Merge pull request #370 from TheophileDiot/dev
Update modsec CRS to v3.3.4
commit
2e0a733cdc
|
@ -14,9 +14,10 @@ jobs:
|
|||
uses: actions/checkout@v2
|
||||
|
||||
- name: Lint Yaml
|
||||
uses: ibiqlik/action-yamllint@v1
|
||||
uses: ibiqlik/action-yamllint@v3
|
||||
with:
|
||||
file_or_dir: tests/regression/tests/**/*.yaml
|
||||
format: github
|
||||
file_or_dir: tests/regression/tests
|
||||
config_file: .yamllint.yml
|
||||
|
||||
- name: Linelint
|
||||
|
@ -24,15 +25,13 @@ jobs:
|
|||
id: linelint
|
||||
|
||||
- name: Set up Python 3
|
||||
uses: actions/setup-python@v1
|
||||
uses: actions/setup-python@v2
|
||||
with:
|
||||
python-version: 3.6
|
||||
python-version: 3.7
|
||||
|
||||
- name: "Check CRS syntax"
|
||||
run: |
|
||||
python -V
|
||||
pip install --upgrade setuptools
|
||||
pip install -r tests/integration/requirements.txt
|
||||
git clone https://github.com/CRS-support/secrules_parsing
|
||||
pip install -r secrules_parsing/requirements.txt
|
||||
python secrules_parsing/secrules_parser.py -c -f rules/*.conf
|
||||
pip install secrules-parsing
|
||||
secrules-parser -c --output-type github -f rules/*.conf
|
||||
|
||||
|
|
|
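Review bot: The new `pip install secrules-parsing` in the "Check CRS syntax" step is unpinned, so the syntax check runs whatever release PyPI serves that day and a bad or hijacked release would execute in CI with no change to this repository; pin it, e.g. `pip install 'secrules-parsing==<PINNED_VERSION>'` (placeholder version), preferably via a requirements file like the other steps use. The actions referenced by floating tags in the same hunks (`ibiqlik/action-yamllint@v3`, `actions/setup-python@v2`) are mutable references with the same property and can be pinned to a full commit SHA with the tag kept in a trailing comment. Separately, `python-version: 3.7` is a bare float; quote it as `python-version: '3.7'` to match the `'3.x'` form in the regression workflow and avoid the `3.10`→`3.1` trap at the next bump. The job these steps belong to starts above the first hunk.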
@ -22,53 +22,50 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
modsec_version: [modsec2-apache]
|
||||
tests: [REQUEST-911-METHOD-ENFORCEMENT,
|
||||
REQUEST-913-SCANNER-DETECTION,
|
||||
REQUEST-920-PROTOCOL-ENFORCEMENT,
|
||||
REQUEST-921-PROTOCOL-ATTACK,
|
||||
REQUEST-930-APPLICATION-ATTACK-LFI,
|
||||
REQUEST-931-APPLICATION-ATTACK-RFI,
|
||||
REQUEST-932-APPLICATION-ATTACK-RCE,
|
||||
REQUEST-933-APPLICATION-ATTACK-PHP,
|
||||
REQUEST-934-APPLICATION-ATTACK-NODEJS,
|
||||
REQUEST-941-APPLICATION-ATTACK-XSS,
|
||||
REQUEST-942-APPLICATION-ATTACK-SQLI,
|
||||
REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION,
|
||||
REQUEST-944-APPLICATION-ATTACK-JAVA]
|
||||
# Will include soon for modsec3-nginx
|
||||
|
||||
steps:
|
||||
- name: Checkout repo
|
||||
- name: "Checkout repo"
|
||||
uses: actions/checkout@v2
|
||||
|
||||
- name: Set up Python 2
|
||||
uses: actions/setup-python@v1
|
||||
- name: Set up Python 3
|
||||
uses: actions/setup-python@v2
|
||||
with:
|
||||
python-version: 2.7
|
||||
python-version: '3.x'
|
||||
- uses: actions/cache@v2
|
||||
id: cache
|
||||
with:
|
||||
path: ~/.cache/pip
|
||||
key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
|
||||
restore-keys: |
|
||||
${{ runner.os }}-pip-
|
||||
|
||||
- name: "Run tests for ${{ matrix.modsec_version }}`"
|
||||
env:
|
||||
CONFIG: ${{ matrix.modsec_version }}
|
||||
- name: "Install dependencies"
|
||||
run: |
|
||||
python -V
|
||||
mkdir -p logs/"${CONFIG}"
|
||||
docker-compose -f ./tests/docker-compose.yml up -d "${CONFIG}"
|
||||
pip install --upgrade setuptools
|
||||
pip install --upgrade setuptools wheel
|
||||
pip install -r tests/regression/requirements.txt
|
||||
pip install pytest-github-actions-annotate-failures
|
||||
|
||||
- name: "Run tests for ${{ matrix.modsec_version }}"
|
||||
run: |
|
||||
mkdir -p tests/logs/${{ matrix.modsec_version }}/{nginx,apache2}
|
||||
docker-compose -f ./tests/docker-compose.yml up -d "${{ matrix.modsec_version }}"
|
||||
# Use mounted volume path
|
||||
if [[ "${CONFIG}" == *"nginx" ]]; then
|
||||
LOGDIR="/var/log/nginx"
|
||||
else
|
||||
LOGDIR="/var/log/apache2"
|
||||
fi
|
||||
sed -ie "s:${LOGDIR}:${GITHUB_WORKSPACE}/logs/${CONFIG}:g" tests/regression/config.ini
|
||||
py.test -vs tests/regression/CRS_Tests.py \
|
||||
--config="${CONFIG}" \
|
||||
--ruledir=./tests/regression/tests/${{ matrix.tests }}
|
||||
py.test -vs --tb=short tests/regression/CRS_Tests.py \
|
||||
--config="${{ matrix.modsec_version }}" \
|
||||
--ruledir_recurse=./tests/regression/tests/
|
||||
|
||||
- name: "Change permissions if failed"
|
||||
if: failure()
|
||||
run: |
|
||||
# we want to get the audit log, so change permissions (file is only for root on docker)
|
||||
sudo chmod 644 tests/logs/${{ matrix.modsec_version }}/modsec_audit.log
|
||||
|
||||
- uses: actions/upload-artifact@v2
|
||||
if: failure()
|
||||
with:
|
||||
name: waf-logs
|
||||
path: tests/logs/${{ matrix.modsec_version }}
|
||||
|
||||
- name: Clean docker-compose
|
||||
env:
|
||||
CONFIG: modsec2-apache
|
||||
run: |
|
||||
docker-compose -f ./tests/docker-compose.yml stop "${CONFIG}"
|
||||
docker-compose -f ./tests/docker-compose.yml stop "${{ matrix.modsec_version }}"
|
||||
docker-compose -f ./tests/docker-compose.yml down
|
||||
|
|
|
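Review bot: The cleanup step's `CONFIG: modsec2-apache` env entry is dead on the new side, because the stop line was switched to `"${{ matrix.modsec_version }}"`; either drop that `env:` block or, better, set `CONFIG: ${{ matrix.modsec_version }}` there and reference `"${CONFIG}"` in the shell as the removed steps did. Expanding `${{ matrix.modsec_version }}` directly inside `run:` scripts (mkdir, docker-compose, py.test, chmod) splices the value into the shell text before it executes; the matrix is repository-defined so there is no injection exposure today, but passing it through `env:` is the pattern GitHub recommends and keeps the scripts quoting-safe if the matrix is ever built from an expression. Also, the new `mkdir -p tests/logs/${{ matrix.modsec_version }}/{nginx,apache2}` creates per-server subdirectories while the failure-path `sudo chmod 644 tests/logs/${{ matrix.modsec_version }}/modsec_audit.log` still expects the audit log at the top level — presumably that matches the docker-compose.yml mounts, but it is worth confirming so the artifact upload does not silently omit the audit log. The job's `strategy:` stanza begins above the hunk.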
@ -5,6 +5,28 @@
|
|||
or the CRS Google Group at
|
||||
* https://groups.google.com/a/owasp.org/forum/#!forum/modsecurity-core-rule-set-project
|
||||
|
||||
== Version 3.3.4 - 2022-09-20 ==
|
||||
|
||||
Fixes and improvements:
|
||||
* Fix a regression in our former release, with the impact that some Paranoia Level 2 rules would activate even when running in Paranoia Level 1. (Simon Studer, Walter Hop)
|
||||
|
||||
== Version 3.3.3 - 2022-09-19 ==
|
||||
|
||||
Important changes:
|
||||
* This update requires ModSecurity version 2.9.6 or 3.0.8 (or an updated version with backports of the security fixes in these versions) or a compatible engine supporting these changes. If you do not upgrade ModSecurity, the file REQUEST-922-MULTIPART-ATTACK.conf will cause ModSecurity to fail to start. In that case, you can temporarily delete that file. However, you will be missing protection from these rules. Therefore, we recommend upgrading your ModSecurity or other engine instead.
|
||||
* By default, the request headers "Accept-Charset" and "Content-Encoding" are now blocked to prevent a WAF bypass. Especially the "Accept-Charset" header may be in use by clients. If you need to serve clients that send this header, uncomment and edit rule 900250 in crs-setup.conf.
|
||||
|
||||
Fixes and improvements:
|
||||
* Fix CVE-2022-39955 Multiple charsets defined in Content-Type header (Jan Gora)
|
||||
* Fix CVE-2022-39956 Content-Type or Content-Transfer-Encoding MIME header fields abuse (Jan Gora, Felipe Zipitria)
|
||||
* Fix CVE-2022-39957 Charset accept header field resulting in response rule set bypass (Karel Knibbe, Max Leske)
|
||||
* Fix CVE-2022-39958 Small range header leading to response rule set bypass (Hussein Daher, Christian Folini)
|
||||
* Fix MIME header abuse via _charset_ field (Jan Gora, Felipe Zipitria)
|
||||
* Fix bypass using deflated request body (Karel Knibbe)
|
||||
* Fix request body partial rule set bypass via Content-Type "text/plain" (Pinaki Mondal, Andrea Menin)
|
||||
* Fix XML Body Parser abuse for non-XML request bodies (Jan Gora)
|
||||
* Fix body processor bypass by content-type outside the mime type declaration (Jan Gora, Simon Studer, Ervin Hegedus)
|
||||
|
||||
== Version 3.3.2 - 2021-06-30 ==
|
||||
|
||||
Fixes and improvements:
|
||||
|
|
|
@ -2,59 +2,79 @@
|
|||
|
||||
## Project Co-Leads:
|
||||
|
||||
- [Chaim Sanders](https://github.com/csanders-git)
|
||||
- [Christian Folini](https://github.com/dune73)
|
||||
- [Walter Hop](https://github.com/lifeforms)
|
||||
- [Felipe Zipitría](https://github.com/fzipi)
|
||||
|
||||
## Developers:
|
||||
|
||||
- [Paul Beckett](https://github.com/53cur3M3)
|
||||
- [Franziska Bühler](https://github.com/franbuehler)
|
||||
- [Christoph Hansen](https://github.com/emphazer)
|
||||
- [Ervin Hegedus](https://github.com/airween)
|
||||
- [Victor Hora](https://github.com/victorhora)
|
||||
- [Andrew Howe](https://github.com/RedXanadu)
|
||||
- [Max Leske](https://github.com/theseion)
|
||||
- [Andrea Menin](https://github.com/theMiddleBlue)
|
||||
- [Chaim Sanders](https://github.com/csanders-git)
|
||||
- [Federico G. Schwindt](https://github.com/fgsch)
|
||||
- [Manuel Spartan](https://github.com/spartantri)
|
||||
- [Felipe Zimmerle](https://github.com/zimmerle)
|
||||
- [Felipe Zipitría](https://github.com/fzipi)
|
||||
- [Manuel Leos Rivas](https://github.com/spartantri)
|
||||
- [Simon Studer](https://github.com/studersi)
|
||||
- [Jozef Sudolský](https://github.com/azurit)
|
||||
|
||||
## Contributors:
|
||||
|
||||
- [agusmu](https://github.com/agusmu)
|
||||
- [Amir Hosein Aliakbarian](https://github.com/AmirHoseinAliakbarian)
|
||||
- [Zack Allen](https://github.com/zmallen)
|
||||
- [azhao155](https://github.com/azhao155)
|
||||
- [azurit](https://github.com/azurit)
|
||||
- [Matt Bagley](https://github.com/bagley)
|
||||
- [Ryan Barnett](https://github.com/rcbarnett)
|
||||
- [soufianebenali](https://github.com/soufianebenali)
|
||||
- [Soufiane Benali](https://github.com/soufianebenali)
|
||||
- [Peter Bittner](https://github.com/bittner)
|
||||
- [Allan Boll](https://github.com/allanbomsft)
|
||||
- [Jeremy Brown](https://github.com/jwbrown77)
|
||||
- [Brent Clark](https://github.com/brentclark)
|
||||
- [Jonathan Claudius](https://github.com/claudijd)
|
||||
- [coolt](https://github.com/coolt)
|
||||
- [Hussein Daher](https://github.com/hussein98d)
|
||||
- [Abu Dawud](https://github.com/abudawud)
|
||||
- [Ashish Dixit](https://github.com/tundal45)
|
||||
- [Mirko Dziadzka](https://github.com/mirkodziadzka-avi)
|
||||
- [Padraig Doran](https://github.com/padraigdoran)
|
||||
- [Dan Ehrlich](https://github.com/danehrlich1)
|
||||
- [İlteriş Eroğlu](https://github.com/linuxgemini)
|
||||
- [Umar Farook](https://github.com/umarfarook882)
|
||||
- [flo405](https://github.com/flo405)
|
||||
- [Fregf](https://github.com/Fregf)
|
||||
- [FrozenSolid](https://github.com/frozenSolid)
|
||||
- [Pásztor Gábor](https://github.com/gpasztor87)
|
||||
- [Jan Gora](https://github.com/terjanq)
|
||||
- [Aaron Haaf](https://github.com/Everspace)
|
||||
- [Karel Knibbe](https://github.com/karelorigin)
|
||||
- [Michael Haas](https://github.com/MichaelHaas)
|
||||
- [henkworks](https://github.com/henkworks)
|
||||
- [Tim Herren](https://github.com/nerrehmit)
|
||||
- [Victor Hora](https://github.com/victorhora)
|
||||
- [itsTheFae](https://github.com/itsTheFae)
|
||||
- [jamuse](https://github.com/jamuse)
|
||||
- [jeremyjpj0916](https://github.com/jeremyjpj0916)
|
||||
- [jschleus](https://github.com/jschleus)
|
||||
- [k4n5ha0](https://github.com/k4n5ha0)
|
||||
- [kam821](https://github.com/kam821)
|
||||
- [Katherine](https://github.com/katef)
|
||||
- [kyzentun](https://github.com/kyzentun)
|
||||
- [Joost de Keijzer](https://github.com/joostdekeijzer)
|
||||
- [Krzysztof Kotowicz](https://github.com/koto)
|
||||
- [Max Leske](https://github.com/theseion)
|
||||
- Manuel Leos
|
||||
- [Evgeny Marmalstein](https://github.com/shimshon70)
|
||||
- [meetug](https://github.com/meetug)
|
||||
- [Christian Mehlmauer](https://github.com/FireFart)
|
||||
- [Pinaki Mondal](https://github.com/0xinfection)
|
||||
- [Glyn Mooney](https://github.com/skidoosh)
|
||||
- [na1ex](https://github.com/na1ex)
|
||||
- [Jose Nazario](https://github.com/paralax)
|
||||
- [Tim Herren](https://github.com/nerrehmit)
|
||||
- [Scott O'Neil](https://github.com/cPanelScott)
|
||||
- [NiceYouKnow](https://github.com/NiceYouKnow)
|
||||
- [nobletrout](https://github.com/nobletrout)
|
||||
- [Fernando Outeda](https://github.com/fog94)
|
||||
- [NullIsNot0](https://github.com/NullIsNot0)
|
||||
- [Robert Paprocki](https://github.com/p0pr0ck5)
|
||||
|
@ -62,15 +82,22 @@
|
|||
- [Elia Pinto](https://github.com/yersinia)
|
||||
- [pyllyukko](https://github.com/pyllyukko)
|
||||
- [Brian Rectanus](https://github.com/b1v1r)
|
||||
- [Vandan Rohatgi](https://github.com/vandanrohatgi)
|
||||
- [Rufus125](https://github.com/Rufus125)
|
||||
- Ofer Shezaf
|
||||
- [Takaya Saeki](https://github.com/nullpo-head)
|
||||
- Breno Silva
|
||||
- [Deepshikha Sinha](https://github.com/deepshikha-s)
|
||||
- siric\_
|
||||
- Emile-Hugo Spir
|
||||
- [somechris](https://github.com/somechris)
|
||||
- [Marc Stern](https://github.com/marcstern)
|
||||
- [Simon Studer](https://github.com/studersi)
|
||||
- [supplient](https://github.com/supplient)
|
||||
- [theMiddle](https://github.com/theMiddleBlue)
|
||||
- [Mike Taylor](https://github.com/miketaylr)
|
||||
- [ThanhPT](https://github.com/nevol1708)
|
||||
- [Timo](https://github.com/ntimo)
|
||||
- [Juan-Pablo Tosso](https://github.com/jptosso)
|
||||
- [vijayasija99](https://github.com/vijayasija99)
|
||||
- [Ben Williams](https://github.com/benwilliams)
|
||||
- [Anna Winkler](https://github.com/annawinkler)
|
||||
- [Avery Wong](https://github.com/4v3r9)
|
||||
|
@ -79,6 +106,7 @@
|
|||
- [XeroChen](https://github.com/XeroChen)
|
||||
- [ygrek](https://github.com/ygrek)
|
||||
- [Yu Yagihashi](https://github.com/yagihash)
|
||||
- [Felipe "Zimmerle" Costa](https://github.com/zimmerle)
|
||||
- [Zino](https://github.com/zinoe)
|
||||
- Josh Zlatin
|
||||
- [Zou Guangxian](https://github.com/zouguangxian)
|
||||
|
|
|
@ -29,4 +29,6 @@ We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beg
|
|||
|
||||
Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
|
||||
Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
|
||||
The OWASP ModSecurity Core Rule Set is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details.
|
||||
|
|
|
@ -0,0 +1,10 @@
|
|||
## GOLD SPONSORS
|
||||
|
||||
* VMWare (Avi Networks)
|
||||
* F5/NGINX
|
||||
* Microsoft
|
||||
|
||||
## SILVER SPONSORS
|
||||
|
||||
* Bug Bounty Switzerland
|
||||
* Google Cloud Armor
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -389,17 +390,42 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
|
||||
# Content-Types that a client is allowed to send in a request.
|
||||
# Default: |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related|
|
||||
# |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json|
|
||||
# |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream|
|
||||
# |application/csp-report| |application/xss-auditor-report| |text/plain|
|
||||
# |text/xml| |application/xml| |application/soap+xml| |application/json|
|
||||
# |application/cloudevents+json| |application/cloudevents-batch+json|
|
||||
#
|
||||
# Please note, that the rule where CRS uses this variable (920420) evaluates it with operator
|
||||
# `@within`, which is case sensitive, but uses t:lowercase. You must add your whole custom
|
||||
# Content-Type with lowercase.
|
||||
#
|
||||
# Bypass Warning: some applications may not rely on the content-type request header in order
|
||||
# to parse the request body. This could make an attacker able to send malicious URLENCODED/JSON/XML
|
||||
# payloads without being detected by the WAF. Allowing request content-type that doesn't activate any
|
||||
# body processor (for example: "text/plain", "application/x-amf", "application/octet-stream", etc..)
|
||||
# could lead to a WAF bypass. For example, a malicious JSON payload submitted with a "text/plain"
|
||||
# content type may still be interpreted as JSON by a backend application but would not trigger the
|
||||
# JSON body parser at the WAF, leading to a bypass.
|
||||
#
|
||||
# To prevent blocking request with not allowed content-type by default, you can create an exclusion
|
||||
# rule that removes rule 920420. For example:
|
||||
# SecRule REQUEST_HEADERS:Content-Type "@rx ^text/plain" \
|
||||
# "id:1234,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# ctl:ruleRemoveById=920420,\
|
||||
# chain"
|
||||
# SecRule REQUEST_URI "@rx ^/foo/bar" "t:none"
|
||||
#
|
||||
# Uncomment this rule to change the default.
|
||||
#
|
||||
#SecAction \
|
||||
# "id:900220,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
|
||||
# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
|
||||
|
||||
# Allowed HTTP versions.
|
||||
# Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
|
||||
|
@ -430,8 +456,22 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
|
||||
# Forbidden request headers.
|
||||
# Header names should be lowercase, enclosed by /slashes/ as delimiters.
|
||||
# Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org
|
||||
# Default: /proxy/ /lock-token/ /content-range/ /if/
|
||||
# Default: /accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/
|
||||
#
|
||||
# Note: Accept-Charset is a deprecated header that should not be used by clients and
|
||||
# ignored by servers. It can be used for a response WAF bypass, by asking for a charset
|
||||
# that the WAF cannot decode.
|
||||
# Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Charset
|
||||
#
|
||||
# Note: Content-Encoding is used to list any encodings that have been applied to the
|
||||
# original payload. It is only used for compression, which isn't supported by CRS by
|
||||
# default since it blocks newlines and null bytes inside the request body. Most
|
||||
# compression algorithms require at least null bytes per RFC. Blocking it shouldn't
|
||||
# break anything and increases security since ModSecurity is incapable of properly
|
||||
# scanning compressed request bodies.
|
||||
#
|
||||
# Note: Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org
|
||||
#
|
||||
# Uncomment this rule to change the default.
|
||||
#SecAction \
|
||||
# "id:900250,\
|
||||
|
@ -439,7 +479,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
|
||||
# setvar:'tx.restricted_headers=/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/'"
|
||||
|
||||
# File extensions considered static files.
|
||||
# Extensions include the dot, lowercase, enclosed by /slashes/ as delimiters.
|
||||
|
@ -826,4 +866,4 @@ SecAction \
|
|||
nolog,\
|
||||
pass,\
|
||||
t:none,\
|
||||
setvar:tx.crs_setup_version=332"
|
||||
setvar:tx.crs_setup_version=334"
|
||||
|
|
|
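Review bot: The example exclusion added to the 900220 commentary places `ctl:ruleRemoveById=920420` on the chain starter that matches `REQUEST_HEADERS:Content-Type`, and as far as I recall ModSecurity runs non-disruptive actions on a chain starter as soon as that rule matches, before the chained `REQUEST_URI "@rx ^/foo/bar"` check is evaluated — which would remove 920420 for every text/plain request rather than only for /foo/bar; worth confirming against the engine, and if so the `ctl:` belongs on the last rule of the chain, `#     SecRule REQUEST_URI "@rx ^/foo/bar" "t:none,ctl:ruleRemoveById=920420"`. Since the surrounding comment block exists precisely to warn that content types like text/plain can bypass the body processors, an example that loosens the rule more widely than intended undercuts that warning. A small wording fix in the same comment: `# To prevent blocking request with not allowed content-type by default` reads better as `# To avoid blocking requests with a disallowed Content-Type by default`.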
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -25,7 +26,7 @@
|
|||
#
|
||||
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature
|
||||
#
|
||||
SecComponentSignature "OWASP_CRS/3.3.2"
|
||||
SecComponentSignature "OWASP_CRS/3.3.4"
|
||||
|
||||
#
|
||||
# -=[ Default setup values ]=-
|
||||
|
@ -58,7 +59,7 @@ SecRule &TX:crs_setup_version "@eq 0" \
|
|||
log,\
|
||||
auditlog,\
|
||||
msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL'"
|
||||
|
||||
|
||||
|
@ -76,7 +77,7 @@ SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.inbound_anomaly_score_threshold=5'"
|
||||
|
||||
# Default Outbound Anomaly Threshold Level (rule 900110 in setup.conf)
|
||||
|
@ -85,7 +86,7 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.outbound_anomaly_score_threshold=4'"
|
||||
|
||||
# Default Paranoia Level (rule 900000 in setup.conf)
|
||||
|
@ -94,7 +95,7 @@ SecRule &TX:paranoia_level "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.paranoia_level=1'"
|
||||
|
||||
# Default Executing Paranoia Level (rule 900000 in setup.conf)
|
||||
|
@ -103,7 +104,7 @@ SecRule &TX:executing_paranoia_level "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}'"
|
||||
|
||||
# Default Sampling Percentage (rule 900400 in setup.conf)
|
||||
|
@ -112,7 +113,7 @@ SecRule &TX:sampling_percentage "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.sampling_percentage=100'"
|
||||
|
||||
# Default Anomaly Scores (rule 900100 in setup.conf)
|
||||
|
@ -121,7 +122,7 @@ SecRule &TX:critical_anomaly_score "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.critical_anomaly_score=5'"
|
||||
|
||||
SecRule &TX:error_anomaly_score "@eq 0" \
|
||||
|
@ -129,7 +130,7 @@ SecRule &TX:error_anomaly_score "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.error_anomaly_score=4'"
|
||||
|
||||
SecRule &TX:warning_anomaly_score "@eq 0" \
|
||||
|
@ -137,7 +138,7 @@ SecRule &TX:warning_anomaly_score "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.warning_anomaly_score=3'"
|
||||
|
||||
SecRule &TX:notice_anomaly_score "@eq 0" \
|
||||
|
@ -145,7 +146,7 @@ SecRule &TX:notice_anomaly_score "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.notice_anomaly_score=2'"
|
||||
|
||||
# Default do_reput_block
|
||||
|
@ -154,7 +155,7 @@ SecRule &TX:do_reput_block "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.do_reput_block=0'"
|
||||
|
||||
# Default block duration
|
||||
|
@ -163,7 +164,7 @@ SecRule &TX:reput_block_duration "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.reput_block_duration=300'"
|
||||
|
||||
# Default HTTP policy: allowed_methods (rule 900200)
|
||||
|
@ -172,7 +173,7 @@ SecRule &TX:allowed_methods "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
|
||||
|
||||
# Default HTTP policy: allowed_request_content_type (rule 900220)
|
||||
|
@ -181,8 +182,8 @@ SecRule &TX:allowed_request_content_type "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
|
||||
|
||||
# Default HTTP policy: allowed_request_content_type_charset (rule 900270)
|
||||
SecRule &TX:allowed_request_content_type_charset "@eq 0" \
|
||||
|
@ -190,7 +191,7 @@ SecRule &TX:allowed_request_content_type_charset "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
|
||||
|
||||
# Default HTTP policy: allowed_http_versions (rule 900230)
|
||||
|
@ -199,7 +200,7 @@ SecRule &TX:allowed_http_versions "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
|
||||
|
||||
# Default HTTP policy: restricted_extensions (rule 900240)
|
||||
|
@ -208,7 +209,7 @@ SecRule &TX:restricted_extensions "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
|
||||
|
||||
# Default HTTP policy: restricted_headers (rule 900250)
|
||||
|
@ -217,8 +218,8 @@ SecRule &TX:restricted_headers "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.restricted_headers=/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/'"
|
||||
|
||||
# Default HTTP policy: static_extensions (rule 900260)
|
||||
SecRule &TX:static_extensions "@eq 0" \
|
||||
|
@ -226,7 +227,7 @@ SecRule &TX:static_extensions "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
|
||||
|
||||
# Default enforcing of body processor URLENCODED
|
||||
|
@ -235,7 +236,7 @@ SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.enforce_bodyproc_urlencoded=0'"
|
||||
|
||||
#
|
||||
|
@ -253,7 +254,7 @@ SecAction \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.anomaly_score=0',\
|
||||
setvar:'tx.anomaly_score_pl1=0',\
|
||||
setvar:'tx.anomaly_score_pl2=0',\
|
||||
|
@ -290,7 +291,7 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \
|
|||
pass,\
|
||||
t:none,t:sha1,t:hexEncode,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.ua_hash=%{MATCHED_VAR}'"
|
||||
|
||||
SecAction \
|
||||
|
@ -299,7 +300,7 @@ SecAction \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
initcol:global=global,\
|
||||
initcol:ip=%{remote_addr}_%{tx.ua_hash},\
|
||||
setvar:'tx.real_ip=%{remote_addr}'"
|
||||
|
@ -320,7 +321,7 @@ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
|
|||
msg:'Enabling body inspection',\
|
||||
tag:'paranoia-level/1',\
|
||||
ctl:forceRequestBodyVariable=On,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Force body processor URLENCODED
|
||||
SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
|
||||
|
@ -331,7 +332,7 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
|
|||
nolog,\
|
||||
noauditlog,\
|
||||
msg:'Enabling forced body inspection for ASCII content',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
|
||||
"ctl:requestBodyProcessor=URLENCODED"
|
||||
|
@ -370,7 +371,7 @@ SecRule TX:sampling_percentage "@eq 100" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
skipAfter:END-SAMPLING"
|
||||
|
||||
SecRule UNIQUE_ID "@rx ^." \
|
||||
|
@ -379,7 +380,7 @@ SecRule UNIQUE_ID "@rx ^." \
|
|||
pass,\
|
||||
t:sha1,t:hexEncode,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'TX.sampling_rnd100=%{MATCHED_VAR}'"
|
||||
|
||||
SecRule DURATION "@rx (..)$" \
|
||||
|
@ -388,7 +389,7 @@ SecRule DURATION "@rx (..)$" \
|
|||
pass,\
|
||||
capture,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'TX.sampling_rnd100=%{TX.sampling_rnd100}%{TX.1}'"
|
||||
|
||||
SecRule TX:sampling_rnd100 "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
|
||||
|
@ -397,7 +398,7 @@ SecRule TX:sampling_rnd100 "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
|
|||
pass,\
|
||||
capture,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'"
|
||||
|
||||
SecRule TX:sampling_rnd100 "@rx ^0([0-9])" \
|
||||
|
@ -406,7 +407,7 @@ SecRule TX:sampling_rnd100 "@rx ^0([0-9])" \
|
|||
pass,\
|
||||
capture,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'TX.sampling_rnd100=%{TX.1}'"
|
||||
|
||||
|
||||
|
@ -431,7 +432,7 @@ SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
|
|||
noauditlog,\
|
||||
msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\
|
||||
ctl:ruleEngine=Off,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
SecMarker "END-SAMPLING"
|
||||
|
||||
|
@ -449,4 +450,4 @@ SecRule TX:executing_paranoia_level "@lt %{tx.paranoia_level}" \
|
|||
t:none,\
|
||||
log,\
|
||||
msg:'Executing paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
|
|
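Review bot: The tightened defaults for `tx.allowed_request_content_type` (hunk `@ -181,8 +182,8`) and `tx.restricted_headers` (hunk `@ -217,8 +218,8`) only take effect when the `&TX:... "@eq 0"` guard finds the variable unset, i.e. when the operator has not uncommented rule 900220 / 900250 in their own crs-setup.conf; an installation that carried a customised 900220 over from 3.3.2 keeps `|text/plain| |application/octet-stream|` and friends allowed and does not receive the body-processor bypass fix. Nothing in this file says so, so I would add a comment above the 900220 default such as `# NOTE: a 900220 set in crs-setup.conf overrides this default; after upgrading, re-check that list against the bypass warning in crs-setup.conf.example`, and the equivalent above the 900250 default. The `SecRule &TX:allowed_request_content_type` starter line sits above the hunk.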
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -68,7 +69,7 @@ SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
|
||||
|
||||
SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
|
||||
|
@ -77,7 +78,7 @@ SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
|
||||
|
||||
|
||||
|
@ -115,7 +116,7 @@ SecAction "id:9001100,\
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES_NAMES,\
|
||||
ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -130,7 +131,7 @@ SecRule REQUEST_FILENAME "@endsWith /core/install.php" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:account[pass][pass1],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:account[pass][pass2],\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /user/login" \
|
||||
"id:9001112,\
|
||||
|
@ -139,7 +140,7 @@ SecRule REQUEST_FILENAME "@endsWith /user/login" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/people/create" \
|
||||
"id:9001114,\
|
||||
|
@ -148,7 +149,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/people/create" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass1],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass2],\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@rx /user/[0-9]+/edit$" \
|
||||
"id:9001116,\
|
||||
|
@ -158,7 +159,7 @@ SecRule REQUEST_FILENAME "@rx /user/[0-9]+/edit$" \
|
|||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:current_pass,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass1],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass2],\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -178,7 +179,7 @@ SecRule REQUEST_FILENAME "@contains /admin/config/" \
|
|||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveById=942430,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/config/people/accounts" \
|
||||
"id:9001124,\
|
||||
|
@ -195,7 +196,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/people/accounts" \
|
|||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_activated_body,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_blocked_body,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_canceled_body,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/configuration/single/import" \
|
||||
"id:9001126,\
|
||||
|
@ -204,7 +205,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/development/configuration/sing
|
|||
nolog,\
|
||||
ctl:ruleRemoveById=920271,\
|
||||
ctl:ruleRemoveById=942440,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
|
||||
"id:9001128,\
|
||||
|
@ -212,7 +213,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
|
|||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveById=942440,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -229,7 +230,7 @@ SecRule REQUEST_FILENAME "@endsWith /contextual/render" \
|
|||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=942130;ARGS:ids[],\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -248,7 +249,7 @@ SecAction "id:9001160,\
|
|||
ctl:ruleRemoveTargetById=942440;ARGS:form_build_id,\
|
||||
ctl:ruleRemoveTargetById=942450;ARGS:form_token,\
|
||||
ctl:ruleRemoveTargetById=942450;ARGS:form_build_id,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -265,7 +266,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/content/formats/manage/full_ht
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:editor[settings][toolbar][button_groups],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:filters[filter_html][settings][allowed_html],\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -349,7 +350,7 @@ SecRule REQUEST_FILENAME "@endsWith /node/add/article" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
|
||||
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /node/add/page" \
|
||||
"id:9001202,\
|
||||
|
@ -358,7 +359,7 @@ SecRule REQUEST_FILENAME "@endsWith /node/add/page" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
|
||||
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \
|
||||
"id:9001204,\
|
||||
|
@ -368,7 +369,7 @@ SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \
|
|||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
|
||||
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
|
||||
ctl:ruleRemoveTargetById=932110;ARGS:destination,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /block/add" \
|
||||
"id:9001206,\
|
||||
|
@ -376,7 +377,7 @@ SecRule REQUEST_FILENAME "@endsWith /block/add" \
|
|||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/basic" \
|
||||
"id:9001208,\
|
||||
|
@ -384,7 +385,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/
|
|||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:description,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(?:full|basic)_html$" \
|
||||
"id:9001210,\
|
||||
|
@ -392,7 +393,7 @@ SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(?:full|basic)_html$" \
|
|||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:value,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@rx /user/[0-9]+/contact$" \
|
||||
"id:9001212,\
|
||||
|
@ -400,7 +401,7 @@ SecRule REQUEST_FILENAME "@rx /user/[0-9]+/contact$" \
|
|||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message[0][value],\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
|
||||
"id:9001214,\
|
||||
|
@ -408,7 +409,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
|
|||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:maintenance_mode_message,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/config/services/rss-publishing" \
|
||||
"id:9001216,\
|
||||
|
@ -416,7 +417,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/services/rss-publishing" \
|
|||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:feed_description,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
|
||||
SecMarker "END-DRUPAL-RULE-EXCLUSIONS"
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -22,7 +23,7 @@ SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
skipAfter:END-WORDPRESS"
|
||||
|
||||
SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
|
||||
|
@ -31,7 +32,7 @@ SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
skipAfter:END-WORDPRESS"
|
||||
|
||||
|
||||
|
@ -52,7 +53,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Reset password
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
|
||||
|
@ -61,7 +62,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq resetpass" \
|
||||
"t:none,\
|
||||
|
@ -85,7 +86,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-comments-post.php" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:url,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -102,7 +103,7 @@ SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:posts|pages)" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:content,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.content,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Gutenberg via rest_route for sites without pretty permalinks
|
||||
SecRule REQUEST_FILENAME "@endsWith /index.php" \
|
||||
|
@ -111,7 +112,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule &ARGS:rest_route "@eq 1" \
|
||||
"t:none,\
|
||||
|
@ -131,7 +132,7 @@ SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/media" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveById=200002,\
|
||||
ctl:ruleRemoveById=200003,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Gutenberg upload image/media via rest_route for sites without pretty permalinks
|
||||
SecRule REQUEST_FILENAME "@endsWith /index.php" \
|
||||
|
@ -140,7 +141,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule &ARGS:rest_route "@eq 1" \
|
||||
"t:none,\
|
||||
|
@ -169,7 +170,7 @@ SecRule ARGS:wp_customize "@streq on" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule &ARGS:action "@eq 0" \
|
||||
"t:none,\
|
||||
|
@ -190,7 +191,7 @@ SecRule ARGS:wp_customize "@streq on" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule ARGS:action "@rx ^(?:|customize_save|update-widget)$" \
|
||||
"t:none,\
|
||||
|
@ -231,7 +232,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-cron.php" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveById=920180,\
|
||||
ctl:ruleRemoveById=920300,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -246,7 +247,7 @@ SecRule REQUEST_COOKIES:_wp_session "@rx ^[0-9a-f]+\|\|\d+\|\|\d+$" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule &REQUEST_COOKIES:_wp_session "@eq 1" \
|
||||
"t:none,\
|
||||
|
@ -265,7 +266,7 @@ SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
skipAfter:END-WORDPRESS-ADMIN"
|
||||
|
||||
SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
|
||||
|
@ -274,7 +275,7 @@ SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
skipAfter:END-WORDPRESS-ADMIN"
|
||||
|
||||
|
||||
|
@ -289,7 +290,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/setup-config.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule ARGS:step "@streq 2" \
|
||||
"t:none,\
|
||||
|
@ -305,7 +306,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/install.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule ARGS:step "@streq 2" \
|
||||
"t:none,\
|
||||
|
@ -328,7 +329,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/profile.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq update" \
|
||||
"t:none,\
|
||||
|
@ -356,7 +357,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-edit.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq update" \
|
||||
"t:none,\
|
||||
|
@ -385,7 +386,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-new.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq createuser" \
|
||||
"t:none,\
|
||||
|
@ -426,7 +427,7 @@ SecAction \
|
|||
ctl:ruleRemoveTargetById=942200;ARGS:wp_http_referer,\
|
||||
ctl:ruleRemoveTargetById=942260;ARGS:wp_http_referer,\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS:wp_http_referer,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
#
|
||||
# [ Content editing ]
|
||||
|
@ -443,7 +444,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule ARGS:action "@rx ^(?:edit|editpost)$" \
|
||||
"t:none,\
|
||||
|
@ -463,7 +464,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq heartbeat" \
|
||||
"t:none,\
|
||||
|
@ -485,7 +486,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/nav-menus.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq update" \
|
||||
"t:none,\
|
||||
|
@ -510,7 +511,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule ARGS:action "@rx ^(?:save-widget|update-widget)$" \
|
||||
"t:none,\
|
||||
|
@ -565,7 +566,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq widgets-order" \
|
||||
"t:none,\
|
||||
|
@ -594,7 +595,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq sample-permalink" \
|
||||
"t:none,\
|
||||
|
@ -610,7 +611,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq add-menu-item" \
|
||||
"t:none,\
|
||||
|
@ -626,7 +627,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq send-attachment-to-editor" \
|
||||
"t:none,\
|
||||
|
@ -647,7 +648,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule ARGS:option_page "@streq general" \
|
||||
"t:none,\
|
||||
|
@ -678,7 +679,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/options-permalink.php" \
|
|||
ctl:ruleRemoveTargetById=920272;ARGS:permalink_structure,\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS:permalink_structure,\
|
||||
ctl:ruleRemoveTargetById=920272;REQUEST_BODY,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Comments blacklist and moderation list
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
|
||||
|
@ -687,7 +688,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule ARGS:option_page "@streq discussion" \
|
||||
"t:none,\
|
||||
|
@ -711,7 +712,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/edit.php" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:s,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -750,7 +751,7 @@ SecRule REQUEST_FILENAME "@rx /wp-admin/load-(?:scripts|styles)\.php$" \
|
|||
ctl:ruleRemoveTargetById=942430;ARGS:load[],\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS:load[],\
|
||||
ctl:ruleRemoveTargetById=942432;ARGS:load[],\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
|
||||
SecMarker "END-WORDPRESS-ADMIN"
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -43,7 +44,7 @@ SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
skipAfter:END-NEXTCLOUD"
|
||||
|
||||
SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \
|
||||
|
@ -52,7 +53,7 @@ SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
skipAfter:END-NEXTCLOUD"
|
||||
|
||||
|
||||
|
@ -74,7 +75,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \
|
|||
ctl:ruleRemoveById=953100-953130,\
|
||||
ctl:ruleRemoveById=920420,\
|
||||
ctl:ruleRemoveById=920440,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Skip PUT parsing for invalid encoding / protocol violations in binary files.
|
||||
|
||||
|
@ -84,7 +85,7 @@ SecRule REQUEST_METHOD "@streq PUT" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \
|
||||
"t:none,\
|
||||
|
@ -102,7 +103,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'"
|
||||
|
||||
# Allow the data type 'application/octet-stream'
|
||||
|
@ -113,7 +114,7 @@ SecRule REQUEST_METHOD "@rx ^(?:PUT|MOVE)$" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule REQUEST_FILENAME "@rx /remote\.php/dav/(?:files|uploads)/" \
|
||||
"setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |application/octet-stream|'"
|
||||
|
@ -126,7 +127,7 @@ SecRule REQUEST_METHOD "@streq PUT" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule REQUEST_FILENAME "@rx (?:/public\.php/webdav/|/remote\.php/dav/uploads/)" \
|
||||
"ctl:ruleRemoveById=920340,\
|
||||
|
@ -147,7 +148,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
|
|||
ctl:ruleRemoveById=951000-951999,\
|
||||
ctl:ruleRemoveById=953100-953130,\
|
||||
ctl:ruleRemoveById=920440,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Allow REPORT requests without Content-Type header (at least the iOS app does this)
|
||||
|
||||
|
@ -176,7 +177,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/core/search" \
|
|||
ctl:ruleRemoveTargetByTag=attack-injection-php;ARGS:query,\
|
||||
ctl:ruleRemoveTargetById=941000-942999;ARGS:query,\
|
||||
ctl:ruleRemoveTargetById=932000-932999;ARGS:query,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
|
||||
# [ DAV ]
|
||||
|
@ -198,7 +199,7 @@ SecRule REQUEST_FILENAME "@rx /(?:remote|index|public)\.php/" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT PATCH CHECKOUT COPY DELETE LOCK MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH UNLOCK REPORT TRACE jsonp'"
|
||||
|
||||
|
||||
|
@ -212,7 +213,7 @@ SecRule REQUEST_FILENAME "@rx /ocs/v[0-9]+\.php/apps/files_sharing/" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE'"
|
||||
|
||||
|
||||
|
@ -225,7 +226,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/core/preview.png" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=932150;ARGS:file,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Filepreview for trashbin
|
||||
|
||||
|
@ -237,7 +238,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/files_trashbin/ajax/preview.
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetById=932150;ARGS:file,\
|
||||
ctl:ruleRemoveTargetById=942190;ARGS:file,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
SecRule REQUEST_FILENAME "@rx /index\.php/(?:apps/gallery/thumbnails|logout$)" \
|
||||
"id:9003160,\
|
||||
|
@ -246,7 +247,7 @@ SecRule REQUEST_FILENAME "@rx /index\.php/(?:apps/gallery/thumbnails|logout$)" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=941120;ARGS:requesttoken,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
|
||||
# [ Ownnote ]
|
||||
|
@ -258,7 +259,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/ownnote/" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveById=941150,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
|
||||
# [ Text Editor ]
|
||||
|
@ -276,7 +277,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/files_texteditor/" \
|
|||
ctl:ruleRemoveTargetById=932150;ARGS:filename,\
|
||||
ctl:ruleRemoveTargetById=920370-920390;ARGS:filecontents,\
|
||||
ctl:ruleRemoveTargetById=920370-920390;ARGS_COMBINED_SIZE,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
|
||||
# [ Address Book ]
|
||||
|
@ -289,7 +290,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'"
|
||||
|
||||
# Allow modifying contacts via the web interface
|
||||
|
@ -315,7 +316,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/calendars/" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/calendar|'"
|
||||
|
||||
# Allow modifying calendar events via the web interface
|
||||
|
@ -343,7 +344,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/notes/" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveByTag=attack-injection-php,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
|
||||
# [ Bookmarks ]
|
||||
|
@ -357,7 +358,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/bookmarks/" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveById=931130,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -376,7 +377,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/login" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetById=941100;ARGS:requesttoken,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Reset password.
|
||||
|
||||
|
@ -386,7 +387,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php/login" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq resetpass" \
|
||||
"t:none,\
|
||||
|
@ -407,7 +408,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php/settings/users" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:newuserpassword,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
|
||||
SecMarker "END-NEXTCLOUD-ADMIN"
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -26,7 +27,7 @@ SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
skipAfter:END-DOKUWIKI"
|
||||
|
||||
SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \
|
||||
|
@ -35,7 +36,7 @@ SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
skipAfter:END-DOKUWIKI"
|
||||
|
||||
|
||||
|
@ -80,7 +81,7 @@ SecRule REQUEST_FILENAME "@rx (?:/doku.php|/lib/exe/ajax.php)$" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule REQUEST_METHOD "@streq POST" \
|
||||
"t:none,\
|
||||
|
@ -105,7 +106,7 @@ SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule REQUEST_METHOD "@streq POST" \
|
||||
"t:none,\
|
||||
|
@ -124,7 +125,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule ARGS:do "@streq index" \
|
||||
"t:none,\
|
||||
|
@ -148,7 +149,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule ARGS:do "@streq login" \
|
||||
"t:none,\
|
||||
|
@ -169,7 +170,7 @@ SecRule ARGS:do "!@streq admin" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
skipAfter:END-DOKUWIKI-ADMIN"
|
||||
|
||||
SecRule ARGS:do "!@streq admin" \
|
||||
|
@ -178,7 +179,7 @@ SecRule ARGS:do "!@streq admin" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
skipAfter:END-DOKUWIKI-ADMIN"
|
||||
|
||||
|
||||
|
@ -193,7 +194,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule ARGS:do "@streq login" \
|
||||
"t:none,\
|
||||
|
@ -219,7 +220,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule ARGS:page "@streq config" \
|
||||
"t:none,\
|
||||
|
@ -251,7 +252,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule ARGS:page "@streq config" \
|
||||
"t:none,\
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -18,7 +19,7 @@ SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
skipAfter:END-CPANEL"
|
||||
|
||||
SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
|
||||
|
@ -27,7 +28,7 @@ SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
skipAfter:END-CPANEL"
|
||||
|
||||
|
||||
|
@ -52,7 +53,7 @@ SecRule REQUEST_LINE "@rx ^GET /whm-server-status(?:/|/\?auto)? HTTP/[12]\.[01]$
|
|||
tag:'language-multi',\
|
||||
tag:'platform-apache',\
|
||||
tag:'attack-generic',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
|
||||
"t:none,\
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -17,7 +18,7 @@ SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
skipAfter:END-XENFORO"
|
||||
|
||||
SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \
|
||||
|
@ -26,7 +27,7 @@ SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
skipAfter:END-XENFORO"
|
||||
|
||||
|
||||
|
@ -48,7 +49,7 @@ SecRule REQUEST_FILENAME "@endsWith /proxy.php" \
|
|||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:link,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:referrer,\
|
||||
ctl:ruleRemoveTargetById=942230;ARGS:referrer,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Store drafts for private message, forum post, thread reply
|
||||
# POST /xf/conversations/draft
|
||||
|
@ -72,7 +73,7 @@ SecRule REQUEST_FILENAME "@rx /(?:conversations|(?:conversations|forums|threads)
|
|||
ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
|
||||
ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
|
||||
ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Send PM, edit post, create thread, reply to thread
|
||||
# POST /xf/conversations/add
|
||||
|
@ -99,7 +100,7 @@ SecRule REQUEST_FILENAME "@rx /(?:conversations/add(?:-preview)?|conversations/m
|
|||
ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
|
||||
ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
|
||||
ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Quote
|
||||
# POST /xf/posts/12345/quote
|
||||
|
@ -110,7 +111,7 @@ SecRule REQUEST_FILENAME "@rx /posts/\d+/quote$" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:quoteHtml,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Multi quote
|
||||
# POST /xf/conversations/convo-title.12345/multi-quote
|
||||
|
@ -133,7 +134,7 @@ SecRule REQUEST_FILENAME "@rx /(?:conversations|threads)/.*\.\d+/multi-quote$" \
|
|||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[7][value],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[8][value],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[9][value],\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Delete thread
|
||||
# POST /xf/threads/thread-title.12345/delete
|
||||
|
@ -144,7 +145,7 @@ SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/delete$" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=942130;ARGS:starter_alert_reason,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Feature thread
|
||||
# POST /xf/threads/thread-title.12345/feature-edit
|
||||
|
@ -166,7 +167,7 @@ SecRule REQUEST_FILENAME "@endsWith /inline-mod/" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:author_alert_reason,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Warn member
|
||||
# POST /xf/members/name.12345/warn
|
||||
|
@ -179,7 +180,7 @@ SecRule REQUEST_FILENAME "@rx /(?:members/.*\.\d+|posts/\d+)/warn$" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:conversation_message,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:notes,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Editor
|
||||
SecRule REQUEST_URI "@endsWith /index.php?editor/to-html" \
|
||||
|
@ -193,7 +194,7 @@ SecRule REQUEST_URI "@endsWith /index.php?editor/to-html" \
|
|||
ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
|
||||
ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
|
||||
ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Editor
|
||||
SecRule REQUEST_URI "@endsWith /index.php?editor/to-bb-code" \
|
||||
|
@ -203,7 +204,7 @@ SecRule REQUEST_URI "@endsWith /index.php?editor/to-bb-code" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:html,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Post attachment
|
||||
# POST /xf/account/avatar
|
||||
|
@ -219,7 +220,7 @@ SecRule REQUEST_FILENAME "@rx /(?:account/avatar|attachments/upload)$" \
|
|||
ctl:ruleRemoveTargetById=942440;ARGS:flowIdentifier,\
|
||||
ctl:ruleRemoveTargetById=942440;ARGS:flowFilename,\
|
||||
ctl:ruleRemoveTargetById=942440;ARGS:flowRelativePath,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Media
|
||||
# POST /xf/index.php?editor/media
|
||||
|
@ -231,7 +232,7 @@ SecRule REQUEST_URI "@endsWith /index.php?editor/media" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:url,\
|
||||
ctl:ruleRemoveTargetById=942130;ARGS:url,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Emoji
|
||||
# GET /xf/index.php?misc/find-emoji&q=(%0A%0A
|
||||
|
@ -242,7 +243,7 @@ SecRule REQUEST_URI "@rx /index\.php\?misc/find-emoji&q=" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=921151;ARGS:q,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Login
|
||||
# POST /xf/login/login
|
||||
|
@ -253,7 +254,7 @@ SecRule REQUEST_FILENAME "@endsWith /login/login" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Register account
|
||||
# POST /xf/register/register
|
||||
|
@ -268,7 +269,7 @@ SecRule REQUEST_FILENAME "@endsWith /register/register" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetById=942130;ARGS,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:reg_key,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Confirm account
|
||||
# GET /xf/account-confirmation/name.12345/email?c=foo
|
||||
|
@ -290,7 +291,7 @@ SecRule REQUEST_FILENAME "@endsWith /account/account-details" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:about_html,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Lost password
|
||||
# POST /xf/lost-password/user-name.12345/confirm?c=foo
|
||||
|
@ -301,7 +302,7 @@ SecRule REQUEST_FILENAME "@rx /lost-password/.*\.\d+/confirm$" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:c,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Set forum signature
|
||||
# POST /xf/account/signature
|
||||
|
@ -312,7 +313,7 @@ SecRule REQUEST_FILENAME "@endsWith /account/signature" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:signature_html,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Search
|
||||
# POST /xf/search/search
|
||||
|
@ -327,7 +328,7 @@ SecRule REQUEST_FILENAME "@endsWith /search/search" \
|
|||
ctl:ruleRemoveTargetById=942260;ARGS:constraints,\
|
||||
ctl:ruleRemoveTargetById=942340;ARGS:constraints,\
|
||||
ctl:ruleRemoveTargetById=942370;ARGS:constraints,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Search within thread
|
||||
# GET /xf/threads/foo.12345/page12?highlight=foo
|
||||
|
@ -338,7 +339,7 @@ SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/(?:page\d+)?$" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:highlight,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Search within search result
|
||||
# GET /xf/search/12345/?q=foo
|
||||
|
@ -349,7 +350,7 @@ SecRule REQUEST_FILENAME "@rx /search/\d+/$" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:q,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Contact form
|
||||
# POST /xf/misc/contact
|
||||
|
@ -361,7 +362,7 @@ SecRule REQUEST_FILENAME "@endsWith /misc/contact" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:subject,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Report post
|
||||
# POST /xf/posts/12345/report
|
||||
|
@ -372,7 +373,7 @@ SecRule REQUEST_FILENAME "@rx /posts/\d+/report$" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Alternate thread view route
|
||||
# /xf/index.php?threads/title-having-some-sql.12345/
|
||||
|
@ -387,7 +388,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule REQUEST_METHOD "@streq GET" \
|
||||
"t:none,\
|
||||
|
@ -411,7 +412,7 @@ SecRule REQUEST_URI "@endsWith /index.php?dbtech-security/fingerprint" \
|
|||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[14][value],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[15][value],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[16][value],\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Get location info
|
||||
SecRule REQUEST_FILENAME "@endsWith /misc/location-info" \
|
||||
|
@ -421,7 +422,7 @@ SecRule REQUEST_FILENAME "@endsWith /misc/location-info" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:location,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
#
|
||||
# -=[ XenForo Global Exclusions ]=-
|
||||
|
@ -454,7 +455,7 @@ SecAction \
|
|||
ctl:ruleRemoveTargetByTag=OWASP_CRS;REQUEST_COOKIES:xf_ls,\
|
||||
ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_session,\
|
||||
ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_user,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
#
|
||||
# -=[ XenForo Administration Back-End ]=-
|
||||
|
@ -468,7 +469,7 @@ SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
skipAfter:END-XENFORO-ADMIN"
|
||||
|
||||
SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
|
||||
|
@ -477,7 +478,7 @@ SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
skipAfter:END-XENFORO-ADMIN"
|
||||
|
||||
# Admin edit user
|
||||
|
@ -490,7 +491,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/edit$" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[about],\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:profile[website],\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Admin save user
|
||||
# POST /xf/admin.php?users/the-user-name.12345/save
|
||||
|
@ -509,7 +510,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/save$" \
|
|||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[sexuality],\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:profile[website],\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
|
||||
# Admin edit forum notice
|
||||
|
@ -523,7 +524,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?notices/(?:.*\.)?\d+/save$" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Admin batch thread update
|
||||
# POST /xf/admin.php?threads/batch-update/action
|
||||
|
@ -538,7 +539,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?(?:threads|users)/batch-update/action$" \
|
|||
ctl:ruleRemoveTargetById=942330;ARGS:criteria,\
|
||||
ctl:ruleRemoveTargetById=942340;ARGS:criteria,\
|
||||
ctl:ruleRemoveTargetById=942370;ARGS:criteria,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Edit forum theme
|
||||
# POST /xf/admin.php?styles/title.1234/style-properties/group&group=basic
|
||||
|
@ -555,7 +556,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?styles/" \
|
|||
ctl:ruleRemoveTargetById=942340;ARGS:json,\
|
||||
ctl:ruleRemoveTargetById=942370;ARGS:json,\
|
||||
ctl:ruleRemoveTargetById=942440;ARGS:json,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Set forum options
|
||||
# POST /xf/admin.php?options/update
|
||||
|
@ -566,7 +567,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?options/update" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:options[boardInactiveMessage],\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Edit pages/templates
|
||||
# POST /xf/admin.php?pages/0/save
|
||||
|
@ -579,7 +580,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?(?:pages|templates)/.*/save" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:template,\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
SecMarker "END-XENFORO-ADMIN"
|
||||
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -23,7 +24,7 @@ SecRule REQUEST_LINE "@streq GET /" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-apache',\
|
||||
tag:'attack-generic',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
|
||||
"t:none,\
|
||||
|
@ -43,7 +44,7 @@ SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-apache',\
|
||||
tag:'attack-generic',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \
|
||||
"t:none,\
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -40,7 +41,7 @@ SecRule TX:DO_REPUT_BLOCK "@eq 1" \
|
|||
tag:'attack-reputation-ip',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain,\
|
||||
skipAfter:BEGIN-REQUEST-BLOCKING-EVAL"
|
||||
|
@ -70,7 +71,7 @@ SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
|
|||
tag:'attack-reputation-ip',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule TX:REAL_IP "@geoLookup" \
|
||||
|
@ -125,7 +126,7 @@ SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \
|
|||
tag:'attack-reputation-ip',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
skipAfter:END-RBL-LOOKUP"
|
||||
|
||||
#
|
||||
|
@ -149,7 +150,7 @@ SecRule &TX:block_suspicious_ip "@eq 0" \
|
|||
nolog,\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain,\
|
||||
skipAfter:END-RBL-CHECK"
|
||||
SecRule &TX:block_harvester_ip "@eq 0" \
|
||||
|
@ -171,7 +172,7 @@ SecRule TX:REAL_IP "@rbl dnsbl.httpbl.org" \
|
|||
tag:'attack-reputation-ip',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.httpbl_msg=%{tx.0}',\
|
||||
chain"
|
||||
SecRule TX:httpbl_msg "@rx RBL lookup of .*?.dnsbl.httpbl.org succeeded at TX:checkip. (.*?): .*" \
|
||||
|
@ -192,7 +193,7 @@ SecRule TX:block_search_ip "@eq 1" \
|
|||
tag:'attack-reputation-ip',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain,\
|
||||
skipAfter:END-RBL-CHECK"
|
||||
|
@ -216,7 +217,7 @@ SecRule TX:block_spammer_ip "@eq 1" \
|
|||
tag:'attack-reputation-ip',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain,\
|
||||
skipAfter:END-RBL-CHECK"
|
||||
|
@ -240,7 +241,7 @@ SecRule TX:block_suspicious_ip "@eq 1" \
|
|||
tag:'attack-reputation-ip',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain,\
|
||||
skipAfter:END-RBL-CHECK"
|
||||
|
@ -264,7 +265,7 @@ SecRule TX:block_harvester_ip "@eq 1" \
|
|||
tag:'attack-reputation-ip',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain,\
|
||||
skipAfter:END-RBL-CHECK"
|
||||
|
@ -287,7 +288,7 @@ SecAction \
|
|||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-ip',\
|
||||
tag:'paranoia-level/1',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'ip.previous_rbl_check=1',\
|
||||
expirevar:'ip.previous_rbl_check=86400'"
|
||||
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -38,7 +39,7 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/274',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -69,7 +70,7 @@ SecRule &TX:dos_burst_time_slice "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain,\
|
||||
skipAfter:END-DOS-PROTECTION-CHECKS"
|
||||
SecRule &TX:dos_counter_threshold "@eq 0" \
|
||||
|
@ -82,7 +83,7 @@ SecRule &TX:dos_burst_time_slice "@eq 0" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain,\
|
||||
skipAfter:END-DOS-PROTECTION-CHECKS"
|
||||
SecRule &TX:dos_counter_threshold "@eq 0" \
|
||||
|
@ -115,7 +116,7 @@ SecRule IP:DOS_BLOCK "@eq 1" \
|
|||
tag:'attack-dos',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/227/469',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule &IP:DOS_BLOCK_FLAG "@eq 0" \
|
||||
"setvar:'ip.dos_block_counter=+1',\
|
||||
|
@ -141,7 +142,7 @@ SecRule IP:DOS_BLOCK "@eq 1" \
|
|||
tag:'attack-dos',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/227/469',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'ip.dos_block_counter=+1'"
|
||||
|
||||
|
||||
|
@ -163,7 +164,7 @@ SecRule IP:DOS_BLOCK "@eq 1" \
|
|||
tag:'platform-multi',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'attack-dos',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
skipAfter:END-DOS-PROTECTION-CHECKS"
|
||||
|
||||
|
||||
|
@ -184,7 +185,7 @@ SecRule REQUEST_BASENAME "@rx .*?(\.[a-z0-9]{1,10})?$" \
|
|||
tag:'attack-dos',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/227/469',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.extension=/%{TX.1}/',\
|
||||
chain"
|
||||
SecRule TX:EXTENSION "!@within %{tx.static_extensions}" \
|
||||
|
@ -216,7 +217,7 @@ SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
|
|||
tag:'attack-dos',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/227/469',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule &IP:DOS_BURST_COUNTER "@eq 0" \
|
||||
"setvar:'ip.dos_burst_counter=1',\
|
||||
|
@ -237,7 +238,7 @@ SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
|
|||
tag:'attack-dos',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/227/469',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule &IP:DOS_BURST_COUNTER "@ge 1" \
|
||||
"setvar:'ip.dos_burst_counter=2',\
|
||||
|
@ -264,7 +265,7 @@ SecRule IP:DOS_BURST_COUNTER "@ge 2" \
|
|||
tag:'attack-dos',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/227/469',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'ip.dos_block=1',\
|
||||
expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"
|
||||
|
||||
|
@ -298,7 +299,7 @@ SecRule IP:DOS_BURST_COUNTER "@ge 1" \
|
|||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/227/469',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'ip.dos_block=1',\
|
||||
expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"
|
||||
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -46,7 +47,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/224/541/310',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
|
@ -69,7 +70,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/224/541/310',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
|
@ -94,7 +95,7 @@ SecRule REQUEST_FILENAME|ARGS "@pmFromFile scanners-urls.data" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/224/541/310',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
|
@ -134,7 +135,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
|
|||
tag:'capec/1000/118/224/541/310',\
|
||||
tag:'PCI/6.5.10',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
|
@ -168,7 +169,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \
|
|||
tag:'capec/1000/118/224/541/310',\
|
||||
tag:'PCI/6.5.10',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -58,7 +59,7 @@ SecRule REQUEST_LINE "!@rx ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
|
||||
|
||||
|
@ -109,7 +110,7 @@ SecRule FILES_NAMES|FILES "@rx (?<!&(?:[aAoOuUyY]uml)|&(?:[aAeEiIoOuU]circ)|&(?:
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -138,7 +139,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -172,7 +173,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \
|
||||
|
@ -197,7 +198,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
|
||||
|
@ -233,7 +234,7 @@ SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule REQUEST_METHOD "@streq POST" \
|
||||
|
@ -262,7 +263,7 @@ SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
|
|||
tag:'attack-protocol',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule &REQUEST_HEADERS:Content-Length "!@eq 0" \
|
||||
|
@ -300,7 +301,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule TX:2 "@lt %{tx.1}" \
|
||||
|
@ -333,7 +334,7 @@ SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
|
||||
|
||||
|
@ -366,7 +367,7 @@ SecRule REQUEST_URI "@rx \x25" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/267/72',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule REQUEST_URI "@validateUrlEncoding" \
|
||||
|
@ -386,7 +387,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/267/72',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule REQUEST_BODY "@rx \x25" \
|
||||
|
@ -418,7 +419,7 @@ SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/267',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \
|
||||
|
@ -457,7 +458,7 @@ SecRule REQUEST_URI|REQUEST_BODY "@rx \%u[fF]{2}[0-9a-fA-F]{2}" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/267/72',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
|
||||
|
||||
|
@ -511,7 +512,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -543,7 +544,7 @@ SecRule &REQUEST_HEADERS:Host "@eq 0" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
|
||||
skipAfter:END-HOST-CHECK"
|
||||
|
@ -562,7 +563,7 @@ SecRule REQUEST_HEADERS:Host "@rx ^$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
|
||||
|
||||
|
@ -602,7 +603,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'NOTICE',\
|
||||
chain"
|
||||
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
|
||||
|
@ -627,7 +628,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'NOTICE',\
|
||||
chain"
|
||||
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
|
||||
|
@ -660,7 +661,7 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'NOTICE',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
|
||||
|
||||
|
@ -697,7 +698,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'NOTICE',\
|
||||
chain"
|
||||
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
|
||||
|
@ -730,7 +731,7 @@ SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
|
||||
|
||||
|
@ -762,7 +763,7 @@ SecRule &TX:MAX_NUM_ARGS "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule &ARGS "@gt %{tx.max_num_args}" \
|
||||
|
@ -787,7 +788,7 @@ SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" \
|
||||
|
@ -814,7 +815,7 @@ SecRule &TX:ARG_LENGTH "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule ARGS "@gt %{tx.arg_length}" \
|
||||
|
@ -838,7 +839,7 @@ SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" \
|
||||
|
@ -863,7 +864,7 @@ SecRule &TX:MAX_FILE_SIZE "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
|
||||
|
@ -889,7 +890,7 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \
|
||||
|
@ -927,7 +928,7 @@ SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+-]+(?:\s?;\s?(?:action|boundar
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -950,7 +951,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.content_type=|%{tx.0}|',\
|
||||
chain"
|
||||
|
@ -978,7 +979,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule TX:1 "!@rx ^%{tx.allowed_request_content_type_charset}$" \
|
||||
|
@ -986,6 +987,27 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \
|
|||
ctl:forceRequestBodyVariable=On,\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
#
|
||||
# Restrict charset parameter inside content type header to occur max once.
|
||||
#
|
||||
SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \
|
||||
"id:920530,\
|
||||
phase:1,\
|
||||
block,\
|
||||
t:none,t:lowercase,\
|
||||
msg:'Multiple charsets detected in content type header',\
|
||||
logdata:'%{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-protocol',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
#
|
||||
# Restrict protocol versions.
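Review bot: The 920530 pattern `charset.*?charset` in the line `SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset"` matches two occurrences of the bare substring anywhere in the header, not two `charset=` parameters as the block comment says, so a parameter value such as a `boundary=` that happens to contain the word twice is scored at paranoia level 1; since the rule is vendored from upstream, documenting that rather than editing it seems right, e.g. `# Note: matches any two occurrences of the substring "charset", including inside other parameter values such as boundary=`. The `logdata:'%{MATCHED_VAR}'` also departs from the `Matched Data: … found within …` form used by the other rules this commit adds, and `logdata:'Matched Data: %{MATCHED_VAR_NAME}: %{MATCHED_VAR}'` would keep audit-log parsing uniform. The rule that opens the hunk (ending at `ctl:forceRequestBodyVariable=On`) starts outside it.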
|
||||
|
@ -1005,7 +1027,7 @@ SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -1028,7 +1050,7 @@ SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.extension=.%{tx.1}/',\
|
||||
chain"
|
||||
|
@ -1055,7 +1077,7 @@ SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -1100,13 +1122,46 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.header_name_%{tx.0}=/%{tx.0}/',\
|
||||
chain"
|
||||
SecRule TX:/^header_name_/ "@within %{tx.restricted_headers}" \
|
||||
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
#
|
||||
# Restrict response charsets that we allow.
|
||||
# The following rules make sure that the response will be in an ASCII-compatible charset that
|
||||
# phase 4 rules can properly understand and block.
|
||||
#
|
||||
|
||||
#
|
||||
# Some servers rely on the request Accept header to determine what charset to respond with.
|
||||
# This rule restricts these to familiar charsets.
|
||||
#
|
||||
# Regular expression generated from util/regexp-assemble/data/920600.data.
|
||||
# To update the regular expression run the following shell script
|
||||
# (consult util/regexp-assemble/README.md for details):
|
||||
# util/regexp-assemble/regexp-assemble.py update 920600
|
||||
#
|
||||
SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*(?:\s*+,\s*+(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*)*$" \
|
||||
"id:920600,\
|
||||
phase:1,\
|
||||
block,\
|
||||
t:none,t:lowercase,\
|
||||
msg:'Illegal Accept header: charset parameter',\
|
||||
logdata:'%{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-protocol',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
|
||||
#
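Review bot: The charset allow-list of 920600 is fixed inside the generated regex (`iso-8859-15?|windows-1252|utf-8`, repeated twice in the line starting `SecRule REQUEST_HEADERS:Accept "!@rx`), so a deployment that widens `tx.allowed_request_content_type_charset` for the Content-Type charset rule earlier in this file (the chain that checks `TX:1` against that variable) will still have Accept headers with other charsets blocked at paranoia level 1. That is presumably upstream's intent, but a one-line comment next to the regeneration instructions would save operators a debugging round: `# Note: the charset allow-list is fixed in 920600.data and is not driven by tx.allowed_request_content_type_charset; regenerate the regex to change it.` The 920013/920014 skip rules that close the hunk are context, so the new rule does land in the PL1 section its tag claims.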
|
||||
|
@ -1147,7 +1202,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule REQUEST_BASENAME "!@endsWith .pdf" \
|
||||
|
@ -1171,7 +1226,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \
|
||||
|
@ -1192,7 +1247,7 @@ SecRule ARGS "@rx %[0-9a-fA-F]{2}" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/267/120',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
|
||||
|
||||
|
@ -1223,7 +1278,7 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
|
|||
tag:'capec/1000/210/272',\
|
||||
tag:'PCI/6.5.10',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'NOTICE',\
|
||||
chain"
|
||||
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
|
||||
|
@ -1249,7 +1304,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -1276,7 +1331,7 @@ SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
|
|||
tag:'capec/1000/210/272',\
|
||||
tag:'PCI/6.5.10',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'NOTICE',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.notice_anomaly_score}'"
|
||||
|
||||
|
@ -1298,7 +1353,7 @@ SecRule FILES_NAMES|FILES "@rx ['\";=]" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -1323,7 +1378,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
|
|||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
|
||||
|
@ -1357,7 +1412,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteR
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'paranoia-level/3',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -1385,7 +1440,7 @@ SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'paranoia-level/3',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \
|
||||
|
@ -1438,7 +1493,7 @@ SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \
|
|||
tag:'paranoia-level/3',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(\s*\,\s*|$)){1,7}$" \
|
||||
|
@ -1469,7 +1524,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'paranoia-level/4',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'WARNING',\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
|
||||
|
@ -1496,7 +1551,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'paranoia-level/4',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -1517,7 +1572,7 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'paranoia-level/4',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -1541,7 +1596,7 @@ SecRule REQUEST_HEADERS:Sec-Fetch-User "@validateByteRange 32,34,38,42-59,61,63,
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272',\
|
||||
tag:'paranoia-level/4',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
@ -1587,7 +1642,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\\\\])\\\\[cdegh
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/153/267',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
|
||||
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -46,7 +47,7 @@ SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connec
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/33',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -79,7 +80,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/34',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -101,7 +102,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/34',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -136,7 +137,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/273',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -165,7 +166,7 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/33',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -187,7 +188,7 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/33',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -213,7 +214,7 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/34',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -246,7 +247,40 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/136',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
#
|
||||
# -=[ Body Processor Bypass ]=-
|
||||
#
|
||||
# [ Rule Logic ]
|
||||
#
|
||||
# This rule intends to detect content types in the Content-Type header outside of the actual content type declaration.
|
||||
# This prevents bypasses targeting the Modsecurity recommended rules controlling which body processor is used.
|
||||
#
|
||||
# Regular expression generated from util/regexp-assemble/data/921421.data.
|
||||
# To update the regular expression run the following shell script
|
||||
# (consult util/regexp-assemble/README.md for details):
|
||||
# util/regexp-assemble/regexp-assemble.py update 921421
|
||||
#
|
||||
SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s,]+[;\s,].*?(?:(?:application(?:\/soap\+|\/)|text\/)xml|application\/(?:.+[+])?json)" \
|
||||
"id:921421,\
|
||||
phase:1,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:lowercase,\
|
||||
msg:'Content-Type header: Dangerous content type outside the mime type declaration',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-protocol',\
|
||||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
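Review bot: 921421's `msg:'Content-Type header: Dangerous content type outside the mime type declaration'` is byte-identical to the msg of 921422 in the next hunk of this file, and the two patterns overlap (921422's word list includes `json`, `xml` and `soap`), so at paranoia level 2 one header can raise two alerts that differ only by id in the audit log. One extra word here, e.g. `msg:'Content-Type header: Dangerous content type (xml/json) outside the mime type declaration'`, keeps correlation and log-based detections unambiguous. The regex is documented as generated from 921421.data, so any such change belongs in the action list, not the pattern.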
|
||||
|
||||
|
@ -280,11 +314,46 @@ SecRule ARGS_GET "@rx [\n\r]" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220/33',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
#
|
||||
# -=[ Body Processor Bypass ]=-
|
||||
#
|
||||
# [ Rule Logic ]
|
||||
#
|
||||
# This rule intends to detect content types in the Content-Type header outside of the actual content type declaration.
|
||||
#
|
||||
# [ References ]
|
||||
# * See rule 921422
|
||||
#
|
||||
# Regular expression generated from util/regexp-assemble/data/921422.data.
|
||||
# To update the regular expression run the following shell script
|
||||
# (consult util/regexp-assemble/README.md for details):
|
||||
# util/regexp-assemble/regexp-assemble.py update 921422
|
||||
#
|
||||
SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s,]+[;\s,].*?\b(?:(audio|image|video|csv|css|vnd|pdf|plain|json|soap|xml|x-www-form-urlencoded|form-data|related|x-amf|octet|stream|csp|report)|(text|multipart|application)|(\/|\+))\b" \
|
||||
"id:921422,\
|
||||
phase:1,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:lowercase,\
|
||||
msg:'Content-Type header: Dangerous content type outside the mime type declaration',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-protocol',\
|
||||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
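Review bot: 921422 carries `tag:'paranoia-level/2'` and sits in the PL2 section (just before the `@lt 3` skip rules that close the hunk), but its final action is `setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'`, so its score is booked against PL1 and the per-level anomaly totals no longer say which level raised the alert; `setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'` would match the tag and the PL2 rule directly above it. The `[ References ]` block above the rule reads `# * See rule 921422`, i.e. the rule points at itself; it presumably means its PL1 sibling, `# * See rule 921421`. As this is vendored upstream content, carrying both corrections as a local patch (or picking up an upstream fix if one exists) is preferable to editing the copy silently.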
|
||||
|
@ -293,6 +362,35 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,skipAf
|
|||
#
|
||||
#
|
||||
|
||||
# Forbid Request Range Header
|
||||
#
|
||||
# It is possible abuse the HTTP Request Range Header to leak error pages
|
||||
# and other information in very small snippets.
|
||||
# The easiest way to fight this is to deny the use of this header.
|
||||
# This is a viable option since the header is only used in rare circumstances
|
||||
# anymore.
|
||||
# If it is necessary to use it in a certain setup, then it is best to
|
||||
# create a rule exclusion for a given URI and this rule ID as a workaround.
|
||||
#
|
||||
SecRule &REQUEST_HEADERS:Range "@gt 0" \
|
||||
"id:921230,\
|
||||
phase:1,\
|
||||
block,\
|
||||
t:none,\
|
||||
msg:'HTTP Range Header detected',\
|
||||
logdata:'Matched Data: Header %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-protocol',\
|
||||
tag:'paranoia-level/3',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/210/272/220',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
# -=[ HTTP Parameter Pollution ]=-
|
||||
#
|
||||
# [ Rule Logic ]
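Review bot: 921230 denies any request carrying a `Range` header at paranoia level 3, which interacts with the PDF carve-out the 920 rules in this same commit keep for Range/Request-Range (the chains with `SecRule REQUEST_BASENAME "!@endsWith .pdf"` and the `.pdf`-specific field limits): at PL3 and above a PDF viewer's byte-range request is blocked here before that exemption matters. The block comment already recommends a per-URI rule exclusion; naming the interaction makes that actionable, e.g. `# Note: at PL3+ this rule also blocks the .pdf byte-range requests the 920 Range rules deliberately tolerate; exclude 921230 for such URIs if needed.` The paragraph continues outside the hunk into the HTTP Parameter Pollution section.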
|
||||
|
@ -323,7 +421,7 @@ SecRule ARGS_NAMES "@rx ." \
|
|||
tag:'paranoia-level/3',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/137/15/460',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
|
||||
|
||||
SecRule TX:/paramcounter_.*/ "@gt 1" \
|
||||
|
@ -339,7 +437,7 @@ SecRule TX:/paramcounter_.*/ "@gt 1" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/137/15/460',\
|
||||
tag:'paranoia-level/3',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \
|
||||
@ -0,0 +1,92 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
#
|
||||
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
||||
#
|
||||
|
||||
# This file is to address the 3UWMWA6W vulnerability.
|
||||
# It requires ModSecurity version 2.9.6 or 3.0.8 (or an updated version with backports
|
||||
# of the security fixes in these versions) or a compatible engine supporting these changes.
|
||||
#
|
||||
# If you cannot upgrade ModSecurity, this file will cause ModSecurity to fail to start.
|
||||
# In that case, you can temporarily delete this file. However, you will be missing
|
||||
# protection from these rules. Therefore, we recommend upgrading your engine instead.
|
||||
|
||||
# The rules in this file will be part of the 920 / 921 in the future.
|
||||
|
||||
# Only allow specific charsets when using "_charset_"
|
||||
# Note: this is in phase:2 because these are headers that come in the body
|
||||
SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
|
||||
"id:922100,\
|
||||
phase:2,\
|
||||
block,\
|
||||
t:none,\
|
||||
msg:'Multipart content type global _charset_ definition is not allowed by policy',\
|
||||
logdata:'Matched Data: %{ARGS._charset_}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-multipart-header',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153',\
|
||||
tag:'paranoia-level/1',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule ARGS:_charset_ "!@within |%{tx.allowed_request_content_type_charset}|" \
|
||||
"t:lowercase,\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
# Only allow specific charsets same as Rule 920600
|
||||
# Note: this is in phase:2 because these are headers that come in the body
|
||||
SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*+:\s*+(.*)$" \
|
||||
"id:922110,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:lowercase,\
|
||||
msg:'Illegal MIME Multipart Header content-type: charset parameter',\
|
||||
logdata:'Matched Data: %{TX.1} found within Content-Type multipart form',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-protocol',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/272/220',\
|
||||
tag:'paranoia-level/1',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule TX:1 "!@rx ^(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*(?:\s*+,\s*+(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*)*$" \
|
||||
"t:lowercase,\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
# Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used (see: https://www.rfc-editor.org/rfc/rfc7578#section-4.7)
|
||||
# Note: this is in phase:2 because these are headers that come in the body
|
||||
SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \
|
||||
"id:922120,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:lowercase,\
|
||||
msg:'Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used',\
|
||||
logdata:'Matched Data: %{TX.0}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-deprecated-header',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/272/220',\
|
||||
tag:'paranoia-level/1',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
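Review bot: The file header states it requires ModSecurity 2.9.6 or 3.0.8 and that an older engine will fail to start once it is loaded (all three rules use `MULTIPART_PART_HEADERS`), yet nothing in this commit pins or verifies the engine version of the `modsec2-apache` image the regression matrix runs against, so a stale base image turns a rule-set update into an outage rather than a detection gap; a startup check in CI, or at least an explicit line in the project's install notes, would make the requirement visible. Separately, 922100's chained rule compares `ARGS:_charset_` with `|%{tx.allowed_request_content_type_charset}|`; if that variable is unset or empty the target collapses to `||` and every multipart request declaring `_charset_` is scored as critical, so the file should say that it depends on that setup variable, e.g. `# Note: 922100 requires tx.allowed_request_content_type_charset to be set (see crs-setup); an empty value blocks every request that declares _charset_.`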
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -41,7 +42,7 @@ SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@r
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/126',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -64,7 +65,7 @@ SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@rx (?
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/126',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
multiMatch,\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
|
@ -91,7 +92,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/126',\
|
||||
tag:'PCI/6.5.4',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -118,7 +119,7 @@ SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/255/153/126',\
|
||||
tag:'PCI/6.5.4',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -49,7 +50,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?):\/\/(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/175/253',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -70,7 +71,7 @@ SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_abso
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/175/253',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -91,7 +92,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/175/253',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -120,7 +121,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?)://([^/]*).*$" \
|
|||
tag:'capec/1000/152/175/253',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
|
||||
chain"
|
||||
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -116,7 +117,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -152,7 +153,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -249,7 +250,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -288,7 +289,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -323,7 +324,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -360,7 +361,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -406,7 +407,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -457,7 +458,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -494,7 +495,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -526,7 +527,7 @@ SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \
|
|||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -548,7 +549,7 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
|
|||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -583,7 +584,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -628,7 +629,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/88',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule MATCHED_VAR "@rx /" "t:none,t:urlDecodeUni,chain"
|
||||
|
@ -678,7 +679,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/3',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -710,7 +711,7 @@ SecRule ARGS "@rx (?:/|\\\\)(?:[\?\*]+[a-z/\\\\]+|[a-z/\\\\]+[\?\*]+)" \
|
|||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/3',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -59,7 +60,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -101,7 +102,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -126,7 +127,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule MATCHED_VARS "@pm =" \
|
||||
|
@ -154,7 +155,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -191,7 +192,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -220,7 +221,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -288,7 +289,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -342,7 +343,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -398,7 +399,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -454,7 +455,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -496,7 +497,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -540,7 +541,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'capec/1000/152/242',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule MATCHED_VARS "@pm (" \
|
||||
|
@ -594,7 +595,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/242',\
|
||||
tag:'paranoia-level/3',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -640,7 +641,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'capec/1000/152/242',\
|
||||
tag:'paranoia-level/3',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -683,7 +684,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
|
|||
tag:'capec/1000/152/242',\
|
||||
tag:'paranoia-level/3',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -713,7 +714,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/242',\
|
||||
tag:'paranoia-level/3',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -62,7 +63,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
multiMatch,\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -49,7 +50,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -76,7 +77,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -102,7 +103,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -132,7 +133,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -158,7 +159,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -193,7 +194,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -218,7 +219,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -244,7 +245,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -271,7 +272,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -293,7 +294,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -315,7 +316,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -337,7 +338,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -359,7 +360,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -381,7 +382,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -403,7 +404,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -425,7 +426,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -447,7 +448,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -469,7 +470,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -491,7 +492,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -513,7 +514,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -540,7 +541,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -567,7 +568,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -609,7 +610,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242/63',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -637,7 +638,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/242/63',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -668,7 +669,7 @@ SecRule REQUEST_HEADERS:Referer "@detectXSS" \
|
|||
tag:'capec/1000/152/242',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -694,7 +695,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'capec/1000/152/242',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -777,7 +778,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'capec/1000/152/242/63',\
|
||||
tag:'PCI/6.5.1',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -798,7 +799,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'capec/1000/152/242',\
|
||||
tag:'PCI/6.5.1',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -822,7 +823,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'capec/1000/152/242',\
|
||||
tag:'PCI/6.5.1',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -855,7 +856,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/242/63',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -58,7 +59,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
multiMatch,\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
|
@ -93,7 +94,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -119,7 +120,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -148,7 +149,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -177,7 +178,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -198,7 +199,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -219,7 +220,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -248,7 +249,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -269,7 +270,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -290,7 +291,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -319,7 +320,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -340,7 +341,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -369,7 +370,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -398,7 +399,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -438,7 +439,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -474,7 +475,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -512,7 +513,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?:^\s*[\"'`;]+|[\"'`]+\s*$)" \
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
|
||||
|
@ -548,7 +549,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\)|\
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -583,7 +584,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?(?:
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
multiMatch,\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
|
@ -622,7 +623,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -651,7 +652,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -683,7 +684,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -715,7 +716,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -744,7 +745,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -773,7 +774,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -802,7 +803,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -839,7 +840,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -870,7 +871,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -895,7 +896,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -929,7 +930,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -956,7 +957,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -983,7 +984,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -1013,7 +1014,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -1050,7 +1051,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -1083,7 +1084,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -1116,7 +1117,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -1157,7 +1158,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
|
||||
|
@ -1201,7 +1202,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -1226,7 +1227,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -1275,7 +1276,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -1314,7 +1315,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/3',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -1338,7 +1339,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/3',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -1378,7 +1379,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/3',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
|
||||
|
@ -1407,7 +1408,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/3',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
|
||||
|
@ -1437,7 +1438,7 @@ SecRule ARGS "@rx \W{4}" \
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/3',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}'"
|
||||
|
@ -1471,7 +1472,7 @@ SecRule REQUEST_BASENAME "@detectSQLi" \
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/3',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -1521,7 +1522,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/3',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -1554,7 +1555,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/4',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
|
||||
|
@ -1583,7 +1584,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
|
|||
tag:'capec/1000/152/248/66',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/4',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'WARNING',\
|
||||
setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -43,7 +44,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/21/593/61',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -65,7 +66,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/21/593/61',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:Referer "@rx ^(?:ht|f)tps?://(.*?)\/" \
|
||||
|
@ -92,7 +93,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/225/21/593/61',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule &REQUEST_HEADERS:Referer "@eq 0" \
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -46,7 +47,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'capec/1000/152/137/6',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/1',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -80,7 +81,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'capec/1000/152/248',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/1',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \
|
||||
|
@ -106,7 +107,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'capec/1000/152/248',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/1',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
|
||||
|
@ -140,7 +141,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'capec/1000/152/248',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/1',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -179,7 +180,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'capec/1000/152/248',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -201,7 +202,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'capec/1000/152/248',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -223,7 +224,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'capec/1000/152/248',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -248,7 +249,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'capec/1000/152/248',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
@ -284,7 +285,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'capec/1000/152/248',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/3',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -68,7 +69,7 @@ SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-ip',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule TX:DO_REPUT_BLOCK "@eq 1" \
|
||||
|
@ -88,7 +89,7 @@ SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-generic',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
|
||||
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -44,7 +45,7 @@ SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Inde
|
|||
tag:'capec/1000/118/116/54/127',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
@ -78,7 +79,7 @@ SecRule RESPONSE_BODY "@rx ^#\!\s?/" \
|
|||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
@ -110,7 +111,7 @@ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/152',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.error_anomaly_score}'"
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -38,7 +39,7 @@ SecRule RESPONSE_BODY "@pmFromFile sql-errors.data" \
|
|||
tag:'paranoia-level/1',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.sql_error_match=1'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
|
@ -57,7 +58,7 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
|
||||
|
@ -82,7 +83,7 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" \
|
||||
|
@ -107,7 +108,7 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.*DB2|DB2 SQL error|db2_\w+\()" \
|
||||
|
@ -132,7 +133,7 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinity of:)" \
|
||||
|
@ -157,7 +158,7 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
|
||||
|
@ -183,7 +184,7 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollback\." \
|
||||
|
@ -208,7 +209,7 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
|
||||
|
@ -233,7 +234,7 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.*Informix)" \
|
||||
|
@ -259,7 +260,7 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)" \
|
||||
|
@ -285,7 +286,7 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)" \
|
||||
|
@ -310,7 +311,7 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
|
||||
|
@ -335,7 +336,7 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.)" \
|
||||
|
@ -360,7 +361,7 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid MySQL|Column count doesn't match value count at row|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax;|You have an error in your SQL syntax near|MySQL server version for the right syntax to use|\[MySQL\]\[ODBC|Column count doesn't match|Table '[^']+' doesn't exist|SQL syntax.*MySQL|Warning.*mysql_.*|valid MySQL result|MySqlClient\.)" \
|
||||
|
@ -385,7 +386,7 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:PostgreSQL query failed:|pg_query\(\) \[:|pg_exec\(\) \[:|PostgreSQL.*ERROR|Warning.*pg_.*|valid PostgreSQL result|Npgsql\.|PG::[a-zA-Z]*Error|Supplied argument is not a valid PostgreSQL .*? resource|Unable to connect to PostgreSQL server)" \
|
||||
|
@ -410,7 +411,7 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\.Exception|System\.Data\.SQLite\.SQLiteException)" \
|
||||
|
@ -435,7 +436,7 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116/54',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.*sybase.*|Sybase.*Server message.*)" \
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -39,7 +40,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
|
|||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
@ -66,7 +67,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
|
|||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -39,7 +40,7 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \
|
|||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
@ -66,7 +67,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan
|
|||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
@ -97,7 +98,7 @@ SecRule RESPONSE_BODY "@rx <\?(?!xml)" \
|
|||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'ERROR',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "!@rx (?:\x1f\x8b\x08|\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b|^wOF[F2])" \
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -37,7 +38,7 @@ SecRule RESPONSE_BODY "@rx [a-z]:\\\\inetpub\b" \
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
@ -60,7 +61,7 @@ SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:<\/font
|
|||
tag:'OWASP_CRS',\
|
||||
tag:'capec/1000/118/116',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
@ -86,7 +87,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application
|
|||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
@ -110,7 +111,7 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
|
|||
tag:'capec/1000/118/116',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'ERROR',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -72,7 +73,7 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
|
|||
t:none,\
|
||||
msg:'Outbound Anomaly Score Exceeded (Total Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
|
||||
tag:'anomaly-evaluation',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.anomaly_score=+%{tx.outbound_anomaly_score}'"
|
||||
|
||||
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -29,7 +30,7 @@ SecRule &TX:'/LEAKAGE\\\/ERRORS/' "@ge 1" \
|
|||
log,\
|
||||
msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
|
||||
tag:'event-correlation',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'EMERGENCY',\
|
||||
chain,\
|
||||
skipAfter:END-CORRELATION"
|
||||
|
@ -46,7 +47,7 @@ SecRule &TX:'/AVAILABILITY\\\/APP_NOT_AVAIL/' "@ge 1" \
|
|||
log,\
|
||||
msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
|
||||
tag:'event-correlation',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
severity:'ALERT',\
|
||||
chain,\
|
||||
skipAfter:END-CORRELATION"
|
||||
|
@ -60,7 +61,7 @@ SecAction \
|
|||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.executing_anomaly_score=%{tx.anomaly_score_pl1}',\
|
||||
setvar:'tx.executing_anomaly_score=+%{tx.anomaly_score_pl2}',\
|
||||
setvar:'tx.executing_anomaly_score=+%{tx.anomaly_score_pl3}',\
|
||||
|
@ -75,7 +76,7 @@ SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_threshold}" \
|
|||
noauditlog,\
|
||||
msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\
|
||||
tag:'event-correlation',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule TX:MONITOR_ANOMALY_SCORE "@gt 1"
|
||||
|
||||
|
@ -88,7 +89,7 @@ SecRule TX:INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
|
|||
noauditlog,\
|
||||
msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\
|
||||
tag:'event-correlation',\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
|
||||
"id:980140,\
|
||||
|
@ -99,7 +100,7 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
|
|||
noauditlog,\
|
||||
msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\
|
||||
tag:'event-correlation',\
|
||||
ver:'OWASP_CRS/3.3.2'"
|
||||
ver:'OWASP_CRS/3.3.4'"
|
||||
|
||||
# Creating a total sum of all triggered outbound rules, including the ones only being monitored
|
||||
SecAction \
|
||||
|
@ -109,7 +110,7 @@ SecAction \
|
|||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
setvar:'tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1}',\
|
||||
setvar:'tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2}',\
|
||||
setvar:'tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl3}',\
|
||||
|
@ -124,7 +125,7 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@lt %{tx.outbound_anomaly_score_threshold}" \
|
|||
noauditlog,\
|
||||
msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\
|
||||
tag:'event-correlation',\
|
||||
ver:'OWASP_CRS/3.3.2',\
|
||||
ver:'OWASP_CRS/3.3.4',\
|
||||
chain"
|
||||
SecRule TX:MONITOR_ANOMALY_SCORE "@gt 1"
|
||||
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
|
|
@ -1,41 +1,72 @@
|
|||
version: '3.1'
|
||||
version: '3.2'
|
||||
|
||||
# Only one of these will be up at a time for now.
|
||||
# Concurrency will be on the tests folder we have.
|
||||
|
||||
services:
|
||||
modsec2-apache:
|
||||
image: owasp/modsecurity-crs:v3.2-modsec2-apache
|
||||
container_name: modsec2-apache
|
||||
image: owasp/modsecurity-crs:apache
|
||||
environment:
|
||||
- SERVERNAME=modsec2-apache
|
||||
- MODSEC_RULE_ENGINE=DetectionOnly
|
||||
- PARANOIA=5
|
||||
SERVERNAME: modsec2-apache
|
||||
BACKEND: http://backend
|
||||
PORT: "80"
|
||||
MODSEC_RULE_ENGINE: DetectionOnly
|
||||
PARANOIA: 4
|
||||
TZ: "${TZ}"
|
||||
ERRORLOG: "/var/log/error.log"
|
||||
ACCESSLOG: "/var/log/access.log"
|
||||
MODSEC_AUDIT_LOG_FORMAT: Native
|
||||
MODSEC_AUDIT_LOG_TYPE: Serial
|
||||
MODSEC_AUDIT_LOG: "/var/log/modsec_audit.log"
|
||||
MODSEC_TMP_DIR: "/tmp"
|
||||
MODSEC_RESP_BODY_ACCESS: "On"
|
||||
MODSEC_RESP_BODY_MIMETYPE: "text/plain text/html text/xml application/json"
|
||||
COMBINED_FILE_SIZES: "65535"
|
||||
CRS_ENABLE_TEST_MARKER: 1
|
||||
volumes:
|
||||
- ${GITHUB_WORKSPACE}/logs/modsec2-apache:/var/log/apache2
|
||||
- ${GITHUB_WORKSPACE}/rules:/etc/modsecurity.d/owasp-crs/rules
|
||||
- ./logs/modsec2-apache:/var/log:rw
|
||||
- ../rules:/opt/owasp-crs/rules:ro
|
||||
- ../crs-setup.conf.example:/etc/modsecurity.d/owasp-crs/crs-setup.conf.example
|
||||
entrypoint: ["/bin/sh", "-c", "/bin/cp /etc/modsecurity.d/owasp-crs/crs-setup.conf.example /etc/modsecurity.d/owasp-crs/crs-setup.conf && /docker-entrypoint.sh && apachectl -D FOREGROUND"]
|
||||
ports:
|
||||
- "80:80"
|
||||
depends_on:
|
||||
- backend
|
||||
|
||||
modsec3-apache:
|
||||
image: owasp/modsecurity-crs:v3.2-modsec3-apache
|
||||
environment:
|
||||
- SERVERNAME=modsec3-apache
|
||||
- MODSEC_RULE_ENGINE=DetectionOnly
|
||||
- PARANOIA=5
|
||||
volumes:
|
||||
- ${GITHUB_WORKSPACE}/logs/modsec3-apache:/var/log/apache2
|
||||
- ${GITHUB_WORKSPACE}/rules:/etc/modsecurity.d/owasp-crs/rules
|
||||
ports:
|
||||
- "80:80"
|
||||
|
||||
modsec3-nginx:
|
||||
image: owasp/modsecurity-crs:v3.2-modsec3-nginx
|
||||
container_name: modsec3-nginx
|
||||
image: owasp/modsecurity-crs:nginx
|
||||
environment:
|
||||
- SERVERNAME=modsec3-nginx
|
||||
- MODSEC_RULE_ENGINE=DetectionOnly
|
||||
- PARANOIA=5
|
||||
SERVERNAME: modsec3-nginx
|
||||
BACKEND: http://backend
|
||||
PORT: "80"
|
||||
MODSEC_RULE_ENGINE: DetectionOnly
|
||||
PARANOIA: 4
|
||||
TZ: "${TZ}"
|
||||
ERRORLOG: "/var/log/error.log"
|
||||
LOGLEVEL: "info"
|
||||
ACCESSLOG: "/var/log/access.log"
|
||||
MODSEC_AUDIT_LOG_FORMAT: Native
|
||||
MODSEC_AUDIT_LOG_TYPE: Serial
|
||||
MODSEC_AUDIT_LOG: "/var/log/modsec_audit.log"
|
||||
MODSEC_RESP_BODY_ACCESS: "On"
|
||||
MODSEC_RESP_BODY_MIMETYPE: "text/plain text/html text/xml application/json"
|
||||
COMBINED_FILE_SIZES: "65535"
|
||||
CRS_ENABLE_TEST_MARKER: 1
|
||||
volumes:
|
||||
- ${GITHUB_WORKSPACE}/logs/modsec3-nginx:/var/log/nginx
|
||||
- ${GITHUB_WORKSPACE}/rules:/etc/modsecurity.d/owasp-crs/rules
|
||||
- ./logs/modsec3-nginx:/var/log:rw
|
||||
- ../rules:/opt/owasp-crs/rules:ro
|
||||
- ../crs-setup.conf.example:/etc/modsecurity.d/owasp-crs/crs-setup.conf.example
|
||||
command: ["nginx", "-g", "daemon off;"]
|
||||
ports:
|
||||
- "80:80"
|
||||
depends_on:
|
||||
- backend
|
||||
|
||||
# our test originally targeted www.example.com as backend
|
||||
# and that would do real traffic, to a real site
|
||||
#
|
||||
backend:
|
||||
image: docker.io/kennethreitz/httpbin
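Review bot: Both service images now use floating tags, `owasp/modsecurity-crs:apache` and `owasp/modsecurity-crs:nginx`, and the `backend` service's `docker.io/kennethreitz/httpbin` carries no tag at all, so each regression run picks up whatever upstream last pushed and a failure cannot be tied to a specific ModSecurity container build. The previous revision pinned `v3.2-modsec2-apache`; keep that property by pinning a version-specific tag or a digest, e.g. `image: owasp/modsecurity-crs:<PINNED_TAG>` and `image: docker.io/kennethreitz/httpbin@sha256:<DIGEST>` (placeholders), and bump them deliberately alongside the CRS version. The `../rules` mount is `:ro` but `../crs-setup.conf.example` is mounted writable in both services, although the entrypoint only reads it; adding `:ro` there matches the rules mount and protects the host copy.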
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
from ftw import ruleset, logchecker, testrunner
|
||||
import datetime
|
||||
from subprocess import TimeoutExpired
|
||||
from ftw import logchecker, testrunner, http
|
||||
from ftw.ruleset import Input
|
||||
import pytest
|
||||
import sys
|
||||
import re
|
||||
import os
|
||||
|
||||
CRS_HEADER = 'X-CRS-Test'
|
||||
|
||||
def test_crs(ruleset, test, logchecker_obj):
|
||||
def test_crs(test, logchecker_obj):
|
||||
runner = testrunner.TestRunner()
|
||||
for stage in test.stages:
|
||||
runner.run_stage(stage, logchecker_obj)
|
||||
|
@ -15,49 +15,135 @@ def test_crs(ruleset, test, logchecker_obj):
|
|||
class FooLogChecker(logchecker.LogChecker):
|
||||
def __init__(self, config):
|
||||
super(FooLogChecker, self).__init__()
|
||||
self.log_location = config["log_location_linux"]
|
||||
self.log_date_regex = config["log_date_regex"]
|
||||
self.log_date_format = config["log_date_format"]
|
||||
self.log_location = self.find_log_location(config)
|
||||
self.backwards_reader = BackwardsReader(self.log_location)
|
||||
self.start_marker = None
|
||||
self.end_marker = None
|
||||
|
||||
def reverse_readline(self, filename):
|
||||
with open(filename) as f:
|
||||
f.seek(0, os.SEEK_END)
|
||||
position = f.tell()
|
||||
line = ""
|
||||
while position >= 0:
|
||||
f.seek(position)
|
||||
next_char = f.read(1)
|
||||
if next_char == "\n":
|
||||
yield line[::-1]
|
||||
line = ""
|
||||
else:
|
||||
line += next_char
|
||||
position -= 1
|
||||
yield line[::-1]
|
||||
def mark_start(self, stage_id):
|
||||
self.start_marker = self.find_marker(stage_id)
|
||||
|
||||
def mark_end(self, stage_id):
|
||||
self.end_marker = self.find_marker(stage_id)
|
||||
|
||||
def find_marker(self, stage_id):
|
||||
stage_id_bytes = stage_id.encode('utf-8')
|
||||
header_bytes = CRS_HEADER.encode('utf-8')
|
||||
def try_once():
|
||||
self.mark_and_flush_log(stage_id)
|
||||
self.backwards_reader.reset()
|
||||
return self.backwards_reader.readline() or b''
|
||||
|
||||
line = try_once()
|
||||
while not (header_bytes in line and stage_id_bytes in line):
|
||||
line = try_once()
|
||||
return line
|
||||
|
||||
def get_logs(self):
|
||||
pattern = re.compile(r"%s" % self.log_date_regex)
|
||||
our_logs = []
|
||||
for lline in self.reverse_readline(self.log_location):
|
||||
# Extract dates from each line
|
||||
match = re.match(pattern, lline)
|
||||
if match:
|
||||
log_date = match.group(1)
|
||||
log_date = datetime.datetime.strptime(log_date, self.log_date_format)
|
||||
# NGINX doesn't give us microsecond level by detail, round down.
|
||||
if "%f" not in self.log_date_format:
|
||||
ftw_start = self.start.replace(microsecond=0)
|
||||
else:
|
||||
ftw_start = self.start
|
||||
ftw_end = self.end
|
||||
if log_date <= ftw_end and log_date >= ftw_start:
|
||||
our_logs.append(lline)
|
||||
# If our log is from before FTW started stop
|
||||
if log_date < ftw_start:
|
||||
break
|
||||
return our_logs
|
||||
logs = []
|
||||
# At this point we're already at the end marker
|
||||
for line in self.backwards_reader.readlines():
|
||||
if line == self.start_marker:
|
||||
break
|
||||
|
||||
logs.append(line.decode('utf-8'))
|
||||
return logs
|
||||
|
||||
def mark_and_flush_log(self, header_value):
|
||||
"""
|
||||
Send a valid request to the server with a special header that will
|
||||
generate an entry in the log. We can use this to flush the log and to
|
||||
mark the output so we know where our test output is.
|
||||
"""
|
||||
http.HttpUA().send_request(Input(
|
||||
headers={
|
||||
'Host': 'localhost',
|
||||
'User-Agent': 'CRS',
|
||||
'Accept': '*/*',
|
||||
CRS_HEADER: header_value
|
||||
},
|
||||
version='HTTP/1.0'))
|
||||
|
||||
@staticmethod
|
||||
def find_log_location(config):
|
||||
key = 'log_location_linux'
|
||||
# First, try to find the log configuration from config.ini
|
||||
if key in config:
|
||||
return config[key]
|
||||
else:
|
||||
# Now we could check for the configuration that was passed
|
||||
# on the command line. Unfortunately, we use a default, so we
|
||||
# don't know whether it was *actually* on the command line.
|
||||
# Let's try to find the Docker container instead.
|
||||
import os.path
|
||||
import subprocess
|
||||
prefix = os.path.join('tests', 'logs')
|
||||
log_file_name = 'error.log'
|
||||
directory_name = 'modsec2-apache'
|
||||
process = subprocess.Popen(
|
||||
'docker ps --format "{{.Names}}"',
|
||||
shell=True,
|
||||
stdout=subprocess.PIPE,
|
||||
stderr=subprocess.PIPE)
|
||||
try:
|
||||
out, _ = process.communicate(timeout=10)
|
||||
except TimeoutExpired:
|
||||
out = ''
|
||||
if b'modsec3-nginx' in out:
|
||||
directory_name = 'modsec3-nginx'
|
||||
return os.path.join(prefix, directory_name, log_file_name)
|
||||
|
||||
|
||||
@pytest.fixture(scope="session")
|
||||
|
||||
@pytest.fixture(scope='session')
|
||||
def logchecker_obj(config):
|
||||
return FooLogChecker(config)
|
||||
|
||||
# Adapted from http://code.activestate.com/recipes/120686-read-a-text-file-backwards/
|
||||
class BackwardsReader:
|
||||
def __init__(self, file, blksize=4096):
|
||||
"""initialize the internal structures"""
|
||||
self.file = file
|
||||
# how big of a block to read from the file...
|
||||
self.blksize = blksize
|
||||
self.f = open(file, 'rb')
|
||||
|
||||
self.reset()
|
||||
|
||||
def readline(self):
|
||||
while len(self.data) == 1 and ((self.blkcount * self.blksize) < self.size):
|
||||
self.blkcount = self.blkcount + 1
|
||||
line = self.data[0]
|
||||
try:
|
||||
self.f.seek(-self.blksize * self.blkcount, os.SEEK_END) # read from end of file
|
||||
self.data = (self.f.read(self.blksize) + line).split(b'\n')
|
||||
except IOError: # can't seek before the beginning of the file
|
||||
self.f.seek(0)
|
||||
self.data = (self.f.read(self.size - (self.blksize * (self.blkcount-1))) + line).split(b'\n')
|
||||
|
||||
if len(self.data) == 0:
|
||||
return ""
|
||||
|
||||
line = self.data.pop()
|
||||
return line + b'\n'
|
||||
|
||||
def readlines(self):
|
||||
line = self.readline()
|
||||
while line:
|
||||
yield line
|
||||
line = self.readline()
|
||||
|
||||
def reset(self):
|
||||
# get the file size
|
||||
self.size = os.stat(self.file)[6]
|
||||
# how many blocks we've read
|
||||
self.blkcount = 1
|
||||
# if the file is smaller than the blocksize, read a block,
|
||||
# otherwise, read the whole thing...
|
||||
if self.size > self.blksize:
|
||||
self.f.seek(-self.blksize * self.blkcount, 2) # read from end of file
|
||||
self.data = self.f.read(self.blksize).split(b'\n')
|
||||
# strip the last item if it's empty... a byproduct of the last line having
|
||||
# a newline at the end of it
|
||||
if not self.data[-1]:
|
||||
self.data.pop()
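Review bot: In `find_log_location`, the `except TimeoutExpired:` branch sets `out = ''` (a str), so the following `b'modsec3-nginx' in out` raises `TypeError` on the timeout path instead of falling back to `modsec2-apache`, and the `docker ps` child is left running. Change the handler to `process.kill()`, `process.communicate()`, `out = b''` so the child is reaped and the membership test stays bytes-on-bytes. Since `shell=True` is used only to run a constant command string, passing it as an argument list, `['docker', 'ps', '--format', '{{.Names}}']`, drops the shell with no loss. `find_marker`'s `while not (header_bytes in line and stage_id_bytes in line)` loop has no attempt cap or delay, so if the marker request never reaches the log (server down, wrong log path) the test hangs rather than failing; a bounded retry count ending in an assertion with a clear message would surface that.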
|
||||
|
|
|
@ -1,14 +1,5 @@
|
|||
[modsec2-apache]
|
||||
log_date_format = %a %b %d %H:%M:%S.%f %Y
|
||||
log_date_regex = \[([A-Z][a-z]{2} [A-z][a-z]{2} \d{1,2} \d{1,2}\:\d{1,2}\:\d{1,2}\.\d+? \d{4})\]
|
||||
log_location_linux = /var/log/apache2/error.log
|
||||
|
||||
[modsec3-apache]
|
||||
log_date_format = %a %b %d %H:%M:%S.%f %Y
|
||||
log_date_regex = \[([A-Z][a-z]{2} [A-z][a-z]{2} \d{1,2} \d{1,2}\:\d{1,2}\:\d{1,2}\.\d+? \d{4})\]
|
||||
log_location_linux = /var/log/apache2/error.log
|
||||
log_location_linux = tests/logs/modsec2-apache/error.log
|
||||
|
||||
[modsec3-nginx]
|
||||
log_date_format = %Y/%m/%d %H:%M:%S
|
||||
log_date_regex = (\d{4}\/\d{2}\/\d{2} \d{2}:\d{2}:\d{2})
|
||||
log_location_linux = /var/log/nginx/error.log
|
||||
log_location_linux = tests/logs/modsec3-nginx/error.log
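Review bot: The new `log_location_linux` values, `tests/logs/modsec2-apache/error.log` and `tests/logs/modsec3-nginx/error.log`, are relative to the process working directory, while `conftest.py` locates `config.ini` relative to `__file__`, so the suite only finds the log when pytest is started from the repository root. Resolving the path against the config file's directory in the `config` fixture, or at least stating the assumption in a comment above the first section, e.g. `# log paths are relative to the repository root; run pytest from there`, would make the two agree.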
|
||||
|
|
|
@ -7,11 +7,11 @@ import pytest
|
|||
|
||||
|
||||
def pytest_addoption(parser):
|
||||
parser.addoption("--config", action="store", default="modsec2-apache")
|
||||
parser.addoption('--config', action='store', default='modsec2-apache')
|
||||
|
||||
|
||||
@pytest.fixture(scope="session")
|
||||
@pytest.fixture(scope='session')
|
||||
def config(request):
|
||||
cp = configparser.RawConfigParser()
|
||||
cp.read(os.path.join(os.path.dirname(__file__), "config.ini"))
|
||||
return dict(cp.items(request.config.getoption("--config")))
|
||||
cp.read(os.path.join(os.path.dirname(__file__), 'config.ini'))
|
||||
return dict(cp.items(request.config.getoption('--config')))
|
||||
|
|
|
@ -1 +1 @@
|
|||
ftw==1.1.7
|
||||
ftw==1.3.0
|
||||
|
|
|
@ -82,7 +82,7 @@
|
|||
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /
|
||||
uri: /post
|
||||
version: HTTP/1.0
|
||||
data: abc
|
||||
output:
|
||||
|
|
|
@ -1,80 +1,70 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git, Franziska Bühler"
|
||||
enabled: true
|
||||
name: "920420.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
-
|
||||
test_title: 920420-1
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
data: "test=value"
|
||||
output:
|
||||
no_log_contains: "id \"920420\""
|
||||
-
|
||||
test_title: 920420-2
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "my-new-content-type"
|
||||
data: "test"
|
||||
output:
|
||||
log_contains: "id \"920420\""
|
||||
-
|
||||
test_title: 920420-3
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "GET"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "my-new-content-type"
|
||||
data: "test"
|
||||
output:
|
||||
log_contains: "id \"920420\""
|
||||
-
|
||||
test_title: 920420-4
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "PROPFIND"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "my-new-content-type"
|
||||
data: "test"
|
||||
output:
|
||||
log_contains: "id \"920420\""
|
||||
-
|
||||
test_title: 920420-5
|
||||
desc: Request content type is not allowed by policy (920420) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
meta:
|
||||
author: "csanders-git, Franziska Bühler"
|
||||
enabled: true
|
||||
name: "920420.yaml"
|
||||
description: "Description"
|
||||
tests:
|
||||
- test_title: 920420-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded"
|
||||
data: "test=value"
|
||||
output:
|
||||
no_log_contains: "id \"920420\""
|
||||
- test_title: 920420-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "my-new-content-type"
|
||||
data: "test"
|
||||
output:
|
||||
log_contains: "id \"920420\""
|
||||
- test_title: 920420-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "GET"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "my-new-content-type"
|
||||
data: "test"
|
||||
output:
|
||||
log_contains: "id \"920420\""
|
||||
- test_title: 920420-4
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "PROPFIND"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "my-new-content-type"
|
||||
data: "test"
|
||||
output:
|
||||
log_contains: "id \"920420\""
|
||||
- test_title: 920420-5
|
||||
desc: Request content type is not allowed by policy (920420) from old modsec regressions
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
@ -92,28 +82,26 @@
|
|||
uri: /
|
||||
version: HTTP/1.1
|
||||
data:
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="name"'
|
||||
- ''
|
||||
- John Smith
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="email"'
|
||||
- ''
|
||||
- john.smith@example.com
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="image"; filename="image.jpg"'
|
||||
- 'Content-Type: image/jpeg'
|
||||
- ''
|
||||
- BINARYDATA
|
||||
- --0000--
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="name"'
|
||||
- ''
|
||||
- John Smith
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="email"'
|
||||
- ''
|
||||
- john.smith@example.com
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="image"; filename="image.jpg"'
|
||||
- 'Content-Type: image/jpeg'
|
||||
- ''
|
||||
- BINARYDATA
|
||||
- --0000--
|
||||
output:
|
||||
log_contains: id "920420"
|
||||
-
|
||||
test_title: 920420-6
|
||||
desc: Request content type is not allowed by policy (920420) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
- test_title: 920420-6
|
||||
desc: Request content type is not allowed by policy (920420) from old modsec regressions
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
@ -131,28 +119,26 @@
|
|||
uri: /
|
||||
version: HTTP/1.1
|
||||
data:
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="name"'
|
||||
- ''
|
||||
- John Smith
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="email"'
|
||||
- ''
|
||||
- john.smith@example.com
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="image"; filename="image.jpg"'
|
||||
- 'Content-Type: image/jpeg'
|
||||
- ''
|
||||
- BINARYDATA
|
||||
- --0000--
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="name"'
|
||||
- ''
|
||||
- John Smith
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="email"'
|
||||
- ''
|
||||
- john.smith@example.com
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="image"; filename="image.jpg"'
|
||||
- 'Content-Type: image/jpeg'
|
||||
- ''
|
||||
- BINARYDATA
|
||||
- --0000--
|
||||
output:
|
||||
log_contains: id "920420"
|
||||
-
|
||||
test_title: 920420-7
|
||||
desc: Request content type is not allowed by policy (920420) from old modsec regressions
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
- test_title: 920420-7
|
||||
desc: Request content type is not allowed by policy (920420) from old modsec regressions
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
|
@ -170,115 +156,179 @@
|
|||
uri: /
|
||||
version: HTTP/1.1
|
||||
data:
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="name"'
|
||||
- ''
|
||||
- John Smith
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="email"'
|
||||
- ''
|
||||
- john.smith@example.com
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="image"; filename="image.jpg"'
|
||||
- 'Content-Type: image/jpeg'
|
||||
- ''
|
||||
- BINARYDATA
|
||||
- --0000--
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="name"'
|
||||
- ''
|
||||
- John Smith
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="email"'
|
||||
- ''
|
||||
- john.smith@example.com
|
||||
- --0000
|
||||
- 'Content-Disposition: form-data; name="image"; filename="image.jpg"'
|
||||
- 'Content-Type: image/jpeg'
|
||||
- ''
|
||||
- BINARYDATA
|
||||
- --0000--
|
||||
output:
|
||||
log_contains: id "920420"
|
||||
-
|
||||
test_title: 920420-8
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "HEAD"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "my-new-content-type"
|
||||
data: "test"
|
||||
output:
|
||||
log_contains: "id \"920420\""
|
||||
-
|
||||
test_title: 920420-9
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "OPTIONS"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/json"
|
||||
data: "test"
|
||||
output:
|
||||
no_log_contains: "id \"920420\""
|
||||
-
|
||||
test_title: 920420-10
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "OPTIONS"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/soap+xml"
|
||||
data: "test"
|
||||
output:
|
||||
no_log_contains: "id \"920420\""
|
||||
-
|
||||
test_title: 920420-11
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "OPTIONS"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "application"
|
||||
data: "test"
|
||||
output:
|
||||
log_contains: "id \"920420\""
|
||||
-
|
||||
test_title: 920420-12
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "HEAD"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "multipart/related"
|
||||
data: "test"
|
||||
output:
|
||||
no_log_contains: "id \"920420\""
|
||||
-
|
||||
test_title: 920420-13
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "HEAD"
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Content-Type: "Multipart/Related"
|
||||
data: "test"
|
||||
output:
|
||||
no_log_contains: "id \"920420\""
|
||||
- test_title: 920420-8
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "HEAD"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Content-Type: "my-new-content-type"
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
data: "test"
|
||||
output:
|
||||
log_contains: "id \"920420\""
|
||||
- test_title: 920420-9
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "OPTIONS"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/json"
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
data: "test"
|
||||
output:
|
||||
no_log_contains: "id \"920420\""
|
||||
- test_title: 920420-10
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "OPTIONS"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/soap+xml"
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
data: "test"
|
||||
output:
|
||||
no_log_contains: "id \"920420\""
|
||||
- test_title: 920420-11
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "OPTIONS"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Content-Type: "application"
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
data: "test"
|
||||
output:
|
||||
log_contains: "id \"920420\""
|
||||
- test_title: 920420-12
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "HEAD"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Content-Type: "multipart/related"
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
data: "test"
|
||||
output:
|
||||
no_log_contains: "id \"920420\""
|
||||
- test_title: 920420-13
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "HEAD"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Content-Type: "Multipart/Related"
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
data: "test"
|
||||
output:
|
||||
no_log_contains: "id \"920420\""
|
||||
- test_title: 920420-14
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
method: "POST"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Host: "localhost"
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
Content-Type: text/plain
|
||||
data: 'cmd=/bin/unxz -c /var/log/something_sensitive.xz'
|
||||
protocol: "http"
|
||||
output:
|
||||
log_contains: "id \"920420\""
|
||||
- test_title: 920420-15
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
Host: localhost
|
||||
Proxy-Connection: keep-alive
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: text/plain
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /
|
||||
version: HTTP/1.0
|
||||
data: "{\"foo\" : \";+cat+/e\\\\t\\\\*/pa\\\\?s\\\\wd\"}"
|
||||
output:
|
||||
log_contains: "id \"920420\""
|
||||
- test_title: 920420-16
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
Host: localhost
|
||||
Proxy-Connection: keep-alive
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: application/x-amf
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /
|
||||
version: HTTP/1.0
|
||||
data: "{\"foo\" : \";+cat+/e\\\\t\\\\*/pa\\\\?s\\\\wd\"}"
|
||||
output:
|
||||
log_contains: "id \"920420\""
|
||||
- test_title: 920420-17
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
Host: localhost
|
||||
Proxy-Connection: keep-alive
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: application/octet-stream
|
||||
method: GET
|
||||
port: 80
|
||||
uri: /
|
||||
version: HTTP/1.0
|
||||
data: "{\"foo\" : \";+cat+/e\\\\t\\\\*/pa\\\\?s\\\\wd\"}"
|
||||
output:
|
||||
log_contains: "id \"920420\""
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
meta:
|
||||
author: "csanders-git"
|
||||
author: "csanders-git, karelorigin"
|
||||
enabled: true
|
||||
name: "920450.yaml"
|
||||
description: "Description"
|
||||
|
@ -58,7 +58,6 @@
|
|||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
|
||||
Accept-Encoding: gzip,deflate
|
||||
Accept-Language: en-us,en;q=0.5
|
||||
Host: localhost
|
||||
|
@ -82,7 +81,6 @@
|
|||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
|
||||
Accept-Encoding: gzip,deflate
|
||||
Accept-Language: en-us,en;q=0.5
|
||||
Host: localhost
|
||||
|
@ -96,6 +94,7 @@
|
|||
version: HTTP/1.1
|
||||
output:
|
||||
log_contains: id "920450"
|
||||
|
||||
-
|
||||
test_title: 920450-6
|
||||
stages:
|
||||
|
@ -105,8 +104,42 @@
|
|||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
headers:
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Range: "test"
|
||||
User-Agent: "ModSecurity CRS 3 Tests"
|
||||
Host: "localhost"
|
||||
Range: "test"
|
||||
output:
|
||||
no_log_contains: "id \"920450\""
|
||||
|
||||
-
|
||||
test_title: 920450-7
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Accept: text/html
|
||||
Accept-Charset: UTF-8
|
||||
output:
|
||||
log_contains: "id \"920450\""
|
||||
|
||||
-
|
||||
test_title: 920450-8
|
||||
stages:
|
||||
-
|
||||
stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Accept: text/html
|
||||
Content-Encoding: deflate
|
||||
output:
|
||||
log_contains: "id \"920450\""
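Review bot: The two tests added in the last hunk, 920450-7 and 920450-8, carry no `desc`, so a reader cannot tell from the file why `Accept-Charset: UTF-8` and `Content-Encoding: deflate` are expected to trigger 920450; the `log_contains` expectation suggests both headers are now treated as restricted headers, and that intent, together with the paranoia level the assertion depends on, should be stated. Suggest `desc: "Accept-Charset is a restricted header; expect 920450"` on 920450-7 and `desc: "Content-Encoding is a restricted header; expect 920450"` on 920450-8. Neither test sets `method` or `version`, which is fine if the runner's defaults are what the rule expects, but the `desc` is the place to say so.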
|
||||
|
|
|
@ -0,0 +1,71 @@
|
|||
---
|
||||
meta:
|
||||
author: "terjanq"
|
||||
description: "Restrict multiple charsets inside the content type header"
|
||||
enabled: true
|
||||
name: "920530.yaml"
|
||||
tests:
|
||||
- test_title: 920530-1
|
||||
desc: "A valid request with a single charset"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
data: "test=value"
|
||||
output:
|
||||
no_log_contains: "id \"920530\""
|
||||
- test_title: 920530-2
|
||||
desc: "Bypass attempt with two charsets"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded; charset=utf-8; charset=utf-7"
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
data: "test=value"
|
||||
output:
|
||||
log_contains: "id \"920530\""
|
||||
- test_title: 920530-3
|
||||
desc: "Bypass attempt with hiding the charset inside a field"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded; charset=utf-8; boundary=\"charset=utf-7\""
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
data: "test=value"
|
||||
output:
|
||||
log_contains: "id \"920530\""
|
||||
- test_title: 920530-4
|
||||
desc: "Bypass attempt with uppercase CHARSET"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
method: "POST"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Content-Type: "application/x-www-form-urlencoded; charset=utf-8; CHARSET=utf-7"
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
data: "test=value"
|
||||
output:
|
||||
log_contains: "id \"920530\""
|
|
@ -0,0 +1,150 @@
|
|||
---
|
||||
meta:
|
||||
author: "karelorigin"
|
||||
enabled: true
|
||||
name: "920600.yaml"
|
||||
description: "Accept header charset checks"
|
||||
tests:
|
||||
- test_title: 920600-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Accept: text/html;q=0.9;charset=CP1026,*/*;q=0.8
|
||||
output:
|
||||
log_contains: "id \"920600\""
|
||||
- test_title: 920600-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Accept: text/html;q=0.9;charset="CP1026",*/*;q=0.8
|
||||
output:
|
||||
log_contains: "id \"920600\""
|
||||
- test_title: 920600-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Accept: text/html;q=0.9;charset=UTF-8,*/*;q=0.8
|
||||
output:
|
||||
no_log_contains: "id \"920600\""
|
||||
- test_title: 920600-4
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Accept: text/html;q=0.9;charset="UTF-8",*/*;q=0.8
|
||||
output:
|
||||
no_log_contains: "id \"920600\""
|
||||
- test_title: 920600-5
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Accept: text/html;q=0.9;charset="iso-8859-1",*/*;q=0.8
|
||||
output:
|
||||
no_log_contains: "id \"920600\""
|
||||
- test_title: 920600-6
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Accept: text/html;q=0.9;charset="iso-8859-1",*/*;q=0.8;charset=utf-16
|
||||
output:
|
||||
log_contains: "id \"920600\""
|
||||
- test_title: 920600-7
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Accept: text/html;q=0.9;charset="iso-8859-1",*/*;q=0.8;charset=utf-8
|
||||
output:
|
||||
no_log_contains: "id \"920600\""
|
||||
- test_title: 920600-8
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Accept: text/html;q=0.9;charset="iso-8859-15",*/*;q=0.8
|
||||
output:
|
||||
no_log_contains: "id \"920600\""
|
||||
- test_title: 920600-9
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Accept: text/html;q=0.9;charset="windows-1252",*/*;q=0.8
|
||||
output:
|
||||
no_log_contains: "id \"920600\""
|
||||
- test_title: 920600-10
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Accept: text/html;q=0.9;charset="windows-1252",*/*;q=0.8;
|
||||
output:
|
||||
no_log_contains: "id \"920600\""
|
||||
- test_title: 920600-11
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
port: 80
|
||||
uri: "/"
|
||||
headers:
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Host: "localhost"
|
||||
Accept: text/html;q=0.9;charset="windows-1252";,*/*;q=0.8
|
||||
output:
|
||||
no_log_contains: "id \"920600\""
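Review bot: None of the eleven tests in 920600.yaml has a `desc`, and for 920600-10 and 920600-11 the purpose of the trailing `;q=0.8;` and the empty `"windows-1252";,` parameter is not obvious from the request alone. A one-line `desc` per test would make the negative expectations reviewable, e.g. `desc: "Trailing parameter separator must not be read as an extra charset"` for 920600-10 and `desc: "Empty parameter before the next media range must not be read as a charset"` for 920600-11. 920600-1/-2 and 920600-3/-4 appear to be unquoted/quoted pairs of the same charset value; saying so in their `desc` would make clear which parsing path each exercises. The other new test files in this commit (920530, 921421, 922100) document their cases this way.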
|
|
@ -0,0 +1,22 @@
|
|||
---
|
||||
meta:
|
||||
author: "Christian Folini (dune73)"
|
||||
description: "HTTP Range Header"
|
||||
enabled: true
|
||||
name: 921230.yaml
|
||||
tests:
|
||||
- test_title: 921230-1
|
||||
desc: "Submit HTTP Range Header, forbidden at PL3 by default"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: "127.0.0.1"
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: "OWASP ModSecurity Core Rule Set"
|
||||
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
||||
Range: 1-2
|
||||
port: 80
|
||||
uri: "/"
|
||||
output:
|
||||
log_contains: id "921230"
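Review bot: 921230.yaml contains only the positive case; there is no negative control confirming that the same request without a `Range` header leaves 921230 silent, so a rule that matched every request would still pass this file. A second test asserting `no_log_contains` for a Range-less request (below) closes that gap. The `desc` says the header is forbidden at PL3 by default, but nothing in the file states the paranoia level the assertion relies on; naming it in the file `description` would help whoever runs the suite at a lower level.
```yaml
  # … unchanged: meta and test 921230-1 …
  - test_title: 921230-2
    desc: "Same request without a Range header must not trigger 921230"
    stages:
      - stage:
          input:
            dest_addr: "127.0.0.1"
            headers:
              Host: "localhost"
              User-Agent: "OWASP ModSecurity Core Rule Set"
              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
            port: 80
            uri: "/"
          output:
            no_log_contains: id "921230"
```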
|
|
@ -0,0 +1,199 @@
|
|||
---
|
||||
meta:
|
||||
author: studersi
|
||||
description: Test whether the recommended rules can be fooled into using the wrong body processor which can result in bypasses
|
||||
enabled: true
|
||||
name: 921421.yaml
|
||||
tests:
|
||||
- test_title: 921421-1
|
||||
desc: Bypass targeting recommended rules (rule 200000)
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: application/x-www-form-urlencoded;boundary="application/json"
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
log_contains: id "921421"
|
||||
- test_title: 921421-2
|
||||
desc: Bypass targeting recommended rules (rule 200006)
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: application/x-www-form-urlencoded;boundary="application/vnd.mycompany.myapp.customer-v2+json"
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
log_contains: id "921421"
|
||||
- test_title: 921421-3
|
||||
desc: Bypass targeting recommended rules (rule 200001)
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: application/x-www-form-urlencoded;boundary="text/xml"
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
log_contains: id "921421"
|
||||
- test_title: 921421-4
|
||||
desc: Bypass targeting recommended rules (rule 200001)
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: application/x-www-form-urlencoded;boundary="application/xml"
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
log_contains: id "921421"
|
||||
- test_title: 921421-5
|
||||
desc: Bypass targeting recommended rules (rule 200001)
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: application/x-www-form-urlencoded;boundary="application/soap+xml"
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
log_contains: id "921421"
|
||||
- test_title: 921421-6
|
||||
desc: Negative test for 921421-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: application/json
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
no_log_contains: id "921421"
|
||||
- test_title: 921421-7
|
||||
desc: Negative test for 921421-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: application/vnd.mycompany.myapp.customer-v2+json
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
no_log_contains: id "921421"
|
||||
- test_title: 921421-8
|
||||
desc: Negative test for 921421-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: text/xml
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
no_log_contains: id "921421"
|
||||
- test_title: 921421-9
|
||||
desc: Negative test for 921421-4
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: application/xml
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
no_log_contains: id "921421"
|
||||
- test_title: 921421-10
|
||||
desc: Negative test for 921421-5
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: application/soap+xml
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
no_log_contains: id "921421"
|
||||
- test_title: 921421-11
|
||||
desc: Negative test for rule 921421-6
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: text/html; charset=UTF-8
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
no_log_contains: id "921421"
|
||||
- test_title: 921421-12
|
||||
desc: Negative test for rule 921421-7
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: multipart/form-data; boundary=something
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
no_log_contains: id "921421"
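Review bot: The `desc` cross-references on the last two negative tests do not match: 921421-11 is labelled "Negative test for rule 921421-6" and 921421-12 "Negative test for rule 921421-7", but -6 and -7 are themselves negative tests, and the `text/html; charset=UTF-8` and `multipart/form-data; boundary=something` requests mirror no positive case in the file. Suggest `desc: Negative test for a benign charset parameter` on 921421-11 and `desc: Negative test for a benign multipart boundary parameter` on 921421-12. The same mislabelling appears in 921422.yaml, where 921422-15, -16 and -17 point at -7, -8 and -9 although -9 is itself negative and -15/-16 do not mirror the image/jpeg and foobar/foobar cases. The `(rule 200000)`/`(rule 200001)`/`(rule 200006)` annotations appear to refer to the body-processor rules of the recommended ModSecurity configuration; naming that file in the `description` would make the pointer unambiguous.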
|
|
@ -0,0 +1,279 @@
|
|||
---
|
||||
meta:
|
||||
author: studersi
|
||||
description: Try to send mime types in different part of Content-Type header
|
||||
enabled: true
|
||||
name: 921422.yaml
|
||||
tests:
|
||||
- test_title: 921422-1
|
||||
desc: Bypass targeting recommended rules (rule 200000)
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: application/x-www-form-urlencoded;boundary="application/json"
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
log_contains: id "921422"
|
||||
- test_title: 921422-2
|
||||
desc: Bypass targeting recommended rules (rule 200006)
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: application/x-www-form-urlencoded;boundary="application/vnd.mycompany.myapp.customer-v2+json"
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
log_contains: id "921422"
|
||||
- test_title: 921422-3
|
||||
desc: Bypass targeting recommended rules (rule 200001)
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: application/x-www-form-urlencoded;boundary="text/xml"
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
log_contains: id "921422"
|
||||
- test_title: 921422-4
|
||||
desc: Bypass targeting recommended rules (rule 200001)
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: application/x-www-form-urlencoded;boundary="application/xml"
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
log_contains: id "921422"
|
||||
- test_title: 921422-5
|
||||
desc: Bypass targeting recommended rules (rule 200001)
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: application/x-www-form-urlencoded;boundary="multipart/related"
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
log_contains: id "921422"
|
||||
- test_title: 921422-6
|
||||
desc: Bypass targeting recommended rules (rule 200001)
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: application/x-www-form-urlencoded;boundary="text/html"
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
log_contains: id "921422"
|
||||
- test_title: 921422-7
|
||||
desc: Bypass targeting recommended rules (rule 200001)
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: application/x-www-form-urlencoded;boundary="image/jpeg"
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
log_contains: id "921422"
|
||||
- test_title: 921422-8
|
||||
desc: Bypass targeting recommended rules (rule 200001)
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: application/x-www-form-urlencoded;boundary="foobar/foobar"
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
log_contains: id "921422"
|
||||
- test_title: 921422-9
|
||||
desc: Negative test for 921422-1
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: application/json
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
no_log_contains: id "921422"
|
||||
- test_title: 921422-10
|
||||
desc: Negative test for 921422-2
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: application/vnd.mycompany.myapp.customer-v2+json
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
no_log_contains: id "921422"
|
||||
- test_title: 921422-11
|
||||
desc: Negative test for 921422-3
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: text/xml
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
no_log_contains: id "921422"
|
||||
- test_title: 921422-12
|
||||
desc: Negative test for 921422-4
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: application/xml
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
no_log_contains: id "921422"
|
||||
- test_title: 921422-13
|
||||
desc: Negative test for 921422-5
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: application/soap+xml
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
no_log_contains: id "921422"
|
||||
- test_title: 921422-14
|
||||
desc: Negative test for 921422-6
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: text/html
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
no_log_contains: id "921422"
|
||||
- test_title: 921422-15
|
||||
desc: Negative test for rule 921422-7
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: text/html; charset=UTF-8
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
no_log_contains: id "921422"
|
||||
- test_title: 921422-16
|
||||
desc: Negative test for rule 921422-8
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: multipart/form-data; boundary=something
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
no_log_contains: id "921422"
|
||||
- test_title: 921422-17
|
||||
desc: Negative test for rule 921422-9
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: multipart/form-data; boundary=----webkitformboundary12w4lszoxn26vnd
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /post
|
||||
version: HTTP/1.1
|
||||
output:
|
||||
no_log_contains: id "921422"
|
|
@ -0,0 +1,63 @@
|
|||
---
|
||||
meta:
|
||||
author: "Felipe Zipitria"
|
||||
description: Test Multipart/form-data
|
||||
enabled: true
|
||||
name: 922100.yaml
|
||||
tests:
|
||||
- test_title: 922100-1
|
||||
desc: "Positive test: utf-7 is not in allowed charsets"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: multipart/form-data; boundary=boundary
|
||||
Accept: "*/*"
|
||||
method: POST
|
||||
port: 80
|
||||
uri: "/post"
|
||||
version: "HTTP/1.1"
|
||||
data: |
|
||||
--boundary
|
||||
Content-disposition: form-data; name="_charset_"
|
||||
|
||||
utf-7
|
||||
--boundary
|
||||
Content-disposition: form-data; name="positive"
|
||||
Content-Type: text/plain
|
||||
|
||||
Let me see if I can use utf-7.
|
||||
--boundary--
|
||||
output:
|
||||
log_contains: id "922100"
|
||||
- test_title: 922100-2
|
||||
desc: "Negative test: only allowed charsets when using _charset_"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: multipart/form-data; boundary=boundary
|
||||
Accept: "*/*"
|
||||
method: POST
|
||||
port: 80
|
||||
uri: "/post"
|
||||
version: "HTTP/1.1"
|
||||
data: |
|
||||
--boundary
|
||||
Content-disposition: form-data; name="_charset_"
|
||||
|
||||
utf-8
|
||||
--boundary
|
||||
Content-disposition: form-data; name="negative"
|
||||
Content-Type: text/plain
|
||||
|
||||
This should be good as we use utf-8 that is allowed.
|
||||
--boundary--
|
||||
output:
|
||||
no_log_contains: id "922100"
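Review bot: The file-level `description: Test Multipart/form-data` is identical in 922100.yaml, 922110.yaml and 922120.yaml and does not say what each file checks; from the tests, 922100 validates the charset declared in the multipart `_charset_` form field against the allowed charsets, while 922110 validates the charset in a part's own `Content-Type`. Suggest `description: "Multipart _charset_ field must declare an allowed charset"` here and `description: "Multipart part Content-Type must declare an allowed charset"` in 922110.yaml. The bodies are given with `data: |`, so they are sent with bare LF line endings and one trailing newline; whether the runner rewrites these to CRLF for multipart is not visible here, and since ModSecurity's multipart strictness checks are line-ending sensitive it is worth confirming that the positive case fires on the `_charset_` value rather than on a parser error.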
|
|
@ -0,0 +1,63 @@
|
|||
---
|
||||
meta:
|
||||
author: "Felipe Zipitria"
|
||||
description: Test Multipart/form-data
|
||||
enabled: true
|
||||
name: 922110.yaml
|
||||
tests:
|
||||
- test_title: 922110-1
|
||||
desc: "Positive test: utf-7 is not in allowed charsets"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: multipart/form-data; boundary=boundary
|
||||
Accept: "*/*"
|
||||
method: POST
|
||||
port: 80
|
||||
uri: "/post"
|
||||
version: "HTTP/1.1"
|
||||
data: |
|
||||
--boundary
|
||||
Content-disposition: form-data; name="_charset_"
|
||||
|
||||
utf-8
|
||||
--boundary
|
||||
Content-disposition: form-data; name="922110"
|
||||
Content-Type: text/plain; charset=utf-7
|
||||
|
||||
Knock knock.
|
||||
--boundary--
|
||||
output:
|
||||
log_contains: id "922110"
|
||||
- test_title: 922110-2
|
||||
desc: "Negative test: utf-8 is allowed"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: multipart/form-data; boundary=boundary
|
||||
Accept: "*/*"
|
||||
method: POST
|
||||
port: 80
|
||||
uri: "/post"
|
||||
version: "HTTP/1.1"
|
||||
data: |
|
||||
--boundary
|
||||
Content-disposition: form-data; name="_charset_"
|
||||
|
||||
utf-8
|
||||
--boundary
|
||||
Content-disposition: form-data; name="negative"
|
||||
Content-Type: text/plain; charset=utf-8
|
||||
|
||||
I shold be allowed to get in.
|
||||
--boundary--
|
||||
output:
|
||||
no_log_contains: id "922110"
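Review bot: The positive stage only exercises the bare `charset=utf-7` form; a quoted value `charset="utf-7"` and whitespace around `=` are the first variations an attacker tries against a charset check, and neither is covered. The assembled expression added in this commit does allow `"` and `\s*` around the parameter, so the rule presumably handles them, but that belongs in a test rather than only in the regex source: add a stage with `Content-Type: text/plain; charset = "utf-7"` expecting `log_contains: id "922110"`. A negative stage with `charset=UTF-8` would likewise settle whether the check is case-insensitive, which this file cannot show.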
|
|
@ -0,0 +1,56 @@
|
|||
---
|
||||
meta:
|
||||
author: "Felipe Zipitria"
|
||||
description: Test Multipart/form-data
|
||||
enabled: true
|
||||
name: 922120.yaml
|
||||
tests:
|
||||
- test_title: 922120-1
|
||||
desc: "Positive test: utf-7 is not in allowed charsets"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: multipart/form-data; boundary=boundary
|
||||
Accept: "*/*"
|
||||
method: POST
|
||||
port: 80
|
||||
uri: "/post"
|
||||
version: "HTTP/1.1"
|
||||
data: |
|
||||
--boundary
|
||||
Content-Disposition: form-data; name="flavors"
|
||||
Content-Transfer-Encoding: 8bit
|
||||
Content-Type: text/plain; charset=utf-7
|
||||
|
||||
Pineapple. Pizza.
|
||||
--boundary--
|
||||
output:
|
||||
log_contains: id "922120"
|
||||
- test_title: 922120-2
|
||||
desc: "Negative test: no content-transfer-encoding header should be good"
|
||||
stages:
|
||||
- stage:
|
||||
input:
|
||||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: "localhost"
|
||||
User-Agent: OWASP ModSecurity Core Rule Set
|
||||
Content-Type: multipart/form-data; boundary=boundary
|
||||
Accept: "*/*"
|
||||
method: POST
|
||||
port: 80
|
||||
uri: "/post"
|
||||
version: "HTTP/1.1"
|
||||
data: |
|
||||
--boundary
|
||||
Content-disposition: form-data; name="negative"
|
||||
Content-Type: text/plain
|
||||
|
||||
This should be good as there is no content-transfer-encoding header.
|
||||
--boundary--
|
||||
output:
|
||||
no_log_contains: id "922120"
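Review bot: The positive stage's `desc` ("utf-7 is not in allowed charsets") was copied from 922100 and does not describe what is tested here, which — going by the negative stage's description — is the presence of a `Content-Transfer-Encoding` header in a part; because the part also carries `charset=utf-7`, the request trips the charset rule as well and the stage does not show that 922120 fires on its own. Change the part header to `Content-Type: text/plain; charset=utf-8` and the description to `desc: "Positive test: Content-Transfer-Encoding header present in a multipart part"` so the only violation left is the one this rule is for. A second positive with `Content-Transfer-Encoding: base64` would be worthwhile too, since that is the encoding an attacker would actually use to keep a payload away from inspection.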
|
|
@ -15,7 +15,6 @@
|
|||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
Content-type: us-ascii
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /
|
||||
|
@ -32,7 +31,6 @@
|
|||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
Content-type: us-ascii
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /
|
||||
|
@ -49,7 +47,6 @@
|
|||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
Content-type: us-ascii
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /
|
||||
|
@ -66,7 +63,6 @@
|
|||
dest_addr: 127.0.0.1
|
||||
headers:
|
||||
Host: localhost
|
||||
Content-type: us-ascii
|
||||
method: POST
|
||||
port: 80
|
||||
uri: /
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
#!/usr/bin/env python
|
||||
# @spartantri 2018
|
||||
#@spartantri 2018
|
||||
|
||||
import sys
|
||||
import argparse
|
||||
|
@ -7,144 +7,98 @@ import base64
|
|||
|
||||
parser = argparse.ArgumentParser()
|
||||
|
||||
UserAgent = "ModSecurity CRS 3 Tests"
|
||||
Accept = "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
|
||||
AcceptCharset = "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
|
||||
AcceptEncoding = "gzip,deflate"
|
||||
AcceptLanguage = "en-us,en;q=0.5"
|
||||
ContentType = "application/x-www-form-urlencoded"
|
||||
payloads = []
|
||||
skeletontest = 0
|
||||
Meta = """---
|
||||
UserAgent="ModSecurity CRS 3 Tests"
|
||||
Accept="text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
|
||||
AcceptCharset="ISO-8859-1,utf-8;q=0.7,*;q=0.7"
|
||||
AcceptEncoding="gzip,deflate"
|
||||
AcceptLanguage="en-us,en;q=0.5"
|
||||
ContentType="application/x-www-form-urlencoded"
|
||||
payloads=[]
|
||||
skeletontest=0
|
||||
Meta='''---
|
||||
meta:
|
||||
author: "spartantri"
|
||||
enabled: true
|
||||
name: "skeletonid.yaml"
|
||||
description: "Positive tests for rule skeletonid"
|
||||
tests:
|
||||
"""
|
||||
'''
|
||||
|
||||
parser.add_argument(
|
||||
"-a", action="store", dest="Addr", help="Target ip address", default="127.0.0.1"
|
||||
)
|
||||
parser.add_argument("-p", action="store", dest="Port", help="Target port", default="80")
|
||||
parser.add_argument(
|
||||
"-v", action="store", dest="Host", help="Target virtual host", default="localhost"
|
||||
)
|
||||
parser.add_argument(
|
||||
"-s",
|
||||
action="store",
|
||||
dest="skeleton",
|
||||
help="Skeleton file",
|
||||
default="positivetest.yaml.skeleton",
|
||||
)
|
||||
parser.add_argument("-o", action="store", dest="output", help="output file", default="")
|
||||
parser.add_argument(
|
||||
"-r", action="store", dest="ruleid", help="Rule id", default="944310"
|
||||
)
|
||||
parser.add_argument(
|
||||
"-k",
|
||||
action="store",
|
||||
dest="combined_payload",
|
||||
help="Keyword containing combined pipe separated payloads",
|
||||
default="",
|
||||
)
|
||||
parser.add_argument(
|
||||
"-i",
|
||||
action="append",
|
||||
dest="list_payload",
|
||||
help="Keyword containing individual payload",
|
||||
default=[],
|
||||
)
|
||||
parser.add_argument(
|
||||
"-c",
|
||||
action="store",
|
||||
dest="prefix",
|
||||
help="Prefix keyword for all payloads",
|
||||
default="",
|
||||
)
|
||||
parser.add_argument(
|
||||
"-e",
|
||||
action="store",
|
||||
dest="sufix",
|
||||
help="Sufix keyword for all payloads",
|
||||
default="",
|
||||
)
|
||||
parser.add_argument(
|
||||
"-b",
|
||||
action="store_true",
|
||||
dest="base64encode",
|
||||
help="Encode payload using Base64",
|
||||
default=False,
|
||||
)
|
||||
parser.add_argument(
|
||||
"-d",
|
||||
action="store_true",
|
||||
dest="demo",
|
||||
help="Print demo rules if no data is provided",
|
||||
default=False,
|
||||
)
|
||||
parser.add_argument(
|
||||
"-t",
|
||||
action="store_true",
|
||||
dest="test",
|
||||
help="Launch FTW and test output",
|
||||
default=False,
|
||||
)
|
||||
parser.add_argument(
|
||||
"-w", action="store", dest="author", help="Test author", default="spartantri"
|
||||
)
|
||||
parser.add_argument('-a', action='store', dest='Addr', help='Target ip address',
|
||||
default='127.0.0.1')
|
||||
parser.add_argument('-p', action='store', dest='Port', help='Target port',
|
||||
default='80')
|
||||
parser.add_argument('-v', action='store', dest='Host', help='Target virtual host',
|
||||
default='localhost')
|
||||
parser.add_argument('-s', action='store', dest='skeleton', help='Skeleton file',
|
||||
default='positivetest.yaml.skeleton')
|
||||
parser.add_argument('-o', action='store', dest='output', help='output file',
|
||||
default='')
|
||||
parser.add_argument('-r', action='store', dest='ruleid', help='Rule id',
|
||||
default='944310')
|
||||
parser.add_argument('-k', action='store', dest='combined_payload', help='Keyword containing combined pipe separated payloads',
|
||||
default='')
|
||||
parser.add_argument('-i', action='append', dest='list_payload', help='Keyword containing individual payload',
|
||||
default=[])
|
||||
parser.add_argument('-c', action='store', dest='prefix', help='Prefix keyword for all payloads',
|
||||
default='')
|
||||
parser.add_argument('-e', action='store', dest='sufix', help='Sufix keyword for all payloads',
|
||||
default='')
|
||||
parser.add_argument('-b', action='store_true', dest='base64encode', help='Encode payload using Base64',
|
||||
default=False)
|
||||
parser.add_argument('-d', action='store_true', dest='demo', help='Print demo rules if no data is provided',
|
||||
default=False)
|
||||
parser.add_argument('-t', action='store_true', dest='test', help='Launch FTW and test output',
|
||||
default=False)
|
||||
parser.add_argument('-w', action='store', dest='author', help='Test author',
|
||||
default='spartantri')
|
||||
start_options = parser.parse_args()
|
||||
|
||||
if len(sys.argv) < 2 and not start_options.demo:
|
||||
if len(sys.argv)<2 and not start_options.demo:
|
||||
parser.print_usage()
|
||||
exit()
|
||||
|
||||
for p in start_options.combined_payload.split("|"):
|
||||
for p in start_options.combined_payload.split('|'):
|
||||
if p not in payloads:
|
||||
# print('Checking %s' % (p))
|
||||
if len(p) > 0:
|
||||
payloads.append("".join([start_options.prefix, p, start_options.sufix]))
|
||||
if len(p)>0:
|
||||
payloads.append(''.join([start_options.prefix, p, start_options.sufix]))
|
||||
|
||||
for p in start_options.list_payload:
|
||||
payloads.append("".join([start_options.prefix, p, start_options.sufix]))
|
||||
payloads.append(''.join([start_options.prefix, p, start_options.sufix]))
|
||||
|
||||
if start_options.output == "":
|
||||
o = sys.stdout
|
||||
if start_options.output=='':
|
||||
o=sys.stdout
|
||||
else:
|
||||
o = open(start_options.output, "w")
|
||||
o=open(start_options.output, 'w')
|
||||
|
||||
o.write(
|
||||
Meta.replace("skeletonid", start_options.ruleid).replace(
|
||||
"spartantri", start_options.author
|
||||
)
|
||||
)
|
||||
o.write(Meta.replace('skeletonid', start_options.ruleid).replace('spartantri', start_options.author))
|
||||
for item in payloads:
|
||||
if start_options.base64encode:
|
||||
payload = base64.encodestring(item).replace("\n", "")
|
||||
# print payload
|
||||
payload=base64.encodestring(item).replace('\n', '')
|
||||
#print payload
|
||||
else:
|
||||
payload = item
|
||||
with open(start_options.skeleton, "r") as f:
|
||||
payload=item
|
||||
with open(start_options.skeleton,'r') as f:
|
||||
for l in f:
|
||||
l = l.replace("skeletonid", start_options.ruleid)
|
||||
l = l.replace("skeletonkeyword", payload)
|
||||
l = l.replace("skeletondefaultaddr", start_options.Addr)
|
||||
l = l.replace("skeletondefaultport", start_options.Port)
|
||||
l = l.replace("skeletondefaulthost", start_options.Host)
|
||||
l = l.replace("skeletondefaultuseragent", UserAgent)
|
||||
l = l.replace("skeletondefaultacceptcharset", AcceptCharset)
|
||||
l = l.replace("skeletondefaultacceptencoding", AcceptEncoding)
|
||||
l = l.replace("skeletondefaultacceptlanguage", AcceptLanguage)
|
||||
l = l.replace("skeletondefaultcontenttype", ContentType)
|
||||
l = l.replace("skeletondefaultaccept", Accept)
|
||||
if "skeletontest" in l:
|
||||
l = l.replace("skeletontest", str(skeletontest))
|
||||
skeletontest += 1
|
||||
l=l.replace('skeletonid', start_options.ruleid)
|
||||
l=l.replace('skeletonkeyword', payload)
|
||||
l=l.replace('skeletondefaultaddr', start_options.Addr)
|
||||
l=l.replace('skeletondefaultport', start_options.Port)
|
||||
l=l.replace('skeletondefaulthost', start_options.Host)
|
||||
l=l.replace('skeletondefaultuseragent', UserAgent)
|
||||
l=l.replace('skeletondefaultacceptcharset', AcceptCharset)
|
||||
l=l.replace('skeletondefaultacceptencoding', AcceptEncoding)
|
||||
l=l.replace('skeletondefaultacceptlanguage', AcceptLanguage)
|
||||
l=l.replace('skeletondefaultcontenttype', ContentType)
|
||||
l=l.replace('skeletondefaultaccept', Accept)
|
||||
if 'skeletontest' in l:
|
||||
l=l.replace('skeletontest', str(skeletontest))
|
||||
skeletontest+=1
|
||||
o.write(l)
|
||||
|
||||
if start_options.output != "":
|
||||
print("Generated %s rules to file %s" % (str(skeletontest), start_options.output))
|
||||
if start_options.output != '':
|
||||
print ('Generated %s rules to file %s' % (str(skeletontest), start_options.output))
|
||||
o.close()
|
||||
|
||||
# print('\nGenerated %s tests' % (str(skeletontest)))
|
||||
#print('\nGenerated %s tests' % (str(skeletontest)))
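Review bot: `base64.encodestring`, retained on both sides of the hunk in the `-b` branch, was deprecated in Python 3.1 and removed in 3.9, and on the 3.x versions that still have it the call raises `TypeError` for a `str` argument, so the Base64 option is dead under any Python 3 interpreter — and `#!/usr/bin/env python` resolves to Python 3 on most current systems. Replace the line with `payload = base64.b64encode(item.encode('utf-8')).decode('ascii')`; `b64encode` inserts no line breaks, so the `.replace('\n', '')` goes away with it. A smaller point: payloads are spliced into the skeleton with plain `str.replace`, so a payload containing `"` or a YAML indicator produces an unparsable test file; a comment that the skeleton must quote `skeletonkeyword` appropriately would save someone a confusing failure.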
|
||||
|
|
|
@ -8,56 +8,41 @@ import argparse
|
|||
import os
|
||||
import sys
|
||||
|
||||
|
||||
def main():
|
||||
"""Main function that contains all the logic to relabel CRS IDs"""
|
||||
|
||||
id_translation_file = os.path.join(sys.path[0], "IdNumbering.csv")
|
||||
|
||||
if not os.path.isfile(id_translation_file):
|
||||
sys.stderr.write(
|
||||
"We were unable to locate the ID translation CSV (idNumbering.csv) \
|
||||
please place this is the same directory as this script\n"
|
||||
)
|
||||
sys.stderr.write("We were unable to locate the ID translation CSV (idNumbering.csv) \
|
||||
please place this is the same directory as this script\n")
|
||||
sys.exit(1)
|
||||
|
||||
parser = argparse.ArgumentParser(
|
||||
description="A program that takes in an exceptions file \
|
||||
and renumbers all the ID to match OWASP CRS 3 numbers. Output will be directed to STDOUT."
|
||||
)
|
||||
parser.add_argument(
|
||||
"-f",
|
||||
"--file",
|
||||
required=True,
|
||||
action="store",
|
||||
dest="fname",
|
||||
help="the file to be renumbered",
|
||||
)
|
||||
parser = argparse.ArgumentParser(description="A program that takes in an exceptions file \
|
||||
and renumbers all the ID to match OWASP CRS 3 numbers. Output will be directed to STDOUT.")
|
||||
parser.add_argument("-f", "--file", required=True, action="store", dest="fname", \
|
||||
help="the file to be renumbered")
|
||||
args = parser.parse_args()
|
||||
|
||||
if not os.path.isfile((args.fname).encode("utf8")):
|
||||
sys.stderr.write(
|
||||
"We were unable to find the file you were trying to update the ID numbers \
|
||||
in, please check your path\n"
|
||||
)
|
||||
if not os.path.isfile((args.fname).encode('utf8')):
|
||||
sys.stderr.write("We were unable to find the file you were trying to update the ID numbers \
|
||||
in, please check your path\n")
|
||||
sys.exit(1)
|
||||
|
||||
fcontent = ""
|
||||
|
||||
try:
|
||||
update_file = open((args.fname).encode("utf-8"), "r")
|
||||
update_file = open((args.fname).encode('utf-8'), "r")
|
||||
try:
|
||||
fcontent = update_file.read()
|
||||
finally:
|
||||
update_file.close()
|
||||
except IOError:
|
||||
sys.stderr.write(
|
||||
"There was an error opening the file you were trying to update"
|
||||
)
|
||||
sys.stderr.write("There was an error opening the file you were trying to update")
|
||||
|
||||
if fcontent != "":
|
||||
# CSV File
|
||||
id_csv_file = open(id_translation_file, "rt")
|
||||
id_csv_file = open(id_translation_file, 'rt')
|
||||
try:
|
||||
reader = csv.reader(id_csv_file)
|
||||
for row in reader:
|
||||
|
@ -66,6 +51,5 @@ def main():
|
|||
id_csv_file.close()
|
||||
print(fcontent)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
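Review bot: The `except IOError` handler only writes to stderr and falls through: `fcontent` stays empty, the `if fcontent != ""` block is skipped, and the script exits 0 with no output, which a shell pipeline or CI step will read as success. Add an exit after the write and terminate the message so it does not run into the next line of terminal output: `sys.stderr.write("There was an error opening the file you were trying to update\n")` followed by `sys.exit(1)`. A legitimately empty input file takes the same silent path; that is arguably correct, but worth a comment so the two cases are not confused.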
|
||||
|
|
|
@ -36,11 +36,11 @@ import fileinput, sys
|
|||
|
||||
for line in fileinput.input():
|
||||
line = line.strip()
|
||||
if line == "":
|
||||
if line == '':
|
||||
sys.stdout.write("\n")
|
||||
continue
|
||||
|
||||
if line[-1] == "\\":
|
||||
if line[-1] == '\\':
|
||||
sys.stdout.write(line[0:-1])
|
||||
else:
|
||||
sys.stdout.write(line)
|
||||
|
|
|
@ -0,0 +1,101 @@
|
|||
##! Please refer to the documentation at
|
||||
##! https://coreruleset.org/docs/development/regexp_assemble/.
|
||||
|
||||
##! The expression generated from this file matches a full HTTP
|
||||
##! `Accept` header by following the specification as far as
|
||||
##! necessary, while restricting the `charset` parameter
|
||||
##! to a list of explicitly allowed values.
|
||||
##! Where possible, the expression matches tokens "loosely",
|
||||
##! to reduce complexity and the risk of false positives.
|
||||
|
||||
##! Specifications:
|
||||
##! https://httpwg.org/specs/rfc7231.html#request.conneg
|
||||
##! https://httpwg.org/specs/rfc7230.html
|
||||
|
||||
##!^ ^
|
||||
##!$ $
|
||||
|
||||
##! Helpers
|
||||
##!> template non-token-with-dquote-chars (),/:;<=>?![\x5c\]{}
|
||||
|
||||
##!> template non-token-chars \"{{non-token-with-dquote-chars}}
|
||||
|
||||
##!> template token-chars [^{{non-token-chars}}]
|
||||
|
||||
##!> template token-with-dquote-chars [^{{non-token-with-dquote-chars}}]
|
||||
|
||||
##!> template type-subtype (?:\*|{{token-chars}}+)
|
||||
|
||||
##!> template media-type {{type-subtype}}/{{type-subtype}}
|
||||
|
||||
##! list of allowed charsets
|
||||
##!> assemble
|
||||
(?:"?
|
||||
##!=>
|
||||
##!> include allowed-charsets
|
||||
##!=>
|
||||
\b"?))
|
||||
##!=< allowed-charsets
|
||||
##!<
|
||||
|
||||
|
||||
##! Main assembly
|
||||
##!> assemble
|
||||
(?:{{media-type}})
|
||||
##!=>
|
||||
(?:\s*+;\s*+
|
||||
##!=>
|
||||
(?:(?:charset\s*+=\s*+
|
||||
##!=>
|
||||
##!=> allowed-charsets
|
||||
|
||||
##! If the first part wasn't a "charset", then
|
||||
##! anything is allowed here that is not "charset".
|
||||
##! Note that this doesn't follow the RFC strictly.
|
||||
|(?:
|
||||
##!=>
|
||||
[^c{{non-token-chars}}]{{token-chars}}*
|
||||
c[^h{{non-token-chars}}]{{token-chars}}*
|
||||
ch[^a{{non-token-chars}}]{{token-chars}}*
|
||||
cha[^r{{non-token-chars}}]{{token-chars}}*
|
||||
char[^s{{non-token-chars}}]{{token-chars}}*
|
||||
chars[^e{{non-token-chars}}]{{token-chars}}*
|
||||
charse[^t{{non-token-chars}}]{{token-chars}}*
|
||||
##!=>
|
||||
)\s*+=\s*+{{token-with-dquote-chars}}+)
|
||||
##! Clients like to violate the RFC, be lenient with
|
||||
##! terminating semi-colons.
|
||||
;?
|
||||
##!=>
|
||||
)*
|
||||
##!=>
|
||||
|
||||
##! Multiple "media-range" expressions can be
|
||||
##! specified, comma separated.
|
||||
(?:\s*+,\s*+
|
||||
##!=>
|
||||
(?:{{media-type}})
|
||||
##!=>
|
||||
(?:\s*+;\s*+
|
||||
##!=>
|
||||
(?:(?:charset\s*+=\s*+
|
||||
##!=>
|
||||
##!=> allowed-charsets
|
||||
|(?:
|
||||
##!=>
|
||||
[^c{{non-token-chars}}]{{token-chars}}*
|
||||
c[^h{{non-token-chars}}]{{token-chars}}*
|
||||
ch[^a{{non-token-chars}}]{{token-chars}}*
|
||||
cha[^r{{non-token-chars}}]{{token-chars}}*
|
||||
char[^s{{non-token-chars}}]{{token-chars}}*
|
||||
chars[^e{{non-token-chars}}]{{token-chars}}*
|
||||
charse[^t{{non-token-chars}}]{{token-chars}}*
|
||||
##!=>
|
||||
)\s*+=\s*+{{token-with-dquote-chars}}+)
|
||||
##! Clients like to violate the RFC, be lenient with
|
||||
##! terminating semi-colons.
|
||||
;?
|
||||
##!=>
|
||||
)*)*
|
||||
##!=>
|
||||
##!<
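Review bot: The allowed-charset alternation is matched case-sensitively against a lowercase list, so `charset=UTF-8` — the spelling most clients use and that RFC 2978 treats as equivalent — only passes if the consuming rule applies `t:lowercase` before this expression; that transformation is not visible here and should be stated in the header, e.g. `##! NOTE: the charset list is lowercase; the rule using this expression must apply t:lowercase first.` Two smaller observations: the opening and closing `"?` are independent, so an unbalanced `charset="utf-8` is accepted (consistent with the stated "loose" goal, but worth a word), and the trailing `\b` is what stops `utf-8x` from matching on the `utf-8` prefix — a comment on that line would keep the next editor from removing it as noise.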
|
|
@ -0,0 +1,17 @@
|
|||
##! Please refer to the documentation at
|
||||
##! https://coreruleset.org/docs/development/regexp_assemble/.
|
||||
|
||||
##! Attacks attempting bypass by forcing JSON body processor leveraging recommended rule 200000
|
||||
##! Find Content-Type: application/x-www-form-urlencoded;boundary="application/json"
|
||||
##! Find Content-Type: application/soap+xml;boundary="application/json"
|
||||
^[^;\s,]+[;\s,].*?application\/json
|
||||
|
||||
##! Attacks attempting bypass by forcing JSON body processor leveraging recommended rule 200006
|
||||
##! Find Content-Type: application/x-www-form-urlencoded;boundary="application/some.vendor+json"
|
||||
##! Find Content-Type: application/soap+xml;boundary="application/some.vendor+json"
|
||||
^[^;\s,]+[;\s,].*?application\/.+[+]json
|
||||
|
||||
##! Attacks attempting bypass by forcing XML body processor leveraging recommended rule 200001
|
||||
##! Find Content-Type: application/x-www-form-urlencoded;boundary="application/xml"
|
||||
##! Find Content-Type: application/json;boundary="application/soap+xml"
|
||||
^[^;\s,]+[;\s,].*?(?:application(?:\/soap\+|\/)|text\/)xml
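Review bot: The comments attribute the JSON-processor bypass to rule 200000 and the XML one to 200001; in `modsecurity.conf-recommended` as I recall it, 200000 is the XML body-processor rule and 200001 the JSON one (200006 being the `+json` suffix rule, which does match the second block), so the first and third comments look swapped — worth checking against the shipped recommended config, since these ids are what operators grep for when tuning. The patterns are only reachable as a bypass where the 200000-series rules are unanchored, as older recommended configs were: once those rules match with a leading `^`, `boundary="application/json"` no longer switches the body processor. A comment stating that these guard against unanchored or customised processor-selection rules would make clear why they are worth their false-positive cost.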
|
|
@ -0,0 +1,9 @@
|
|||
##! Please refer to the documentation at
|
||||
##! https://coreruleset.org/docs/development/regexp_assemble/.
|
||||
|
||||
##! Attacks attempting to bypass content-type restrictions or behaviour
|
||||
##! Find Content-Type: application/x-www-form-urlencoded;boundary="multipart/form-data"
|
||||
##! Find Content-Type: application/soap-xml;boundary="multipart/form-data"
|
||||
^[^;\s,]+[;\s,].*?\b(text|multipart|application)\b
|
||||
^[^;\s,]+[;\s,].*?\b(audio|image|video|csv|css|vnd|pdf|plain|json|soap|xml|x-www-form-urlencoded|form-data|related|x-amf|octet|stream|csp|report)\b
|
||||
^[^;\s,]+[;\s,].*?\b(\/|\+)\b
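Review bot: These three patterns flag any media-type-looking token after the first one, which also catches legitimate headers: `multipart/related; type="application/xop+xml"; start-info="text/xml"` (SOAP MTOM/XOP) matches all three lines — `application` and `text` for the first, `xml` for the second, `/` and `+` for the third. If this list backs a blocking rule on the raw request `Content-Type`, MTOM clients will be rejected; a negative regression test for that header, or a documented exclusion, should accompany the rule. Independently, `\b(\/|\+)\b` only matches a separator flanked by word characters on both sides, so `boundary="application/ json"` escapes the third line; that is fine if the first two lines are expected to catch it, but a comment saying so would help.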
|
|
@ -0,0 +1,105 @@
|
|||
##! Please refer to the documentation at
|
||||
##! https://coreruleset.org/docs/development/regexp_assemble/.
|
||||
|
||||
##! The expression generated from this file matches a full HTTP
|
||||
##! `Accept` header by following the specification as far as
|
||||
##! necessary, while restricting the `charset` parameter
|
||||
##! to a list of explicitly allowed values.
|
||||
##! Where possible, the expression matches tokens "loosely",
|
||||
##! to reduce complexity and the risk of false positives.
|
||||
|
||||
##! Specifications:
|
||||
##! https://httpwg.org/specs/rfc7231.html#request.conneg
|
||||
##! https://httpwg.org/specs/rfc7230.html
|
||||
|
||||
##! This is a duplicate of the 920600.data file.
|
||||
##! There will be support for inclusion in the regexp_assemble tool in the future.
|
||||
##! In the meantime, please keep both files in sync.
|
||||
|
||||
##!^ ^
|
||||
##!$ $
|
||||
|
||||
##! Helpers
|
||||
##!> template non-token-with-dquote-chars (),/:;<=>?![\x5c\]{}
|
||||
|
||||
##!> template non-token-chars \"{{non-token-with-dquote-chars}}
|
||||
|
||||
##!> template token-chars [^{{non-token-chars}}]
|
||||
|
||||
##!> template token-with-dquote-chars [^{{non-token-with-dquote-chars}}]
|
||||
|
||||
##!> template type-subtype (?:\*|{{token-chars}}+)
|
||||
|
||||
##!> template media-type {{type-subtype}}/{{type-subtype}}
|
||||
|
||||
##! list of allowed charsets
|
||||
##!> assemble
|
||||
(?:"?
|
||||
##!=>
|
||||
##!> include allowed-charsets
|
||||
##!=>
|
||||
\b"?))
|
||||
##!=< allowed-charsets
|
||||
##!<
|
||||
|
||||
|
||||
##! Main assembly
|
||||
##!> assemble
|
||||
(?:{{media-type}})
|
||||
##!=>
|
||||
(?:\s*+;\s*+
|
||||
##!=>
|
||||
(?:(?:charset\s*+=\s*+
|
||||
##!=>
|
||||
##!=> allowed-charsets
|
||||
|
||||
##! If the first part wasn't a "charset", then
|
||||
##! anything is allowed here that is not "charset".
|
||||
##! Note that this doesn't follow the RFC strictly.
|
||||
|(?:
|
||||
##!=>
|
||||
[^c{{non-token-chars}}]{{token-chars}}*
|
||||
c[^h{{non-token-chars}}]{{token-chars}}*
|
||||
ch[^a{{non-token-chars}}]{{token-chars}}*
|
||||
cha[^r{{non-token-chars}}]{{token-chars}}*
|
||||
char[^s{{non-token-chars}}]{{token-chars}}*
|
||||
chars[^e{{non-token-chars}}]{{token-chars}}*
|
||||
charse[^t{{non-token-chars}}]{{token-chars}}*
|
||||
##!=>
|
||||
)\s*+=\s*+{{token-with-dquote-chars}}+)
|
||||
##! Clients like to violate the RFC, be lenient with
|
||||
##! terminating semi-colons.
|
||||
;?
|
||||
##!=>
|
||||
)*
|
||||
##!=>
|
||||
|
||||
##! Multiple "media-range" expressions can be
|
||||
##! specified, comma separated.
|
||||
(?:\s*+,\s*+
|
||||
##!=>
|
||||
(?:{{media-type}})
|
||||
##!=>
|
||||
(?:\s*+;\s*+
|
||||
##!=>
|
||||
(?:(?:charset\s*+=\s*+
|
||||
##!=>
|
||||
##!=> allowed-charsets
|
||||
|(?:
|
||||
##!=>
|
||||
[^c{{non-token-chars}}]{{token-chars}}*
|
||||
c[^h{{non-token-chars}}]{{token-chars}}*
|
||||
ch[^a{{non-token-chars}}]{{token-chars}}*
|
||||
cha[^r{{non-token-chars}}]{{token-chars}}*
|
||||
char[^s{{non-token-chars}}]{{token-chars}}*
|
||||
chars[^e{{non-token-chars}}]{{token-chars}}*
|
||||
charse[^t{{non-token-chars}}]{{token-chars}}*
|
||||
##!=>
|
||||
)\s*+=\s*+{{token-with-dquote-chars}}+)
|
||||
##! Clients like to violate the RFC, be lenient with
|
||||
##! terminating semi-colons.
|
||||
;?
|
||||
##!=>
|
||||
)*)*
|
||||
##!=>
|
||||
##!<
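Review bot: The header comment still says the expression matches a full HTTP `Accept` header, copied from the 920600 source; this copy is presumably consumed by the new multipart part-header rule (the 922110 tests added in this commit target `Content-Type` inside a part), so the description should name the header and rule this file actually feeds, next to the existing "duplicate of 920600.data" note. Keeping two 100-line regex sources in sync by hand is fragile for a security control: until the assembler supports includes, a `diff -q` of the two files in the CI lint step would catch drift before it reaches a release. The same case-sensitivity caveat as in the original applies here — the charset list is lowercase, so the consuming rule must lowercase the value first, and that should be written down.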
|
|
@ -0,0 +1,9 @@
|
|||
##! Please refer to the documentation at
|
||||
##! https://coreruleset.org/docs/development/regexp_assemble/.
|
||||
|
||||
##! This list is in sync with the default value of tx.allowed_request_content_type_charset.
|
||||
|
||||
iso-8859-1
|
||||
iso-8859-15
|
||||
utf-8
|
||||
windows-1252
|
|
@ -20,7 +20,7 @@ def regexp_str(str, evasion):
|
|||
if str[0] == "'":
|
||||
return str[1:]
|
||||
|
||||
result = ""
|
||||
result = ''
|
||||
for i, char in enumerate(str):
|
||||
if i > 0:
|
||||
result += evasion
|
||||
|
@ -28,31 +28,29 @@ def regexp_str(str, evasion):
|
|||
|
||||
return result
|
||||
|
||||
|
||||
# Ensure that some special characters are escaped
|
||||
def regexp_char(char, evasion):
|
||||
char = str.replace(char, ".", "\.")
|
||||
char = str.replace(char, "-", "\-")
|
||||
char = str.replace(char, "+", r"""(?:\s|<|>).*""")
|
||||
# Unix: "cat foo", "cat<foo", "cat>foo"
|
||||
char = str.replace(char, "@", r"""(?:[\s,;]|\.|/|<|>).*""")
|
||||
# Windows: "more foo", "more,foo", "more;foo", "more.com", "more/e",
|
||||
# "more<foo", "more>foo"
|
||||
char = str.replace(char, " ", "\s+")
|
||||
# Ensure multiple spaces are matched
|
||||
char = str.replace(char, '.', '\.')
|
||||
char = str.replace(char, '-', '\-')
|
||||
char = str.replace(char, '+', r'''(?:\s|<|>).*''')
|
||||
# Unix: "cat foo", "cat<foo", "cat>foo"
|
||||
char = str.replace(char, '@', r'''(?:[\s,;]|\.|/|<|>).*''')
|
||||
# Windows: "more foo", "more,foo", "more;foo", "more.com", "more/e",
|
||||
# "more<foo", "more>foo"
|
||||
char = str.replace(char, ' ', '\s+')
|
||||
# Ensure multiple spaces are matched
|
||||
return char
|
||||
|
||||
|
||||
# Insert these sequences between characters to prevent evasion.
|
||||
# This emulates the relevant parts of t:cmdLine.
|
||||
evasions = {
|
||||
"unix": r"""[\\\\'\"]*""",
|
||||
"windows": r"""[\"\^]*""",
|
||||
'unix': r'''[\\\\'\"]*''',
|
||||
'windows': r'''[\"\^]*''',
|
||||
}
|
||||
|
||||
# Parse arguments
|
||||
if len(sys.argv) <= 1 or not sys.argv[1] in evasions:
|
||||
print(sys.argv[0] + " unix|windows [infile]")
|
||||
print(sys.argv[0] + ' unix|windows [infile]')
|
||||
sys.exit(1)
|
||||
|
||||
evasion = evasions[sys.argv[1]]
|
||||
|
@ -60,7 +58,7 @@ del sys.argv[1]
|
|||
|
||||
# Process lines from input file, or if not specified, standard input
|
||||
for line in fileinput.input():
|
||||
line = line.rstrip("\n ")
|
||||
line = line.split("#")[0]
|
||||
if line != "":
|
||||
line = line.rstrip('\n ')
|
||||
line = line.split('#')[0]
|
||||
if line != '':
|
||||
print(regexp_str(line, evasion))
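Review bot: The replacement strings `'\.'`, `'\-'` and `'\s+'` (present on both sides of the hunk) are ordinary string literals with invalid escape sequences; CPython has emitted `DeprecationWarning` for these since 3.6, 3.12 promotes it to `SyntaxWarning`, and a future release will reject the file outright. Make them raw: `char = str.replace(char, '.', r'\.')`, `char = str.replace(char, '-', r'\-')`, `char = str.replace(char, ' ', r'\s+')`. The `'+'` and `'@'` replacements already use raw strings, so this also makes the block consistent with itself.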
|
||||
|
|
|
@ -0,0 +1,121 @@
|
|||
import argparse
|
||||
|
||||
# WARNING: This script is EXPERIMENTAL. Use with caution.
|
||||
#
|
||||
# Known issues:
|
||||
# * At the moment, it will probably not work with more than two strings.
|
||||
#
|
||||
# Known limitations:
|
||||
# * Any substrings of a target string will also NOT be matched. This is probably due to a limitation in this technique,
|
||||
# make sure that subtrings of the negative lookahead are not harmful in any way.
|
||||
|
||||
parser = argparse.ArgumentParser(description="This script takes a list of strings and converts them into \
|
||||
a regex that acts like a negative lookahead")
|
||||
parser.add_argument("strings", type=str, nargs='+',
|
||||
help="the strings to convert into a negative lookahead")
|
||||
parser.add_argument("--prefix", type=str, default="",
|
||||
help="sets a prefix for the resulting regex")
|
||||
parser.add_argument("--suffix", type=str, default="",
|
||||
help="sets a suffix for the resulting regex")
|
||||
|
||||
args = parser.parse_args()
|
||||
|
||||
# Return the longest prefix of all list elements. Shamelessly copied from:
|
||||
# https://stackoverflow.com/questions/6718196/determine-prefix-from-a-set-of-similar-strings
|
||||
def commonprefix(m):
|
||||
"Given a list of pathnames, returns the longest common leading component"
|
||||
if not m: return ''
|
||||
s1 = min(m)
|
||||
s2 = max(m)
|
||||
for i, c in enumerate(s1):
|
||||
if c != s2[i]:
|
||||
return s1[:i]
|
||||
return s1
|
||||
|
||||
# flatten returns a string with concatenated dictionary keys
|
||||
def flatten(dict):
|
||||
s = ""
|
||||
|
||||
for key in dict.keys():
|
||||
s += key
|
||||
|
||||
return s
|
||||
|
||||
# set returns a character set containing the unique characters across all strings for the given index
|
||||
def set(strings, index, flags):
|
||||
dict = {}
|
||||
|
||||
for s in strings:
|
||||
# Continue so we don't panic
|
||||
if index > len(s) -1:
|
||||
continue
|
||||
|
||||
dict[s[index]] = ''
|
||||
|
||||
return "[" + flags + flatten(dict) + "]"
|
||||
|
||||
# prepare converts a string for negative lookaheads emulation
|
||||
def prepare(s, offset):
|
||||
r = ""
|
||||
|
||||
if len(s) == 0:
|
||||
return r
|
||||
|
||||
for i in range(offset, len(s)):
|
||||
for j in range(0, i + 1):
|
||||
if j == i:
|
||||
r += "[^" + s[j] + "]"
|
||||
else:
|
||||
r += s[j]
|
||||
|
||||
if i != len(s) - 1:
|
||||
r += "|"
|
||||
|
||||
return r
|
||||
|
||||
# run runs the
|
||||
def run():
|
||||
strings = args.strings
|
||||
|
||||
r = ""
|
||||
r += set(strings, 0, "^")
|
||||
|
||||
c = ""
|
||||
d = {}
|
||||
|
||||
# Only find common string if we have more than one
|
||||
if len(strings) > 1:
|
||||
c = commonprefix(strings)
|
||||
|
||||
# Collect all characters after the common substring from every string
|
||||
for s in strings:
|
||||
if len(s) > len(c) and s.startswith(c):
|
||||
d[s[len(c)]] = ''
|
||||
|
||||
# Add the common string to the regex to prevent accidental matching
|
||||
if len(c) > 0:
|
||||
if len(c) > 1:
|
||||
r += "|" + "(?:" + prepare(c, 1) + ")"
|
||||
|
||||
r += "|" + "(?:" + c + "[^" + flatten(d) + "]" + ")"
|
||||
|
||||
for s in strings:
|
||||
g = ""
|
||||
|
||||
# When the common string is > 0, offset with len(c) + 1 because we handled this earlier
|
||||
if len(c) > 0:
|
||||
g = prepare(s, len(c) + 1)
|
||||
else:
|
||||
g = prepare(s, 1)
|
||||
|
||||
# Add OR boolean if necessary
|
||||
if len(g) > 0:
|
||||
r += "|"
|
||||
|
||||
r += g
|
||||
|
||||
print(args.prefix + "(?:" + r + ")" + args.suffix)
|
||||
|
||||
# Only run if script is called directly
|
||||
if __name__ == "__main__":
|
||||
run()
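Review bot: Input strings are concatenated into the generated pattern verbatim (`r += s[j]`, `"[^" + s[j] + "]"`, and `flatten(d)` inside a character class), so any string containing `]`, `\`, `^`, `-` or `.` yields a broken or silently different expression — and a negative-lookahead emulation that matches less than intended is the dangerous direction for a WAF rule. Route every literal through `re.escape` (add `import re` at the top), which also escapes the characters that are special inside a character class; the change touches `flatten`, `prepare` and the common-prefix line in `run`. Renaming `set` and `dict` so they stop shadowing the builtins is worth doing at the same time, but that is cosmetic.

```python
# flatten returns the dictionary keys concatenated and escaped for use inside a character class
def flatten(dict):
    return "".join(re.escape(key) for key in dict.keys())

# … unchanged: set() …

def prepare(s, offset):
    # … unchanged: empty check …
    for i in range(offset, len(s)):
        for j in range(0, i + 1):
            if j == i:
                r += "[^" + re.escape(s[j]) + "]"
            else:
                r += re.escape(s[j])
    # … unchanged: alternation separator and return …

# … in run(), the common-prefix alternative …
        r += "|" + "(?:" + re.escape(c) + "[^" + flatten(d) + "]" + ")"
```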
|
|
@ -1,6 +1,7 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.2
|
||||
# OWASP ModSecurity Core Rule Set ver.3.3.4
|
||||
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
|
||||
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
|
@ -389,17 +390,42 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
||||
# Content-Types that a client is allowed to send in a request.
|
||||
# Default: |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related|
|
||||
# |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json|
|
||||
# |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream|
|
||||
# |application/csp-report| |application/xss-auditor-report| |text/plain|
|
||||
# |text/xml| |application/xml| |application/soap+xml| |application/json|
|
||||
# |application/cloudevents+json| |application/cloudevents-batch+json|
|
||||
#
|
||||
# Please note, that the rule where CRS uses this variable (920420) evaluates it with operator
|
||||
# `@within`, which is case sensitive, but uses t:lowercase. You must add your whole custom
|
||||
# Content-Type with lowercase.
|
||||
#
|
||||
# Bypass Warning: some applications may not rely on the content-type request header in order
|
||||
# to parse the request body. This could make an attacker able to send malicious URLENCODED/JSON/XML
|
||||
# payloads without being detected by the WAF. Allowing request content-type that doesn't activate any
|
||||
# body processor (for example: "text/plain", "application/x-amf", "application/octet-stream", etc..)
|
||||
# could lead to a WAF bypass. For example, a malicious JSON payload submitted with a "text/plain"
|
||||
# content type may still be interpreted as JSON by a backend application but would not trigger the
|
||||
# JSON body parser at the WAF, leading to a bypass.
|
||||
#
|
||||
# To prevent blocking request with not allowed content-type by default, you can create an exclusion
|
||||
# rule that removes rule 920420. For example:
|
||||
# SecRule REQUEST_HEADERS:Content-Type "@rx ^text/plain" \
|
||||
# "id:1234,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# ctl:ruleRemoveById=920420,\
|
||||
# chain"
|
||||
# SecRule REQUEST_URI "@rx ^/foo/bar" "t:none"
|
||||
#
|
||||
# Uncomment this rule to change the default.
|
||||
#
|
||||
#SecAction \
|
||||
# "id:900220,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
|
||||
# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
|
||||
|
||||
# Allowed HTTP versions.
|
||||
# Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
@ -430,8 +456,22 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
||||
# Forbidden request headers.
|
||||
# Header names should be lowercase, enclosed by /slashes/ as delimiters.
|
||||
# Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org
|
||||
# Default: /proxy/ /lock-token/ /content-range/ /if/
|
||||
# Default: /accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/
|
||||
#
|
||||
# Note: Accept-Charset is a deprecated header that should not be used by clients and
|
||||
# ignored by servers. It can be used for a response WAF bypass, by asking for a charset
|
||||
# that the WAF cannot decode.
|
||||
# Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Charset
|
||||
#
|
||||
# Note: Content-Encoding is used to list any encodings that have been applied to the
|
||||
# original payload. It is only used for compression, which isn't supported by CRS by
|
||||
# default since it blocks newlines and null bytes inside the request body. Most
|
||||
# compression algorithms require at least null bytes per RFC. Blocking it shouldn't
|
||||
# break anything and increases security since ModSecurity is incapable of properly
|
||||
# scanning compressed request bodies.
|
||||
#
|
||||
# Note: Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org
|
||||
#
|
||||
# Uncomment this rule to change the default.
|
||||
#SecAction \
|
||||
# "id:900250,\
@ -439,7 +479,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
# setvar:'tx.restricted_headers=/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/'"
# File extensions considered static files.
# Extensions include the dot, lowercase, enclosed by /slashes/ as delimiters.
@ -826,4 +866,4 @@ SecAction \
nolog,\
pass,\
t:none,\
setvar:tx.crs_setup_version=332"
setvar:tx.crs_setup_version=334"
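Review bot: The v3.3.4 defaults this upgrade pulls in are compatibility-affecting and the PR text does not call them out: at hunk `@ -389` the default `tx.allowed_request_content_type` no longer lists `|text/plain|`, `|application/octet-stream|`, `|application/x-amf|`, `|application/csp-report|` and `|application/xss-auditor-report|`, and at hunks `@ -430` and `@ -439` `tx.restricted_headers` gains `/accept-charset/` and `/content-encoding/`. A deployment behind this WAF that posts one of the dropped content types, or that sends a `Content-Encoding` request header, will start being blocked by rule 920420 and the restricted-headers rule after the update, so a changelog entry pointing operators to the exclusion template already shown in the file (`ctl:ruleRemoveById=920420`) would save a surprise. The new comment text also explains the security reason for each tightening (body-processor bypass, charset-based response bypass, unscannable compressed bodies), which is worth echoing in that entry so nobody re-adds the old values wholesale. Whether the project carries a site-specific override for either variable elsewhere in its own setup cannot be confirmed from this hunk; if it does, it should be re-checked against the new defaults.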
@ -46,7 +46,7 @@ function do_and_check_cmd() {
return 0
}
# CRS v3.3.2
# CRS v3.3.4
echo "ℹ️ Download CRS"
git_secure_clone "https://github.com/coreruleset/coreruleset.git" "18703f1bc47e9c4ec4096853d5fb4e2a204a07a2"
git_secure_clone "https://github.com/coreruleset/coreruleset.git" "98b9d811f34a1aa72792aaf6245cb2f2c0f0a5b8"
do_and_check_cmd cp -r files/coreruleset/crs-setup.conf.example files/crs-setup.conf