Merge pull request #370 from TheophileDiot/dev

Update modsec CRS to v3.3.4
Théophile Diot 2022-11-21 15:46:03 +01:00 committed by GitHub
commit 2e0a733cdc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
70 changed files with 2825 additions and 1023 deletions


@ -14,9 +14,10 @@ jobs:
uses: actions/checkout@v2
- name: Lint Yaml
uses: ibiqlik/action-yamllint@v1
uses: ibiqlik/action-yamllint@v3
with:
file_or_dir: tests/regression/tests/**/*.yaml
format: github
file_or_dir: tests/regression/tests
config_file: .yamllint.yml
- name: Linelint
@ -24,15 +25,13 @@ jobs:
id: linelint
- name: Set up Python 3
uses: actions/setup-python@v1
uses: actions/setup-python@v2
with:
python-version: 3.6
python-version: 3.7
- name: "Check CRS syntax"
run: |
python -V
pip install --upgrade setuptools
pip install -r tests/integration/requirements.txt
git clone https://github.com/CRS-support/secrules_parsing
pip install -r secrules_parsing/requirements.txt
python secrules_parsing/secrules_parser.py -c -f rules/*.conf
pip install secrules-parsing
secrules-parser -c --output-type github -f rules/*.conf
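Review bot: `pip install secrules-parsing` on the new side of the "Check CRS syntax" step is unpinned, so each run installs whatever version PyPI currently serves and executes it against the checked-out repository; pin it, e.g. `pip install 'secrules-parsing==<PINNED_VERSION>'`, or add it to the requirements file installed just above and install that with `--require-hashes`. The action references `actions/checkout@v2`, `ibiqlik/action-yamllint@v3` and `actions/setup-python@v2` are mutable tags and could likewise be pinned to commit SHAs. `python-version: 3.7` is a plain scalar that a YAML parser reads as a float; quoting it as `'3.7'` matches the `'3.x'` form used in the regression workflow and avoids the `3.10` → `3.1` trap. The `jobs:` block this step belongs to starts outside the hunk.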


@ -22,53 +22,50 @@ jobs:
fail-fast: false
matrix:
modsec_version: [modsec2-apache]
tests: [REQUEST-911-METHOD-ENFORCEMENT,
REQUEST-913-SCANNER-DETECTION,
REQUEST-920-PROTOCOL-ENFORCEMENT,
REQUEST-921-PROTOCOL-ATTACK,
REQUEST-930-APPLICATION-ATTACK-LFI,
REQUEST-931-APPLICATION-ATTACK-RFI,
REQUEST-932-APPLICATION-ATTACK-RCE,
REQUEST-933-APPLICATION-ATTACK-PHP,
REQUEST-934-APPLICATION-ATTACK-NODEJS,
REQUEST-941-APPLICATION-ATTACK-XSS,
REQUEST-942-APPLICATION-ATTACK-SQLI,
REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION,
REQUEST-944-APPLICATION-ATTACK-JAVA]
# Will include soon for modsec3-nginx
steps:
- name: Checkout repo
- name: "Checkout repo"
uses: actions/checkout@v2
- name: Set up Python 2
uses: actions/setup-python@v1
- name: Set up Python 3
uses: actions/setup-python@v2
with:
python-version: 2.7
python-version: '3.x'
- uses: actions/cache@v2
id: cache
with:
path: ~/.cache/pip
key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
restore-keys: |
${{ runner.os }}-pip-
- name: "Run tests for ${{ matrix.modsec_version }}`"
env:
CONFIG: ${{ matrix.modsec_version }}
- name: "Install dependencies"
run: |
python -V
mkdir -p logs/"${CONFIG}"
docker-compose -f ./tests/docker-compose.yml up -d "${CONFIG}"
pip install --upgrade setuptools
pip install --upgrade setuptools wheel
pip install -r tests/regression/requirements.txt
pip install pytest-github-actions-annotate-failures
- name: "Run tests for ${{ matrix.modsec_version }}"
run: |
mkdir -p tests/logs/${{ matrix.modsec_version }}/{nginx,apache2}
docker-compose -f ./tests/docker-compose.yml up -d "${{ matrix.modsec_version }}"
# Use mounted volume path
if [[ "${CONFIG}" == *"nginx" ]]; then
LOGDIR="/var/log/nginx"
else
LOGDIR="/var/log/apache2"
fi
sed -ie "s:${LOGDIR}:${GITHUB_WORKSPACE}/logs/${CONFIG}:g" tests/regression/config.ini
py.test -vs tests/regression/CRS_Tests.py \
--config="${CONFIG}" \
--ruledir=./tests/regression/tests/${{ matrix.tests }}
py.test -vs --tb=short tests/regression/CRS_Tests.py \
--config="${{ matrix.modsec_version }}" \
--ruledir_recurse=./tests/regression/tests/
- name: "Change permissions if failed"
if: failure()
run: |
# we want to get the audit log, so change permissions (file is only for root on docker)
sudo chmod 644 tests/logs/${{ matrix.modsec_version }}/modsec_audit.log
- uses: actions/upload-artifact@v2
if: failure()
with:
name: waf-logs
path: tests/logs/${{ matrix.modsec_version }}
- name: Clean docker-compose
env:
CONFIG: modsec2-apache
run: |
docker-compose -f ./tests/docker-compose.yml stop "${CONFIG}"
docker-compose -f ./tests/docker-compose.yml stop "${{ matrix.modsec_version }}"
docker-compose -f ./tests/docker-compose.yml down
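Review bot: The new `run:` steps expand `${{ matrix.modsec_version }}` directly into the shell script (the mkdir, docker-compose up, py.test `--config`, chmod and stop lines), whereas the old steps passed it through `env: CONFIG:` and used `"${CONFIG}"`. With the matrix hard-coded to `[modsec2-apache]` this is not exploitable today, but an expression substituted into a script body is the pattern GitHub Actions warns about, and keeping `env: CONFIG: ${{ matrix.modsec_version }}` with `"${CONFIG}"` in the scripts keeps the steps safe if the matrix is later derived from an input or pull request. Separately, the `Clean docker-compose` step has no `if: always()`, so after a failing test step it is skipped: the two `if: failure()` steps run but the containers are never stopped or torn down. If the `tests:` matrix dimension at the top of the hunk survives on the new side, it is now unused, since `--ruledir_recurse=./tests/regression/tests/` replaced `${{ matrix.tests }}`. The job definition starts outside the hunk.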


@ -5,6 +5,28 @@
or the CRS Google Group at
* https://groups.google.com/a/owasp.org/forum/#!forum/modsecurity-core-rule-set-project
== Version 3.3.4 - 2022-09-20 ==
Fixes and improvements:
* Fix a regression in our former release, with the impact that some Paranoia Level 2 rules would activate even when running in Paranoia Level 1. (Simon Studer, Walter Hop)
== Version 3.3.3 - 2022-09-19 ==
Important changes:
* This update requires ModSecurity version 2.9.6 or 3.0.8 (or an updated version with backports of the security fixes in these versions) or a compatible engine supporting these changes. If you do not upgrade ModSecurity, the file REQUEST-922-MULTIPART-ATTACK.conf will cause ModSecurity to fail to start. In that case, you can temporarily delete that file. However, you will be missing protection from these rules. Therefore, we recommend upgrading your ModSecurity or other engine instead.
* By default, the request headers "Accept-Charset" and "Content-Encoding" are now blocked to prevent a WAF bypass. Especially the "Accept-Charset" header may be in use by clients. If you need to serve clients that send this header, uncomment and edit rule 900250 in crs-setup.conf.
Fixes and improvements:
* Fix CVE-2022-39955 Multiple charsets defined in Content-Type header (Jan Gora)
* Fix CVE-2022-39956 Content-Type or Content-Transfer-Encoding MIME header fields abuse (Jan Gora, Felipe Zipitria)
* Fix CVE-2022-39957 Charset accept header field resulting in response rule set bypass (Karel Knibbe, Max Leske)
* Fix CVE-2022-39958 Small range header leading to response rule set bypass (Hussein Daher, Christian Folini)
* Fix MIME header abuse via _charset_ field (Jan Gora, Felipe Zipitria)
* Fix bypass using deflated request body (Karel Knibbe)
* Fix request body partial rule set bypass via Content-Type "text/plain" (Pinaki Mondal, Andrea Menin)
* Fix XML Body Parser abuse for non-XML request bodies (Jan Gora)
* Fix body processor bypass by content-type outside the mime type declaration (Jan Gora, Simon Studer, Ervin Hegedus)
== Version 3.3.2 - 2021-06-30 ==
Fixes and improvements:


@ -2,59 +2,79 @@
## Project Co-Leads:
- [Chaim Sanders](https://github.com/csanders-git)
- [Christian Folini](https://github.com/dune73)
- [Walter Hop](https://github.com/lifeforms)
- [Felipe Zipitría](https://github.com/fzipi)
## Developers:
- [Paul Beckett](https://github.com/53cur3M3)
- [Franziska Bühler](https://github.com/franbuehler)
- [Christoph Hansen](https://github.com/emphazer)
- [Ervin Hegedus](https://github.com/airween)
- [Victor Hora](https://github.com/victorhora)
- [Andrew Howe](https://github.com/RedXanadu)
- [Max Leske](https://github.com/theseion)
- [Andrea Menin](https://github.com/theMiddleBlue)
- [Chaim Sanders](https://github.com/csanders-git)
- [Federico G. Schwindt](https://github.com/fgsch)
- [Manuel Spartan](https://github.com/spartantri)
- [Felipe Zimmerle](https://github.com/zimmerle)
- [Felipe Zipitría](https://github.com/fzipi)
- [Manuel Leos Rivas](https://github.com/spartantri)
- [Simon Studer](https://github.com/studersi)
- [Jozef Sudolský](https://github.com/azurit)
## Contributors:
- [agusmu](https://github.com/agusmu)
- [Amir Hosein Aliakbarian](https://github.com/AmirHoseinAliakbarian)
- [Zack Allen](https://github.com/zmallen)
- [azhao155](https://github.com/azhao155)
- [azurit](https://github.com/azurit)
- [Matt Bagley](https://github.com/bagley)
- [Ryan Barnett](https://github.com/rcbarnett)
- [soufianebenali](https://github.com/soufianebenali)
- [Soufiane Benali](https://github.com/soufianebenali)
- [Peter Bittner](https://github.com/bittner)
- [Allan Boll](https://github.com/allanbomsft)
- [Jeremy Brown](https://github.com/jwbrown77)
- [Brent Clark](https://github.com/brentclark)
- [Jonathan Claudius](https://github.com/claudijd)
- [coolt](https://github.com/coolt)
- [Hussein Daher](https://github.com/hussein98d)
- [Abu Dawud](https://github.com/abudawud)
- [Ashish Dixit](https://github.com/tundal45)
- [Mirko Dziadzka](https://github.com/mirkodziadzka-avi)
- [Padraig Doran](https://github.com/padraigdoran)
- [Dan Ehrlich](https://github.com/danehrlich1)
- [İlteriş Eroğlu](https://github.com/linuxgemini)
- [Umar Farook](https://github.com/umarfarook882)
- [flo405](https://github.com/flo405)
- [Fregf](https://github.com/Fregf)
- [FrozenSolid](https://github.com/frozenSolid)
- [Pásztor Gábor](https://github.com/gpasztor87)
- [Jan Gora](https://github.com/terjanq)
- [Aaron Haaf](https://github.com/Everspace)
- [Karel Knibbe](https://github.com/karelorigin)
- [Michael Haas](https://github.com/MichaelHaas)
- [henkworks](https://github.com/henkworks)
- [Tim Herren](https://github.com/nerrehmit)
- [Victor Hora](https://github.com/victorhora)
- [itsTheFae](https://github.com/itsTheFae)
- [jamuse](https://github.com/jamuse)
- [jeremyjpj0916](https://github.com/jeremyjpj0916)
- [jschleus](https://github.com/jschleus)
- [k4n5ha0](https://github.com/k4n5ha0)
- [kam821](https://github.com/kam821)
- [Katherine](https://github.com/katef)
- [kyzentun](https://github.com/kyzentun)
- [Joost de Keijzer](https://github.com/joostdekeijzer)
- [Krzysztof Kotowicz](https://github.com/koto)
- [Max Leske](https://github.com/theseion)
- Manuel Leos
- [Evgeny Marmalstein](https://github.com/shimshon70)
- [meetug](https://github.com/meetug)
- [Christian Mehlmauer](https://github.com/FireFart)
- [Pinaki Mondal](https://github.com/0xinfection)
- [Glyn Mooney](https://github.com/skidoosh)
- [na1ex](https://github.com/na1ex)
- [Jose Nazario](https://github.com/paralax)
- [Tim Herren](https://github.com/nerrehmit)
- [Scott O'Neil](https://github.com/cPanelScott)
- [NiceYouKnow](https://github.com/NiceYouKnow)
- [nobletrout](https://github.com/nobletrout)
- [Fernando Outeda](https://github.com/fog94)
- [NullIsNot0](https://github.com/NullIsNot0)
- [Robert Paprocki](https://github.com/p0pr0ck5)
@ -62,15 +82,22 @@
- [Elia Pinto](https://github.com/yersinia)
- [pyllyukko](https://github.com/pyllyukko)
- [Brian Rectanus](https://github.com/b1v1r)
- [Vandan Rohatgi](https://github.com/vandanrohatgi)
- [Rufus125](https://github.com/Rufus125)
- Ofer Shezaf
- [Takaya Saeki](https://github.com/nullpo-head)
- Breno Silva
- [Deepshikha Sinha](https://github.com/deepshikha-s)
- siric\_
- Emile-Hugo Spir
- [somechris](https://github.com/somechris)
- [Marc Stern](https://github.com/marcstern)
- [Simon Studer](https://github.com/studersi)
- [supplient](https://github.com/supplient)
- [theMiddle](https://github.com/theMiddleBlue)
- [Mike Taylor](https://github.com/miketaylr)
- [ThanhPT](https://github.com/nevol1708)
- [Timo](https://github.com/ntimo)
- [Juan-Pablo Tosso](https://github.com/jptosso)
- [vijayasija99](https://github.com/vijayasija99)
- [Ben Williams](https://github.com/benwilliams)
- [Anna Winkler](https://github.com/annawinkler)
- [Avery Wong](https://github.com/4v3r9)
@ -79,6 +106,7 @@
- [XeroChen](https://github.com/XeroChen)
- [ygrek](https://github.com/ygrek)
- [Yu Yagihashi](https://github.com/yagihash)
- [Felipe "Zimmerle" Costa](https://github.com/zimmerle)
- [Zino](https://github.com/zinoe)
- Josh Zlatin
- [Zou Guangxian](https://github.com/zouguangxian)


@ -29,4 +29,6 @@ We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beg
Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
The OWASP ModSecurity Core Rule Set is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details.


@ -0,0 +1,10 @@
## GOLD SPONSORS
* VMWare (Avi Networks)
* F5/NGINX
* Microsoft
## SILVER SPONSORS
* Bug Bounty Switzerland
* Google Cloud Armor


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -389,17 +390,42 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# Content-Types that a client is allowed to send in a request.
# Default: |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related|
# |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json|
# |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream|
# |application/csp-report| |application/xss-auditor-report| |text/plain|
# |text/xml| |application/xml| |application/soap+xml| |application/json|
# |application/cloudevents+json| |application/cloudevents-batch+json|
#
# Please note, that the rule where CRS uses this variable (920420) evaluates it with operator
# `@within`, which is case sensitive, but uses t:lowercase. You must add your whole custom
# Content-Type with lowercase.
#
# Bypass Warning: some applications may not rely on the content-type request header in order
# to parse the request body. This could make an attacker able to send malicious URLENCODED/JSON/XML
# payloads without being detected by the WAF. Allowing request content-type that doesn't activate any
# body processor (for example: "text/plain", "application/x-amf", "application/octet-stream", etc..)
# could lead to a WAF bypass. For example, a malicious JSON payload submitted with a "text/plain"
# content type may still be interpreted as JSON by a backend application but would not trigger the
# JSON body parser at the WAF, leading to a bypass.
#
# To prevent blocking request with not allowed content-type by default, you can create an exclusion
# rule that removes rule 920420. For example:
# SecRule REQUEST_HEADERS:Content-Type "@rx ^text/plain" \
# "id:1234,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# ctl:ruleRemoveById=920420,\
# chain"
# SecRule REQUEST_URI "@rx ^/foo/bar" "t:none"
#
# Uncomment this rule to change the default.
#
#SecAction \
# "id:900220,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
# Allowed HTTP versions.
# Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
@ -430,8 +456,22 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# Forbidden request headers.
# Header names should be lowercase, enclosed by /slashes/ as delimiters.
# Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org
# Default: /proxy/ /lock-token/ /content-range/ /if/
# Default: /accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/
#
# Note: Accept-Charset is a deprecated header that should not be used by clients and
# ignored by servers. It can be used for a response WAF bypass, by asking for a charset
# that the WAF cannot decode.
# Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Charset
#
# Note: Content-Encoding is used to list any encodings that have been applied to the
# original payload. It is only used for compression, which isn't supported by CRS by
# default since it blocks newlines and null bytes inside the request body. Most
# compression algorithms require at least null bytes per RFC. Blocking it shouldn't
# break anything and increases security since ModSecurity is incapable of properly
# scanning compressed request bodies.
#
# Note: Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org
#
# Uncomment this rule to change the default.
#SecAction \
# "id:900250,\
@ -439,7 +479,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
# setvar:'tx.restricted_headers=/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/'"
# File extensions considered static files.
# Extensions include the dot, lowercase, enclosed by /slashes/ as delimiters.
@ -826,4 +866,4 @@ SecAction \
nolog,\
pass,\
t:none,\
setvar:tx.crs_setup_version=332"
setvar:tx.crs_setup_version=334"
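Review bot: In the exclusion example added under the 900220 comment, `ctl:ruleRemoveById=920420` sits on the chain-starter rule (the `REQUEST_HEADERS:Content-Type` check) instead of on the final chained `REQUEST_URI` rule. If ModSecurity runs a chain starter's non-disruptive actions as soon as that rule matches — which is presumably why the `TX:enforce_bodyproc_urlencoded` chain in REQUEST-901 in this same change keeps its `ctl:` on the last rule — the `^/foo/bar` condition does not restrict the exclusion and 920420 is removed for every text/plain request, reintroducing the body-processor bypass the preceding warning describes. Suggested change: remove `ctl:ruleRemoveById=920420,\` from the starter and make the last line `# SecRule REQUEST_URI "@rx ^/foo/bar" "t:none,ctl:ruleRemoveById=920420"`. The sentence `# To prevent blocking request with not allowed content-type by default` also reads awkwardly; `# To allow a content-type outside the default list for specific requests, create an exclusion rule that removes rule 920420, for example:` says what the example does.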


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -25,7 +26,7 @@
#
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature
#
SecComponentSignature "OWASP_CRS/3.3.2"
SecComponentSignature "OWASP_CRS/3.3.4"
#
# -=[ Default setup values ]=-
@ -58,7 +59,7 @@ SecRule &TX:crs_setup_version "@eq 0" \
log,\
auditlog,\
msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL'"
@ -76,7 +77,7 @@ SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.inbound_anomaly_score_threshold=5'"
# Default Outbound Anomaly Threshold Level (rule 900110 in setup.conf)
@ -85,7 +86,7 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.outbound_anomaly_score_threshold=4'"
# Default Paranoia Level (rule 900000 in setup.conf)
@ -94,7 +95,7 @@ SecRule &TX:paranoia_level "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.paranoia_level=1'"
# Default Executing Paranoia Level (rule 900000 in setup.conf)
@ -103,7 +104,7 @@ SecRule &TX:executing_paranoia_level "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}'"
# Default Sampling Percentage (rule 900400 in setup.conf)
@ -112,7 +113,7 @@ SecRule &TX:sampling_percentage "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.sampling_percentage=100'"
# Default Anomaly Scores (rule 900100 in setup.conf)
@ -121,7 +122,7 @@ SecRule &TX:critical_anomaly_score "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.critical_anomaly_score=5'"
SecRule &TX:error_anomaly_score "@eq 0" \
@ -129,7 +130,7 @@ SecRule &TX:error_anomaly_score "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.error_anomaly_score=4'"
SecRule &TX:warning_anomaly_score "@eq 0" \
@ -137,7 +138,7 @@ SecRule &TX:warning_anomaly_score "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.warning_anomaly_score=3'"
SecRule &TX:notice_anomaly_score "@eq 0" \
@ -145,7 +146,7 @@ SecRule &TX:notice_anomaly_score "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.notice_anomaly_score=2'"
# Default do_reput_block
@ -154,7 +155,7 @@ SecRule &TX:do_reput_block "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.do_reput_block=0'"
# Default block duration
@ -163,7 +164,7 @@ SecRule &TX:reput_block_duration "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.reput_block_duration=300'"
# Default HTTP policy: allowed_methods (rule 900200)
@ -172,7 +173,7 @@ SecRule &TX:allowed_methods "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
# Default HTTP policy: allowed_request_content_type (rule 900220)
@ -181,8 +182,8 @@ SecRule &TX:allowed_request_content_type "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
# Default HTTP policy: allowed_request_content_type_charset (rule 900270)
SecRule &TX:allowed_request_content_type_charset "@eq 0" \
@ -190,7 +191,7 @@ SecRule &TX:allowed_request_content_type_charset "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
# Default HTTP policy: allowed_http_versions (rule 900230)
@ -199,7 +200,7 @@ SecRule &TX:allowed_http_versions "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
# Default HTTP policy: restricted_extensions (rule 900240)
@ -208,7 +209,7 @@ SecRule &TX:restricted_extensions "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
# Default HTTP policy: restricted_headers (rule 900250)
@ -217,8 +218,8 @@ SecRule &TX:restricted_headers "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.restricted_headers=/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/'"
# Default HTTP policy: static_extensions (rule 900260)
SecRule &TX:static_extensions "@eq 0" \
@ -226,7 +227,7 @@ SecRule &TX:static_extensions "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
# Default enforcing of body processor URLENCODED
@ -235,7 +236,7 @@ SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.enforce_bodyproc_urlencoded=0'"
#
@ -253,7 +254,7 @@ SecAction \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.anomaly_score=0',\
setvar:'tx.anomaly_score_pl1=0',\
setvar:'tx.anomaly_score_pl2=0',\
@ -290,7 +291,7 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \
pass,\
t:none,t:sha1,t:hexEncode,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.ua_hash=%{MATCHED_VAR}'"
SecAction \
@ -299,7 +300,7 @@ SecAction \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
initcol:global=global,\
initcol:ip=%{remote_addr}_%{tx.ua_hash},\
setvar:'tx.real_ip=%{remote_addr}'"
@ -320,7 +321,7 @@ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
msg:'Enabling body inspection',\
tag:'paranoia-level/1',\
ctl:forceRequestBodyVariable=On,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Force body processor URLENCODED
SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
@ -331,7 +332,7 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
nolog,\
noauditlog,\
msg:'Enabling forced body inspection for ASCII content',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
"ctl:requestBodyProcessor=URLENCODED"
@ -370,7 +371,7 @@ SecRule TX:sampling_percentage "@eq 100" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
skipAfter:END-SAMPLING"
SecRule UNIQUE_ID "@rx ^." \
@ -379,7 +380,7 @@ SecRule UNIQUE_ID "@rx ^." \
pass,\
t:sha1,t:hexEncode,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'TX.sampling_rnd100=%{MATCHED_VAR}'"
SecRule DURATION "@rx (..)$" \
@ -388,7 +389,7 @@ SecRule DURATION "@rx (..)$" \
pass,\
capture,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'TX.sampling_rnd100=%{TX.sampling_rnd100}%{TX.1}'"
SecRule TX:sampling_rnd100 "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
@ -397,7 +398,7 @@ SecRule TX:sampling_rnd100 "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
pass,\
capture,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'"
SecRule TX:sampling_rnd100 "@rx ^0([0-9])" \
@ -406,7 +407,7 @@ SecRule TX:sampling_rnd100 "@rx ^0([0-9])" \
pass,\
capture,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'TX.sampling_rnd100=%{TX.1}'"
@ -431,7 +432,7 @@ SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
noauditlog,\
msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\
ctl:ruleEngine=Off,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
SecMarker "END-SAMPLING"
@ -449,4 +450,4 @@ SecRule TX:executing_paranoia_level "@lt %{tx.paranoia_level}" \
t:none,\
log,\
msg:'Executing paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
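Review bot: The `&TX:crs_setup_version "@eq 0"` check at the top of this section still fires only when the variable is unset, so after the bump to `334` a deployment that keeps a crs-setup.conf from 3.3.2 (reporting `332`) starts without any warning. That matters for this release because the defaults tightened here — `tx.allowed_request_content_type` dropping `|text/plain|`, `|application/x-amf|` and `|application/octet-stream|`, and `tx.restricted_headers` gaining `/accept-charset/ /content-encoding/` — are guarded by `"@eq 0"` as well, so a stale setup file with rule 900220 or 900250 uncommented silently keeps the 3.3.2 lists and the bypasses listed in CHANGES. Consider a non-blocking companion rule (`pass`, `log`) on `TX:crs_setup_version "!@eq 334"` whose `msg:` points at the CHANGES entry, or at least a comment above the existing check noting that it does not detect a stale setup file. The check's `SecRule` line is outside the hunk.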


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -68,7 +69,7 @@ SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
@ -77,7 +78,7 @@ SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
@ -115,7 +116,7 @@ SecAction "id:9001100,\
nolog,\
ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES_NAMES,\
ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
#
@ -130,7 +131,7 @@ SecRule REQUEST_FILENAME "@endsWith /core/install.php" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:account[pass][pass1],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:account[pass][pass2],\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
SecRule REQUEST_FILENAME "@endsWith /user/login" \
"id:9001112,\
@ -139,7 +140,7 @@ SecRule REQUEST_FILENAME "@endsWith /user/login" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
SecRule REQUEST_FILENAME "@endsWith /admin/people/create" \
"id:9001114,\
@ -148,7 +149,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/people/create" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass1],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass2],\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
SecRule REQUEST_FILENAME "@rx /user/[0-9]+/edit$" \
"id:9001116,\
@ -158,7 +159,7 @@ SecRule REQUEST_FILENAME "@rx /user/[0-9]+/edit$" \
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:current_pass,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass1],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass2],\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
#
@ -178,7 +179,7 @@ SecRule REQUEST_FILENAME "@contains /admin/config/" \
pass,\
nolog,\
ctl:ruleRemoveById=942430,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
SecRule REQUEST_FILENAME "@endsWith /admin/config/people/accounts" \
"id:9001124,\
@ -195,7 +196,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/people/accounts" \
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_activated_body,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_blocked_body,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_canceled_body,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/configuration/single/import" \
"id:9001126,\
@ -204,7 +205,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/development/configuration/sing
nolog,\
ctl:ruleRemoveById=920271,\
ctl:ruleRemoveById=942440,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
"id:9001128,\
@ -212,7 +213,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
pass,\
nolog,\
ctl:ruleRemoveById=942440,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
#
@ -229,7 +230,7 @@ SecRule REQUEST_FILENAME "@endsWith /contextual/render" \
pass,\
nolog,\
ctl:ruleRemoveTargetById=942130;ARGS:ids[],\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
#
@ -248,7 +249,7 @@ SecAction "id:9001160,\
ctl:ruleRemoveTargetById=942440;ARGS:form_build_id,\
ctl:ruleRemoveTargetById=942450;ARGS:form_token,\
ctl:ruleRemoveTargetById=942450;ARGS:form_build_id,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
#
@ -265,7 +266,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/content/formats/manage/full_ht
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:editor[settings][toolbar][button_groups],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:filters[filter_html][settings][allowed_html],\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
#
@ -349,7 +350,7 @@ SecRule REQUEST_FILENAME "@endsWith /node/add/article" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
SecRule REQUEST_FILENAME "@endsWith /node/add/page" \
"id:9001202,\
@ -358,7 +359,7 @@ SecRule REQUEST_FILENAME "@endsWith /node/add/page" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \
"id:9001204,\
@ -368,7 +369,7 @@ SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
ctl:ruleRemoveTargetById=932110;ARGS:destination,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
SecRule REQUEST_FILENAME "@endsWith /block/add" \
"id:9001206,\
@ -376,7 +377,7 @@ SecRule REQUEST_FILENAME "@endsWith /block/add" \
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/basic" \
"id:9001208,\
@ -384,7 +385,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:description,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(?:full|basic)_html$" \
"id:9001210,\
@ -392,7 +393,7 @@ SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(?:full|basic)_html$" \
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:value,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
SecRule REQUEST_FILENAME "@rx /user/[0-9]+/contact$" \
"id:9001212,\
@ -400,7 +401,7 @@ SecRule REQUEST_FILENAME "@rx /user/[0-9]+/contact$" \
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message[0][value],\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
"id:9001214,\
@ -408,7 +409,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:maintenance_mode_message,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
SecRule REQUEST_FILENAME "@endsWith /admin/config/services/rss-publishing" \
"id:9001216,\
@ -416,7 +417,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/services/rss-publishing" \
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:feed_description,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
SecMarker "END-DRUPAL-RULE-EXCLUSIONS"


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -22,7 +23,7 @@ SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
skipAfter:END-WORDPRESS"
SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
@ -31,7 +32,7 @@ SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
skipAfter:END-WORDPRESS"
@ -52,7 +53,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Reset password
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
@ -61,7 +62,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule ARGS:action "@streq resetpass" \
"t:none,\
@ -85,7 +86,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-comments-post.php" \
t:none,\
nolog,\
ctl:ruleRemoveTargetById=931130;ARGS:url,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
#
@ -102,7 +103,7 @@ SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:posts|pages)" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:content,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.content,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Gutenberg via rest_route for sites without pretty permalinks
SecRule REQUEST_FILENAME "@endsWith /index.php" \
@ -111,7 +112,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule &ARGS:rest_route "@eq 1" \
"t:none,\
@ -131,7 +132,7 @@ SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/media" \
nolog,\
ctl:ruleRemoveById=200002,\
ctl:ruleRemoveById=200003,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Gutenberg upload image/media via rest_route for sites without pretty permalinks
SecRule REQUEST_FILENAME "@endsWith /index.php" \
@ -140,7 +141,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule &ARGS:rest_route "@eq 1" \
"t:none,\
@ -169,7 +170,7 @@ SecRule ARGS:wp_customize "@streq on" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule &ARGS:action "@eq 0" \
"t:none,\
@ -190,7 +191,7 @@ SecRule ARGS:wp_customize "@streq on" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule ARGS:action "@rx ^(?:|customize_save|update-widget)$" \
"t:none,\
@ -231,7 +232,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-cron.php" \
nolog,\
ctl:ruleRemoveById=920180,\
ctl:ruleRemoveById=920300,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
#
@ -246,7 +247,7 @@ SecRule REQUEST_COOKIES:_wp_session "@rx ^[0-9a-f]+\|\|\d+\|\|\d+$" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule &REQUEST_COOKIES:_wp_session "@eq 1" \
"t:none,\
@ -265,7 +266,7 @@ SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
skipAfter:END-WORDPRESS-ADMIN"
SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
@ -274,7 +275,7 @@ SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
skipAfter:END-WORDPRESS-ADMIN"
@ -289,7 +290,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/setup-config.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule ARGS:step "@streq 2" \
"t:none,\
@ -305,7 +306,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/install.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule ARGS:step "@streq 2" \
"t:none,\
@ -328,7 +329,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/profile.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule ARGS:action "@streq update" \
"t:none,\
@ -356,7 +357,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-edit.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule ARGS:action "@streq update" \
"t:none,\
@ -385,7 +386,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-new.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule ARGS:action "@streq createuser" \
"t:none,\
@ -426,7 +427,7 @@ SecAction \
ctl:ruleRemoveTargetById=942200;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942260;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942431;ARGS:wp_http_referer,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
#
# [ Content editing ]
@ -443,7 +444,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule ARGS:action "@rx ^(?:edit|editpost)$" \
"t:none,\
@ -463,7 +464,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule ARGS:action "@streq heartbeat" \
"t:none,\
@ -485,7 +486,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/nav-menus.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule ARGS:action "@streq update" \
"t:none,\
@ -510,7 +511,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule ARGS:action "@rx ^(?:save-widget|update-widget)$" \
"t:none,\
@ -565,7 +566,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule ARGS:action "@streq widgets-order" \
"t:none,\
@ -594,7 +595,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule ARGS:action "@streq sample-permalink" \
"t:none,\
@ -610,7 +611,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule ARGS:action "@streq add-menu-item" \
"t:none,\
@ -626,7 +627,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule ARGS:action "@streq send-attachment-to-editor" \
"t:none,\
@ -647,7 +648,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule ARGS:option_page "@streq general" \
"t:none,\
@ -678,7 +679,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/options-permalink.php" \
ctl:ruleRemoveTargetById=920272;ARGS:permalink_structure,\
ctl:ruleRemoveTargetById=942431;ARGS:permalink_structure,\
ctl:ruleRemoveTargetById=920272;REQUEST_BODY,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Comments blacklist and moderation list
SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
@ -687,7 +688,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule ARGS:option_page "@streq discussion" \
"t:none,\
@ -711,7 +712,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/edit.php" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:s,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
#
@ -750,7 +751,7 @@ SecRule REQUEST_FILENAME "@rx /wp-admin/load-(?:scripts|styles)\.php$" \
ctl:ruleRemoveTargetById=942430;ARGS:load[],\
ctl:ruleRemoveTargetById=942431;ARGS:load[],\
ctl:ruleRemoveTargetById=942432;ARGS:load[],\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
SecMarker "END-WORDPRESS-ADMIN"


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -43,7 +44,7 @@ SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
skipAfter:END-NEXTCLOUD"
SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \
@ -52,7 +53,7 @@ SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
skipAfter:END-NEXTCLOUD"
@ -74,7 +75,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \
ctl:ruleRemoveById=953100-953130,\
ctl:ruleRemoveById=920420,\
ctl:ruleRemoveById=920440,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Skip PUT parsing for invalid encoding / protocol violations in binary files.
@ -84,7 +85,7 @@ SecRule REQUEST_METHOD "@streq PUT" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \
"t:none,\
@ -102,7 +103,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'"
# Allow the data type 'application/octet-stream'
@ -113,7 +114,7 @@ SecRule REQUEST_METHOD "@rx ^(?:PUT|MOVE)$" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule REQUEST_FILENAME "@rx /remote\.php/dav/(?:files|uploads)/" \
"setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |application/octet-stream|'"
@ -126,7 +127,7 @@ SecRule REQUEST_METHOD "@streq PUT" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule REQUEST_FILENAME "@rx (?:/public\.php/webdav/|/remote\.php/dav/uploads/)" \
"ctl:ruleRemoveById=920340,\
@ -147,7 +148,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
ctl:ruleRemoveById=951000-951999,\
ctl:ruleRemoveById=953100-953130,\
ctl:ruleRemoveById=920440,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Allow REPORT requests without Content-Type header (at least the iOS app does this)
@ -176,7 +177,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/core/search" \
ctl:ruleRemoveTargetByTag=attack-injection-php;ARGS:query,\
ctl:ruleRemoveTargetById=941000-942999;ARGS:query,\
ctl:ruleRemoveTargetById=932000-932999;ARGS:query,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# [ DAV ]
@ -198,7 +199,7 @@ SecRule REQUEST_FILENAME "@rx /(?:remote|index|public)\.php/" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT PATCH CHECKOUT COPY DELETE LOCK MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH UNLOCK REPORT TRACE jsonp'"
@ -212,7 +213,7 @@ SecRule REQUEST_FILENAME "@rx /ocs/v[0-9]+\.php/apps/files_sharing/" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE'"
@ -225,7 +226,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/core/preview.png" \
t:none,\
nolog,\
ctl:ruleRemoveTargetById=932150;ARGS:file,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Filepreview for trashbin
@ -237,7 +238,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/files_trashbin/ajax/preview.
nolog,\
ctl:ruleRemoveTargetById=932150;ARGS:file,\
ctl:ruleRemoveTargetById=942190;ARGS:file,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
SecRule REQUEST_FILENAME "@rx /index\.php/(?:apps/gallery/thumbnails|logout$)" \
"id:9003160,\
@ -246,7 +247,7 @@ SecRule REQUEST_FILENAME "@rx /index\.php/(?:apps/gallery/thumbnails|logout$)" \
t:none,\
nolog,\
ctl:ruleRemoveTargetById=941120;ARGS:requesttoken,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# [ Ownnote ]
@ -258,7 +259,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/ownnote/" \
t:none,\
nolog,\
ctl:ruleRemoveById=941150,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# [ Text Editor ]
@ -276,7 +277,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/files_texteditor/" \
ctl:ruleRemoveTargetById=932150;ARGS:filename,\
ctl:ruleRemoveTargetById=920370-920390;ARGS:filecontents,\
ctl:ruleRemoveTargetById=920370-920390;ARGS_COMBINED_SIZE,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# [ Address Book ]
@ -289,7 +290,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'"
# Allow modifying contacts via the web interface
@ -315,7 +316,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/calendars/" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/calendar|'"
# Allow modifying calendar events via the web interface
@ -343,7 +344,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/notes/" \
t:none,\
nolog,\
ctl:ruleRemoveByTag=attack-injection-php,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# [ Bookmarks ]
@ -357,7 +358,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/bookmarks/" \
t:none,\
nolog,\
ctl:ruleRemoveById=931130,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
#
@ -376,7 +377,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/login" \
nolog,\
ctl:ruleRemoveTargetById=941100;ARGS:requesttoken,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Reset password.
@ -386,7 +387,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php/login" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule ARGS:action "@streq resetpass" \
"t:none,\
@ -407,7 +408,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php/settings/users" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:newuserpassword,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
SecMarker "END-NEXTCLOUD-ADMIN"


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -26,7 +27,7 @@ SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
skipAfter:END-DOKUWIKI"
SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \
@ -35,7 +36,7 @@ SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
skipAfter:END-DOKUWIKI"
@ -80,7 +81,7 @@ SecRule REQUEST_FILENAME "@rx (?:/doku.php|/lib/exe/ajax.php)$" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule REQUEST_METHOD "@streq POST" \
"t:none,\
@ -105,7 +106,7 @@ SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php" \
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule REQUEST_METHOD "@streq POST" \
"t:none,\
@ -124,7 +125,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule ARGS:do "@streq index" \
"t:none,\
@ -148,7 +149,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule ARGS:do "@streq login" \
"t:none,\
@ -169,7 +170,7 @@ SecRule ARGS:do "!@streq admin" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
skipAfter:END-DOKUWIKI-ADMIN"
SecRule ARGS:do "!@streq admin" \
@ -178,7 +179,7 @@ SecRule ARGS:do "!@streq admin" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
skipAfter:END-DOKUWIKI-ADMIN"
@ -193,7 +194,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule ARGS:do "@streq login" \
"t:none,\
@ -219,7 +220,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule ARGS:page "@streq config" \
"t:none,\
@ -251,7 +252,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule ARGS:page "@streq config" \
"t:none,\


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -18,7 +19,7 @@ SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
skipAfter:END-CPANEL"
SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
@ -27,7 +28,7 @@ SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
skipAfter:END-CPANEL"
@ -52,7 +53,7 @@ SecRule REQUEST_LINE "@rx ^GET /whm-server-status(?:/|/\?auto)? HTTP/[12]\.[01]$
tag:'language-multi',\
tag:'platform-apache',\
tag:'attack-generic',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
"t:none,\


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -17,7 +18,7 @@ SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
skipAfter:END-XENFORO"
SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \
@ -26,7 +27,7 @@ SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
skipAfter:END-XENFORO"
@ -48,7 +49,7 @@ SecRule REQUEST_FILENAME "@endsWith /proxy.php" \
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:link,\
ctl:ruleRemoveTargetById=931130;ARGS:referrer,\
ctl:ruleRemoveTargetById=942230;ARGS:referrer,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Store drafts for private message, forum post, thread reply
# POST /xf/conversations/draft
@ -72,7 +73,7 @@ SecRule REQUEST_FILENAME "@rx /(?:conversations|(?:conversations|forums|threads)
ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Send PM, edit post, create thread, reply to thread
# POST /xf/conversations/add
@ -99,7 +100,7 @@ SecRule REQUEST_FILENAME "@rx /(?:conversations/add(?:-preview)?|conversations/m
ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Quote
# POST /xf/posts/12345/quote
@ -110,7 +111,7 @@ SecRule REQUEST_FILENAME "@rx /posts/\d+/quote$" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:quoteHtml,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Multi quote
# POST /xf/conversations/convo-title.12345/multi-quote
@ -133,7 +134,7 @@ SecRule REQUEST_FILENAME "@rx /(?:conversations|threads)/.*\.\d+/multi-quote$" \
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[7][value],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[8][value],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[9][value],\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Delete thread
# POST /xf/threads/thread-title.12345/delete
@ -144,7 +145,7 @@ SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/delete$" \
t:none,\
nolog,\
ctl:ruleRemoveTargetById=942130;ARGS:starter_alert_reason,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Feature thread
# POST /xf/threads/thread-title.12345/feature-edit
@ -166,7 +167,7 @@ SecRule REQUEST_FILENAME "@endsWith /inline-mod/" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:author_alert_reason,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Warn member
# POST /xf/members/name.12345/warn
@ -179,7 +180,7 @@ SecRule REQUEST_FILENAME "@rx /(?:members/.*\.\d+|posts/\d+)/warn$" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:conversation_message,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:notes,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Editor
SecRule REQUEST_URI "@endsWith /index.php?editor/to-html" \
@ -193,7 +194,7 @@ SecRule REQUEST_URI "@endsWith /index.php?editor/to-html" \
ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Editor
SecRule REQUEST_URI "@endsWith /index.php?editor/to-bb-code" \
@ -203,7 +204,7 @@ SecRule REQUEST_URI "@endsWith /index.php?editor/to-bb-code" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:html,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Post attachment
# POST /xf/account/avatar
@ -219,7 +220,7 @@ SecRule REQUEST_FILENAME "@rx /(?:account/avatar|attachments/upload)$" \
ctl:ruleRemoveTargetById=942440;ARGS:flowIdentifier,\
ctl:ruleRemoveTargetById=942440;ARGS:flowFilename,\
ctl:ruleRemoveTargetById=942440;ARGS:flowRelativePath,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Media
# POST /xf/index.php?editor/media
@ -231,7 +232,7 @@ SecRule REQUEST_URI "@endsWith /index.php?editor/media" \
nolog,\
ctl:ruleRemoveTargetById=931130;ARGS:url,\
ctl:ruleRemoveTargetById=942130;ARGS:url,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Emoji
# GET /xf/index.php?misc/find-emoji&q=(%0A%0A
@ -242,7 +243,7 @@ SecRule REQUEST_URI "@rx /index\.php\?misc/find-emoji&q=" \
t:none,\
nolog,\
ctl:ruleRemoveTargetById=921151;ARGS:q,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Login
# POST /xf/login/login
@ -253,7 +254,7 @@ SecRule REQUEST_FILENAME "@endsWith /login/login" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Register account
# POST /xf/register/register
@ -268,7 +269,7 @@ SecRule REQUEST_FILENAME "@endsWith /register/register" \
nolog,\
ctl:ruleRemoveTargetById=942130;ARGS,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:reg_key,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Confirm account
# GET /xf/account-confirmation/name.12345/email?c=foo
@ -290,7 +291,7 @@ SecRule REQUEST_FILENAME "@endsWith /account/account-details" \
nolog,\
ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:about_html,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Lost password
# POST /xf/lost-password/user-name.12345/confirm?c=foo
@ -301,7 +302,7 @@ SecRule REQUEST_FILENAME "@rx /lost-password/.*\.\d+/confirm$" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:c,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Set forum signature
# POST /xf/account/signature
@ -312,7 +313,7 @@ SecRule REQUEST_FILENAME "@endsWith /account/signature" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:signature_html,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Search
# POST /xf/search/search
@ -327,7 +328,7 @@ SecRule REQUEST_FILENAME "@endsWith /search/search" \
ctl:ruleRemoveTargetById=942260;ARGS:constraints,\
ctl:ruleRemoveTargetById=942340;ARGS:constraints,\
ctl:ruleRemoveTargetById=942370;ARGS:constraints,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Search within thread
# GET /xf/threads/foo.12345/page12?highlight=foo
@ -338,7 +339,7 @@ SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/(?:page\d+)?$" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:highlight,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Search within search result
# GET /xf/search/12345/?q=foo
@ -349,7 +350,7 @@ SecRule REQUEST_FILENAME "@rx /search/\d+/$" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:q,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Contact form
# POST /xf/misc/contact
@ -361,7 +362,7 @@ SecRule REQUEST_FILENAME "@endsWith /misc/contact" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:subject,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Report post
# POST /xf/posts/12345/report
@ -372,7 +373,7 @@ SecRule REQUEST_FILENAME "@rx /posts/\d+/report$" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Alternate thread view route
# /xf/index.php?threads/title-having-some-sql.12345/
@ -387,7 +388,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule REQUEST_METHOD "@streq GET" \
"t:none,\
@ -411,7 +412,7 @@ SecRule REQUEST_URI "@endsWith /index.php?dbtech-security/fingerprint" \
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[14][value],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[15][value],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[16][value],\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Get location info
SecRule REQUEST_FILENAME "@endsWith /misc/location-info" \
@ -421,7 +422,7 @@ SecRule REQUEST_FILENAME "@endsWith /misc/location-info" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:location,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
#
# -=[ XenForo Global Exclusions ]=-
@ -454,7 +455,7 @@ SecAction \
ctl:ruleRemoveTargetByTag=OWASP_CRS;REQUEST_COOKIES:xf_ls,\
ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_session,\
ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_user,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
#
# -=[ XenForo Administration Back-End ]=-
@ -468,7 +469,7 @@ SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
skipAfter:END-XENFORO-ADMIN"
SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
@ -477,7 +478,7 @@ SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
skipAfter:END-XENFORO-ADMIN"
# Admin edit user
@ -490,7 +491,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/edit$" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[about],\
ctl:ruleRemoveTargetById=931130;ARGS:profile[website],\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Admin save user
# POST /xf/admin.php?users/the-user-name.12345/save
@ -509,7 +510,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/save$" \
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[sexuality],\
ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\
ctl:ruleRemoveTargetById=931130;ARGS:profile[website],\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Admin edit forum notice
@ -523,7 +524,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?notices/(?:.*\.)?\d+/save$" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Admin batch thread update
# POST /xf/admin.php?threads/batch-update/action
@ -538,7 +539,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?(?:threads|users)/batch-update/action$" \
ctl:ruleRemoveTargetById=942330;ARGS:criteria,\
ctl:ruleRemoveTargetById=942340;ARGS:criteria,\
ctl:ruleRemoveTargetById=942370;ARGS:criteria,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Edit forum theme
# POST /xf/admin.php?styles/title.1234/style-properties/group&group=basic
@ -555,7 +556,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?styles/" \
ctl:ruleRemoveTargetById=942340;ARGS:json,\
ctl:ruleRemoveTargetById=942370;ARGS:json,\
ctl:ruleRemoveTargetById=942440;ARGS:json,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Set forum options
# POST /xf/admin.php?options/update
@ -566,7 +567,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?options/update" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:options[boardInactiveMessage],\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Edit pages/templates
# POST /xf/admin.php?pages/0/save
@ -579,7 +580,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?(?:pages|templates)/.*/save" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:template,\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
SecMarker "END-XENFORO-ADMIN"


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -23,7 +24,7 @@ SecRule REQUEST_LINE "@streq GET /" \
tag:'language-multi',\
tag:'platform-apache',\
tag:'attack-generic',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
"t:none,\
@ -43,7 +44,7 @@ SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
tag:'language-multi',\
tag:'platform-apache',\
tag:'attack-generic',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \
"t:none,\


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -40,7 +41,7 @@ SecRule TX:DO_REPUT_BLOCK "@eq 1" \
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain,\
skipAfter:BEGIN-REQUEST-BLOCKING-EVAL"
@ -70,7 +71,7 @@ SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule TX:REAL_IP "@geoLookup" \
@ -125,7 +126,7 @@ SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
skipAfter:END-RBL-LOOKUP"
#
@ -149,7 +150,7 @@ SecRule &TX:block_suspicious_ip "@eq 0" \
nolog,\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain,\
skipAfter:END-RBL-CHECK"
SecRule &TX:block_harvester_ip "@eq 0" \
@ -171,7 +172,7 @@ SecRule TX:REAL_IP "@rbl dnsbl.httpbl.org" \
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.httpbl_msg=%{tx.0}',\
chain"
SecRule TX:httpbl_msg "@rx RBL lookup of .*?.dnsbl.httpbl.org succeeded at TX:checkip. (.*?): .*" \
@ -192,7 +193,7 @@ SecRule TX:block_search_ip "@eq 1" \
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain,\
skipAfter:END-RBL-CHECK"
@ -216,7 +217,7 @@ SecRule TX:block_spammer_ip "@eq 1" \
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain,\
skipAfter:END-RBL-CHECK"
@ -240,7 +241,7 @@ SecRule TX:block_suspicious_ip "@eq 1" \
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain,\
skipAfter:END-RBL-CHECK"
@ -264,7 +265,7 @@ SecRule TX:block_harvester_ip "@eq 1" \
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain,\
skipAfter:END-RBL-CHECK"
@ -287,7 +288,7 @@ SecAction \
tag:'platform-multi',\
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'ip.previous_rbl_check=1',\
expirevar:'ip.previous_rbl_check=86400'"


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -38,7 +39,7 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/274',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -69,7 +70,7 @@ SecRule &TX:dos_burst_time_slice "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain,\
skipAfter:END-DOS-PROTECTION-CHECKS"
SecRule &TX:dos_counter_threshold "@eq 0" \
@ -82,7 +83,7 @@ SecRule &TX:dos_burst_time_slice "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain,\
skipAfter:END-DOS-PROTECTION-CHECKS"
SecRule &TX:dos_counter_threshold "@eq 0" \
@ -115,7 +116,7 @@ SecRule IP:DOS_BLOCK "@eq 1" \
tag:'attack-dos',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule &IP:DOS_BLOCK_FLAG "@eq 0" \
"setvar:'ip.dos_block_counter=+1',\
@ -141,7 +142,7 @@ SecRule IP:DOS_BLOCK "@eq 1" \
tag:'attack-dos',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'ip.dos_block_counter=+1'"
@ -163,7 +164,7 @@ SecRule IP:DOS_BLOCK "@eq 1" \
tag:'platform-multi',\
tag:'paranoia-level/1',\
tag:'attack-dos',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
skipAfter:END-DOS-PROTECTION-CHECKS"
@ -184,7 +185,7 @@ SecRule REQUEST_BASENAME "@rx .*?(\.[a-z0-9]{1,10})?$" \
tag:'attack-dos',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.extension=/%{TX.1}/',\
chain"
SecRule TX:EXTENSION "!@within %{tx.static_extensions}" \
@ -216,7 +217,7 @@ SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
tag:'attack-dos',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule &IP:DOS_BURST_COUNTER "@eq 0" \
"setvar:'ip.dos_burst_counter=1',\
@ -237,7 +238,7 @@ SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
tag:'attack-dos',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule &IP:DOS_BURST_COUNTER "@ge 1" \
"setvar:'ip.dos_burst_counter=2',\
@ -264,7 +265,7 @@ SecRule IP:DOS_BURST_COUNTER "@ge 2" \
tag:'attack-dos',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'ip.dos_block=1',\
expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"
@ -298,7 +299,7 @@ SecRule IP:DOS_BURST_COUNTER "@ge 1" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'ip.dos_block=1',\
expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -46,7 +47,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'ip.reput_block_flag=1',\
@ -69,7 +70,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data
tag:'OWASP_CRS',\
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'ip.reput_block_flag=1',\
@ -94,7 +95,7 @@ SecRule REQUEST_FILENAME|ARGS "@pmFromFile scanners-urls.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'ip.reput_block_flag=1',\
@ -134,7 +135,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'ip.reput_block_flag=1',\
@ -168,7 +169,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'ip.reput_block_flag=1',\


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -58,7 +59,7 @@ SecRule REQUEST_LINE "!@rx ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -109,7 +110,7 @@ SecRule FILES_NAMES|FILES "@rx (?<!&(?:[aAoOuUyY]uml)|&(?:[aAeEiIoOuU]circ)|&(?:
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -138,7 +139,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -172,7 +173,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \
@ -197,7 +198,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
@ -233,7 +234,7 @@ SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
chain"
SecRule REQUEST_METHOD "@streq POST" \
@ -262,7 +263,7 @@ SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
tag:'attack-protocol',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
chain"
SecRule &REQUEST_HEADERS:Content-Length "!@eq 0" \
@ -300,7 +301,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
chain"
SecRule TX:2 "@lt %{tx.1}" \
@ -333,7 +334,7 @@ SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -366,7 +367,7 @@ SecRule REQUEST_URI "@rx \x25" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
chain"
SecRule REQUEST_URI "@validateUrlEncoding" \
@ -386,7 +387,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
chain"
SecRule REQUEST_BODY "@rx \x25" \
@ -418,7 +419,7 @@ SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
chain"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \
@ -457,7 +458,7 @@ SecRule REQUEST_URI|REQUEST_BODY "@rx \%u[fF]{2}[0-9a-fA-F]{2}" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -511,7 +512,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -543,7 +544,7 @@ SecRule &REQUEST_HEADERS:Host "@eq 0" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
skipAfter:END-HOST-CHECK"
@ -562,7 +563,7 @@ SecRule REQUEST_HEADERS:Host "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -602,7 +603,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'NOTICE',\
chain"
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@ -627,7 +628,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'NOTICE',\
chain"
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@ -660,7 +661,7 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'NOTICE',\
setvar:'tx.anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
@ -697,7 +698,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'NOTICE',\
chain"
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@ -730,7 +731,7 @@ SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -762,7 +763,7 @@ SecRule &TX:MAX_NUM_ARGS "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule &ARGS "@gt %{tx.max_num_args}" \
@ -787,7 +788,7 @@ SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" \
@ -814,7 +815,7 @@ SecRule &TX:ARG_LENGTH "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule ARGS "@gt %{tx.arg_length}" \
@ -838,7 +839,7 @@ SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" \
@ -863,7 +864,7 @@ SecRule &TX:MAX_FILE_SIZE "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
@ -889,7 +890,7 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \
@ -927,7 +928,7 @@ SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+-]+(?:\s?;\s?(?:action|boundar
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -950,7 +951,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.content_type=|%{tx.0}|',\
chain"
@ -978,7 +979,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule TX:1 "!@rx ^%{tx.allowed_request_content_type_charset}$" \
@ -986,6 +987,27 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \
ctl:forceRequestBodyVariable=On,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# Restrict charset parameter inside content type header to occur max once.
#
SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \
"id:920530,\
phase:1,\
block,\
t:none,t:lowercase,\
msg:'Multiple charsets detected in content type header',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# Restrict protocol versions.
@ -1005,7 +1027,7 @@ SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1028,7 +1050,7 @@ SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.extension=.%{tx.1}/',\
chain"
@ -1055,7 +1077,7 @@ SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1100,13 +1122,46 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.header_name_%{tx.0}=/%{tx.0}/',\
chain"
SecRule TX:/^header_name_/ "@within %{tx.restricted_headers}" \
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# Restrict response charsets that we allow.
# The following rules make sure that the response will be in an ASCII-compatible charset that
# phase 4 rules can properly understand and block.
#
#
# Some servers rely on the request Accept header to determine what charset to respond with.
# This rule restricts these to familiar charsets.
#
# Regular expression generated from util/regexp-assemble/data/920600.data.
# To update the regular expression run the following shell script
# (consult util/regexp-assemble/README.md for details):
# util/regexp-assemble/regexp-assemble.py update 920600
#
SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*(?:\s*+,\s*+(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*)*$" \
"id:920600,\
phase:1,\
block,\
t:none,t:lowercase,\
msg:'Illegal Accept header: charset parameter',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
#
@ -1147,7 +1202,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
chain"
SecRule REQUEST_BASENAME "!@endsWith .pdf" \
@ -1171,7 +1226,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
chain"
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \
@ -1192,7 +1247,7 @@ SecRule ARGS "@rx %[0-9a-fA-F]{2}" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/120',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
@ -1223,7 +1278,7 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'NOTICE',\
chain"
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@ -1249,7 +1304,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1276,7 +1331,7 @@ SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'NOTICE',\
setvar:'tx.anomaly_score_pl2=+%{tx.notice_anomaly_score}'"
@ -1298,7 +1353,7 @@ SecRule FILES_NAMES|FILES "@rx ['\";=]" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1323,7 +1378,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@ -1357,7 +1412,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteR
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -1385,7 +1440,7 @@ SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \
@ -1438,7 +1493,7 @@ SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(\s*\,\s*|$)){1,7}$" \
@ -1469,7 +1524,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
chain"
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
@ -1496,7 +1551,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@ -1517,7 +1572,7 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@ -1541,7 +1596,7 @@ SecRule REQUEST_HEADERS:Sec-Fetch-User "@validateByteRange 32,34,38,42-59,61,63,
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@ -1587,7 +1642,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\\\\])\\\\[cdegh
tag:'OWASP_CRS',\
tag:'capec/1000/153/267',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
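Review bot: Rule 920600 (L2454-L2469) introduces a paranoia-level/1, CRITICAL-severity restriction on the charset parameter of the Accept header, so after this update any client whose Accept header carries a charset other than iso-8859-1/15, windows-1252 or utf-8 scores at PL1 in every deployment of this rule set; together with the new 920530 (L2384-L2401, multiple charset parameters in Content-Type) this is a behavioural change rather than a version bump, and the commit message only says the CRS was updated. I would call both new PL1 rules out in the project's changelog and add a regression case for an Accept header with a non-listed charset, so the false-positive surface is known before it reaches production. Separately, the generated expression on L2454 contains an empty group `(?:)`, which is a no-op left by the assembler; the comment says it is generated from util/regexp-assemble/data/920600.data, so if that data file is maintained here the cleanup belongs in it rather than in the .conf. The 920 file continues past the hunks shown, so the PL-skip rules that gate 920600 are not visible in this section.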


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -46,7 +47,7 @@ SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connec
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -79,7 +80,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/34',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -101,7 +102,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/34',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -136,7 +137,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/273',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -165,7 +166,7 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -187,7 +188,7 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -213,7 +214,7 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/34',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -246,7 +247,40 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/136',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# -=[ Body Processor Bypass ]=-
#
# [ Rule Logic ]
#
# This rule intends to detect content types in the Content-Type header outside of the actual content type declaration.
# This prevents bypasses targeting the Modsecurity recommended rules controlling which body processor is used.
#
# Regular expression generated from util/regexp-assemble/data/921421.data.
# To update the regular expression run the following shell script
# (consult util/regexp-assemble/README.md for details):
# util/regexp-assemble/regexp-assemble.py update 921421
#
SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s,]+[;\s,].*?(?:(?:application(?:\/soap\+|\/)|text\/)xml|application\/(?:.+[+])?json)" \
"id:921421,\
phase:1,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Content-Type header: Dangerous content type outside the mime type declaration',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -280,11 +314,46 @@ SecRule ARGS_GET "@rx [\n\r]" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
#
# -=[ Body Processor Bypass ]=-
#
# [ Rule Logic ]
#
# This rule intends to detect content types in the Content-Type header outside of the actual content type declaration.
#
# [ References ]
# * See rule 921422
#
# Regular expression generated from util/regexp-assemble/data/921422.data.
# To update the regular expression run the following shell script
# (consult util/regexp-assemble/README.md for details):
# util/regexp-assemble/regexp-assemble.py update 921422
#
SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s,]+[;\s,].*?\b(?:(audio|image|video|csv|css|vnd|pdf|plain|json|soap|xml|x-www-form-urlencoded|form-data|related|x-amf|octet|stream|csp|report)|(text|multipart|application)|(\/|\+))\b" \
"id:921422,\
phase:1,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Content-Type header: Dangerous content type outside the mime type declaration',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
@ -293,6 +362,35 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,skipAf
#
#
# Forbid Request Range Header
#
# It is possible abuse the HTTP Request Range Header to leak error pages
# and other information in very small snippets.
# The easiest way to fight this is to deny the use of this header.
# This is a viable option since the header is only used in rare circumstances
# anymore.
# If it is necessary to use it in a certain setup, then it is best to
# create a rule exclusion for a given URI and this rule ID as a workaround.
#
SecRule &REQUEST_HEADERS:Range "@gt 0" \
"id:921230,\
phase:1,\
block,\
t:none,\
msg:'HTTP Range Header detected',\
logdata:'Matched Data: Header %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
# -=[ HTTP Parameter Pollution ]=-
#
# [ Rule Logic ]
@ -323,7 +421,7 @@ SecRule ARGS_NAMES "@rx ." \
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/15/460',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
SecRule TX:/paramcounter_.*/ "@gt 1" \
@ -339,7 +437,7 @@ SecRule TX:/paramcounter_.*/ "@gt 1" \
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/15/460',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \


@ -0,0 +1,92 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------
#
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
# This file is to address the 3UWMWA6W vulnerability.
# It requires ModSecurity version 2.9.6 or 3.0.8 (or an updated version with backports
# of the security fixes in these versions) or a compatible engine supporting these changes.
#
# If you cannot upgrade ModSecurity, this file will cause ModSecurity to fail to start.
# In that case, you can temporarily delete this file. However, you will be missing
# protection from these rules. Therefore, we recommend upgrading your engine instead.
# The rules in this file will be part of the 920 / 921 in the future.
# Only allow specific charsets when using "_charset_"
# Note: this is in phase:2 because these are headers that come in the body
SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
"id:922100,\
phase:2,\
block,\
t:none,\
msg:'Multipart content type global _charset_ definition is not allowed by policy',\
logdata:'Matched Data: %{ARGS._charset_}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-multipart-header',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule ARGS:_charset_ "!@within |%{tx.allowed_request_content_type_charset}|" \
"t:lowercase,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Only allow specific charsets same as Rule 920600
# Note: this is in phase:2 because these are headers that come in the body
SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*+:\s*+(.*)$" \
"id:922110,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Illegal MIME Multipart Header content-type: charset parameter',\
logdata:'Matched Data: %{TX.1} found within Content-Type multipart form',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'OWASP_CRS',\
tag:'capec/272/220',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule TX:1 "!@rx ^(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*(?:\s*+,\s*+(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*)*$" \
"t:lowercase,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
# Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used (see: https://www.rfc-editor.org/rfc/rfc7578#section-4.7)
# Note: this is in phase:2 because these are headers that come in the body
SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \
"id:922120,\
phase:2,\
block,\
capture,\
t:none,t:lowercase,\
msg:'Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used',\
logdata:'Matched Data: %{TX.0}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-deprecated-header',\
tag:'OWASP_CRS',\
tag:'capec/272/220',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
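Review bot: This new rule file introduces a hard engine-version dependency that the commit does not verify: its own header states `It requires ModSecurity version 2.9.6 or 3.0.8` and that on an older engine `this file will cause ModSecurity to fail to start`, so vendoring it silently turns a rule update into a potential startup failure for any deployment whose bundled engine lags behind. Since the file is taken verbatim from upstream, the fix belongs on the integration side rather than in the rules: confirm the ModSecurity version this project builds against meets that floor, and record the minimum engine version alongside wherever the CRS version (here `OWASP_CRS/3.3.4`) is tracked, so a later engine change is caught in review instead of at service start. A smaller observation, also inherited from upstream and not something to patch locally: rule 922100 matches on `&MULTIPART_PART_HEADERS:_charset_` but its logdata reports `%{ARGS._charset_}`, so operators triaging alerts should expect the logged value to be the form argument rather than the part header that triggered the match.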


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -41,7 +42,7 @@ SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@r
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
@ -64,7 +65,7 @@ SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@rx (?
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@ -91,7 +92,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
tag:'PCI/6.5.4',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -118,7 +119,7 @@ SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
tag:'PCI/6.5.4',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -49,7 +50,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?):\/\/(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -70,7 +71,7 @@ SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_abso
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -91,7 +92,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -120,7 +121,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?)://([^/]*).*$" \
tag:'capec/1000/152/175/253',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
chain"


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -116,7 +117,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -152,7 +153,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -249,7 +250,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -288,7 +289,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -323,7 +324,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -360,7 +361,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -406,7 +407,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -457,7 +458,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -494,7 +495,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -526,7 +527,7 @@ SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -548,7 +549,7 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -583,7 +584,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -628,7 +629,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VAR "@rx /" "t:none,t:urlDecodeUni,chain"
@ -678,7 +679,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -710,7 +711,7 @@ SecRule ARGS "@rx (?:/|\\\\)(?:[\?\*]+[a-z/\\\\]+|[a-z/\\\\]+[\?\*]+)" \
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -59,7 +60,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -101,7 +102,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -126,7 +127,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS "@pm =" \
@ -154,7 +155,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -191,7 +192,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -220,7 +221,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -288,7 +289,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -342,7 +343,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -398,7 +399,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -454,7 +455,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -496,7 +497,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -540,7 +541,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'capec/1000/152/242',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS "@pm (" \
@ -594,7 +595,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/242',\
tag:'paranoia-level/3',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -640,7 +641,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'capec/1000/152/242',\
tag:'paranoia-level/3',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -683,7 +684,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
tag:'capec/1000/152/242',\
tag:'paranoia-level/3',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -713,7 +714,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/242',\
tag:'paranoia-level/3',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -62,7 +63,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -49,7 +50,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -76,7 +77,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -102,7 +103,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -132,7 +133,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -158,7 +159,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -193,7 +194,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -218,7 +219,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -244,7 +245,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -271,7 +272,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -293,7 +294,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -315,7 +316,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -337,7 +338,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -359,7 +360,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -381,7 +382,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -403,7 +404,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -425,7 +426,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -447,7 +448,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -469,7 +470,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -491,7 +492,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -513,7 +514,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -540,7 +541,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -567,7 +568,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -609,7 +610,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -637,7 +638,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -668,7 +669,7 @@ SecRule REQUEST_HEADERS:Referer "@detectXSS" \
tag:'capec/1000/152/242',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -694,7 +695,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'capec/1000/152/242',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -777,7 +778,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'capec/1000/152/242/63',\
tag:'PCI/6.5.1',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -798,7 +799,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'capec/1000/152/242',\
tag:'PCI/6.5.1',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -822,7 +823,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'capec/1000/152/242',\
tag:'PCI/6.5.1',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -855,7 +856,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/242/63',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -58,7 +59,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@ -93,7 +94,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -119,7 +120,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -148,7 +149,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -177,7 +178,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -198,7 +199,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -219,7 +220,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -248,7 +249,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -269,7 +270,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -290,7 +291,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -319,7 +320,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -340,7 +341,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -369,7 +370,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -398,7 +399,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -438,7 +439,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -474,7 +475,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -512,7 +513,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?:^\s*[\"'`;]+|[\"'`]+\s*$)" \
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
@ -548,7 +549,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\)|\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -583,7 +584,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?(?:
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@ -622,7 +623,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -651,7 +652,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -683,7 +684,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -715,7 +716,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -744,7 +745,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -773,7 +774,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -802,7 +803,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -839,7 +840,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -870,7 +871,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -895,7 +896,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -929,7 +930,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -956,7 +957,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -983,7 +984,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1013,7 +1014,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1050,7 +1051,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1083,7 +1084,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1116,7 +1117,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1157,7 +1158,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@ -1201,7 +1202,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -1226,7 +1227,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1275,7 +1276,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1314,7 +1315,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -1338,7 +1339,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -1378,7 +1379,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@ -1407,7 +1408,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@ -1437,7 +1438,7 @@ SecRule ARGS "@rx \W{4}" \
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}'"
@ -1471,7 +1472,7 @@ SecRule REQUEST_BASENAME "@detectSQLi" \
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -1521,7 +1522,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -1554,7 +1555,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@ -1583,7 +1584,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -43,7 +44,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/225/21/593/61',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -65,7 +66,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
tag:'OWASP_CRS',\
tag:'capec/1000/225/21/593/61',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Referer "@rx ^(?:ht|f)tps?://(.*?)\/" \
@ -92,7 +93,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
tag:'OWASP_CRS',\
tag:'capec/1000/225/21/593/61',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule &REQUEST_HEADERS:Referer "@eq 0" \


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -46,7 +47,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -80,7 +81,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \
@ -106,7 +107,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
@ -140,7 +141,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -179,7 +180,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -201,7 +202,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -223,7 +224,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -248,7 +249,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -284,7 +285,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -68,7 +69,7 @@ SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule TX:DO_REPUT_BLOCK "@eq 1" \
@ -88,7 +89,7 @@ SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-generic',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -44,7 +45,7 @@ SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Inde
tag:'capec/1000/118/116/54/127',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -78,7 +79,7 @@ SecRule RESPONSE_BODY "@rx ^#\!\s?/" \
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -110,7 +111,7 @@ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
tag:'OWASP_CRS',\
tag:'capec/1000/152',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.error_anomaly_score}'"


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -38,7 +39,7 @@ SecRule RESPONSE_BODY "@pmFromFile sql-errors.data" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.sql_error_match=1'"
SecRule TX:sql_error_match "@eq 1" \
@ -57,7 +58,7 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
@ -82,7 +83,7 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" \
@ -107,7 +108,7 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.*DB2|DB2 SQL error|db2_\w+\()" \
@ -132,7 +133,7 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinity of:)" \
@ -157,7 +158,7 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
@ -183,7 +184,7 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollback\." \
@ -208,7 +209,7 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
@ -233,7 +234,7 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.*Informix)" \
@ -259,7 +260,7 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)" \
@ -285,7 +286,7 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)" \
@ -310,7 +311,7 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
@ -335,7 +336,7 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.)" \
@ -360,7 +361,7 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid MySQL|Column count doesn't match value count at row|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax;|You have an error in your SQL syntax near|MySQL server version for the right syntax to use|\[MySQL\]\[ODBC|Column count doesn't match|Table '[^']+' doesn't exist|SQL syntax.*MySQL|Warning.*mysql_.*|valid MySQL result|MySqlClient\.)" \
@ -385,7 +386,7 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:PostgreSQL query failed:|pg_query\(\) \[:|pg_exec\(\) \[:|PostgreSQL.*ERROR|Warning.*pg_.*|valid PostgreSQL result|Npgsql\.|PG::[a-zA-Z]*Error|Supplied argument is not a valid PostgreSQL .*? resource|Unable to connect to PostgreSQL server)" \
@ -410,7 +411,7 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\.Exception|System\.Data\.SQLite\.SQLiteException)" \
@ -435,7 +436,7 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.*sybase.*|Sybase.*Server message.*)" \

@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -39,7 +40,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -66,7 +67,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"

@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -39,7 +40,7 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -66,7 +67,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -97,7 +98,7 @@ SecRule RESPONSE_BODY "@rx <\?(?!xml)" \
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'ERROR',\
chain"
SecRule RESPONSE_BODY "!@rx (?:\x1f\x8b\x08|\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b|^wOF[F2])" \

@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -37,7 +38,7 @@ SecRule RESPONSE_BODY "@rx [a-z]:\\\\inetpub\b" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -60,7 +61,7 @@ SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:<\/font
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -86,7 +87,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -110,7 +111,7 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'ERROR',\
chain"
SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \

@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -72,7 +73,7 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
t:none,\
msg:'Outbound Anomaly Score Exceeded (Total Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
tag:'anomaly-evaluation',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.anomaly_score=+%{tx.outbound_anomaly_score}'"

@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -29,7 +30,7 @@ SecRule &TX:'/LEAKAGE\\\/ERRORS/' "@ge 1" \
log,\
msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
tag:'event-correlation',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'EMERGENCY',\
chain,\
skipAfter:END-CORRELATION"
@ -46,7 +47,7 @@ SecRule &TX:'/AVAILABILITY\\\/APP_NOT_AVAIL/' "@ge 1" \
log,\
msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
tag:'event-correlation',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
severity:'ALERT',\
chain,\
skipAfter:END-CORRELATION"
@ -60,7 +61,7 @@ SecAction \
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.executing_anomaly_score=%{tx.anomaly_score_pl1}',\
setvar:'tx.executing_anomaly_score=+%{tx.anomaly_score_pl2}',\
setvar:'tx.executing_anomaly_score=+%{tx.anomaly_score_pl3}',\
@ -75,7 +76,7 @@ SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_threshold}" \
noauditlog,\
msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\
tag:'event-correlation',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule TX:MONITOR_ANOMALY_SCORE "@gt 1"
@ -88,7 +89,7 @@ SecRule TX:INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
noauditlog,\
msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\
tag:'event-correlation',\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
"id:980140,\
@ -99,7 +100,7 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
noauditlog,\
msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\
tag:'event-correlation',\
ver:'OWASP_CRS/3.3.2'"
ver:'OWASP_CRS/3.3.4'"
# Creating a total sum of all triggered outbound rules, including the ones only being monitored
SecAction \
@ -109,7 +110,7 @@ SecAction \
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1}',\
setvar:'tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2}',\
setvar:'tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl3}',\
@ -124,7 +125,7 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@lt %{tx.outbound_anomaly_score_threshold}" \
noauditlog,\
msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\
tag:'event-correlation',\
ver:'OWASP_CRS/3.3.2',\
ver:'OWASP_CRS/3.3.4',\
chain"
SecRule TX:MONITOR_ANOMALY_SCORE "@gt 1"

@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2

@ -1,41 +1,72 @@
version: '3.1'
version: '3.2'
# Only one of these will be up at a time for now.
# Concurrency will be on the tests folder we have.
services:
modsec2-apache:
image: owasp/modsecurity-crs:v3.2-modsec2-apache
container_name: modsec2-apache
image: owasp/modsecurity-crs:apache
environment:
- SERVERNAME=modsec2-apache
- MODSEC_RULE_ENGINE=DetectionOnly
- PARANOIA=5
SERVERNAME: modsec2-apache
BACKEND: http://backend
PORT: "80"
MODSEC_RULE_ENGINE: DetectionOnly
PARANOIA: 4
TZ: "${TZ}"
ERRORLOG: "/var/log/error.log"
ACCESSLOG: "/var/log/access.log"
MODSEC_AUDIT_LOG_FORMAT: Native
MODSEC_AUDIT_LOG_TYPE: Serial
MODSEC_AUDIT_LOG: "/var/log/modsec_audit.log"
MODSEC_TMP_DIR: "/tmp"
MODSEC_RESP_BODY_ACCESS: "On"
MODSEC_RESP_BODY_MIMETYPE: "text/plain text/html text/xml application/json"
COMBINED_FILE_SIZES: "65535"
CRS_ENABLE_TEST_MARKER: 1
volumes:
- ${GITHUB_WORKSPACE}/logs/modsec2-apache:/var/log/apache2
- ${GITHUB_WORKSPACE}/rules:/etc/modsecurity.d/owasp-crs/rules
- ./logs/modsec2-apache:/var/log:rw
- ../rules:/opt/owasp-crs/rules:ro
- ../crs-setup.conf.example:/etc/modsecurity.d/owasp-crs/crs-setup.conf.example
entrypoint: ["/bin/sh", "-c", "/bin/cp /etc/modsecurity.d/owasp-crs/crs-setup.conf.example /etc/modsecurity.d/owasp-crs/crs-setup.conf && /docker-entrypoint.sh && apachectl -D FOREGROUND"]
ports:
- "80:80"
depends_on:
- backend
modsec3-apache:
image: owasp/modsecurity-crs:v3.2-modsec3-apache
environment:
- SERVERNAME=modsec3-apache
- MODSEC_RULE_ENGINE=DetectionOnly
- PARANOIA=5
volumes:
- ${GITHUB_WORKSPACE}/logs/modsec3-apache:/var/log/apache2
- ${GITHUB_WORKSPACE}/rules:/etc/modsecurity.d/owasp-crs/rules
ports:
- "80:80"
modsec3-nginx:
image: owasp/modsecurity-crs:v3.2-modsec3-nginx
container_name: modsec3-nginx
image: owasp/modsecurity-crs:nginx
environment:
- SERVERNAME=modsec3-nginx
- MODSEC_RULE_ENGINE=DetectionOnly
- PARANOIA=5
SERVERNAME: modsec3-nginx
BACKEND: http://backend
PORT: "80"
MODSEC_RULE_ENGINE: DetectionOnly
PARANOIA: 4
TZ: "${TZ}"
ERRORLOG: "/var/log/error.log"
LOGLEVEL: "info"
ACCESSLOG: "/var/log/access.log"
MODSEC_AUDIT_LOG_FORMAT: Native
MODSEC_AUDIT_LOG_TYPE: Serial
MODSEC_AUDIT_LOG: "/var/log/modsec_audit.log"
MODSEC_RESP_BODY_ACCESS: "On"
MODSEC_RESP_BODY_MIMETYPE: "text/plain text/html text/xml application/json"
COMBINED_FILE_SIZES: "65535"
CRS_ENABLE_TEST_MARKER: 1
volumes:
- ${GITHUB_WORKSPACE}/logs/modsec3-nginx:/var/log/nginx
- ${GITHUB_WORKSPACE}/rules:/etc/modsecurity.d/owasp-crs/rules
- ./logs/modsec3-nginx:/var/log:rw
- ../rules:/opt/owasp-crs/rules:ro
- ../crs-setup.conf.example:/etc/modsecurity.d/owasp-crs/crs-setup.conf.example
command: ["nginx", "-g", "daemon off;"]
ports:
- "80:80"
depends_on:
- backend
# our test originally targeted www.example.com as backend
# and that would do real traffic, to a real site
#
backend:
image: docker.io/kennethreitz/httpbin
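Review bot: The `../crs-setup.conf.example:/etc/modsecurity.d/owasp-crs/crs-setup.conf.example` bind mount in both services is read-write while the sibling `../rules` mount carries `:ro`; the modsec2-apache entrypoint only copies that file (`/bin/cp ... crs-setup.conf`), so `- ../crs-setup.conf.example:/etc/modsecurity.d/owasp-crs/crs-setup.conf.example:ro` keeps the container from writing back into the checkout. `CRS_ENABLE_TEST_MARKER: 1` is the one environment value left as a bare integer in maps where every other numeric-looking value (`PORT`, `COMBINED_FILE_SIZES`) is quoted; `CRS_ENABLE_TEST_MARKER: "1"` keeps the string type explicit. The two services also start the server differently (an `entrypoint:` override that chains `/docker-entrypoint.sh` for apache, a plain `command:` for nginx), and a one-line comment above each explaining why the apache image needs the copy-then-entrypoint sequence would save the next maintainer from re-deriving it.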

@ -1,12 +1,12 @@
from ftw import ruleset, logchecker, testrunner
import datetime
from subprocess import TimeoutExpired
from ftw import logchecker, testrunner, http
from ftw.ruleset import Input
import pytest
import sys
import re
import os
CRS_HEADER = 'X-CRS-Test'
def test_crs(ruleset, test, logchecker_obj):
def test_crs(test, logchecker_obj):
runner = testrunner.TestRunner()
for stage in test.stages:
runner.run_stage(stage, logchecker_obj)
@ -15,49 +15,135 @@ def test_crs(ruleset, test, logchecker_obj):
class FooLogChecker(logchecker.LogChecker):
def __init__(self, config):
super(FooLogChecker, self).__init__()
self.log_location = config["log_location_linux"]
self.log_date_regex = config["log_date_regex"]
self.log_date_format = config["log_date_format"]
self.log_location = self.find_log_location(config)
self.backwards_reader = BackwardsReader(self.log_location)
self.start_marker = None
self.end_marker = None
def reverse_readline(self, filename):
with open(filename) as f:
f.seek(0, os.SEEK_END)
position = f.tell()
line = ""
while position >= 0:
f.seek(position)
next_char = f.read(1)
if next_char == "\n":
yield line[::-1]
line = ""
else:
line += next_char
position -= 1
yield line[::-1]
def mark_start(self, stage_id):
self.start_marker = self.find_marker(stage_id)
def mark_end(self, stage_id):
self.end_marker = self.find_marker(stage_id)
def find_marker(self, stage_id):
stage_id_bytes = stage_id.encode('utf-8')
header_bytes = CRS_HEADER.encode('utf-8')
def try_once():
self.mark_and_flush_log(stage_id)
self.backwards_reader.reset()
return self.backwards_reader.readline() or b''
line = try_once()
while not (header_bytes in line and stage_id_bytes in line):
line = try_once()
return line
def get_logs(self):
pattern = re.compile(r"%s" % self.log_date_regex)
our_logs = []
for lline in self.reverse_readline(self.log_location):
# Extract dates from each line
match = re.match(pattern, lline)
if match:
log_date = match.group(1)
log_date = datetime.datetime.strptime(log_date, self.log_date_format)
# NGINX doesn't give us microsecond level by detail, round down.
if "%f" not in self.log_date_format:
ftw_start = self.start.replace(microsecond=0)
else:
ftw_start = self.start
ftw_end = self.end
if log_date <= ftw_end and log_date >= ftw_start:
our_logs.append(lline)
# If our log is from before FTW started stop
if log_date < ftw_start:
break
return our_logs
logs = []
# At this point we're already at the end marker
for line in self.backwards_reader.readlines():
if line == self.start_marker:
break
logs.append(line.decode('utf-8'))
return logs
def mark_and_flush_log(self, header_value):
"""
Send a valid request to the server with a special header that will
generate an entry in the log. We can use this to flush the log and to
mark the output so we know where our test output is.
"""
http.HttpUA().send_request(Input(
headers={
'Host': 'localhost',
'User-Agent': 'CRS',
'Accept': '*/*',
CRS_HEADER: header_value
},
version='HTTP/1.0'))
@staticmethod
def find_log_location(config):
key = 'log_location_linux'
# First, try to find the log configuration from config.ini
if key in config:
return config[key]
else:
# Now we could check for the configuration that was passed
# on the command line. Unfortunately, we use a default, so we
# don't know whether it was *actually* on the command line.
# Let's try to find the Docker container instead.
import os.path
import subprocess
prefix = os.path.join('tests', 'logs')
log_file_name = 'error.log'
directory_name = 'modsec2-apache'
process = subprocess.Popen(
'docker ps --format "{{.Names}}"',
shell=True,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
try:
out, _ = process.communicate(timeout=10)
except TimeoutExpired:
out = ''
if b'modsec3-nginx' in out:
directory_name = 'modsec3-nginx'
return os.path.join(prefix, directory_name, log_file_name)
@pytest.fixture(scope="session")
@pytest.fixture(scope='session')
def logchecker_obj(config):
return FooLogChecker(config)
# Adapted from http://code.activestate.com/recipes/120686-read-a-text-file-backwards/
class BackwardsReader:
def __init__(self, file, blksize=4096):
"""initialize the internal structures"""
self.file = file
# how big of a block to read from the file...
self.blksize = blksize
self.f = open(file, 'rb')
self.reset()
def readline(self):
while len(self.data) == 1 and ((self.blkcount * self.blksize) < self.size):
self.blkcount = self.blkcount + 1
line = self.data[0]
try:
self.f.seek(-self.blksize * self.blkcount, os.SEEK_END) # read from end of file
self.data = (self.f.read(self.blksize) + line).split(b'\n')
except IOError: # can't seek before the beginning of the file
self.f.seek(0)
self.data = (self.f.read(self.size - (self.blksize * (self.blkcount-1))) + line).split(b'\n')
if len(self.data) == 0:
return ""
line = self.data.pop()
return line + b'\n'
def readlines(self):
line = self.readline()
while line:
yield line
line = self.readline()
def reset(self):
# get the file size
self.size = os.stat(self.file)[6]
# how many blocks we've read
self.blkcount = 1
# if the file is smaller than the blocksize, read a block,
# otherwise, read the whole thing...
if self.size > self.blksize:
self.f.seek(-self.blksize * self.blkcount, 2) # read from end of file
self.data = self.f.read(self.blksize).split(b'\n')
# strip the last item if it's empty... a byproduct of the last line having
# a newline at the end of it
if not self.data[-1]:
self.data.pop()
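Review bot: In `find_log_location` the `except TimeoutExpired:` fallback sets `out = ''` (a str) but the next line tests `b'modsec3-nginx' in out`, which raises TypeError for bytes-in-str; the fallback should be `out = b''`, and after a timeout the child should be reaped (`process.kill(); process.communicate()`), otherwise the `docker ps` process is left running. The `shell=True` call is not a risk with this constant command string, but `subprocess.run(['docker', 'ps', '--format', '{{.Names}}'], capture_output=True, timeout=10)` would drop both the shell and the manual Popen/communicate handling. `find_marker` loops `while not (header_bytes in line and stage_id_bytes in line)` with no attempt limit, so a server that never logs the marker (e.g. if the fallback guessed the wrong log path) hangs the whole session rather than failing one test; a bounded retry with an assertion message naming the stage id is worth adding. `BackwardsReader.readline` returns `""` on an empty buffer while every other path returns bytes, and the file opened in `__init__` is never closed; `b''` keeps the type consistent with the `.decode('utf-8')` in `get_logs`, and a `close()` (or context-manager support) avoids the dangling handle.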

@ -1,14 +1,5 @@
[modsec2-apache]
log_date_format = %a %b %d %H:%M:%S.%f %Y
log_date_regex = \[([A-Z][a-z]{2} [A-z][a-z]{2} \d{1,2} \d{1,2}\:\d{1,2}\:\d{1,2}\.\d+? \d{4})\]
log_location_linux = /var/log/apache2/error.log
[modsec3-apache]
log_date_format = %a %b %d %H:%M:%S.%f %Y
log_date_regex = \[([A-Z][a-z]{2} [A-z][a-z]{2} \d{1,2} \d{1,2}\:\d{1,2}\:\d{1,2}\.\d+? \d{4})\]
log_location_linux = /var/log/apache2/error.log
log_location_linux = tests/logs/modsec2-apache/error.log
[modsec3-nginx]
log_date_format = %Y/%m/%d %H:%M:%S
log_date_regex = (\d{4}\/\d{2}\/\d{2} \d{2}:\d{2}:\d{2})
log_location_linux = /var/log/nginx/error.log
log_location_linux = tests/logs/modsec3-nginx/error.log
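Review bot: `log_date_format` and `log_date_regex` are kept in both sections, but the `FooLogChecker.__init__` in this same commit no longer appears to read them (only `log_location_linux` is looked up, via `find_log_location`), so they look like dead configuration that should be dropped or marked as unused. The new `log_location_linux` values are relative paths (`tests/logs/modsec2-apache/error.log`), which silently depend on pytest being launched from the repository root; a comment such as `# paths are relative to the repository root, matching find_log_location() in CRS_Tests.py` would make that assumption visible where it is set.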

@ -7,11 +7,11 @@ import pytest
def pytest_addoption(parser):
parser.addoption("--config", action="store", default="modsec2-apache")
parser.addoption('--config', action='store', default='modsec2-apache')
@pytest.fixture(scope="session")
@pytest.fixture(scope='session')
def config(request):
cp = configparser.RawConfigParser()
cp.read(os.path.join(os.path.dirname(__file__), "config.ini"))
return dict(cp.items(request.config.getoption("--config")))
cp.read(os.path.join(os.path.dirname(__file__), 'config.ini'))
return dict(cp.items(request.config.getoption('--config')))

@ -82,7 +82,7 @@
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
method: POST
port: 80
uri: /
uri: /post
version: HTTP/1.0
data: abc
output:

@ -1,80 +1,70 @@
---
meta:
author: "csanders-git, Franziska Bühler"
enabled: true
name: "920420.yaml"
description: "Description"
tests:
-
test_title: 920420-1
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "test=value"
output:
no_log_contains: "id \"920420\""
-
test_title: 920420-2
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "my-new-content-type"
data: "test"
output:
log_contains: "id \"920420\""
-
test_title: 920420-3
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "my-new-content-type"
data: "test"
output:
log_contains: "id \"920420\""
-
test_title: 920420-4
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "PROPFIND"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "my-new-content-type"
data: "test"
output:
log_contains: "id \"920420\""
-
test_title: 920420-5
desc: Request content type is not allowed by policy (920420) from old modsec regressions
stages:
-
stage:
meta:
author: "csanders-git, Franziska Bühler"
enabled: true
name: "920420.yaml"
description: "Description"
tests:
- test_title: 920420-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded"
data: "test=value"
output:
no_log_contains: "id \"920420\""
- test_title: 920420-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "my-new-content-type"
data: "test"
output:
log_contains: "id \"920420\""
- test_title: 920420-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "GET"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "my-new-content-type"
data: "test"
output:
log_contains: "id \"920420\""
- test_title: 920420-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "PROPFIND"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "my-new-content-type"
data: "test"
output:
log_contains: "id \"920420\""
- test_title: 920420-5
desc: Request content type is not allowed by policy (920420) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -92,28 +82,26 @@
uri: /
version: HTTP/1.1
data:
- --0000
- 'Content-Disposition: form-data; name="name"'
- ''
- John Smith
- --0000
- 'Content-Disposition: form-data; name="email"'
- ''
- john.smith@example.com
- --0000
- 'Content-Disposition: form-data; name="image"; filename="image.jpg"'
- 'Content-Type: image/jpeg'
- ''
- BINARYDATA
- --0000--
- --0000
- 'Content-Disposition: form-data; name="name"'
- ''
- John Smith
- --0000
- 'Content-Disposition: form-data; name="email"'
- ''
- john.smith@example.com
- --0000
- 'Content-Disposition: form-data; name="image"; filename="image.jpg"'
- 'Content-Type: image/jpeg'
- ''
- BINARYDATA
- --0000--
output:
log_contains: id "920420"
-
test_title: 920420-6
desc: Request content type is not allowed by policy (920420) from old modsec regressions
stages:
-
stage:
- test_title: 920420-6
desc: Request content type is not allowed by policy (920420) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -131,28 +119,26 @@
uri: /
version: HTTP/1.1
data:
- --0000
- 'Content-Disposition: form-data; name="name"'
- ''
- John Smith
- --0000
- 'Content-Disposition: form-data; name="email"'
- ''
- john.smith@example.com
- --0000
- 'Content-Disposition: form-data; name="image"; filename="image.jpg"'
- 'Content-Type: image/jpeg'
- ''
- BINARYDATA
- --0000--
- --0000
- 'Content-Disposition: form-data; name="name"'
- ''
- John Smith
- --0000
- 'Content-Disposition: form-data; name="email"'
- ''
- john.smith@example.com
- --0000
- 'Content-Disposition: form-data; name="image"; filename="image.jpg"'
- 'Content-Type: image/jpeg'
- ''
- BINARYDATA
- --0000--
output:
log_contains: id "920420"
-
test_title: 920420-7
desc: Request content type is not allowed by policy (920420) from old modsec regressions
stages:
-
stage:
- test_title: 920420-7
desc: Request content type is not allowed by policy (920420) from old modsec regressions
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -170,115 +156,179 @@
uri: /
version: HTTP/1.1
data:
- --0000
- 'Content-Disposition: form-data; name="name"'
- ''
- John Smith
- --0000
- 'Content-Disposition: form-data; name="email"'
- ''
- john.smith@example.com
- --0000
- 'Content-Disposition: form-data; name="image"; filename="image.jpg"'
- 'Content-Type: image/jpeg'
- ''
- BINARYDATA
- --0000--
- --0000
- 'Content-Disposition: form-data; name="name"'
- ''
- John Smith
- --0000
- 'Content-Disposition: form-data; name="email"'
- ''
- john.smith@example.com
- --0000
- 'Content-Disposition: form-data; name="image"; filename="image.jpg"'
- 'Content-Type: image/jpeg'
- ''
- BINARYDATA
- --0000--
output:
log_contains: id "920420"
-
test_title: 920420-8
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "HEAD"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "my-new-content-type"
data: "test"
output:
log_contains: "id \"920420\""
-
test_title: 920420-9
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/json"
data: "test"
output:
no_log_contains: "id \"920420\""
-
test_title: 920420-10
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application/soap+xml"
data: "test"
output:
no_log_contains: "id \"920420\""
-
test_title: 920420-11
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "application"
data: "test"
output:
log_contains: "id \"920420\""
-
test_title: 920420-12
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "HEAD"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "multipart/related"
data: "test"
output:
no_log_contains: "id \"920420\""
-
test_title: 920420-13
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "HEAD"
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Content-Type: "Multipart/Related"
data: "test"
output:
no_log_contains: "id \"920420\""
- test_title: 920420-8
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "HEAD"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Content-Type: "my-new-content-type"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
data: "test"
output:
log_contains: "id \"920420\""
- test_title: 920420-9
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Content-Type: "application/json"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
data: "test"
output:
no_log_contains: "id \"920420\""
- test_title: 920420-10
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Content-Type: "application/soap+xml"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
data: "test"
output:
no_log_contains: "id \"920420\""
- test_title: 920420-11
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "OPTIONS"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Content-Type: "application"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
data: "test"
output:
log_contains: "id \"920420\""
- test_title: 920420-12
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "HEAD"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Content-Type: "multipart/related"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
data: "test"
output:
no_log_contains: "id \"920420\""
- test_title: 920420-13
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "HEAD"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Content-Type: "Multipart/Related"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
data: "test"
output:
no_log_contains: "id \"920420\""
- test_title: 920420-14
stages:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
port: 80
headers:
User-Agent: OWASP ModSecurity Core Rule Set
Host: "localhost"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Content-Type: text/plain
data: 'cmd=/bin/unxz -c /var/log/something_sensitive.xz'
protocol: "http"
output:
log_contains: "id \"920420\""
- test_title: 920420-15
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: localhost
Proxy-Connection: keep-alive
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: text/plain
method: GET
port: 80
uri: /
version: HTTP/1.0
data: "{\"foo\" : \";+cat+/e\\\\t\\\\*/pa\\\\?s\\\\wd\"}"
output:
log_contains: "id \"920420\""
- test_title: 920420-16
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: localhost
Proxy-Connection: keep-alive
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-amf
method: GET
port: 80
uri: /
version: HTTP/1.0
data: "{\"foo\" : \";+cat+/e\\\\t\\\\*/pa\\\\?s\\\\wd\"}"
output:
log_contains: "id \"920420\""
- test_title: 920420-17
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: localhost
Proxy-Connection: keep-alive
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/octet-stream
method: GET
port: 80
uri: /
version: HTTP/1.0
data: "{\"foo\" : \";+cat+/e\\\\t\\\\*/pa\\\\?s\\\\wd\"}"
output:
log_contains: "id \"920420\""
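Review bot: The new tests 920420-14 through 920420-17 quote their scalars differently from the re-indented tests above them: `User-Agent: OWASP ModSecurity Core Rule Set` and `dest_addr: 127.0.0.1` are plain while -8 to -13 use `"OWASP ModSecurity Core Rule Set"` and `"127.0.0.1"`, and -14 alone carries `protocol: "http"`. None of this changes what the parser produces here, but the file now mixes three styles inside one sequence; adopting the quoted form of the reformatted tests keeps a future yamllint `quoted-strings` rule from flagging half the file. Tests -15 to -17 send a body with `method: GET`, which is presumably intentional so the content-type check is exercised independently of the method; a `desc:` line on each (as -5 to -7 have) would record that.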

@ -1,6 +1,6 @@
---
meta:
author: "csanders-git"
author: "csanders-git, karelorigin"
enabled: true
name: "920450.yaml"
description: "Description"
@ -58,7 +58,6 @@
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
@ -82,7 +81,6 @@
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
@ -96,6 +94,7 @@
version: HTTP/1.1
output:
log_contains: id "920450"
-
test_title: 920450-6
stages:
@ -105,8 +104,42 @@
dest_addr: "127.0.0.1"
port: 80
headers:
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Range: "test"
User-Agent: "ModSecurity CRS 3 Tests"
Host: "localhost"
Range: "test"
output:
no_log_contains: "id \"920450\""
-
test_title: 920450-7
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html
Accept-Charset: UTF-8
output:
log_contains: "id \"920450\""
-
test_title: 920450-8
stages:
-
stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html
Content-Encoding: deflate
output:
log_contains: "id \"920450\""
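Review bot: The two added cases 920450-7 and 920450-8 carry no `desc:` field, so the file does not say why a request with a plain `Accept-Charset: UTF-8` or `Content-Encoding: deflate` header is expected to hit 920450; the earlier hunks in this section drop `Accept-Charset` from existing requests, which suggests the header moved onto the restricted list, but that is only inferred here. The newer test files in this commit document each case with a `desc:`, and one line each, e.g. `desc: "Accept-Charset is on the restricted header list"` and `desc: "Request Content-Encoding is on the restricted header list"`, would make the intent explicit if that is what the rule now enforces. The enclosing `tests:` list begins outside the hunk.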


@ -0,0 +1,71 @@
---
meta:
author: "terjanq"
description: "Restrict multiple charsets inside the content type header"
enabled: true
name: "920530.yaml"
tests:
- test_title: 920530-1
desc: "A valid request with a single charset"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=utf-8"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
data: "test=value"
output:
no_log_contains: "id \"920530\""
- test_title: 920530-2
desc: "Bypass attempt with two charsets"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=utf-8; charset=utf-7"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
data: "test=value"
output:
log_contains: "id \"920530\""
- test_title: 920530-3
desc: "Bypass attempt with hiding the charset inside a field"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=utf-8; boundary=\"charset=utf-7\""
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
data: "test=value"
output:
log_contains: "id \"920530\""
- test_title: 920530-4
desc: "Bypass attempt with uppercase CHARSET"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
method: "POST"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Content-Type: "application/x-www-form-urlencoded; charset=utf-8; CHARSET=utf-7"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
data: "test=value"
output:
log_contains: "id \"920530\""
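Review bot: 920530 has a single negative case (920530-1), so a `Content-Type` that carries one charset next to an unrelated parameter, the ordinary `multipart/form-data; boundary=...; charset=utf-8` shape, is never shown to pass, while 920530-3 shows that a second `charset=` inside a quoted parameter value is expected to hit. A negative test with one charset plus another parameter would pin the boundary between those two behaviours and guard against the rule over-matching on parameter values. It needs only the 920530-1 stanza with `Content-Type: "multipart/form-data; boundary=something; charset=utf-8"` and `no_log_contains: "id \"920530\""`.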


@ -0,0 +1,150 @@
---
meta:
author: "karelorigin"
enabled: true
name: "920600.yaml"
description: "Accept header charset checks"
tests:
- test_title: 920600-1
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html;q=0.9;charset=CP1026,*/*;q=0.8
output:
log_contains: "id \"920600\""
- test_title: 920600-2
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html;q=0.9;charset="CP1026",*/*;q=0.8
output:
log_contains: "id \"920600\""
- test_title: 920600-3
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html;q=0.9;charset=UTF-8,*/*;q=0.8
output:
no_log_contains: "id \"920600\""
- test_title: 920600-4
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html;q=0.9;charset="UTF-8",*/*;q=0.8
output:
no_log_contains: "id \"920600\""
- test_title: 920600-5
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html;q=0.9;charset="iso-8859-1",*/*;q=0.8
output:
no_log_contains: "id \"920600\""
- test_title: 920600-6
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html;q=0.9;charset="iso-8859-1",*/*;q=0.8;charset=utf-16
output:
log_contains: "id \"920600\""
- test_title: 920600-7
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html;q=0.9;charset="iso-8859-1",*/*;q=0.8;charset=utf-8
output:
no_log_contains: "id \"920600\""
- test_title: 920600-8
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html;q=0.9;charset="iso-8859-15",*/*;q=0.8
output:
no_log_contains: "id \"920600\""
- test_title: 920600-9
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html;q=0.9;charset="windows-1252",*/*;q=0.8
output:
no_log_contains: "id \"920600\""
- test_title: 920600-10
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html;q=0.9;charset="windows-1252",*/*;q=0.8;
output:
no_log_contains: "id \"920600\""
- test_title: 920600-11
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
uri: "/"
headers:
User-Agent: "OWASP ModSecurity Core Rule Set"
Host: "localhost"
Accept: text/html;q=0.9;charset="windows-1252";,*/*;q=0.8
output:
no_log_contains: "id \"920600\""
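Review bot: None of the eleven 920600 cases carries a `desc:`, unlike the sibling 920530 file in this commit, so the reason each case is positive or negative has to be reverse-engineered from the header value: 920600-6 and 920600-7 differ only in a trailing `;charset=utf-16` versus `;charset=utf-8`, and 920600-10/-11 appear to exercise tolerance for a stray `;` before or after the comma. One line per test, e.g. `desc: "Second media range carries a disallowed charset (utf-16)"` for 920600-6 and `desc: "Stray semicolon before the comma is tolerated"` for 920600-11, would document the contract the tests pin. The file also tests the allowed list only in the spelling the list presumably uses (`UTF-8`, `iso-8859-1`), so a single case with the parameter name in uppercase, mirroring 920530-4, would show whether case folding is part of the contract.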


@ -0,0 +1,22 @@
---
meta:
author: "Christian Folini (dune73)"
description: "HTTP Range Header"
enabled: true
name: 921230.yaml
tests:
- test_title: 921230-1
desc: "Submit HTTP Range Header, forbidden at PL3 by default"
stages:
- stage:
input:
dest_addr: "127.0.0.1"
headers:
Host: "localhost"
User-Agent: "OWASP ModSecurity Core Rule Set"
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Range: 1-2
port: 80
uri: "/"
output:
log_contains: id "921230"


@ -0,0 +1,199 @@
---
meta:
author: studersi
description: Test whether the recommended rules can be fooled into using the wrong body processor which can result in bypasses
enabled: true
name: 921421.yaml
tests:
- test_title: 921421-1
desc: Bypass targeting recommended rules (rule 200000)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="application/json"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921421"
- test_title: 921421-2
desc: Bypass targeting recommended rules (rule 200006)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="application/vnd.mycompany.myapp.customer-v2+json"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921421"
- test_title: 921421-3
desc: Bypass targeting recommended rules (rule 200001)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="text/xml"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921421"
- test_title: 921421-4
desc: Bypass targeting recommended rules (rule 200001)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="application/xml"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921421"
- test_title: 921421-5
desc: Bypass targeting recommended rules (rule 200001)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="application/soap+xml"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921421"
- test_title: 921421-6
desc: Negative test for 921421-1
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/json
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921421"
- test_title: 921421-7
desc: Negative test for 921421-2
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/vnd.mycompany.myapp.customer-v2+json
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921421"
- test_title: 921421-8
desc: Negative test for 921421-3
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: text/xml
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921421"
- test_title: 921421-9
desc: Negative test for 921421-4
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/xml
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921421"
- test_title: 921421-10
desc: Negative test for 921421-5
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/soap+xml
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921421"
- test_title: 921421-11
desc: Negative test for rule 921421-6
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: text/html; charset=UTF-8
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921421"
- test_title: 921421-12
desc: Negative test for rule 921421-7
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: multipart/form-data; boundary=something
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921421"
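Review bot: The `desc:` cross-references of 921421-11 and 921421-12 point at the wrong tests: they read `Negative test for rule 921421-6` and `Negative test for rule 921421-7`, but -6 and -7 are themselves negative tests, and the inputs (`text/html; charset=UTF-8`, `multipart/form-data; boundary=something`) do not correspond to any positive case above. The same slip appears in the 921422 file added in this commit, where 921422-15, -16 and -17 reference -7, -8 and -9 although their inputs are unrelated and -9 is itself a negative test. Descriptions that state the covered behaviour, such as `desc: Ordinary Content-Type with a charset parameter must not match` and `desc: Ordinary multipart Content-Type with a boundary must not match`, would replace the dangling references.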


@ -0,0 +1,279 @@
---
meta:
author: studersi
description: Try to send mime types in different part of Content-Type header
enabled: true
name: 921422.yaml
tests:
- test_title: 921422-1
desc: Bypass targeting recommended rules (rule 200000)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="application/json"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921422"
- test_title: 921422-2
desc: Bypass targeting recommended rules (rule 200006)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="application/vnd.mycompany.myapp.customer-v2+json"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921422"
- test_title: 921422-3
desc: Bypass targeting recommended rules (rule 200001)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="text/xml"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921422"
- test_title: 921422-4
desc: Bypass targeting recommended rules (rule 200001)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="application/xml"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921422"
- test_title: 921422-5
desc: Bypass targeting recommended rules (rule 200001)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="multipart/related"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921422"
- test_title: 921422-6
desc: Bypass targeting recommended rules (rule 200001)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="text/html"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921422"
- test_title: 921422-7
desc: Bypass targeting recommended rules (rule 200001)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="image/jpeg"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921422"
- test_title: 921422-8
desc: Bypass targeting recommended rules (rule 200001)
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/x-www-form-urlencoded;boundary="foobar/foobar"
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
log_contains: id "921422"
- test_title: 921422-9
desc: Negative test for 921422-1
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/json
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921422"
- test_title: 921422-10
desc: Negative test for 921422-2
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/vnd.mycompany.myapp.customer-v2+json
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921422"
- test_title: 921422-11
desc: Negative test for 921422-3
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: text/xml
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921422"
- test_title: 921422-12
desc: Negative test for 921422-4
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/xml
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921422"
- test_title: 921422-13
desc: Negative test for 921422-5
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: application/soap+xml
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921422"
- test_title: 921422-14
desc: Negative test for 921422-6
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: text/html
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921422"
- test_title: 921422-15
desc: Negative test for rule 921422-7
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: text/html; charset=UTF-8
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921422"
- test_title: 921422-16
desc: Negative test for rule 921422-8
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: multipart/form-data; boundary=something
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921422"
- test_title: 921422-17
desc: Negative test for rule 921422-9
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: localhost
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: multipart/form-data; boundary=----webkitformboundary12w4lszoxn26vnd
method: POST
port: 80
uri: /post
version: HTTP/1.1
output:
no_log_contains: id "921422"


@ -0,0 +1,63 @@
---
meta:
author: "Felipe Zipitria"
description: Test Multipart/form-data
enabled: true
name: 922100.yaml
tests:
- test_title: 922100-1
desc: "Positive test: utf-7 is not in allowed charsets"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: multipart/form-data; boundary=boundary
Accept: "*/*"
method: POST
port: 80
uri: "/post"
version: "HTTP/1.1"
data: |
--boundary
Content-disposition: form-data; name="_charset_"
utf-7
--boundary
Content-disposition: form-data; name="positive"
Content-Type: text/plain
Let me see if I can use utf-7.
--boundary--
output:
log_contains: id "922100"
- test_title: 922100-2
desc: "Negative test: only allowed charsets when using _charset_"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: multipart/form-data; boundary=boundary
Accept: "*/*"
method: POST
port: 80
uri: "/post"
version: "HTTP/1.1"
data: |
--boundary
Content-disposition: form-data; name="_charset_"
utf-8
--boundary
Content-disposition: form-data; name="negative"
Content-Type: text/plain
This should be good as we use utf-8 that is allowed.
--boundary--
output:
no_log_contains: id "922100"
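Review bot: The file-level `description` is the generic `Test Multipart/form-data`, and the 922110 and 922120 files added in this commit reuse the identical text, so nothing at file level distinguishes what the three rules check. A description naming the check, here something like `description: "Disallowed charset supplied through the multipart _charset_ field"`, would tell a reader which behaviour each file covers; 922110 could likewise name the per-part `Content-Type` charset check and 922120 the `Content-Transfer-Encoding` case. Because this rendering dropped blank lines, the empty line that must separate part headers from the part body inside the `data: |` blocks cannot be verified here and is worth confirming against the raw file.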


@ -0,0 +1,63 @@
---
meta:
author: "Felipe Zipitria"
description: Test Multipart/form-data
enabled: true
name: 922110.yaml
tests:
- test_title: 922110-1
desc: "Positive test: utf-7 is not in allowed charsets"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: multipart/form-data; boundary=boundary
Accept: "*/*"
method: POST
port: 80
uri: "/post"
version: "HTTP/1.1"
data: |
--boundary
Content-disposition: form-data; name="_charset_"
utf-8
--boundary
Content-disposition: form-data; name="922110"
Content-Type: text/plain; charset=utf-7
Knock knock.
--boundary--
output:
log_contains: id "922110"
- test_title: 922110-2
desc: "Negative test: utf-8 is allowed"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: multipart/form-data; boundary=boundary
Accept: "*/*"
method: POST
port: 80
uri: "/post"
version: "HTTP/1.1"
data: |
--boundary
Content-disposition: form-data; name="_charset_"
utf-8
--boundary
Content-disposition: form-data; name="negative"
Content-Type: text/plain; charset=utf-8
I shold be allowed to get in.
--boundary--
output:
no_log_contains: id "922110"


@ -0,0 +1,56 @@
---
meta:
author: "Felipe Zipitria"
description: Test Multipart/form-data
enabled: true
name: 922120.yaml
tests:
- test_title: 922120-1
desc: "Positive test: utf-7 is not in allowed charsets"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: multipart/form-data; boundary=boundary
Accept: "*/*"
method: POST
port: 80
uri: "/post"
version: "HTTP/1.1"
data: |
--boundary
Content-Disposition: form-data; name="flavors"
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=utf-7
Pineapple. Pizza.
--boundary--
output:
log_contains: id "922120"
- test_title: 922120-2
desc: "Negative test: no content-transfer-encoding header should be good"
stages:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Host: "localhost"
User-Agent: OWASP ModSecurity Core Rule Set
Content-Type: multipart/form-data; boundary=boundary
Accept: "*/*"
method: POST
port: 80
uri: "/post"
version: "HTTP/1.1"
data: |
--boundary
Content-disposition: form-data; name="negative"
Content-Type: text/plain
This should be good as there is no content-transfer-encoding header.
--boundary--
output:
no_log_contains: id "922120"
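Review bot: 922120-1 differs from 922120-2 in two respects at once, the added `Content-Transfer-Encoding: 8bit` part header and the `charset=utf-7` part Content-Type, so the pair does not show which of the two the rule keys on. If the intent is to flag a disallowed charset only on parts that declare a transfer encoding, which the negative case's desc hints at, a second negative case with `Content-Transfer-Encoding: 8bit` and `Content-Type: text/plain; charset=utf-8` would pin that; if the rule fires on the transfer-encoding header alone, the desc of 922120-1 (`utf-7 is not in allowed charsets`) describes the wrong thing and should say so instead.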


@ -15,7 +15,6 @@
dest_addr: 127.0.0.1
headers:
Host: localhost
Content-type: us-ascii
method: POST
port: 80
uri: /
@ -32,7 +31,6 @@
dest_addr: 127.0.0.1
headers:
Host: localhost
Content-type: us-ascii
method: POST
port: 80
uri: /
@ -49,7 +47,6 @@
dest_addr: 127.0.0.1
headers:
Host: localhost
Content-type: us-ascii
method: POST
port: 80
uri: /
@ -66,7 +63,6 @@
dest_addr: 127.0.0.1
headers:
Host: localhost
Content-type: us-ascii
method: POST
port: 80
uri: /


@ -1,5 +1,5 @@
#!/usr/bin/env python
# @spartantri 2018
#@spartantri 2018
import sys
import argparse
@ -7,144 +7,98 @@ import base64
parser = argparse.ArgumentParser()
UserAgent = "ModSecurity CRS 3 Tests"
Accept = "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
AcceptCharset = "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
AcceptEncoding = "gzip,deflate"
AcceptLanguage = "en-us,en;q=0.5"
ContentType = "application/x-www-form-urlencoded"
payloads = []
skeletontest = 0
Meta = """---
UserAgent="ModSecurity CRS 3 Tests"
Accept="text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"
AcceptCharset="ISO-8859-1,utf-8;q=0.7,*;q=0.7"
AcceptEncoding="gzip,deflate"
AcceptLanguage="en-us,en;q=0.5"
ContentType="application/x-www-form-urlencoded"
payloads=[]
skeletontest=0
Meta='''---
meta:
author: "spartantri"
enabled: true
name: "skeletonid.yaml"
description: "Positive tests for rule skeletonid"
tests:
"""
'''
parser.add_argument(
"-a", action="store", dest="Addr", help="Target ip address", default="127.0.0.1"
)
parser.add_argument("-p", action="store", dest="Port", help="Target port", default="80")
parser.add_argument(
"-v", action="store", dest="Host", help="Target virtual host", default="localhost"
)
parser.add_argument(
"-s",
action="store",
dest="skeleton",
help="Skeleton file",
default="positivetest.yaml.skeleton",
)
parser.add_argument("-o", action="store", dest="output", help="output file", default="")
parser.add_argument(
"-r", action="store", dest="ruleid", help="Rule id", default="944310"
)
parser.add_argument(
"-k",
action="store",
dest="combined_payload",
help="Keyword containing combined pipe separated payloads",
default="",
)
parser.add_argument(
"-i",
action="append",
dest="list_payload",
help="Keyword containing individual payload",
default=[],
)
parser.add_argument(
"-c",
action="store",
dest="prefix",
help="Prefix keyword for all payloads",
default="",
)
parser.add_argument(
"-e",
action="store",
dest="sufix",
help="Sufix keyword for all payloads",
default="",
)
parser.add_argument(
"-b",
action="store_true",
dest="base64encode",
help="Encode payload using Base64",
default=False,
)
parser.add_argument(
"-d",
action="store_true",
dest="demo",
help="Print demo rules if no data is provided",
default=False,
)
parser.add_argument(
"-t",
action="store_true",
dest="test",
help="Launch FTW and test output",
default=False,
)
parser.add_argument(
"-w", action="store", dest="author", help="Test author", default="spartantri"
)
parser.add_argument('-a', action='store', dest='Addr', help='Target ip address',
default='127.0.0.1')
parser.add_argument('-p', action='store', dest='Port', help='Target port',
default='80')
parser.add_argument('-v', action='store', dest='Host', help='Target virtual host',
default='localhost')
parser.add_argument('-s', action='store', dest='skeleton', help='Skeleton file',
default='positivetest.yaml.skeleton')
parser.add_argument('-o', action='store', dest='output', help='output file',
default='')
parser.add_argument('-r', action='store', dest='ruleid', help='Rule id',
default='944310')
parser.add_argument('-k', action='store', dest='combined_payload', help='Keyword containing combined pipe separated payloads',
default='')
parser.add_argument('-i', action='append', dest='list_payload', help='Keyword containing individual payload',
default=[])
parser.add_argument('-c', action='store', dest='prefix', help='Prefix keyword for all payloads',
default='')
parser.add_argument('-e', action='store', dest='sufix', help='Sufix keyword for all payloads',
default='')
parser.add_argument('-b', action='store_true', dest='base64encode', help='Encode payload using Base64',
default=False)
parser.add_argument('-d', action='store_true', dest='demo', help='Print demo rules if no data is provided',
default=False)
parser.add_argument('-t', action='store_true', dest='test', help='Launch FTW and test output',
default=False)
parser.add_argument('-w', action='store', dest='author', help='Test author',
default='spartantri')
start_options = parser.parse_args()
if len(sys.argv) < 2 and not start_options.demo:
if len(sys.argv)<2 and not start_options.demo:
parser.print_usage()
exit()
for p in start_options.combined_payload.split("|"):
for p in start_options.combined_payload.split('|'):
if p not in payloads:
# print('Checking %s' % (p))
if len(p) > 0:
payloads.append("".join([start_options.prefix, p, start_options.sufix]))
if len(p)>0:
payloads.append(''.join([start_options.prefix, p, start_options.sufix]))
for p in start_options.list_payload:
payloads.append("".join([start_options.prefix, p, start_options.sufix]))
payloads.append(''.join([start_options.prefix, p, start_options.sufix]))
if start_options.output == "":
o = sys.stdout
if start_options.output=='':
o=sys.stdout
else:
o = open(start_options.output, "w")
o=open(start_options.output, 'w')
o.write(
Meta.replace("skeletonid", start_options.ruleid).replace(
"spartantri", start_options.author
)
)
o.write(Meta.replace('skeletonid', start_options.ruleid).replace('spartantri', start_options.author))
for item in payloads:
if start_options.base64encode:
payload = base64.encodestring(item).replace("\n", "")
# print payload
payload=base64.encodestring(item).replace('\n', '')
#print payload
else:
payload = item
with open(start_options.skeleton, "r") as f:
payload=item
with open(start_options.skeleton,'r') as f:
for l in f:
l = l.replace("skeletonid", start_options.ruleid)
l = l.replace("skeletonkeyword", payload)
l = l.replace("skeletondefaultaddr", start_options.Addr)
l = l.replace("skeletondefaultport", start_options.Port)
l = l.replace("skeletondefaulthost", start_options.Host)
l = l.replace("skeletondefaultuseragent", UserAgent)
l = l.replace("skeletondefaultacceptcharset", AcceptCharset)
l = l.replace("skeletondefaultacceptencoding", AcceptEncoding)
l = l.replace("skeletondefaultacceptlanguage", AcceptLanguage)
l = l.replace("skeletondefaultcontenttype", ContentType)
l = l.replace("skeletondefaultaccept", Accept)
if "skeletontest" in l:
l = l.replace("skeletontest", str(skeletontest))
skeletontest += 1
l=l.replace('skeletonid', start_options.ruleid)
l=l.replace('skeletonkeyword', payload)
l=l.replace('skeletondefaultaddr', start_options.Addr)
l=l.replace('skeletondefaultport', start_options.Port)
l=l.replace('skeletondefaulthost', start_options.Host)
l=l.replace('skeletondefaultuseragent', UserAgent)
l=l.replace('skeletondefaultacceptcharset', AcceptCharset)
l=l.replace('skeletondefaultacceptencoding', AcceptEncoding)
l=l.replace('skeletondefaultacceptlanguage', AcceptLanguage)
l=l.replace('skeletondefaultcontenttype', ContentType)
l=l.replace('skeletondefaultaccept', Accept)
if 'skeletontest' in l:
l=l.replace('skeletontest', str(skeletontest))
skeletontest+=1
o.write(l)
if start_options.output != "":
print("Generated %s rules to file %s" % (str(skeletontest), start_options.output))
if start_options.output != '':
print ('Generated %s rules to file %s' % (str(skeletontest), start_options.output))
o.close()
# print('\nGenerated %s tests' % (str(skeletontest)))
#print('\nGenerated %s tests' % (str(skeletontest)))
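Review bot: The new side keeps `payload=base64.encodestring(item).replace('\n', '')` in the `-b` branch of the payload loop, which only works on Python 2: `encodestring` requires a bytes argument and was removed in Python 3.9, so with `-b` the generator raises under Python 3. A version-neutral form is `payload = base64.b64encode(item.encode('utf-8')).decode('ascii')`, which also makes the `replace` unnecessary because `b64encode` emits no newlines. The rest of this hunk is a quote-style revert and behaviour-neutral; `print ('Generated ...')` with the space runs on both versions but reads as the Python 2 statement form, and the bare `exit()` after `parser.print_usage()` relies on the site module where `sys.exit()` would not.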


@ -8,56 +8,41 @@ import argparse
import os
import sys
def main():
"""Main function that contains all the logic to relabel CRS IDs"""
id_translation_file = os.path.join(sys.path[0], "IdNumbering.csv")
if not os.path.isfile(id_translation_file):
sys.stderr.write(
"We were unable to locate the ID translation CSV (idNumbering.csv) \
please place this is the same directory as this script\n"
)
sys.stderr.write("We were unable to locate the ID translation CSV (idNumbering.csv) \
please place this is the same directory as this script\n")
sys.exit(1)
parser = argparse.ArgumentParser(
description="A program that takes in an exceptions file \
and renumbers all the ID to match OWASP CRS 3 numbers. Output will be directed to STDOUT."
)
parser.add_argument(
"-f",
"--file",
required=True,
action="store",
dest="fname",
help="the file to be renumbered",
)
parser = argparse.ArgumentParser(description="A program that takes in an exceptions file \
and renumbers all the ID to match OWASP CRS 3 numbers. Output will be directed to STDOUT.")
parser.add_argument("-f", "--file", required=True, action="store", dest="fname", \
help="the file to be renumbered")
args = parser.parse_args()
if not os.path.isfile((args.fname).encode("utf8")):
sys.stderr.write(
"We were unable to find the file you were trying to update the ID numbers \
in, please check your path\n"
)
if not os.path.isfile((args.fname).encode('utf8')):
sys.stderr.write("We were unable to find the file you were trying to update the ID numbers \
in, please check your path\n")
sys.exit(1)
fcontent = ""
try:
update_file = open((args.fname).encode("utf-8"), "r")
update_file = open((args.fname).encode('utf-8'), "r")
try:
fcontent = update_file.read()
finally:
update_file.close()
except IOError:
sys.stderr.write(
"There was an error opening the file you were trying to update"
)
sys.stderr.write("There was an error opening the file you were trying to update")
if fcontent != "":
# CSV File
id_csv_file = open(id_translation_file, "rt")
id_csv_file = open(id_translation_file, 'rt')
try:
reader = csv.reader(id_csv_file)
for row in reader:
@ -66,6 +51,5 @@ def main():
id_csv_file.close()
print(fcontent)
if __name__ == "__main__":
main()


@ -36,11 +36,11 @@ import fileinput, sys
for line in fileinput.input():
line = line.strip()
if line == "":
if line == '':
sys.stdout.write("\n")
continue
if line[-1] == "\\":
if line[-1] == '\\':
sys.stdout.write(line[0:-1])
else:
sys.stdout.write(line)


@ -0,0 +1,101 @@
##! Please refer to the documentation at
##! https://coreruleset.org/docs/development/regexp_assemble/.
##! The expression generated from this file matches a full HTTP
##! `Accept` header by following the specification as far as
##! necessary, while restricting the `charset` parameter
##! to a list of explicitly allowed values.
##! Where possible, the expression matches tokens "loosely",
##! to reduce complexity and the risk of false positives.
##! Specifications:
##! https://httpwg.org/specs/rfc7231.html#request.conneg
##! https://httpwg.org/specs/rfc7230.html
##!^ ^
##!$ $
##! Helpers
##!> template non-token-with-dquote-chars (),/:;<=>?![\x5c\]{}
##!> template non-token-chars \"{{non-token-with-dquote-chars}}
##!> template token-chars [^{{non-token-chars}}]
##!> template token-with-dquote-chars [^{{non-token-with-dquote-chars}}]
##!> template type-subtype (?:\*|{{token-chars}}+)
##!> template media-type {{type-subtype}}/{{type-subtype}}
##! list of allowed charsets
##!> assemble
(?:"?
##!=>
##!> include allowed-charsets
##!=>
\b"?))
##!=< allowed-charsets
##!<
##! Main assembly
##!> assemble
(?:{{media-type}})
##!=>
(?:\s*+;\s*+
##!=>
(?:(?:charset\s*+=\s*+
##!=>
##!=> allowed-charsets
##! If the first part wasn't a "charset", then
##! anything is allowed here that is not "charset".
##! Note that this doesn't follow the RFC strictly.
|(?:
##!=>
[^c{{non-token-chars}}]{{token-chars}}*
c[^h{{non-token-chars}}]{{token-chars}}*
ch[^a{{non-token-chars}}]{{token-chars}}*
cha[^r{{non-token-chars}}]{{token-chars}}*
char[^s{{non-token-chars}}]{{token-chars}}*
chars[^e{{non-token-chars}}]{{token-chars}}*
charse[^t{{non-token-chars}}]{{token-chars}}*
##!=>
)\s*+=\s*+{{token-with-dquote-chars}}+)
##! Clients like to violate the RFC, be lenient with
##! terminating semi-colons.
;?
##!=>
)*
##!=>
##! Multiple "media-range" expressions can be
##! specified, comma separated.
(?:\s*+,\s*+
##!=>
(?:{{media-type}})
##!=>
(?:\s*+;\s*+
##!=>
(?:(?:charset\s*+=\s*+
##!=>
##!=> allowed-charsets
|(?:
##!=>
[^c{{non-token-chars}}]{{token-chars}}*
c[^h{{non-token-chars}}]{{token-chars}}*
ch[^a{{non-token-chars}}]{{token-chars}}*
cha[^r{{non-token-chars}}]{{token-chars}}*
char[^s{{non-token-chars}}]{{token-chars}}*
chars[^e{{non-token-chars}}]{{token-chars}}*
charse[^t{{non-token-chars}}]{{token-chars}}*
##!=>
)\s*+=\s*+{{token-with-dquote-chars}}+)
##! Clients like to violate the RFC, be lenient with
##! terminating semi-colons.
;?
##!=>
)*)*
##!=>
##!<
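Review bot: The "not charset" alternative of the parameter branch (the seven `[^c...]`, `c[^h...]` … `charse[^t...]` lines, repeated for the comma-separated media ranges) spells `charset` in lowercase only, so a parameter written as `Charset=` or `CHARSET=` is consumed by the loose branch and never reaches the `allowed-charsets` check unless the rule that uses this expression lowercases the header first or compiles it case-insensitively, neither of which is visible here. The 920600 tests passing both `UTF-8` and `iso-8859-1` suggest some folding does happen, so the dependency should be written down: a line such as `##! Assumes the consuming rule lowercases the header; parameter names are matched in lowercase only.` near the helpers, plus a 920600 case with the parameter name in uppercase (as 920530-4 does for Content-Type), would keep the assumption from silently breaking. The 921421 and 921422 pattern files in this commit rest on the same assumption for `application\/json` and friends.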


@ -0,0 +1,17 @@
##! Please refer to the documentation at
##! https://coreruleset.org/docs/development/regexp_assemble/.
##! Attacks attempting bypass by forcing JSON body processor leveraging recommended rule 200000
##! Find Content-Type: application/x-www-form-urlencoded;boundary="application/json"
##! Find Content-Type: application/soap+xml;boundary="application/json"
^[^;\s,]+[;\s,].*?application\/json
##! Attacks attempting bypass by forcing JSON body processor leveraging recommended rule 200006
##! Find Content-Type: application/x-www-form-urlencoded;boundary="application/some.vendor+json"
##! Find Content-Type: application/soap+xml;boundary="application/some.vendor+json"
^[^;\s,]+[;\s,].*?application\/.+[+]json
##! Attacks attempting bypass by forcing XML body processor leveraging recommended rule 200001
##! Find Content-Type: application/x-www-form-urlencoded;boundary="application/xml"
##! Find Content-Type: application/json;boundary="application/soap+xml"
^[^;\s,]+[;\s,].*?(?:application(?:\/soap\+|\/)|text\/)xml


@ -0,0 +1,9 @@
##! Please refer to the documentation at
##! https://coreruleset.org/docs/development/regexp_assemble/.
##! Attacks attempting to bypass content-type restrictions or behaviour
##! Find Content-Type: application/x-www-form-urlencoded;boundary="multipart/form-data"
##! Find Content-Type: application/soap-xml;boundary="multipart/form-data"
^[^;\s,]+[;\s,].*?\b(text|multipart|application)\b
^[^;\s,]+[;\s,].*?\b(audio|image|video|csv|css|vnd|pdf|plain|json|soap|xml|x-www-form-urlencoded|form-data|related|x-amf|octet|stream|csp|report)\b
^[^;\s,]+[;\s,].*?\b(\/|\+)\b


@ -0,0 +1,105 @@
##! Please refer to the documentation at
##! https://coreruleset.org/docs/development/regexp_assemble/.
##! The expression generated from this file matches a full HTTP
##! `Accept` header by following the specification as far as
##! necessary, while restricting the `charset` parameter
##! to a list of explicitly allowed values.
##! Where possible, the expression matches tokens "loosely",
##! to reduce complexity and the risk of false positives.
##! Specifications:
##! https://httpwg.org/specs/rfc7231.html#request.conneg
##! https://httpwg.org/specs/rfc7230.html
##! This is a duplicate of the 920600.data file.
##! There will be support for inclusion in the regexp_assemble tool in the future.
##! In the meantime, please keep both files in sync.
##!^ ^
##!$ $
##! Helpers
##!> template non-token-with-dquote-chars (),/:;<=>?![\x5c\]{}
##!> template non-token-chars \"{{non-token-with-dquote-chars}}
##!> template token-chars [^{{non-token-chars}}]
##!> template token-with-dquote-chars [^{{non-token-with-dquote-chars}}]
##!> template type-subtype (?:\*|{{token-chars}}+)
##!> template media-type {{type-subtype}}/{{type-subtype}}
##! list of allowed charsets
##!> assemble
(?:"?
##!=>
##!> include allowed-charsets
##!=>
\b"?))
##!=< allowed-charsets
##!<
##! Main assembly
##!> assemble
(?:{{media-type}})
##!=>
(?:\s*+;\s*+
##!=>
(?:(?:charset\s*+=\s*+
##!=>
##!=> allowed-charsets
##! If the first part wasn't a "charset", then
##! anything is allowed here that is not "charset".
##! Note that this doesn't follow the RFC strictly.
|(?:
##!=>
[^c{{non-token-chars}}]{{token-chars}}*
c[^h{{non-token-chars}}]{{token-chars}}*
ch[^a{{non-token-chars}}]{{token-chars}}*
cha[^r{{non-token-chars}}]{{token-chars}}*
char[^s{{non-token-chars}}]{{token-chars}}*
chars[^e{{non-token-chars}}]{{token-chars}}*
charse[^t{{non-token-chars}}]{{token-chars}}*
##!=>
)\s*+=\s*+{{token-with-dquote-chars}}+)
##! Clients like to violate the RFC, be lenient with
##! terminating semi-colons.
;?
##!=>
)*
##!=>
##! Multiple "media-range" expressions can be
##! specified, comma separated.
(?:\s*+,\s*+
##!=>
(?:{{media-type}})
##!=>
(?:\s*+;\s*+
##!=>
(?:(?:charset\s*+=\s*+
##!=>
##!=> allowed-charsets
|(?:
##!=>
[^c{{non-token-chars}}]{{token-chars}}*
c[^h{{non-token-chars}}]{{token-chars}}*
ch[^a{{non-token-chars}}]{{token-chars}}*
cha[^r{{non-token-chars}}]{{token-chars}}*
char[^s{{non-token-chars}}]{{token-chars}}*
chars[^e{{non-token-chars}}]{{token-chars}}*
charse[^t{{non-token-chars}}]{{token-chars}}*
##!=>
)\s*+=\s*+{{token-with-dquote-chars}}+)
##! Clients like to violate the RFC, be lenient with
##! terminating semi-colons.
;?
##!=>
)*)*
##!=>
##!<


@ -0,0 +1,9 @@
##! Please refer to the documentation at
##! https://coreruleset.org/docs/development/regexp_assemble/.
##! This list is in sync with the default value of tx.allowed_request_content_type_charset.
iso-8859-1
iso-8859-15
utf-8
windows-1252


@ -20,7 +20,7 @@ def regexp_str(str, evasion):
if str[0] == "'":
return str[1:]
result = ""
result = ''
for i, char in enumerate(str):
if i > 0:
result += evasion
@ -28,31 +28,29 @@ def regexp_str(str, evasion):
return result
# Ensure that some special characters are escaped
def regexp_char(char, evasion):
char = str.replace(char, ".", "\.")
char = str.replace(char, "-", "\-")
char = str.replace(char, "+", r"""(?:\s|<|>).*""")
# Unix: "cat foo", "cat<foo", "cat>foo"
char = str.replace(char, "@", r"""(?:[\s,;]|\.|/|<|>).*""")
# Windows: "more foo", "more,foo", "more;foo", "more.com", "more/e",
# "more<foo", "more>foo"
char = str.replace(char, " ", "\s+")
# Ensure multiple spaces are matched
char = str.replace(char, '.', '\.')
char = str.replace(char, '-', '\-')
char = str.replace(char, '+', r'''(?:\s|<|>).*''')
# Unix: "cat foo", "cat<foo", "cat>foo"
char = str.replace(char, '@', r'''(?:[\s,;]|\.|/|<|>).*''')
# Windows: "more foo", "more,foo", "more;foo", "more.com", "more/e",
# "more<foo", "more>foo"
char = str.replace(char, ' ', '\s+')
# Ensure multiple spaces are matched
return char
# Insert these sequences between characters to prevent evasion.
# This emulates the relevant parts of t:cmdLine.
evasions = {
"unix": r"""[\\\\'\"]*""",
"windows": r"""[\"\^]*""",
'unix': r'''[\\\\'\"]*''',
'windows': r'''[\"\^]*''',
}
# Parse arguments
if len(sys.argv) <= 1 or not sys.argv[1] in evasions:
print(sys.argv[0] + " unix|windows [infile]")
print(sys.argv[0] + ' unix|windows [infile]')
sys.exit(1)
evasion = evasions[sys.argv[1]]
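Review bot: The rewritten replacement strings `'\.'`, `'\-'` and `'\s+'` in regexp_char are still plain (non-raw) literals, so each one carries an invalid escape sequence that Python reports as a DeprecationWarning (a SyntaxWarning in newer releases) and that only works because unknown escapes are left untouched; the quote-style change was the moment to make them raw: `char = str.replace(char, '.', r'\.')`, `char = str.replace(char, '-', r'\-')`, `char = str.replace(char, ' ', r'\s+')`. The surrounding `r'''…'''` replacements are already raw, so this brings the three remaining lines in line with them. The trailing `# Ensure multiple spaces are matched` and `# Unix: …` comments sit below the line they describe; placing them above would match the file's other comments.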
@ -60,7 +58,7 @@ del sys.argv[1]
# Process lines from input file, or if not specified, standard input
for line in fileinput.input():
line = line.rstrip("\n ")
line = line.split("#")[0]
if line != "":
line = line.rstrip('\n ')
line = line.split('#')[0]
if line != '':
print(regexp_str(line, evasion))


@ -0,0 +1,121 @@
import argparse
# WARNING: This script is EXPERIMENTAL. Use with caution.
#
# Known issues:
# * At the moment, it will probably not work with more than two strings.
#
# Known limitations:
# * Any substrings of a target string will also NOT be matched. This is probably due to a limitation in this technique,
# make sure that subtrings of the negative lookahead are not harmful in any way.
parser = argparse.ArgumentParser(description="This script takes a list of strings and converts them into \
a regex that acts like a negative lookahead")
parser.add_argument("strings", type=str, nargs='+',
help="the strings to convert into a negative lookahead")
parser.add_argument("--prefix", type=str, default="",
help="sets a prefix for the resulting regex")
parser.add_argument("--suffix", type=str, default="",
help="sets a suffix for the resulting regex")
args = parser.parse_args()
# Return the longest prefix of all list elements. Shamelessly copied from:
# https://stackoverflow.com/questions/6718196/determine-prefix-from-a-set-of-similar-strings
def commonprefix(m):
"Given a list of pathnames, returns the longest common leading component"
if not m: return ''
s1 = min(m)
s2 = max(m)
for i, c in enumerate(s1):
if c != s2[i]:
return s1[:i]
return s1
# flatten returns a string with concatenated dictionary keys
def flatten(dict):
s = ""
for key in dict.keys():
s += key
return s
# set returns a character set containing the unique characters across all strings for the given index
def set(strings, index, flags):
dict = {}
for s in strings:
# Continue so we don't panic
if index > len(s) -1:
continue
dict[s[index]] = ''
return "[" + flags + flatten(dict) + "]"
# prepare converts a string for negative lookaheads emulation
def prepare(s, offset):
r = ""
if len(s) == 0:
return r
for i in range(offset, len(s)):
for j in range(0, i + 1):
if j == i:
r += "[^" + s[j] + "]"
else:
r += s[j]
if i != len(s) - 1:
r += "|"
return r
# run runs the
def run():
strings = args.strings
r = ""
r += set(strings, 0, "^")
c = ""
d = {}
# Only find common string if we have more than one
if len(strings) > 1:
c = commonprefix(strings)
# Collect all characters after the common substring from every string
for s in strings:
if len(s) > len(c) and s.startswith(c):
d[s[len(c)]] = ''
# Add the common string to the regex to prevent accidental matching
if len(c) > 0:
if len(c) > 1:
r += "|" + "(?:" + prepare(c, 1) + ")"
r += "|" + "(?:" + c + "[^" + flatten(d) + "]" + ")"
for s in strings:
g = ""
# When the common string is > 0, offset with len(c) + 1 because we handled this earlier
if len(c) > 0:
g = prepare(s, len(c) + 1)
else:
g = prepare(s, 1)
# Add OR boolean if necessary
if len(g) > 0:
r += "|"
r += g
print(args.prefix + "(?:" + r + ")" + args.suffix)
# Only run if script is called directly
if __name__ == "__main__":
run()
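Review bot: In `set` and `prepare`, characters taken from the input strings are concatenated straight into character classes (`"[^" + s[j] + "]"`) and alternations (`r += s[j]`), and `run` does the same with the common prefix `c` and the keys of `d`, so an input containing `]`, `\`, `^`, `-` or another regex metacharacter produces a malformed or wrong expression; wrapping each inserted fragment in `re.escape` (with `import re` added at the top) fixes this without changing the output for alphanumeric inputs. The function name `set` and the local/parameter name `dict` in `set` and `flatten` shadow builtins, which is likely to confuse the next editor; `charset` and `chars` would read better. The comment above `run` (`# run runs the`) is truncated and should state what the function prints, e.g. `# run builds the emulated negative lookahead for args.strings and prints it`. The changed lines:
```python
# … unchanged: header comment, argument parsing, commonprefix, flatten …
def set(strings, index, flags):
    # … unchanged: loop and length guard …
        dict[re.escape(s[index])] = ''
    # … unchanged: return …

def prepare(s, offset):
    # … unchanged: empty check and loops …
            if j == i:
                r += "[^" + re.escape(s[j]) + "]"
            else:
                r += re.escape(s[j])
    # … unchanged: alternation separator and return …

def run():
    # … unchanged: common prefix detection …
            d[re.escape(s[len(c)])] = ''
    # … unchanged …
        r += "|" + "(?:" + re.escape(c) + "[^" + flatten(d) + "]" + ")"
    # … unchanged: per-string prepare loop and print …
```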


@ -1,6 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.2
# OWASP ModSecurity Core Rule Set ver.3.3.4
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -389,17 +390,42 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# Content-Types that a client is allowed to send in a request.
# Default: |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related|
# |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json|
# |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream|
# |application/csp-report| |application/xss-auditor-report| |text/plain|
# |text/xml| |application/xml| |application/soap+xml| |application/json|
# |application/cloudevents+json| |application/cloudevents-batch+json|
#
# Please note, that the rule where CRS uses this variable (920420) evaluates it with operator
# `@within`, which is case sensitive, but uses t:lowercase. You must add your whole custom
# Content-Type with lowercase.
#
# Bypass Warning: some applications may not rely on the content-type request header in order
# to parse the request body. This could make an attacker able to send malicious URLENCODED/JSON/XML
# payloads without being detected by the WAF. Allowing request content-type that doesn't activate any
# body processor (for example: "text/plain", "application/x-amf", "application/octet-stream", etc..)
# could lead to a WAF bypass. For example, a malicious JSON payload submitted with a "text/plain"
# content type may still be interpreted as JSON by a backend application but would not trigger the
# JSON body parser at the WAF, leading to a bypass.
#
# To prevent blocking request with not allowed content-type by default, you can create an exclusion
# rule that removes rule 920420. For example:
# SecRule REQUEST_HEADERS:Content-Type "@rx ^text/plain" \
# "id:1234,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# ctl:ruleRemoveById=920420,\
# chain"
# SecRule REQUEST_URI "@rx ^/foo/bar" "t:none"
#
# Uncomment this rule to change the default.
#
#SecAction \
# "id:900220,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"
# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
# Allowed HTTP versions.
# Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
@ -430,8 +456,22 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# Forbidden request headers.
# Header names should be lowercase, enclosed by /slashes/ as delimiters.
# Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org
# Default: /proxy/ /lock-token/ /content-range/ /if/
# Default: /accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/
#
# Note: Accept-Charset is a deprecated header that should not be used by clients and
# ignored by servers. It can be used for a response WAF bypass, by asking for a charset
# that the WAF cannot decode.
# Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Charset
#
# Note: Content-Encoding is used to list any encodings that have been applied to the
# original payload. It is only used for compression, which isn't supported by CRS by
# default since it blocks newlines and null bytes inside the request body. Most
# compression algorithms require at least null bytes per RFC. Blocking it shouldn't
# break anything and increases security since ModSecurity is incapable of properly
# scanning compressed request bodies.
#
# Note: Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org
#
# Uncomment this rule to change the default.
#SecAction \
# "id:900250,\
@ -439,7 +479,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# nolog,\
# pass,\
# t:none,\
# setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"
# setvar:'tx.restricted_headers=/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/'"
# File extensions considered static files.
# Extensions include the dot, lowercase, enclosed by /slashes/ as delimiters.
@ -826,4 +866,4 @@ SecAction \
nolog,\
pass,\
t:none,\
setvar:tx.crs_setup_version=332"
setvar:tx.crs_setup_version=334"


@ -46,7 +46,7 @@ function do_and_check_cmd() {
return 0
}
# CRS v3.3.2
# CRS v3.3.4
echo " Download CRS"
git_secure_clone "https://github.com/coreruleset/coreruleset.git" "18703f1bc47e9c4ec4096853d5fb4e2a204a07a2"
git_secure_clone "https://github.com/coreruleset/coreruleset.git" "98b9d811f34a1aa72792aaf6245cb2f2c0f0a5b8"
do_and_check_cmd cp -r files/coreruleset/crs-setup.conf.example files/crs-setup.conf