Elgato_dark/bunkerweb
1
0
Fork 0
mirror of https://github.com/bunkerity/bunkerweb synced 2026-05-24 09:28:37 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Update ModSecurity's coreruleset-v4 to version 4.1.0

Browse source
This commit is contained in:
Théophile Diot 2024-03-21 15:21:55 +00:00
parent d3ac9dd0e8
commit ffab0642ba
No known key found for this signature in database
GPG key ID: 248FEA4BAE400D06
62 changed files with 2618 additions and 963 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
src/common/core/modsecurity/files/coreruleset-v4/.changes-pending.md vendored
View file

@ -0,0 +1,11 @@
* feat: add check for combinations of t:lowercase and (?i) to lint (Franziska Bühler) [#3584]
* fix: remove t:lowercase from rules that use '(?i)' modifier in their regex (942150 PL2, 942151 PL1, 942152 PL2) (Ervin Hegedus) [#3585]
* test: change HTTP method to uppercase for test 932260-28 (Matteo Pace) [#3580]
* feat: move HTTP header rules to phase 1 (932161 PL2, 932205 PL2, 932206 PL2, 932237 PL3) (Esad Cetiner) [#3570]
* fix: prevent FPs against names due to "cron" (932260 PL1, 932236 PL2, 932237 PL3, 932239 PL2) (@superlgn) [#3578]
* chore: add Esad Cetiner to list of developers (@EsadCetiner) [#3589]
* fix: add missing tags and ver action (various rules) (Jozef Sudolský) [#3571]
* fix: adding more missing tags and ver actions (Jozef Sudolský) [#3593]
* fix: do not check URL fragments in referer headers as part of the existing rule to prevent FPs (932205 PL2) (Max Leske) [#3485]
* chore(deps): update workflow actions (Max Leske) [#3613]
* fix: range expressions must not start with `\v` (various rules) (Max Leske) [#3615]

326
src/common/core/modsecurity/files/coreruleset-v4/.github/create-changelog-prs.py vendored
View file

@ -6,179 +6,223 @@ import datetime
import sys
import os
import re
from inspect import getframeinfo, currentframe
DEVELOPERS = dict()
DEVELOPERS = {}
def get_pr(repository: str, number: int) -> dict:
command = f"""gh pr view \
--repo "{repository}" \
"{number}" \
--json mergeCommit,mergedBy,title,author,baseRefName,number
"""
proc = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
pr_json, errors = proc.communicate()
if proc.returncode != 0:
print(errors)
exit(1)
return json.loads(pr_json)
command = f"""gh pr view \
--repo "{repository}" \
"{number}" \
--json mergeCommit,mergedBy,title,author,headRefName,baseRefName,number
"""
with subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) as proc:
pr_json, errors = proc.communicate()
if proc.returncode != 0:
print_errors(errors)
sys.exit(1)
return json.loads(pr_json)
def get_prs(repository: str, day: datetime.date) -> list:
print(f"Fetching PRs for {day}")
command = f"""gh search prs \
--repo "{repository}" \
--merged-at "{day}" \
--json number \
-- \
-label:changelog-pr # ignore changelog prs
"""
proc = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
prs_json, errors = proc.communicate()
if proc.returncode != 0:
print(errors)
exit(1)
prs = list()
for result in json.loads(prs_json):
prs.append(get_pr(repository, result["number"]))
def get_prs(repository: str, start_date: datetime.date, end_date: datetime.date) -> list:
print("Fetching PR for start_date")
command = f"""gh search prs \
--repo "{repository}" \
--merged-at "{end_date}..{start_date}" \
--json number \
-- \
-label:changelog-pr # ignore changelog prs
"""
with subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) as proc:
prs_json, errors = proc.communicate()
if proc.returncode != 0:
print_errors(errors)
sys.exit(1)
prs = []
for result in json.loads(prs_json):
prs.append(get_pr(repository, result["number"]))
return prs
return prs
def parse_prs(prs: list) -> dict:
pr_map = dict()
for pr in prs:
merged_by = pr["mergedBy"]["login"]
if merged_by not in pr_map:
pr_list = list()
pr_map[merged_by] = pr_list
else:
pr_list = pr_map[merged_by]
pr_list.append(pr)
return pr_map
pr_map = {}
for pr in prs:
merged_by = pr["mergedBy"]["login"]
if merged_by not in pr_map:
pr_list = []
pr_map[merged_by] = pr_list
else:
pr_list = pr_map[merged_by]
pr_list.append(pr)
return pr_map
# Accepts a single date on purpose. Gathering PRs over more than a single day
# is for debugging only.
def create_prs(repository: str, merged_by_prs_map: dict, day: datetime.date):
for author in merged_by_prs_map.keys():
create_pr(repository, author, merged_by_prs_map[author], day)
base_pr = find_latest_open_changelog_pr(repository)
base_ref = base_pr["headRefName"] if base_pr else None
for author in merged_by_prs_map.keys():
base_ref = create_pr(repository, base_ref, author, merged_by_prs_map[author], day)
def create_pr(repository: str, merged_by: str, prs: list, day: datetime.date):
if len(prs) == 0:
return
print(f"Creating changelog PR for @{merged_by}")
def find_latest_open_changelog_pr(repository: str) -> dict | None:
command = f"""gh search prs \
--repo "{repository}" \
--label "changelog-pr" \
--state open \
--sort created \
--json number
"""
with subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) as proc:
pr_json, errors = proc.communicate()
if proc.returncode != 0:
print_errors(errors)
sys.exit(1)
ids = json.loads(pr_json)
base_pr_id = ids[0]["number"] if ids else None
if not base_pr_id:
print("No open changelog PR found to use as base")
return None
sample_pr = prs[0]
base_branch = sample_pr["baseRefName"]
pr_branch_name = create_pr_branch(day, merged_by, base_branch)
pr_body, changelog_lines = generate_content(prs, merged_by)
create_commit(changelog_lines)
push_pr_branch(pr_branch_name)
base_pr = get_pr(repository, base_pr_id)
print(f"Found existing changelog PR to use as base: {base_pr_id}")
return base_pr
command = f"""gh pr create \
--repo "{repository}" \
--assignee "{merged_by}" \
--base "{base_branch}" \
--label "changelog-pr" \
--title "chore: changelog updates for {day}, merged by @{merged_by}" \
--body-file -
"""
def create_pr(repository: str, base_ref: str | None, merged_by: str, prs: list, day: datetime.date) -> str:
if len(prs) == 0:
return base_ref
proc = subprocess.Popen(command, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
outs, errors = proc.communicate(input=pr_body.encode())
if proc.returncode != 0:
print(errors)
exit(1)
print(f"Created PR: {outs.decode()}")
print(f"Creating changelog PR for @{merged_by}")
base_branch = base_ref if base_ref else prs[0]["baseRefName"]
pr_branch_name = create_pr_branch(day, merged_by, base_branch)
pr_body, changelog_lines = generate_content(prs, merged_by)
create_commit(changelog_lines)
push_pr_branch(pr_branch_name)
print("\tCreating PR...")
command = f"""gh pr create \
--repo "{repository}" \
--assignee "{merged_by}" \
--base "{base_branch}" \
--label "changelog-pr" \
--title "chore: changelog updates for {day}, merged by @{merged_by}" \
--body-file -
"""
with subprocess.Popen(command, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) as proc:
outs, errors = proc.communicate(input=pr_body.encode())
if proc.returncode != 0:
print_errors(errors)
sys.exit(1)
print(f"Created PR: {outs.decode()}")
return pr_branch_name
def create_commit(changelog_lines: str):
with open('.changes-pending.md', 'a') as changelog:
changelog.write(changelog_lines)
print("\tCreating commit...")
with open('.changes-pending.md', 'a', encoding='utf-8s') as changelog:
changelog.write(changelog_lines)
command = "git commit .changes-pending.md -m 'Add pending changelog entries'"
proc = subprocess.Popen(command, shell=True, stderr=subprocess.PIPE)
_, errors = proc.communicate()
if proc.returncode != 0:
print(errors)
exit(1)
command = "git commit .changes-pending.md -m 'Add pending changelog entries'"
with subprocess.Popen(command, shell=True, stderr=subprocess.PIPE) as proc:
_, errors = proc.communicate()
if proc.returncode != 0:
print_errors(errors)
sys.exit(1)
def generate_content(prs: list, merged_by: str) -> (str, str):
changelog_lines = ""
pr_body = f"This PR was auto-generated to update the changelog with the following entries, merged by @{merged_by}:\n```\n"
pr_links = ""
for pr in prs:
pr_number = pr["number"]
pr_title = pr["title"]
pr_author = get_pr_author_name(pr["author"]["login"])
new_line = f" * {pr_title} ({pr_author}) [#{pr_number}]\n"
pr_body += new_line
pr_links += f"- #{pr_number}\n"
print("\tGenerating PR content...")
changelog_lines = ""
pr_body = f"This PR was auto-generated to update the changelog with the following entries, merged by @{merged_by}:\n```\n"
pr_links = ""
for pr in prs:
pr_number = pr["number"]
pr_title = pr["title"]
pr_author = get_pr_author_name(pr["author"]["login"])
new_line = f" * {pr_title} ({pr_author}) [#{pr_number}]\n"
pr_body += new_line
pr_links += f"- #{pr_number}\n"
changelog_lines += new_line
pr_body += "```\n\n" + pr_links
changelog_lines += new_line
pr_body += "```\n\n" + pr_links
return pr_body, changelog_lines
return pr_body, changelog_lines
def get_pr_author_name(login: str) -> str:
if len(DEVELOPERS) == 0:
parse_contributors()
if len(DEVELOPERS) == 0:
parse_contributors()
return DEVELOPERS[login] if login in DEVELOPERS else f"@{login}"
return DEVELOPERS[login] if login in DEVELOPERS else f"@{login}"
def parse_contributors():
regex = re.compile(r'^\s*?-\s*?\[([^]]+)\]\s*?\(http.*/([^/]+)\s*?\)')
with open('CONTRIBUTORS.md', 'rt') as handle:
line = handle.readline()
while not ('##' in line and 'Contributors' in line):
match = regex.match(line)
if match:
DEVELOPERS[match.group(2)] = match.group(1)
line = handle.readline()
regex = re.compile(r'^\s*?-\s*?\[([^]]+)\]\s*?\(http.*/([^/]+)\s*?\)')
with open('CONTRIBUTORS.md', 'rt', encoding='utf-8') as handle:
line = handle.readline()
while not ('##' in line and 'Contributors' in line):
match = regex.match(line)
if match:
DEVELOPERS[match.group(2)] = match.group(1)
line = handle.readline()
def create_pr_branch(day: datetime.date, author: str, base_branch: str) -> str:
branch_name = f"changelog-updates-for-{day}-{author} {base_branch}"
command = f"git checkout -b {branch_name}"
proc = subprocess.Popen(command, shell=True, stderr=subprocess.PIPE)
_, errors = proc.communicate()
if proc.returncode != 0:
print(errors)
exit(1)
print("\tCreating branch...")
branch_name = f"changelog-updates-for-{day}-{author}"
command = f"git checkout {base_branch}; git checkout -b {branch_name}"
with subprocess.Popen(command, shell=True, stderr=subprocess.PIPE) as proc:
_, errors = proc.communicate()
if proc.returncode != 0:
print_errors(errors)
sys.exit(1)
return branch_name
return branch_name
def push_pr_branch(branch_name: str):
command = f"git push -u origin {branch_name}"
proc = subprocess.Popen(command, shell=True, stderr=subprocess.PIPE)
_, errors = proc.communicate()
if proc.returncode != 0:
print(errors)
exit(1)
print("\tPushing branch...")
command = f"git push -u origin {branch_name}"
with subprocess.Popen(command, shell=True, stderr=subprocess.PIPE) as proc:
_, errors = proc.communicate()
if proc.returncode != 0:
print_errors(errors)
sys.exit(1)
def run(source_repository: str, target_repository: str, today: datetime.date):
day = today - datetime.timedelta(days=1)
prs = get_prs(source_repository, day)
prs_length = len(prs)
print(f"Found {prs_length} PRs")
if prs_length == 0:
return
def run():
# disable pager
os.environ["GH_PAGER"] = ''
# set variables for Git
os.environ["GIT_AUTHOR_NAME"] = "changelog-pr-bot"
os.environ["GIT_AUTHOR_EMAIL"] = "dummy@coreruleset.org"
os.environ["GIT_COMMITTER_NAME"] = "changelog-pr-bot"
os.environ["GIT_COMMITTER_EMAIL"] = "dummy@coreruleset.org"
merged_by_prs_map = parse_prs(prs)
create_prs(target_repository, merged_by_prs_map, day)
source_repository = 'coreruleset/coreruleset'
target_repository = source_repository
# the cron schedule for the workflow uses UTC
start_date = datetime.datetime.now(datetime.timezone.utc).date()
days = 1
if len(sys.argv) > 1 and len(sys.argv[1]) > 0:
source_repository = sys.argv[1]
if len(sys.argv) > 2 and len(sys.argv[2]) > 0:
target_repository = sys.argv[2]
if len(sys.argv) > 3 and len(sys.argv[3]) > 0:
start_date = datetime.date.fromisoformat(sys.argv[3])
if len(sys.argv) > 4 and len(sys.argv[4]) > 0:
days = int(sys.argv[4])
run_workflow(source_repository, target_repository, start_date, days)
def run_workflow(source_repository: str, target_repository: str, start_date: datetime.date, days: int):
end_date = start_date - datetime.timedelta(days=days)
prs = get_prs(source_repository, start_date, end_date)
prs_length = len(prs)
print(f"Found {prs_length} PRs")
if prs_length == 0:
return
merged_by_prs_map = parse_prs(prs)
create_prs(target_repository, merged_by_prs_map, start_date)
def print_errors(errors: str):
print(f"{getframeinfo(currentframe().f_back).lineno}:", errors)
if __name__ == "__main__":
# disable pager
os.environ["GH_PAGER"] = ''
# set variables for Git
os.environ["GIT_AUTHOR_NAME"] = "changelog-pr-bot"
os.environ["GIT_AUTHOR_EMAIL"] = "dummy@coreruleset.org"
os.environ["GIT_COMMITTER_NAME"] = "changelog-pr-bot"
os.environ["GIT_COMMITTER_EMAIL"] = "dummy@coreruleset.org"
source_repository = 'coreruleset/coreruleset'
target_repository = source_repository
# the cron schedule for the workflow uses UTC
today = datetime.datetime.now(datetime.timezone.utc).date()
if len(sys.argv) > 1:
source_repository = sys.argv[1]
if len(sys.argv) > 2:
target_repository = sys.argv[2]
if len(sys.argv) > 3:
today = datetime.date.fromisoformat(sys.argv[3])
run(source_repository, target_repository, today)
run()

11
src/common/core/modsecurity/files/coreruleset-v4/.github/workflows/check-pr-title.yaml vendored
View file

@ -1,4 +1,8 @@
name: Check PR title
# default token permissions: none
permissions: {}
on:
pull_request_target:
types:
@ -8,9 +12,12 @@ on:
- synchronize
jobs:
check-pr-title:
main:
name: Validate PR title
runs-on: ubuntu-latest
permissions:
pull-requests: read
steps:
- uses: aslafy-z/conventional-pr-title-action@v3
- uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

10
src/common/core/modsecurity/files/coreruleset-v4/.github/workflows/lint.yaml vendored
View file

@ -1,27 +1,27 @@
name: Lint
on: [push, pull_request]
on: [push, pull_request, merge_group]
jobs:
check-syntax:
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.2
- name: Lint Yaml
uses: ibiqlik/action-yamllint@v3
uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3.1.1
with:
format: github
file_or_dir: tests/regression/tests
config_file: .yamllint.yml
- name: Linelint
uses: fernandrone/linelint@master
uses: fernandrone/linelint@7907a5dca0c28ea7dd05c6d8d8cacded713aca11 # v0.0.6
id: linelint
- name: Set up Python 3
uses: actions/setup-python@v4
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
with:
python-version: 3.7

2
src/common/core/modsecurity/files/coreruleset-v4/.github/workflows/nightly.yml vendored
View file

@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: "Checkout repo"
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.2
- name: Delete previous nightly release
run: |

2
src/common/core/modsecurity/files/coreruleset-v4/.github/workflows/stale.yml vendored
View file

@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v3
- uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'This issue has been open 30 days waiting for feedback. Remove the stale label or comment, or this will be closed in 14 days'

5
src/common/core/modsecurity/files/coreruleset-v4/.github/workflows/test.yml vendored
View file

@ -12,6 +12,7 @@ on:
- 'tests/**'
- 'util/**'
- '.github/**'
merge_group:
jobs:
regression:
@ -21,7 +22,7 @@ jobs:
modsec_version: [modsec2-apache]
steps:
- name: "Checkout repo"
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.2
- name: "Install dependencies"
env:
@ -47,7 +48,7 @@ jobs:
# we want to get the audit log, so change permissions (file is only for root on docker)
sudo chmod 644 tests/logs/${{ matrix.modsec_version }}/modsec_audit.log
- uses: actions/upload-artifact@v3
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
if: failure()
with:
name: waf-logs

12
src/common/core/modsecurity/files/coreruleset-v4/.github/workflows/update-changelog.yaml vendored
View file

@ -1,18 +1,24 @@
name: Create changelog PRs
# default token permissions: none
permissions: {}
on:
schedule:
- cron: '0 2 * * *' # run at 2 AM UTC
jobs:
create-changelog-prs:
name:
permissions:
contents: write
pull-requests: write
runs-on: ubuntu-latest
steps:
- name: "Checkout repo"
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.2
- name: Set up Python 3
uses: actions/setup-python@v4
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
with:
python-version: 3.12

19
src/common/core/modsecurity/files/coreruleset-v4/CONTRIBUTORS.md vendored
View file

@ -3,26 +3,30 @@
## Project Co-Leads:
- [Christian Folini](https://github.com/dune73)
- [Walter Hop](https://github.com/lifeforms)
- [Felipe Zipitría](https://github.com/fzipi)
## Developers:
- [Paul Beckett](https://github.com/53cur3M3)
- [Franziska Bühler](https://github.com/franbuehler)
- [Christoph Hansen](https://github.com/emphazer)
- [Esad Cetiner](https://github.com/esadcetiner)
- [Ervin Hegedus](https://github.com/airween)
- [Andrew Howe](https://github.com/RedXanadu)
- [Karel Knibbe](https://github.com/karelorigin)
- [Max Leske](https://github.com/theseion)
- [Andrea Menin](https://github.com/theMiddleBlue)
- [Matteo Pace](https://github.com/M4tteoP)
- [Jitendra Patro](https://github.com/Xhoenix)
- [Jozef Sudolský](https://github.com/azurit)
## Former and Inactive Developers:
- [Paul Beckett](https://github.com/53cur3M3)
- [Christoph Hansen](https://github.com/emphazer)
- [Walter Hop](https://github.com/lifeforms) †
- [Manuel Leos Rivas](https://github.com/spartantri)
- [Andrea Menin](https://github.com/theMiddleBlue)
- [Chaim Sanders](https://github.com/csanders-git)
- [Federico G. Schwindt](https://github.com/fgsch)
- [Manuel Leos Rivas](https://github.com/spartantri)
- [Simon Studer](https://github.com/studersi)
- [Jozef Sudolský](https://github.com/azurit)
## Contributors:
@ -36,7 +40,6 @@
- [Peter Bittner](https://github.com/bittner)
- [Allan Boll](https://github.com/allanbomsft)
- [Jeremy Brown](https://github.com/jwbrown77)
- [Esad Cetiner](https://github.com/esadcetiner/)
- [Brent Clark](https://github.com/brentclark)
- [Jonathan Claudius](https://github.com/claudijd)
- [coolt](https://github.com/coolt)
@ -141,3 +144,5 @@
- [ThanhPT](https://github.com/thanhpt1708)
- [Vandan Rohatgi](https://github.com/vandanrohatgi)
- [NiceYouKnow](https://github.com/NiceYouKnow)
- [floyd](https://github.com/floyd)
- [superlgn](https://github.com/superlgn)

1
src/common/core/modsecurity/files/coreruleset-v4/SECURITY.md vendored
View file

@ -11,6 +11,7 @@ Along those lines, OWASP CRS team may not issue security notifications for unsup
| Version | Supported |
| --------- | ------------------ |
| 4.1.0 | :white_check_mark: |
| 4.0.0 | :white_check_mark: |
| 3.3.x | :white_check_mark: |
| 3.2.x | :x: |

54
src/common/core/modsecurity/files/coreruleset-v4/crs-setup.conf.example vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -180,6 +180,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.blocking_paranoia_level=1"
@ -206,6 +208,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.detection_paranoia_level=1"
@ -230,6 +234,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.enforce_bodyproc_urlencoded=1"
@ -263,6 +269,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.critical_anomaly_score=5,\
# setvar:tx.error_anomaly_score=4,\
# setvar:tx.warning_anomaly_score=3,\
@ -315,6 +323,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.inbound_anomaly_score_threshold=5,\
# setvar:tx.outbound_anomaly_score_threshold=4"
@ -374,6 +384,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.reporting_level=4"
@ -404,6 +416,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.early_blocking=1"
@ -423,6 +437,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.enable_default_collections=1"
@ -449,6 +465,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
# Content-Types that a client is allowed to send in a request.
@ -476,7 +494,9 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ctl:ruleRemoveById=920420,\
# ver:'OWASP_CRS/4.1.0',\
# chain"
# SecRule REQUEST_URI "@rx ^/foo/bar" \
# "t:none"
@ -489,6 +509,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
# Allowed HTTP versions.
@ -503,6 +525,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
# Forbidden file extensions.
@ -525,6 +549,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
# Restricted request headers.
@ -568,6 +594,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
#
# [ Extended ]
@ -592,6 +620,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:'tx.restricted_headers_extended=/accept-charset/'"
# Content-Types charsets that a client is allowed to send in a request.
@ -604,6 +634,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
#
@ -628,6 +660,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.max_num_args=255"
# Block request if the length of any argument name is too high
@ -640,6 +674,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.arg_name_length=100"
# Block request if the length of any argument value is too high
@ -652,6 +688,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.arg_length=400"
# Block request if the total length of all combined arguments is too high
@ -664,6 +702,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.total_arg_length=64000"
# Block request if the file size of any individual uploaded file is too high
@ -676,6 +716,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.max_file_size=1048576"
# Block request if the total size of all combined uploaded files is too high
@ -688,6 +730,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.combined_file_sizes=1048576"
@ -726,6 +770,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# phase:1,\
# pass,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.sampling_percentage=100"
@ -745,6 +791,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.crs_validate_utf8_encoding=1"
@ -765,4 +813,6 @@ SecAction \
pass,\
t:none,\
nolog,\
setvar:tx.crs_setup_version=400"
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:tx.crs_setup_version=410"

0
src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932205.ra → src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/932205-chain1.ra vendored
View file

6
src/common/core/modsecurity/files/coreruleset-v4/regex-assembly/include/unix-shell-4andup.ra vendored
View file

@ -83,7 +83,7 @@ adduser
agetty
alias@
alpine@
ansible-playbook
ansible
apt-get
aptitude@
arch@
@ -136,6 +136,8 @@ check_memory
check_raid
check_ssl_cert
check_statusfile
chef@
chef-
chflags
chgpasswd
chgrp
@ -160,7 +162,7 @@ cpan
cpio
cpulimit
crash@
cron
cron@
crontab
csplit
csvtool

2
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#

91
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-901-INITIALIZATION.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -26,7 +26,7 @@
#
# Ref: https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#seccomponentsignature
#
SecComponentSignature "OWASP_CRS/4.0.0"
SecComponentSignature "OWASP_CRS/4.1.0"
#
# -=[ Default setup values ]=-
@ -59,7 +59,8 @@ SecRule &TX:crs_setup_version "@eq 0" \
log,\
auditlog,\
msg:'ModSecurity CRS is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL'"
@ -77,7 +78,8 @@ SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.inbound_anomaly_score_threshold=5'"
# Default Outbound Anomaly Threshold Level (rule 900110 in crs-setup.conf)
@ -86,7 +88,8 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.outbound_anomaly_score_threshold=4'"
# Default Reporting Level (rule 900115 in crs-setup.conf)
@ -95,7 +98,8 @@ SecRule &TX:reporting_level "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.reporting_level=4'"
# Default Early Blocking (rule 900120 in crs-setup.conf)
@ -104,7 +108,8 @@ SecRule &TX:early_blocking "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.early_blocking=0'"
# Default Blocking Paranoia Level (rule 900000 in crs-setup.conf)
@ -113,7 +118,8 @@ SecRule &TX:blocking_paranoia_level "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.blocking_paranoia_level=1'"
# Default Detection Paranoia Level (rule 900001 in crs-setup.conf)
@ -122,7 +128,8 @@ SecRule &TX:detection_paranoia_level "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.detection_paranoia_level=%{TX.blocking_paranoia_level}'"
# Default Sampling Percentage (rule 900400 in crs-setup.conf)
@ -131,7 +138,8 @@ SecRule &TX:sampling_percentage "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.sampling_percentage=100'"
# Default Anomaly Scores (rule 900100 in crs-setup.conf)
@ -140,7 +148,8 @@ SecRule &TX:critical_anomaly_score "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.critical_anomaly_score=5'"
SecRule &TX:error_anomaly_score "@eq 0" \
@ -148,7 +157,8 @@ SecRule &TX:error_anomaly_score "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.error_anomaly_score=4'"
SecRule &TX:warning_anomaly_score "@eq 0" \
@ -156,7 +166,8 @@ SecRule &TX:warning_anomaly_score "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.warning_anomaly_score=3'"
SecRule &TX:notice_anomaly_score "@eq 0" \
@ -164,7 +175,8 @@ SecRule &TX:notice_anomaly_score "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.notice_anomaly_score=2'"
# Default HTTP policy: allowed_methods (rule 900200 in crs-setup.conf)
@ -173,7 +185,8 @@ SecRule &TX:allowed_methods "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
# Default HTTP policy: allowed_request_content_type (rule 900220 in crs-setup.conf)
@ -182,7 +195,8 @@ SecRule &TX:allowed_request_content_type "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
# Default HTTP policy: allowed_request_content_type_charset (rule 900280 in crs-setup.conf)
@ -191,7 +205,8 @@ SecRule &TX:allowed_request_content_type_charset "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
# Default HTTP policy: allowed_http_versions (rule 900230 in crs-setup.conf)
@ -200,7 +215,8 @@ SecRule &TX:allowed_http_versions "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
# Default HTTP policy: restricted_extensions (rule 900240 in crs-setup.conf)
@ -209,7 +225,8 @@ SecRule &TX:restricted_extensions "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
# Default HTTP policy: restricted_headers_basic (rule 900250 in crs-setup.conf)
@ -218,7 +235,8 @@ SecRule &TX:restricted_headers_basic "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
# Default HTTP policy: restricted_headers_extended (rule 900255 in crs-setup.conf)
@ -227,7 +245,8 @@ SecRule &TX:restricted_headers_extended "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.restricted_headers_extended=/accept-charset/'"
# Default enforcing of body processor URLENCODED (rule 900010 in crs-setup.conf)
@ -236,7 +255,8 @@ SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.enforce_bodyproc_urlencoded=0'"
# Default check for UTF8 encoding validation (rule 900950 in crs-setup.conf)
@ -245,7 +265,8 @@ SecRule &TX:crs_validate_utf8_encoding "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.crs_validate_utf8_encoding=0'"
#
@ -262,7 +283,8 @@ SecAction \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.blocking_inbound_anomaly_score=0',\
setvar:'tx.detection_inbound_anomaly_score=0',\
setvar:'tx.inbound_anomaly_score_pl1=0',\
@ -300,7 +322,8 @@ SecRule TX:ENABLE_DEFAULT_COLLECTIONS "@eq 1" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
chain"
SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \
"t:none,t:sha1,t:hexEncode,\
@ -321,8 +344,9 @@ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
nolog,\
noauditlog,\
msg:'Enabling body inspection',\
tag:'OWASP_CRS',\
ctl:forceRequestBodyVariable=On,\
ver:'OWASP_CRS/4.0.0'"
ver:'OWASP_CRS/4.1.0'"
# Force body processor URLENCODED
SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
@ -333,7 +357,8 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
nolog,\
noauditlog,\
msg:'Enabling forced body inspection for ASCII content',\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
chain"
SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
"ctl:requestBodyProcessor=URLENCODED"
@ -372,7 +397,8 @@ SecRule TX:sampling_percentage "@eq 100" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
skipAfter:END-SAMPLING"
SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
@ -382,7 +408,8 @@ SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
capture,\
t:sha1,t:hexEncode,\
nolog,\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'"
#
@ -405,8 +432,9 @@ SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
log,\
noauditlog,\
msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\
tag:'OWASP_CRS',\
ctl:ruleRemoveByTag=OWASP_CRS,\
ver:'OWASP_CRS/4.0.0'"
ver:'OWASP_CRS/4.1.0'"
SecMarker "END-SAMPLING"
@ -424,4 +452,5 @@ SecRule TX:detection_paranoia_level "@lt %{tx.blocking_paranoia_level}" \
t:none,\
log,\
msg:'Detection paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\
ver:'OWASP_CRS/4.0.0'"
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0'"

8
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-905-COMMON-EXCEPTIONS.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -24,7 +24,8 @@ SecRule REQUEST_LINE "@streq GET /" \
tag:'language-multi',\
tag:'platform-apache',\
tag:'attack-generic',\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
chain"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
"t:none,\
@ -44,7 +45,8 @@ SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
tag:'language-multi',\
tag:'platform-apache',\
tag:'attack-generic',\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
chain"
SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \
"t:none,\

20
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-911-METHOD-ENFORCEMENT.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -39,31 +39,31 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/274',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

20
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-913-SCANNER-DETECTION.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -51,29 +51,29 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

170
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -23,8 +23,8 @@
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -50,7 +50,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,skipAf
# https://www.rfc-editor.org/rfc/rfc9110.html#section-4.2.1
# http://capec.mitre.org/data/definitions/272.html
#
SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?|(?:connect (?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}\.?(?::[0-9]+)?|[\--9A-Z_a-z]+:[0-9]+)|options \*|[a-z]{3,10}[\s\v]+(?:[0-9A-Z_a-z]{3,7}?://[\--9A-Z_a-z]*(?::[0-9]+)?)?/[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?)[\s\v]+[\.-9A-Z_a-z]+)$" \
SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\x0b#]*)?(?:#[^\s\x0b]*)?|(?:connect (?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}\.?(?::[0-9]+)?|[\--9A-Z_a-z]+:[0-9]+)|options \*|[a-z]{3,10}[\s\x0b]+(?:[0-9A-Z_a-z]{3,7}?://[\--9A-Z_a-z]*(?::[0-9]+)?)?/[^#\?]*(?:\?[^\s\x0b#]*)?(?:#[^\s\x0b]*)?)[\s\x0b]+[\.-9A-Z_a-z]+)$" \
"id:920100,\
phase:1,\
block,\
@ -64,7 +64,7 @@ SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?|(?
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -105,7 +105,7 @@ SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?|(?
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 920120
#
SecRule FILES|FILES_NAMES "!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|[ain-o]tild)e|[c-elnr-tz]caron|(?:[cgk-lnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^\"';=])*$" \
SecRule FILES|FILES_NAMES "!@rx (?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[aino]tild)e|[c-elnr-tz]caron|(?:[cgklnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^\"';=])*$" \
"id:920120,\
phase:2,\
block,\
@ -119,7 +119,7 @@ SecRule FILES|FILES_NAMES "!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -148,7 +148,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -182,7 +182,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \
@ -207,7 +207,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
chain"
SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
@ -247,7 +247,7 @@ SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'WARNING',\
chain"
SecRule REQUEST_METHOD "@streq POST" \
@ -277,7 +277,7 @@ SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'WARNING',\
chain"
SecRule &REQUEST_HEADERS:Content-Length "!@eq 0" \
@ -315,7 +315,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'WARNING',\
chain"
SecRule TX:2 "@lt %{tx.1}" \
@ -347,7 +347,7 @@ SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -388,7 +388,7 @@ SecRule REQUEST_URI_RAW "@rx \x25" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_URI_RAW "@rx ^(.*)/(?:[^\?]+)?(\?.*)?$" \
@ -407,7 +407,7 @@ SecRule REQUEST_URI_RAW "@rx \x25" \
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 920221
#
SecRule REQUEST_BASENAME "!@rx ^.*%.*\.[^\s\v\.]+$" \
SecRule REQUEST_BASENAME "!@rx ^.*%.*\.[^\s\x0b\.]+$" \
"id:920221,\
phase:1,\
block,\
@ -422,7 +422,7 @@ SecRule REQUEST_BASENAME "!@rx ^.*%.*\.[^\s\v\.]+$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
chain"
SecRule TX:0 "@validateUrlEncoding" \
@ -453,7 +453,7 @@ SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'WARNING',\
chain"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \
@ -497,7 +497,7 @@ SecRule REQUEST_URI|REQUEST_BODY "@rx (?i)%uff[0-9a-f]{2}" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -553,7 +553,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -585,7 +585,7 @@ SecRule &REQUEST_HEADERS:Host "@eq 0" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
skipAfter:END-HOST-CHECK"
@ -604,7 +604,7 @@ SecRule REQUEST_HEADERS:Host "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -644,7 +644,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'NOTICE',\
chain"
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@ -669,7 +669,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'NOTICE',\
chain"
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@ -702,7 +702,7 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'NOTICE',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
@ -739,7 +739,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'NOTICE',\
chain"
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@ -784,7 +784,7 @@ SecRule REQUEST_HEADERS:Host "@rx (?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -816,7 +816,7 @@ SecRule &TX:MAX_NUM_ARGS "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
chain"
SecRule &ARGS "@gt %{tx.max_num_args}" \
@ -841,7 +841,7 @@ SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
chain"
SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" \
@ -868,7 +868,7 @@ SecRule &TX:ARG_LENGTH "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
chain"
SecRule ARGS "@gt %{tx.arg_length}" \
@ -892,7 +892,7 @@ SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
chain"
SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" \
@ -917,7 +917,7 @@ SecRule &TX:MAX_FILE_SIZE "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
@ -943,7 +943,7 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
chain"
SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \
@ -983,7 +983,7 @@ SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+*-]+(?:\s?;\s?(?:action|bounda
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1006,7 +1006,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.content_type=|%{tx.0}|',\
chain"
@ -1034,7 +1034,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.content_type_charset=|%{tx.1}|',\
chain"
@ -1061,7 +1061,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1083,7 +1083,7 @@ SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1106,7 +1106,7 @@ SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.extension=.%{tx.1}/',\
chain"
@ -1133,7 +1133,7 @@ SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1187,7 +1187,7 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.header_name_920450_%{tx.0}=/%{tx.0}/',\
chain"
@ -1219,7 +1219,7 @@ SecRule REQUEST_HEADERS:Accept-Encoding "@gt 50" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1238,7 +1238,7 @@ SecRule REQUEST_HEADERS:Accept-Encoding "@gt 50" \
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 920600
#
SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*(?:[\s\v]*,[\s\v]*(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*)*$" \
SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*(?:[\s\x0b]*,[\s\x0b]*(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*)*$" \
"id:920600,\
phase:1,\
block,\
@ -1251,7 +1251,7 @@ SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1274,7 +1274,7 @@ SecRule REQBODY_PROCESSOR "!@streq JSON" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?i)\x5cu[0-9a-f]{4}" \
@ -1298,7 +1298,7 @@ SecRule REQUEST_URI_RAW "@contains #" \
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1330,13 +1330,13 @@ SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -1372,10 +1372,10 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'WARNING',\
chain"
SecRule REQUEST_BASENAME "!@endsWith .pdf" \
@ -1396,10 +1396,10 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'WARNING',\
chain"
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \
@ -1417,10 +1417,10 @@ SecRule ARGS "@rx %[0-9a-fA-F]{2}" \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/120',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'WARNING',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
@ -1439,10 +1439,10 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1465,11 +1465,11 @@ SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'NOTICE',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.notice_anomaly_score}'"
@ -1488,10 +1488,10 @@ SecRule FILES_NAMES|FILES "@rx ['\";=]" \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1516,7 +1516,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
chain"
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@ -1543,7 +1543,7 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.header_name_920451_%{tx.0}=/%{tx.0}/',\
chain"
@ -1570,7 +1570,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'WARNING',\
chain"
SecRule REQUEST_BODY "@rx \x25" \
@ -1578,8 +1578,8 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded
SecRule REQUEST_BODY "@validateUrlEncoding" \
"setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
@ -1601,10 +1601,10 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteR
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -1634,11 +1634,11 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'NOTICE',\
chain"
SecRule REQUEST_METHOD "!@rx ^(?:OPTIONS|CONNECT)$" \
@ -1668,10 +1668,10 @@ SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \
tag:'language-aspnet',\
tag:'platform-windows',\
tag:'attack-protocol',\
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \
@ -1724,7 +1724,7 @@ SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:\s*\,\s*|$)){1,7}$" \
@ -1755,12 +1755,12 @@ SecRule REQUEST_HEADERS:Accept-Encoding "!@rx br|compress|deflate|(?:pack200-)?g
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
@ -1780,10 +1780,10 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'WARNING',\
chain"
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
@ -1807,10 +1807,10 @@ SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@ -1828,10 +1828,10 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@ -1854,10 +1854,10 @@ SecRule REQUEST_HEADERS:Sec-Fetch-User|REQUEST_HEADERS:Sec-CH-UA-Mobile "!@rx ^(
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@ -1901,7 +1901,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\x5c])\x5c[cdegh
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/153/267',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"

62
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-921-PROTOCOL-ATTACK.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -46,7 +46,7 @@ SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connec
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -78,7 +78,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/34',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -99,7 +99,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/34',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -133,7 +133,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/273',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -161,7 +161,7 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -182,7 +182,7 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -208,7 +208,7 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/34',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -241,7 +241,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/136',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -258,7 +258,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 921421
#
SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\v,;]+[\s\v,;].*?(?:application/(?:.+\+)?json|(?:application/(?:soap\+)?|text/)xml)" \
SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?(?:application/(?:.+\+)?json|(?:application/(?:soap\+)?|text/)xml)" \
"id:921421,\
phase:1,\
block,\
@ -274,7 +274,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\v,;]+[\s\v,;].*?(?:application/(
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -300,13 +300,13 @@ SecRule REQUEST_URI "@rx unix:[^|]*\|" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -333,7 +333,7 @@ SecRule ARGS_GET "@rx [\n\r]" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -353,7 +353,7 @@ SecRule ARGS_GET "@rx [\n\r]" \
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 921422
#
SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\v,;]+[\s\v,;].*?\b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([\+/]))\b" \
SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?\b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([\+/]))\b" \
"id:921422,\
phase:1,\
block,\
@ -369,13 +369,13 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\v,;]+[\s\v,;].*?\b(?:((?:tex|mul
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
@ -405,7 +405,7 @@ SecRule &REQUEST_HEADERS:Range "@gt 0" \
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -439,7 +439,7 @@ SecRule ARGS_NAMES "@rx ." \
tag:'attack-protocol',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/15/460',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
SecRule TX:/paramcounter_.*/ "@gt 1" \
@ -452,10 +452,10 @@ SecRule TX:/paramcounter_.*/ "@gt 1" \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/15/460',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \
@ -497,18 +497,18 @@ SecRule ARGS_NAMES "@rx (][^\]]+$|][^\]]+\[)" \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/15/460',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
@ -545,10 +545,10 @@ SecRule ARGS_NAMES "@rx \[" \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/15/460',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"

16
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-922-MULTIPART-ATTACK.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -35,10 +35,10 @@ SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-multipart-header',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.922100_charset=|%{ARGS._charset_}|',\
chain"
@ -66,13 +66,13 @@ SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*:\s*(.*)$" \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/272/220',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
chain"
SecRule TX:1 "!@rx ^(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*(?:[\s\v]*,[\s\v]*(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*)*$" \
SecRule TX:1 "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*(?:[\s\x0b]*,[\s\x0b]*(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*)*$" \
"setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used (see: https://www.rfc-editor.org/rfc/rfc7578#section-4.7)
@ -89,9 +89,9 @@ SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-deprecated-header',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/272/220',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

30
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -32,7 +32,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,skipAf
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 930100
#
SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "@rx (?i)(?:[/\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:\.(?:%0[0-1]|\?)?|\?\.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:\.|%[25-6ae-f]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))" \
SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "@rx (?i)(?:[/\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:\.(?:%0[01]|\?)?|\?\.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:\.|%[256aef]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))" \
"id:930100,\
phase:2,\
block,\
@ -47,7 +47,7 @@ SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
@ -79,7 +79,7 @@ SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@ -110,7 +110,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
tag:'PCI/6.5.4',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -137,15 +137,15 @@ SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
tag:'PCI/6.5.4',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -175,22 +175,22 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@pmFromFile lfi-os-f
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
tag:'PCI/6.5.4',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

32
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -17,8 +17,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -49,7 +49,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?)://(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -69,7 +69,7 @@ SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_abso
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -89,15 +89,15 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -125,10 +125,10 @@ SecRule ARGS "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|it
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-rfi',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
chain"
@ -155,10 +155,10 @@ SecRule REQUEST_FILENAME "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-rfi',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
chain"
@ -167,16 +167,16 @@ SecRule REQUEST_FILENAME "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

175
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf vendored
View file

File diff suppressed because one or more lines are too long

70
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -59,7 +59,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -100,7 +100,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -124,7 +124,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.933120_tx_0=%{tx.0}',\
chain"
@ -152,7 +152,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -188,7 +188,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -224,7 +224,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -291,7 +291,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -328,7 +328,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 933160
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b\(?[\"']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|file(?:group)?|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a)|md5|o(?:pendir|rd)|p(?:assthru|open|rev)|(?:read|tmp)file|un(?:pac|lin)k|s(?:tat|ubstr|ystem))(?:/(?:\*.*\*/|/.*)|#.*|[\s\v\"])*[\"']*\)?[\s\v]*\(.*\)" \
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b\(?[\"']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|file(?:group)?|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a)|md5|o(?:pendir|rd)|p(?:assthru|open|rev)|(?:read|tmp)file|un(?:pac|lin)k|s(?:tat|ubstr|ystem))(?:/(?:\*.*\*/|/.*)|#.*|[\s\x0b\"])*[\"']*\)?[\s\x0b]*\(.*\)" \
"id:933160,\
phase:2,\
block,\
@ -343,7 +343,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -398,7 +398,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -453,7 +453,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -485,7 +485,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 933210
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:\((?:.+\)(?:[\"'][\-0-9A-Z_a-z]+[\"'])?\(.+|[^\)]*string[^\)]*\)[\s\v\"'\--\.0-9A-\[\]_a-\{\}]+\([^\)]*)|(?:\[[0-9]+\]|\{[0-9]+\}|\$[^\(-\),\.-/;\x5c]+|[\"'][\-0-9A-Z\x5c_a-z]+[\"'])\(.+)\);" \
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:\((?:.+\)(?:[\"'][\-0-9A-Z_a-z]+[\"'])?\(.+|[^\)]*string[^\)]*\)[\s\x0b\"'\-\.0-9A-\[\]_a-\{\}]+\([^\)]*)|(?:\[[0-9]+\]|\{[0-9]+\}|\$[^\(\),\./;\x5c]+|[\"'][\-0-9A-Z\x5c_a-z]+[\"'])\(.+)\);" \
"id:933210,\
phase:2,\
block,\
@ -500,13 +500,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -540,10 +540,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.933151_tx_0=%{tx.0}',\
chain"
@ -555,8 +555,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
@ -595,10 +595,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -627,7 +627,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 933161
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:bs|s(?:in|sert(?:_options)?))|basename|c(?:h(?:eckdate|r(?:oot)?)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|r(?:eate_function|ypt)|urrent)|d(?:ate|e(?:coct|fined?)|ir)|e(?:nd|val|x(?:ec|p(?:lode)?|tract))|f(?:ile(?:(?:[acm]tim|inod|siz|typ)e|group|owner|perms)?|l(?:o(?:ck|or)|ush))|glob|h(?:ash|eader)|i(?:date|m(?:age(?:gif|(?:jpe|pn)g|wbmp|xbm)|plode)|s_a)|key|l(?:ink|og)|m(?:a(?:il|x)|d5|in)|n(?:ame|ext)|o(?:pendir|rd)|p(?:a(?:ck|ss(?:thru)?)|i|o(?:pen|w)|rev)|r(?:an(?:d|ge)|e(?:(?:adfil|nam)e|set)|ound)|s(?:(?:erializ|huffl)e|in|leep|(?:or|ta)t|ubstr|y(?:mlink|s(?:log|tem)))|t(?:an|(?:im|mpfil)e|ouch|rim)|u(?:cfirst|n(?:lin|pac)k)|virtual)(?:[\s\v]|/\*.*\*/|(?:#|//).*)*\(.*\)" \
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:bs|s(?:in|sert(?:_options)?))|basename|c(?:h(?:eckdate|r(?:oot)?)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|r(?:eate_function|ypt)|urrent)|d(?:ate|e(?:coct|fined?)|ir)|e(?:nd|val|x(?:ec|p(?:lode)?|tract))|f(?:ile(?:(?:[acm]tim|inod|siz|typ)e|group|owner|perms)?|l(?:o(?:ck|or)|ush))|glob|h(?:ash|eader)|i(?:date|m(?:age(?:gif|(?:jpe|pn)g|wbmp|xbm)|plode)|s_a)|key|l(?:ink|og)|m(?:a(?:il|x)|d5|in)|n(?:ame|ext)|o(?:pendir|rd)|p(?:a(?:ck|ss(?:thru)?)|i|o(?:pen|w)|rev)|r(?:an(?:d|ge)|e(?:(?:adfil|nam)e|set)|ound)|s(?:(?:erializ|huffl)e|in|leep|(?:or|ta)t|ubstr|y(?:mlink|s(?:log|tem)))|t(?:an|(?:im|mpfil)e|ouch|rim)|u(?:cfirst|n(?:lin|pac)k)|virtual)(?:[\s\x0b]|/\*.*\*/|(?:#|//).*)*\(.*\)" \
"id:933161,\
phase:2,\
block,\
@ -639,10 +639,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -681,10 +681,10 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -710,10 +710,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'language-php',\
tag:'platform-multi',\
tag:'attack-injection-php',\
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -733,7 +733,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 933211
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:\((?:.+\)(?:[\"'][\-0-9A-Z_a-z]+[\"'])?\(.+|[^\)]*string[^\)]*\)[\s\v\"'\--\.0-9A-\[\]_a-\{\}]+\([^\)]*)|(?:\[[0-9]+\]|\{[0-9]+\}|\$[^\(-\),\.-/;\x5c]+|[\"'][\-0-9A-Z\x5c_a-z]+[\"'])\(.+)\)(?:;|$)?" \
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:\((?:.+\)(?:[\"'][\-0-9A-Z_a-z]+[\"'])?\(.+|[^\)]*string[^\)]*\)[\s\x0b\"'\-\.0-9A-\[\]_a-\{\}]+\([^\)]*)|(?:\[[0-9]+\]|\{[0-9]+\}|\$[^\(\),\./;\x5c]+|[\"'][\-0-9A-Z\x5c_a-z]+[\"'])\(.+)\)(?:;|$)?" \
"id:933211,\
phase:2,\
block,\
@ -748,14 +748,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

48
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -49,7 +49,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,skipAf
# crs-toolchain regex update 934100
#
# Stricter sibling: 934101
SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx _(?:\$\$ND_FUNC\$\$_|_js_function)|(?:\beval|new[\s\v]+Function[\s\v]*)\(|String\.fromCharCode|function\(\)\{|this\.constructor|module\.exports=|\([\s\v]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][\s\v]*\)|process(?:\.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:\.call)?\(|binding|constructor|env|global|main(?:Module)?|process|require)|\[[\"'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)[\"'`]\])|(?:binding|constructor|env|global|main(?:Module)?|process|require)\[|console(?:\.(?:debug|error|info|trace|warn)(?:\.call)?\(|\[[\"'`](?:debug|error|info|trace|warn)[\"'`]\])|require(?:\.(?:resolve(?:\.call)?\(|main|extensions|cache)|\[[\"'`](?:(?:resolv|cach)e|main|extensions)[\"'`]\])" \
SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx _(?:\$\$ND_FUNC\$\$_|_js_function)|(?:\beval|new[\s\x0b]+Function[\s\x0b]*)\(|String\.fromCharCode|function\(\)\{|this\.constructor|module\.exports=|\([\s\x0b]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][\s\x0b]*\)|process(?:\.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:\.call)?\(|binding|constructor|env|global|main(?:Module)?|process|require)|\[[\"'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)[\"'`]\])|(?:binding|constructor|env|global|main(?:Module)?|process|require)\[|console(?:\.(?:debug|error|info|trace|warn)(?:\.call)?\(|\[[\"'`](?:debug|error|info|trace|warn)[\"'`]\])|require(?:\.(?:resolve(?:\.call)?\(|main|extensions|cache)|\[[\"'`](?:(?:resolv|cach)e|main|extensions)[\"'`]\])" \
"id:934100,\
phase:2,\
block,\
@ -65,7 +65,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@ -100,7 +100,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/664',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -135,7 +135,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1/180/77',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@ -151,7 +151,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 934150
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx Process[\s\v]*\.[\s\v]*spawn[\s\v]*\(" \
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx Process[\s\x0b]*\.[\s\x0b]*spawn[\s\x0b]*\(" \
"id:934150,\
phase:2,\
block,\
@ -167,7 +167,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -182,7 +182,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 934160
#
SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx while[\s\v]*\([\s\v\(]*(?:!+(?:false|null|undefined|NaN|[\+\-]?0|\"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[\+\-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)\b|\{.*\}|\[.*\]|\"[^\"]+\"|'[^']+'|`[^`]+`)).*\)" \
SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx while[\s\x0b]*\([\s\x0b\(]*(?:!+(?:false|null|undefined|NaN|[\+\-]?0|\"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[\+\-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)\b|\{.*\}|\[.*\]|\"[^\"]+\"|'[^']+'|`[^`]+`)).*\)" \
"id:934160,\
phase:2,\
block,\
@ -198,7 +198,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@ -213,7 +213,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 934170
#
SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^data:(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*(?:[\s\v]*,[\s\v]*(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*)*" \
SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^data:(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*(?:[\s\x0b]*,[\s\x0b]*(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*)*" \
"id:934170,\
phase:2,\
block,\
@ -228,19 +228,19 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
# This rule is a stricter sibling of 934100.
SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[\s\v]*\(" \
SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[\s\x0b]*\(" \
"id:934101,\
phase:2,\
block,\
@ -256,7 +256,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@ -293,7 +293,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 934120
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)((?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}\.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}\.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}\.(?:[0-9]{1,3}\.[0-9]{5}|[0-9]{8})|(?:\x5c\x5c[\-0-9a-z]\.?_?)+|\[[0-:a-f]+(?:[\.0-9]+|%[0-9A-Z_a-z]+)?\]|[a-z][\--\.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[\s\v]*&?@(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}|[a-z][\--\.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[\.0-9]{0,11}(?:\xe2(?:\x91[\xa0-\xbf]|\x92[\x80-\xbf]|\x93[\x80-\xa9\xab-\xbf])|\xe3\x80\x82)+))" \
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)((?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}\.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}\.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}\.(?:[0-9]{1,3}\.[0-9]{5}|[0-9]{8})|(?:\x5c\x5c[\-0-9a-z]\.?_?)+|\[[0-:a-f]+(?:[\.0-9]+|%[0-9A-Z_a-z]+)?\]|[a-z][\-\.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[\s\x0b]*&?@(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}|[a-z][\-\.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[\.0-9]{0,11}(?:\xe2(?:\x91[\xa0-\xbf]|\x92[\x80-\xbf]|\x93[\x80-\xa9\xab-\xbf])|\xe3\x80\x82)+))" \
"id:934120,\
phase:2,\
block,\
@ -308,7 +308,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/664',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -340,20 +340,20 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

110
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -60,7 +60,9 @@ SecRule REQUEST_FILENAME "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-12
pass,\
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=xss-perf-disable;REQUEST_FILENAME"
tag:'OWASP_CRS',\
ctl:ruleRemoveTargetByTag=xss-perf-disable;REQUEST_FILENAME,\
ver:'OWASP_CRS/4.1.0'"
#
@ -92,7 +94,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -119,7 +121,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -133,7 +135,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 941130
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i).(?:\b(?:x(?:link:href|html|mlns)|data:text/html|formaction|pattern\b.*?=)|!ENTITY[\s\v]+(?:%[\s\v]+)?[^\s\v]+[\s\v]+(?:SYSTEM|PUBLIC)|@import|;base64)\b" \
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i).(?:\b(?:x(?:link:href|html|mlns)|data:text/html|formaction|pattern\b.*?=)|!ENTITY[\s\x0b]+(?:%[\s\x0b]+)?[^\s\x0b]+[\s\x0b]+(?:SYSTEM|PUBLIC)|@import|;base64)\b" \
"id:941130,\
phase:2,\
block,\
@ -149,7 +151,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -178,7 +180,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -195,7 +197,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 941160
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^\s\v\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?g|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[\s\v/]|[\"'](?:.*[\s\v/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|transitionend)|heel)|zoom)|ping|s(?:rc|tyle))[\x08-\n\f-\r ]*?=" \
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^\s\x0b\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?g|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[\s\x0b/]|[\"'](?:.*[\s\x0b/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|transitionend)|heel)|zoom)|ping|s(?:rc|tyle))[\x08-\n\f\r ]*?=" \
"id:941160,\
phase:2,\
block,\
@ -211,7 +213,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -236,7 +238,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -263,7 +265,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -290,7 +292,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -312,13 +314,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)(?:j|&#(?:0*(?:74|106)|x0*[46]A);)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:v|&#(?:0*(?:86|118)|x0*[57]6);)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;))." \
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)(?:j|&#(?:0*(?:74|106)|x0*[46]A);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:v|&#(?:0*(?:86|118)|x0*[57]6);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;))." \
"id:941210,\
phase:2,\
block,\
@ -334,13 +336,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)(?:v|&#(?:0*(?:118|86)|x0*[57]6);)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:b|&#(?:0*(?:98|66)|x0*[46]2);)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[\t-\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;))." \
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)(?:v|&#(?:0*(?:118|86)|x0*[57]6);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:b|&#(?:0*(?:98|66)|x0*[46]2);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;))." \
"id:941220,\
phase:2,\
block,\
@ -356,7 +358,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -378,7 +380,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -400,7 +402,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -422,7 +424,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -444,7 +446,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -466,7 +468,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -488,7 +490,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -510,7 +512,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -532,7 +534,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -592,7 +594,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?:\xbc\s*/\s*[^\xbe>]*[\xbe>])|(?:<\s*/\s*[^\xbe]*\xbe)" \
@ -622,7 +624,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -664,7 +666,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -692,7 +694,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|REQU
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -709,7 +711,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|REQU
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 941390
#
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)\b(?:eval|set(?:timeout|interval)|new[\s\v]+Function|a(?:lert|tob)|btoa|prompt|confirm)[\s\v]*\(" \
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)\b(?:eval|set(?:timeout|interval)|new[\s\x0b]+Function|a(?:lert|tob)|btoa|prompt|confirm)[\s\x0b]*\(" \
"id:941390,\
phase:2,\
block,\
@ -724,7 +726,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -754,14 +756,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -782,10 +784,10 @@ SecRule REQUEST_FILENAME|REQUEST_HEADERS:Referer "@detectXSS" \
tag:'platform-multi',\
tag:'attack-xss',\
tag:'xss-perf-disable',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -819,7 +821,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -842,10 +844,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'platform-multi',\
tag:'attack-xss',\
tag:'xss-perf-disable',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -873,7 +875,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -957,11 +959,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'platform-multi',\
tag:'attack-xss',\
tag:'xss-perf-disable',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
tag:'PCI/6.5.1',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -979,11 +981,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'platform-multi',\
tag:'attack-xss',\
tag:'xss-perf-disable',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'PCI/6.5.1',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1004,11 +1006,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'platform-multi',\
tag:'attack-xss',\
tag:'xss-perf-disable',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'PCI/6.5.1',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1038,26 +1040,26 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'language-multi',\
tag:'attack-xss',\
tag:'xss-perf-disable',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941015,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941016,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941017,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941018,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

302
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf vendored
View file

File diff suppressed because it is too large Load diff

24
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943011,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943012,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -43,7 +43,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/21/593/61',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -64,7 +64,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/21/593/61',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.943110_matched_var_name=%{matched_var_name}',\
chain"
@ -91,7 +91,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/21/593/61',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.943120_matched_var_name=%{matched_var_name}',\
chain"
@ -102,24 +102,24 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943013,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943014,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943015,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943016,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943017,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943018,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

72
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -13,8 +13,8 @@
#
# Many rules check request bodies, use "SecRequestBodyAccess On" to enable it on main modsecurity configuration file.
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -42,11 +42,11 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -75,11 +75,11 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
chain"
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \
@ -100,11 +100,11 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
@ -132,11 +132,11 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -174,7 +174,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -218,18 +218,18 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -256,11 +256,11 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -288,11 +288,11 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -309,11 +309,11 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -330,11 +330,11 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -354,11 +354,11 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -379,18 +379,18 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
@ -413,18 +413,18 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#
@ -449,11 +449,11 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'paranoia-level/4',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"

69
src/common/core/modsecurity/files/coreruleset-v4/rules/REQUEST-949-BLOCKING-EVALUATION.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -23,13 +23,18 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
"id:949152,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
@ -38,13 +43,18 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
"id:949153,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
@ -53,13 +63,18 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
"id:949154,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
@ -68,13 +83,18 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
"id:949155,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
# at start of phase 2, we reset the aggregate scores to 0 to prevent duplicate counting of per-PL scores
@ -85,13 +105,18 @@ SecAction \
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.blocking_inbound_anomaly_score=0'"
SecAction \
"id:949159,\
phase:2,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.detection_inbound_anomaly_score=0'"
# Summing up the blocking and detection anomaly scores in phase 2
@ -102,13 +127,18 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
"id:949160,\
phase:2,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
@ -117,13 +147,18 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
"id:949161,\
phase:2,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
@ -132,13 +167,18 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
"id:949162,\
phase:2,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
@ -147,13 +187,18 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
"id:949163,\
phase:2,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
@ -171,7 +216,8 @@ SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_thresh
t:none,\
msg:'Inbound Anomaly Score Exceeded in phase 1 (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
tag:'anomaly-evaluation',\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
chain"
SecRule TX:EARLY_BLOCKING "@eq 1"
@ -183,34 +229,35 @@ SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_thresh
t:none,\
msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
tag:'anomaly-evaluation',\
ver:'OWASP_CRS/4.0.0'"
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949013,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949014,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949015,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949016,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949017,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949018,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

26
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-950-DATA-LEAKAGES.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -23,8 +23,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950011,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950012,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -48,7 +48,7 @@ SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Inde
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54/127',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -80,13 +80,13 @@ SecRule RESPONSE_BODY "@rx ^#\!\s?/" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -106,26 +106,26 @@ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'PCI/6.5.6',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/152',\
ver:'OWASP_CRS/4.0.0',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.1.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950015,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950016,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950017,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950018,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

54
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951011,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -38,7 +38,7 @@ SecRule RESPONSE_BODY "!@pmFromFile sql-errors.data" \
tag:'attack-disclosure',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
skipAfter:END-SQL-ERROR-MATCH-PL1"
SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
@ -56,7 +56,7 @@ SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Micr
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -76,7 +76,7 @@ SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -96,7 +96,7 @@ SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -116,7 +116,7 @@ SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinit
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -136,7 +136,7 @@ SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -156,7 +156,7 @@ SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollba
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -176,7 +176,7 @@ SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -196,7 +196,7 @@ SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statem
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -216,7 +216,7 @@ SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -236,7 +236,7 @@ SecRule RESPONSE_BODY "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -256,7 +256,7 @@ SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -276,7 +276,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsof
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -286,7 +286,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsof
# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
# crs-toolchain regex update 951230
#
SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient\.)|\[MySQL\]\[ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[\(-\)_a-z]{1,26})?|(?:ERROR [0-9]{4} \([0-9a-z]{5}\)|XPATH syntax error):" \
SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient\.)|\[MySQL\]\[ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[\(\)_a-z]{1,26})?|(?:ERROR [0-9]{4} \([0-9a-z]{5}\)|XPATH syntax error):" \
"id:951230,\
phase:4,\
block,\
@ -301,7 +301,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -326,7 +326,7 @@ SecRule RESPONSE_BODY "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -346,7 +346,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/J
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -366,7 +366,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*S
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -374,24 +374,24 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*S
SecMarker "END-SQL-ERROR-MATCH-PL1"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951013,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951014,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951015,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951016,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951017,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951018,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

22
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952011,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952012,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -39,7 +39,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -64,30 +64,30 @@ SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952013,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952014,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952015,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952016,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952017,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952018,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

26
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953011,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -39,7 +39,7 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -64,7 +64,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -90,13 +90,13 @@ SecRule RESPONSE_BODY "@rx (?i)<\?(?:=|php)?\s+" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953013,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953014,phase:4,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -123,21 +123,21 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors-pl2.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953015,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953016,phase:4,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953017,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953018,phase:4,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

28
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954011,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954012,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -37,7 +37,7 @@ SecRule RESPONSE_BODY "@rx [a-z]:\x5cinetpub\b" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -55,10 +55,10 @@ SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:</font>
tag:'platform-windows',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'PCI/6.5.6',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
ver:'OWASP_CRS/4.0.0',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.1.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -82,7 +82,7 @@ SecRule RESPONSE_BODY "@pmFromFile iis-errors.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -104,7 +104,7 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'ERROR',\
chain"
SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \
@ -114,24 +114,24 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954013,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954014,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954015,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954016,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954017,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954018,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

70
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-955-WEB-SHELLS.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. (not) All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -14,8 +14,8 @@
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955011,phase:3,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955012,phase:4,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
@ -36,7 +36,7 @@ SecRule RESPONSE_BODY "@pmFromFile web-shells-php.data" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -55,7 +55,7 @@ SecRule RESPONSE_BODY "@rx (<title>r57 Shell Version [0-9.]+</title>|<title>r57
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -74,7 +74,7 @@ SecRule RESPONSE_BODY "@rx ^<html><head><meta http-equiv='Content-Type' content=
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -93,7 +93,7 @@ SecRule RESPONSE_BODY "@rx B4TM4N SH3LL</title>.*<meta name='author' content='k4
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -112,7 +112,7 @@ SecRule RESPONSE_BODY "@rx <title>Mini Shell</title>.*Developed By LameHacker" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -131,7 +131,7 @@ SecRule RESPONSE_BODY "@rx <title>\.:: .* ~ Ashiyane V [0-9.]+ ::\.</title>" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -150,7 +150,7 @@ SecRule RESPONSE_BODY "@rx <title>Symlink_Sa [0-9.]+</title>" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -169,7 +169,7 @@ SecRule RESPONSE_BODY "@rx <title>CasuS [0-9.]+ by MafiABoY</title>" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -188,7 +188,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<title>GRP WebShell [0-9.]+ " \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -207,7 +207,7 @@ SecRule RESPONSE_BODY "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>\n$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -226,7 +226,7 @@ SecRule RESPONSE_BODY "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ - "
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -245,7 +245,7 @@ SecRule RESPONSE_BODY "@rx ^<!DOCTYPE html>\n<html>\n<!-- By Artyum .*<title>Web
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -264,7 +264,7 @@ SecRule RESPONSE_BODY "@rx <title>lama's'hell v. [0-9.]+</title>" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -283,7 +283,7 @@ SecRule RESPONSE_BODY "@rx ^ *<html>\n[ ]+<head>\n[ ]+<title>lostDC - " \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -302,7 +302,7 @@ SecRule RESPONSE_BODY "@rx ^<title>PHP Web Shell</title>\r\n<html>\r\n<body>\r\n
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -321,7 +321,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<div align=\"left\"><font size=\"1\"
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -340,7 +340,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<title>Ru24PostWebShell - " \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -359,7 +359,7 @@ SecRule RESPONSE_BODY "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -378,7 +378,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<meta http-equiv=\"Content-Type\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -397,7 +397,7 @@ SecRule RESPONSE_BODY "@rx ^ <html>\n\n<head>\n\n<title>g00nshell v[0-9.]+ " \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -418,7 +418,7 @@ SecRule RESPONSE_BODY "@contains <title>punkholicshell</title>" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -437,7 +437,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\n <head>\n <title>azrail [0-
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -456,7 +456,7 @@ SecRule RESPONSE_BODY "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -475,7 +475,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<title>.*? ~ Shell I</title>\n<head>\n<style
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -494,14 +494,14 @@ SecRule RESPONSE_BODY "@rx ^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955013,phase:3,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955014,phase:4,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
@ -522,20 +522,20 @@ SecRule RESPONSE_BODY "@contains <h1 style=\"margin-bottom: 0\">webadmin.php</h1
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/122/17/650',\
ver:'OWASP_CRS/4.0.0',\
ver:'OWASP_CRS/4.1.0',\
severity:'CRITICAL',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955015,phase:3,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955016,phase:4,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955017,phase:3,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955018,phase:4,pass,nolog,skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

69
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-959-BLOCKING-EVALUATION.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -34,13 +34,18 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
"id:959152,\
phase:3,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
@ -49,13 +54,18 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
"id:959153,\
phase:3,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
@ -64,13 +74,18 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
"id:959154,\
phase:3,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
@ -79,13 +94,18 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
"id:959155,\
phase:3,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
# at start of phase 4, we reset the aggregate scores to 0 to prevent duplicate counting of per-PL scores
@ -96,13 +116,18 @@ SecAction \
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.blocking_outbound_anomaly_score=0'"
SecAction \
"id:959159,\
phase:4,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.detection_outbound_anomaly_score=0'"
SecMarker "EARLY_BLOCKING_ANOMALY_SCORING"
@ -115,13 +140,18 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
"id:959160,\
phase:4,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
@ -130,13 +160,18 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
"id:959161,\
phase:4,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
@ -145,13 +180,18 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
"id:959162,\
phase:4,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
@ -160,13 +200,18 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
"id:959163,\
phase:4,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
#
@ -181,7 +226,8 @@ SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_thre
t:none,\
msg:'Outbound Anomaly Score Exceeded in phase 3 (Total Score: %{tx.blocking_outbound_anomaly_score})',\
tag:'anomaly-evaluation',\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
chain"
SecRule TX:EARLY_BLOCKING "@eq 1"
@ -193,34 +239,35 @@ SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_thre
t:none,\
msg:'Outbound Anomaly Score Exceeded (Total Score: %{tx.blocking_outbound_anomaly_score})',\
tag:'anomaly-evaluation',\
ver:'OWASP_CRS/4.0.0'"
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0'"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959011,phase:3,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959012,phase:4,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959013,phase:3,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959014,phase:4,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959015,phase:3,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959016,phase:4,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959017,phase:3,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959018,phase:4,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

46
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-980-CORRELATION.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -27,7 +27,8 @@ SecAction \
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/4.0.0',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:'tx.blocking_anomaly_score=%{tx.blocking_inbound_anomaly_score}',\
setvar:'tx.blocking_anomaly_score=+%{tx.blocking_outbound_anomaly_score}',\
setvar:'tx.detection_anomaly_score=%{tx.detection_inbound_anomaly_score}',\
@ -40,33 +41,33 @@ SecAction \
#
# -= Reporting Level 0 =- (Skip over reporting when tx.reporting_level is 0)
SecRule TX:REPORTING_LEVEL "@eq 0" "id:980041,phase:5,pass,nolog,skipAfter:END-REPORTING"
SecRule TX:REPORTING_LEVEL "@eq 0" "id:980041,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REPORTING"
# -= Reporting Level 5 =- (Jump to reporting rule immediately when tx.reporting_level is 5 or greater)
SecRule TX:REPORTING_LEVEL "@ge 5" "id:980042,phase:5,pass,nolog,skipAfter:LOG-REPORTING"
SecRule TX:REPORTING_LEVEL "@ge 5" "id:980042,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:LOG-REPORTING"
# -= Zero detection score =- (Skip over reporting when sum of inbound and outbound detection score is equal to 0)
SecRule TX:DETECTION_ANOMALY_SCORE "@eq 0" "id:980043,phase:5,pass,nolog,skipAfter:END-REPORTING"
SecRule TX:DETECTION_ANOMALY_SCORE "@eq 0" "id:980043,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REPORTING"
# -= Blocking score exceeds threshold =- (Jump to reporting rule immediately if a blocking score exceeds a threshold)
SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980044,phase:5,pass,nolog,skipAfter:LOG-REPORTING"
SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980045,phase:5,pass,nolog,skipAfter:LOG-REPORTING"
SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980044,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:LOG-REPORTING"
SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980045,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:LOG-REPORTING"
# -= Reporting Level 2 =- (Skip over reporting when tx.reporting_level is less than 2)
SecRule TX:REPORTING_LEVEL "@lt 2" "id:980046,phase:5,pass,nolog,skipAfter:END-REPORTING"
SecRule TX:REPORTING_LEVEL "@lt 2" "id:980046,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REPORTING"
# -= Detection score exceeds threshold =- (Jump to reporting rule immediately if a detection score exceeds a threshold)
SecRule TX:DETECTION_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980047,phase:5,pass,nolog,skipAfter:LOG-REPORTING"
SecRule TX:DETECTION_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980048,phase:5,pass,nolog,skipAfter:LOG-REPORTING"
SecRule TX:DETECTION_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980047,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:LOG-REPORTING"
SecRule TX:DETECTION_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980048,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:LOG-REPORTING"
# -= Reporting Level 3 =- (Skip over reporting when tx.reporting_level is less than 3)
SecRule TX:REPORTING_LEVEL "@lt 3" "id:980049,phase:5,pass,nolog,skipAfter:END-REPORTING"
SecRule TX:REPORTING_LEVEL "@lt 3" "id:980049,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REPORTING"
# -= Blocking score greater than zero =- (Jump to reporting rule immediately when sum of inbound and outbound blocking score is greater than zero)
SecRule TX:BLOCKING_ANOMALY_SCORE "@gt 0" "id:980050,phase:5,pass,nolog,skipAfter:LOG-REPORTING"
SecRule TX:BLOCKING_ANOMALY_SCORE "@gt 0" "id:980050,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:LOG-REPORTING"
# -= Reporting Level 4 =- (Skip over reporting when tx.reporting_level is less than 4)
SecRule TX:REPORTING_LEVEL "@lt 4" "id:980051,phase:5,pass,nolog,skipAfter:END-REPORTING"
SecRule TX:REPORTING_LEVEL "@lt 4" "id:980051,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-REPORTING"
# At this point, the reporting level is 4 and there's a non-zero detection
# score (already established by rule 980043) so fall through to the reporting
@ -93,37 +94,38 @@ SecAction \
(Outbound Scores: blocking=%{tx.blocking_outbound_anomaly_score}, detection=%{tx.detection_outbound_anomaly_score}, per_pl=%{tx.outbound_anomaly_score_pl1}-%{tx.outbound_anomaly_score_pl2}-%{tx.outbound_anomaly_score_pl3}-%{tx.outbound_anomaly_score_pl4}, threshold=%{tx.outbound_anomaly_score_threshold}) - \
(SQLI=%{tx.sql_injection_score}, XSS=%{tx.xss_score}, RFI=%{tx.rfi_score}, LFI=%{tx.lfi_score}, RCE=%{tx.rce_score}, PHPI=%{tx.php_injection_score}, HTTP=%{tx.http_violation_score}, SESS=%{tx.session_fixation_score}, COMBINED_SCORE=%{tx.anomaly_score})',\
tag:'reporting',\
ver:'OWASP_CRS/4.0.0'"
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0'"
SecMarker "END-REPORTING"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980011,phase:1,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980012,phase:2,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980013,phase:1,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980014,phase:2,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980015,phase:1,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980016,phase:2,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
#
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980017,phase:1,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980018,phase:2,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-980-CORRELATION"
SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.1.0',skipAfter:END-RESPONSE-980-CORRELATION"
#
# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
#

2
src/common/core/modsecurity/files/coreruleset-v4/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#

3
src/common/core/modsecurity/files/coreruleset-v4/rules/unix-shell.data vendored
View file

@ -43,7 +43,7 @@ bin/adduser
bin/agetty
bin/alias
bin/alpine
bin/ansible-playbook
bin/ansible
bin/apt
bin/apt-get
bin/aptitude
@ -110,6 +110,7 @@ bin/check_memory
bin/check_raid
bin/check_ssl_cert
bin/check_statusfile
bin/chef
bin/chflags
bin/chgrp
bin/chmod

4
src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920100.yaml vendored
View file

@ -87,7 +87,7 @@ tests:
Host: "localhost"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
protocol: "http"
uri: "www.cnn.com"
uri: "www.coreruleset.org"
version: "HTTP/1.1"
output:
status: [400]
@ -104,7 +104,7 @@ tests:
Host: "localhost"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
protocol: "http"
uri: "www.cnn.com:80"
uri: "www.coreruleset.org:80"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""

2
src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920300.yaml vendored
View file

@ -54,7 +54,7 @@ tests:
Proxy-Connection: "Keep-Alive"
# Test needs a missing 'Accept' header
method: "CONNECT"
uri: "www.cnn.com:80"
uri: "www.coreruleset.org:80"
version: "HTTP/1.1"
output:
no_log_contains: "id \"920300\""

34
src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932160.yaml vendored
View file

@ -1,6 +1,6 @@
---
meta:
author: "Paul Beckett"
author: "Paul Beckett, Esad Cetiner"
enabled: true
name: "932160.yaml"
description: "Tests to trigger or not trigger rule 932160"
@ -165,3 +165,35 @@ tests:
version: HTTP/1.0
output:
log_contains: id "932160"
- test_title: 932160-11
desc: "Positive test: Match against bin/ansible"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: "localhost"
User-Agent: "OWASP CRS test agent"
method: GET
port: 80
uri: /get?a=bin/ansible
version: HTTP/1.0
output:
log_contains: id "932160"
- test_title: 932160-12
desc: "Positive test: Match against bin/chef"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: "localhost"
User-Agent: "OWASP CRS test agent"
method: GET
port: 80
uri: /get?a=bin/chef
version: HTTP/1.0
output:
log_contains: id "932160"

34
src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932205.yaml vendored
View file

@ -90,3 +90,37 @@ tests:
version: HTTP/1.0
output:
no_log_contains: id "932205"
- test_title: 932205-6
desc: False positive test against syntax highlighter (generic)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
Referer: "https://coreruleset.org/#:~:text=generic%20attack%20detection"
method: GET
port: 80
uri: /get
version: HTTP/1.0
output:
no_log_contains: id "932205"
- test_title: 932205-7
desc: False positive test against fragment (scroll to text fragment)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
Referer: "https://www.google.com/url?q=https://example.com/path/#:~:text=Inoltre%2C%20non%20vi%20sono%20evidenze,'immaginario%20comune%20(1).&sa=U&ved=2ahUKEwjSluGs8eX9AhWiSvEDHaaEChEQFnoECAgQBQ&usg=AOvVaw1_nmpM50Zh9-mGx1DsMw7j"
method: GET
port: 80
uri: /get
version: HTTP/1.0
output:
no_log_contains: id "932205"

234
src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932235.yaml vendored
View file

@ -398,3 +398,237 @@ tests:
code=nohup ifconfig
output:
log_contains: id "932235"
- test_title: 932235-23
desc: "Block ad-hoc ansible commands"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=time; ansible all -m ping
output:
log_contains: id "932235"
- test_title: 932235-24
desc: "Block ansible config dump command"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=time; ansible-config dump
output:
log_contains: id "932235"
- test_title: 932235-25
desc: "Block installing collections from ansible galaxy"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=time; ansible-galaxy collection install community.general
output:
log_contains: id "932235"
- test_title: 932235-26
desc: "Block ad-hoc ansible commands using ansible-console"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=time; ansible-console
output:
log_contains: id "932235"
- test_title: 932235-27
desc: "Block ansible-doc command"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=time; ansible-doc plugin ping
output:
log_contains: id "932235"
- test_title: 932235-28
desc: "Block dumping ansible inventory file and variables"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=time; ansible-inventory --list
output:
log_contains: id "932235"
- test_title: 932235-29
desc: "Block ansible pull from remote repository"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=time; ansible-pull --url example.com
output:
log_contains: id "932235"
- test_title: 932235-30
desc: "Block decrypting ansible secrets"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=time; ansible-vault decrypt secret
output:
log_contains: id "932235"
- test_title: 932235-31
desc: "Block execution of ansible playbooks"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=time; ansible-playbook site.yml
output:
log_contains: id "932235"
- test_title: 932235-32
desc: "Block decryption of secrets with chef-vault"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=time; chef-vault -i secret
output:
log_contains: id "932235"
- test_title: 932235-33
desc: "Block execution of chef-shell command"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=time; chef-shell
output:
log_contains: id "932235"
- test_title: 932235-34
desc: "Block execution chef recipie book"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=time; chef-run all recipie.rb
output:
log_contains: id "932235"
- test_title: 932235-35
desc: "Block execution chef recipie book against a specific node"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=time; chef-client -t 1.1.1.1
output:
log_contains: id "932235"

252
src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932236.yaml vendored
View file

@ -1176,3 +1176,255 @@ tests:
code=nohup ifconfig
output:
log_contains: id "932236"
- test_title: 932236-65
desc: "Block ad-hoc ansible commands"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=ansible all -m ping
output:
log_contains: id "932236"
- test_title: 932236-66
desc: "Block ansible config dump command"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=ansible-config dump
output:
log_contains: id "932236"
- test_title: 932236-67
desc: "Block installing collections from ansible galaxy"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=ansible-galaxy collection install community.general
output:
log_contains: id "932236"
- test_title: 932236-68
desc: "Block ad-hoc ansible commands using ansible-console"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=ansible-console
output:
log_contains: id "932236"
- test_title: 932236-69
desc: "Block ansible-doc command"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=ansible-doc plugin ping
output:
log_contains: id "932236"
- test_title: 932236-70
desc: "Block dumping ansible inventory file and variables"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=ansible-inventory --list
output:
log_contains: id "932236"
- test_title: 932236-71
desc: "Block ansible pull from remote repository"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=ansible-pull --url example.com
output:
log_contains: id "932236"
- test_title: 932236-72
desc: "Block decrypting ansible secrets"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=ansible-vault decrypt secret
output:
log_contains: id "932236"
- test_title: 932236-73
desc: "Block execution of ansible playbooks"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=ansible-playbook site.yml
output:
log_contains: id "932236"
- test_title: 932236-74
desc: "Block decryption of secrets with chef-vault"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=chef-vault -i secret
output:
log_contains: id "932236"
- test_title: 932236-75
desc: "Block execution of chef-shell command"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=chef-shell
output:
log_contains: id "932236"
- test_title: 932236-76
desc: "Block execution chef recipie book"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=chef-run all recipie.rb
output:
log_contains: id "932236"
- test_title: 932236-77
desc: "Block execution chef recipie book against a specific node"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=chef-client -t 1.1.1.1
output:
log_contains: id "932236"
- test_title: 932236-78
desc: "Block execution chef command"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=chef report nodes
output:
log_contains: id "932236"

224
src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932237.yaml vendored
View file

@ -285,3 +285,227 @@ tests:
protocol: "http"
output:
log_contains: "id \"932237\""
- test_title: 932237-19
desc: "Block ad-hoc ansible commands"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "ansible all -m ping"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932237"
- test_title: 932237-20
desc: "Block ansible config dump command"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "ansible-config dump"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932237"
- test_title: 932237-21
desc: "Block installing collections from ansible galaxy"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "ansible-galaxy collection install community.general"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932237"
- test_title: 932237-22
desc: "Block ad-hoc ansible commands using ansible-console"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "code=ansible-console"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932237"
- test_title: 932237-23
desc: "Block ansible-doc command"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "ansible-doc plugin ping"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932237"
- test_title: 932237-24
desc: "Block dumping ansible inventory file and variables"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "ansible-inventory --list"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932237"
- test_title: 932237-25
desc: "Block ansible pull from remote repository"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "ansible-pull --url example.com"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932237"
- test_title: 932237-26
desc: "Block decrypting ansible secrets"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "ansible-vault decrypt secret"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932237"
- test_title: 932237-27
desc: "Block execution of ansible playbooks"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "ansible-playbook site.yml"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932237"
- test_title: 932237-28
desc: "Block decryption of secrets with chef-vault"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "chef-vault -i secret"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932237"
- test_title: 932237-29
desc: "Block execution of chef-shell command"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "chef-shell"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932237"
- test_title: 932237-30
desc: "Block execution chef recipie book"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "chef-run all recipie.rb"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932237"
- test_title: 932237-31
desc: "Block execution chef recipie book against a specific node"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "chef-client -t 1.1.1.1"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932237"
- test_title: 932237-32
desc: "Block execution chef command"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "chef report nodes"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932237"

224
src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932239.yaml vendored
View file

@ -647,3 +647,227 @@ tests:
version: HTTP/1.0
output:
log_contains: id "932239"
- test_title: 932239-38
desc: "Block ad-hoc ansible commands"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "ansible all -m ping"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932239"
- test_title: 932239-39
desc: "Block ansible config dump command"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "ansible-config dump"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932239"
- test_title: 932239-40
desc: "Block installing collections from ansible galaxy"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "ansible-galaxy collection install community.general"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932239"
- test_title: 932239-41
desc: "Block ad-hoc ansible commands using ansible-console"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "code=ansible-console"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932239"
- test_title: 932239-42
desc: "Block ansible-doc command"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "ansible-doc plugin ping"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932239"
- test_title: 932239-43
desc: "Block dumping ansible inventory file and variables"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "ansible-inventory --list"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932239"
- test_title: 932239-44
desc: "Block ansible pull from remote repository"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "ansible-pull --url example.com"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932239"
- test_title: 932239-45
desc: "Block decrypting ansible secrets"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "ansible-vault decrypt secret"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932239"
- test_title: 932239-46
desc: "Block execution of ansible playbooks"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "ansible-playbook site.yml"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932239"
- test_title: 932239-47
desc: "Block decryption of secrets with chef-vault"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "chef-vault -i secret"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932239"
- test_title: 932239-48
desc: "Block execution of chef-shell command"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "chef-shell"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932239"
- test_title: 932239-49
desc: "Block execution chef recipie book"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "chef-run all recipie.rb"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932239"
- test_title: 932239-50
desc: "Block execution chef recipie book against a specific node"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "chef-client -t 1.1.1.1"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932239"
- test_title: 932239-51
desc: "Block execution chef command"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "chef report nodes"
method: POST
port: 80
uri: /post
version: HTTP/1.0
output:
log_contains: id "932239"

252
src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-932-APPLICATION-ATTACK-RCE/932260.yaml vendored
View file

@ -458,9 +458,259 @@ tests:
User-Agent: "OWASP CRS test agent"
Host: localhost
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
method: get
method: GET
port: 80
uri: /get/?a=whoami;0'0'"
version: HTTP/1.1
output:
log_contains: id "932260"
- test_title: 932260-29
desc: "FP against word 'Cronk'"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
User-Agent: "OWASP CRS test agent"
Host: localhost
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
method: GET
port: 80
uri: /get?last_name=Cronk
version: HTTP/1.0
output:
no_log_contains: id "932260"
- test_title: 932260-30
desc: "Block ad-hoc ansible commands"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=ansible all -m ping
output:
log_contains: id "932260"
- test_title: 932260-31
desc: "Block ansible config dump command"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=ansible-config dump
output:
log_contains: id "932260"
- test_title: 932260-32
desc: "Block installing collections from ansible galaxy"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=ansible-galaxy collection install community.general
output:
log_contains: id "932260"
- test_title: 932260-33
desc: "Block ad-hoc ansible commands using ansible-console"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=ansible-console
output:
log_contains: id "932260"
- test_title: 932260-34
desc: "Block ansible-doc command"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=ansible-doc plugin ping
output:
log_contains: id "932260"
- test_title: 932260-35
desc: "Block dumping ansible inventory file and variables"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=ansible-inventory --list
output:
log_contains: id "932260"
- test_title: 932260-36
desc: "Block ansible pull from remote repository"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=ansible-pull --url example.com
output:
log_contains: id "932260"
- test_title: 932260-37
desc: "Block decrypting ansible secrets"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=ansible-vault decrypt secret
output:
log_contains: id "932260"
- test_title: 932260-38
desc: "Block execution of ansible playbooks"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=ansible-playbook site.yml
output:
log_contains: id "932260"
- test_title: 932260-39
desc: "Block decryption of secrets with chef-vault"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=chef-vault -i secret
output:
log_contains: id "932260"
- test_title: 932260-40
desc: "Block execution of chef-shell command"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=chef-shell
output:
log_contains: id "932260"
- test_title: 932260-41
desc: "Block execution chef recipie book"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=chef-run all recipie.rb
output:
log_contains: id "932260"
- test_title: 932260-42
desc: "Block execution chef recipie book against a specific node"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
Host: localhost
User-Agent: "OWASP CRS test agent"
method: POST
port: 80
uri: /post
version: HTTP/1.0
data: |
code=chef-client -t 1.1.1.1
output:
log_contains: id "932260"

2
src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941100.yaml vendored
View file

@ -61,7 +61,7 @@ tests:
uri: /
headers:
User-Agent: "OWASP CRS test agent"
Referer: http://www.cnn.com
Referer: http://www.coreruleset.org
Host: localhost
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
output:

8
src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941140.yaml vendored
View file

@ -11,9 +11,9 @@ tests:
- stage:
input:
dest_addr: 127.0.0.1
method: GET
method: POST
port: 80
uri: '/foo'
uri: '/post'
headers:
User-Agent: "OWASP CRS test agent"
Host: localhost
@ -27,9 +27,9 @@ tests:
- stage:
input:
dest_addr: 127.0.0.1
method: GET
method: POST
port: 80
uri: '/bar'
uri: '/post'
headers:
User-Agent: "OWASP CRS test agent"
Host: localhost

4
src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941150.yaml vendored
View file

@ -11,9 +11,9 @@ tests:
- stage:
input:
dest_addr: 127.0.0.1
method: GET
method: POST
port: 80
uri: '/foo'
uri: '/post'
headers:
User-Agent: "OWASP CRS test agent"
Host: localhost

8
src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941190.yaml vendored
View file

@ -11,9 +11,9 @@ tests:
- stage:
input:
dest_addr: 127.0.0.1
method: GET
method: POST
port: 80
uri: '/foo'
uri: '/post'
headers:
User-Agent: "OWASP CRS test agent"
Host: localhost
@ -27,9 +27,9 @@ tests:
- stage:
input:
dest_addr: 127.0.0.1
method: GET
method: POST
port: 80
uri: '/bar'
uri: '/post'
headers:
User-Agent: "OWASP CRS test agent"
Host: localhost

8
src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941200.yaml vendored
View file

@ -11,9 +11,9 @@ tests:
- stage:
input:
dest_addr: 127.0.0.1
method: GET
method: POST
port: 80
uri: '/foo'
uri: '/post'
headers:
User-Agent: "OWASP CRS test agent"
Host: localhost
@ -27,9 +27,9 @@ tests:
- stage:
input:
dest_addr: 127.0.0.1
method: GET
method: POST
port: 80
uri: '/bar'
uri: '/post'
headers:
User-Agent: "OWASP CRS test agent"
Host: localhost

23
src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-941-APPLICATION-ATTACK-XSS/941370.yaml vendored
View file

@ -15,7 +15,7 @@ tests:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: GET
method: POST
port: 80
data: "a=document+%2F%2Afoo%2A%2F+.+++++cookie"
version: HTTP/1.1
@ -47,8 +47,9 @@ tests:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: GET
method: POST
port: 80
uri: '/post'
data: "a=window%5B%22alert%22%5D%28window%5B%22document%22%5D%5B%22cookie%22%5D%29"
version: HTTP/1.1
output:
@ -63,8 +64,9 @@ tests:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: GET
method: POST
port: 80
uri: '/post'
data: "a=self%5B%2F%2Afoo%2A%2F%22alert%22%5D%28self%5B%22document%22%2F%2Abar%2A%2F%5D%5B%22cookie%22%5D%29"
version: HTTP/1.1
output:
@ -79,8 +81,9 @@ tests:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: GET
method: POST
port: 80
uri: '/post'
data: "a=self%5B%2F%2Afoo%2A%2F%22alert%22%5D%28self%5B%22document%22%2F%2Abar%2A%2F%5D%5B%22cookie%22%5D%29"
version: HTTP/1.1
output:
@ -95,8 +98,9 @@ tests:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: GET
method: POST
port: 80
uri: '/post'
data: "a=self++%2F%2Ajhb%2A%2F++%5B++%2F%2Abar%2A%2F++%22alert%22%5D%28%22xss%22%29"
version: HTTP/1.1
output:
@ -127,8 +131,9 @@ tests:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: GET
method: POST
port: 80
uri: '/post'
data: "a=self%5B%22%5Cx24%22%5D"
version: HTTP/1.1
output:
@ -143,8 +148,9 @@ tests:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: GET
method: POST
port: 80
uri: '/post'
data: "a=%28document%29%5B%22cookie%22%5D"
version: HTTP/1.1
output:
@ -159,8 +165,9 @@ tests:
Host: localhost
User-Agent: "OWASP CRS test agent"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
method: GET
method: POST
port: 80
uri: '/post'
data: "a=%28document%2F%2Afoo%2A%2F%29%5B%22cookie%22%5D"
version: HTTP/1.1
output:

2
src/common/core/modsecurity/files/coreruleset-v4/tests/regression/tests/REQUEST-949-BLOCKING-EVALUATION/949110.yaml vendored
View file

@ -35,7 +35,7 @@ tests:
uri: /
headers:
User-Agent: "OWASP CRS test agent"
Referer: http://www.cnn.com
Referer: http://www.coreruleset.org
Host: localhost
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
output:

37
src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/README.md vendored
View file

@ -50,6 +50,7 @@ Second, the script loops over each of the parsed structures. Each iteration cons
* the variable is in an expansion, e.g., as part of the value of a `msg` action: `msg:'Current value of variable: %{tx.foo}`
* **Check rule tags** - only tags listed in `util/APPROVED_TAGS` may be used as tags in rules
* to use a new tag on a rule, it **must** first be registered in the util/APPROVED_TAGS file
* **Check t:lowercase and (?i) flag** - No combination of t:lowercase and (?i) should appear in the same rule.
Finally, the script prints a report of all unused TX variables. Usually, unused TX variables occur when a rule creates a TX variable (e.g., `setvar:tx.foo=1`) but the value of the variable is never used anywhere else. This will only be revealed after the script has checked all rules.
@ -416,3 +417,39 @@ SecRule ARGS "@rx ^.*$" \
In this rule file, there are more problems:
* rule 1001 used an uninitialized variable (`TX:foo`)
* rule 1002 sets a TX variable which never used
### Test 10 - combination of t:lowercase and (?i) in the same rule
```
SecRule ARGS "@rx (?i)foo" \
"id:1,\
phase:1,\
pass,\
t:lowercase,\
nolog"
```
Rule 1 uses a combination of t:lowercase and the (?i) in the regex
```
./rules-check.py -r examples/test10.conf
Config file: examples/test10.conf
Parsing ok.
Checking parsed rules...
examples/test10.conf
Ignore case check ok.
Action order check ok.
Indentation check ok.
no 'ctl:auditLogParts' action found.
no duplicate id's
paranoia-level tags are correct.
PL anomaly_scores are correct.
All TX variables are set.
No new tags added.
There are one or more combinations of t:lowercase and (?i) flag.
file=examples/test10.conf, line=5, endLine=5, title=t:lowercase and (?i): rule uses (?i) in combination with t:lowercase: 'lowercase'; rule id: 1
End of checking parsed rules
Cumulated report about unused TX variables
No unused TX variable
```

6
src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/examples/test10.conf vendored Normal file
View file

@ -0,0 +1,6 @@
SecRule ARGS "@rx (?i)foo" \
"id:1,\
phase:1,\
pass,\
t:lowercase,\
nolog"

39
src/common/core/modsecurity/files/coreruleset-v4/util/crs-rules-check/rules-check.py vendored
View file

@ -79,6 +79,7 @@ class Check(object):
self.dupes = [] # list of duplicated id's
self.ids = {} # list of rule id's
self.newtags = [] # list of new, unlisted tags
self.ignorecase = [] # list of combinations of t:lowercase and (?i)
self.re_tx_var = re.compile("%\{\}")
@ -601,6 +602,30 @@ class Check(object):
})
aidx += 1
def check_lowercase_ignorecase(self):
ruleid = 0
for d in self.data:
if d['type'].lower() == "secrule":
if d['operator'] == "@rx":
regex = d['operator_argument']
if regex.startswith("(?i)"):
if "actions" in d:
aidx = 0 # stores the index of current action
while aidx < len(d['actions']):
# read the action into 'a'
a = d['actions'][aidx]
if a['act_name'] == "id":
ruleid = int(a['act_arg'])
if a['act_name'] == 't':
# check the transform is valid
if a['act_arg'].lower() == "lowercase":
self.ignorecase.append({
'ruleid' : ruleid,
'line' : a['lineno'],
'endLine': a['lineno'],
'message': "rule uses (?i) in combination with t:lowercase: '%s'; rule id: %d" % (a['act_arg'], ruleid)
})
aidx += 1
def remove_comments(data):
"""
@ -924,6 +949,19 @@ if __name__ == "__main__":
a['title'] = "new unlisted tag"
errmsgf(a)
retval = 1
### check for t:lowercase in combination with (?i) in regex
c.check_lowercase_ignorecase()
if len(c.ignorecase) == 0:
msg(" No t:lowercase and (?i) flag used.")
else:
errmsg(" There are one or more combinations of t:lowercase and (?i) flag.")
for a in c.ignorecase:
a['indent'] = 2
a['file'] = f
a['title'] = "t:lowercase and (?i)"
errmsgf(a)
retval = 1
msg("End of checking parsed rules")
msg("Cumulated report about unused TX variables")
has_unused = False
@ -943,3 +981,4 @@ if __name__ == "__main__":
msg(" No unused TX variable")
sys.exit(retval)

54
src/common/core/modsecurity/files/crs-setup-v4.conf vendored
View file

@ -1,5 +1,5 @@
# ------------------------------------------------------------------------
# OWASP CRS ver.4.0.0
# OWASP CRS ver.4.1.0
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2024 CRS project. All rights reserved.
#
@ -180,6 +180,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.blocking_paranoia_level=1"
@ -206,6 +208,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.detection_paranoia_level=1"
@ -230,6 +234,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.enforce_bodyproc_urlencoded=1"
@ -263,6 +269,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.critical_anomaly_score=5,\
# setvar:tx.error_anomaly_score=4,\
# setvar:tx.warning_anomaly_score=3,\
@ -315,6 +323,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.inbound_anomaly_score_threshold=5,\
# setvar:tx.outbound_anomaly_score_threshold=4"
@ -374,6 +384,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.reporting_level=4"
@ -404,6 +416,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.early_blocking=1"
@ -423,6 +437,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.enable_default_collections=1"
@ -449,6 +465,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
# Content-Types that a client is allowed to send in a request.
@ -476,7 +494,9 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ctl:ruleRemoveById=920420,\
# ver:'OWASP_CRS/4.1.0',\
# chain"
# SecRule REQUEST_URI "@rx ^/foo/bar" \
# "t:none"
@ -489,6 +509,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
# Allowed HTTP versions.
@ -503,6 +525,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
# Forbidden file extensions.
@ -525,6 +549,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
# Restricted request headers.
@ -568,6 +594,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
#
# [ Extended ]
@ -592,6 +620,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:'tx.restricted_headers_extended=/accept-charset/'"
# Content-Types charsets that a client is allowed to send in a request.
@ -604,6 +634,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
#
@ -628,6 +660,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.max_num_args=255"
# Block request if the length of any argument name is too high
@ -640,6 +674,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.arg_name_length=100"
# Block request if the length of any argument value is too high
@ -652,6 +688,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.arg_length=400"
# Block request if the total length of all combined arguments is too high
@ -664,6 +702,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.total_arg_length=64000"
# Block request if the file size of any individual uploaded file is too high
@ -676,6 +716,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.max_file_size=1048576"
# Block request if the total size of all combined uploaded files is too high
@ -688,6 +730,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.combined_file_sizes=1048576"
@ -726,6 +770,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# phase:1,\
# pass,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.sampling_percentage=100"
@ -745,6 +791,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# pass,\
# t:none,\
# nolog,\
# tag:'OWASP_CRS',\
# ver:'OWASP_CRS/4.1.0',\
# setvar:tx.crs_validate_utf8_encoding=1"
@ -765,4 +813,6 @@ SecAction \
pass,\
t:none,\
nolog,\
setvar:tx.crs_setup_version=400"
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.1.0',\
setvar:tx.crs_setup_version=410"

4
src/common/core/modsecurity/misc/versions.json
View file

@ -9,9 +9,9 @@
},
{
"id": "coreruleset-v4",
"name": "Coreruleset v4.0.0",
"name": "Coreruleset v4.1.0",
"url": "https://github.com/coreruleset/coreruleset.git",
"commit": "1d95422bb31983a5290720b7fb662ce3dd51f753",
"commit": "f2ab9c3063fece423e6a4156aad145f7f7e6ef96",
"post_install": "cp files/coreruleset-v4/crs-setup.conf.example files/crs-setup-v4.conf"
}
]