ca|m)t|grep|less)?)|ypper))" \
"id:932235,\
phase:2,\
block,\
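Review bot: In the `s(...)` branch of the 932235 command list, `sched` changes from a bare prefix match to one that needs a trailing delimiter, and nothing in the hunk says so. The old form was `c(?:hed|r(?:een|ipt)[\s\x0b&\)<>\|])`; the new one is `(?:ash|c(?:hed|r(?:een|ipt))|nap)[\s\x0b&\)<>\|]`, so `sched` now matches only when followed by whitespace or one of `&)<>|`, and longer words that merely begin with it no longer match through this alternative. Please confirm this narrowing is the intended false-positive fix from upstream and that it comes from regenerating the rule (`crs-toolchain regex update 932235`, per the context comment) and not from a hand edit, and check that the rule's regression tests cover both the delimited and the undelimited case.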
@@ -194,7 +194,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -227,7 +227,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -261,7 +261,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -304,7 +304,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -351,7 +351,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -432,7 +432,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -475,7 +475,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 932260
#
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(
?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:a(?:ddgroup|nsible|xel[\s\x0b&\)<>\|])|b(?:ase(?:32|64|nc)|lkid|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|yobu|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:h(?:ef[\s\x0b&\)\-<>\|]|g(?:passwd|rp)|pass|sh)|lang\+\+|o(?:mm[\s\x0b&\)<>\|]|proc)|(?:ron|scli)[\s\x0b&\)<>\|])|d(?:iff[\s\x0b&\)<>\|]|mesg|oas)|e(?:2fsck|grep)|f(?:grep|iletest|tp(?:stats|who))|g(?:r(?:ep[\s\x0b&\)<>\|]|oupmod)|unzip|z(?:cat|exe|ip))|htop|l(?:ast(?:comm|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:get)?|osetup|s(?:-F|b_release|cpu|mod|of|pci|usb)|wp-download|z(?:4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:ilq|ster\.passwd)|k(?:fifo|nod|temp)|locate|ysql(?:admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:\.(?:openbsd|traditional)|at)|et(?:(?:c|st)at|kit-ftp|plan)|ohup|ping|stat)|onintr|p(?:dksh|er(?:f[\s\x0b&\)<>\|]|l[\s\x0b&\)5<>\|])|(?:ft|gre)p|hp(?:-cgi|[57])|igz|k(?:exec|ill)|(?:op|se)d|rint(?:env|f[\s\x0b&\)<>\|])|tar(?:diff|grep)?|wd\.db|y(?:thon[23]|3?versions))|r(?:(?:bas|ealpat)h|m(?:dir[
\s\x0b&\)<>\|]|user)|nano|sync)|s(?:diff|e(?:ndmail|t(?:env|sid))|ftp|(?:h\.distri|pwd\.d)b|ocat|td(?:err|in|out)|udo|ysctl)|t(?:ailf|c(?:p(?:ing|traceroute)|sh)|elnet|imeout[\s\x0b&\)<>\|]|raceroute6?)|u(?:n(?:ame|lz(?:4|ma)|(?:pig|x)z|rar|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:gr|pw|sudo)|w(?:get|hoami)|x(?:args|z(?:c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more))|z(?:c(?:at|mp)|diff|[ef]?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|std(?:(?:ca|m)t|grep|less)?))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(
?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:a(?:ddgroup|nsible)|b(?:ase(?:32|64|nc)|lkid|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|yobu|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:h(?:ef[\s\x0b&\)\-<>\|]|g(?:passwd|rp)|pass|sh)|lang\+\+|o(?:mm[\s\x0b&\)<>\|]|proc)|(?:ron|scli)[\s\x0b&\)<>\|])|d(?:iff[\s\x0b&\)<>\|]|mesg|oas)|e(?:2fsck|grep)|f(?:grep|iletest|tp(?:stats|who))|g(?:r(?:ep[\s\x0b&\)<>\|]|oupmod)|unzip|z(?:cat|exe|ip))|htop|l(?:ast(?:comm|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:get)?|osetup|s(?:-F|b_release|cpu|mod|of|pci|usb)|wp-download|z(?:4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:ilq|ster\.passwd)|k(?:fifo|nod|temp)|locate|ysql(?:admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:\.(?:openbsd|traditional)|at)|et(?:(?:c|st)at|kit-ftp|plan)|ohup|ping|stat)|onintr|p(?:dksh|er(?:f[\s\x0b&\)<>\|]|l[\s\x0b&\)5<>\|])|(?:ft|gre)p|hp(?:-cgi|[57])|igz|k(?:exec|ill)|(?:op|se)d|rint(?:env|f[\s\x0b&\)<>\|])|tar(?:diff|grep)?|wd\.db|y(?:thon[23]|3?versions))|r(?:(?:bas|ealpat)h|m(?:dir[\s\x0b&\)<>\|]|user
)|nano|sync)|s(?:diff|e(?:ndmail|t(?:env|sid))|ftp|(?:h\.distri|pwd\.d)b|ocat|td(?:err|in|out)|udo|ysctl)|t(?:ailf|c(?:p(?:ing|traceroute)|sh)|elnet|imeout[\s\x0b&\)<>\|]|raceroute6?)|u(?:n(?:ame|lz(?:4|ma)|(?:pig|x)z|rar|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:gr|pw|sudo)|w(?:get|hoami)|x(?:args|z(?:c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more))|z(?:c(?:at|mp)|diff|[ef]?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|std(?:(?:ca|m)t|grep|less)?))" \
"id:932260,\
phase:2,\
block,\
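Review bot: The 932260 command list loses `axel` without any mention: `a(?:ddgroup|nsible|xel[\s\x0b&\)<>\|])` becomes `a(?:ddgroup|nsible)`. The prefix group of this rule includes the `^` alternative, while 932235 in the earlier hunk still lists `xel` but has no `^` alternative, so coverage for that command at the start of a value changes with this update. Please confirm the removal is an intended false-positive fix carried over from upstream 4.3.0 and mention the detection change in the changelog entry, since the surrounding `ver:` bumps give no hint that rule behaviour changed.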
@@ -491,7 +491,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.932260_matched_var_name=%{matched_var_name}',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -528,7 +528,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -569,7 +569,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -600,7 +600,7 @@ SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -621,7 +621,7 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -663,7 +663,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -697,7 +697,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -791,7 +791,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -828,14 +828,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@@ -894,7 +894,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -927,7 +927,7 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx \$(?:\((?:.*|\(.
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -976,15 +976,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.932200_matched_var_name=%{matched_var_name}',\
chain"
SecRule MATCHED_VAR "@rx /" \
- "t:none,t:urlDecodeUni,\
+ "t:none,\
chain"
SecRule MATCHED_VAR "@rx \s" \
- "t:none,t:urlDecodeUni,\
+ "t:none,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
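Review bot: In both chained rules of 932200 (`SecRule MATCHED_VAR "@rx /"` and `SecRule MATCHED_VAR "@rx \s"`), `t:urlDecodeUni` is dropped and only `t:none` remains, so a slash or whitespace character that is still percent-encoded when the chain runs no longer satisfies these two conditions. The parent rule's transformation list is outside this hunk; please confirm that it already decodes the value it matches on, and add a regression test that sends the encoded forms through the cookie and argument targets of the parent rule to show the chain still completes. If the removal is meant to avoid a second decode pass, a one-line comment above the chain saying so would keep a later editor from re-adding the transformation.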
@@ -1018,19 +1018,19 @@ SecRule REQUEST_HEADERS:Referer "@rx ^[^#]+" \
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.932205_matched_var_name=%{matched_var_name}',\
chain"
SecRule TX:0 "@rx ^[^\.]+\.[^;\?]+[;\?](.*(['\*\?\x5c`][^\n/]+/|/[^/]+?['\*\?\x5c`]|\$[!#\$\(\*\-0-9\?-\[_a-\{]))" \
"capture,\
- t:none,t:urlDecodeUni,\
+ t:none,\
chain"
SecRule TX:1 "@rx /" \
- "t:none,t:urlDecodeUni,\
+ "t:none,\
chain"
SecRule TX:1 "@rx \s" \
- "t:none,t:urlDecodeUni,\
+ "t:none,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
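Review bot: The first chained rule of 932205 uses `capture` on `TX:0`, and with `t:urlDecodeUni` removed there the text that lands in `TX:1` is captured without decoding; the two follow-up checks on `TX:1` (`@rx /` and `@rx \s`) lose the transformation as well, so nothing in the visible chain decodes the Referer value any more. Unless the parent rule on `REQUEST_HEADERS:Referer` (its action list is not shown in this hunk) decodes before `TX:0` is populated, a Referer whose query string carries a percent-encoded slash or space would stop matching. Please state in the rule's comment block where decoding happens for this rule.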
@@ -1061,15 +1061,15 @@ SecRule REQUEST_HEADERS:Referer "@rx ^[^\.]*?(?:['\*\?\x5c`][^\n/]+/|/[^/]+?['\*
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.932206_matched_var_name=%{matched_var_name}',\
chain"
SecRule MATCHED_VAR "@rx /" \
- "t:none,t:urlDecodeUni,\
+ "t:none,\
chain"
SecRule MATCHED_VAR "@rx \s" \
- "t:none,t:urlDecodeUni,\
+ "t:none,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
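Review bot: 932206 is the third rule in this file to lose `t:urlDecodeUni` on its chained `MATCHED_VAR` checks, while the hunk for the chained rule 932240 further down only changes the `ver` line. Please confirm whether the 932240 chain (not shown in its hunk) needs the same treatment, so that the chained paranoia-level-2 rules handle encoded input consistently, and say in the commit message why the transformation was removed from these three rules.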
@@ -1094,7 +1094,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1157,7 +1157,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.932240_matched_var_name=%{matched_var_name}',\
chain"
@@ -1199,7 +1199,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1240,7 +1240,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/137/134',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1272,7 +1272,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/137/134',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1306,7 +1306,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/137/134',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1352,7 +1352,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 932236
#
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(
?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\x0b&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[\s\x0b&\)<>\|]|pt(?:[\s\x0b&\)<>\|]|-get)|r(?:[\s\x0b&\)<>j\|]|(?:p|ch)[\s\x0b&\)<>\|]|ia2c)|s(?:h[\s\x0b&\)<>\|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|tobm)|b(?:z(?:z[\s\x0b&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\)<>\|]|c))|h[\s\x0b&\)<>\|])|tch[\s\x0b&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\x0b&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[89]9|(?:a(?:t|ncel|psh)|c)[\s\x0b&\)<>\|]|mp|p(?:[\s\x0b&\)<>\|]|an|io|ulimit)|s(?:h|cli[\s\x0b&\)<>\|]|plit|vtool)|u(?:(?:t|rl)[\s\x0b&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\x0b&\)<>\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\s\x0b&\)\-<>\|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\x0b&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\)<>\|]|w(?:say|think))|r(?:ash[\s\x0b&\)<>\|]|on(?:[\s\
x0b&\)<>\|]|tab)))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\x0b&\)<>\|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\x0b&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\x0b&\)<>\|]|n(?:v(?:[\s\x0b&\)<>\|]|-update)|d(?:if|sw))|qn|s(?:[\s\x0b&\)<>h\|]|ac)|x(?:(?:ec)?[\s\x0b&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\x0b&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\x0b&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\x0b&\)<>\|]|le(?:[\s\x0b&\)<>\|]|test))|mt|tp(?:[\s\x0b&\)<>\|]|stats|who)|acter|o(?:ld[\s\x0b&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\x0b]|ore)|db|e(?:(?:m|tfacl)[\s\x0b&\)<>\|]|ni(?:e[\s\x0b&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\x0b&\)<>\|]|nsh)|(?:o|awk)[\s\x0b&\)<>\|]|pg|r(?:c|ep[\s\x0b&\)<>\|]|oup(?:[\s\x0b&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\x0b&\)<>\|]|e(?:ad[\s\x0b&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\x0b&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\x0b&\)<>\|]|exec|o(?:(?:bs|in)[\s\x0b&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\x0b&\)<>\|]|all)|nife[\s\x0b&\)<>\|])|l(?:d(?:d?[\s\x0b&\)<>\|]|config)|(?:[np]|inks|ynx)[\s\x0b&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\x0b&\)<>\|]|(?:la)?tex)|z(?:[\s\x0b&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\x0b&\)<>\|]|comm|log(?:in)?)|tex[\s\x0b&\)<>\|])|ess(?:[\s\x0b&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\x0b&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\x0b&\)<>\|]|il(?:[\s\x0b&\)<>q\|]|x[\s\x0b&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\x0b&\)<>\|]|k(?:dir[\s\x0b&\)<>\|]|fifo|nod|temp)|locate|o(?:squitto|unt[\s\x0b&\)<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\x0b&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\x0b&\)<>\|]|(?:c|st)a
t|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\x0b&\)<>\|]|m(?:[\s\x0b&\)<>\|]|ap)|p(?:m[\s\x0b&\)<>\|]|ing)|a(?:no[\s\x0b&\)<>\|]|sm|wk)|o(?:de[\s\x0b&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\x0b&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[\s\x0b&\)<>\|]|s(?:swd|te[\s\x0b&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\x0b&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\x0b&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\x0b&\)<>\|]|p[^\s\x0b]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\x0b&\)<>\|]|int(?:env|f[\s\x0b&\)<>\|]))|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:(?:f|ms)[\s\x0b&\)<>\|]|l(?:[\s\x0b&\)5<>\|]|sh))|opd|s(?:ed|ftp|ql)|u(?:ppet[\s\x0b&\)<>\|]|shd)|y(?:thon[^\s\x0b]|3?versions))|r(?:a(?:r[\s\x0b&\)<>\|]|k(?:e[\s\x0b&\)<>\|]|u))|c(?:p[\s\x0b&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\x0b&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\x0b&\)<>\|]|user)|pm(?:[\s\x0b&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\x0b&\)<>\|]|sync|u(?:by[^\s\x0b]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\x0b&\)<>\|])|e(?:(?:d|lf|rvice)[\s\x0b&\)<>\|]|t(?:(?:facl)?[\s\x0b&\)<>\|]|arch|env|sid)|ndmail)|(?:g|ash|nap)[\s\x0b&\)<>\|]|h(?:(?:adow|ells)?[\s\x0b&\)<>\|]|\.distrib|u(?:f|tdown[\s\x0b&\)<>\|]))|s(?:[\s\x0b&\)<>\|]|h(?:[\s\x0b&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\x0b&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\x0b&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\x0b&\)<>\|])|p(?:lit[\s\x0b&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\x0b&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\x0b&\)<>\|]|il[\s\x0b&\)<>f\|]|sk(?:[\s\x0b&\)<>\|]|set))|bl|c(?:p(?:[\s\x0b&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\x0b&\)<>\|]|lnet)|i(?:c[\s\x0b&\)<>\|]|me(?:datectl|out[\s\x0b&\)<>\|]))|o(?:p|uch[\s\x0b&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\x0b&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\x0b&\)<>\|]|expand|iq|l(?:ink[\s\x0b&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:
ip[\s\x0b&\)<>\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\x0b&\)<>\|]|diff)|ew[\s\x0b&\)<>\|]|gr|pw|rsh|sudo)|algrind|olatility[\s\x0b&\)<>\|])|w(?:3m|c|a(?:ll|tch)[\s\x0b&\)<>\|]|get|h(?:iptail[\s\x0b&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\x0b&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\x0b&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\x0b&\)<>\|]|um)|z(?:ip(?:[\s\x0b&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\x0b&\)<>\|])|f?grep|less|more|run|ypper))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(
?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\x0b&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[\s\x0b&\)<>\|]|pt(?:[\s\x0b&\)<>\|]|-get)|r(?:[\s\x0b&\)<>j\|]|(?:p|ch)[\s\x0b&\)<>\|]|ia2c)|s(?:h[\s\x0b&\)<>\|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|tobm)|b(?:z(?:z[\s\x0b&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\)<>\|]|c))|h[\s\x0b&\)<>\|])|tch[\s\x0b&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\x0b&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[89]9|(?:a(?:t|ncel|psh)|c)[\s\x0b&\)<>\|]|mp|p(?:[\s\x0b&\)<>\|]|an|io|ulimit)|s(?:h|cli[\s\x0b&\)<>\|]|plit|vtool)|u(?:(?:t|rl)[\s\x0b&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\x0b&\)<>\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\s\x0b&\)\-<>\|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\x0b&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\)<>\|]|w(?:say|think))|r(?:ash[\s\x0b&\)<>\|]|on(?:[\s\
x0b&\)<>\|]|tab)))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\x0b&\)<>\|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\x0b&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\x0b&\)<>\|]|n(?:v(?:[\s\x0b&\)<>\|]|-update)|d(?:if|sw))|qn|s(?:[\s\x0b&\)<>h\|]|ac)|x(?:(?:ec)?[\s\x0b&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\x0b&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\x0b&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\x0b&\)<>\|]|le(?:[\s\x0b&\)<>\|]|test))|mt|tp(?:[\s\x0b&\)<>\|]|stats|who)|acter|o(?:ld[\s\x0b&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\x0b]|ore)|db|e(?:(?:m|tfacl)[\s\x0b&\)<>\|]|ni(?:e[\s\x0b&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\x0b&\)<>\|]|nsh)|(?:o|awk)[\s\x0b&\)<>\|]|pg|r(?:c|ep[\s\x0b&\)<>\|]|oup(?:[\s\x0b&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\x0b&\)<>\|]|e(?:ad[\s\x0b&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\x0b&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\x0b&\)<>\|]|exec|o(?:(?:bs|in)[\s\x0b&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\x0b&\)<>\|]|all)|nife[\s\x0b&\)<>\|])|l(?:d(?:d?[\s\x0b&\)<>\|]|config)|(?:[np]|inks|ynx)[\s\x0b&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\x0b&\)<>\|]|(?:la)?tex)|z(?:[\s\x0b&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\x0b&\)<>\|]|comm|log(?:in)?)|tex[\s\x0b&\)<>\|])|ess(?:[\s\x0b&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\x0b&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\x0b&\)<>\|]|il(?:[\s\x0b&\)<>q\|]|x[\s\x0b&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\x0b&\)<>\|]|k(?:dir[\s\x0b&\)<>\|]|fifo|nod|temp)|locate|o(?:squitto|unt[\s\x0b&\)<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\x0b&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\x0b&\)<>\|]|(?:c|st)a
t|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\x0b&\)<>\|]|m(?:[\s\x0b&\)<>\|]|ap)|p(?:m[\s\x0b&\)<>\|]|ing)|a(?:no[\s\x0b&\)<>\|]|sm|wk)|o(?:de[\s\x0b&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\x0b&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[\s\x0b&\)<>\|]|s(?:swd|te[\s\x0b&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\x0b&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\x0b&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\x0b&\)<>\|]|p[^\s\x0b]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\x0b&\)<>\|]|int(?:env|f[\s\x0b&\)<>\|]))|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:(?:f|ms)[\s\x0b&\)<>\|]|l(?:[\s\x0b&\)5<>\|]|sh))|opd|s(?:ed|ftp|ql)|u(?:ppet[\s\x0b&\)<>\|]|shd)|y(?:thon[^\s\x0b]|3?versions))|r(?:a(?:r[\s\x0b&\)<>\|]|k(?:e[\s\x0b&\)<>\|]|u))|c(?:p[\s\x0b&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\x0b&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\x0b&\)<>\|]|user)|pm(?:[\s\x0b&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\x0b&\)<>\|]|sync|u(?:by[^\s\x0b]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|(?:hed|r(?:een|ipt))[\s\x0b&\)<>\|])|e(?:(?:d|lf|rvice)[\s\x0b&\)<>\|]|t(?:(?:facl)?[\s\x0b&\)<>\|]|arch|env|sid)|ndmail)|(?:g|ash|nap)[\s\x0b&\)<>\|]|h(?:(?:adow|ells)?[\s\x0b&\)<>\|]|\.distrib|u(?:f|tdown[\s\x0b&\)<>\|]))|s(?:[\s\x0b&\)<>\|]|h(?:[\s\x0b&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\x0b&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\x0b&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\x0b&\)<>\|])|p(?:lit[\s\x0b&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\x0b&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\x0b&\)<>\|]|il[\s\x0b&\)<>f\|]|sk(?:[\s\x0b&\)<>\|]|set))|bl|c(?:p(?:[\s\x0b&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\x0b&\)<>\|]|lnet)|i(?:c[\s\x0b&\)<>\|]|me(?:datectl|out[\s\x0b&\)<>\|]))|o(?:p|uch[\s\x0b&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\x0b&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\x0b&\)<>\|]|expand|iq|l(?:ink[\s\x0b&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|
z(?:ip[\s\x0b&\)<>\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\x0b&\)<>\|]|diff)|ew[\s\x0b&\)<>\|]|gr|pw|rsh|sudo)|algrind|olatility[\s\x0b&\)<>\|])|w(?:3m|c|a(?:ll|tch)[\s\x0b&\)<>\|]|get|h(?:iptail[\s\x0b&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\x0b&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\x0b&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\x0b&\)<>\|]|um)|z(?:ip(?:[\s\x0b&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\x0b&\)<>\|])|f?grep|less|more|run|ypper))" \
"id:932236,\
phase:2,\
block,\
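Review bot: The only difference I can find between the removed and added 932236 patterns is in the `sc` branch: `c(?:p|hed|r(?:een|ipt)[\s\x0b&\)<>\|])` becomes `c(?:p|(?:hed|r(?:een|ipt))[\s\x0b&\)<>\|])`, so `sched` now requires one of the trailing delimiter characters, as `screen` and `script` already did. That stops it from matching as a bare prefix of longer words, but it also means `sched` as the very last characters of a value no longer matches. Because the pattern is generated (`crs-toolchain regex update 932236`), a one-token change inside a line this long is hard to review; please name the changed token in the commit message and make sure the rule's tests cover both the word-prefix case and the end-of-value case.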
@@ -1368,7 +1368,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1414,7 +1414,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 932239
#
-SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9
\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\x0b&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[\s\x0b&\)<>\|]|pt(?:[\s\x0b&\)<>\|]|-get)|r(?:[\s\x0b&\)<>j\|]|(?:p|ch)[\s\x0b&\)<>\|]|ia2c)|s(?:h[\s\x0b&\)<>\|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|tobm)|b(?:z(?:z[\s\x0b&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\)<>\|]|c))|h[\s\x0b&\)<>\|])|tch[\s\x0b&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\x0b&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[89]9|(?:a(?:t|ncel|psh)|c)[\s\x0b&\)<>\|]|mp|p(?:[\s\x0b&\)<>\|]|io|ulimit)|s(?:h|cli[\s\x0b&\)<>\|]|plit|vtool)|u(?:t[\s\x0b&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\x0b&\)<>\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\s\x0b&\)\-<>\|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\x0b&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\)<>\|]|w(?:say|think))|r(?:ash[\s\x0b&\)<>\|]|on(?:[\s\x0b&\)<>\|]|tab)))|d(?:(?:[du]|i(?:(?:alo)?g|
r|ff)|a(?:sh|te))[\s\x0b&\)<>\|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\x0b&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\x0b&\)<>\|]|n(?:v(?:[\s\x0b&\)<>\|]|-update)|d(?:if|sw))|qn|s(?:[\s\x0b&\)<>h\|]|ac)|x(?:(?:ec)?[\s\x0b&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\x0b&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\x0b&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\x0b&\)<>\|]|le(?:[\s\x0b&\)<>\|]|test))|mt|tp(?:[\s\x0b&\)<>\|]|stats|who)|acter|o(?:ld[\s\x0b&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\x0b]|ore)|db|e(?:(?:m|tfacl)[\s\x0b&\)<>\|]|ni(?:e[\s\x0b&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\x0b&\)<>\|]|nsh)|(?:o|awk)[\s\x0b&\)<>\|]|pg|r(?:c|ep[\s\x0b&\)<>\|]|oup(?:[\s\x0b&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\x0b&\)<>\|]|e(?:ad[\s\x0b&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\x0b&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\x0b&\)<>\|]|exec|o(?:(?:bs|in)[\s\x0b&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\x0b&\)<>\|]|all)|nife[\s\x0b&\)<>\|])|l(?:d(?:d?[\s\x0b&\)<>\|]|config)|(?:[np]|ynx)[\s\x0b&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\x0b&\)<>\|]|(?:la)?tex)|z(?:[\s\x0b&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\x0b&\)<>\|]|comm|log(?:in)?)|tex[\s\x0b&\)<>\|])|ess(?:[\s\x0b&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\x0b&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\x0b&\)<>\|]|il(?:[\s\x0b&\)<>q\|]|x[\s\x0b&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\x0b&\)<>\|]|k(?:dir[\s\x0b&\)<>\|]|fifo|nod|temp)|locate|o(?:squitto|unt[\s\x0b&\)<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\x0b&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\x0b&\)<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\x0b&\)
<>\|]|m(?:[\s\x0b&\)<>\|]|ap)|p(?:m[\s\x0b&\)<>\|]|ing)|a(?:no[\s\x0b&\)<>\|]|sm|wk)|o(?:de[\s\x0b&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\x0b&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[\s\x0b&\)<>\|]|s(?:swd|te[\s\x0b&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\x0b&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\x0b&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\x0b&\)<>\|]|p[^\s\x0b]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\x0b&\)<>\|]|int(?:env|f[\s\x0b&\)<>\|]))|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:(?:f|ms)[\s\x0b&\)<>\|]|l(?:[\s\x0b&\)5<>\|]|sh))|opd|s(?:ed|ftp|ql)|u(?:ppet[\s\x0b&\)<>\|]|shd)|y(?:thon[23]|3?versions))|r(?:a(?:r[\s\x0b&\)<>\|]|k(?:e[\s\x0b&\)<>\|]|u))|c(?:p[\s\x0b&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\x0b&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\x0b&\)<>\|]|user)|pm(?:[\s\x0b&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\x0b&\)<>\|]|sync|u(?:by[^\s\x0b]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\x0b&\)<>\|])|e(?:(?:d|lf|rvice)[\s\x0b&\)<>\|]|t(?:(?:facl)?[\s\x0b&\)<>\|]|arch|env|sid)|ndmail)|(?:g|ash)[\s\x0b&\)<>\|]|h(?:(?:adow|ells)?[\s\x0b&\)<>\|]|\.distrib|u(?:f|tdown[\s\x0b&\)<>\|]))|s(?:[\s\x0b&\)<>\|]|h(?:[\s\x0b&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\x0b&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\x0b&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\x0b&\)<>\|])|p(?:lit[\s\x0b&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\x0b&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\x0b&\)<>\|]|il[\s\x0b&\)<>f\|]|sk(?:[\s\x0b&\)<>\|]|set))|bl|c(?:p(?:[\s\x0b&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\x0b&\)<>\|]|lnet)|i(?:c[\s\x0b&\)<>\|]|me(?:datectl|out[\s\x0b&\)<>\|]))|o(?:p|uch[\s\x0b&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\x0b&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\x0b&\)<>\|]|expand|iq|l(?:ink[\s\x0b&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\x0b&\)<>\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d
|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\x0b&\)<>\|]|diff)|ew[\s\x0b&\)<>\|]|gr|pw|rsh|sudo)|algrind|olatility[\s\x0b&\)<>\|])|w(?:c|a(?:ll|tch)[\s\x0b&\)<>\|]|h(?:iptail[\s\x0b&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\x0b&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\x0b&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\x0b&\)<>\|]|um)|z(?:ip(?:[\s\x0b&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\x0b&\)<>\|])|f?grep|less|more|run|ypper))" \
+SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9
\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\x0b&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[\s\x0b&\)<>\|]|pt(?:[\s\x0b&\)<>\|]|-get)|r(?:[\s\x0b&\)<>j\|]|(?:p|ch)[\s\x0b&\)<>\|]|ia2c)|s(?:h[\s\x0b&\)<>\|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|tobm)|b(?:z(?:z[\s\x0b&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\)<>\|]|c))|h[\s\x0b&\)<>\|])|tch[\s\x0b&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\x0b&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[89]9|(?:a(?:t|ncel|psh)|c)[\s\x0b&\)<>\|]|mp|p(?:[\s\x0b&\)<>\|]|io|ulimit)|s(?:h|cli[\s\x0b&\)<>\|]|plit|vtool)|u(?:t[\s\x0b&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\x0b&\)<>\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\s\x0b&\)\-<>\|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\x0b&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\)<>\|]|w(?:say|think))|r(?:ash[\s\x0b&\)<>\|]|on(?:[\s\x0b&\)<>\|]|tab)))|d(?:(?:[du]|i(?:(?:alo)?g|
r|ff)|a(?:sh|te))[\s\x0b&\)<>\|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\x0b&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\x0b&\)<>\|]|n(?:v(?:[\s\x0b&\)<>\|]|-update)|d(?:if|sw))|qn|s(?:[\s\x0b&\)<>h\|]|ac)|x(?:(?:ec)?[\s\x0b&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\x0b&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\x0b&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\x0b&\)<>\|]|le(?:[\s\x0b&\)<>\|]|test))|mt|tp(?:[\s\x0b&\)<>\|]|stats|who)|acter|o(?:ld[\s\x0b&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\x0b]|ore)|db|e(?:(?:m|tfacl)[\s\x0b&\)<>\|]|ni(?:e[\s\x0b&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\x0b&\)<>\|]|nsh)|(?:o|awk)[\s\x0b&\)<>\|]|pg|r(?:c|ep[\s\x0b&\)<>\|]|oup(?:[\s\x0b&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\x0b&\)<>\|]|e(?:ad[\s\x0b&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\x0b&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\x0b&\)<>\|]|exec|o(?:(?:bs|in)[\s\x0b&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\x0b&\)<>\|]|all)|nife[\s\x0b&\)<>\|])|l(?:d(?:d?[\s\x0b&\)<>\|]|config)|(?:[np]|ynx)[\s\x0b&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\x0b&\)<>\|]|(?:la)?tex)|z(?:[\s\x0b&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\x0b&\)<>\|]|comm|log(?:in)?)|tex[\s\x0b&\)<>\|])|ess(?:[\s\x0b&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\x0b&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\x0b&\)<>\|]|il(?:[\s\x0b&\)<>q\|]|x[\s\x0b&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\x0b&\)<>\|]|k(?:dir[\s\x0b&\)<>\|]|fifo|nod|temp)|locate|o(?:squitto|unt[\s\x0b&\)<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\x0b&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\x0b&\)<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\x0b&\)
<>\|]|m(?:[\s\x0b&\)<>\|]|ap)|p(?:m[\s\x0b&\)<>\|]|ing)|a(?:no[\s\x0b&\)<>\|]|sm|wk)|o(?:de[\s\x0b&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\x0b&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[\s\x0b&\)<>\|]|s(?:swd|te[\s\x0b&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\x0b&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\x0b&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\x0b&\)<>\|]|p[^\s\x0b]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\x0b&\)<>\|]|int(?:env|f[\s\x0b&\)<>\|]))|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:(?:f|ms)[\s\x0b&\)<>\|]|l(?:[\s\x0b&\)5<>\|]|sh))|opd|s(?:ed|ftp|ql)|u(?:ppet[\s\x0b&\)<>\|]|shd)|y(?:thon[23]|3?versions))|r(?:a(?:r[\s\x0b&\)<>\|]|k(?:e[\s\x0b&\)<>\|]|u))|c(?:p[\s\x0b&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\x0b&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\x0b&\)<>\|]|user)|pm(?:[\s\x0b&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\x0b&\)<>\|]|sync|u(?:by[^\s\x0b]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|(?:hed|r(?:een|ipt))[\s\x0b&\)<>\|])|e(?:(?:d|lf|rvice)[\s\x0b&\)<>\|]|t(?:(?:facl)?[\s\x0b&\)<>\|]|arch|env|sid)|ndmail)|(?:g|ash)[\s\x0b&\)<>\|]|h(?:(?:adow|ells)?[\s\x0b&\)<>\|]|\.distrib|u(?:f|tdown[\s\x0b&\)<>\|]))|s(?:[\s\x0b&\)<>\|]|h(?:[\s\x0b&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\x0b&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\x0b&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\x0b&\)<>\|])|p(?:lit[\s\x0b&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\x0b&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\x0b&\)<>\|]|il[\s\x0b&\)<>f\|]|sk(?:[\s\x0b&\)<>\|]|set))|bl|c(?:p(?:[\s\x0b&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\x0b&\)<>\|]|lnet)|i(?:c[\s\x0b&\)<>\|]|me(?:datectl|out[\s\x0b&\)<>\|]))|o(?:p|uch[\s\x0b&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\x0b&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\x0b&\)<>\|]|expand|iq|l(?:ink[\s\x0b&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\x0b&\)<>\|]|std))|pdate-alternatives|ser(?:(?:ad|
mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\x0b&\)<>\|]|diff)|ew[\s\x0b&\)<>\|]|gr|pw|rsh|sudo)|algrind|olatility[\s\x0b&\)<>\|])|w(?:c|a(?:ll|tch)[\s\x0b&\)<>\|]|h(?:iptail[\s\x0b&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\x0b&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\x0b&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\x0b&\)<>\|]|um)|z(?:ip(?:[\s\x0b&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\x0b&\)<>\|])|f?grep|less|more|run|ypper))" \
"id:932239,\
phase:1,\
block,\
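Review bot: Moving `hed` inside the delimiter group in the `sc` branch narrows rule 932239, and that deserves a regression test. The removed pattern has `sc(?:p|hed|r(?:een|ipt)[\s\x0b&\)<>\|])` and the added one has `sc(?:p|(?:hed|r(?:een|ipt))[\s\x0b&\)<>\|])`, so `sched` now matches only when followed by whitespace or one of `& ) < > |`, as `screen` and `script` already did. That is the only difference I can find in the part of the two patterns shown here. Please confirm the rule's tests include a `sched` case with and without a trailing delimiter so the change in detection is intentional and pinned.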
@@ -1430,7 +1430,7 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)(?:^|b[\"'\)
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1465,14 +1465,14 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@pmFromFile unix-she
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
@@ -1531,7 +1531,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1572,7 +1572,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 932237
#
-SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\x0b&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[\s\x0b&\)<>\|]|pt(?:(?:itude)?[\s\x0b&\)<>\|]|-get)|r(?:[\s\x0b&\)<>j\|]|(?:p|ch)[\s\x0b&\)<>\|]|ia2c)|s(?:h?[\s\x0b&\)<>\|]|cii(?:-xfr|85)|pell)|t(?:[\s\x0b&\)<>\|]|obm)|dd(?:group|user)|getty|nsible)|b(?:z(?:z[\s\x0b&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\)<>\|]|c))|h[\s\x0b&\)<>\|])|tch[\s\x0b&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\x0b&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[89]9|(?:a(?:t|ncel|psh)|c)[\s\x0b&\)<>\|]|mp|p(?:[\s\x0b&\)<>\|]|io|ulimit)|s(?:h|cli[\s\x0b&\)<>\|]|plit|vtool)|u(?:t[\s\x0b&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\x0b&\)<>\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\s\x0b&\)\-<>\|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\x0b&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\)<>\|]|w(?:say|think))|r(?:ash[\s\x0b&\)<>\|]|on(?:[\s\x0b&\)<>\|]|tab)))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\x0b&\)<>\|]|n?f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\x0b&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\x0b&\)<>\|]|n(?:v(?:[\s\x0b&\)<>\|]|-update)|d(?:if|sw))|qn|s(?:[\s\x0b&\)<>h\|]|ac)|x(?:(?:ec)?[\s\x0b&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\x0b&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\x0b&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\x0b&\)<>\|]|le(?:[\s\x0b&\)<>\|]|test))|mt|tp(?:[\s\x0b&\)<>\|]|stats|who)|acter|o(?:ld[\s\x0b&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\x0b]|ore)|db|e(?:(?:m|tfacl)[\s\x0b&\)<>\|]|ni(?:e[\s\x0b&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\x0b&\)<>\|]|nsh)|(?:o|awk)[\s\x0b&\)<>\|]|pg|r(?:c|ep[\s\x0b&\)<>\|]|oup(?:[\s\x0b&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\x0b&\)<>\|]|e(?
:ad[\s\x0b&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\x0b&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\x0b&\)<>\|]|exec|o(?:(?:bs|in)[\s\x0b&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\x0b&\)<>\|]|all)|nife[\s\x0b&\)<>\|])|l(?:d(?:d?[\s\x0b&\)<>\|]|config)|(?:[np]|ynx)[\s\x0b&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\x0b&\)<>\|]|(?:la)?tex)|z(?:[\s\x0b&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\x0b&\)<>\|]|comm|log(?:in)?)|tex[\s\x0b&\)<>\|])|ess(?:[\s\x0b&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\x0b&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\x0b&\)<>\|]|il(?:[\s\x0b&\)<>q\|]|x[\s\x0b&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\x0b&\)<>\|]|k(?:dir[\s\x0b&\)<>\|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[\s\x0b&\)<>\|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\x0b&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\x0b&\)<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\x0b&\)<>\|]|m(?:[\s\x0b&\)<>\|]|ap)|p(?:m[\s\x0b&\)<>\|]|ing)|a(?:no[\s\x0b&\)<>\|]|sm|wk)|o(?:de[\s\x0b&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\x0b&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|cman|rted|tch)[\s\x0b&\)<>\|]|s(?:swd|te[\s\x0b&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\x0b&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\x0b&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\x0b&\)<>\|]|p[^\s\x0b]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\x0b&\)<>\|]|int(?:env|f[\s\x0b&\)<>\|]))|s(?:[\s\x0b&\)<>\|]|ed|ftp|ql)?|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:(?:f|ms)[\s\x0b&\)<>\|]|l(?:[\s\x0b&\)5<>\|]|sh))|opd|u(?:ppet[\s\x0b&\)<>\|]|shd)|y(?:thon[23]|3?versions))|r(?:a(?:r[\s\x0b&\)<>\|]|k(?:e[\s\x0b&\)<>\|]|u))|c(?:p[\s\x0b&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\x0b&\)<>\|]|a(?:delf|lpa
th)|stic)|m(?:(?:dir)?[\s\x0b&\)<>\|]|user)|pm(?:[\s\x0b&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\x0b&\)<>\|]|sync|u(?:by[^\s\x0b]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\x0b&\)<>\|])|e(?:(?:d|lf|rvice)[\s\x0b&\)<>\|]|t(?:(?:facl)?[\s\x0b&\)<>\|]|arch|env|sid)|ndmail)|(?:g|ash)[\s\x0b&\)<>\|]|h(?:(?:adow|ells)?[\s\x0b&\)<>\|]|\.distrib|u(?:f|tdown[\s\x0b&\)<>\|]))|s(?:[\s\x0b&\)<>\|]|h(?:[\s\x0b&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\x0b&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\x0b&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\x0b&\)<>\|])|p(?:lit[\s\x0b&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\x0b&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\x0b&\)<>\|]|il[\s\x0b&\)<>f\|]|sk(?:[\s\x0b&\)<>\|]|set))|bl|c(?:p(?:[\s\x0b&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\x0b&\)<>\|]|lnet)|i(?:c[\s\x0b&\)<>\|]|me(?:(?:out)?[\s\x0b&\)<>\|]|datectl))|o(?:p|uch[\s\x0b&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\x0b&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\x0b&\)<>\|]|expand|iq|l(?:ink[\s\x0b&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\x0b&\)<>\|]|std))|p(?:2date[\s\x0b&\)<>\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:ew)?[\s\x0b&\)<>\|]|m(?:[\s\x0b&\)<>\|]|diff)|gr|pw|rsh|sudo)|algrind|olatility[\s\x0b&\)<>\|])|w(?:[\s\x0b&\)<>c\|]|h(?:o(?:[\s\x0b&\)<>\|]|ami|is)?|iptail[\s\x0b&\)<>\|])|a(?:ll|tch)[\s\x0b&\)<>\|]|i(?:reshark|sh[\s\x0b&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\x0b&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\x0b&\)<>\|]|um)|z(?:ip(?:[\s\x0b&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\x0b&\)<>\|])|f?grep|less|more|run|ypper))(?:\b|[^0-9A-Z_a-z])" \
+SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\x0b&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[\s\x0b&\)<>\|]|pt(?:(?:itude)?[\s\x0b&\)<>\|]|-get)|r(?:[\s\x0b&\)<>j\|]|(?:p|ch)[\s\x0b&\)<>\|]|ia2c)|s(?:h?[\s\x0b&\)<>\|]|cii(?:-xfr|85)|pell)|t(?:[\s\x0b&\)<>\|]|obm)|dd(?:group|user)|getty|nsible)|b(?:z(?:z[\s\x0b&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\)<>\|]|c))|h[\s\x0b&\)<>\|])|tch[\s\x0b&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\x0b&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[89]9|(?:a(?:t|ncel|psh)|c)[\s\x0b&\)<>\|]|mp|p(?:[\s\x0b&\)<>\|]|io|ulimit)|s(?:h|cli[\s\x0b&\)<>\|]|plit|vtool)|u(?:t[\s\x0b&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\x0b&\)<>\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\s\x0b&\)\-<>\|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\x0b&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\)<>\|]|w(?:say|think))|r(?:ash[\s\x0b&\)<>\|]|on(?:[\s\x0b&\)<>\|]|tab)))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\x0b&\)<>\|]|n?f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\x0b&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\x0b&\)<>\|]|n(?:v(?:[\s\x0b&\)<>\|]|-update)|d(?:if|sw))|qn|s(?:[\s\x0b&\)<>h\|]|ac)|x(?:(?:ec)?[\s\x0b&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\x0b&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\x0b&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\x0b&\)<>\|]|le(?:[\s\x0b&\)<>\|]|test))|mt|tp(?:[\s\x0b&\)<>\|]|stats|who)|acter|o(?:ld[\s\x0b&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\x0b]|ore)|db|e(?:(?:m|tfacl)[\s\x0b&\)<>\|]|ni(?:e[\s\x0b&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\x0b&\)<>\|]|nsh)|(?:o|awk)[\s\x0b&\)<>\|]|pg|r(?:c|ep[\s\x0b&\)<>\|]|oup(?:[\s\x0b&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\x0b&\)<>\|]|e(?
:ad[\s\x0b&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\x0b&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\x0b&\)<>\|]|exec|o(?:(?:bs|in)[\s\x0b&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\x0b&\)<>\|]|all)|nife[\s\x0b&\)<>\|])|l(?:d(?:d?[\s\x0b&\)<>\|]|config)|(?:[np]|ynx)[\s\x0b&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\x0b&\)<>\|]|(?:la)?tex)|z(?:[\s\x0b&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\x0b&\)<>\|]|comm|log(?:in)?)|tex[\s\x0b&\)<>\|])|ess(?:[\s\x0b&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\x0b&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\x0b&\)<>\|]|il(?:[\s\x0b&\)<>q\|]|x[\s\x0b&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\x0b&\)<>\|]|k(?:dir[\s\x0b&\)<>\|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[\s\x0b&\)<>\|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\x0b&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\x0b&\)<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\x0b&\)<>\|]|m(?:[\s\x0b&\)<>\|]|ap)|p(?:m[\s\x0b&\)<>\|]|ing)|a(?:no[\s\x0b&\)<>\|]|sm|wk)|o(?:de[\s\x0b&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\x0b&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|cman|rted|tch)[\s\x0b&\)<>\|]|s(?:swd|te[\s\x0b&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\x0b&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\x0b&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\x0b&\)<>\|]|p[^\s\x0b]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\x0b&\)<>\|]|int(?:env|f[\s\x0b&\)<>\|]))|s(?:[\s\x0b&\)<>\|]|ed|ftp|ql)?|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:(?:f|ms)[\s\x0b&\)<>\|]|l(?:[\s\x0b&\)5<>\|]|sh))|opd|u(?:ppet[\s\x0b&\)<>\|]|shd)|y(?:thon[23]|3?versions))|r(?:a(?:r[\s\x0b&\)<>\|]|k(?:e[\s\x0b&\)<>\|]|u))|c(?:p[\s\x0b&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\x0b&\)<>\|]|a(?:delf|lpa
th)|stic)|m(?:(?:dir)?[\s\x0b&\)<>\|]|user)|pm(?:[\s\x0b&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\x0b&\)<>\|]|sync|u(?:by[^\s\x0b]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|(?:hed|r(?:een|ipt))[\s\x0b&\)<>\|])|e(?:(?:d|lf|rvice)[\s\x0b&\)<>\|]|t(?:(?:facl)?[\s\x0b&\)<>\|]|arch|env|sid)|ndmail)|(?:g|ash)[\s\x0b&\)<>\|]|h(?:(?:adow|ells)?[\s\x0b&\)<>\|]|\.distrib|u(?:f|tdown[\s\x0b&\)<>\|]))|s(?:[\s\x0b&\)<>\|]|h(?:[\s\x0b&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\x0b&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\x0b&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\x0b&\)<>\|])|p(?:lit[\s\x0b&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\x0b&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\x0b&\)<>\|]|il[\s\x0b&\)<>f\|]|sk(?:[\s\x0b&\)<>\|]|set))|bl|c(?:p(?:[\s\x0b&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\x0b&\)<>\|]|lnet)|i(?:c[\s\x0b&\)<>\|]|me(?:(?:out)?[\s\x0b&\)<>\|]|datectl))|o(?:p|uch[\s\x0b&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\x0b&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\x0b&\)<>\|]|expand|iq|l(?:ink[\s\x0b&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\x0b&\)<>\|]|std))|p(?:2date[\s\x0b&\)<>\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:ew)?[\s\x0b&\)<>\|]|m(?:[\s\x0b&\)<>\|]|diff)|gr|pw|rsh|sudo)|algrind|olatility[\s\x0b&\)<>\|])|w(?:[\s\x0b&\)<>c\|]|h(?:o(?:[\s\x0b&\)<>\|]|ami|is)?|iptail[\s\x0b&\)<>\|])|a(?:ll|tch)[\s\x0b&\)<>\|]|i(?:reshark|sh[\s\x0b&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\x0b&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\x0b&\)<>\|]|um)|z(?:ip(?:[\s\x0b&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\x0b&\)<>\|])|f?grep|less|more|run|ypper))(?:\b|[^0-9A-Z_a-z])" \
"id:932237,\
phase:1,\
block,\
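Review bot: The context comment above this rule says the pattern is generated with `crs-toolchain regex update 932237`, so the `sched` regrouping in the `sc` branch should come from the regex-assembly source and not from an edit to this line; please confirm the source file was changed and the rule regenerated. The effect here is a narrower match: with the trailing `(?:\b|[^0-9A-Z_a-z])` the old pattern accepted `sched` at any word boundary, while the new `(?:hed|r(?:een|ipt))[\s\x0b&\)<>\|]` needs whitespace or a shell metacharacter right after it. I see no other difference between the removed and added lines.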
@@ -1588,7 +1588,7 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z[arx]
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1645,7 +1645,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1681,7 +1681,7 @@ SecRule ARGS "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" \
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1715,7 +1715,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/137/134',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1748,7 +1748,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/137/134',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1781,7 +1781,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/137/134',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1814,14 +1814,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
index 69257e35e..89d605630 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
+++ b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
@@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
-# OWASP CRS ver.4.2.0
+# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@@ -14,8 +14,8 @@
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@@ -59,7 +59,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -100,7 +100,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -116,7 +116,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
capture,\
t:none,t:normalisePath,\
msg:'PHP Injection Attack: Configuration Directive Found',\
- logdata:'Matched Data: %{TX.933120_TX_0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ logdata:'Matched Data: %{TX.1} found within %{TX.933120_MATCHED_VAR_NAME}: %{TX.933120_MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
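Review bot: The new `logdata` on this chain starter prints `%{TX.1}`, which is filled only by the `capture` on the chained `@rx` rule added in the next hunk, not by anything on this rule. The `capture` kept on the starter (first context line of this hunk) used to feed `setvar:'tx.933120_tx_0=%{tx.0}'`, which the next hunk removes, and nothing in the visible lines reads `tx.0` any more. Either drop that `capture` or add a short comment saying which link in the chain populates `TX.1`, so a later reorder of the chain does not silently empty the log message.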
@@ -124,14 +124,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
- setvar:'tx.933120_tx_0=%{tx.0}',\
+ setvar:'tx.933120_matched_var=%{MATCHED_VAR}',\
+ setvar:'tx.933120_matched_var_name=%{MATCHED_VAR_NAME}',\
chain"
- SecRule MATCHED_VARS "@pm =" \
+ SecRule MATCHED_VARS "@rx \b([^\s]+)\s*=" \
"capture,\
- setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+ chain"
+ SecRule TX:1 "@pmFromFile php-config-directives.data" \
+ "setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
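Review bot: In the chained `SecRule MATCHED_VARS "@rx \b([^\s]+)\s*="`, the class `[^\s]+` also accepts `=`, so on a value with several `=` signs the greedy capture in `TX:1` runs up to the last one and can hold more than the name left of the first `=`. Because `@pmFromFile` matches a phrase anywhere in its input, the final rule then fires on a directive name sitting anywhere in that span. If the intent is to test only the token directly before an `=`, `[^\s=]+` expresses that; `[^\s]` can also be written `\S`.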
@@ -152,7 +155,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -188,7 +191,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -224,7 +227,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -291,7 +294,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -343,7 +346,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -398,7 +401,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -453,7 +456,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -500,13 +503,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@@ -535,7 +538,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
capture,\
t:none,\
msg:'PHP Injection Attack: Medium-Risk PHP Function Name Found',\
- logdata:'Matched Data: %{TX.933151_TX_0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ logdata:'Matched Data: %{TX.1} found within %{TX.933151_MATCHED_VAR_NAME}: %{TX.933151_MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
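Review bot: the `logdata` change on this line alters what operators see as "Matched Data" for 933151: it used to be the saved TX.0 of the first match (`%{TX.933151_TX_0}`) and is now the token captured before the opening parenthesis (`%{TX.1}`). Log parsers or exclusion tooling keyed on that field will see different values after the update, so this deserves a line in the CHANGELOG next to the coreruleset version bump.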
@@ -543,20 +546,23 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
- setvar:'tx.933151_tx_0=%{tx.0}',\
+ setvar:'tx.933151_matched_var=%{MATCHED_VAR}',\
+ setvar:'tx.933151_matched_var_name=%{MATCHED_VAR_NAME}',\
chain"
- SecRule MATCHED_VARS "@pm (" \
+ SecRule MATCHED_VARS "@rx \b([^\s]+)\s*[(]" \
"capture,\
- setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+ chain"
+ SecRule TX:1 "@pmFromFile php-function-names-933151.data" \
+ "setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
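Review bot: `SecRule MATCHED_VARS "@rx \b([^\s]+)\s*[(]"` has the delimiter inside its own capture class: `[^\s]+` matches `(`, so nested calls such as `a(b(` leave TX:1 as `a(b` before `php-function-names-933151.data` is consulted. `[^\s(]+` would restrict the capture to the name directly in front of the parenthesis. The two scoring `setvar` actions moved to the last link keep `tx.inbound_anomaly_score_pl2`, so the paranoia-level accounting is unchanged.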
@@ -598,7 +604,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -642,7 +648,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -684,7 +690,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -713,7 +719,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -748,14 +754,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
index a02458ee1..23e4953e7 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
+++ b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
@@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
-# OWASP CRS ver.4.2.0
+# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@@ -14,8 +14,8 @@
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@@ -65,7 +65,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -100,7 +100,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/664',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -135,7 +135,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1/180/77',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -167,7 +167,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -198,7 +198,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -228,13 +228,13 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@@ -256,7 +256,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -308,7 +308,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/664',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -340,20 +340,20 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
index adc56c29c..81e277b07 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
+++ b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
@@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
-# OWASP CRS ver.4.2.0
+# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@@ -14,8 +14,8 @@
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@@ -62,7 +62,7 @@ SecRule REQUEST_FILENAME "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-12
nolog,\
tag:'OWASP_CRS',\
ctl:ruleRemoveTargetByTag=xss-perf-disable;REQUEST_FILENAME,\
- ver:'OWASP_CRS/4.2.0'"
+ ver:'OWASP_CRS/4.3.0'"
#
@@ -94,7 +94,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -121,7 +121,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -151,7 +151,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -180,7 +180,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -213,7 +213,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -238,7 +238,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -265,7 +265,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -292,7 +292,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -314,7 +314,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -336,7 +336,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -358,7 +358,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -380,7 +380,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -402,7 +402,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -424,7 +424,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -446,7 +446,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -468,7 +468,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -490,7 +490,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -512,7 +512,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -534,7 +534,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -594,12 +594,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
- SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?:\xbc\s*/\s*[^\xbe>]*[\xbe>])|(?:<\s*/\s*[^\xbe]*\xbe)" \
- "t:none,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
- setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+ SecRule MATCHED_VARS "@rx (?:\xbc\s*/\s*[^\xbe>]*[\xbe>])|(?:<\s*/\s*[^\xbe]*\xbe)" \
+ "setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
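Review bot: the chained rule now reads `MATCHED_VARS` and drops its whole transformation list `t:none,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode`, so the `\xbc`/`\xbe` pattern is applied to whatever form MATCHED_VARS carries instead of an explicitly decoded value. Please confirm with a test that encoded input still reaches this pattern in decoded form, and keep an explicit `t:none` on the chained rule so its input does not depend on transformations set through default actions.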
@@ -624,7 +623,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -666,7 +665,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -694,7 +693,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|REQU
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -726,7 +725,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -756,14 +755,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@@ -787,7 +786,7 @@ SecRule REQUEST_FILENAME|REQUEST_HEADERS:Referer "@detectXSS" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -821,7 +820,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -847,7 +846,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -875,7 +874,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -963,7 +962,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
tag:'PCI/6.5.1',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -985,7 +984,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'PCI/6.5.1',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1010,7 +1009,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'PCI/6.5.1',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1043,23 +1042,23 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
index 282de337e..f9cb0f937 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
+++ b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
-# OWASP CRS ver.4.2.0
+# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
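Review bot: the `# OWASP CRS ver.4.3.0` header here, like every later hunk in REQUEST-942, changes only a version string, and all hunk offsets in this file are identical on both sides, so the diff alone cannot show whether this is upstream's 4.3.0 file or a search-and-replace over the 4.2.0 copy. Record in the PR how the vendored tree was produced (the upstream release archive and the checksum or signature that was verified), and consider a CI step that compares `coreruleset-v4/` against that archive.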
@@ -14,8 +14,8 @@
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@@ -59,7 +59,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -90,7 +90,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -123,7 +123,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -166,7 +166,7 @@ SecRule REQUEST_BASENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -192,7 +192,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -218,7 +218,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -242,7 +242,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -268,7 +268,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -294,7 +294,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -315,7 +315,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -336,7 +336,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -362,7 +362,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -388,7 +388,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -417,7 +417,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -443,7 +443,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -482,7 +482,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -523,7 +523,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -560,7 +560,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
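Review bot: in this hunk's context, `tag:'paranoia-level/1'` is followed directly by `tag:'capec/1000/152/248/66'`, without the `tag:'OWASP_CRS'` line that sits before the capec tag in the neighbouring 942 hunks. If the tag is absent from the whole rule and not just from the three context lines, tag-based exclusions or reporting keyed on `OWASP_CRS` will not cover this rule. Check the full rule and report it upstream rather than patching the vendored copy.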
@@ -589,7 +589,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -618,14 +618,14 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@@ -658,7 +658,7 @@ SecRule ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)!=|&&|\|\||>[=>]|<(?:<|
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -699,7 +699,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\x0b\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.942130_matched_var_name=%{matched_var_name}',\
chain"
@@ -735,7 +735,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\x0b\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.942131_matched_var_name=%{matched_var_name}',\
@@ -772,7 +772,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -815,7 +815,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -844,7 +844,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -873,7 +873,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -899,7 +899,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -925,7 +925,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -951,7 +951,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -985,7 +985,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1014,7 +1014,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1039,7 +1039,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1069,7 +1069,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1101,7 +1101,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1127,7 +1127,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1153,7 +1153,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1179,7 +1179,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1210,7 +1210,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1239,7 +1239,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1268,7 +1268,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1309,7 +1309,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@@ -1327,7 +1327,7 @@ SecRule ARGS_GET:fbclid "@rx [a-zA-Z0-9_-]{61,61}" \
nolog,\
tag:'OWASP_CRS',\
ctl:ruleRemoveTargetById=942440;ARGS:fbclid,\
- ver:'OWASP_CRS/4.2.0'"
+ ver:'OWASP_CRS/4.3.0'"
#
# -=[ Exclusion rule for 942440 ]=-
@@ -1342,7 +1342,7 @@ SecRule ARGS_GET:gclid "@rx [a-zA-Z0-9_-]{91,91}" \
nolog,\
tag:'OWASP_CRS',\
ctl:ruleRemoveTargetById=942440;ARGS:gclid,\
- ver:'OWASP_CRS/4.2.0'"
+ ver:'OWASP_CRS/4.3.0'"
#
# -=[ Detect SQL Comment Sequences ]=-
@@ -1396,7 +1396,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS "!@rx ^ey[\-0-9A-Z_a-z]+\.ey[\-0-9A-Z_a-z]+\.[\-0-9A-Z_a-z]+$" \
@@ -1427,7 +1427,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1474,7 +1474,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1501,7 +1501,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1534,7 +1534,7 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.942521_matched_var_name=%{matched_var_name}',\
chain"
@@ -1562,7 +1562,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ^.*?\x5c['\"`](?:.*?['\"`])?\s*(?:and|or)\b"
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1600,7 +1600,7 @@ SecRule REQUEST_BASENAME|REQUEST_FILENAME "@detectSQLi" \
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1632,7 +1632,7 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)\b(?:a(?:dd(
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1662,15 +1662,15 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)create[\s\x0
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
@@ -1702,7 +1702,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1726,7 +1726,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1766,7 +1766,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@@ -1795,7 +1795,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@@ -1825,7 +1825,7 @@ SecRule ARGS "@rx \W{4}" \
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}'"
@@ -1873,7 +1873,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1902,14 +1902,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
@@ -1936,7 +1936,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@@ -1965,7 +1965,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
index 909b033ba..2b273f6d8 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
+++ b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
@@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
-# OWASP CRS ver.4.2.0
+# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@@ -14,8 +14,8 @@
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@@ -43,7 +43,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/21/593/61',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -64,7 +64,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/21/593/61',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.943110_matched_var_name=%{matched_var_name}',\
chain"
@@ -91,7 +91,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/21/593/61',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.943120_matched_var_name=%{matched_var_name}',\
chain"
@@ -102,24 +102,24 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
index 2fd1c2234..b75755f6a 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
+++ b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
@@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
-# OWASP CRS ver.4.2.0
+# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@@ -13,8 +13,8 @@
#
# Many rules check request bodies, use "SecRequestBodyAccess On" to enable it on main modsecurity configuration file.
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@@ -46,7 +46,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -79,7 +79,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \
@@ -104,7 +104,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
@@ -136,7 +136,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -174,7 +174,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -222,14 +222,14 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@@ -260,7 +260,7 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -292,7 +292,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -313,7 +313,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -334,7 +334,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -358,7 +358,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -383,14 +383,14 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
@@ -417,14 +417,14 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
@@ -453,7 +453,7 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-949-BLOCKING-EVALUATION.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-949-BLOCKING-EVALUATION.conf
index 242eb1e4d..73b4e6928 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-949-BLOCKING-EVALUATION.conf
+++ b/src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-949-BLOCKING-EVALUATION.conf
@@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
-# OWASP CRS ver.4.2.0
+# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@@ -24,7 +24,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
@@ -34,7 +34,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
@@ -44,7 +44,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
@@ -54,7 +54,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
@@ -64,7 +64,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
@@ -74,7 +74,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
@@ -84,7 +84,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
@@ -94,7 +94,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
# at start of phase 2, we reset the aggregate scores to 0 to prevent duplicate counting of per-PL scores
@@ -106,7 +106,7 @@ SecAction \
t:none,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_inbound_anomaly_score=0'"
SecAction \
@@ -116,7 +116,7 @@ SecAction \
t:none,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_inbound_anomaly_score=0'"
# Summing up the blocking and detection anomaly scores in phase 2
@@ -128,7 +128,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
@@ -138,7 +138,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
@@ -148,7 +148,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
@@ -158,7 +158,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
@@ -168,7 +168,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
@@ -178,7 +178,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
@@ -188,7 +188,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
@@ -198,7 +198,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
@@ -217,7 +217,7 @@ SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_thresh
msg:'Inbound Anomaly Score Exceeded in phase 1 (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
tag:'anomaly-evaluation',\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
chain"
SecRule TX:EARLY_BLOCKING "@eq 1"
@@ -230,34 +230,34 @@ SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_thresh
msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
tag:'anomaly-evaluation',\
tag:'OWASP_CRS',\
- ver:'OWASP_CRS/4.2.0'"
+ ver:'OWASP_CRS/4.3.0'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-950-DATA-LEAKAGES.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-950-DATA-LEAKAGES.conf
index 04c8f64fd..052aa1d01 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-950-DATA-LEAKAGES.conf
+++ b/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-950-DATA-LEAKAGES.conf
@@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
-# OWASP CRS ver.4.2.0
+# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@@ -23,8 +23,8 @@
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@@ -48,7 +48,7 @@ SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?Index of.*?Inde
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54/127',\
tag:'PCI/6.5.6',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@@ -80,13 +80,13 @@ SecRule RESPONSE_BODY "@rx ^#\!\s?/" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@@ -110,22 +110,22 @@ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
tag:'OWASP_CRS',\
tag:'capec/1000/152',\
tag:'PCI/6.5.6',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
index 5403202d5..b743b521a 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
+++ b/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
@@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
-# OWASP CRS ver.4.2.0
+# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@@ -14,8 +14,8 @@
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@@ -38,7 +38,7 @@ SecRule RESPONSE_BODY "!@pmFromFile sql-errors.data" \
tag:'attack-disclosure',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
skipAfter:END-SQL-ERROR-MATCH-PL1"
SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
@@ -56,12 +56,17 @@ SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Micr
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
-SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" \
+# Regular expression generated from regex-assembly/951120.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 951120
+#
+SecRule RESPONSE_BODY "@rx (?i)\bORA-[0-9][0-9][0-9][0-9][0-9]:|java\.sql\.SQLException|Oracle(?: erro|[^\(\)]{0,20}Drive)r|Warning.{1,10}o(?:ci_.{1,30}|ra_.{1,20})" \
"id:951120,\
phase:4,\
block,\
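Review bot: the rewritten 951120 pattern is stricter than the line it replaces, and that narrowing should be checked against real Oracle error pages before merging. The ORA alternative now requires a word boundary, five digits and a trailing colon (`\bORA-[0-9][0-9][0-9][0-9][0-9]:`), where the removed line matched on four digits with nothing after them, so a response carrying an ORA code without the colon no longer scores. The bounded forms `Oracle[^\(\)]{0,20}Driver` and `Warning.{1,10}o(?:ci_.{1,30}|ra_.{1,20})` also drop matches the old `.*` versions allowed, including `Warning` immediately followed by `oci_`. Because the added comment says the expression is generated from regex-assembly/951120.ra, any adjustment belongs in that source and not in a hand edit of this vendored file.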
@@ -76,7 +81,7 @@ SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -96,7 +101,7 @@ SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -116,7 +121,7 @@ SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinit
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -136,7 +141,7 @@ SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -156,7 +161,7 @@ SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollba
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -176,7 +181,7 @@ SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -196,7 +201,7 @@ SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statem
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -216,7 +221,7 @@ SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -236,7 +241,7 @@ SecRule RESPONSE_BODY "@rx (?i:Warning : ibase_|Unexpected end of command
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -256,7 +261,7 @@ SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -276,7 +281,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsof
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -301,7 +306,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -311,7 +316,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 951240
#
-SecRule RESPONSE_BODY "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|pg_(?:query|exec)\(\) \[:|Warning.{1,20}\bpg_.*|valid PostgreSQL result|Npgsql\.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er" \
+SecRule RESPONSE_BODY "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|(?:pg_(?:query|exec)\(\) \[|org\.postgresql\.util\.PSQLException):|Warning.{1,20}\bpg_.*|valid PostgreSQL result|Npgsql\.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er" \
"id:951240,\
phase:4,\
block,\
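Review bot: the new `org\.postgresql\.util\.PSQLException` alternative in 951240 is only evaluated when the response passes the `!@pmFromFile sql-errors.data` gate earlier in this file, which skips to END-SQL-ERROR-MATCH-PL1 when no phrase matches. Please confirm that sql-errors.data gains a phrase covering the PSQLException string in the same update, otherwise this branch never runs. The alternative also shares the trailing `:` with `pg_(?:query|exec)\(\) \[`, so the class name must be followed directly by a colon to match. Separately, `Warning.{1,20}\bpg_.*` keeps an unbounded `.*` here while the equivalent Oracle alternatives in 951120 were bounded in this same change; worth asking whether that inconsistency is intended.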
@@ -326,7 +331,7 @@ SecRule RESPONSE_BODY "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -346,7 +351,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/J
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -366,7 +371,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*S
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -374,24 +379,24 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*S
SecMarker "END-SQL-ERROR-MATCH-PL1"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
index 0045e2d0a..0460050d1 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
+++ b/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
@@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
-# OWASP CRS ver.4.2.0
+# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
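Review bot: the header bump to `# OWASP CRS ver.4.3.0` has to stay in step with every per-rule `ver:'OWASP_CRS/4.3.0'` action in the same tree, because the `ver` value is what appears in ModSecurity log entries during triage. Suggest a CI step that greps `src/common/core/modsecurity/files/coreruleset-v4/` and fails if more than one `OWASP_CRS/` version string is present, so a partially applied vendor update cannot ship.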
@@ -14,8 +14,8 @@
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@@ -39,7 +39,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
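Review bot: the rule touched here matches through `@pmFromFile java-code-leakages.data`, so the new `ver:'OWASP_CRS/4.3.0'` is only accurate if that `.data` file comes from the same upstream tag as the `.conf`. Please confirm that the phrase files referenced by the `@pmFromFile` rules in this patch (`java-code-leakages.data`, `java-errors.data`, `php-errors.data`, `php-errors-pl2.data`, `iis-errors.data`, `web-shells-php.data`) were refreshed in the same commit, or note in the description that they are unchanged upstream between 4.2.0 and 4.3.0.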
@@ -64,30 +64,30 @@ SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
index 1482ccb24..0e75412fa 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
+++ b/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
@@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
-# OWASP CRS ver.4.2.0
+# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@@ -14,8 +14,8 @@
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@@ -39,7 +39,7 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@@ -64,7 +64,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@@ -90,13 +90,13 @@ SecRule RESPONSE_BODY "@rx (?i)<\?(?:=|php)?\s+" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@@ -123,21 +123,21 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors-pl2.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
index 0660b9c4a..d1062b7fd 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
+++ b/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
@@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
-# OWASP CRS ver.4.2.0
+# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@@ -14,8 +14,8 @@
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@@ -37,7 +37,7 @@ SecRule RESPONSE_BODY "@rx [a-z]:\x5cinetpub\b" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@@ -58,7 +58,7 @@ SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@@ -82,7 +82,7 @@ SecRule RESPONSE_BODY "@pmFromFile iis-errors.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@@ -104,7 +104,7 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
chain"
SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \
@@ -114,24 +114,24 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
diff --git a/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-955-WEB-SHELLS.conf b/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-955-WEB-SHELLS.conf
index c49215b3a..730dc7224 100644
--- a/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-955-WEB-SHELLS.conf
+++ b/src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-955-WEB-SHELLS.conf
@@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
-# OWASP CRS ver.4.2.0
+# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. (not) All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
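Review bot: the context line `# Copyright (c) 2006-2020 Trustwave and contributors. (not) All rights reserved.` carries a `(not)` that the same header in the 952, 953 and 954 files of this patch does not have. It is an unchanged line, so it is inherited rather than introduced here; check it against the upstream file and, if upstream reads the same, leave it alone so the vendored copy stays identical to the tag.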
@@ -14,8 +14,8 @@
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@@ -36,7 +36,7 @@ SecRule RESPONSE_BODY "@pmFromFile web-shells-php.data" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -55,7 +55,7 @@ SecRule RESPONSE_BODY "@rx (r57 Shell Version [0-9.]+ |r57
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -74,7 +74,7 @@ SecRule RESPONSE_BODY "@rx ^ .* Mini Shell .*Developed By LameHacker" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -131,7 +131,7 @@ SecRule RESPONSE_BODY "@rx \.:: .* ~ Ashiyane V [0-9.]+ ::\. " \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -150,7 +150,7 @@ SecRule RESPONSE_BODY "@rx Symlink_Sa [0-9.]+ " \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -169,7 +169,7 @@ SecRule RESPONSE_BODY "@rx CasuS [0-9.]+ by MafiABoY " \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -188,7 +188,7 @@ SecRule RESPONSE_BODY "@rx ^\r\n\r\nGRP WebShell [0-9.]+ " \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -207,7 +207,7 @@ SecRule RESPONSE_BODY "@rx NGHshell [0-9.]+ by Cr4sh\n$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -226,7 +226,7 @@ SecRule RESPONSE_BODY "@rx SimAttacker - (?:Version|Vrsion) : [0-9.]+ - "
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
- ver:'OWASP_CRS/4.2.0',\
+ ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -245,7 +245,7 @@ SecRule RESPONSE_BODY "@rx ^\n\n