Elgato_dark/bunkerweb
1
0
Fork 0
mirror of https://github.com/bunkerity/bunkerweb synced 2026-05-24 09:28:37 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

modsecurity - retrieve matched rules

Browse source
This commit is contained in:
Florian 2024-11-21 20:13:10 +01:00
parent 313edb4df3
commit f4974fbb9a
No known key found for this signature in database
GPG key ID: 52072123690D7318
44 changed files with 584 additions and 557 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
src/bw/lua/bunkerweb/utils.lua
View file

@ -307,7 +307,18 @@ utils.get_reason = function(ctx)
end
-- os.getenv
if os.getenv("REASON") == "modsecurity" then
return "modsecurity", {}, security_mode
local env_reason_data = os.getenv("REASON_DATA")
local reason_data = {}
if env_reason_data and env_reason_data ~= "" and env_reason_data ~= "none" then
if env_reason_data:sub(1, 1) == " " then
env_reason_data = env_reason_data:sub(2)
end
reason_data["ids"] = {}
for rule_id in env_reason_data:gmatch("%S+") do
table.insert(reason_data["ids"], rule_id)
end
end
return "modsecurity", reason_data, security_mode
end
-- datastore ban
local ip

8
src/common/core/modsecurity/confs/server-http/modsecurity-rules.conf.modsec
View file

@ -135,8 +135,8 @@ include /etc/nginx/modsec-crs/*.conf
include /etc/nginx/{{ service_id }}/modsec-crs/*.conf
{% endif %}
# unset REASON env var
SecAction "nolog,phase:1,setenv:REASON=none"
# unset REASON* env vars
SecAction "nolog,phase:1,setenv:REASON=none,setenv:REASON_DATA=none"
# Auto update allowed methods (Generated from ALLOWED_METHODS)
SecAction \
@ -212,8 +212,8 @@ include /etc/nginx/{{ service_id }}/modsec/*.conf
{% if USE_MODSECURITY_CRS == "yes" -%}
# set REASON env var
SecRuleUpdateActionById 949110 "t:none,deny,status:{{ DENY_HTTP_STATUS }},setenv:REASON=modsecurity"
SecRuleUpdateActionById 959100 "t:none,deny,status:{{ DENY_HTTP_STATUS }},setenv:REASON=modsecurity"
SecRuleUpdateActionById 949110 "t:none,deny,status:{{ DENY_HTTP_STATUS }},setenv:REASON=modsecurity,setenv:REASON_DATA=%{TX.BUNKERWEB_RULES}"
SecRuleUpdateActionById 959100 "t:none,deny,status:{{ DENY_HTTP_STATUS }},setenv:REASON=modsecurity,setenv:REASON_DATA=%{TX.BUNKERWEB_RULES}"
# let BW manage when method is not allowed (and save up some computing)
SecRuleUpdateActionById 911100 "t:none,allow,nolog"

14
src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-910-IP-REPUTATION.conf vendored
View file

@ -46,7 +46,7 @@ SecRule TX:DO_REPUT_BLOCK "@eq 1" \
chain,\
skipAfter:BEGIN-REQUEST-BLOCKING-EVAL"
SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -77,7 +77,7 @@ SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
SecRule TX:REAL_IP "@geoLookup" \
"chain"
SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" \
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
@ -104,7 +104,7 @@ SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
# tag:'attack-reputation-ip',\
# tag:'paranoia-level/1',\
# severity:'CRITICAL',\
# setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
# setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
# setvar:'ip.reput_block_flag=1',\
# setvar:'ip.reput_block_reason=%{rule.msg}',\
# expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
@ -195,7 +195,7 @@ SecRule TX:block_search_ip "@eq 1" \
chain,\
skipAfter:END-RBL-CHECK"
SecRule TX:httpbl_msg "@rx Search Engine" \
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
setvar:'ip.previous_rbl_check=1',\
@ -219,7 +219,7 @@ SecRule TX:block_spammer_ip "@eq 1" \
chain,\
skipAfter:END-RBL-CHECK"
SecRule TX:httpbl_msg "@rx (?i)^.*? spammer .*?$" \
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
setvar:'ip.previous_rbl_check=1',\
@ -243,7 +243,7 @@ SecRule TX:block_suspicious_ip "@eq 1" \
chain,\
skipAfter:END-RBL-CHECK"
SecRule TX:httpbl_msg "@rx (?i)^.*? suspicious .*?$" \
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
setvar:'ip.previous_rbl_check=1',\
@ -267,7 +267,7 @@ SecRule TX:block_harvester_ip "@eq 1" \
chain,\
skipAfter:END-RBL-CHECK"
SecRule TX:httpbl_msg "@rx (?i)^.*? harvester .*?$" \
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
setvar:'ip.previous_rbl_check=1',\

2
src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-911-METHOD-ENFORCEMENT.conf vendored
View file

@ -41,7 +41,7 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"

10
src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-913-SCANNER-DETECTION.conf vendored
View file

@ -49,7 +49,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
@ -72,7 +72,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
@ -97,7 +97,7 @@ SecRule REQUEST_FILENAME|ARGS "@pmFromFile scanners-urls.data" \
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
@ -137,7 +137,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
@ -171,7 +171,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'ip.reput_block_flag=1',\
setvar:'ip.reput_block_reason=%{rule.msg}',\
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"

62
src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf vendored
View file

@ -111,7 +111,7 @@ SecRule FILES_NAMES|FILES "@rx (?<!&(?:[aAoOuUyY]uml)|&(?:[aAeEiIoOuU]circ)|&(?:
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -140,7 +140,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -177,7 +177,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
chain"
SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \
"t:none,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -202,7 +202,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
chain"
SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
"t:none,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -513,7 +513,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -767,7 +767,7 @@ SecRule &TX:MAX_NUM_ARGS "@eq 1" \
chain"
SecRule &ARGS "@gt %{tx.max_num_args}" \
"t:none,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
## -- Arguments limits --
#
@ -792,7 +792,7 @@ SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
chain"
SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" \
"t:none,t:length,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Limit argument value length
@ -819,7 +819,7 @@ SecRule &TX:ARG_LENGTH "@eq 1" \
chain"
SecRule ARGS "@gt %{tx.arg_length}" \
"t:none,t:length,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Limit arguments total length
@ -843,7 +843,7 @@ SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \
chain"
SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" \
"t:none,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -870,7 +870,7 @@ SecRule &TX:MAX_FILE_SIZE "@eq 1" \
"chain"
SecRule REQUEST_HEADERS:Content-Length "@gt %{tx.max_file_size}" \
"t:none,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Combined file size is limited
@ -894,7 +894,7 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
chain"
SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \
"t:none,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
@ -929,7 +929,7 @@ SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+-]+(?:\s?;\s?(?:action|boundar
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# In case Content-Type header can be parsed, check the mime-type against
# the policy defined in the 'allowed_request_content_type' variable.
@ -956,7 +956,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
chain"
SecRule TX:content_type "!@within %{tx.allowed_request_content_type}" \
"t:lowercase,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -984,7 +984,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \
SecRule TX:1 "!@rx ^%{tx.allowed_request_content_type_charset}$" \
"t:none,\
ctl:forceRequestBodyVariable=On,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Restrict charset parameter inside content type header to occur max once.
@ -1006,7 +1006,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Restrict protocol versions.
@ -1028,7 +1028,7 @@ SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Restrict file extension
@ -1055,7 +1055,7 @@ SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
chain"
SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" \
"t:none,t:urlDecodeUni,t:lowercase,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Backup or "working" file extension
@ -1078,7 +1078,7 @@ SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Restricted HTTP headers
@ -1126,7 +1126,7 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
setvar:'tx.header_name_%{tx.0}=/%{tx.0}/',\
chain"
SecRule TX:/^header_name_/ "@within %{tx.restricted_headers}" \
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Restrict response charsets that we allow.
@ -1158,7 +1158,7 @@ SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# The following rule (920620) checks for the presence of 2 or more request Content-Type headers.
@ -1190,7 +1190,7 @@ SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
@ -1336,7 +1336,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
@ -1385,7 +1385,7 @@ SecRule FILES_NAMES|FILES "@rx ['\";=\x5c]" \
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -1413,7 +1413,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
chain"
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
"t:none,\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
@ -1444,7 +1444,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteR
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -1475,7 +1475,7 @@ SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \
chain"
SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \
"t:none,\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -1527,7 +1527,7 @@ SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(\s*\,\s*|$)){1,7}$" \
"setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
"setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
@ -1583,7 +1583,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90
tag:'paranoia-level/4',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# This is a stricter sibling of 920270.
@ -1604,7 +1604,7 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE
tag:'paranoia-level/4',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# This is a stricter sibling of 920270.
@ -1628,7 +1628,7 @@ SecRule REQUEST_HEADERS:Sec-Fetch-User "@validateByteRange 32,34,38,42-59,61,63,
tag:'paranoia-level/4',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# -=[ Abnormal Character Escapes ]=-
#
@ -1675,7 +1675,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\\\\])\\\\[cdegh
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#

26
src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-921-PROTOCOL-ATTACK.conf vendored
View file

@ -50,7 +50,7 @@ SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connec
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# -=[ HTTP Response Splitting ]=-
@ -83,7 +83,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\bhttp/\d|<(?:html|meta)\b)" \
@ -105,7 +105,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# -=[ HTTP Header Injection ]=-
@ -140,7 +140,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Detect newlines in argument names.
@ -169,7 +169,7 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" \
@ -191,7 +191,7 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# -=[ HTTP Splitting ]=-
@ -217,7 +217,7 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -249,7 +249,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# -=[ Body Processor Bypass ]=-
@ -282,7 +282,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s,]+[;\s,].*?(?:(?:application(?:
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
@ -317,7 +317,7 @@ SecRule ARGS_GET "@rx [\n\r]" \
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# -=[ Body Processor Bypass ]=-
@ -352,7 +352,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s,]+[;\s,].*?\b(?:(audio|image|vi
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
@ -388,7 +388,7 @@ SecRule &REQUEST_HEADERS:Range "@gt 0" \
tag:'capec/1000/210/272/220',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# -=[ HTTP Parameter Pollution ]=-
@ -442,7 +442,7 @@ SecRule TX:/paramcounter_.*/ "@gt 1" \
SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \
"capture,\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"

8
src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-922-MULTIPART-ATTACK.conf vendored
View file

@ -43,7 +43,7 @@ SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
chain"
SecRule ARGS:_charset_ "!@within |%{tx.allowed_request_content_type_charset}|" \
"t:lowercase,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Only allow specific charsets same as Rule 920600
@ -68,7 +68,7 @@ SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*+:\s*+(.*)$" \
chain"
SecRule TX:1 "!@rx ^(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*(?:\s*+,\s*+(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*)*$" \
"t:lowercase,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used (see: https://www.rfc-editor.org/rfc/rfc7578#section-4.7)
# Note: this is in phase:2 because these are headers that come in the body
@ -89,7 +89,7 @@ SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Multipart header names can't contain any characters outside of range 33 and 126,
# excluding 58 (':') which is the separator.
@ -112,4 +112,4 @@ SecRule MULTIPART_PART_HEADERS "@rx [^\x21-\x7E][\x21-\x39\x3B-\x7E]*:" \
tag:'capec/272/220',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"

8
src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf vendored
View file

@ -44,7 +44,7 @@ SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@r
tag:'capec/1000/255/153/126',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
#
@ -68,7 +68,7 @@ SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@rx (?
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
#
@ -95,7 +95,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# -=[ Restricted File Access ]=-
@ -122,7 +122,7 @@ SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"

8
src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf vendored
View file

@ -53,7 +53,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?):\/\/(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(?:file|ftps?|https?):\/\/" \
"id:931110,\
@ -74,7 +74,7 @@ SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_abso
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
"id:931120,\
@ -95,7 +95,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
@ -127,7 +127,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?)://([^/]*).*$" \
SecRule TX:/rfi_parameter_.*/ "!@endsWith .%{request_headers.host}" \
"ctl:auditLogParts=+E,\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"

30
src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf vendored
View file

@ -120,7 +120,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Apache 2.2 requires configuration file lines to be under 8kB.
# Therefore, some remaining commands have been split off to a separate rule.
@ -156,7 +156,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Windows command injection ]
@ -253,7 +253,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Apache 2.2 requires configuration file lines to be under 8kB.
# Therefore, some remaining commands have been split off to a separate rule.
@ -292,7 +292,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Windows PowerShell, cmdlets and options ]
@ -327,7 +327,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Unix shell expressions ]
@ -364,7 +364,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Windows FOR, IF commands ]
@ -410,7 +410,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Unix direct remote command execution ]
@ -461,7 +461,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Unix shell snippets ]
@ -498,7 +498,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169) ]
@ -530,7 +530,7 @@ SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
"id:932171,\
@ -552,7 +552,7 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -587,7 +587,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
@ -635,7 +635,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
SecRule MATCHED_VAR "@rx /" "t:none,t:urlDecodeUni,chain"
SecRule MATCHED_VAR "@rx \s" "t:none,t:urlDecodeUni,\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:932015,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
@ -682,7 +682,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# -=[ Bypass Rule 930120 (wildcard) ]=-
@ -714,7 +714,7 @@ SecRule ARGS "@rx (?:/|\\\\)(?:[\?\*]+[a-z/\\\\]+|[a-z/\\\\]+[\?\*]+)" \
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:932017,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:932018,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"

32
src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf vendored
View file

@ -63,7 +63,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# [ PHP Script Uploads ]
@ -105,7 +105,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -133,7 +133,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -158,7 +158,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -195,7 +195,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -224,7 +224,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -292,7 +292,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -346,7 +346,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -402,7 +402,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
@ -458,7 +458,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ PHP Functions: Variable Function Prevent Bypass ]
#
@ -500,7 +500,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
@ -547,7 +547,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
@ -598,7 +598,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -644,7 +644,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -687,7 +687,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ PHP Closing Tag Found ]
@ -717,7 +717,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"

2
src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf vendored
View file

@ -67,7 +67,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"

60
src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf vendored
View file

@ -53,7 +53,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -80,7 +80,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -106,7 +106,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -136,7 +136,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -162,7 +162,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -197,7 +197,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -222,7 +222,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -248,7 +248,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -275,7 +275,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<.*[:]?vmlframe.*?[\s/+]*?src[\s/+]*=)" \
@ -297,7 +297,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)" \
@ -319,7 +319,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:v|&#x?0*(?:86|56|118|76);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:b|&#x?0*(?:66|42|98|62);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)" \
@ -341,7 +341,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<EMBED[\s/+].*?(?:src|type).*?=" \
@ -363,7 +363,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx <[?]?import[\s\/+\S]*?implementation[\s\/+]*?=" \
@ -385,7 +385,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<META[\s/+].*?http-equiv[\s/+]*=[\s/+]*[\"'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))" \
@ -407,7 +407,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<META[\s/+].*?charset[\s/+]*=)" \
@ -429,7 +429,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<LINK[\s/+].*?href[\s/+]*=" \
@ -451,7 +451,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<BASE[\s/+].*?href[\s/+]*=" \
@ -473,7 +473,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<APPLET[\s/+>]" \
@ -495,7 +495,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<OBJECT[\s/+].*?(?:type|codetype|classid|code|data)[\s/+]*=" \
@ -517,7 +517,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# https://www.owasp.org/www-community/xss-filter-evasion-cheatsheet
@ -544,7 +544,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# https://nedbatchelder.com/blog/200704/xss_with_utf7.html
@ -571,7 +571,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Defend against JSFuck and Hieroglyphy obfuscation of Javascript code
@ -613,7 +613,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Prevent 941180 bypass by using JavaScript global variables
@ -641,7 +641,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
@ -672,7 +672,7 @@ SecRule REQUEST_HEADERS:Referer "@detectXSS" \
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -698,7 +698,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Detect tags that are the most common direct HTML injection points.
@ -781,7 +781,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\"'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|\\\\u006C)(?:o|\\\\u006F)(?:c|\\\\u0063)(?:a|\\\\u0061)(?:t|\\\\u0074)(?:i|\\\\u0069)(?:o|\\\\u006F)(?:n|\\\\u006E)|(?:n|\\\\u006E)(?:a|\\\\u0061)(?:m|\\\\u006D)(?:e|\\\\u0065)|(?:o|\\\\u006F)(?:n|\\\\u006E)(?:e|\\\\u0065)(?:r|\\\\u0072)(?:r|\\\\u0072)(?:o|\\\\u006F)(?:r|\\\\u0072)|(?:v|\\\\u0076)(?:a|\\\\u0061)(?:l|\\\\u006C)(?:u|\\\\u0075)(?:e|\\\\u0065)(?:O|\\\\u004F)(?:f|\\\\u0066)).*?=)" \
"id:941330,\
@ -802,7 +802,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule is also triggered by the following exploit(s):
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
@ -826,7 +826,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Defend against AngularJS client side template injection
@ -859,7 +859,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"

84
src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf vendored
View file

@ -62,7 +62,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -97,7 +97,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -123,7 +123,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regexp generated from util/regexp-assemble/regexp-942170.data using Regexp::Assemble.
# To rebuild the regexp:
@ -152,7 +152,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regexp generated from util/regexp-assemble/regexp-942190.data using Regexp::Assemble.
# To rebuild the regexp:
@ -181,7 +181,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|3.0.00738585072007e-308|1e309)$" \
"id:942220,\
@ -202,7 +202,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\s()]case\s*?\(|\)\s*?like\s*?\(|having\s*?[^\s]+\s*?[^\w\s]|if\s?\([\d\w]\s*?[=<>~])" \
"id:942230,\
@ -223,7 +223,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regexp generated from util/regexp-assemble/regexp-942240.data using Regexp::Assemble.
# To rebuild the regexp:
@ -252,7 +252,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:merge.*?using\s*?\(|execute\s*?immediate\s*?[\"'`]|match\s*?[\w(),+-]+\s*?against\s*?\()" \
"id:942250,\
@ -273,7 +273,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)union.*?select.*?from" \
"id:942270,\
@ -294,7 +294,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regexp generated from util/regexp-assemble/regexp-942280.data using Regexp::Assemble.
# To rebuild the regexp:
@ -323,7 +323,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|x?or|div|like|between|and)\]))" \
"id:942290,\
@ -344,7 +344,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regexp generated from util/regexp-assemble/regexp-942320.data using Regexp::Assemble.
# To rebuild the regexp:
@ -373,7 +373,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regexp generated from util/regexp-assemble/regexp-942350.data using Regexp::Assemble.
# To rebuild the regexp:
@ -402,7 +402,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule has a stricter sibling: 942361.
# The keywords 'alter' and 'union' led to false positives.
@ -442,7 +442,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# -=[ Detect MySQL in-line comments ]=-
@ -478,7 +478,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:942013,phase:1,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
@ -552,7 +552,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\)|\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -588,7 +588,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?(?:
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -626,7 +626,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regexp generated from util/regexp-assemble/regexp-942180.data using Regexp::Assemble.
# To rebuild the regexp:
@ -655,7 +655,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule is also triggered by the following exploit(s):
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
@ -687,7 +687,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule is also triggered by the following exploit(s):
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
@ -719,7 +719,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regexp generated from util/regexp-assemble/regexp-942260.data using Regexp::Assemble.
# To rebuild the regexp:
@ -748,7 +748,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regexp generated from util/regexp-assemble/regexp-942300.data using Regexp::Assemble.
# To rebuild the regexp:
@ -777,7 +777,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regexp generated from util/regexp-assemble/regexp-942310.data using Regexp::Assemble.
# To rebuild the regexp:
@ -806,7 +806,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# -=[ SQL Injection Probings ]=-
@ -843,7 +843,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regexp generated from util/regexp-assemble/regexp-942340.data using Regexp::Assemble.
# To rebuild the regexp:
@ -874,7 +874,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule is a stricter sibling of 942360.
# The keywords 'alter' and 'union' led to false positives.
@ -899,7 +899,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule is a sibling of 942330. See that rule for a description and overview.
#
@ -933,7 +933,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regexp generated from util/regexp-assemble/regexp-942380.data using Regexp::Assemble.
# To rebuild the regexp:
@ -960,7 +960,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regexp generated from util/regexp-assemble/regexp-942390.data using Regexp::Assemble.
# To rebuild the regexp:
@ -987,7 +987,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regexp generated from util/regexp-assemble/regexp-942400.data using Regexp::Assemble.
# To rebuild the regexp:
@ -1017,7 +1017,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# The former rule id 942410 was split into three new rules: 942410, 942470, 942480
#
@ -1054,7 +1054,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# The former rule id 942410 was split into three new rules: 942410, 942470, 942480
@ -1087,7 +1087,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# The former rule id 942410 was split into three new rules: 942410, 942470, 942480
@ -1120,7 +1120,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -1204,7 +1204,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -1230,7 +1230,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -1279,7 +1279,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:942015,phase:1,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
@ -1318,7 +1318,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule is a stricter sibling of 942330. See that rule for a
# description and overview.
@ -1342,7 +1342,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# [ SQL Injection Character Anomaly Usage ]
@ -1475,7 +1475,7 @@ SecRule REQUEST_BASENAME "@detectSQLi" \
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -1525,7 +1525,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:942017,phase:1,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:942018,phase:2,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"

6
src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf vendored
View file

@ -47,7 +47,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
@ -74,7 +74,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
SecRule TX:1 "!@endsWith %{request_headers.host}" \
"ctl:auditLogParts=+E,\
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
@ -98,7 +98,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
SecRule &REQUEST_HEADERS:Referer "@eq 0" \
"ctl:auditLogParts=+E,\
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"

18
src/common/core/modsecurity/files/coreruleset-v3/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf vendored
View file

@ -50,7 +50,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule is also triggered by the following exploit(s):
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ]
@ -86,7 +86,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
chain"
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \
"setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Magic bytes detected and payload included possibly RCE vulnerable classes detected and process execution methods detected
# anomaly score set to critical as all conditions indicate the request try to perform RCE.
@ -113,7 +113,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
"t:none,t:lowercase,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule is also triggered by the following exploit(s):
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/mazen160/struts-pwn ]
@ -144,7 +144,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
@ -183,7 +183,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Detecting possible base64 text to match encoded magic bytes \xac\xed\x00\x05 with padding encoded in base64 strings are rO0ABQ KztAAU Cs7QAF
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
@ -205,7 +205,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \
@ -227,7 +227,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule is also triggered by the following exploit(s):
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
@ -252,7 +252,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
@ -288,7 +288,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
ver:'OWASP_CRS/3.3.7',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"

6
src/common/core/modsecurity/files/coreruleset-v3/rules/RESPONSE-950-DATA-LEAKAGES.conf vendored
View file

@ -47,7 +47,7 @@ SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Inde
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.7',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
#
@ -81,7 +81,7 @@ SecRule RESPONSE_BODY "@rx ^#\!\s?/" \
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.7',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -113,7 +113,7 @@ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.7',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.anomaly_score_pl2=+%{tx.error_anomaly_score}'"

64
src/common/core/modsecurity/files/coreruleset-v3/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf vendored
View file

@ -62,9 +62,9 @@ SecRule TX:sql_error_match "@eq 1" \
SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951120,\
@ -87,9 +87,9 @@ SecRule TX:sql_error_match "@eq 1" \
SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951130,\
@ -112,9 +112,9 @@ SecRule TX:sql_error_match "@eq 1" \
SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.*DB2|DB2 SQL error|db2_\w+\()" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951140,\
@ -137,9 +137,9 @@ SecRule TX:sql_error_match "@eq 1" \
SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinity of:)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951150,\
@ -162,9 +162,9 @@ SecRule TX:sql_error_match "@eq 1" \
SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:sql_error_match "@eq 1" \
@ -188,9 +188,9 @@ SecRule TX:sql_error_match "@eq 1" \
SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollback\." \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951170,\
@ -213,9 +213,9 @@ SecRule TX:sql_error_match "@eq 1" \
SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951180,\
@ -238,9 +238,9 @@ SecRule TX:sql_error_match "@eq 1" \
SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.*Informix)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:sql_error_match "@eq 1" \
@ -264,9 +264,9 @@ SecRule TX:sql_error_match "@eq 1" \
SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:sql_error_match "@eq 1" \
@ -290,9 +290,9 @@ SecRule TX:sql_error_match "@eq 1" \
SecRule RESPONSE_BODY "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951210,\
@ -315,9 +315,9 @@ SecRule TX:sql_error_match "@eq 1" \
SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951220,\
@ -340,9 +340,9 @@ SecRule TX:sql_error_match "@eq 1" \
SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951230,\
@ -365,9 +365,9 @@ SecRule TX:sql_error_match "@eq 1" \
SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid MySQL|Column count doesn't match value count at row|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax;|You have an error in your SQL syntax near|MySQL server version for the right syntax to use|\[MySQL\]\[ODBC|Column count doesn't match|Table '[^']+' doesn't exist|SQL syntax.*MySQL|Warning.*mysql_.*|valid MySQL result|MySqlClient\.)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951240,\
@ -390,9 +390,9 @@ SecRule TX:sql_error_match "@eq 1" \
SecRule RESPONSE_BODY "@rx (?i:PostgreSQL query failed:|pg_query\(\) \[:|pg_exec\(\) \[:|PostgreSQL.*ERROR|Warning.*pg_.*|valid PostgreSQL result|Npgsql\.|PG::[a-zA-Z]*Error|Supplied argument is not a valid PostgreSQL .*? resource|Unable to connect to PostgreSQL server)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951250,\
@ -415,9 +415,9 @@ SecRule TX:sql_error_match "@eq 1" \
SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\.Exception|System\.Data\.SQLite\.SQLiteException)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:sql_error_match "@eq 1" \
"id:951260,\
@ -440,9 +440,9 @@ SecRule TX:sql_error_match "@eq 1" \
SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.*sybase.*|Sybase.*Server message.*)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"

4
src/common/core/modsecurity/files/coreruleset-v3/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf vendored
View file

@ -42,7 +42,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.7',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
#
@ -69,7 +69,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.7',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"

6
src/common/core/modsecurity/files/coreruleset-v3/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf vendored
View file

@ -42,7 +42,7 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.7',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
#
@ -69,7 +69,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.7',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
# Detect the presence of the PHP open tag "<?" or "<?php" in output.
@ -104,7 +104,7 @@ SecRule RESPONSE_BODY "@rx <\?(?!xml)" \
"capture,\
t:none,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"

8
src/common/core/modsecurity/files/coreruleset-v3/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf vendored
View file

@ -40,7 +40,7 @@ SecRule RESPONSE_BODY "@rx [a-z]:\\\\inetpub\b" \
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.7',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:<\/font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)<br>Timeout expired<br>)|<h1>internal server error<\/h1>.*?<h2>part of the server has crashed or it has a configuration error\.<\/h2>|cannot connect to the server: timed out)" \
@ -63,7 +63,7 @@ SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:<\/font
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.7',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
#
@ -89,7 +89,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.7',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -117,7 +117,7 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
"capture,\
t:none,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"

2
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-911-METHOD-ENFORCEMENT.conf vendored
View file

@ -41,7 +41,7 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"

2
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-913-SCANNER-DETECTION.conf vendored
View file

@ -53,7 +53,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"

118
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf vendored
View file

@ -66,7 +66,7 @@ SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\x0b#]*)?(?:#[^\s\x0b]*)
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.8.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -121,7 +121,7 @@ SecRule FILES|FILES_NAMES "!@rx (?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[a
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -150,7 +150,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -187,7 +187,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
chain"
SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \
"t:none,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -212,7 +212,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
chain"
SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
"t:none,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -255,7 +255,7 @@ SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0" \
SecRule &REQUEST_HEADERS:Content-Length "@eq 0" \
"chain"
SecRule &REQUEST_HEADERS:Transfer-Encoding "@eq 0" \
"setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
"setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# As per RFC7230 3.3.2: A sender MUST NOT send a Content-Length
@ -282,7 +282,7 @@ SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
chain"
SecRule &REQUEST_HEADERS:Content-Length "!@eq 0" \
"t:none,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -319,7 +319,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \
severity:'WARNING',\
chain"
SecRule TX:2 "@lt %{tx.1}" \
"setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
"setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -349,7 +349,7 @@ SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.8.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Check URL encodings
@ -396,7 +396,7 @@ SecRule REQUEST_URI_RAW "@rx \x25" \
chain"
SecRule TX:1|TX:2 "@validateUrlEncoding" \
"t:none,t:urlDecodeUni,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Validate URI encoding of the last path segment, only if it does not look like a file name.
@ -427,7 +427,7 @@ SecRule REQUEST_BASENAME "!@rx ^.*%.*\.[^\s\x0b\.]+$" \
chain"
SecRule TX:0 "@validateUrlEncoding" \
"t:none,t:urlDecodeUni,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -457,7 +457,7 @@ SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \
severity:'WARNING',\
chain"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \
"setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
"setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -499,7 +499,7 @@ SecRule REQUEST_URI|REQUEST_BODY "@rx (?i)%uff[0-9a-f]{2}" \
tag:'capec/1000/255/153/267/72',\
ver:'OWASP_CRS/4.8.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -555,7 +555,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -587,7 +587,7 @@ SecRule &REQUEST_HEADERS:Host "@eq 0" \
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.8.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
skipAfter:END-HOST-CHECK"
@ -606,7 +606,7 @@ SecRule REQUEST_HEADERS:Host "@rx ^$" \
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecMarker "END-HOST-CHECK"
@ -651,7 +651,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
"chain"
SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android Business Enterprise Entreprise" \
"t:none,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# This rule is a sibling of rule 920310.
@ -676,7 +676,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
"chain"
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
"t:none,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -704,7 +704,7 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.8.0',\
severity:'NOTICE',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Missing Content-Type Header with Request Body
@ -744,7 +744,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
chain"
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
"t:none,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Check that the host header is not an IP address
# This is not an HTTP RFC violation but it is indicative of automated client access.
@ -786,7 +786,7 @@ SecRule REQUEST_HEADERS:Host "@rx (?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.8.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# In most cases, you should expect a certain volume of each a request on your
@ -821,7 +821,7 @@ SecRule &TX:MAX_NUM_ARGS "@eq 1" \
chain"
SecRule &ARGS "@gt %{tx.max_num_args}" \
"t:none,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
## -- Arguments limits --
#
@ -846,7 +846,7 @@ SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
chain"
SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" \
"t:none,t:length,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Limit argument value length
@ -873,7 +873,7 @@ SecRule &TX:ARG_LENGTH "@eq 1" \
chain"
SecRule ARGS "@gt %{tx.arg_length}" \
"t:none,t:length,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Limit arguments total length
@ -897,7 +897,7 @@ SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \
chain"
SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" \
"t:none,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -924,7 +924,7 @@ SecRule &TX:MAX_FILE_SIZE "@eq 1" \
"chain"
SecRule REQUEST_HEADERS:Content-Length "@gt %{tx.max_file_size}" \
"t:none,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Combined file size is limited
@ -948,7 +948,7 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
chain"
SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \
"t:none,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
@ -985,7 +985,7 @@ SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+*-]+(?:\s?;\s*(?:action|bounda
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# In case Content-Type header can be parsed, check the mime-type against
# the policy defined in the 'allowed_request_content_type' variable.
@ -1012,7 +1012,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
chain"
SecRule TX:content_type "!@within %{tx.allowed_request_content_type}" \
"t:lowercase,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -1041,7 +1041,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \
SecRule TX:content_type_charset "!@within %{tx.allowed_request_content_type_charset}" \
"t:lowercase,\
ctl:forceRequestBodyVariable=On,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Restrict charset parameter inside content type header to occur max once.
@ -1063,7 +1063,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Restrict protocol versions.
@ -1085,7 +1085,7 @@ SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Restrict file extension
@ -1112,7 +1112,7 @@ SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
chain"
SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" \
"t:none,t:lowercase,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Backup or "working" file extension
@ -1135,7 +1135,7 @@ SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Restricted HTTP headers
@ -1192,7 +1192,7 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
setvar:'tx.header_name_920450_%{tx.0}=/%{tx.0}/',\
chain"
SecRule TX:/^header_name_920450_/ "@within %{tx.restricted_headers_basic}" \
"setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
"setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Rule against CVE-2022-21907
@ -1223,7 +1223,7 @@ SecRule REQUEST_HEADERS:Accept-Encoding "@gt 100" \
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Restrict response charsets that we allow.
@ -1255,7 +1255,7 @@ SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Unicode character bypass check for non JSON requests
@ -1280,7 +1280,7 @@ SecRule REQBODY_PROCESSOR "!@streq JSON" \
severity:'CRITICAL',\
chain"
SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?i)\x5cu[0-9a-f]{4}" \
"setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
"setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Disallow any raw URL fragments. The '#' character should be omitted or URL-encoded.
@ -1302,7 +1302,7 @@ SecRule REQUEST_URI_RAW "@contains #" \
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# The following rule (920620) checks for the presence of 2 or more request Content-Type headers.
@ -1334,7 +1334,7 @@ SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
@ -1381,7 +1381,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d
severity:'WARNING',\
chain"
SecRule REQUEST_BASENAME "!@endsWith .pdf" \
"setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
"setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# This is a sibling of rule 920200
@ -1405,7 +1405,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
severity:'WARNING',\
chain"
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \
"setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
"setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule ARGS "@rx %[0-9a-fA-F]{2}" \
@ -1424,7 +1424,7 @@ SecRule ARGS "@rx %[0-9a-fA-F]{2}" \
tag:'capec/1000/255/153/267/120',\
ver:'OWASP_CRS/4.8.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -1446,7 +1446,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
@ -1473,7 +1473,7 @@ SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.8.0',\
severity:'NOTICE',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.notice_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.notice_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -1495,7 +1495,7 @@ SecRule FILES_NAMES|FILES "@rx ['\";=\x5c]" \
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -1523,7 +1523,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
chain"
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
"t:none,\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -1550,7 +1550,7 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
setvar:'tx.header_name_920451_%{tx.0}=/%{tx.0}/',\
chain"
SecRule TX:/^header_name_920451_/ "@within %{tx.restricted_headers_extended}" \
"setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
"setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -1578,7 +1578,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded
SecRule REQUEST_BODY "@rx \x25" \
"chain"
SecRule REQUEST_BODY "@validateUrlEncoding" \
"setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
"setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
@ -1608,7 +1608,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteR
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Missing Accept Header
@ -1647,7 +1647,7 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
"chain"
SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android" \
"t:none,\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.notice_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.notice_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -1678,7 +1678,7 @@ SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \
chain"
SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \
"t:none,\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -1730,7 +1730,7 @@ SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:\s*\,\s*|$)){1,7}$" \
"setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
"setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# This rule checks for valid Accept-Encoding headers
@ -1759,7 +1759,7 @@ SecRule REQUEST_HEADERS:Accept-Encoding "!@rx br|compress|deflate|(?:pack200-)?g
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
@ -1789,7 +1789,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
severity:'WARNING',\
chain"
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
"setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}'"
"setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -1814,7 +1814,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# This is a stricter sibling of 920270.
@ -1835,7 +1835,7 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# This is a stricter sibling of 920270.
@ -1861,7 +1861,7 @@ SecRule REQUEST_HEADERS:Sec-Fetch-User|REQUEST_HEADERS:Sec-CH-UA-Mobile "!@rx ^(
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# -=[ Abnormal Character Escapes ]=-
#
@ -1906,7 +1906,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\x5c])\x5c[cdegh
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#

32
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-921-PROTOCOL-ATTACK.conf vendored
View file

@ -49,7 +49,7 @@ SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connec
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# -=[ HTTP Response Splitting ]=-
@ -81,7 +81,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\bhttp/\d|<(?:html|meta)\b)" \
@ -102,7 +102,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# -=[ HTTP Header Injection ]=-
@ -136,7 +136,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Detect newlines in argument names.
@ -164,7 +164,7 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" \
@ -185,7 +185,7 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# -=[ HTTP Splitting ]=-
@ -211,7 +211,7 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -243,7 +243,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/136',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# -=[ Body Processor Bypass ]=-
@ -276,7 +276,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?(?:applicati
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -302,7 +302,7 @@ SecRule REQUEST_URI "@rx unix:[^|]*\|" \
tag:'capec/1000/210/272/220/33',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
@ -336,7 +336,7 @@ SecRule ARGS_GET "@rx [\n\r]" \
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# -=[ Body Processor Bypass ]=-
@ -371,7 +371,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?\b(?:((?:tex
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
@ -407,7 +407,7 @@ SecRule &REQUEST_HEADERS:Range "@gt 0" \
tag:'capec/1000/210/272/220',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# -=[ HTTP Parameter Pollution ]=-
@ -458,7 +458,7 @@ SecRule TX:/paramcounter_.*/ "@gt 1" \
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# -=[ HTTP Parameter Pollution ]=-
@ -500,7 +500,7 @@ SecRule ARGS_NAMES "@rx (][^\]]+$|][^\]]+\[)" \
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
@ -548,7 +548,7 @@ SecRule ARGS_NAMES "@rx \[" \
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"

8
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-922-MULTIPART-ATTACK.conf vendored
View file

@ -44,7 +44,7 @@ SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
chain"
SecRule TX:922100_CHARSET "!@within %{tx.allowed_request_content_type_charset}" \
"t:lowercase,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Only allow specific charsets same as Rule 920600
@ -73,7 +73,7 @@ SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*:\s*(.*)$" \
severity:'CRITICAL',\
chain"
SecRule TX:1 "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*(?:[\s\x0b]*,[\s\x0b]*(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*)*$" \
"setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
"setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used (see: https://www.rfc-editor.org/rfc/rfc7578#section-4.7)
# Note: this is in phase:2 because these are headers that come in the body
@ -94,7 +94,7 @@ SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \
tag:'capec/272/220',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Multipart header names can't contain any characters outside of range 33 and 126,
# excluding 58 (':') which is the separator.
@ -117,4 +117,4 @@ SecRule MULTIPART_PART_HEADERS "@rx [^\x21-\x7E][\x21-\x39\x3B-\x7E]*:" \
tag:'capec/272/220',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"

10
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf vendored
View file

@ -49,7 +49,7 @@ SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:
tag:'capec/1000/255/153/126',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
#
@ -82,7 +82,7 @@ SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
#
@ -113,7 +113,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# -=[ Restricted File Access ]=-
@ -140,7 +140,7 @@ SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
@ -178,7 +178,7 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@pmFromFile lfi-os-f
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"

10
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf vendored
View file

@ -52,7 +52,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?)://(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(?:file|ftps?|https?)://" \
"id:931110,\
@ -72,7 +72,7 @@ SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_abso
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
"id:931120,\
@ -92,7 +92,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
@ -134,7 +134,7 @@ SecRule ARGS "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|it
chain"
SecRule TX:/rfi_parameter_.*/ "!@endsWith .%{request_headers.host}" \
"setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This is a (stricter) sibling of 931130.
#
@ -164,7 +164,7 @@ SecRule REQUEST_FILENAME "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b
chain"
SecRule TX:/rfi_parameter_.*/ "!@endsWith .%{request_headers.host}" \
"setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"

78
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf vendored
View file

@ -138,7 +138,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Unix command injection ]
#
@ -198,7 +198,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Windows PowerShell, cmdlets and options ]
@ -231,7 +231,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Windows Powershell cmdlet aliases ]
@ -265,7 +265,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Unix shell expressions ]
@ -309,7 +309,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Windows FOR, IF commands ]
@ -356,7 +356,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Unix shell expressions - Bash Tilde expansion ]
@ -395,7 +395,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Unix direct remote command execution ]
@ -476,7 +476,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Unix command injection ]
#
@ -535,7 +535,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Unix shell history invocation ]
#
@ -571,7 +571,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Unix shell snippets ]
@ -612,7 +612,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169) ]
@ -643,7 +643,7 @@ SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
"id:932171,\
@ -664,7 +664,7 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Unix shell alias detection ]
@ -706,7 +706,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -740,7 +740,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Windows command injection ]
@ -834,7 +834,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# This rule detects Windows shell command injections.
@ -871,7 +871,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
@ -937,7 +937,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This is a stricter sibling of rule 932130.
#
@ -970,7 +970,7 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx \$(?:\((?:.*|\(.
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# -=[ Rule 932200 ]=-
@ -1026,7 +1026,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
SecRule MATCHED_VAR "@rx \s" \
"t:none,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# -=[ Rule 932205 ]=-
@ -1072,7 +1072,7 @@ SecRule REQUEST_HEADERS:Referer "@rx ^[^#]+" \
SecRule TX:1 "@rx \s" \
"t:none,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# -=[ Rule 932206 ]=-
@ -1111,7 +1111,7 @@ SecRule REQUEST_HEADERS:Referer "@rx ^[^\.]*?(?:['\*\?\x5c`][^\n/]+/|/[^/]+?['\*
SecRule MATCHED_VAR "@rx \s" \
"t:none,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regular expression generated from regex-assembly/932220.ra.
# To update the regular expression run the following shell script
@ -1137,7 +1137,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# -=[ Rule 932240 ]=-
#
@ -1204,7 +1204,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:
SecRule MATCHED_VAR "!@rx [0-9]\s*\'\s*[0-9]" \
"t:none,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
@ -1242,7 +1242,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# -=[ SMTP/IMAP/POP3 Command Execution ]=-
#
@ -1284,7 +1284,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# =[ IMAP Command Execution ]=
#
@ -1316,7 +1316,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# =[ POP3 Command Execution ]=
#
@ -1350,7 +1350,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Unix command injection ]
@ -1412,7 +1412,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Unix command injection ]
#
@ -1474,7 +1474,7 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)(?:^|b[\"'\)
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Unix shell snippets ]
@ -1509,7 +1509,7 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@pmFromFile unix-she
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
@ -1575,7 +1575,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Unix command injection ]
#
@ -1632,7 +1632,7 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z[arx]
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Unix command injection ]
#
@ -1689,7 +1689,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -1725,7 +1725,7 @@ SecRule ARGS "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" \
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# -=[ SMTP commands ]=-
@ -1759,7 +1759,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# =[ IMAP4 Command Execution ]=
#
@ -1792,7 +1792,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# =[ POP3 Command Execution ]=
#
@ -1825,7 +1825,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# =[ Unix shell history invocation ]=
@ -1858,7 +1858,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"

34
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf vendored
View file

@ -62,7 +62,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# [ PHP Script Uploads ]
@ -103,7 +103,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -134,7 +134,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
chain"
SecRule TX:1 "@pmFromFile php-config-directives.data" \
"setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -158,7 +158,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -194,7 +194,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -230,7 +230,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -297,7 +297,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -349,7 +349,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -404,7 +404,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
@ -459,7 +459,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ PHP Functions: Variable Function Prevent Bypass ]
#
@ -506,7 +506,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
@ -556,7 +556,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
chain"
SecRule TX:1 "@pmFromFile php-function-names-933151.data" \
"setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
@ -607,7 +607,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -651,7 +651,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -693,7 +693,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ PHP Closing Tag Found ]
@ -722,7 +722,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ PHP Functions: Variable Function Prevent Bypass ]
@ -757,7 +757,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"

18
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf vendored
View file

@ -69,7 +69,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# -=[ SSRF Attacks ]=-
#
@ -103,7 +103,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# JavaScript prototype pollution injection attempts
#
@ -139,7 +139,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Ruby generic RCE signatures ]
#
@ -170,7 +170,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ NodeJS DoS signatures ]
#
@ -202,7 +202,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ PHP data: scheme ]
#
@ -231,7 +231,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
@ -260,7 +260,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# -=[ SSRF Attacks ]=-
#
@ -311,7 +311,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Perl generic RCE signatures ]
@ -343,7 +343,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"

66
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf vendored
View file

@ -97,7 +97,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -124,7 +124,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -154,7 +154,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -183,7 +183,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -216,7 +216,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -241,7 +241,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -268,7 +268,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -295,7 +295,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i:<.*[:]?vmlframe.*?[\s/+]*?src[\s/+]*=)" \
@ -317,7 +317,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)(?:j|&#(?:0*(?:74|106)|x0*[46]A);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:v|&#(?:0*(?:86|118)|x0*[57]6);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;))." \
@ -339,7 +339,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)(?:v|&#(?:0*(?:118|86)|x0*[57]6);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:b|&#(?:0*(?:98|66)|x0*[46]2);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;))." \
@ -361,7 +361,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<EMBED[\s/+].*?(?:src|type).*?=" \
@ -383,7 +383,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx <[?]?import[\s/+\S]*?implementation[\s/+]*?=" \
@ -405,7 +405,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i:<META[\s/+].*?http-equiv[\s/+]*=[\s/+]*[\"'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))" \
@ -427,7 +427,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i:<META[\s/+].*?charset[\s/+]*=)" \
@ -449,7 +449,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<LINK[\s/+].*?href[\s/+]*=" \
@ -471,7 +471,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<BASE[\s/+].*?href[\s/+]*=" \
@ -493,7 +493,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<APPLET[\s/+>]" \
@ -515,7 +515,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<OBJECT[\s/+].*?(?:type|codetype|classid|code|data)[\s/+]*=" \
@ -537,7 +537,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html
@ -599,7 +599,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
chain"
SecRule MATCHED_VARS "@rx (?:\xbc\s*/\s*[^\xbe>]*[\xbe>])|(?:<\s*/\s*[^\xbe]*\xbe)" \
"setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# https://nedbatchelder.com/blog/200704/xss_with_utf7.html
@ -626,7 +626,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Defend against JSFuck and Hieroglyphy obfuscation of Javascript code
@ -668,7 +668,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Prevent 941180 bypass by using JavaScript global variables
@ -696,7 +696,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|REQU
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# JavaScript methods which take code as a string types are considered unsafe.
@ -728,7 +728,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -758,7 +758,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
@ -789,7 +789,7 @@ SecRule REQUEST_FILENAME|REQUEST_HEADERS:Referer "@detectXSS" \
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -823,7 +823,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -849,7 +849,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
@ -877,7 +877,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
@ -965,7 +965,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i:[\"'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|\x5cu006C)(?:o|\x5cu006F)(?:c|\x5cu0063)(?:a|\x5cu0061)(?:t|\x5cu0074)(?:i|\x5cu0069)(?:o|\x5cu006F)(?:n|\x5cu006E)|(?:n|\x5cu006E)(?:a|\x5cu0061)(?:m|\x5cu006D)(?:e|\x5cu0065)|(?:o|\x5cu006F)(?:n|\x5cu006E)(?:e|\x5cu0065)(?:r|\x5cu0072)(?:r|\x5cu0072)(?:o|\x5cu006F)(?:r|\x5cu0072)|(?:v|\x5cu0076)(?:a|\x5cu0061)(?:l|\x5cu006C)(?:u|\x5cu0075)(?:e|\x5cu0065)(?:O|\x5cu004F)(?:f|\x5cu0066)).*?=)" \
"id:941330,\
@ -987,7 +987,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule is also triggered by the following exploit(s):
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
@ -1012,7 +1012,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# Defend against AngularJS client side template injection
@ -1045,7 +1045,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"

120
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf vendored
View file

@ -62,7 +62,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -93,7 +93,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -126,7 +126,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -170,7 +170,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regular expression generated from regex-assembly/942170.ra.
# To update the regular expression run the following shell script
@ -196,7 +196,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regular expression generated from regex-assembly/942190.ra.
# To update the regular expression run the following shell script
@ -222,7 +222,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Magic number crash in PHP strtod from 2011:
# https://www.exploringbinary.com/php-hangs-on-numeric-value-2-2250738585072011e-308/
@ -246,7 +246,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regular expression generated from regex-assembly/942230.ra.
# To update the regular expression run the following shell script
@ -272,7 +272,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regular expression generated from regex-assembly/942240.ra.
# To update the regular expression run the following shell script
@ -298,7 +298,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:merge.*?using\s*?\(|execute\s*?immediate\s*?[\"'`]|match\s*?[\w(),+-]+\s*?against\s*?\()" \
"id:942250,\
@ -319,7 +319,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)union.*?select.*?from" \
"id:942270,\
@ -340,7 +340,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regular expression generated from regex-assembly/942280.ra.
# To update the regular expression run the following shell script
@ -366,7 +366,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regular expression generated from regex-assembly/942290.ra.
# To update the regular expression run the following shell script
@ -392,7 +392,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule has a stricter sibling (942321) that checks for MySQL and PostgreSQL procedures / functions in
# request headers referer and user-agent.
@ -421,7 +421,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regular expression generated from regex-assembly/942350.ra.
# To update the regular expression run the following shell script
@ -447,7 +447,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule has two stricter sibling: 942361 and 942362.
# The keywords 'alter' and 'union' led to false positives.
@ -486,7 +486,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# -=[ Detect MySQL in-line comments ]=-
@ -528,7 +528,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule catches an authentication bypass via SQL injection that abuses semi-colons to end the SQL query early.
@ -564,7 +564,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule catches on Scientific Notation bypass payloads in MySQL
@ -593,7 +593,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule tries to match JSON SQL syntax that could be used as a bypass technique.
@ -622,7 +622,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
@ -662,7 +662,7 @@ SecRule ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[!=]=|&&|\|\||->|>[=>]|
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -707,7 +707,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\x0b\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\
SecRule TX:1 "@streq %{TX.2}" \
"t:none,\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Rule Targeting logical inequalities that return TRUE (e.g. 1 != 2)
#
@ -744,7 +744,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\x0b\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\
SecRule TX:1 "!@streq %{TX.2}" \
"t:none,\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# -=[ SQL Function Names ]=-
@ -776,7 +776,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# -=[ SQL Authentication Bypasses ]=-
@ -819,7 +819,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule is also triggered by the following exploit(s):
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
@ -848,7 +848,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule is also triggered by the following exploit(s):
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
@ -877,7 +877,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regular expression generated from regex-assembly/942260.ra.
# To update the regular expression run the following shell script
@ -903,7 +903,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regular expression generated from regex-assembly/942300.ra.
# To update the regular expression run the following shell script
@ -929,7 +929,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regular expression generated from regex-assembly/942310.ra.
# To update the regular expression run the following shell script
@ -955,7 +955,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# -=[ SQL Injection Probings ]=-
@ -989,7 +989,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regular expression generated from regex-assembly/942340.ra.
# To update the regular expression run the following shell script
@ -1018,7 +1018,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule is a stricter sibling of 942360.
# The keywords 'alter' and 'union' led to false positives.
@ -1043,7 +1043,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule is a stricter sibling of 942360.
# The loose word boundaries and light context led to false positives.
@ -1073,7 +1073,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule is a sibling of 942330. See that rule for a description and overview.
@ -1105,7 +1105,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regular expression generated from regex-assembly/942380.ra.
# To update the regular expression run the following shell script
@ -1131,7 +1131,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regular expression generated from regex-assembly/942390.ra.
# To update the regular expression run the following shell script
@ -1157,7 +1157,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regular expression generated from regex-assembly/942400.ra.
# To update the regular expression run the following shell script
@ -1183,7 +1183,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# The former rule id 942410 was split into three new rules: 942410, 942470, 942480
#
@ -1214,7 +1214,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# The former rule id 942410 was split into three new rules: 942410, 942470, 942480
@ -1243,7 +1243,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# The former rule id 942410 was split into three new rules: 942410, 942470, 942480
@ -1272,7 +1272,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -1312,7 +1312,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.8.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
#
@ -1402,7 +1402,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
chain"
SecRule MATCHED_VARS "!@rx ^ey[\-0-9A-Z_a-z]+\.ey[\-0-9A-Z_a-z]+\.[\-0-9A-Z_a-z]+$" \
"t:none,\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -1431,7 +1431,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -1478,7 +1478,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Regular expression generated from regex-assembly/942520.ra.
@ -1505,7 +1505,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Complementary rule to PL2 942520 that block and/or-based bypasses.
@ -1542,7 +1542,7 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/
SecRule TX:1 "@rx ^(?:and|or)$" \
"t:none,\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Complementary rule to PL2 942521 that block escaped quotes followed by (and|or)
@ -1566,7 +1566,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ^.*?\x5c['\"`](?:.*?['\"`])?\s*(?:and|or)\b"
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -1604,7 +1604,7 @@ SecRule REQUEST_BASENAME|REQUEST_FILENAME "@detectSQLi" \
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# -=[ SQL Function Names ]=-
@ -1636,7 +1636,7 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)\b(?:a(?:dd(
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# This rule is a stricter sibling of 942320.
@ -1666,7 +1666,7 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)create[\s\x0
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
@ -1706,7 +1706,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule is a stricter sibling of 942330. See that rule for a
# description and overview.
@ -1730,7 +1730,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# [ SQL Injection Character Anomaly Usage ]
@ -1769,7 +1769,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.8.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@ -1798,7 +1798,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.8.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@ -1829,7 +1829,7 @@ SecRule ARGS "@rx \W{4}" \
ver:'OWASP_CRS/4.8.0',\
severity:'WARNING',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -1877,7 +1877,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Detects ';
# ' Single quote. Used to delineate a query with an unmatched quote.
@ -1906,7 +1906,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
@ -1939,7 +1939,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.8.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@ -1968,7 +1968,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.8.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"

6
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf vendored
View file

@ -46,7 +46,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
@ -73,7 +73,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
chain"
SecRule TX:1 "!@endsWith %{request_headers.host}" \
"setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
@ -97,7 +97,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
chain"
SecRule &REQUEST_HEADERS:Referer "@eq 0" \
"setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"

28
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf vendored
View file

@ -49,7 +49,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule is also triggered by the following exploit(s):
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ]
@ -83,7 +83,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
chain"
SecRule MATCHED_VARS|XML:/*|XML://@* "@rx (?i)(?:unmarshaller|base64data|java\.)" \
"setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Magic bytes detected and payload included possibly RCE vulnerable classes detected and process execution methods detected
# anomaly score set to critical as all conditions indicate the request try to perform RCE.
@ -108,7 +108,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
chain"
SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
"setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule is also triggered by the following exploit(s):
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/mazen160/struts-pwn ]
@ -138,7 +138,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
@ -176,7 +176,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Log4J / Log4Shell Defense
@ -224,7 +224,7 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
@ -262,7 +262,7 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# [ Java deserialization vulnerability/Apache Commons (CVE-2015-4852) ]
#
@ -294,7 +294,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Detecting possible base64 text to match encoded magic bytes \xac\xed\x00\x05 with padding encoded in base64 strings are rO0ABQ KztAAU Cs7QAF
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
@ -315,7 +315,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \
@ -336,7 +336,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule is also triggered by the following exploit(s):
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
@ -360,7 +360,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# This rule is also triggered by the following exploit(s):
@ -385,7 +385,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
@ -419,7 +419,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
@ -455,7 +455,7 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# -= Paranoia Levels Finished =-

6
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-950-DATA-LEAKAGES.conf vendored
View file

@ -58,7 +58,7 @@ SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Inde
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.8.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# -=[ CGI Source Code Leakage ]=-
@ -90,7 +90,7 @@ SecRule RESPONSE_BODY "@rx ^#\!\s?/" \
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.8.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
@ -120,7 +120,7 @@ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.8.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"

32
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf vendored
View file

@ -66,7 +66,7 @@ SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Micr
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
# Regular expression generated from regex-assembly/951120.ra.
@ -91,7 +91,7 @@ SecRule RESPONSE_BODY "@rx (?i)\bORA-[0-9][0-9][0-9][0-9][0-9]:|java\.sql\.SQLEx
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.*DB2|DB2 SQL error|db2_\w+\()" \
@ -111,7 +111,7 @@ SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinity of:)" \
@ -131,7 +131,7 @@ SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinit
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
@ -151,7 +151,7 @@ SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollback\." \
@ -171,7 +171,7 @@ SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollba
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
@ -191,7 +191,7 @@ SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.*Informix)" \
@ -211,7 +211,7 @@ SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statem
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)" \
@ -231,7 +231,7 @@ SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)" \
@ -251,7 +251,7 @@ SecRule RESPONSE_BODY "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
@ -271,7 +271,7 @@ SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.|Conversion failed when converting the varchar value .*? to data type int\.)" \
@ -291,7 +291,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsof
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
# Regular expression generated from regex-assembly/951230.ra.
@ -316,7 +316,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
# Regular expression generated from regex-assembly/951240.ra.
@ -341,7 +341,7 @@ SecRule RESPONSE_BODY "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\.Exception|System\.Data\.SQLite\.SQLiteException)" \
@ -361,7 +361,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/J
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message.*)" \
@ -381,7 +381,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*S
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecMarker "END-SQL-ERROR-MATCH-PL1"

4
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf vendored
View file

@ -49,7 +49,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.8.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# -=[ Java Errors ]=-
@ -74,7 +74,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.8.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"

8
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf vendored
View file

@ -49,7 +49,7 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.8.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# -=[ PHP source code leakage ]=-
@ -74,7 +74,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.8.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Detect the presence of the PHP open tag "<? ", "<?= " or "<?php " in output.
#
@ -100,7 +100,7 @@ SecRule RESPONSE_BODY "@rx (?i)<\?(?:=|php)?\s+" \
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.8.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
@ -133,7 +133,7 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors-pl2.data" \
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.8.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"

8
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf vendored
View file

@ -47,7 +47,7 @@ SecRule RESPONSE_BODY "@rx [a-z]:\x5cinetpub\b" \
tag:'capec/1000/118/116',\
ver:'OWASP_CRS/4.8.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:</font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)<br>Timeout expired<br>)|<h1>internal server error</h1>.*?<h2>part of the server has crashed or it has a configuration error\.</h2>|cannot connect to the server: timed out)" \
"id:954110,\
@ -68,7 +68,7 @@ SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:</font>
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.8.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
#
# IIS Errors leakage
@ -92,7 +92,7 @@ SecRule RESPONSE_BODY "@pmFromFile iis-errors.data" \
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.8.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule RESPONSE_STATUS "!@rx ^404$" \
@ -118,7 +118,7 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \
"capture,\
t:none,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"

52
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-955-WEB-SHELLS.conf vendored
View file

@ -46,7 +46,7 @@ SecRule RESPONSE_BODY "@pmFromFile web-shells-php.data" \
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# r57 web shell
SecRule RESPONSE_BODY "@rx <title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>" \
@ -65,7 +65,7 @@ SecRule RESPONSE_BODY "@rx <title>r57 Shell Version [0-9.]+</title>|<title>r57 s
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# WSO web shell
SecRule RESPONSE_BODY "@rx ^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>.*? - WSO [0-9.]+</title>" \
@ -84,7 +84,7 @@ SecRule RESPONSE_BODY "@rx ^<html><head><meta http-equiv='Content-Type' content=
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# b4tm4n web shell (https://github.com/k4mpr3t/b4tm4n)
SecRule RESPONSE_BODY "@rx B4TM4N SH3LL</title>.*<meta name='author' content='k4mpr3t'/>" \
@ -103,7 +103,7 @@ SecRule RESPONSE_BODY "@rx B4TM4N SH3LL</title>.*<meta name='author' content='k4
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Mini Shell web shell
SecRule RESPONSE_BODY "@rx <title>Mini Shell</title>.*Developed By LameHacker" \
@ -122,7 +122,7 @@ SecRule RESPONSE_BODY "@rx <title>Mini Shell</title>.*Developed By LameHacker" \
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Ashiyane web shell
SecRule RESPONSE_BODY "@rx <title>\.:: .* ~ Ashiyane V [0-9.]+ ::\.</title>" \
@ -141,7 +141,7 @@ SecRule RESPONSE_BODY "@rx <title>\.:: .* ~ Ashiyane V [0-9.]+ ::\.</title>" \
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Symlink_Sa web shell
SecRule RESPONSE_BODY "@rx <title>Symlink_Sa [0-9.]+</title>" \
@ -160,7 +160,7 @@ SecRule RESPONSE_BODY "@rx <title>Symlink_Sa [0-9.]+</title>" \
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# CasuS web shell
SecRule RESPONSE_BODY "@rx <title>CasuS [0-9.]+ by MafiABoY</title>" \
@ -179,7 +179,7 @@ SecRule RESPONSE_BODY "@rx <title>CasuS [0-9.]+ by MafiABoY</title>" \
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# GRP WebShell
SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<title>GRP WebShell [0-9.]+ " \
@ -198,7 +198,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<title>GRP WebShell [0-9.]+ " \
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# NGHshell web shell
SecRule RESPONSE_BODY "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>\n$" \
@ -217,7 +217,7 @@ SecRule RESPONSE_BODY "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>\n$" \
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# SimAttacker web shell
SecRule RESPONSE_BODY "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ - " \
@ -236,7 +236,7 @@ SecRule RESPONSE_BODY "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ - "
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Unknown web shell
SecRule RESPONSE_BODY "@rx ^<!DOCTYPE html>\n<html>\n<!-- By Artyum .*<title>Web Shell</title>" \
@ -255,7 +255,7 @@ SecRule RESPONSE_BODY "@rx ^<!DOCTYPE html>\n<html>\n<!-- By Artyum .*<title>Web
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# lama's'hell web shell
SecRule RESPONSE_BODY "@rx <title>lama's'hell v. [0-9.]+</title>" \
@ -274,7 +274,7 @@ SecRule RESPONSE_BODY "@rx <title>lama's'hell v. [0-9.]+</title>" \
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# lostDC web shell
SecRule RESPONSE_BODY "@rx ^ *<html>\n[ ]+<head>\n[ ]+<title>lostDC - " \
@ -293,7 +293,7 @@ SecRule RESPONSE_BODY "@rx ^ *<html>\n[ ]+<head>\n[ ]+<title>lostDC - " \
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Unknown web shell
SecRule RESPONSE_BODY "@rx ^<title>PHP Web Shell</title>\r\n<html>\r\n<body>\r\n <!-- Replaces command with Base64-encoded Data -->" \
@ -312,7 +312,7 @@ SecRule RESPONSE_BODY "@rx ^<title>PHP Web Shell</title>\r\n<html>\r\n<body>\r\n
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Unknown web shell
SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<div align=\"left\"><font size=\"1\">Input command :</font></div>\n<form name=\"cmd\" method=\"POST\" enctype=\"multipart/form-data\">" \
@ -331,7 +331,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<div align=\"left\"><font size=\"1\"
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Ru24PostWebShell web shell
# Removed '- ' from the end of the pattern so this file won't get detected as
@ -352,7 +352,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<title>Ru24PostWebShell " \
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# s72 Shell web shell
SecRule RESPONSE_BODY "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title>" \
@ -371,7 +371,7 @@ SecRule RESPONSE_BODY "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# PhpSpy web shell
SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\">\r\n<title>PhpSpy Ver [0-9]+</title>" \
@ -390,7 +390,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<meta http-equiv=\"Content-Type\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# g00nshell web shell
SecRule RESPONSE_BODY "@rx ^ <html>\n\n<head>\n\n<title>g00nshell v[0-9.]+ " \
@ -409,7 +409,7 @@ SecRule RESPONSE_BODY "@rx ^ <html>\n\n<head>\n\n<title>g00nshell v[0-9.]+ " \
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# PuNkHoLic shell web shell
# Various versions has this text written little differently so we need to do
@ -430,7 +430,7 @@ SecRule RESPONSE_BODY "@contains <title>punkholicshell</title>" \
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# azrail web shell
SecRule RESPONSE_BODY "@rx ^<html>\n <head>\n <title>azrail [0-9.]+ by C-W-M</title>" \
@ -449,7 +449,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\n <head>\n <title>azrail [0-
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# SmEvK_PaThAn Shell web shell
SecRule RESPONSE_BODY "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=" \
@ -468,7 +468,7 @@ SecRule RESPONSE_BODY "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=" \
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# Shell I web shell
SecRule RESPONSE_BODY "@rx ^<html>\n<title>.*? ~ Shell I</title>\n<head>\n<style>" \
@ -487,7 +487,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<title>.*? ~ Shell I</title>\n<head>\n<style
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
# b374k m1n1 web shell
SecRule RESPONSE_BODY "@rx ^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>" \
@ -506,7 +506,7 @@ SecRule RESPONSE_BODY "@rx ^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
@ -534,7 +534,7 @@ SecRule RESPONSE_BODY "@contains <h1 style=\"margin-bottom: 0\">webadmin.php</h1
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.8.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.8.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"

16
src/common/core/modsecurity/misc/patch.sh Executable file
View file

@ -0,0 +1,16 @@
#!/bin/bash
rules_dir="./files/coreruleset-v$1/rules"
score_types=("critical" "error" "warning" "notice")
score_variables=("inbound" "outbound")
find "$rules_dir" -type f -name "*.conf" | while read -r file; do
for score_type in "${score_types[@]}"; do
for score_variable in "${score_variables[@]}"; do
search_pattern="setvar:'tx.${score_variable}_anomaly_score_pl[0-9]=+%{tx.${score_type}_anomaly_score}'"
sed -i "/$search_pattern/s/\($search_pattern\)/\1,setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'/" "$file"
done
done
sed -i "/setvar:'tx.anomaly_score_pl[0-9]=+%{tx.critical_anomaly_score}'/s/\(setvar:'tx.anomaly_score_pl[0-9]=+%{tx.critical_anomaly_score}'\)/\1,setvar:'tx.bunkerweb_rules=%{tx.bunkerweb_rules} %{rule.id}'/" "$file"
done

4
src/common/core/modsecurity/misc/versions.json
View file

@ -5,14 +5,14 @@
"name": "Coreruleset v3.3.7",
"url": "https://github.com/coreruleset/coreruleset.git",
"commit": "daedded8fe6f132e7db8875f9dd0b02850215b74",
"post_install": "rm -rf files/coreruleset-v3/tests files/coreruleset-v3/.github files/coreruleset-v3/docs && mv files/coreruleset-v3/crs-setup.conf.example files/crs-setup-v3.conf"
"post_install": "rm -rf files/coreruleset-v3/tests files/coreruleset-v3/.github files/coreruleset-v3/docs && mv files/coreruleset-v3/crs-setup.conf.example files/crs-setup-v3.conf && ./misc/patch.sh 3"
},
{
"id": "coreruleset-v4",
"name": "Coreruleset v4.8.0",
"url": "https://github.com/coreruleset/coreruleset.git",
"commit": "3dc7e0dbc971a6622ecc273a34c7febc14145b1c",
"post_install": "rm -rf files/coreruleset-v4/tests files/coreruleset-v4/.github files/coreruleset-v4/docs && mv files/coreruleset-v4/crs-setup.conf.example files/crs-setup-v4.conf"
"post_install": "rm -rf files/coreruleset-v4/tests files/coreruleset-v4/.github files/coreruleset-v4/docs && mv files/coreruleset-v4/crs-setup.conf.example files/crs-setup-v4.conf && ./misc/patch.sh 4"
}
]
}