Elgato_dark/bunkerweb
1
0
Fork 0
mirror of https://github.com/bunkerity/bunkerweb synced 2026-05-24 09:28:37 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #1210 from bunkerity/dev

Browse source 
Merge branch "dev" into branch "staging"
This commit is contained in:
Théophile Diot 2024-05-25 15:47:26 +01:00 committed by GitHub
commit f8cf4b6ae0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
99 changed files with 1590 additions and 1203 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/container-build.yml vendored
View file

@ -117,7 +117,7 @@ jobs:
# Check OS vulnerabilities
- name: Check OS vulnerabilities
if: ${{ inputs.CACHE_SUFFIX != 'arm' }}
uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # v0.20.0
uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # v0.21.0
with:
vuln-type: os
skip-dirs: /root/.cargo

2
.github/workflows/push-packagecloud.yml vendored
View file

@ -42,7 +42,7 @@ jobs:
- name: Check out repository code
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- name: Install ruby
uses: ruby/setup-ruby@7dc18ff0ca6e3630d3f29d2a85ebf6cc27ae9d6c # v1.177.0
uses: ruby/setup-ruby@943103cae7d3f1bb1e4951d5fcc7928b40e4b742 # v1.177.1
with:
ruby-version: "3.0"
- name: Install packagecloud

1
.github/workflows/tests-ui-linux.yml vendored
View file

@ -80,6 +80,7 @@ jobs:
sudo mkdir -p /etc/bunkerweb
echo "SERVER_NAME=" | sudo tee /etc/bunkerweb/variables.env
echo "HTTP_PORT=80" | sudo tee -a /etc/bunkerweb/variables.env
echo "HTTPS_PORT=443" | sudo tee -a /etc/bunkerweb/variables.env
echo "BAD_BEHAVIOR_THRESHOLD=20" | sudo tee -a /etc/bunkerweb/variables.env
echo 'DNS_RESOLVERS=9.9.9.9 8.8.8.8 8.8.4.4' | sudo tee -a /etc/bunkerweb/variables.env
echo 'API_LISTEN_IP=127.0.0.1' | sudo tee -a /etc/bunkerweb/variables.env

3
CHANGELOG.md
View file

@ -4,6 +4,9 @@
- [FEATURE] Add nightly build of the OWASP coreruleset that are automatically downloaded and updated
- [FEATURE] Enhance security on error pages, default server page and loading page by adding a custom `Content-Security-Policy` header with nonces and removing the `Server` header
- [UI] Force HTTPS on setup wizard
- [UI] Fallback to self-signed certificate when UI is installed with setup wizard and let's encrypt is not used
- [DEPS] Updated coreruleset-v4 version to v4.3.0
## v1.5.7 - 2024/05/14

2
docs/integrations.md
View file

@ -1207,3 +1207,5 @@ You can easily deploy BunkerWeb on your Azure subscription in several ways:
Get BunkerWeb from the [Create resource menu](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/id/bunkerity.bunkerweb){:target="_blank"}.
You can also go through the [Marketplace](https://azuremarketplace.microsoft.com/fr-fr/marketplace/apps/bunkerity.bunkerweb?tab=Overview){:target="_blank"}.
You can access the setup wizard by browsing the `https://your-ip-address/setup` URI of your virtual machine.

63
docs/requirements.txt
View file

@ -645,36 +645,39 @@ verspec==0.1.0 \
--hash=sha256:741877d5633cc9464c45a469ae2a31e801e6dbbaa85b9675d481cda100f11c31 \
--hash=sha256:c4504ca697b2056cdb4bfa7121461f5a0e81809255b41c03dda4ba823637c01e
# via mike
watchdog==4.0.0 \
--hash=sha256:11e12fafb13372e18ca1bbf12d50f593e7280646687463dd47730fd4f4d5d257 \
--hash=sha256:2895bf0518361a9728773083908801a376743bcc37dfa252b801af8fd281b1ca \
--hash=sha256:39cb34b1f1afbf23e9562501673e7146777efe95da24fab5707b88f7fb11649b \
--hash=sha256:45cc09cc4c3b43fb10b59ef4d07318d9a3ecdbff03abd2e36e77b6dd9f9a5c85 \
--hash=sha256:4986db5e8880b0e6b7cd52ba36255d4793bf5cdc95bd6264806c233173b1ec0b \
--hash=sha256:5369136a6474678e02426bd984466343924d1df8e2fd94a9b443cb7e3aa20d19 \
--hash=sha256:557ba04c816d23ce98a06e70af6abaa0485f6d94994ec78a42b05d1c03dcbd50 \
--hash=sha256:6a4db54edea37d1058b08947c789a2354ee02972ed5d1e0dca9b0b820f4c7f92 \
--hash=sha256:6a80d5cae8c265842c7419c560b9961561556c4361b297b4c431903f8c33b269 \
--hash=sha256:6a9c71a0b02985b4b0b6d14b875a6c86ddea2fdbebd0c9a720a806a8bbffc69f \
--hash=sha256:6c47bdd680009b11c9ac382163e05ca43baf4127954c5f6d0250e7d772d2b80c \
--hash=sha256:6e949a8a94186bced05b6508faa61b7adacc911115664ccb1923b9ad1f1ccf7b \
--hash=sha256:73c7a935e62033bd5e8f0da33a4dcb763da2361921a69a5a95aaf6c93aa03a87 \
--hash=sha256:76ad8484379695f3fe46228962017a7e1337e9acadafed67eb20aabb175df98b \
--hash=sha256:8350d4055505412a426b6ad8c521bc7d367d1637a762c70fdd93a3a0d595990b \
--hash=sha256:87e9df830022488e235dd601478c15ad73a0389628588ba0b028cb74eb72fed8 \
--hash=sha256:8f9a542c979df62098ae9c58b19e03ad3df1c9d8c6895d96c0d51da17b243b1c \
--hash=sha256:8fec441f5adcf81dd240a5fe78e3d83767999771630b5ddfc5867827a34fa3d3 \
--hash=sha256:9a03e16e55465177d416699331b0f3564138f1807ecc5f2de9d55d8f188d08c7 \
--hash=sha256:ba30a896166f0fee83183cec913298151b73164160d965af2e93a20bbd2ab605 \
--hash=sha256:c17d98799f32e3f55f181f19dd2021d762eb38fdd381b4a748b9f5a36738e935 \
--hash=sha256:c522392acc5e962bcac3b22b9592493ffd06d1fc5d755954e6be9f4990de932b \
--hash=sha256:d0f9bd1fd919134d459d8abf954f63886745f4660ef66480b9d753a7c9d40927 \
--hash=sha256:d18d7f18a47de6863cd480734613502904611730f8def45fc52a5d97503e5101 \
--hash=sha256:d31481ccf4694a8416b681544c23bd271f5a123162ab603c7d7d2dd7dd901a07 \
--hash=sha256:e3e7065cbdabe6183ab82199d7a4f6b3ba0a438c5a512a68559846ccb76a78ec \
--hash=sha256:eed82cdf79cd7f0232e2fdc1ad05b06a5e102a43e331f7d041e5f0e0a34a51c4 \
--hash=sha256:f970663fa4f7e80401a7b0cbeec00fa801bf0287d93d48368fc3e6fa32716245 \
--hash=sha256:f9b2fdca47dc855516b2d66eef3c39f2672cbf7e7a42e7e67ad2cbfcd6ba107d
watchdog==4.0.1 \
--hash=sha256:0144c0ea9997b92615af1d94afc0c217e07ce2c14912c7b1a5731776329fcfc7 \
--hash=sha256:03e70d2df2258fb6cb0e95bbdbe06c16e608af94a3ffbd2b90c3f1e83eb10767 \
--hash=sha256:093b23e6906a8b97051191a4a0c73a77ecc958121d42346274c6af6520dec175 \
--hash=sha256:123587af84260c991dc5f62a6e7ef3d1c57dfddc99faacee508c71d287248459 \
--hash=sha256:17e32f147d8bf9657e0922c0940bcde863b894cd871dbb694beb6704cfbd2fb5 \
--hash=sha256:206afc3d964f9a233e6ad34618ec60b9837d0582b500b63687e34011e15bb429 \
--hash=sha256:4107ac5ab936a63952dea2a46a734a23230aa2f6f9db1291bf171dac3ebd53c6 \
--hash=sha256:4513ec234c68b14d4161440e07f995f231be21a09329051e67a2118a7a612d2d \
--hash=sha256:611be3904f9843f0529c35a3ff3fd617449463cb4b73b1633950b3d97fa4bfb7 \
--hash=sha256:62c613ad689ddcb11707f030e722fa929f322ef7e4f18f5335d2b73c61a85c28 \
--hash=sha256:667f3c579e813fcbad1b784db7a1aaa96524bed53437e119f6a2f5de4db04235 \
--hash=sha256:6e8c70d2cd745daec2a08734d9f63092b793ad97612470a0ee4cbb8f5f705c57 \
--hash=sha256:7577b3c43e5909623149f76b099ac49a1a01ca4e167d1785c76eb52fa585745a \
--hash=sha256:998d2be6976a0ee3a81fb8e2777900c28641fb5bfbd0c84717d89bca0addcdc5 \
--hash=sha256:a3c2c317a8fb53e5b3d25790553796105501a235343f5d2bf23bb8649c2c8709 \
--hash=sha256:ab998f567ebdf6b1da7dc1e5accfaa7c6992244629c0fdaef062f43249bd8dee \
--hash=sha256:ac7041b385f04c047fcc2951dc001671dee1b7e0615cde772e84b01fbf68ee84 \
--hash=sha256:bca36be5707e81b9e6ce3208d92d95540d4ca244c006b61511753583c81c70dd \
--hash=sha256:c9904904b6564d4ee8a1ed820db76185a3c96e05560c776c79a6ce5ab71888ba \
--hash=sha256:cad0bbd66cd59fc474b4a4376bc5ac3fc698723510cbb64091c2a793b18654db \
--hash=sha256:d10a681c9a1d5a77e75c48a3b8e1a9f2ae2928eda463e8d33660437705659682 \
--hash=sha256:d4925e4bf7b9bddd1c3de13c9b8a2cdb89a468f640e66fbfabaf735bd85b3e35 \
--hash=sha256:d7b9f5f3299e8dd230880b6c55504a1f69cf1e4316275d1b215ebdd8187ec88d \
--hash=sha256:da2dfdaa8006eb6a71051795856bedd97e5b03e57da96f98e375682c48850645 \
--hash=sha256:dddba7ca1c807045323b6af4ff80f5ddc4d654c8bce8317dde1bd96b128ed253 \
--hash=sha256:e7921319fe4430b11278d924ef66d4daa469fafb1da679a2e48c935fa27af193 \
--hash=sha256:e93f451f2dfa433d97765ca2634628b789b49ba8b504fdde5837cdcf25fdb53b \
--hash=sha256:eebaacf674fa25511e8867028d281e602ee6500045b57f43b08778082f7f8b44 \
--hash=sha256:ef0107bbb6a55f5be727cfc2ef945d5676b97bffb8425650dadbb184be9f9a2b \
--hash=sha256:f0de0f284248ab40188f23380b03b59126d1479cd59940f2a34f8852db710625 \
--hash=sha256:f27279d060e2ab24c0aa98363ff906d2386aa6c4dc2f1a374655d4e02a6c5e5e \
--hash=sha256:f8affdf3c0f0466e69f5b3917cdd042f89c8c63aebdb9f7c078996f607cdb0f5
# via mkdocs
webencodings==0.5.1 \
--hash=sha256:a0af1213f3c2226497a97e2b3aa01a7e4bee4f403f95be16fc9acd2947514a78 \

106
docs/upgrading.md
View file

@ -122,42 +122,88 @@
2. **Upgrade BunkerWeb**:
- Upgrade BunkerWeb to the latest version.
=== "Docker"
=== "Docker"
1. **Update the Docker Compose file**: Update the Docker Compose file to use the new version of the BunkerWeb image.
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.7
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.7
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.7
...
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.7
...
```
1. **Update the Docker Compose file**: Update the Docker Compose file to use the new version of the BunkerWeb image.
```yaml
services:
bunkerweb:
image: bunkerity/bunkerweb:1.5.7
...
bw-scheduler:
image: bunkerity/bunkerweb-scheduler:1.5.7
...
bw-autoconf:
image: bunkerity/bunkerweb-autoconf:1.5.7
...
bw-ui:
image: bunkerity/bunkerweb-ui:1.5.7
...
```
2. **Restart the containers**: Restart the containers to apply the changes.
```bash
docker compose down
docker compose up -d
```
2. **Restart the containers**: Restart the containers to apply the changes.
```bash
docker compose down
docker compose up -d
```
=== "Linux"
=== "Linux"
3. **Stop the services**:
```bash
systemctl stop bunkerweb
systemctl stop bunkerweb-ui
```
3. **Stop the services**:
```bash
systemctl stop bunkerweb
systemctl stop bunkerweb-ui
```
4. **Update BunkerWeb**:
- Update BunkerWeb to the latest version by following the instructions in the [integration Linux page](integrations.md#linux).
4. **Update BunkerWeb**:
=== "Debian/Ubuntu"
First, if you have previously hold the BunkerWeb package, unhold it :
You can print a list of packages on hold with `apt-mark showhold`
```shell
sudo apt-mark unhold bunkerweb
```
Them, you can update BunkerWeb package :
```shell
sudo apt install -y bunkerweb=1.5.7
```
To prevent upgrading BunkerWeb package when executing `apt upgrade`, you can use the following command :
```shell
sudo apt-mark hold bunkerweb
```
More details in the [integration Linux page](integrations.md#__tabbed_1_1).
=== "Fedora/RedHat"
First, if you have previously hold the BunkerWeb package, unhold it :
You can print a list of packages on hold with `dnf versionlock list`
```shell
sudo dnf versionlock delete package bunkerweb
```
Them, you can update BunkerWeb package :
```shell
sudo dnf install -y bunkerweb-1.5.7
```
To prevent upgrading BunkerWeb package when executing `dnf upgrade`, you can use the following command :
```shell
sudo dnf versionlock add bunkerweb
```
More details in the [integration Linux page](integrations.md#__tabbed_1_3).
3. **Check the logs**: Check the logs of the scheduler service to ensure that the migration was successful.

22
docs/web-ui.md
View file

@ -39,7 +39,7 @@ Because the web UI is a web application, the recommended installation procedure
!!! info "Wizard"
The setup wizard is a feature that helps you to **configure** and **install the web UI** using a **user-friendly interface**. You will need to set the `UI_HOST` setting (`http://hostname-of-web-ui:7000`) and browse the `/setup` URI of your server to access the setup wizard.
The setup wizard is a feature that helps you to **configure** and **install the web UI** using a **user-friendly interface**. You will need to set the `UI_HOST` setting (`https://hostname-of-web-ui:7000`) and browse the `/setup` URI of your server to access the setup wizard.
<figure markdown>
![Overview](assets/img/ui-wizard-account.webp){ align=center, width="350" }
@ -70,7 +70,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
!!! tip "Accessing the setup wizard"
You can access the setup wizard by browsing the `http://your-ip-address/setup` URI of your server.
You can access the setup wizard by browsing the `https://your-ip-address/setup` URI of your server.
Here is the docker-compose boilerplate that you can use (don't forget to edit the `changeme` data) :
@ -162,7 +162,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
!!! tip "Accessing the setup wizard"
You can access the setup wizard by browsing the `http://your-ip-address/setup` URI of your server.
You can access the setup wizard by browsing the `https://your-ip-address/setup` URI of your server.
Here is the docker-compose boilerplate that you can use (don't forget to edit the `changeme` data) :
@ -269,7 +269,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
!!! tip "Accessing the setup wizard"
You can access the setup wizard by browsing the `http://your-ip-address/setup` URI of your server.
You can access the setup wizard by browsing the `https://your-ip-address/setup` URI of your server.
Here is the stack boilerplate that you can use (don't forget to edit the `changeme` data) :
@ -399,7 +399,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
!!! tip "Accessing the setup wizard"
You can access the setup wizard by browsing the `http://your-ip-address/setup` URI of your server.
You can access the setup wizard by browsing the `https://your-ip-address/setup` URI of your server.
Here is the yaml boilerplate that you can use (don't forget to edit the `changeme` data) :
@ -717,7 +717,7 @@ Review your final BunkerWeb UI URL and then click on the `Setup` button. Once th
!!! tip "Accessing the setup wizard"
You can access the setup wizard by browsing the `http://your-ip-address/setup` URI of your server.
You can access the setup wizard by browsing the `https://your-ip-address/setup` URI of your server.
## Account management
@ -752,6 +752,16 @@ When your BunkerWeb instance has upgraded to the PRO version, you will see your
### Username / Password
!!! tip "Overriding admin credentials from environment variables"
If you want to override the admin credentials from environment variables, you can set the following variables :
- `OVERRIDE_ADMIN_CREDS` : set it to `yes` to enable the override even if the admin credentials are already set (default is `no`)
- `ADMIN_USERNAME` : username to access the web UI
- `ADMIN_PASSWORD` : password to access the web UI
The web UI will use these variables to authenticate you.
!!! warning "Lost password/username"
In case you forgot your UI credentials, you can reset them from the CLI following [the steps described in the troubleshooting section](troubleshooting.md#web-ui).

15
src/common/core/letsencrypt/jobs/certbot-new.py
View file

@ -29,7 +29,7 @@ LETS_ENCRYPT_WORK_DIR = join(sep, "var", "lib", "bunkerweb", "letsencrypt")
LETS_ENCRYPT_LOGS_DIR = join(sep, "var", "log", "bunkerweb")
def certbot_new(domains: str, email: str, use_letsencrypt_staging: bool = False) -> int:
def certbot_new(domains: str, email: str, use_letsencrypt_staging: bool = False, *, force: bool = False) -> int:
process = Popen(
[
CERTBOT_BIN,
@ -54,7 +54,8 @@ def certbot_new(domains: str, email: str, use_letsencrypt_staging: bool = False)
"--agree-tos",
"--expand",
]
+ (["--staging"] if use_letsencrypt_staging else []),
+ (["--staging"] if use_letsencrypt_staging else [])
+ (["--force-renewal"] if force else []),
stdin=DEVNULL,
stderr=PIPE,
universal_newlines=True,
@ -96,7 +97,7 @@ try:
# Restore Let's Encrypt data from db cache
JOB.restore_cache(job_name="certbot-renew")
domains_to_ask = []
domains_to_ask = {}
# Multisite case
if is_multisite:
domains_server_names = {}
@ -133,18 +134,18 @@ try:
if proc.returncode != 0:
LOGGER.error(f"Error while checking certificates :\n{proc.stdout}")
domains_to_ask = server_names
domains_to_ask = {domain: True for domain in server_names}
else:
for first_server, domains in domains_server_names.items():
generated_domains.update(domains.split(" "))
current_domains = search(rf"Domains: {first_server}(?P<domains>.*)$", stdout, MULTILINE)
if not current_domains:
domains_to_ask.append(first_server)
domains_to_ask[first_server] = False
continue
elif set(f"{first_server}{current_domains.groupdict()['domains']}".strip().split(" ")) != set(domains.split(" ")):
LOGGER.warning(f"Domains for {first_server} are not the same as in the certificate, asking new certificate...")
domains_to_ask.append(first_server)
domains_to_ask[first_server] = True
continue
LOGGER.info(f"Certificates already exists for domain(s) {domains}")
@ -159,7 +160,7 @@ try:
use_letsencrypt_staging = getenv(f"{first_server}_USE_LETS_ENCRYPT_STAGING", getenv("USE_LETS_ENCRYPT_STAGING", "no")) == "yes"
LOGGER.info(f"Asking certificates for domain(s) : {domains} (email = {real_email}) to Let's Encrypt {'staging ' if use_letsencrypt_staging else ''}...")
if certbot_new(domains.replace(" ", ","), real_email, use_letsencrypt_staging) != 0:
if certbot_new(domains.replace(" ", ","), real_email, use_letsencrypt_staging, force=domains_to_ask[first_server]) != 0:
status = 2
LOGGER.error(f"Certificate generation failed for domain(s) {domains} ...")
continue

44
src/common/core/modsecurity/files/coreruleset-v4/.github/create-changelog-prs.py vendored
View file

@ -30,14 +30,38 @@ def get_pr(repository: str, number: int) -> dict:
def get_prs(
repository: str, start_date: datetime.date, end_date: datetime.date
repository: str, start_date: datetime.date, end_date: datetime.date, dry_run: bool
) -> (list, list):
print(f"Fetching PRs from {start_date} through {end_date}")
print(f"Fetching merged PRs from {start_date} through {end_date}")
options = ['--merged-at "{start_date}..{end_date}"']
all_prs = fetch_prs(repository, options, dry_run)
print(f"Fetching open changelog PRs from {start_date} through {end_date}")
options = ["--state open"]
all_prs.extend(fetch_prs(repository, options, dry_run))
prs = []
changelog_prs = []
for result in all_prs:
if CHANGELOG_LABEL in [label["name"] for label in result["labels"]]:
changelog_prs.append(get_pr(repository, result["number"]))
else:
prs.append(get_pr(repository, result["number"]))
return (prs, changelog_prs)
def fetch_prs(repository: str, options: list[str], dry_run: bool) -> list[dict]:
command = f"""gh search prs \
--repo "{repository}" \
--merged-at "{start_date}..{end_date}" \
--json number,labels
--json number,labels \
"""
for option in options:
command += " " + option
if dry_run:
print(command)
return []
with subprocess.Popen(
command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE
) as proc:
@ -45,15 +69,7 @@ def get_prs(
if proc.returncode != 0:
print_errors(errors)
sys.exit(1)
prs = []
changelog_prs = []
for result in json.loads(prs_json):
if CHANGELOG_LABEL in [label["name"] for label in result["labels"]]:
changelog_prs.append(get_pr(repository, result["number"]))
else:
prs.append(get_pr(repository, result["number"]))
return (prs, changelog_prs)
return json.loads(prs_json)
def parse_prs(prs: list) -> dict:
@ -277,7 +293,7 @@ def run_workflow(
end_date: datetime.date,
dry_run: bool,
):
prs, changelog_prs = get_prs(source_repository, start_date, end_date)
prs, changelog_prs = get_prs(source_repository, start_date, end_date, dry_run)
prs_length = len(prs)
print(f"Found {prs_length} PRs")
if prs_length == 0:

29
src/common/core/modsecurity/files/coreruleset-v4/.github/release.yml vendored Normal file
View file

@ -0,0 +1,29 @@
# .github/release.yml
changelog:
exclude:
labels:
- ignore-for-release
- release:ignore
authors:
- octocat
- changelog-pr-bot
categories:
- title: ⭐ Important changes
labels:
- release:important
- title: Breaking Changes 🛠
labels:
- Semver-Major
- breaking-change
- release:breaking
- title: 🆕 New features and detections 🎉
labels:
- Semver-Minor
- enhancement
- release:new-detection
- release:new-feature
- title: 🧰 Other Changes
labels:
- "*"

4
src/common/core/modsecurity/files/coreruleset-v4/.gitmodules vendored
View file

@ -1,4 +0,0 @@
[submodule "docs/OWASP-CRS-Documentation"]
path = docs/OWASP-CRS-Documentation
url = https://github.com/coreruleset/documentation.git
branch = main

22
src/common/core/modsecurity/files/coreruleset-v4/CHANGES.md vendored
View file

@ -8,6 +8,27 @@
## Nightly builds
New changelog entries are written to `.changes-pending.md`. They will be moved to the main changelog before a release.
## Version 4.3.0 - 2024-05-24
### 🆕 New features and detections 🎉
* feat: catch Java PostgreSQL errors (951240 PL1) by @azurit in https://github.com/coreruleset/coreruleset/pull/3686
* feat: block The Mysterious Mozlila User Agent bot (913100 PL1) by @brentclark in https://github.com/coreruleset/coreruleset/pull/3646
### 🧰 Other Changes
* fix: Oracle SQL database data leakage FP (951120 PL1) by @azurit in https://github.com/coreruleset/coreruleset/pull/3685
* fix: typos in 920330 and 942280 tests by @TimDiam0nd in https://github.com/coreruleset/coreruleset/pull/3688
* test: change pl-1 to pl1 to be inline with others by @TimDiam0nd in https://github.com/coreruleset/coreruleset/pull/3690
* feat: use renovate to update docker-compose by @theseion in https://github.com/coreruleset/coreruleset/pull/3697
* fix: FP for `sched` (932235 PL1, 932236 PL2, 932237 PL3, 932239 PL2, … by @theseion in https://github.com/coreruleset/coreruleset/pull/3701
* fix: collections not being initialized without User-Agent header by @azurit in https://github.com/coreruleset/coreruleset/pull/3645
* feat: refactoring of rule 941310 (PL1 941310) by @azurit in https://github.com/coreruleset/coreruleset/pull/3700
* fix: resolving more FPs with Oracle error messages (951120 PL1) by @azurit in https://github.com/coreruleset/coreruleset/pull/3703
* fix: removing double t:urlDecodeUni (920221 PL1, 920440 PL1, 932200 PL2, 932205 PL2, 932206 PL2) by @azurit in https://github.com/coreruleset/coreruleset/pull/3699
* fix: false positives from PHP config directives and functions (933120 PL1, 933151 PL2) by @ssigwart in https://github.com/coreruleset/coreruleset/pull/3638
* feat: prevent detection of web shells rules as malware by Windows Defender (955260 PL1) by @azurit in https://github.com/coreruleset/coreruleset/pull/3687
* fix: fp with name axel by removing it from rce rule (932260 PL1) by @franbuehler in https://github.com/coreruleset/coreruleset/pull/3705
## Version 4.2.0 - 2024-04-23
Changes with direct rule impact (sorted by lowest rule ID per change where available):
@ -27,6 +48,7 @@ Changes without direct rule impact:
Changes with direct rule impact (sorted by lowest rule ID per change where available):
* feat: add support for additional ansible and chef commands (932160 PL1, 932161 PL2, 932235 PL1, 932260 PL1, 932236 PL2, 932239 PL2, 932237 PL3) (Esad Cetiner) [#3601]
* feat: move HTTP header rules to phase 1 (932161 PL2, 932205 PL2, 932206 PL2, 932237 PL3) (Esad Cetiner) [#3570]
* fix: remove t:lowercase from rules that use '(?i)' modifier in their regex (942150 PL2, 942151 PL1, 942152 PL2) (Ervin Hegedus) [#3585]
* fix: prevent FPs against names due to "cron" (932260 PL1, 932236 PL2, 932237 PL3, 932239 PL2) (@superlgn) [#3578]

2
src/common/core/modsecurity/files/coreruleset-v4/CONTRIBUTORS.md vendored
View file

@ -146,3 +146,5 @@
- [NiceYouKnow](https://github.com/NiceYouKnow)
- [floyd](https://github.com/floyd)
- [superlgn](https://github.com/superlgn)
- [TimDiam0nd](https://github.com/TimDiam0nd)
- [brentclark](https://github.com/brentclark)

54
src/common/core/modsecurity/files/coreruleset-v4/crs-setup.conf.example vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -181,7 +181,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.blocking_paranoia_level=1"
@ -209,7 +209,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.detection_paranoia_level=1"
@ -235,7 +235,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.enforce_bodyproc_urlencoded=1"
@ -270,7 +270,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.critical_anomaly_score=5,\
# setvar:tx.error_anomaly_score=4,\
# setvar:tx.warning_anomaly_score=3,\
@ -324,7 +324,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.inbound_anomaly_score_threshold=5,\
# setvar:tx.outbound_anomaly_score_threshold=4"
@ -385,7 +385,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.reporting_level=4"
@ -417,7 +417,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.early_blocking=1"
@ -438,7 +438,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.enable_default_collections=1"
@ -466,7 +466,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
# Content-Types that a client is allowed to send in a request.
@ -496,7 +496,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# nolog,\
# tag:'OWASP_CRS',\
# ctl:ruleRemoveById=920420,\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# chain"
# SecRule REQUEST_URI "@rx ^/foo/bar" \
# "t:none"
@ -510,7 +510,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
# Allowed HTTP versions.
@ -526,7 +526,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
# Forbidden file extensions.
@ -550,7 +550,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
# Restricted request headers.
@ -595,7 +595,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
#
# [ Extended ]
@ -621,7 +621,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:'tx.restricted_headers_extended=/accept-charset/'"
# Content-Types charsets that a client is allowed to send in a request.
@ -635,7 +635,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
#
@ -661,7 +661,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.max_num_args=255"
# Block request if the length of any argument name is too high
@ -675,7 +675,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.arg_name_length=100"
# Block request if the length of any argument value is too high
@ -689,7 +689,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.arg_length=400"
# Block request if the total length of all combined arguments is too high
@ -703,7 +703,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.total_arg_length=64000"
# Block request if the file size of any individual uploaded file is too high
@ -717,7 +717,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.max_file_size=1048576"
# Block request if the total size of all combined uploaded files is too high
@ -731,7 +731,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.combined_file_sizes=1048576"
@ -771,7 +771,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.sampling_percentage=100"
@ -792,7 +792,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.crs_validate_utf8_encoding=1"
@ -814,5 +814,5 @@ SecAction \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
setvar:tx.crs_setup_version=420"
ver:'OWASP_CRS/4.3.0',\
setvar:tx.crs_setup_version=430"

17
src/common/core/modsecurity/files/coreruleset-v4/docs/README vendored
View file

@ -1,17 +0,0 @@
Welcome to the OWASP Core Rule Set (CRS) documentation.
The latest version of the documentation can be read at:
https://coreruleset.org/docs/
The OWASP CRS documentation is generated by Hugo and is stored
in a separate Github repository:
https://github.com/coreruleset/documentation/
While the documentation is available as part of the CRS project,
it is provided in the form of a Git submodule. Using a Git
submodule allows us to update the documentation without making
changes to the main rule repository.
You can download the documentation using git:
git submodule update --init docs

10
src/common/core/modsecurity/files/coreruleset-v4/docs/README.md vendored Normal file
View file

@ -0,0 +1,10 @@
# Welcome to the OWASP CRS documentation.
The latest version of the documentation can be read at:
https://coreruleset.org/docs/
Documentation is generated by Hugo and is stored
in a separate Github repository:
https://github.com/coreruleset/documentation/

17
src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/951120.ra vendored Normal file
View file

@ -0,0 +1,17 @@
##! Please refer to the documentation at
##! https://coreruleset.org/docs/development/regex_assembly/.
##!+ i
##! ORA-04021: timeout occurred while waiting to lock object SYS.<package like UTL_FILE
\bORA-[0-9][0-9][0-9][0-9][0-9]:
java\.sql\.SQLException
Oracle error
##! Cannot initiate JDBC driver with class name oracle jdbc Oracle Driver
##! [informatica][Oracle JDBC Driver][Oracle]Connection refused
##! JDBC Driver class not found: oracle.jdbc.OracleDriver
Oracle[^()]{0,20}Driver
##! Warning</b>: oci_connect(): ...
Warning.{1,10}oci_.{1,30}
##! Warning</b>: ora_logon(): ...
Warning.{1,10}ora_.{1,20}

1
src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/951240.ra vendored
View file

@ -15,3 +15,4 @@ PG::[a-z]*Error
Supplied argument is not a valid PostgreSQL .*? resource
Unable to connect to PostgreSQL server
invalid input syntax for integer
org\.postgresql\.util\.PSQLException:

3
src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/exclude/unix-shell-fps-pl1.ra vendored
View file

@ -120,6 +120,9 @@ awk
awk@
aws
aws@
axel
axel@
axel~
basename
basename@
basename~

2
src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/unix-shell-4andup.ra vendored
View file

@ -433,7 +433,7 @@ run-parts
rview
rvim
sash@
sched
sched@
screen@
script@
sdiff

10
src/common/core/modsecurity/files/coreruleset-v4/renovate.json vendored Normal file
View file

@ -0,0 +1,10 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"local>coreruleset/renovate-config",
"schedule:weekly"
],
"enabledManagers": [
"docker-compose"
]
}

2
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#

68
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-901-INITIALIZATION.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -26,7 +26,7 @@
#
# Ref: https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#seccomponentsignature
#
SecComponentSignature "OWASP_CRS/4.2.0"
SecComponentSignature "OWASP_CRS/4.3.0"
#
# -=[ Default setup values ]=-
@ -60,7 +60,7 @@ SecRule &TX:crs_setup_version "@eq 0" \
auditlog,\
msg:'ModSecurity CRS is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL'"
@ -79,7 +79,7 @@ SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.inbound_anomaly_score_threshold=5'"
# Default Outbound Anomaly Threshold Level (rule 900110 in crs-setup.conf)
@ -89,7 +89,7 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.outbound_anomaly_score_threshold=4'"
# Default Reporting Level (rule 900115 in crs-setup.conf)
@ -99,7 +99,7 @@ SecRule &TX:reporting_level "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.reporting_level=4'"
# Default Early Blocking (rule 900120 in crs-setup.conf)
@ -109,7 +109,7 @@ SecRule &TX:early_blocking "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.early_blocking=0'"
# Default Blocking Paranoia Level (rule 900000 in crs-setup.conf)
@ -119,7 +119,7 @@ SecRule &TX:blocking_paranoia_level "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_paranoia_level=1'"
# Default Detection Paranoia Level (rule 900001 in crs-setup.conf)
@ -129,7 +129,7 @@ SecRule &TX:detection_paranoia_level "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_paranoia_level=%{TX.blocking_paranoia_level}'"
# Default Sampling Percentage (rule 900400 in crs-setup.conf)
@ -139,7 +139,7 @@ SecRule &TX:sampling_percentage "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.sampling_percentage=100'"
# Default Anomaly Scores (rule 900100 in crs-setup.conf)
@ -149,7 +149,7 @@ SecRule &TX:critical_anomaly_score "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.critical_anomaly_score=5'"
SecRule &TX:error_anomaly_score "@eq 0" \
@ -158,7 +158,7 @@ SecRule &TX:error_anomaly_score "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.error_anomaly_score=4'"
SecRule &TX:warning_anomaly_score "@eq 0" \
@ -167,7 +167,7 @@ SecRule &TX:warning_anomaly_score "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.warning_anomaly_score=3'"
SecRule &TX:notice_anomaly_score "@eq 0" \
@ -176,7 +176,7 @@ SecRule &TX:notice_anomaly_score "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.notice_anomaly_score=2'"
# Default HTTP policy: allowed_methods (rule 900200 in crs-setup.conf)
@ -186,7 +186,7 @@ SecRule &TX:allowed_methods "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
# Default HTTP policy: allowed_request_content_type (rule 900220 in crs-setup.conf)
@ -196,7 +196,7 @@ SecRule &TX:allowed_request_content_type "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
# Default HTTP policy: allowed_request_content_type_charset (rule 900280 in crs-setup.conf)
@ -206,7 +206,7 @@ SecRule &TX:allowed_request_content_type_charset "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
# Default HTTP policy: allowed_http_versions (rule 900230 in crs-setup.conf)
@ -216,7 +216,7 @@ SecRule &TX:allowed_http_versions "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
# Default HTTP policy: restricted_extensions (rule 900240 in crs-setup.conf)
@ -226,7 +226,7 @@ SecRule &TX:restricted_extensions "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
# Default HTTP policy: restricted_headers_basic (rule 900250 in crs-setup.conf)
@ -236,7 +236,7 @@ SecRule &TX:restricted_headers_basic "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
# Default HTTP policy: restricted_headers_extended (rule 900255 in crs-setup.conf)
@ -246,7 +246,7 @@ SecRule &TX:restricted_headers_extended "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.restricted_headers_extended=/accept-charset/'"
# Default enforcing of body processor URLENCODED (rule 900010 in crs-setup.conf)
@ -256,7 +256,7 @@ SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.enforce_bodyproc_urlencoded=0'"
# Default check for UTF8 encoding validation (rule 900950 in crs-setup.conf)
@ -266,7 +266,7 @@ SecRule &TX:crs_validate_utf8_encoding "@eq 0" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.crs_validate_utf8_encoding=0'"
#
@ -284,7 +284,7 @@ SecAction \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_inbound_anomaly_score=0',\
setvar:'tx.detection_inbound_anomaly_score=0',\
setvar:'tx.inbound_anomaly_score_pl1=0',\
@ -317,15 +317,19 @@ SecAction \
# IP collection is initialized with the IP address concatened with the hashed user agent.
# Disable collection initialization by default (see rule 900130 in crs-setup.conf)
# The creation of the IP and the GLOBAL collection is not being tested as
# of this writing due to limits in ftw and our testing setup.
# Proper testing would involve the checking of a variable in the said collections.
SecRule TX:ENABLE_DEFAULT_COLLECTIONS "@eq 1" \
"id:901320,\
phase:1,\
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.ua_hash=%{REQUEST_HEADERS.User-Agent}',\
chain"
SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \
SecRule TX:ua_hash "@unconditionalMatch" \
"t:none,t:sha1,t:hexEncode,\
initcol:global=global,\
initcol:ip=%{remote_addr}_%{MATCHED_VAR}"
@ -346,7 +350,7 @@ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
msg:'Enabling body inspection',\
tag:'OWASP_CRS',\
ctl:forceRequestBodyVariable=On,\
ver:'OWASP_CRS/4.2.0'"
ver:'OWASP_CRS/4.3.0'"
# Force body processor URLENCODED
SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
@ -358,7 +362,7 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
noauditlog,\
msg:'Enabling forced body inspection for ASCII content',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
chain"
SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
"ctl:requestBodyProcessor=URLENCODED"
@ -398,7 +402,7 @@ SecRule TX:sampling_percentage "@eq 100" \
pass,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
skipAfter:END-SAMPLING"
SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
@ -409,7 +413,7 @@ SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
t:sha1,t:hexEncode,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'"
#
@ -434,7 +438,7 @@ SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\
tag:'OWASP_CRS',\
ctl:ruleRemoveByTag=OWASP_CRS,\
ver:'OWASP_CRS/4.2.0'"
ver:'OWASP_CRS/4.3.0'"
SecMarker "END-SAMPLING"
@ -453,4 +457,4 @@ SecRule TX:detection_paranoia_level "@lt %{tx.blocking_paranoia_level}" \
log,\
msg:'Detection paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0'"
ver:'OWASP_CRS/4.3.0'"

6
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-905-COMMON-EXCEPTIONS.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -25,7 +25,7 @@ SecRule REQUEST_LINE "@streq GET /" \
tag:'platform-apache',\
tag:'attack-generic',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
chain"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
"t:none,\
@ -46,7 +46,7 @@ SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
tag:'platform-apache',\
tag:'attack-generic',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
chain"
SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \
"t:none,\

20
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-911-METHOD-ENFORCEMENT.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -39,31 +39,31 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/274',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

20
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-913-SCANNER-DETECTION.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -51,29 +51,29 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

138
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -23,8 +23,8 @@
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -64,7 +64,7 @@ SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\x0b#]*)?(?:#[^\s\x0b]*)
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -119,7 +119,7 @@ SecRule FILES|FILES_NAMES "!@rx (?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[a
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -148,7 +148,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -182,7 +182,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \
@ -207,7 +207,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
@ -247,7 +247,7 @@ SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
chain"
SecRule REQUEST_METHOD "@streq POST" \
@ -277,7 +277,7 @@ SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
chain"
SecRule &REQUEST_HEADERS:Content-Length "!@eq 0" \
@ -315,7 +315,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
chain"
SecRule TX:2 "@lt %{tx.1}" \
@ -347,7 +347,7 @@ SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -388,7 +388,7 @@ SecRule REQUEST_URI_RAW "@rx \x25" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_URI_RAW "@rx ^(.*)/(?:[^\?]+)?(\?.*)?$" \
@ -422,7 +422,7 @@ SecRule REQUEST_BASENAME "!@rx ^.*%.*\.[^\s\x0b\.]+$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule TX:0 "@validateUrlEncoding" \
@ -453,7 +453,7 @@ SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
chain"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \
@ -497,7 +497,7 @@ SecRule REQUEST_URI|REQUEST_BODY "@rx (?i)%uff[0-9a-f]{2}" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -553,7 +553,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -585,7 +585,7 @@ SecRule &REQUEST_HEADERS:Host "@eq 0" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
skipAfter:END-HOST-CHECK"
@ -604,7 +604,7 @@ SecRule REQUEST_HEADERS:Host "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -644,7 +644,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'NOTICE',\
chain"
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@ -669,7 +669,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'NOTICE',\
chain"
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@ -702,7 +702,7 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'NOTICE',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
@ -739,7 +739,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'NOTICE',\
chain"
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@ -784,7 +784,7 @@ SecRule REQUEST_HEADERS:Host "@rx (?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -816,7 +816,7 @@ SecRule &TX:MAX_NUM_ARGS "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule &ARGS "@gt %{tx.max_num_args}" \
@ -841,7 +841,7 @@ SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" \
@ -868,7 +868,7 @@ SecRule &TX:ARG_LENGTH "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule ARGS "@gt %{tx.arg_length}" \
@ -892,7 +892,7 @@ SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" \
@ -917,7 +917,7 @@ SecRule &TX:MAX_FILE_SIZE "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
@ -943,7 +943,7 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \
@ -983,7 +983,7 @@ SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+*-]+(?:\s?;\s?(?:action|bounda
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1006,7 +1006,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.content_type=|%{tx.0}|',\
chain"
@ -1034,7 +1034,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.content_type_charset=|%{tx.1}|',\
chain"
@ -1061,7 +1061,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1083,7 +1083,7 @@ SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1106,12 +1106,12 @@ SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.extension=.%{tx.1}/',\
chain"
SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" \
"t:none,t:urlDecodeUni,t:lowercase,\
"t:none,t:lowercase,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
@ -1133,7 +1133,7 @@ SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1187,7 +1187,7 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.header_name_920450_%{tx.0}=/%{tx.0}/',\
chain"
@ -1221,7 +1221,7 @@ SecRule REQUEST_HEADERS:Accept-Encoding "@gt 100" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1253,7 +1253,7 @@ SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1276,7 +1276,7 @@ SecRule REQBODY_PROCESSOR "!@streq JSON" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?i)\x5cu[0-9a-f]{4}" \
@ -1300,7 +1300,7 @@ SecRule REQUEST_URI_RAW "@contains #" \
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1332,13 +1332,13 @@ SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -1377,7 +1377,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
chain"
SecRule REQUEST_BASENAME "!@endsWith .pdf" \
@ -1401,7 +1401,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
chain"
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \
@ -1422,7 +1422,7 @@ SecRule ARGS "@rx %[0-9a-fA-F]{2}" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/120',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
@ -1444,7 +1444,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1471,7 +1471,7 @@ SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'NOTICE',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.notice_anomaly_score}'"
@ -1493,7 +1493,7 @@ SecRule FILES_NAMES|FILES "@rx ['\";=]" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1518,7 +1518,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@ -1545,7 +1545,7 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.header_name_920451_%{tx.0}=/%{tx.0}/',\
chain"
@ -1572,7 +1572,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
chain"
SecRule REQUEST_BODY "@rx \x25" \
@ -1580,8 +1580,8 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded
SecRule REQUEST_BODY "@validateUrlEncoding" \
"setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
@ -1606,7 +1606,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteR
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -1640,7 +1640,7 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'NOTICE',\
chain"
SecRule REQUEST_METHOD "!@rx ^(?:OPTIONS|CONNECT)$" \
@ -1673,7 +1673,7 @@ SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \
@ -1726,7 +1726,7 @@ SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:\s*\,\s*|$)){1,7}$" \
@ -1757,12 +1757,12 @@ SecRule REQUEST_HEADERS:Accept-Encoding "!@rx br|compress|deflate|(?:pack200-)?g
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
@ -1785,7 +1785,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
chain"
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
@ -1812,7 +1812,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@ -1833,7 +1833,7 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@ -1859,7 +1859,7 @@ SecRule REQUEST_HEADERS:Sec-Fetch-User|REQUEST_HEADERS:Sec-CH-UA-Mobile "!@rx ^(
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@ -1903,7 +1903,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\x5c])\x5c[cdegh
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/153/267',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"

52
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-921-PROTOCOL-ATTACK.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -46,7 +46,7 @@ SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connec
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -78,7 +78,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/34',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -99,7 +99,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/34',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -133,7 +133,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/273',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -161,7 +161,7 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -182,7 +182,7 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -208,7 +208,7 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/34',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -241,7 +241,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/136',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -274,7 +274,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?(?:applicati
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -300,13 +300,13 @@ SecRule REQUEST_URI "@rx unix:[^|]*\|" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -333,7 +333,7 @@ SecRule ARGS_GET "@rx [\n\r]" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -369,13 +369,13 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?\b(?:((?:tex
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
@ -405,7 +405,7 @@ SecRule &REQUEST_HEADERS:Range "@gt 0" \
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -439,7 +439,7 @@ SecRule ARGS_NAMES "@rx ." \
tag:'attack-protocol',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/15/460',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
SecRule TX:/paramcounter_.*/ "@gt 1" \
@ -455,7 +455,7 @@ SecRule TX:/paramcounter_.*/ "@gt 1" \
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/15/460',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \
@ -500,15 +500,15 @@ SecRule ARGS_NAMES "@rx (][^\]]+$|][^\]]+\[)" \
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/15/460',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
@ -548,7 +548,7 @@ SecRule ARGS_NAMES "@rx \[" \
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/15/460',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"

8
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-922-MULTIPART-ATTACK.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -38,7 +38,7 @@ SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.922100_charset=|%{ARGS._charset_}|',\
chain"
@ -69,7 +69,7 @@ SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*:\s*(.*)$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/272/220',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule TX:1 "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*(?:[\s\x0b]*,[\s\x0b]*(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*)*$" \
@ -92,6 +92,6 @@ SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/272/220',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

28
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -47,7 +47,7 @@ SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
@ -79,7 +79,7 @@ SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@ -110,7 +110,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
tag:'PCI/6.5.4',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -137,15 +137,15 @@ SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
tag:'PCI/6.5.4',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -175,22 +175,22 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@pmFromFile lfi-os-f
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
tag:'PCI/6.5.4',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

28
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -17,8 +17,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -49,7 +49,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?)://(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -69,7 +69,7 @@ SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_abso
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -89,15 +89,15 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -128,7 +128,7 @@ SecRule ARGS "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|it
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
chain"
@ -158,7 +158,7 @@ SecRule REQUEST_FILENAME "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
chain"
@ -167,16 +167,16 @@ SecRule REQUEST_FILENAME "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

118
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf vendored
View file

File diff suppressed because one or more lines are too long

78
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -59,7 +59,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -100,7 +100,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -116,7 +116,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
capture,\
t:none,t:normalisePath,\
msg:'PHP Injection Attack: Configuration Directive Found',\
logdata:'Matched Data: %{TX.933120_TX_0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
logdata:'Matched Data: %{TX.1} found within %{TX.933120_MATCHED_VAR_NAME}: %{TX.933120_MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
@ -124,14 +124,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.933120_tx_0=%{tx.0}',\
setvar:'tx.933120_matched_var=%{MATCHED_VAR}',\
setvar:'tx.933120_matched_var_name=%{MATCHED_VAR_NAME}',\
chain"
SecRule MATCHED_VARS "@pm =" \
SecRule MATCHED_VARS "@rx \b([^\s]+)\s*=" \
"capture,\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
chain"
SecRule TX:1 "@pmFromFile php-config-directives.data" \
"setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
@ -152,7 +155,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -188,7 +191,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -224,7 +227,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -291,7 +294,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -343,7 +346,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -398,7 +401,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -453,7 +456,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -500,13 +503,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -535,7 +538,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
capture,\
t:none,\
msg:'PHP Injection Attack: Medium-Risk PHP Function Name Found',\
logdata:'Matched Data: %{TX.933151_TX_0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
logdata:'Matched Data: %{TX.1} found within %{TX.933151_MATCHED_VAR_NAME}: %{TX.933151_MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-php',\
tag:'platform-multi',\
@ -543,20 +546,23 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.933151_tx_0=%{tx.0}',\
setvar:'tx.933151_matched_var=%{MATCHED_VAR}',\
setvar:'tx.933151_matched_var_name=%{MATCHED_VAR_NAME}',\
chain"
SecRule MATCHED_VARS "@pm (" \
SecRule MATCHED_VARS "@rx \b([^\s]+)\s*[(]" \
"capture,\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
chain"
SecRule TX:1 "@pmFromFile php-function-names-933151.data" \
"setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
@ -598,7 +604,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -642,7 +648,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -684,7 +690,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -713,7 +719,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -748,14 +754,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

36
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -65,7 +65,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@ -100,7 +100,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/664',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -135,7 +135,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1/180/77',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@ -167,7 +167,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -198,7 +198,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@ -228,13 +228,13 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -256,7 +256,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@ -308,7 +308,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/664',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -340,20 +340,20 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

91
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -62,7 +62,7 @@ SecRule REQUEST_FILENAME "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-12
nolog,\
tag:'OWASP_CRS',\
ctl:ruleRemoveTargetByTag=xss-perf-disable;REQUEST_FILENAME,\
ver:'OWASP_CRS/4.2.0'"
ver:'OWASP_CRS/4.3.0'"
#
@ -94,7 +94,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -121,7 +121,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -151,7 +151,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -180,7 +180,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -213,7 +213,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -238,7 +238,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -265,7 +265,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -292,7 +292,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -314,7 +314,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -336,7 +336,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -358,7 +358,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -380,7 +380,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -402,7 +402,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -424,7 +424,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -446,7 +446,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -468,7 +468,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -490,7 +490,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -512,7 +512,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -534,7 +534,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -594,12 +594,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?:\xbc\s*/\s*[^\xbe>]*[\xbe>])|(?:<\s*/\s*[^\xbe]*\xbe)" \
"t:none,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
SecRule MATCHED_VARS "@rx (?:\xbc\s*/\s*[^\xbe>]*[\xbe>])|(?:<\s*/\s*[^\xbe]*\xbe)" \
"setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
@ -624,7 +623,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -666,7 +665,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -694,7 +693,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|REQU
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -726,7 +725,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -756,14 +755,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -787,7 +786,7 @@ SecRule REQUEST_FILENAME|REQUEST_HEADERS:Referer "@detectXSS" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -821,7 +820,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -847,7 +846,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -875,7 +874,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -963,7 +962,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
tag:'PCI/6.5.1',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -985,7 +984,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'PCI/6.5.1',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1010,7 +1009,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'PCI/6.5.1',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1043,23 +1042,23 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

142
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -59,7 +59,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@ -90,7 +90,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -123,7 +123,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -166,7 +166,7 @@ SecRule REQUEST_BASENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -192,7 +192,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -218,7 +218,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -242,7 +242,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -268,7 +268,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -294,7 +294,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -315,7 +315,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -336,7 +336,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -362,7 +362,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -388,7 +388,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -417,7 +417,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -443,7 +443,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -482,7 +482,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -523,7 +523,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@ -560,7 +560,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -589,7 +589,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -618,14 +618,14 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -658,7 +658,7 @@ SecRule ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)!=|&&|\|\||>[=>]|<(?:<|
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -699,7 +699,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\x0b\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.942130_matched_var_name=%{matched_var_name}',\
chain"
@ -735,7 +735,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\x0b\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.942131_matched_var_name=%{matched_var_name}',\
@ -772,7 +772,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -815,7 +815,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -844,7 +844,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -873,7 +873,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -899,7 +899,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -925,7 +925,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -951,7 +951,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -985,7 +985,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1014,7 +1014,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1039,7 +1039,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1069,7 +1069,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1101,7 +1101,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1127,7 +1127,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1153,7 +1153,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1179,7 +1179,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1210,7 +1210,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1239,7 +1239,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1268,7 +1268,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1309,7 +1309,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@ -1327,7 +1327,7 @@ SecRule ARGS_GET:fbclid "@rx [a-zA-Z0-9_-]{61,61}" \
nolog,\
tag:'OWASP_CRS',\
ctl:ruleRemoveTargetById=942440;ARGS:fbclid,\
ver:'OWASP_CRS/4.2.0'"
ver:'OWASP_CRS/4.3.0'"
#
# -=[ Exclusion rule for 942440 ]=-
@ -1342,7 +1342,7 @@ SecRule ARGS_GET:gclid "@rx [a-zA-Z0-9_-]{91,91}" \
nolog,\
tag:'OWASP_CRS',\
ctl:ruleRemoveTargetById=942440;ARGS:gclid,\
ver:'OWASP_CRS/4.2.0'"
ver:'OWASP_CRS/4.3.0'"
#
# -=[ Detect SQL Comment Sequences ]=-
@ -1396,7 +1396,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS "!@rx ^ey[\-0-9A-Z_a-z]+\.ey[\-0-9A-Z_a-z]+\.[\-0-9A-Z_a-z]+$" \
@ -1427,7 +1427,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1474,7 +1474,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1501,7 +1501,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1534,7 +1534,7 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.942521_matched_var_name=%{matched_var_name}',\
chain"
@ -1562,7 +1562,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ^.*?\x5c['\"`](?:.*?['\"`])?\s*(?:and|or)\b"
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1600,7 +1600,7 @@ SecRule REQUEST_BASENAME|REQUEST_FILENAME "@detectSQLi" \
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1632,7 +1632,7 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)\b(?:a(?:dd(
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1662,15 +1662,15 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)create[\s\x0
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
@ -1702,7 +1702,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -1726,7 +1726,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -1766,7 +1766,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@ -1795,7 +1795,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@ -1825,7 +1825,7 @@ SecRule ARGS "@rx \W{4}" \
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}'"
@ -1873,7 +1873,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -1902,14 +1902,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
@ -1936,7 +1936,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@ -1965,7 +1965,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"

24
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -43,7 +43,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/21/593/61',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -64,7 +64,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/21/593/61',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.943110_matched_var_name=%{matched_var_name}',\
chain"
@ -91,7 +91,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/21/593/61',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.943120_matched_var_name=%{matched_var_name}',\
chain"
@ -102,24 +102,24 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

46
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -13,8 +13,8 @@
#
# Many rules check request bodies, use "SecRequestBodyAccess On" to enable it on main modsecurity configuration file.
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -46,7 +46,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -79,7 +79,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \
@ -104,7 +104,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
@ -136,7 +136,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -174,7 +174,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -222,14 +222,14 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -260,7 +260,7 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -292,7 +292,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -313,7 +313,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -334,7 +334,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -358,7 +358,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -383,14 +383,14 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
@ -417,14 +417,14 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
@ -453,7 +453,7 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"

58
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-949-BLOCKING-EVALUATION.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -24,7 +24,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
@ -34,7 +34,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
@ -44,7 +44,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
@ -54,7 +54,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
@ -64,7 +64,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
@ -74,7 +74,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
@ -84,7 +84,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
@ -94,7 +94,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
# at start of phase 2, we reset the aggregate scores to 0 to prevent duplicate counting of per-PL scores
@ -106,7 +106,7 @@ SecAction \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_inbound_anomaly_score=0'"
SecAction \
@ -116,7 +116,7 @@ SecAction \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_inbound_anomaly_score=0'"
# Summing up the blocking and detection anomaly scores in phase 2
@ -128,7 +128,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
@ -138,7 +138,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
@ -148,7 +148,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
@ -158,7 +158,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
@ -168,7 +168,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
@ -178,7 +178,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
@ -188,7 +188,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
@ -198,7 +198,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
@ -217,7 +217,7 @@ SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_thresh
msg:'Inbound Anomaly Score Exceeded in phase 1 (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
tag:'anomaly-evaluation',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
chain"
SecRule TX:EARLY_BLOCKING "@eq 1"
@ -230,34 +230,34 @@ SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_thresh
msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
tag:'anomaly-evaluation',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0'"
ver:'OWASP_CRS/4.3.0'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

24
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-950-DATA-LEAKAGES.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -23,8 +23,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -48,7 +48,7 @@ SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Inde
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54/127',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -80,13 +80,13 @@ SecRule RESPONSE_BODY "@rx ^#\!\s?/" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -110,22 +110,22 @@ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
tag:'OWASP_CRS',\
tag:'capec/1000/152',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

61
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -38,7 +38,7 @@ SecRule RESPONSE_BODY "!@pmFromFile sql-errors.data" \
tag:'attack-disclosure',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
skipAfter:END-SQL-ERROR-MATCH-PL1"
SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
@ -56,12 +56,17 @@ SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Micr
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" \
# Regular expression generated from regex-assembly/951120.ra.
# To update the regular expression run the following shell script
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 951120
#
SecRule RESPONSE_BODY "@rx (?i)\bORA-[0-9][0-9][0-9][0-9][0-9]:|java\.sql\.SQLException|Oracle(?: erro|[^\(\)]{0,20}Drive)r|Warning.{1,10}o(?:ci_.{1,30}|ra_.{1,20})" \
"id:951120,\
phase:4,\
block,\
@ -76,7 +81,7 @@ SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -96,7 +101,7 @@ SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -116,7 +121,7 @@ SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinit
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -136,7 +141,7 @@ SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -156,7 +161,7 @@ SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollba
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -176,7 +181,7 @@ SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -196,7 +201,7 @@ SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statem
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -216,7 +221,7 @@ SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -236,7 +241,7 @@ SecRule RESPONSE_BODY "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -256,7 +261,7 @@ SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -276,7 +281,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsof
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -301,7 +306,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -311,7 +316,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 951240
#
SecRule RESPONSE_BODY "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|pg_(?:query|exec)\(\) \[:|Warning.{1,20}\bpg_.*|valid PostgreSQL result|Npgsql\.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er" \
SecRule RESPONSE_BODY "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|(?:pg_(?:query|exec)\(\) \[|org\.postgresql\.util\.PSQLException):|Warning.{1,20}\bpg_.*|valid PostgreSQL result|Npgsql\.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er" \
"id:951240,\
phase:4,\
block,\
@ -326,7 +331,7 @@ SecRule RESPONSE_BODY "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -346,7 +351,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/J
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -366,7 +371,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*S
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -374,24 +379,24 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*S
SecMarker "END-SQL-ERROR-MATCH-PL1"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

22
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -39,7 +39,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -64,30 +64,30 @@ SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

26
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -39,7 +39,7 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -64,7 +64,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -90,13 +90,13 @@ SecRule RESPONSE_BODY "@rx (?i)<\?(?:=|php)?\s+" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -123,21 +123,21 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors-pl2.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

26
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -37,7 +37,7 @@ SecRule RESPONSE_BODY "@rx [a-z]:\x5cinetpub\b" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -58,7 +58,7 @@ SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:</font>
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -82,7 +82,7 @@ SecRule RESPONSE_BODY "@pmFromFile iis-errors.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -104,7 +104,7 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'ERROR',\
chain"
SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \
@ -114,24 +114,24 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

74
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-955-WEB-SHELLS.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. (not) All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -36,7 +36,7 @@ SecRule RESPONSE_BODY "@pmFromFile web-shells-php.data" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -55,7 +55,7 @@ SecRule RESPONSE_BODY "@rx (<title>r57 Shell Version [0-9.]+</title>|<title>r57
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -74,7 +74,7 @@ SecRule RESPONSE_BODY "@rx ^<html><head><meta http-equiv='Content-Type' content=
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -93,7 +93,7 @@ SecRule RESPONSE_BODY "@rx B4TM4N SH3LL</title>.*<meta name='author' content='k4
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -112,7 +112,7 @@ SecRule RESPONSE_BODY "@rx <title>Mini Shell</title>.*Developed By LameHacker" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -131,7 +131,7 @@ SecRule RESPONSE_BODY "@rx <title>\.:: .* ~ Ashiyane V [0-9.]+ ::\.</title>" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -150,7 +150,7 @@ SecRule RESPONSE_BODY "@rx <title>Symlink_Sa [0-9.]+</title>" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -169,7 +169,7 @@ SecRule RESPONSE_BODY "@rx <title>CasuS [0-9.]+ by MafiABoY</title>" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -188,7 +188,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<title>GRP WebShell [0-9.]+ " \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -207,7 +207,7 @@ SecRule RESPONSE_BODY "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>\n$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -226,7 +226,7 @@ SecRule RESPONSE_BODY "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ - "
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -245,7 +245,7 @@ SecRule RESPONSE_BODY "@rx ^<!DOCTYPE html>\n<html>\n<!-- By Artyum .*<title>Web
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -264,7 +264,7 @@ SecRule RESPONSE_BODY "@rx <title>lama's'hell v. [0-9.]+</title>" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -283,7 +283,7 @@ SecRule RESPONSE_BODY "@rx ^ *<html>\n[ ]+<head>\n[ ]+<title>lostDC - " \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -302,7 +302,7 @@ SecRule RESPONSE_BODY "@rx ^<title>PHP Web Shell</title>\r\n<html>\r\n<body>\r\n
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -321,12 +321,14 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<div align=\"left\"><font size=\"1\"
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Ru24PostWebShell web shell
SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<title>Ru24PostWebShell - " \
# Removed '- ' from the end of the pattern so this file won't get detected as
# malware by Windows Defender.
SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<title>Ru24PostWebShell " \
"id:955260,\
phase:4,\
block,\
@ -340,7 +342,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<title>Ru24PostWebShell - " \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -359,7 +361,7 @@ SecRule RESPONSE_BODY "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -378,7 +380,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<meta http-equiv=\"Content-Type\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -397,7 +399,7 @@ SecRule RESPONSE_BODY "@rx ^ <html>\n\n<head>\n\n<title>g00nshell v[0-9.]+ " \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -418,7 +420,7 @@ SecRule RESPONSE_BODY "@contains <title>punkholicshell</title>" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -437,7 +439,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\n <head>\n <title>azrail [0-
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -456,7 +458,7 @@ SecRule RESPONSE_BODY "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -475,7 +477,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<title>.*? ~ Shell I</title>\n<head>\n<style
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -494,14 +496,14 @@ SecRule RESPONSE_BODY "@rx ^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -522,20 +524,20 @@ SecRule RESPONSE_BODY "@contains <h1 style=\"margin-bottom: 0\">webadmin.php</h1
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

58
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-959-BLOCKING-EVALUATION.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -35,7 +35,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
@ -45,7 +45,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
@ -55,7 +55,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
@ -65,7 +65,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
@ -75,7 +75,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
@ -85,7 +85,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
@ -95,7 +95,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
@ -105,7 +105,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
# at start of phase 4, we reset the aggregate scores to 0 to prevent duplicate counting of per-PL scores
@ -117,7 +117,7 @@ SecAction \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_outbound_anomaly_score=0'"
SecAction \
@ -127,7 +127,7 @@ SecAction \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_outbound_anomaly_score=0'"
SecMarker "EARLY_BLOCKING_ANOMALY_SCORING"
@ -141,7 +141,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
@ -151,7 +151,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
@ -161,7 +161,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
@ -171,7 +171,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
@ -181,7 +181,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
@ -191,7 +191,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
@ -201,7 +201,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
@ -211,7 +211,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
#
@ -227,7 +227,7 @@ SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_thre
msg:'Outbound Anomaly Score Exceeded in phase 3 (Total Score: %{tx.blocking_outbound_anomaly_score})',\
tag:'anomaly-evaluation',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
chain"
SecRule TX:EARLY_BLOCKING "@eq 1"
@ -240,34 +240,34 @@ SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_thre
msg:'Outbound Anomaly Score Exceeded (Total Score: %{tx.blocking_outbound_anomaly_score})',\
tag:'anomaly-evaluation',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0'"
ver:'OWASP_CRS/4.3.0'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

44
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-980-CORRELATION.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -28,7 +28,7 @@ SecAction \
nolog,\
noauditlog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
ver:'OWASP_CRS/4.3.0',\
setvar:'tx.blocking_anomaly_score=%{tx.blocking_inbound_anomaly_score}',\
setvar:'tx.blocking_anomaly_score=+%{tx.blocking_outbound_anomaly_score}',\
setvar:'tx.detection_anomaly_score=%{tx.detection_inbound_anomaly_score}',\
@ -41,33 +41,33 @@ SecAction \
#
# -= Reporting Level 0 =- (Skip over reporting when tx.reporting_level is 0)
SecRule TX:REPORTING_LEVEL "@eq 0" "id:980041,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REPORTING"
SecRule TX:REPORTING_LEVEL "@eq 0" "id:980041,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REPORTING"
# -= Reporting Level 5 =- (Jump to reporting rule immediately when tx.reporting_level is 5 or greater)
SecRule TX:REPORTING_LEVEL "@ge 5" "id:980042,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:LOG-REPORTING"
SecRule TX:REPORTING_LEVEL "@ge 5" "id:980042,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:LOG-REPORTING"
# -= Zero detection score =- (Skip over reporting when sum of inbound and outbound detection score is equal to 0)
SecRule TX:DETECTION_ANOMALY_SCORE "@eq 0" "id:980043,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REPORTING"
SecRule TX:DETECTION_ANOMALY_SCORE "@eq 0" "id:980043,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REPORTING"
# -= Blocking score exceeds threshold =- (Jump to reporting rule immediately if a blocking score exceeds a threshold)
SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980044,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:LOG-REPORTING"
SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980045,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:LOG-REPORTING"
SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980044,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:LOG-REPORTING"
SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980045,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:LOG-REPORTING"
# -= Reporting Level 2 =- (Skip over reporting when tx.reporting_level is less than 2)
SecRule TX:REPORTING_LEVEL "@lt 2" "id:980046,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REPORTING"
SecRule TX:REPORTING_LEVEL "@lt 2" "id:980046,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REPORTING"
# -= Detection score exceeds threshold =- (Jump to reporting rule immediately if a detection score exceeds a threshold)
SecRule TX:DETECTION_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980047,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:LOG-REPORTING"
SecRule TX:DETECTION_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980048,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:LOG-REPORTING"
SecRule TX:DETECTION_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980047,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:LOG-REPORTING"
SecRule TX:DETECTION_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980048,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:LOG-REPORTING"
# -= Reporting Level 3 =- (Skip over reporting when tx.reporting_level is less than 3)
SecRule TX:REPORTING_LEVEL "@lt 3" "id:980049,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REPORTING"
SecRule TX:REPORTING_LEVEL "@lt 3" "id:980049,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REPORTING"
# -= Blocking score greater than zero =- (Jump to reporting rule immediately when sum of inbound and outbound blocking score is greater than zero)
SecRule TX:BLOCKING_ANOMALY_SCORE "@gt 0" "id:980050,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:LOG-REPORTING"
SecRule TX:BLOCKING_ANOMALY_SCORE "@gt 0" "id:980050,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:LOG-REPORTING"
# -= Reporting Level 4 =- (Skip over reporting when tx.reporting_level is less than 4)
SecRule TX:REPORTING_LEVEL "@lt 4" "id:980051,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-REPORTING"
SecRule TX:REPORTING_LEVEL "@lt 4" "id:980051,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-REPORTING"
# At this point, the reporting level is 4 and there's a non-zero detection
# score (already established by rule 980043) so fall through to the reporting
@ -95,37 +95,37 @@ SecAction \
(SQLI=%{tx.sql_injection_score}, XSS=%{tx.xss_score}, RFI=%{tx.rfi_score}, LFI=%{tx.lfi_score}, RCE=%{tx.rce_score}, PHPI=%{tx.php_injection_score}, HTTP=%{tx.http_violation_score}, SESS=%{tx.session_fixation_score}, COMBINED_SCORE=%{tx.anomaly_score})',\
tag:'reporting',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0'"
ver:'OWASP_CRS/4.3.0'"
SecMarker "END-REPORTING"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.2.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.3.0',skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

2
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#

2
src/common/core/modsecurity/files/coreruleset-v4/rules/php-config-directives.data vendored
View file

@ -11,7 +11,7 @@
#
# Small post-processing is needed to remove numbers coming from a column,
# and `*` chars (e.g. `pdo.dsn.*`).
# Also removed single words like `engine`, `extension`, `from` and `precision`, to prevent FP.
# Also removed single words like `from` to prevent FP.
#
# Example usage:
# `xidel https://www.php.net/manual/en/ini.core.php https://www.php.net/manual/en/ini.list.php --xpath '//table/tbody/tr/td[1]' | sort | uniq`

4
src/common/core/modsecurity/files/coreruleset-v4/rules/scanners-user-agents.data vendored
View file

@ -57,6 +57,10 @@ masscan
morfeus
# The Mysterious Mozlila User Agent bot
# https://trunc.org/learning/the-mozlila-user-agent-bot
Mozlila
# Nessus
# http://www.tenable.com/products/nessus-vulnerability-scanner
nessus

54
src/common/core/modsecurity/files/crs-setup-v4.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.2.0
# OWASP CRS ver.4.3.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -181,7 +181,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.blocking_paranoia_level=1"
@ -209,7 +209,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.detection_paranoia_level=1"
@ -235,7 +235,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.enforce_bodyproc_urlencoded=1"
@ -270,7 +270,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.critical_anomaly_score=5,\
# setvar:tx.error_anomaly_score=4,\
# setvar:tx.warning_anomaly_score=3,\
@ -324,7 +324,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.inbound_anomaly_score_threshold=5,\
# setvar:tx.outbound_anomaly_score_threshold=4"
@ -385,7 +385,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.reporting_level=4"
@ -417,7 +417,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.early_blocking=1"
@ -438,7 +438,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.enable_default_collections=1"
@ -466,7 +466,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
# Content-Types that a client is allowed to send in a request.
@ -496,7 +496,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# nolog,\
# tag:'OWASP_CRS',\
# ctl:ruleRemoveById=920420,\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# chain"
# SecRule REQUEST_URI "@rx ^/foo/bar" \
# "t:none"
@ -510,7 +510,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
# Allowed HTTP versions.
@ -526,7 +526,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
# Forbidden file extensions.
@ -550,7 +550,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
# Restricted request headers.
@ -595,7 +595,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
#
# [ Extended ]
@ -621,7 +621,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:'tx.restricted_headers_extended=/accept-charset/'"
# Content-Types charsets that a client is allowed to send in a request.
@ -635,7 +635,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
#
@ -661,7 +661,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.max_num_args=255"
# Block request if the length of any argument name is too high
@ -675,7 +675,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.arg_name_length=100"
# Block request if the length of any argument value is too high
@ -689,7 +689,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.arg_length=400"
# Block request if the total length of all combined arguments is too high
@ -703,7 +703,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.total_arg_length=64000"
# Block request if the file size of any individual uploaded file is too high
@ -717,7 +717,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.max_file_size=1048576"
# Block request if the total size of all combined uploaded files is too high
@ -731,7 +731,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.combined_file_sizes=1048576"
@ -771,7 +771,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.sampling_percentage=100"
@ -792,7 +792,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.2.0',\
# ver:'OWASP_CRS/4.3.0',\
# setvar:tx.crs_validate_utf8_encoding=1"
@ -814,5 +814,5 @@ SecAction \
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.2.0',\
setvar:tx.crs_setup_version=420"
ver:'OWASP_CRS/4.3.0',\
setvar:tx.crs_setup_version=430"

4
src/common/core/modsecurity/misc/versions.json
View file

@ -9,9 +9,9 @@
},
{
"id": "coreruleset-v4",
"name": "Coreruleset v4.2.0",
"name": "Coreruleset v4.3.0",
"url": "https://github.com/coreruleset/coreruleset.git",
"commit": "666b722cc97f0545c2627351cc815107ffe18fba",
"commit": "386f8db6e5f21ed8f0dc9fe8d15d4f59dd213d7a",
"post_install": "rm -rf files/coreruleset-v4/tests && cp files/coreruleset-v4/crs-setup.conf.example files/crs-setup-v4.conf"
}
]

9
src/common/core/ui/confs/default-server-http/ui.conf
View file

@ -1,4 +1,13 @@
{% if UI_HOST != "" and not has_variable(all, "USE_UI", "yes") +%}
access_by_lua_block {
local ngx_var = ngx.var
local scheme = ngx_var.scheme
local http_host = ngx_var.http_host
local request_uri = ngx_var.request_uri
if scheme == "http" and http_host ~= nil and http_host ~= "" and request_uri and request_uri ~= "" then
return ngx.redirect("https://" .. http_host .. request_uri, ngx.HTTP_MOVED_PERMANENTLY)
end
}
location /setup {
etag off;
add_header Last-Modified "";

337
src/common/db/Database.py
View file

@ -12,7 +12,7 @@ from re import compile as re_compile
from sys import argv, path as sys_path
from typing import Any, Dict, List, Literal, Optional, Tuple, Union
from time import sleep
from traceback import format_exc
from uuid import uuid4
from zipfile import ZIP_DEFLATED, ZipFile
from model import (
@ -45,6 +45,7 @@ from sqlalchemy.engine import Engine
from sqlalchemy.exc import (
ArgumentError,
DatabaseError,
IntegrityError,
OperationalError,
ProgrammingError,
SQLAlchemyError,
@ -136,8 +137,8 @@ class Database:
except ArgumentError:
self.logger.error(f"Invalid database URI: {sqlalchemy_string}")
error = True
except SQLAlchemyError:
self.logger.error(f"Error when trying to create the engine: {format_exc()}")
except SQLAlchemyError as e:
self.logger.error(f"Error when trying to create the engine: {e}")
error = True
finally:
if error:
@ -149,8 +150,16 @@ class Database:
self.logger.error("The database engine is not initialized")
_exit(1)
DATABASE_RETRY_TIMEOUT = getenv("DATABASE_RETRY_TIMEOUT", "60")
if not DATABASE_RETRY_TIMEOUT.isdigit():
self.logger.warning(f"Invalid DATABASE_RETRY_TIMEOUT value: {DATABASE_RETRY_TIMEOUT}, using default value (60)")
DATABASE_RETRY_TIMEOUT = "60"
DATABASE_RETRY_TIMEOUT = int(DATABASE_RETRY_TIMEOUT)
current_time = datetime.now()
not_connected = True
retries = 15
fallback = False
while not_connected:
try:
@ -159,42 +168,39 @@ class Database:
conn.execute(text("SELECT 1"))
else:
with self.sql_engine.connect() as conn:
conn.execute(text("CREATE TABLE IF NOT EXISTS test (id INT)"))
conn.execute(text("DROP TABLE test"))
table_name = uuid4().hex
conn.execute(text(f"CREATE TABLE IF NOT EXISTS test_{table_name} (id INT)"))
conn.execute(text(f"DROP TABLE IF EXISTS test_{table_name}"))
not_connected = False
except (OperationalError, DatabaseError) as e:
if retries <= 0:
if "attempt to write a readonly database" in str(e):
if not self.readonly:
self.logger.warning("The database is read-only, trying one last time to connect in read-only mode")
self.readonly = True
self.last_fallback = datetime.now()
elif self.database_uri_readonly and sqlalchemy_string != self.database_uri_readonly:
self.logger.warning("Can't connect to the database in read-only mode, falling back to read-only one")
sqlalchemy_string = self.database_uri_readonly
self.last_fallback = datetime.now()
else:
self.logger.error(f"Can't connect to database : {format_exc()}")
_exit(1)
else:
self.logger.error(f"Can't connect to database : {format_exc()}")
_exit(1)
if (datetime.now() - current_time).total_seconds() > DATABASE_RETRY_TIMEOUT:
if not fallback and self.database_uri_readonly:
self.logger.error(f"Can't connect to database after {DATABASE_RETRY_TIMEOUT} seconds. Falling back to read-only database connection")
self.sql_engine.dispose(close=True)
self.sql_engine = create_engine(self.database_uri_readonly, **self._engine_kwargs)
self.readonly = True
self.last_fallback = datetime.now()
fallback = True
continue
self.logger.error(f"Can't connect to database after {DATABASE_RETRY_TIMEOUT} seconds: {e}")
_exit(1)
if "attempt to write a readonly database" in str(e):
if "readonly" in str(e) or "read-only" in str(e) or "command denied" in str(e):
if log:
self.logger.warning("The database is read-only, waiting for it to become writable. Retrying in 5 seconds ...")
self.logger.warning("The database is read-only. Retrying in read-only mode in 5 seconds ...")
self.sql_engine.dispose(close=True)
self.sql_engine = create_engine(sqlalchemy_string, **self._engine_kwargs)
self.readonly = True
self.last_fallback = datetime.now()
if "Unknown table" in str(e):
not_connected = False
continue
elif log:
self.logger.warning("Can't connect to database, retrying in 5 seconds ...")
retries -= 1
sleep(5)
except BaseException:
self.logger.error(f"Error when trying to connect to the database: {format_exc()}")
except BaseException as e:
self.logger.error(f"Error when trying to connect to the database: {e}")
exit(1)
self.suffix_rx = re_compile(r"_\d+$")
@ -209,6 +215,14 @@ class Database:
if self.sql_engine:
self.sql_engine.dispose()
def test_write(self):
"""Test the write access to the database"""
with self.__db_session() as session:
table_name = uuid4().hex
session.execute(text(f"CREATE TABLE IF NOT EXISTS test_{table_name} (id INT)"))
session.execute(text(f"DROP TABLE IF EXISTS test_{table_name}"))
session.commit()
def retry_connection(self, *, readonly: bool = False, fallback: bool = False, **kwargs) -> None:
"""Retry the connection to the database"""
@ -262,7 +276,7 @@ class Database:
if session:
session.rollback()
if "attempt to write a readonly database" in str(e):
if "readonly" in str(e) or "read-only" in str(e) or "command denied" in str(e):
self.logger.warning("The database is read-only, retrying in read-only mode ...")
try:
self.retry_connection(readonly=True, pool_timeout=1)
@ -298,8 +312,8 @@ class Database:
metadata.autoconf_loaded = value
session.commit()
except BaseException:
return format_exc()
except BaseException as e:
return str(e)
return ""
@ -326,8 +340,8 @@ class Database:
metadata.scheduler_first_start = value
session.commit()
except BaseException:
return format_exc()
except BaseException as e:
return str(e)
return ""
@ -346,8 +360,8 @@ class Database:
for key, value in data.items():
setattr(metadata, key, value)
session.commit()
except BaseException:
return format_exc()
except BaseException as e:
return str(e)
return ""
@ -401,8 +415,8 @@ class Database:
)
)
session.commit()
except BaseException:
return format_exc()
except BaseException as e:
return str(e)
return ""
@ -455,8 +469,8 @@ class Database:
"default": False,
}
)
except BaseException:
self.logger.debug(f"Can't get the metadata: {format_exc()}")
except BaseException as e:
self.logger.debug(f"Can't get the metadata: {e}")
return data
@ -484,8 +498,8 @@ class Database:
config_changed=metadata is not None and metadata.config_changed,
instances_changed=metadata is not None and metadata.instances_changed,
)
except BaseException:
return format_exc()
except BaseException as e:
return str(e)
def checked_changes(self, changes: Optional[List[str]] = None, value: Optional[bool] = False) -> str:
"""Set changed bit for config, custom configs, instances and plugins"""
@ -519,8 +533,8 @@ class Database:
if "instances" in changes:
metadata.instances_changed = value
session.commit()
except BaseException:
return format_exc()
except BaseException as e:
return str(e)
return ""
@ -545,12 +559,23 @@ class Database:
if db_version != bunkerweb_version:
self.logger.warning(f"Database version ({db_version}) is different from Bunkerweb version ({bunkerweb_version}), migrating ...")
metadata = sql_metadata()
metadata.reflect(self.sql_engine)
curren_time = datetime.now()
error = True
while error:
try:
metadata = sql_metadata()
metadata.reflect(self.sql_engine)
error = False
except BaseException as e:
if (datetime.now() - curren_time).total_seconds() > 10:
raise e
sleep(1)
assert isinstance(metadata, sql_metadata)
for table_name in Base.metadata.tables.keys():
if not inspector.has_table(table_name):
self.logger.warning(f'Table "{table_name}" is missing')
self.logger.warning(f'Table "{table_name}" is missing, creating it')
has_all_tables = False
continue
@ -560,12 +585,13 @@ class Database:
# Rename the old tables
db_version_id = db_version.replace(".", "_")
for table_name in metadata.tables.keys():
if table_name not in Base.metadata.tables:
if table_name in Base.metadata.tables:
with self.__db_session() as session:
if inspector.has_table(f"{table_name}_{db_version_id}"):
self.logger.warning(f'Table "{table_name}" already exists, dropping it to make room for the new one')
session.execute(text(f"DROP TABLE {table_name}_{db_version_id}"))
session.execute(text(f"ALTER TABLE {table_name} RENAME TO {table_name}_{db_version_id}"))
session.commit()
Base.metadata.drop_all(self.sql_engine)
@ -574,26 +600,8 @@ class Database:
try:
Base.metadata.create_all(self.sql_engine, checkfirst=True)
except BaseException:
return False, format_exc()
if db_version and db_version != bunkerweb_version:
with self.__db_session() as session:
for table_name, data in old_data.items():
for row in data:
has_external_column = "external" in row
row = {
column: getattr(row, column)
for column in Base.metadata.tables[table_name].columns.keys() + (["external"] if has_external_column else [])
if hasattr(row, column)
}
# ? As the external column has been replaced by the type column, we need to update the data if the column exists
if table_name == "bw_plugins" and "external" in row:
row["type"] = "external" if row.pop("external") else "core"
session.execute(Base.metadata.tables[table_name].insert().values(row))
session.commit()
except BaseException as e:
return False, str(e)
to_put = []
with self.__db_session() as session:
@ -626,6 +634,30 @@ class Database:
if not isinstance(plugins, list):
plugins = [plugins]
db_values = [
plugin.id
for plugin in session.query(Plugins)
.with_entities(Plugins.id)
.filter(Plugins.id.in_([plugin["id"] for plugin in plugins if "id" in plugin]))
]
missing_values = [plugin for plugin in db_values if plugin not in [plugin["id"] for plugin in plugins if "id" in plugin]]
if missing_values:
# Remove plugins that are no longer in the list
session.query(Plugins).filter(Plugins.id.in_(missing_values)).delete()
session.query(Plugin_pages).filter(Plugin_pages.plugin_id.in_(missing_values)).delete()
session.query(BwcliCommands).filter(BwcliCommands.plugin_id.in_(missing_values)).delete()
for plugin_job in session.query(Jobs).with_entities(Jobs.name).filter(Jobs.plugin_id.in_(missing_values)):
session.query(Jobs_cache).filter(Jobs_cache.job_name == plugin_job.name).delete()
session.query(Jobs).filter(Jobs.name == plugin_job.name).delete()
for plugin_setting in session.query(Settings).with_entities(Settings.id).filter(Settings.plugin_id.in_(missing_values)):
session.query(Selects).filter(Selects.setting_id == plugin_setting.id).delete()
session.query(Services_settings).filter(Services_settings.setting_id == plugin_setting.id).delete()
session.query(Global_values).filter(Global_values.setting_id == plugin_setting.id).delete()
session.query(Settings).filter(Settings.id == plugin_setting.id).delete()
for plugin in plugins:
settings = {}
jobs = []
@ -647,6 +679,16 @@ class Database:
if not isinstance(commands, dict):
commands = {}
if "bw_plugins" in old_data:
found = False
for i, old_plugin in enumerate(old_data["bw_plugins"]):
if old_plugin.id == plugin["id"]:
found = True
break
if found:
del old_data["bw_plugins"][i]
db_plugin = session.query(Plugins).filter_by(id=plugin["id"]).first()
if db_plugin:
updates = {}
@ -693,6 +735,23 @@ class Database:
)
)
db_values = [setting.id for setting in session.query(Settings).with_entities(Settings.id).filter_by(plugin_id=plugin["id"])]
missing_values = [setting for setting in db_values if setting not in settings]
if missing_values:
# Remove settings that are no longer in the list
self.logger.warning(f'Removing {len(missing_values)} settings from plugin "{plugin["id"]}" as they are no longer in the list')
session.query(Settings).filter(Settings.id.in_(missing_values)).delete()
session.query(Selects).filter(Selects.setting_id.in_(missing_values)).delete()
session.query(Services_settings).filter(Services_settings.setting_id.in_(missing_values)).delete()
session.query(Global_values).filter(Global_values.setting_id.in_(missing_values)).delete()
if "bw_settings" in old_data:
indexes = [i for i, setting in enumerate(old_data["bw_settings"]) if setting.plugin_id == plugin["id"]]
if indexes:
for i in indexes:
del old_data["bw_settings"][i]
order = 0
for setting, value in settings.items():
value.update(
@ -702,6 +761,17 @@ class Database:
"id": setting,
}
)
if "bw_settings" in old_data:
found = False
for i, old_setting in enumerate(old_data["bw_settings"]):
if old_setting.id == value["id"]:
found = True
break
if found:
del old_data["bw_settings"][i]
db_setting = session.query(Settings).filter_by(id=setting).first()
select_values = value.pop("select", [])
@ -749,6 +819,12 @@ class Database:
db_values = [select.value for select in session.query(Selects).with_entities(Selects.value).filter_by(setting_id=value["id"])]
missing_values = [select for select in db_values if select not in select_values]
if "bw_selects" in old_data and missing_values:
indexes = [i for i, select in enumerate(old_data["bw_selects"]) if select.setting_id == value["id"]]
if indexes:
for i in indexes:
del old_data["bw_selects"][i]
if select_values:
if missing_values:
# Remove selects that are no longer in the list
@ -756,6 +832,16 @@ class Database:
session.query(Selects).filter(Selects.value.in_(missing_values)).delete()
for select in select_values:
if "bw_selects" in old_data:
found = False
for i, old_select in enumerate(old_data["bw_selects"]):
if old_select.value == select:
found = True
break
if found:
del old_data["bw_selects"][i]
if select not in db_values:
to_put.append(Selects(setting_id=value["id"], value=select))
else:
@ -775,7 +861,23 @@ class Database:
session.query(Jobs).filter(Jobs.name.in_(missing_names), Jobs.plugin_id == plugin["id"]).delete()
session.query(Jobs_cache).filter(Jobs_cache.job_name.in_(missing_names)).delete()
if "bw_jobs" in old_data:
indexes = [i for i, job in enumerate(old_data["bw_jobs"]) if job.plugin_id == plugin["id"]]
if indexes:
for i in indexes:
del old_data["bw_jobs"][i]
for job in jobs:
if "bw_jobs" in old_data:
found = False
for i, old_job in enumerate(old_data["bw_jobs"]):
if old_job.name == job["name"]:
found = True
break
if found:
del old_data["bw_jobs"][i]
db_job = (
session.query(Jobs)
.with_entities(Jobs.file_name, Jobs.every, Jobs.reload)
@ -807,6 +909,16 @@ class Database:
session.query(Jobs_cache).filter(Jobs_cache.job_name == job["name"]).delete()
session.query(Jobs).filter(Jobs.name == job["name"]).update(updates)
if "bw_plugin_pages" in old_data:
found = False
for i, plugin_page in enumerate(old_data["bw_plugin_pages"]):
if plugin_page.plugin_id == plugin["id"]:
found = True
break
if found:
del old_data["bw_plugin_pages"][i]
plugin_path = (
Path(sep, "usr", "share", "bunkerweb", "core", plugin["id"])
if plugin.get("type", "core") == "core"
@ -911,7 +1023,23 @@ class Database:
self.logger.warning(f'Removing {len(missing_names)} commands from plugin "{plugin["id"]}" as they are no longer in the list')
session.query(BwcliCommands).filter(BwcliCommands.name.in_(missing_names), BwcliCommands.plugin_id == plugin["id"]).delete()
if "bwcli_commands" in old_data:
indexes = [i for i, command in enumerate(old_data["bwcli_commands"]) if command.plugin_id == plugin["id"]]
if indexes:
for i in indexes:
del old_data["bwcli_commands"][i]
for command, file_name in commands.items():
if "bwcli_commands" in old_data:
found = False
for i, old_command in enumerate(old_data["bwcli_commands"]):
if old_command.name == command:
found = True
break
if found:
del old_data["bwcli_commands"][i]
db_command = session.query(BwcliCommands).with_entities(BwcliCommands.file_name).filter_by(name=command, plugin_id=plugin["id"]).first()
command_path = plugin_path.joinpath("bwcli", file_name)
@ -941,8 +1069,41 @@ class Database:
try:
session.add_all(to_put)
session.commit()
except BaseException:
return False, format_exc()
except BaseException as e:
return False, str(e)
if db_version and db_version != bunkerweb_version:
for table_name, data in old_data.items():
if table_name == "bw_metadata" or not data:
continue
self.logger.warning(f'Restoring data for table "{table_name}"')
self.logger.debug(f"Data: {data}")
for row in data:
has_external_column = "external" in row
row = {
column: getattr(row, column)
for column in Base.metadata.tables[table_name].columns.keys() + (["external"] if has_external_column else [])
if hasattr(row, column)
}
# ? As the external column has been replaced by the type column, we need to update the data if the column exists
if table_name == "bw_plugins" and "external" in row:
row["type"] = "external" if row.pop("external") else "core"
with self.__db_session() as session:
try:
# Check if the row already exists in the table
existing_row = session.query(Base.metadata.tables[table_name]).filter_by(**row).first()
if not existing_row:
session.execute(Base.metadata.tables[table_name].insert().values(row))
session.commit()
except IntegrityError as e:
session.rollback()
if "Duplicate entry" not in str(e):
self.logger.error(f"Error when trying to restore data for table {table_name}: {e}")
continue
self.logger.debug(e)
return True, ""
@ -1177,8 +1338,8 @@ class Database:
try:
session.add_all(to_put)
session.commit()
except BaseException:
return format_exc()
except BaseException as e:
return str(e)
return ""
@ -1270,8 +1431,8 @@ class Database:
try:
session.add_all(to_put)
session.commit()
except BaseException:
return f"{f'{message}{endl}' if message else ''}{format_exc()}"
except BaseException as e:
return f"{f'{message}{endl}' if message else ''}{e}"
return message
@ -1426,8 +1587,8 @@ class Database:
try:
session.commit()
except BaseException:
return format_exc()
except BaseException as e:
return str(e)
return ""
@ -1445,8 +1606,8 @@ class Database:
try:
session.query(Jobs_cache).filter_by(**filters).delete()
except BaseException:
return format_exc()
except BaseException as e:
return str(e)
return ""
@ -1486,8 +1647,8 @@ class Database:
try:
session.commit()
except BaseException:
return format_exc()
except BaseException as e:
return str(e)
return ""
@ -1998,8 +2159,8 @@ class Database:
try:
session.add_all(to_put)
session.commit()
except BaseException:
return format_exc()
except BaseException as e:
return str(e)
return ""
@ -2212,8 +2373,8 @@ class Database:
try:
session.commit()
except BaseException:
return f"An error occurred while adding the instance {hostname} (port: {port}, server name: {server_name}).\n{format_exc()}"
except BaseException as e:
return f"An error occurred while adding the instance {hostname} (port: {port}, server name: {server_name}).\n{e}"
return ""
@ -2244,8 +2405,8 @@ class Database:
try:
session.add_all(to_put)
session.commit()
except BaseException:
return format_exc()
except BaseException as e:
return str(e)
return ""
@ -2324,8 +2485,8 @@ class Database:
try:
session.commit()
except BaseException:
return format_exc()
except BaseException as e:
return str(e)
return ""
@ -2349,7 +2510,7 @@ class Database:
try:
session.commit()
except BaseException:
return format_exc()
except BaseException as e:
return str(e)
return ""

18
src/common/db/model.py
View file

@ -90,6 +90,15 @@ class Settings(Base):
plugin = relationship("Plugins", back_populates="settings")
class Selects(Base):
__tablename__ = "bw_selects"
setting_id = Column(String(256), ForeignKey("bw_settings.id", onupdate="cascade", ondelete="cascade"), primary_key=True)
value = Column(String(256), primary_key=True)
setting = relationship("Settings", back_populates="selects")
class Global_values(Base):
__tablename__ = "bw_global_values"
@ -186,15 +195,6 @@ class Custom_configs(Base):
service = relationship("Services", back_populates="custom_configs")
class Selects(Base):
__tablename__ = "bw_selects"
setting_id = Column(String(256), ForeignKey("bw_settings.id", onupdate="cascade", ondelete="cascade"), primary_key=True)
value = Column(String(256), primary_key=True)
setting = relationship("Settings", back_populates="selects")
class Instances(Base):
__tablename__ = "bw_instances"

6
src/common/db/requirements.armv7.txt
View file

@ -222,9 +222,9 @@ sqlalchemy==2.0.30 \
--hash=sha256:f7703c2010355dd28f53deb644a05fc30f796bd8598b43f0ba678878780b6e4c \
--hash=sha256:fa561138a64f949f3e889eb9ab8c58e1504ab351d6cf55259dc4c248eaa19da6
# via -r requirements.armv7.in
typing-extensions==4.11.0 \
--hash=sha256:83f085bd5ca59c80295fc2a82ab5dac679cbe02b9f33f7d83af68e241bea51b0 \
--hash=sha256:c1f94d72897edaf4ce775bb7558d5b79d8126906a14ea5ed1635921406c0387a
typing-extensions==4.12.0 \
--hash=sha256:8cbcdc8606ebcb0d95453ad7dc5065e6237b6aa230a31e81d0f440c30fed5fd8 \
--hash=sha256:b349c66bea9016ac22978d800cfff206d5f9816951f12a7d0ec5578b0a819594
# via
# psycopg
# psycopg-pool

6
src/common/db/requirements.txt
View file

@ -284,9 +284,9 @@ sqlalchemy==2.0.30 \
--hash=sha256:f7703c2010355dd28f53deb644a05fc30f796bd8598b43f0ba678878780b6e4c \
--hash=sha256:fa561138a64f949f3e889eb9ab8c58e1504ab351d6cf55259dc4c248eaa19da6
# via -r requirements.in
typing-extensions==4.11.0 \
--hash=sha256:83f085bd5ca59c80295fc2a82ab5dac679cbe02b9f33f7d83af68e241bea51b0 \
--hash=sha256:c1f94d72897edaf4ce775bb7558d5b79d8126906a14ea5ed1635921406c0387a
typing-extensions==4.12.0 \
--hash=sha256:8cbcdc8606ebcb0d95453ad7dc5065e6237b6aa230a31e81d0f440c30fed5fd8 \
--hash=sha256:b349c66bea9016ac22978d800cfff206d5f9816951f12a7d0ec5578b0a819594
# via
# psycopg
# psycopg-pool

2
src/common/gen/requirements.in
View file

@ -1,4 +1,4 @@
docker==7.0.0
docker==7.1.0
jinja2==3.1.4
kubernetes==29.0.0
python-dotenv==1.0.1

10
src/common/gen/requirements.txt
View file

@ -110,9 +110,9 @@ charset-normalizer==3.3.2 \
--hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \
--hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561
# via requests
docker==7.0.0 \
--hash=sha256:12ba681f2777a0ad28ffbcc846a69c31b4dfd9752b47eb425a274ee269c5e14b \
--hash=sha256:323736fb92cd9418fc5e7133bc953e11a9da04f4483f828b527db553f1e7e5a3
docker==7.1.0 \
--hash=sha256:ad8c70e6e3f8926cb8a92619b832b4ea5299e2831c14284663184e200546fa6c \
--hash=sha256:c96b93b7f0a746f9e77d325bcfb87422a3d8bd4f03136ae8a85b37f1898d5fc0
# via -r requirements.in
google-auth==2.29.0 \
--hash=sha256:672dff332d073227550ffc7457868ac4218d6c500b155fe6cc17d2b13602c360 \
@ -198,10 +198,6 @@ oauthlib==3.2.2 \
# via
# kubernetes
# requests-oauthlib
packaging==24.0 \
--hash=sha256:2ddfb553fdf02fb784c234c7ba6ccc288296ceabec964ad2eae3777778130bc5 \
--hash=sha256:eb82c5e3e56209074766e6885bb04b8c38a0c015d0a30036ebe7ece34c9989e9
# via docker
pyasn1==0.6.0 \
--hash=sha256:3a35ab2c4b5ef98e17dfdec8ab074046fbda76e281c5a706ccd82328cfc8f64c \
--hash=sha256:cca4bb0f2df5504f02f6f8a775b6e416ff9b0b3b16f7ee80b5a3153d9b804473

22
src/common/utils/jobs.py
View file

@ -9,7 +9,7 @@ from os.path import sep
from pathlib import Path
from shutil import rmtree
from sys import argv
from tarfile import open as tar_open
from tarfile import TarFile, open as tar_open
from threading import Lock
from traceback import format_exc
from typing import Any, Dict, Literal, Optional, Tuple, Union
@ -80,15 +80,22 @@ class Job:
rmtree(extract_path, ignore_errors=True)
extract_path.mkdir(parents=True, exist_ok=True)
with tar_open(fileobj=BytesIO(job_cache_file["data"]), mode="r:gz") as tar:
assert isinstance(tar, TarFile)
try:
tar.extractall(extract_path, filter="fully_trusted")
except TypeError:
tar.extractall(extract_path)
for member in tar.getmembers():
try:
tar.extract(member, path=extract_path)
except Exception as e:
self.logger.error(f"Error extracting {member.name}: {e}")
except Exception as e:
self.logger.error(f"Error extracting tar file: {e}")
self.logger.debug(f"Restored cache directory {extract_path}")
continue
elif job_cache_file["job_name"] != job_name:
continue
cache_path.parent.mkdir(parents=True, exist_ok=True)
cache_path.write_bytes(job_cache_file["data"])
self.logger.debug(f"Restored cache file {job_cache_file['file_name']}")
except BaseException as e:
self.logger.error(f"Exception while restoring cache file {job_cache_file['file_name']} :\n{e}")
ret = False
@ -96,12 +103,7 @@ class Job:
with LOCK:
if not manual and self.job_path.is_dir():
for file in self.job_path.rglob("*"):
skipped = False
if file.as_posix().startswith(tuple(ignored_dirs)):
skipped = True
break
if skipped:
continue
self.logger.debug(f"Checking if {file} should be removed")
@ -207,7 +209,7 @@ class Job:
tgz.add(dir_path, arcname=".")
content.seek(0, 0)
return self.cache_file(file_name, content.read(), job_name=job_name, service_id=service_id)
return self.cache_file(file_name, content.getvalue(), job_name=job_name, service_id=service_id)
def del_cache(self, name: str, *, job_name: str = "", service_id: str = "") -> Tuple[bool, str]:
"""Delete cache file from database and local cache file."""

4
src/linux/Dockerfile-rhel
View file

@ -1,4 +1,4 @@
FROM redhat/ubi8:8.9@sha256:627867e53ad6846afba2dfbf5cef1d54c868a9025633ef0afd546278d4654eac as builder
FROM redhat/ubi8:8.10@sha256:a424544997de1960a93466b57d12f1f3fac62be0f4cd35482435bae305a6ca27 as builder
ENV OS=rhel
ENV NGINX_VERSION 1.24.0
@ -68,7 +68,7 @@ COPY src/scheduler scheduler
COPY src/ui ui
COPY src/VERSION VERSION
FROM redhat/ubi8:8.9@sha256:627867e53ad6846afba2dfbf5cef1d54c868a9025633ef0afd546278d4654eac
FROM redhat/ubi8:8.10@sha256:a424544997de1960a93466b57d12f1f3fac62be0f4cd35482435bae305a6ca27
# Set default umask to prevent huge recursive chmod increasing the final image size
RUN umask 027

88
src/scheduler/JobScheduler.py
View file

@ -235,23 +235,9 @@ class JobScheduler(ApiCaller):
if not threads:
return True
if self.db.database_uri and self.db.readonly:
try:
self.db.retry_connection(pool_timeout=5)
self.db.readonly = False
self.__logger.info("The database is no longer read-only, defaulting to read-write mode")
except BaseException:
try:
self.db.retry_connection(readonly=True, pool_timeout=5)
except BaseException:
if self.db.database_uri_readonly:
with suppress(BaseException):
self.db.retry_connection(fallback=True, pool_timeout=5)
self.db.readonly = True
if self.db.readonly:
self.__logger.error("Database is in read-only mode, jobs will not be executed")
return True
err = self.try_database_readonly()
if err:
return True
self.__job_success = True
self.__job_reload = False
@ -289,23 +275,9 @@ class JobScheduler(ApiCaller):
return success
def run_once(self) -> bool:
if self.db.database_uri and self.db.readonly:
try:
self.db.retry_connection(pool_timeout=1)
self.db.readonly = False
self.__logger.info("The database is no longer read-only, defaulting to read-write mode")
except BaseException:
try:
self.db.retry_connection(readonly=True, pool_timeout=1)
except BaseException:
if self.db.database_uri_readonly:
with suppress(BaseException):
self.db.retry_connection(fallback=True, pool_timeout=1)
self.db.readonly = True
if self.db.readonly:
self.__logger.error("Database is in read-only mode, jobs will not be executed")
return True
err = self.try_database_readonly()
if err:
return True
threads = []
self.__job_success = True
@ -330,23 +302,9 @@ class JobScheduler(ApiCaller):
return ret
def run_single(self, job_name: str) -> bool:
if self.db.database_uri and self.db.readonly:
try:
self.db.retry_connection(pool_timeout=1)
self.db.readonly = False
self.__logger.info("The database is no longer read-only, defaulting to read-write mode")
except BaseException:
try:
self.db.retry_connection(readonly=True, pool_timeout=1)
except BaseException:
if self.db.database_uri_readonly:
with suppress(BaseException):
self.db.retry_connection(fallback=True, pool_timeout=1)
self.db.readonly = True
if self.db.readonly:
self.__logger.error("Database is in read-only mode, jobs will not be executed")
return True
err = self.try_database_readonly()
if err:
return True
if self.__lock:
self.__lock.acquire()
@ -392,3 +350,31 @@ class JobScheduler(ApiCaller):
self.__logger.error(f"Exception while reloading scheduler {format_exc()}")
return False
return ret
def try_database_readonly(self) -> bool:
if not self.db.readonly:
try:
self.db.test_write()
except BaseException:
self.db.readonly = True
return True
if self.db.database_uri and self.db.readonly:
try:
self.db.retry_connection(pool_timeout=1)
self.db.readonly = False
self.__logger.info("The database is no longer read-only, defaulting to read-write mode")
except BaseException:
try:
self.db.retry_connection(readonly=True, pool_timeout=1)
except BaseException:
if self.db.database_uri_readonly:
with suppress(BaseException):
self.db.retry_connection(fallback=True, pool_timeout=1)
self.db.readonly = True
if self.db.readonly:
self.__logger.error("Database is in read-only mode, jobs will not be executed")
return True
return self.db.readonly

192
src/scheduler/main.py
View file

@ -14,7 +14,7 @@ from signal import SIGINT, SIGTERM, signal, SIGHUP
from stat import S_IEXEC
from subprocess import run as subprocess_run, DEVNULL, STDOUT, PIPE
from sys import path as sys_path
from tarfile import open as tar_open
from tarfile import TarFile, open as tar_open
from threading import Thread
from time import sleep
from traceback import format_exc
@ -167,11 +167,16 @@ def generate_custom_configs(configs: List[Dict[str, Any]], *, original_path: Uni
logger.error("Sending custom configs failed, configuration will not work as expected...")
def generate_external_plugins(plugins: List[Dict[str, Any]], *, original_path: Union[Path, str] = EXTERNAL_PLUGINS_PATH):
def generate_external_plugins(plugins: Optional[List[Dict[str, Any]]], *, original_path: Union[Path, str] = EXTERNAL_PLUGINS_PATH):
if not isinstance(original_path, Path):
original_path = Path(original_path)
pro = "pro" in original_path.parts
if not plugins:
assert SCHEDULER is not None
plugins = SCHEDULER.db.get_plugins(_type="pro" if pro else "external", with_data=True)
assert plugins is not None, "Couldn't get plugins from database"
# Remove old external/pro plugins files
logger.info(f"Removing old/changed {'pro ' if pro else ''}external plugins files ...")
ignored_plugins = set()
@ -231,12 +236,15 @@ def generate_external_plugins(plugins: List[Dict[str, Any]], *, original_path: U
logger.error(f"Sending {'pro ' if pro else ''}external plugins failed, configuration will not work as expected...")
def generate_caches(plugins: List[Any], db: Database):
def generate_caches(plugins: List[Dict[str, Any]]):
assert SCHEDULER is not None
for plugin in plugins:
job_cache_files = db.get_jobs_cache_files(plugin_id=plugin["id"])
job_cache_files = SCHEDULER.db.get_jobs_cache_files(plugin_id=plugin["id"])
plugin_cache_files = set()
ignored_dirs = set()
job_path = Path(sep, "var", "cache", "bunkerweb", plugin["id"])
for job_cache_file in job_cache_files:
cache_path = job_path.joinpath(job_cache_file["service_id"] or "", job_cache_file["file_name"])
plugin_cache_files.add(cache_path)
@ -250,22 +258,28 @@ def generate_caches(plugins: List[Any], db: Database):
rmtree(extract_path, ignore_errors=True)
extract_path.mkdir(parents=True, exist_ok=True)
with tar_open(fileobj=BytesIO(job_cache_file["data"]), mode="r:gz") as tar:
assert isinstance(tar, TarFile)
try:
tar.extractall(extract_path, filter="fully_trusted")
except TypeError:
tar.extractall(extract_path)
else:
cache_path.parent.mkdir(parents=True, exist_ok=True)
cache_path.write_bytes(job_cache_file["data"])
for member in tar.getmembers():
try:
tar.extract(member, path=extract_path)
except Exception as e:
logger.error(f"Error extracting {member.name}: {e}")
except Exception as e:
logger.error(f"Error extracting tar file: {e}")
logger.debug(f"Restored cache directory {extract_path}")
continue
cache_path.parent.mkdir(parents=True, exist_ok=True)
cache_path.write_bytes(job_cache_file["data"])
logger.debug(f"Restored cache file {job_cache_file['file_name']}")
except BaseException as e:
logger.error(f"Exception while restoring cache file {job_cache_file['file_name']} :\n{e}")
if job_path.is_dir():
for file in job_path.rglob("*"):
skipped = False
if file.as_posix().startswith(tuple(ignored_dirs)):
skipped = True
if skipped:
continue
logger.debug(f"Checking if {file} should be removed")
if file not in plugin_cache_files and file.is_file():
logger.debug(f"Removing non-cached file {file}")
@ -313,7 +327,7 @@ def run_in_slave_mode():
generate_custom_configs(SCHEDULER.db.get_custom_configs())
# Download caches
generate_caches(pro_plugins + external_plugins, SCHEDULER.db)
generate_caches(pro_plugins + external_plugins)
# Gen config
content = ""
@ -374,15 +388,6 @@ if __name__ == "__main__":
run_in_slave_mode()
stop(1)
if INTEGRATION in ("Swarm", "Kubernetes", "Autoconf"):
while not SCHEDULER.db.is_initialized():
logger.warning("Database is not initialized, retrying in 5s ...")
sleep(5)
while not SCHEDULER.db.is_autoconf_loaded():
logger.warning("Autoconf is not loaded yet in the database, retrying in 5s ...")
sleep(5)
if (
INTEGRATION in ("Swarm", "Kubernetes", "Autoconf")
or not tmp_variables_path.exists()
@ -432,6 +437,8 @@ if __name__ == "__main__":
# Instantiate scheduler
SCHEDULER.env = env | environ
threads = []
if INTEGRATION in ("Docker", "Swarm", "Kubernetes", "Autoconf"):
# Automatically setup the scheduler apis
while not SCHEDULER.apis:
@ -440,49 +447,52 @@ if __name__ == "__main__":
if not SCHEDULER.apis:
logger.warning("No BunkerWeb API found, retrying in 5s ...")
sleep(5)
SCHEDULER.db.update_instances([api_to_instance(api) for api in SCHEDULER.apis])
threads.append(Thread(target=SCHEDULER.db.update_instances, args=([api_to_instance(api) for api in SCHEDULER.apis],)))
scheduler_first_start = SCHEDULER.db.is_scheduler_first_start()
logger.info("Scheduler started ...")
# Checking if any custom config has been created by the user
logger.info("Checking if there are any changes in custom configs ...")
custom_configs = []
db_configs = SCHEDULER.db.get_custom_configs()
changes = False
for file in CUSTOM_CONFIGS_PATH.rglob("*.conf"):
if len(file.parts) > len(CUSTOM_CONFIGS_PATH.parts) + 3:
logger.warning(f"Custom config file {file} is not in the correct path, skipping ...")
def check_configs_changes():
# Checking if any custom config has been created by the user
logger.info("Checking if there are any changes in custom configs ...")
custom_configs = []
db_configs = SCHEDULER.db.get_custom_configs()
changes = False
for file in CUSTOM_CONFIGS_PATH.rglob("*.conf"):
if len(file.parts) > len(CUSTOM_CONFIGS_PATH.parts) + 3:
logger.warning(f"Custom config file {file} is not in the correct path, skipping ...")
content = file.read_text(encoding="utf-8")
service_id = file.parent.name if file.parent.name not in CUSTOM_CONFIGS_DIRS else None
config_type = file.parent.parent.name if service_id else file.parent.name
content = file.read_text(encoding="utf-8")
service_id = file.parent.name if file.parent.name not in CUSTOM_CONFIGS_DIRS else None
config_type = file.parent.parent.name if service_id else file.parent.name
saving = True
in_db = False
for db_conf in db_configs:
if db_conf["service_id"] == service_id and db_conf["name"] == file.stem:
in_db = True
saving = True
in_db = False
for db_conf in db_configs:
if db_conf["service_id"] == service_id and db_conf["name"] == file.stem:
in_db = True
if not in_db and content.startswith("# CREATED BY ENV"):
saving = False
changes = True
if not in_db and content.startswith("# CREATED BY ENV"):
saving = False
changes = True
if saving:
custom_configs.append({"value": content, "exploded": (service_id, config_type, file.stem)})
if saving:
custom_configs.append({"value": content, "exploded": (service_id, config_type, file.stem)})
changes = changes or {hash(dict_to_frozenset(d)) for d in custom_configs} != {hash(dict_to_frozenset(d)) for d in db_configs}
changes = changes or {hash(dict_to_frozenset(d)) for d in custom_configs} != {hash(dict_to_frozenset(d)) for d in db_configs}
if changes:
err = SCHEDULER.db.save_custom_configs(custom_configs, "manual")
if err:
logger.error(f"Couldn't save some manually created custom configs to database: {err}")
if changes:
try:
err = SCHEDULER.db.save_custom_configs(custom_configs, "manual")
if err:
logger.error(f"Couldn't save some manually created custom configs to database: {err}")
except BaseException as e:
logger.error(f"Error while saving custom configs to database: {e}")
if (scheduler_first_start and db_configs) or changes:
generate_custom_configs(SCHEDULER.db.get_custom_configs())
del custom_configs, db_configs
threads.append(Thread(target=check_configs_changes))
def check_plugin_changes(_type: Literal["external", "pro"] = "external"):
# Check if any external or pro plugin has been added by the user
@ -529,15 +539,22 @@ if __name__ == "__main__":
changes = {hash(dict_to_frozenset(d)) for d in tmp_external_plugins} != {hash(dict_to_frozenset(d)) for d in db_plugins}
if changes:
err = SCHEDULER.db.update_external_plugins(external_plugins, _type=_type, delete_missing=True)
if err:
logger.error(f"Couldn't save some manually added {_type} plugins to database: {err}")
try:
err = SCHEDULER.db.update_external_plugins(external_plugins, _type=_type, delete_missing=True)
if err:
logger.error(f"Couldn't save some manually added {_type} plugins to database: {err}")
except BaseException as e:
logger.error(f"Error while saving {_type} plugins to database: {e}")
if (scheduler_first_start and db_plugins) or changes:
generate_external_plugins(SCHEDULER.db.get_plugins(_type=_type, with_data=True), original_path=plugin_path)
generate_external_plugins(SCHEDULER.db.get_plugins(_type=_type, with_data=True), original_path=plugin_path)
check_plugin_changes("external")
check_plugin_changes("pro")
threads.extend([Thread(target=check_plugin_changes, args=("external",)), Thread(target=check_plugin_changes, args=("pro",))])
for thread in threads:
thread.start()
for thread in threads:
thread.join()
logger.info("Running plugins download jobs ...")
@ -550,10 +567,18 @@ if __name__ == "__main__":
changes = SCHEDULER.db.check_changes()
if INTEGRATION not in ("Swarm", "Kubernetes", "Autoconf") and (changes["pro_plugins_changed"] or changes["external_plugins_changed"]):
threads.clear()
if changes["pro_plugins_changed"]:
generate_external_plugins(SCHEDULER.db.get_plugins(_type="pro", with_data=True), original_path=PRO_PLUGINS_PATH)
threads.append(Thread(target=generate_external_plugins, args=(None,), kwargs={"original_path": PRO_PLUGINS_PATH}))
if changes["external_plugins_changed"]:
generate_external_plugins(SCHEDULER.db.get_plugins(_type="external", with_data=True))
threads.append(Thread(target=generate_external_plugins, args=(None,)))
for thread in threads:
thread.start()
for thread in threads:
thread.join()
# run the config saver to save potential ignored external plugins settings
logger.info("Running config saver to save potential ignored external plugins settings ...")
@ -584,7 +609,6 @@ if __name__ == "__main__":
CONFIG_NEED_GENERATION = True
RUN_JOBS_ONCE = True
CHANGES = []
threads = []
def send_nginx_configs():
logger.info(f"Sending {join(sep, 'etc', 'nginx')} folder ...")
@ -609,9 +633,17 @@ if __name__ == "__main__":
if event["Action"] in ("start", "die"):
logger.info(f"🐋 Detected {event['Action']} event on container {event['Actor']['Attributes']['name']}")
SCHEDULER.auto_setup()
SCHEDULER.db.update_instances([api_to_instance(api) for api in SCHEDULER.apis], changed=event["Action"] == "die")
if event["Action"] == "start":
SCHEDULER.db.checked_changes(value=True)
try:
ret = SCHEDULER.db.update_instances([api_to_instance(api) for api in SCHEDULER.apis], changed=event["Action"] == "die")
if ret:
logger.error(f"Error while updating instances after {event['Action']} event: {ret}")
continue
if event["Action"] == "start":
ret = SCHEDULER.db.checked_changes(value=True)
if ret:
logger.error(f"Error while setting changes to checked in the database after {event['Action']} event: {ret}")
except BaseException as e:
logger.error(f"Error while updating instances after {event['Action']} event: {e}")
if INTEGRATION == "Docker" and not override_instances:
Thread(target=listen_for_instances_reload, name="listen_for_instances_reload").start()
@ -625,6 +657,8 @@ if __name__ == "__main__":
logger.error("At least one job in run_once() failed")
else:
logger.info("All jobs in run_once() were successful")
if SCHEDULER.db.readonly:
generate_caches(SCHEDULER.db.get_plugins())
if CONFIG_NEED_GENERATION:
content = ""
@ -702,11 +736,12 @@ if __name__ == "__main__":
except:
logger.error(f"Exception while reloading after running jobs once scheduling : {format_exc()}")
ret = SCHEDULER.db.checked_changes(CHANGES)
if ret:
logger.error(f"An error occurred when setting the changes to checked in the database : {ret}")
stop(1)
try:
ret = SCHEDULER.db.checked_changes(CHANGES)
if ret:
logger.error(f"An error occurred when setting the changes to checked in the database : {ret}")
except BaseException as e:
logger.error(f"Error while setting changes to checked in the database: {e}")
NEED_RELOAD = False
RUN_JOBS_ONCE = False
@ -717,14 +752,17 @@ if __name__ == "__main__":
INSTANCES_NEED_GENERATION = False
if scheduler_first_start:
ret = SCHEDULER.db.set_scheduler_first_start()
try:
ret = SCHEDULER.db.set_scheduler_first_start()
if ret == "The database is read-only, the changes will not be saved":
logger.warning("The database is read-only, the scheduler first start will not be saved")
elif ret:
logger.error(f"An error occurred when setting the scheduler first start : {ret}")
stop(1)
scheduler_first_start = False
if ret == "The database is read-only, the changes will not be saved":
logger.warning("The database is read-only, the scheduler first start will not be saved")
elif ret:
logger.error(f"An error occurred when setting the scheduler first start : {ret}")
except BaseException as e:
logger.error(f"Error while setting the scheduler first start : {e}")
finally:
scheduler_first_start = False
if not HEALTHY_PATH.is_file():
HEALTHY_PATH.write_text(datetime.now().isoformat(), encoding="utf-8")

24
src/ui/gunicorn.conf.py
View file

@ -78,21 +78,29 @@ def on_starting(server):
USER = User(**USER)
if getenv("ADMIN_USERNAME") or getenv("ADMIN_PASSWORD"):
if USER.method == "manual":
override_admin_creds = getenv("OVERRIDE_ADMIN_CREDS", "no").lower() == "yes"
if USER.method == "manual" or override_admin_creds:
updated = False
if getenv("ADMIN_USERNAME", "") and USER.get_id() != getenv("ADMIN_USERNAME", ""):
USER.id = getenv("ADMIN_USERNAME", "")
updated = True
if getenv("ADMIN_PASSWORD", "") and not USER.check_password(getenv("ADMIN_PASSWORD", "")):
USER.update_password(getenv("ADMIN_PASSWORD", ""))
updated = True
if not USER_PASSWORD_RX.match(getenv("ADMIN_PASSWORD", "")):
LOGGER.warning(
"The admin password is not strong enough. It must contain at least 8 characters, including at least 1 uppercase letter, 1 lowercase letter, 1 number and 1 special character (#@?!$%^&*-). It will not be updated."
)
else:
USER.update_password(getenv("ADMIN_PASSWORD", ""))
updated = True
if updated:
ret = db.update_ui_user(USER.get_id(), USER.password_hash, USER.is_two_factor_enabled, USER.secret_token)
if ret:
LOGGER.error(f"Couldn't update the admin user in the database: {ret}")
exit(1)
LOGGER.info("The admin user was updated successfully")
if override_admin_creds:
LOGGER.warning("Overriding the admin user credentials, as the OVERRIDE_ADMIN_CREDS environment variable is set to 'yes'.")
err = db.update_ui_user(USER.get_id(), USER.password_hash, USER.is_two_factor_enabled, USER.secret_token, method="manual")
if err:
LOGGER.error(f"Couldn't update the admin user in the database: {err}")
else:
LOGGER.info("The admin user was updated successfully")
else:
LOGGER.warning("The admin user wasn't created manually. You can't change it from the environment variables.")
elif getenv("ADMIN_USERNAME") and getenv("ADMIN_PASSWORD"):

38
src/ui/main.py
View file

@ -445,11 +445,13 @@ def handle_csrf_error(_):
@app.before_request
def before_request():
try:
db_user = app.config["DB"].get_ui_user()
except BaseException:
db_user = app.config["DB"].get_ui_user()
if not app.config["DB"].readonly:
try:
app.config["DB"].test_write()
except BaseException:
app.config["DB"].readonly = True
db_user = app.config["DB"].get_ui_user()
if db_user:
app.config["USER"] = User(**db_user)
@ -518,6 +520,9 @@ def setup():
return redirect(url_for("login"), 301)
if request.method == "POST":
if app.config["DB"].readonly:
return redirect_flash_error("Database is in read-only mode", "setup")
is_request_form("setup")
required_keys = ["server_name", "ui_host", "ui_url"]
@ -576,6 +581,7 @@ def setup():
"REVERSE_PROXY_HOST": request.form["ui_host"],
"REVERSE_PROXY_URL": request.form["ui_url"] or "/",
"AUTO_LETS_ENCRYPT": request.form.get("auto_lets_encrypt", "no"),
"GENERATE_SELF_SIGNED_SSL": "yes" if request.form.get("auto_lets_encrypt", "no") == "no" else "no",
"INTERCEPTED_ERROR_CODES": "400 404 405 413 429 500 501 502 503 504",
"MAX_CLIENT_SIZE": "50m",
},
@ -604,7 +610,6 @@ def setup():
@login_required
def totp():
if request.method == "POST":
is_request_form("totp")
is_request_params(["totp_token"], "totp")
@ -690,6 +695,9 @@ def home():
@login_required
def account():
if request.method == "POST":
if app.config["DB"].readonly:
return redirect_flash_error("Database is in read-only mode", "account")
# Check form data validity
is_request_form("account")
@ -888,6 +896,8 @@ def instances():
@login_required
def services():
if request.method == "POST":
if app.config["DB"].readonly:
return redirect_flash_error("Database is in read-only mode", "services")
is_request_params(["operation", "is_draft"], "services", True)
@ -1089,6 +1099,9 @@ def services():
@login_required
def global_config():
if request.method == "POST":
if app.config["DB"].readonly:
return redirect_flash_error("Database is in read-only mode", "global_config")
# Check variables
variables = request.form.to_dict().copy()
del variables["csrf_token"]
@ -1174,6 +1187,9 @@ def configs():
db_configs = app.config["DB"].get_custom_configs()
if request.method == "POST":
if app.config["DB"].readonly:
return redirect_flash_error("Database is in read-only mode", "configs")
operation = ""
is_request_params(["operation"], "configs", True)
@ -1291,6 +1307,9 @@ def plugins():
tmp_ui_path = TMP_DIR.joinpath("ui")
if request.method == "POST":
if app.config["DB"].readonly:
return redirect_flash_error("Database is in read-only mode", "plugins")
error = 0
# Delete plugin
if "operation" in request.form and request.form["operation"] == "delete":
@ -1586,6 +1605,9 @@ def plugins():
@app.route("/plugins/upload", methods=["POST"])
@login_required
def upload_plugin():
if app.config["DB"].readonly:
return {"status": "ko", "message": "Database is in read-only mode"}, 403
if not request.files:
return {"status": "ko"}, 400
@ -2074,6 +2096,9 @@ def reports():
@app.route("/bans", methods=["GET", "POST"])
@login_required
def bans():
if request.method == "POST" and app.config["DB"].readonly:
return redirect_flash_error("Database is in read-only mode", "bans")
redis_client = None
db_config = app.config["CONFIG"].get_config(methods=False)
use_redis = db_config.get("USE_REDIS", "no") == "yes"
@ -2145,9 +2170,6 @@ def bans():
flash("Couldn't connect to redis, ban list might be incomplete", "error")
if request.method == "POST":
if app.config["DB"].readonly:
return redirect_flash_error("Read only mode is enabled", "bans")
# Check variables
is_request_form("bans")

6
src/ui/requirements.txt
View file

@ -258,9 +258,9 @@ soupsieve==2.5 \
--hash=sha256:5663d5a7b3bfaeee0bc4372e7fc48f9cff4940b3eec54a6451cc5299f1097690 \
--hash=sha256:eaa337ff55a1579b6549dc679565eac1e3d000563bcb1c8ab0d0fefbc0c2cdc7
# via beautifulsoup4
typing-extensions==4.11.0 \
--hash=sha256:83f085bd5ca59c80295fc2a82ab5dac679cbe02b9f33f7d83af68e241bea51b0 \
--hash=sha256:c1f94d72897edaf4ce775bb7558d5b79d8126906a14ea5ed1635921406c0387a
typing-extensions==4.12.0 \
--hash=sha256:8cbcdc8606ebcb0d95453ad7dc5065e6237b6aa230a31e81d0f440c30fed5fd8 \
--hash=sha256:b349c66bea9016ac22978d800cfff206d5f9816951f12a7d0ec5578b0a819594
# via qrcode
werkzeug==3.0.3 \
--hash=sha256:097e5bfda9f0aba8da6b8545146def481d06aa7d3266e7448e2cccf67dd8bd18 \

2
src/ui/src/Config.py
View file

@ -204,7 +204,7 @@ class Config:
if k.startswith(old_server_name_splitted[0]):
config.pop(k)
ret = self.__gen_conf(config, services, check_changes=check_changes, changed_service=variables["SERVER_NAME"])
ret = self.__gen_conf(config, services, check_changes=check_changes, changed_service=server_name_splitted[0])
if ret:
return ret, 1
return f"Configuration for {old_server_name_splitted[0]} has been edited.", 0

2
src/ui/static/css/dashboard.css
View file

File diff suppressed because one or more lines are too long

55
src/ui/static/js/global.js
View file

@ -85,7 +85,7 @@ class News {
) {
sessionStorage.setItem(
"lastRefetch",
Math.round(new Date().getTime() / 1000) + 3600,
Math.round(new Date().getTime() / 1000) + 3600
);
sessionStorage.setItem("lastNews", JSON.stringify(lastNews));
}
@ -102,7 +102,7 @@ class News {
news.photo.url,
news.excerpt,
news.tags,
news.date,
news.date
);
const BASE_URL = this.BASE_URL;
let cleanHTML = DOMPurify.sanitize(cardHTML);
@ -114,7 +114,7 @@ class News {
slug.addEventListener("click", function () {
window.open(
`${BASE_URL}blog/post/${news.slug}?utm_campaign=self&utm_source=ui`,
"_blank",
"_blank"
);
});
});
@ -268,7 +268,7 @@ class FlashMsg {
if (Number(this.flashCount.textContent) > 0) this.animeBtn();
// display only one fixed flash message
const flashFixedEls = document.querySelectorAll(
"[data-flash-message-fixed]",
"[data-flash-message-fixed]"
);
if (flashFixedEls.length > 1) {
flashFixedEls.forEach((el, i) => {
@ -298,7 +298,7 @@ class FlashMsg {
flashEl.remove();
//update count
this.flashCount.textContent = document.querySelectorAll(
"[data-flash-message]",
"[data-flash-message]"
).length;
}
} catch (err) {}
@ -401,7 +401,7 @@ class Banner {
// Try to get data from api
if (sessionStorage.getItem("bannerNews") !== null) {
return this.updateBanner(
JSON.parse(sessionStorage.getItem("bannerNews")),
JSON.parse(sessionStorage.getItem("bannerNews"))
);
}
fetch("https://www.bunkerweb.io/api/bw-ui-news")
@ -413,7 +413,7 @@ class Banner {
// Refetch after one hour
sessionStorage.setItem(
"bannerRefetch",
Math.round(new Date().getTime() / 1000) + 3600,
Math.round(new Date().getTime() / 1000) + 3600
);
return this.updateBanner(res.data[0].data);
})
@ -446,7 +446,7 @@ class Banner {
this.bannerEl.querySelector(
`[role="listitem"][data-id="${
+visibleEl.getAttribute("data-id") + 1
}"]`,
}"]`
) || this.bannerEl.querySelector(`[role="listitem"][data-id="0"]`);
// Hide current one
@ -534,30 +534,33 @@ class Clipboard {
navigator.permissions
.query({ name: "clipboard-write" })
.then((result) => {
if (result.state === "granted" || result.state === "prompt") {
/* write to the clipboard now */
const copyEl = document.querySelector(
e.target.getAttribute("data-clipboard-target"),
);
try {
if (result.state === "granted" || result.state === "prompt") {
/* write to the clipboard now */
const copyEl = document.querySelector(
e.target.getAttribute("data-clipboard-target")
);
copyEl.select();
copyEl.setSelectionRange(0, 99999); // For mobile devices
copyEl.select();
copyEl.setSelectionRange(0, 99999); // For mobile devices
// Copy the text inside the text field
// Copy the text inside the text field
navigator.clipboard.writeText(copyEl.value);
// Stop selecting
copyEl.blur();
this.isCopy = true;
}
});
navigator.clipboard.writeText(copyEl.value);
// Stop selecting
copyEl.blur();
this.isCopy = true;
}
} catch (e) {}
})
.catch((e) => {});
} catch (e) {}
// With Firefox
try {
if (this.isCopy) return;
/* write to the clipboard now */
const copyEl = document.querySelector(
e.target.getAttribute("data-clipboard-target"),
e.target.getAttribute("data-clipboard-target")
);
copyEl.select();
@ -575,7 +578,7 @@ class Clipboard {
if (this.isCopy) return;
/* write to the clipboard now */
const copyEl = document.querySelector(
e.target.getAttribute("data-clipboard-target"),
e.target.getAttribute("data-clipboard-target")
);
copyEl.select();
@ -609,13 +612,13 @@ const setMenu = new Menu();
const setNewsSidebar = new Sidebar(
"[data-sidebar-info]",
"[data-sidebar-info-open]",
"[data-sidebar-info-close]",
"[data-sidebar-info-close]"
);
const setFlashSidebar = new Sidebar(
"[data-flash-sidebar]",
"[data-flash-sidebar-open]",
"[data-flash-sidebar-close]",
"[data-flash-sidebar-close]"
);
const setClipboard = new Clipboard();

18
src/ui/styles.css
View file

@ -190,7 +190,7 @@
/*---------------------------------------------*/
.home-card {
@apply break-all break-words dark:brightness-110 sm:max-h-28 hover:scale-102 transition col-span-12 md:col-span-6 2xl:col-span-4 flex p-4 justify-between w-full shadow-md break-words bg-white dark:bg-slate-850 dark:shadow-dark-xl rounded-2xl bg-clip-border;
@apply break-all break-words dark:brightness-110 sm:max-h-28 transition col-span-12 md:col-span-6 2xl:col-span-4 flex p-4 justify-between w-full shadow-md break-words bg-white dark:bg-slate-850 dark:shadow-dark-xl rounded-2xl bg-clip-border;
}
.home-card-name {
@ -282,11 +282,19 @@
}
.core-card {
@apply ml-2 mr-2 mb-2 mt-2 h-fit transition hover:scale-102 col-span-12 md:col-span-6 2xl:col-span-4 3xl:col-span-3 p-4 relative min-w-0 break-words dark:brightness-110 bg-white shadow-xl dark:bg-slate-850 dark:shadow-dark-xl rounded-2xl bg-clip-border;
@apply ml-2 mr-2 mb-2 mt-2 h-fit transition col-span-12 md:col-span-6 2xl:col-span-4 3xl:col-span-3 p-4 relative min-w-0 break-words dark:brightness-110 bg-white shadow-xl dark:bg-slate-850 dark:shadow-dark-xl rounded-2xl bg-clip-border;
}
.core-card-list-large {
@apply overflow-x-auto overflow-y-hidden ml-2 mr-2 mt-2 h-fit lg:h-full mb-2 lg:mb-0 transition col-span-12 lg:col-span-6 p-4 relative min-w-0 break-words dark:brightness-110 bg-white shadow-xl dark:bg-slate-850 dark:shadow-dark-xl rounded-2xl bg-clip-border;
}
.core-card-filter {
@apply col-span-12 md:col-span-6 2xl:col-span-4 p-4 relative flex flex-col min-w-0 break-words bg-white shadow-xl dark:bg-slate-850 dark:shadow-dark-xl rounded-2xl bg-clip-border;
}
.core-card-lg {
@apply ml-2 mr-2 mb-2 mt-2 h-fit transition hover:scale-102 col-span-12 md:col-span-6 p-4 relative min-w-0 break-words dark:brightness-110 bg-white shadow-xl dark:bg-slate-850 dark:shadow-dark-xl rounded-2xl bg-clip-border;
@apply ml-2 mr-2 mb-2 mt-2 h-fit transition col-span-12 md:col-span-6 p-4 relative min-w-0 break-words dark:brightness-110 bg-white shadow-xl dark:bg-slate-850 dark:shadow-dark-xl rounded-2xl bg-clip-border;
}
.core-card-wrap {
@ -334,7 +342,7 @@
}
.core-card-status {
@apply ml-2 mr-2 mb-2 mt-2 col-span-12 md:col-span-6 2xl:col-span-3 3xl:col-span-2 h-fit transition hover:scale-102 p-4 relative min-w-0 break-words dark:brightness-110 bg-white shadow-xl dark:bg-slate-850 dark:shadow-dark-xl rounded-2xl bg-clip-border;
@apply ml-2 mr-2 mb-2 mt-2 col-span-12 md:col-span-6 2xl:col-span-3 3xl:col-span-2 h-fit transition p-4 relative min-w-0 break-words dark:brightness-110 bg-white shadow-xl dark:bg-slate-850 dark:shadow-dark-xl rounded-2xl bg-clip-border;
}
.core-card-status-container {
@ -430,7 +438,7 @@
}
.core-card-metrics {
@apply ml-2 mr-2 mb-2 mt-2 h-fit sm:max-h-28 hover:scale-102 transition col-span-12 md:col-span-6 2xl:col-span-4 flex p-4 justify-between break-words dark:brightness-110 bg-white shadow-xl dark:bg-slate-850 dark:shadow-dark-xl rounded-2xl bg-clip-border;
@apply ml-2 mr-2 mb-2 mt-2 h-fit sm:max-h-28 transition col-span-12 md:col-span-6 2xl:col-span-4 flex p-4 justify-between break-words dark:brightness-110 bg-white shadow-xl dark:bg-slate-850 dark:shadow-dark-xl rounded-2xl bg-clip-border;
}
.core-card-metrics-name {

14
src/ui/templates/setup.html vendored
View file

@ -320,7 +320,7 @@
Your BunkerWeb UI final URL will be
</h5>
<p class="family-text text-center text-sm md:text-base break-words w-full px-4"
data-resume>http://</p>
data-resume>https://</p>
</div>
<div class="col-span-12 flex justify-center">
<button tabindex="2"
@ -370,7 +370,7 @@
e.preventDefault();
this.updateCheck("unknown");
// get resume
const api = `http://${this.servInp.value}/setup/check`;
const api = `${location.protocol}://${this.servInp.value}/setup/check`;
fetch(api)
.then((res) => {
this.updateCheck("success");
@ -437,14 +437,12 @@
}
updateResume() {
this.servInp.value = this.servInp.value.replace('https://', '').replace('http://', '');
this.servInp.value = this.servInp.value.replace('https://', '');
if (!this.urlInp.value.startsWith("/")) {
this.urlInp.value = "/" + this.urlInp.value;
}
this.urlInp.value = this.urlInp.value.replace("//", "/");
this.resumeEl.textContent = `http${
this.sslCheck.getAttribute("data-checked") === "true" ? "s" : ""
}://${this.servInp.value}${this.urlInp.value}`;
this.resumeEl.textContent = `https://${this.servInp.value}${this.urlInp.value}`;
}
}
@ -600,9 +598,7 @@
// send form and wait for response
let api = `http${
this.sslCheck.getAttribute("data-checked") === "true" ? "s" : ""
}://${this.servInp.value}${this.urlInp.value}`;
let api = `https://${this.servInp.value}${this.urlInp.value}`;
if (!api.endsWith("/")) {
api = `${api}/`;
}

3
tests/core/backup/requirements.in
View file

@ -1,2 +1 @@
docker==7.0.0
requests<2.32.0
docker==7.1.0

18
tests/core/backup/requirements.txt
View file

@ -100,24 +100,18 @@ charset-normalizer==3.3.2 \
--hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \
--hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561
# via requests
docker==7.0.0 \
--hash=sha256:12ba681f2777a0ad28ffbcc846a69c31b4dfd9752b47eb425a274ee269c5e14b \
--hash=sha256:323736fb92cd9418fc5e7133bc953e11a9da04f4483f828b527db553f1e7e5a3
docker==7.1.0 \
--hash=sha256:ad8c70e6e3f8926cb8a92619b832b4ea5299e2831c14284663184e200546fa6c \
--hash=sha256:c96b93b7f0a746f9e77d325bcfb87422a3d8bd4f03136ae8a85b37f1898d5fc0
# via -r requirements.in
idna==3.7 \
--hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \
--hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0
# via requests
packaging==24.0 \
--hash=sha256:2ddfb553fdf02fb784c234c7ba6ccc288296ceabec964ad2eae3777778130bc5 \
--hash=sha256:eb82c5e3e56209074766e6885bb04b8c38a0c015d0a30036ebe7ece34c9989e9
requests==2.32.2 \
--hash=sha256:dd951ff5ecf3e3b3aa26b40703ba77495dab41da839ae72ef3c8e5d8e2433289 \
--hash=sha256:fc06670dd0ed212426dfeb94fc1b983d917c4f9847c863f313c9dfaaffb7c23c
# via docker
requests==2.31.0 \
--hash=sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f \
--hash=sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1
# via
# -r requirements.in
# docker
urllib3==2.2.1 \
--hash=sha256:450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d \
--hash=sha256:d0570876c61ab9e520d776c38acbbb5b05a776d3f9ff98a5c8fd5162a444cf19

2
tests/core/badbehavior/requirements.in
View file

@ -1,2 +1,2 @@
docker==7.0.0
docker==7.1.0
requests==2.32.2

10
tests/core/badbehavior/requirements.txt
View file

@ -100,18 +100,14 @@ charset-normalizer==3.3.2 \
--hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \
--hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561
# via requests
docker==7.0.0 \
--hash=sha256:12ba681f2777a0ad28ffbcc846a69c31b4dfd9752b47eb425a274ee269c5e14b \
--hash=sha256:323736fb92cd9418fc5e7133bc953e11a9da04f4483f828b527db553f1e7e5a3
docker==7.1.0 \
--hash=sha256:ad8c70e6e3f8926cb8a92619b832b4ea5299e2831c14284663184e200546fa6c \
--hash=sha256:c96b93b7f0a746f9e77d325bcfb87422a3d8bd4f03136ae8a85b37f1898d5fc0
# via -r requirements.in
idna==3.7 \
--hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \
--hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0
# via requests
packaging==24.0 \
--hash=sha256:2ddfb553fdf02fb784c234c7ba6ccc288296ceabec964ad2eae3777778130bc5 \
--hash=sha256:eb82c5e3e56209074766e6885bb04b8c38a0c015d0a30036ebe7ece34c9989e9
# via docker
requests==2.32.2 \
--hash=sha256:dd951ff5ecf3e3b3aa26b40703ba77495dab41da839ae72ef3c8e5d8e2433289 \
--hash=sha256:fc06670dd0ed212426dfeb94fc1b983d917c4f9847c863f313c9dfaaffb7c23c

6
tests/core/blacklist/api/requirements.txt
View file

@ -400,9 +400,9 @@ typer==0.12.3 \
--hash=sha256:070d7ca53f785acbccba8e7d28b08dcd88f79f1fbda035ade0aecec71ca5c914 \
--hash=sha256:49e73131481d804288ef62598d97a1ceef3058905aa536a1134f90891ba35482
# via fastapi-cli
typing-extensions==4.11.0 \
--hash=sha256:83f085bd5ca59c80295fc2a82ab5dac679cbe02b9f33f7d83af68e241bea51b0 \
--hash=sha256:c1f94d72897edaf4ce775bb7558d5b79d8126906a14ea5ed1635921406c0387a
typing-extensions==4.12.0 \
--hash=sha256:8cbcdc8606ebcb0d95453ad7dc5065e6237b6aa230a31e81d0f440c30fed5fd8 \
--hash=sha256:b349c66bea9016ac22978d800cfff206d5f9816951f12a7d0ec5578b0a819594
# via
# anyio
# fastapi

6
tests/core/bunkernet/api/requirements.txt
View file

@ -400,9 +400,9 @@ typer==0.12.3 \
--hash=sha256:070d7ca53f785acbccba8e7d28b08dcd88f79f1fbda035ade0aecec71ca5c914 \
--hash=sha256:49e73131481d804288ef62598d97a1ceef3058905aa536a1134f90891ba35482
# via fastapi-cli
typing-extensions==4.11.0 \
--hash=sha256:83f085bd5ca59c80295fc2a82ab5dac679cbe02b9f33f7d83af68e241bea51b0 \
--hash=sha256:c1f94d72897edaf4ce775bb7558d5b79d8126906a14ea5ed1635921406c0387a
typing-extensions==4.12.0 \
--hash=sha256:8cbcdc8606ebcb0d95453ad7dc5065e6237b6aa230a31e81d0f440c30fed5fd8 \
--hash=sha256:b349c66bea9016ac22978d800cfff206d5f9816951f12a7d0ec5578b0a819594
# via
# anyio
# fastapi

3
tests/core/bwcli/requirements.in
View file

@ -1,2 +1 @@
docker==7.0.0
requests<2.32.0
docker==7.1.0

18
tests/core/bwcli/requirements.txt
View file

@ -100,24 +100,18 @@ charset-normalizer==3.3.2 \
--hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \
--hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561
# via requests
docker==7.0.0 \
--hash=sha256:12ba681f2777a0ad28ffbcc846a69c31b4dfd9752b47eb425a274ee269c5e14b \
--hash=sha256:323736fb92cd9418fc5e7133bc953e11a9da04f4483f828b527db553f1e7e5a3
docker==7.1.0 \
--hash=sha256:ad8c70e6e3f8926cb8a92619b832b4ea5299e2831c14284663184e200546fa6c \
--hash=sha256:c96b93b7f0a746f9e77d325bcfb87422a3d8bd4f03136ae8a85b37f1898d5fc0
# via -r requirements.in
idna==3.7 \
--hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \
--hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0
# via requests
packaging==24.0 \
--hash=sha256:2ddfb553fdf02fb784c234c7ba6ccc288296ceabec964ad2eae3777778130bc5 \
--hash=sha256:eb82c5e3e56209074766e6885bb04b8c38a0c015d0a30036ebe7ece34c9989e9
requests==2.32.2 \
--hash=sha256:dd951ff5ecf3e3b3aa26b40703ba77495dab41da839ae72ef3c8e5d8e2433289 \
--hash=sha256:fc06670dd0ed212426dfeb94fc1b983d917c4f9847c863f313c9dfaaffb7c23c
# via docker
requests==2.31.0 \
--hash=sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f \
--hash=sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1
# via
# -r requirements.in
# docker
urllib3==2.2.1 \
--hash=sha256:450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d \
--hash=sha256:d0570876c61ab9e520d776c38acbbb5b05a776d3f9ff98a5c8fd5162a444cf19

6
tests/core/db/requirements.txt
View file

@ -286,9 +286,9 @@ sqlalchemy==2.0.30 \
--hash=sha256:f7703c2010355dd28f53deb644a05fc30f796bd8598b43f0ba678878780b6e4c \
--hash=sha256:fa561138a64f949f3e889eb9ab8c58e1504ab351d6cf55259dc4c248eaa19da6
# via -r requirements.in
typing-extensions==4.11.0 \
--hash=sha256:83f085bd5ca59c80295fc2a82ab5dac679cbe02b9f33f7d83af68e241bea51b0 \
--hash=sha256:c1f94d72897edaf4ce775bb7558d5b79d8126906a14ea5ed1635921406c0387a
typing-extensions==4.12.0 \
--hash=sha256:8cbcdc8606ebcb0d95453ad7dc5065e6237b6aa230a31e81d0f440c30fed5fd8 \
--hash=sha256:b349c66bea9016ac22978d800cfff206d5f9816951f12a7d0ec5578b0a819594
# via
# psycopg
# psycopg-pool

6
tests/core/greylist/api/requirements.txt
View file

@ -400,9 +400,9 @@ typer==0.12.3 \
--hash=sha256:070d7ca53f785acbccba8e7d28b08dcd88f79f1fbda035ade0aecec71ca5c914 \
--hash=sha256:49e73131481d804288ef62598d97a1ceef3058905aa536a1134f90891ba35482
# via fastapi-cli
typing-extensions==4.11.0 \
--hash=sha256:83f085bd5ca59c80295fc2a82ab5dac679cbe02b9f33f7d83af68e241bea51b0 \
--hash=sha256:c1f94d72897edaf4ce775bb7558d5b79d8126906a14ea5ed1635921406c0387a
typing-extensions==4.12.0 \
--hash=sha256:8cbcdc8606ebcb0d95453ad7dc5065e6237b6aa230a31e81d0f440c30fed5fd8 \
--hash=sha256:b349c66bea9016ac22978d800cfff206d5f9816951f12a7d0ec5578b0a819594
# via
# anyio
# fastapi

6
tests/core/limit/requirements.txt
View file

@ -140,9 +140,9 @@ sniffio==1.3.1 \
# via
# anyio
# httpx
typing-extensions==4.11.0 \
--hash=sha256:83f085bd5ca59c80295fc2a82ab5dac679cbe02b9f33f7d83af68e241bea51b0 \
--hash=sha256:c1f94d72897edaf4ce775bb7558d5b79d8126906a14ea5ed1635921406c0387a
typing-extensions==4.12.0 \
--hash=sha256:8cbcdc8606ebcb0d95453ad7dc5065e6237b6aa230a31e81d0f440c30fed5fd8 \
--hash=sha256:b349c66bea9016ac22978d800cfff206d5f9816951f12a7d0ec5578b0a819594
# via anyio
urllib3==2.2.1 \
--hash=sha256:450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d \

2
tests/core/modsecurity/requirements.in
View file

@ -1,2 +1,2 @@
docker==7.0.0
docker==7.1.0
requests==2.32.2

10
tests/core/modsecurity/requirements.txt
View file

@ -100,18 +100,14 @@ charset-normalizer==3.3.2 \
--hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \
--hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561
# via requests
docker==7.0.0 \
--hash=sha256:12ba681f2777a0ad28ffbcc846a69c31b4dfd9752b47eb425a274ee269c5e14b \
--hash=sha256:323736fb92cd9418fc5e7133bc953e11a9da04f4483f828b527db553f1e7e5a3
docker==7.1.0 \
--hash=sha256:ad8c70e6e3f8926cb8a92619b832b4ea5299e2831c14284663184e200546fa6c \
--hash=sha256:c96b93b7f0a746f9e77d325bcfb87422a3d8bd4f03136ae8a85b37f1898d5fc0
# via -r requirements.in
idna==3.7 \
--hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \
--hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0
# via requests
packaging==24.0 \
--hash=sha256:2ddfb553fdf02fb784c234c7ba6ccc288296ceabec964ad2eae3777778130bc5 \
--hash=sha256:eb82c5e3e56209074766e6885bb04b8c38a0c015d0a30036ebe7ece34c9989e9
# via docker
requests==2.32.2 \
--hash=sha256:dd951ff5ecf3e3b3aa26b40703ba77495dab41da839ae72ef3c8e5d8e2433289 \
--hash=sha256:fc06670dd0ed212426dfeb94fc1b983d917c4f9847c863f313c9dfaaffb7c23c

6
tests/core/redis/requirements.txt
View file

@ -546,9 +546,9 @@ typer==0.12.3 \
--hash=sha256:070d7ca53f785acbccba8e7d28b08dcd88f79f1fbda035ade0aecec71ca5c914 \
--hash=sha256:49e73131481d804288ef62598d97a1ceef3058905aa536a1134f90891ba35482
# via fastapi-cli
typing-extensions==4.11.0 \
--hash=sha256:83f085bd5ca59c80295fc2a82ab5dac679cbe02b9f33f7d83af68e241bea51b0 \
--hash=sha256:c1f94d72897edaf4ce775bb7558d5b79d8126906a14ea5ed1635921406c0387a
typing-extensions==4.12.0 \
--hash=sha256:8cbcdc8606ebcb0d95453ad7dc5065e6237b6aa230a31e81d0f440c30fed5fd8 \
--hash=sha256:b349c66bea9016ac22978d800cfff206d5f9816951f12a7d0ec5578b0a819594
# via
# anyio
# fastapi

6
tests/core/reverseproxy/api/requirements.txt
View file

@ -400,9 +400,9 @@ typer==0.12.3 \
--hash=sha256:070d7ca53f785acbccba8e7d28b08dcd88f79f1fbda035ade0aecec71ca5c914 \
--hash=sha256:49e73131481d804288ef62598d97a1ceef3058905aa536a1134f90891ba35482
# via fastapi-cli
typing-extensions==4.11.0 \
--hash=sha256:83f085bd5ca59c80295fc2a82ab5dac679cbe02b9f33f7d83af68e241bea51b0 \
--hash=sha256:c1f94d72897edaf4ce775bb7558d5b79d8126906a14ea5ed1635921406c0387a
typing-extensions==4.12.0 \
--hash=sha256:8cbcdc8606ebcb0d95453ad7dc5065e6237b6aa230a31e81d0f440c30fed5fd8 \
--hash=sha256:b349c66bea9016ac22978d800cfff206d5f9816951f12a7d0ec5578b0a819594
# via
# anyio
# fastapi

6
tests/core/reversescan/requirements.txt
View file

@ -498,9 +498,9 @@ typer==0.12.3 \
--hash=sha256:070d7ca53f785acbccba8e7d28b08dcd88f79f1fbda035ade0aecec71ca5c914 \
--hash=sha256:49e73131481d804288ef62598d97a1ceef3058905aa536a1134f90891ba35482
# via fastapi-cli
typing-extensions==4.11.0 \
--hash=sha256:83f085bd5ca59c80295fc2a82ab5dac679cbe02b9f33f7d83af68e241bea51b0 \
--hash=sha256:c1f94d72897edaf4ce775bb7558d5b79d8126906a14ea5ed1635921406c0387a
typing-extensions==4.12.0 \
--hash=sha256:8cbcdc8606ebcb0d95453ad7dc5065e6237b6aa230a31e81d0f440c30fed5fd8 \
--hash=sha256:b349c66bea9016ac22978d800cfff206d5f9816951f12a7d0ec5578b0a819594
# via
# anyio
# fastapi

6
tests/core/whitelist/api/requirements.txt
View file

@ -400,9 +400,9 @@ typer==0.12.3 \
--hash=sha256:070d7ca53f785acbccba8e7d28b08dcd88f79f1fbda035ade0aecec71ca5c914 \
--hash=sha256:49e73131481d804288ef62598d97a1ceef3058905aa536a1134f90891ba35482
# via fastapi-cli
typing-extensions==4.11.0 \
--hash=sha256:83f085bd5ca59c80295fc2a82ab5dac679cbe02b9f33f7d83af68e241bea51b0 \
--hash=sha256:c1f94d72897edaf4ce775bb7558d5b79d8126906a14ea5ed1635921406c0387a
typing-extensions==4.12.0 \
--hash=sha256:8cbcdc8606ebcb0d95453ad7dc5065e6237b6aa230a31e81d0f440c30fed5fd8 \
--hash=sha256:b349c66bea9016ac22978d800cfff206d5f9816951f12a7d0ec5578b0a819594
# via
# anyio
# fastapi

2
tests/linux/Dockerfile-rhel
View file

@ -1,4 +1,4 @@
FROM redhat/ubi8-init:8.9-7.1715071668@sha256:3bcb1434ddc595236a1e45b9c4d4722ab8f1348a371c6239973bbf4d67b24c96
FROM redhat/ubi8-init:8.10-2@sha256:26aec3f78f127e39cb45e7eebd1dafc17071246d78dc51be4cfcb205ffc89caa
ENV NGINX_VERSION 1.24.0

4
tests/terraform/providers.tf
View file

@ -2,7 +2,7 @@ terraform {
required_providers {
scaleway = {
source = "scaleway/scaleway"
version = "2.38.2"
version = "2.40.0"
}
kubectl = {
source = "gavinbunney/kubectl"
@ -10,7 +10,7 @@ terraform {
}
kubernetes = {
source = "hashicorp/kubernetes"
version = "2.27.0"
version = "2.30.0"
}
}
}

2
tests/ui/base.py
View file

@ -33,7 +33,7 @@ ready = False
retries = 0
while not ready:
with suppress(RequestException):
status_code = get(f"http://{DEFAULT_SERVER}/setup").status_code
status_code = get(f"http://{DEFAULT_SERVER}/setup", verify=False).status_code
if status_code > 500 and status_code != 502:
log_error("An error occurred with the server, exiting ...")

4
tests/ui/configs_page.py
View file

@ -167,7 +167,7 @@ location /hello {
sleep(30)
resp = get("http://www.example.com/hello")
resp = get("http://www.example.com/hello", verify=False)
if resp.status_code != 404:
log_error("The config hasn't been deleted correctly, exiting ...")
@ -221,7 +221,7 @@ location /hello {
DRIVER.close()
DRIVER.switch_to.window(DRIVER.window_handles[0])
resp = get("http://www.example.com/hello")
resp = get("http://www.example.com/hello", verify=False)
if resp.status_code != 404:
log_error("The config didn't get created only for the app1.example.com service, exiting ...")

2
tests/ui/docker-compose.dev.yml
View file

@ -10,10 +10,12 @@ services:
dockerfile: src/bw/Dockerfile
ports:
- 80:80
- 443:443
environment:
SERVER_NAME: ""
MULTISITE: "yes"
HTTP_PORT: "80"
HTTPS_PORT: "443"
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
USE_BUNKERNET: "no"
USE_BLACKLIST: "no"

2
tests/ui/docker-compose.yml
View file

@ -9,10 +9,12 @@ services:
pull_policy: never
ports:
- 80:80
- 443:443
environment:
SERVER_NAME: ""
MULTISITE: "yes"
HTTP_PORT: "80"
HTTPS_PORT: "443"
API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
LOG_LEVEL: "info"
USE_BUNKERNET: "no"

2
tests/ui/jobs_page.py
View file

@ -86,7 +86,7 @@ try:
log_info("Reload filter is working, trying jobs cache ...")
resp = get(f"http://www.example.com{UI_URL}/jobs/download?job_name=mmdb-country&file_name=country.mmdb")
resp = get(f"http://www.example.com{UI_URL}/jobs/download?job_name=mmdb-country&file_name=country.mmdb", verify=False)
if resp.status_code != 200:
log_error("The cache download is not working, exiting ...")

3
tests/ui/logs_page.py
View file

@ -134,9 +134,10 @@ try:
current_date = datetime.now()
resp = get(
f"http://www.example.com{UI_URL}/logs/{first_instance}?from_date={int((current_date - timedelta(weeks=1)).timestamp())}&to_date={int((current_date - timedelta(days=1)).timestamp())}",
f"https://www.example.com{UI_URL}/logs/{first_instance}?from_date={int((current_date - timedelta(weeks=1)).timestamp())}&to_date={int((current_date - timedelta(days=1)).timestamp())}",
headers={"Host": "www.example.com", "User-Agent": DRIVER.execute_script("return navigator.userAgent;")},
cookies={"session": DRIVER.get_cookies()[0]["value"]},
verify=False,
)
if len(resp.json()["logs"]) != 0:

2
tests/ui/plugins_page.py
View file

@ -20,7 +20,7 @@ try:
access_page(DRIVER, "/html/body/aside[1]/div[2]/ul[1]/li[6]/a", "plugins")
for _ in range(5):
get(f"http://www.example.com{UI_URL}/?id=/etc/passwd")
get(f"http://www.example.com{UI_URL}/?id=/etc/passwd", verify=False)
sleep(1)
sleep(7)

2
tests/ui/reports_page.py
View file

@ -21,7 +21,7 @@ try:
log_info("No reports found, generating some ...")
for _ in range(5):
get("http://www.example.com/?id=/etc/passwd")
get("http://www.example.com/?id=/etc/passwd", verify=False)
sleep(1)
sleep(7)