Merge pull request #629 from bunkerity/dev

Update coreruleset to version 3.3.5 and Fix permissions with folders in linux integrations
Théophile Diot 2023-09-08 11:03:10 +02:00 committed by GitHub
commit 5811dc549c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
218 changed files with 41975 additions and 47151 deletions


@ -8,11 +8,13 @@
- [BUGFIX] Fix logs page not working in UI on Linux integrations
- [BUGFIX] Fix settings regex that had issues in general and with the UI
- [BUGFIX] Fix scheduler error with external plugins when reloading
- [BUGFIX] Fix permissions with folders in linux integrations
- [MISC] Push Docker images to GitHub packages (ghcr.io repository)
- [MISC] Improved CI/CD
- [MISC] Updated python dependencies
- [MISC] Updated Python Docker image to 3.11.5-alpine in Dockerfiles
- [MISC] Add support for ModSecurity JSON LogFormat
- [MISC] Updated OWASP coreruleset to 3.3.5
## v1.5.1 - 2023/08/08
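Review bot: the added entry "Fix permissions with folders in linux integrations" writes "linux" in lower case, while the existing entry above it reads "on Linux integrations"; capitalise it for consistency. The entry also does not say which folders or which permissions changed, which is what an operator upgrading a Linux install needs to check, so a short qualifier would help.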


@ -14,44 +14,32 @@ on:
- '.github/**'
jobs:
# "modsec2-apache", "modsec3-apache", "modsec3-nginx"
regression:
runs-on: ubuntu-latest
strategy:
# change to true
fail-fast: false
matrix:
modsec_version: [modsec2-apache]
steps:
- name: "Checkout repo"
uses: actions/checkout@v2
- name: Set up Python 3
uses: actions/setup-python@v2
with:
python-version: '3.x'
- uses: actions/cache@v2
id: cache
with:
path: ~/.cache/pip
key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
restore-keys: |
${{ runner.os }}-pip-
uses: actions/checkout@v3
- name: "Install dependencies"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO_FTW_VERSION: '0.4.6'
run: |
pip install --upgrade setuptools wheel
pip install -r tests/regression/requirements.txt
pip install pytest-github-actions-annotate-failures
gh release download -R coreruleset/go-ftw v${GO_FTW_VERSION} -p "ftw_${GO_FTW_VERSION}_linux_amd64.tar.gz" -O - | tar -xzvf - ftw
- name: "Run tests for ${{ matrix.modsec_version }}"
run: |
mkdir -p tests/logs/${{ matrix.modsec_version }}/{nginx,apache2}
docker-compose -f ./tests/docker-compose.yml up -d "${{ matrix.modsec_version }}"
# Use mounted volume path
py.test -vs --tb=short tests/regression/CRS_Tests.py \
--config="${{ matrix.modsec_version }}" \
--ruledir_recurse=./tests/regression/tests/
docker-compose -f ./tests/docker-compose.yml logs
[ $(docker inspect ${{ matrix.modsec_version }} --format='{{.State.Running}}') = 'true' ]
./ftw check -d tests/regression/tests
./ftw run -d tests/regression/tests --show-failures-only
env:
FTW_LOGFILE: './tests/logs/modsec2-apache/error.log'
- name: "Change permissions if failed"
if: failure()
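Review bot: the "Install dependencies" step pipes `gh release download -R coreruleset/go-ftw v${GO_FTW_VERSION} ... -O - | tar -xzvf - ftw` into the workspace and the test step then executes `./ftw`, with no integrity check on the archive in between. The version is already pinned to 0.4.6, so a SHA-256 for that tarball can be pinned next to `GO_FTW_VERSION` and verified before extraction. Separately, `FTW_LOGFILE` hard-codes `./tests/logs/modsec2-apache/error.log` while the rest of the job uses `${{ matrix.modsec_version }}`; deriving the path from the matrix value keeps it correct if the matrix is widened to the other targets named in the comment at the top of the job.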


@ -15,4 +15,6 @@ rules:
# don't bother me with this rule
indentation: disable
comments: {require-starting-space: false}
comments:
require-starting-space: true # default
min-spaces-from-content: 1

File diff suppressed because it is too large

File diff suppressed because it is too large


@ -1,35 +1,4 @@
# Security Policy
## Supported Versions
See policy here: https://github.com/coreruleset/coreruleset/blob/v4.0/dev/SECURITY.md
OWASP CRS has two types of releases, Major releases (3.0.0, 3.1.0, 3.2.0 etc.) and point releases (3.0.1, 3.0.2 etc.).
For more information see our [wiki](https://github.com/SpiderLabs/owasp-modsecurity-crs/wiki/Release-Policy).
The OWASP CRS officially supports the two point releases with security patching preceding the current major release .
We are happy to receive and merge PR's that address security issues in older versions of the project, but the team itself may choose not to fix these.
Along those lines, OWASP CRS team may not issue security notifications for unsupported software.
| Version | Supported |
| --------- | ------------------ |
| 3.3.x-dev | :white_check_mark: |
| 3.2.x | :white_check_mark: |
| 3.1.x | :white_check_mark: |
| 3.0.x | :x: |
## Reporting a Vulnerability
We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users.
We welcome bug reports, false positive alert reports, evasions, usability issues, and suggestions for new detections.
Submit these types of non-vulnerability related issues via Github.
Please include your installed version and the relevant portions of your audit log.
False negative or common bypasses should [create an issue](https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/new) so they can be addressed.
Do this before submitting a vulnerability using our email:
1) Verify that you have the latest version of OWASP CRS.
2) Validate which Paranoia Level this bypass applies to. If it works in PL4, please send us an email.
3) If you detected anything that causes unexpected behavior of the engine via manipulation of existing CRS provided rules, please send it by email.
Our email is [security@coreruleset.org](mailto:security@coreruleset.org). You can send us encrypted email using [this key](https://coreruleset.org/security.asc), (fingerprint: `3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72`).
We are happy to work with the community to provide CVE identifiers for any discovered security issues if requested.
If in doubt, feel free to reach out to us!
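Review bot: the replacement line "See policy here: https://github.com/coreruleset/coreruleset/blob/v4.0/dev/SECURITY.md" points at what looks like a development branch path rather than a tagged revision, so the policy a reader of this 3.3.5 copy lands on can change or move independently of this tree. The file also no longer carries the reporting address or the key fingerprint on its own. Consider keeping at least the security@coreruleset.org contact and the fingerprint line here, or linking to a fixed revision.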


@ -1,10 +1,13 @@
## GOLD SPONSORS
* VMWare (Avi Networks)
* F5/NGINX
* Edgio
* Google
* Microsoft
* Nginx (Part of F5)
* United Security Providers
* VMWare
## SILVER SPONSORS
* Bug Bounty Switzerland
* Google Cloud Armor


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -863,7 +863,7 @@ SecCollectionTimeout 600
SecAction \
"id:900990,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.crs_setup_version=334"
nolog,\
setvar:tx.crs_setup_version=335"
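Review bot: the bump to `setvar:tx.crs_setup_version=335` in rule 900990 only reaches setups that pick up this file; a crs-setup.conf created from the earlier template keeps 334, and the only check on this variable visible in this commit is `SecRule &TX:crs_setup_version "@eq 0"`, which tests that it is set, not what it is set to. A changelog line telling operators with their own setup file to refresh it would close that gap. The move of `nolog` from before `pass` to after `t:none` is unrelated to the version bump and could be mentioned in the commit message so it does not read as accidental.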


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -26,7 +26,7 @@
#
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature
#
SecComponentSignature "OWASP_CRS/3.3.4"
SecComponentSignature "OWASP_CRS/3.3.5"
#
# -=[ Default setup values ]=-
@ -59,7 +59,7 @@ SecRule &TX:crs_setup_version "@eq 0" \
log,\
auditlog,\
msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL'"
@ -77,7 +77,7 @@ SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.inbound_anomaly_score_threshold=5'"
# Default Outbound Anomaly Threshold Level (rule 900110 in setup.conf)
@ -86,7 +86,7 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.outbound_anomaly_score_threshold=4'"
# Default Paranoia Level (rule 900000 in setup.conf)
@ -95,7 +95,7 @@ SecRule &TX:paranoia_level "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.paranoia_level=1'"
# Default Executing Paranoia Level (rule 900000 in setup.conf)
@ -104,7 +104,7 @@ SecRule &TX:executing_paranoia_level "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}'"
# Default Sampling Percentage (rule 900400 in setup.conf)
@ -113,7 +113,7 @@ SecRule &TX:sampling_percentage "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.sampling_percentage=100'"
# Default Anomaly Scores (rule 900100 in setup.conf)
@ -122,7 +122,7 @@ SecRule &TX:critical_anomaly_score "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.critical_anomaly_score=5'"
SecRule &TX:error_anomaly_score "@eq 0" \
@ -130,7 +130,7 @@ SecRule &TX:error_anomaly_score "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.error_anomaly_score=4'"
SecRule &TX:warning_anomaly_score "@eq 0" \
@ -138,7 +138,7 @@ SecRule &TX:warning_anomaly_score "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.warning_anomaly_score=3'"
SecRule &TX:notice_anomaly_score "@eq 0" \
@ -146,7 +146,7 @@ SecRule &TX:notice_anomaly_score "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.notice_anomaly_score=2'"
# Default do_reput_block
@ -155,7 +155,7 @@ SecRule &TX:do_reput_block "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.do_reput_block=0'"
# Default block duration
@ -164,7 +164,7 @@ SecRule &TX:reput_block_duration "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.reput_block_duration=300'"
# Default HTTP policy: allowed_methods (rule 900200)
@ -173,7 +173,7 @@ SecRule &TX:allowed_methods "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
# Default HTTP policy: allowed_request_content_type (rule 900220)
@ -182,7 +182,7 @@ SecRule &TX:allowed_request_content_type "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
# Default HTTP policy: allowed_request_content_type_charset (rule 900270)
@ -191,7 +191,7 @@ SecRule &TX:allowed_request_content_type_charset "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
# Default HTTP policy: allowed_http_versions (rule 900230)
@ -200,7 +200,7 @@ SecRule &TX:allowed_http_versions "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
# Default HTTP policy: restricted_extensions (rule 900240)
@ -209,7 +209,7 @@ SecRule &TX:restricted_extensions "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
# Default HTTP policy: restricted_headers (rule 900250)
@ -218,7 +218,7 @@ SecRule &TX:restricted_headers "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.restricted_headers=/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/'"
# Default HTTP policy: static_extensions (rule 900260)
@ -227,7 +227,7 @@ SecRule &TX:static_extensions "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
# Default enforcing of body processor URLENCODED
@ -236,9 +236,27 @@ SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.enforce_bodyproc_urlencoded=0'"
# Default check for UTF8 encoding validation
SecRule &TX:crs_validate_utf8_encoding "@eq 0" \
"id:901169,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.crs_validate_utf8_encoding=0'"
# Default monitor_anomaly_score value
SecRule &TX:monitor_anomaly_score "@eq 0" \
"id:901170,\
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.monitor_anomaly_score=0'"
#
# -=[ Initialize internal variables ]=-
#
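Review bot: the two new default blocks, `tx.crs_validate_utf8_encoding=0` (id 901169) and `tx.monitor_anomaly_score=0` (id 901170), have comments that do not name the matching rule in setup.conf, unlike most of the neighbouring blocks ("rule 900240", "rule 900250", "rule 900260"). Add the reference, or say that none exists, so an operator knows where to override them. Both variables are initialised to 0 when unset, and the changelog entry for this update only says "Updated OWASP coreruleset to 3.3.5"; it is worth stating there that the update introduces these two settings and their default values.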
@ -254,7 +272,7 @@ SecAction \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.anomaly_score=0',\
setvar:'tx.anomaly_score_pl1=0',\
setvar:'tx.anomaly_score_pl2=0',\
@ -291,7 +309,7 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \
pass,\
t:none,t:sha1,t:hexEncode,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.ua_hash=%{MATCHED_VAR}'"
SecAction \
@ -300,7 +318,7 @@ SecAction \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
initcol:global=global,\
initcol:ip=%{remote_addr}_%{tx.ua_hash},\
setvar:'tx.real_ip=%{remote_addr}'"
@ -319,9 +337,8 @@ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
nolog,\
noauditlog,\
msg:'Enabling body inspection',\
tag:'paranoia-level/1',\
ctl:forceRequestBodyVariable=On,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Force body processor URLENCODED
SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
@ -332,7 +349,7 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
nolog,\
noauditlog,\
msg:'Enabling forced body inspection for ASCII content',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
"ctl:requestBodyProcessor=URLENCODED"
@ -371,7 +388,7 @@ SecRule TX:sampling_percentage "@eq 100" \
phase:1,\
pass,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-SAMPLING"
SecRule UNIQUE_ID "@rx ^." \
@ -380,7 +397,7 @@ SecRule UNIQUE_ID "@rx ^." \
pass,\
t:sha1,t:hexEncode,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'TX.sampling_rnd100=%{MATCHED_VAR}'"
SecRule DURATION "@rx (..)$" \
@ -389,7 +406,7 @@ SecRule DURATION "@rx (..)$" \
pass,\
capture,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'TX.sampling_rnd100=%{TX.sampling_rnd100}%{TX.1}'"
SecRule TX:sampling_rnd100 "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
@ -398,7 +415,7 @@ SecRule TX:sampling_rnd100 "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
pass,\
capture,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'"
SecRule TX:sampling_rnd100 "@rx ^0([0-9])" \
@ -407,7 +424,7 @@ SecRule TX:sampling_rnd100 "@rx ^0([0-9])" \
pass,\
capture,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'TX.sampling_rnd100=%{TX.1}'"
@ -432,7 +449,7 @@ SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
noauditlog,\
msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\
ctl:ruleEngine=Off,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecMarker "END-SAMPLING"
@ -450,4 +467,4 @@ SecRule TX:executing_paranoia_level "@lt %{tx.paranoia_level}" \
t:none,\
log,\
msg:'Executing paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -69,7 +69,7 @@ SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
@ -78,7 +78,7 @@ SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
@ -116,7 +116,7 @@ SecAction "id:9001100,\
nolog,\
ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES_NAMES,\
ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
@ -131,7 +131,7 @@ SecRule REQUEST_FILENAME "@endsWith /core/install.php" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:account[pass][pass1],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:account[pass][pass2],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@endsWith /user/login" \
"id:9001112,\
@ -140,7 +140,7 @@ SecRule REQUEST_FILENAME "@endsWith /user/login" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@endsWith /admin/people/create" \
"id:9001114,\
@ -149,7 +149,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/people/create" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass1],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass2],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@rx /user/[0-9]+/edit$" \
"id:9001116,\
@ -159,7 +159,7 @@ SecRule REQUEST_FILENAME "@rx /user/[0-9]+/edit$" \
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:current_pass,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass1],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass2],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
@ -179,7 +179,7 @@ SecRule REQUEST_FILENAME "@contains /admin/config/" \
pass,\
nolog,\
ctl:ruleRemoveById=942430,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@endsWith /admin/config/people/accounts" \
"id:9001124,\
@ -196,7 +196,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/people/accounts" \
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_activated_body,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_blocked_body,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_canceled_body,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/configuration/single/import" \
"id:9001126,\
@ -205,7 +205,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/development/configuration/sing
nolog,\
ctl:ruleRemoveById=920271,\
ctl:ruleRemoveById=942440,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
"id:9001128,\
@ -213,7 +213,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
pass,\
nolog,\
ctl:ruleRemoveById=942440,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
@ -230,7 +230,7 @@ SecRule REQUEST_FILENAME "@endsWith /contextual/render" \
pass,\
nolog,\
ctl:ruleRemoveTargetById=942130;ARGS:ids[],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
@ -249,7 +249,7 @@ SecAction "id:9001160,\
ctl:ruleRemoveTargetById=942440;ARGS:form_build_id,\
ctl:ruleRemoveTargetById=942450;ARGS:form_token,\
ctl:ruleRemoveTargetById=942450;ARGS:form_build_id,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
@ -266,7 +266,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/content/formats/manage/full_ht
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:editor[settings][toolbar][button_groups],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:filters[filter_html][settings][allowed_html],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
@ -350,7 +350,7 @@ SecRule REQUEST_FILENAME "@endsWith /node/add/article" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@endsWith /node/add/page" \
"id:9001202,\
@ -359,7 +359,7 @@ SecRule REQUEST_FILENAME "@endsWith /node/add/page" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \
"id:9001204,\
@ -369,7 +369,7 @@ SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
ctl:ruleRemoveTargetById=932110;ARGS:destination,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@endsWith /block/add" \
"id:9001206,\
@ -377,7 +377,7 @@ SecRule REQUEST_FILENAME "@endsWith /block/add" \
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/basic" \
"id:9001208,\
@ -385,7 +385,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:description,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(?:full|basic)_html$" \
"id:9001210,\
@ -393,7 +393,7 @@ SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(?:full|basic)_html$" \
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:value,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@rx /user/[0-9]+/contact$" \
"id:9001212,\
@ -401,7 +401,7 @@ SecRule REQUEST_FILENAME "@rx /user/[0-9]+/contact$" \
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message[0][value],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
"id:9001214,\
@ -409,7 +409,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:maintenance_mode_message,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@endsWith /admin/config/services/rss-publishing" \
"id:9001216,\
@ -417,7 +417,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/services/rss-publishing" \
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:feed_description,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecMarker "END-DRUPAL-RULE-EXCLUSIONS"


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -23,7 +23,7 @@ SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-WORDPRESS"
SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
@ -32,7 +32,7 @@ SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-WORDPRESS"
@ -53,7 +53,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Reset password
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
@ -62,7 +62,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@streq resetpass" \
"t:none,\
@ -86,7 +86,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-comments-post.php" \
t:none,\
nolog,\
ctl:ruleRemoveTargetById=931130;ARGS:url,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
@ -103,7 +103,7 @@ SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/(?:posts|pages)" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:content,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.content,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Gutenberg via rest_route for sites without pretty permalinks
SecRule REQUEST_FILENAME "@endsWith /index.php" \
@ -112,7 +112,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule &ARGS:rest_route "@eq 1" \
"t:none,\
@ -132,7 +132,7 @@ SecRule REQUEST_FILENAME "@rx /wp-json/wp/v[0-9]+/media" \
nolog,\
ctl:ruleRemoveById=200002,\
ctl:ruleRemoveById=200003,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Gutenberg upload image/media via rest_route for sites without pretty permalinks
SecRule REQUEST_FILENAME "@endsWith /index.php" \
@ -141,7 +141,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule &ARGS:rest_route "@eq 1" \
"t:none,\
@ -170,7 +170,7 @@ SecRule ARGS:wp_customize "@streq on" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule &ARGS:action "@eq 0" \
"t:none,\
@ -191,7 +191,7 @@ SecRule ARGS:wp_customize "@streq on" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@rx ^(?:|customize_save|update-widget)$" \
"t:none,\
@ -232,7 +232,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-cron.php" \
nolog,\
ctl:ruleRemoveById=920180,\
ctl:ruleRemoveById=920300,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
@ -247,7 +247,7 @@ SecRule REQUEST_COOKIES:_wp_session "@rx ^[0-9a-f]+\|\|\d+\|\|\d+$" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule &REQUEST_COOKIES:_wp_session "@eq 1" \
"t:none,\
@ -266,7 +266,7 @@ SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-WORDPRESS-ADMIN"
SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
@ -275,7 +275,7 @@ SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-WORDPRESS-ADMIN"
@ -290,7 +290,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/setup-config.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:step "@streq 2" \
"t:none,\
@ -306,7 +306,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/install.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:step "@streq 2" \
"t:none,\
@ -329,7 +329,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/profile.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@streq update" \
"t:none,\
@ -357,7 +357,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-edit.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@streq update" \
"t:none,\
@ -386,7 +386,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-new.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@streq createuser" \
"t:none,\
@ -427,7 +427,7 @@ SecAction \
ctl:ruleRemoveTargetById=942200;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942260;ARGS:wp_http_referer,\
ctl:ruleRemoveTargetById=942431;ARGS:wp_http_referer,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
# [ Content editing ]
@ -444,7 +444,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@rx ^(?:edit|editpost)$" \
"t:none,\
@ -464,7 +464,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@streq heartbeat" \
"t:none,\
@ -486,7 +486,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/nav-menus.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@streq update" \
"t:none,\
@ -511,7 +511,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@rx ^(?:save-widget|update-widget)$" \
"t:none,\
@ -566,7 +566,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@streq widgets-order" \
"t:none,\
@ -595,7 +595,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@streq sample-permalink" \
"t:none,\
@ -611,7 +611,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@streq add-menu-item" \
"t:none,\
@ -627,7 +627,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@streq send-attachment-to-editor" \
"t:none,\
@ -648,7 +648,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:option_page "@streq general" \
"t:none,\
@ -679,7 +679,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/options-permalink.php" \
ctl:ruleRemoveTargetById=920272;ARGS:permalink_structure,\
ctl:ruleRemoveTargetById=942431;ARGS:permalink_structure,\
ctl:ruleRemoveTargetById=920272;REQUEST_BODY,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Comments blacklist and moderation list
SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
@ -688,7 +688,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:option_page "@streq discussion" \
"t:none,\
@ -712,7 +712,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/edit.php" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:s,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
@ -751,7 +751,7 @@ SecRule REQUEST_FILENAME "@rx /wp-admin/load-(?:scripts|styles)\.php$" \
ctl:ruleRemoveTargetById=942430;ARGS:load[],\
ctl:ruleRemoveTargetById=942431;ARGS:load[],\
ctl:ruleRemoveTargetById=942432;ARGS:load[],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecMarker "END-WORDPRESS-ADMIN"


@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -44,7 +44,7 @@ SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-NEXTCLOUD"
SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \
@ -53,7 +53,7 @@ SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-NEXTCLOUD"
@ -75,7 +75,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \
ctl:ruleRemoveById=953100-953130,\
ctl:ruleRemoveById=920420,\
ctl:ruleRemoveById=920440,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Skip PUT parsing for invalid encoding / protocol violations in binary files.
@ -85,7 +85,7 @@ SecRule REQUEST_METHOD "@streq PUT" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \
"t:none,\
@ -103,7 +103,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'"
# Allow the data type 'application/octet-stream'
@ -114,7 +114,7 @@ SecRule REQUEST_METHOD "@rx ^(?:PUT|MOVE)$" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule REQUEST_FILENAME "@rx /remote\.php/dav/(?:files|uploads)/" \
"setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |application/octet-stream|'"
@ -127,7 +127,7 @@ SecRule REQUEST_METHOD "@streq PUT" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule REQUEST_FILENAME "@rx (?:/public\.php/webdav/|/remote\.php/dav/uploads/)" \
"ctl:ruleRemoveById=920340,\
@ -148,7 +148,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
ctl:ruleRemoveById=951000-951999,\
ctl:ruleRemoveById=953100-953130,\
ctl:ruleRemoveById=920440,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Allow REPORT requests without Content-Type header (at least the iOS app does this)
@ -177,7 +177,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/core/search" \
ctl:ruleRemoveTargetByTag=attack-injection-php;ARGS:query,\
ctl:ruleRemoveTargetById=941000-942999;ARGS:query,\
ctl:ruleRemoveTargetById=932000-932999;ARGS:query,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# [ DAV ]
@ -199,7 +199,7 @@ SecRule REQUEST_FILENAME "@rx /(?:remote|index|public)\.php/" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT PATCH CHECKOUT COPY DELETE LOCK MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH UNLOCK REPORT TRACE jsonp'"
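Review bot: only the ver line changes in this hunk, so the setvar on tx.allowed_methods still appends TRACE and the non-method token jsonp for every path matching /(?:remote|index|public)\.php/. If the Nextcloud exclusion package can be switched on in this integration, confirm that method list is what you want to ship, and raise it upstream rather than patching the vendored file.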
@ -213,7 +213,7 @@ SecRule REQUEST_FILENAME "@rx /ocs/v[0-9]+\.php/apps/files_sharing/" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE'"
@ -226,7 +226,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/core/preview.png" \
t:none,\
nolog,\
ctl:ruleRemoveTargetById=932150;ARGS:file,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Filepreview for trashbin
@ -238,7 +238,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/files_trashbin/ajax/preview.
nolog,\
ctl:ruleRemoveTargetById=932150;ARGS:file,\
ctl:ruleRemoveTargetById=942190;ARGS:file,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule REQUEST_FILENAME "@rx /index\.php/(?:apps/gallery/thumbnails|logout$)" \
"id:9003160,\
@ -247,7 +247,7 @@ SecRule REQUEST_FILENAME "@rx /index\.php/(?:apps/gallery/thumbnails|logout$)" \
t:none,\
nolog,\
ctl:ruleRemoveTargetById=941120;ARGS:requesttoken,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# [ Ownnote ]
@ -259,7 +259,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/ownnote/" \
t:none,\
nolog,\
ctl:ruleRemoveById=941150,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# [ Text Editor ]
@ -277,7 +277,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/files_texteditor/" \
ctl:ruleRemoveTargetById=932150;ARGS:filename,\
ctl:ruleRemoveTargetById=920370-920390;ARGS:filecontents,\
ctl:ruleRemoveTargetById=920370-920390;ARGS_COMBINED_SIZE,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# [ Address Book ]
@ -290,7 +290,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/vcard|'"
# Allow modifying contacts via the web interface
@ -316,7 +316,7 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/calendars/" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/calendar|'"
# Allow modifying calendar events via the web interface
@ -344,7 +344,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/notes/" \
t:none,\
nolog,\
ctl:ruleRemoveByTag=attack-injection-php,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# [ Bookmarks ]
@ -358,7 +358,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/bookmarks/" \
t:none,\
nolog,\
ctl:ruleRemoveById=931130,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
@ -377,7 +377,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/login" \
nolog,\
ctl:ruleRemoveTargetById=941100;ARGS:requesttoken,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Reset password.
@ -387,7 +387,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php/login" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:action "@streq resetpass" \
"t:none,\
@ -408,7 +408,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php/settings/users" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:newuserpassword,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecMarker "END-NEXTCLOUD-ADMIN"

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -27,7 +27,7 @@ SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-DOKUWIKI"
SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \
@ -36,7 +36,7 @@ SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-DOKUWIKI"
@ -81,7 +81,7 @@ SecRule REQUEST_FILENAME "@rx (?:/doku.php|/lib/exe/ajax.php)$" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule REQUEST_METHOD "@streq POST" \
"t:none,\
@ -106,7 +106,7 @@ SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php" \
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule REQUEST_METHOD "@streq POST" \
"t:none,\
@ -125,7 +125,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:do "@streq index" \
"t:none,\
@ -149,7 +149,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:do "@streq login" \
"t:none,\
@ -170,7 +170,7 @@ SecRule ARGS:do "!@streq admin" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-DOKUWIKI-ADMIN"
SecRule ARGS:do "!@streq admin" \
@ -179,7 +179,7 @@ SecRule ARGS:do "!@streq admin" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-DOKUWIKI-ADMIN"
@ -194,7 +194,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:do "@streq login" \
"t:none,\
@ -220,7 +220,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:page "@streq config" \
"t:none,\
@ -252,7 +252,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule ARGS:page "@streq config" \
"t:none,\

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -19,7 +19,7 @@ SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-CPANEL"
SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
@ -28,7 +28,7 @@ SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-CPANEL"
@ -53,7 +53,7 @@ SecRule REQUEST_LINE "@rx ^GET /whm-server-status(?:/|/\?auto)? HTTP/[12]\.[01]$
tag:'language-multi',\
tag:'platform-apache',\
tag:'attack-generic',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
"t:none,\

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -18,7 +18,7 @@ SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-XENFORO"
SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \
@ -27,7 +27,7 @@ SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-XENFORO"
@ -49,7 +49,7 @@ SecRule REQUEST_FILENAME "@endsWith /proxy.php" \
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:link,\
ctl:ruleRemoveTargetById=931130;ARGS:referrer,\
ctl:ruleRemoveTargetById=942230;ARGS:referrer,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Store drafts for private message, forum post, thread reply
# POST /xf/conversations/draft
@ -73,7 +73,7 @@ SecRule REQUEST_FILENAME "@rx /(?:conversations|(?:conversations|forums|threads)
ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Send PM, edit post, create thread, reply to thread
# POST /xf/conversations/add
@ -100,7 +100,7 @@ SecRule REQUEST_FILENAME "@rx /(?:conversations/add(?:-preview)?|conversations/m
ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Quote
# POST /xf/posts/12345/quote
@ -111,7 +111,7 @@ SecRule REQUEST_FILENAME "@rx /posts/\d+/quote$" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:quoteHtml,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Multi quote
# POST /xf/conversations/convo-title.12345/multi-quote
@ -134,7 +134,7 @@ SecRule REQUEST_FILENAME "@rx /(?:conversations|threads)/.*\.\d+/multi-quote$" \
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[7][value],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[8][value],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[9][value],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Delete thread
# POST /xf/threads/thread-title.12345/delete
@ -145,7 +145,7 @@ SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/delete$" \
t:none,\
nolog,\
ctl:ruleRemoveTargetById=942130;ARGS:starter_alert_reason,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Feature thread
# POST /xf/threads/thread-title.12345/feature-edit
@ -167,7 +167,7 @@ SecRule REQUEST_FILENAME "@endsWith /inline-mod/" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:author_alert_reason,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Warn member
# POST /xf/members/name.12345/warn
@ -180,7 +180,7 @@ SecRule REQUEST_FILENAME "@rx /(?:members/.*\.\d+|posts/\d+)/warn$" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:conversation_message,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:notes,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Editor
SecRule REQUEST_URI "@endsWith /index.php?editor/to-html" \
@ -194,7 +194,7 @@ SecRule REQUEST_URI "@endsWith /index.php?editor/to-html" \
ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Editor
SecRule REQUEST_URI "@endsWith /index.php?editor/to-bb-code" \
@ -204,7 +204,7 @@ SecRule REQUEST_URI "@endsWith /index.php?editor/to-bb-code" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:html,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Post attachment
# POST /xf/account/avatar
@ -220,7 +220,7 @@ SecRule REQUEST_FILENAME "@rx /(?:account/avatar|attachments/upload)$" \
ctl:ruleRemoveTargetById=942440;ARGS:flowIdentifier,\
ctl:ruleRemoveTargetById=942440;ARGS:flowFilename,\
ctl:ruleRemoveTargetById=942440;ARGS:flowRelativePath,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Media
# POST /xf/index.php?editor/media
@ -232,7 +232,7 @@ SecRule REQUEST_URI "@endsWith /index.php?editor/media" \
nolog,\
ctl:ruleRemoveTargetById=931130;ARGS:url,\
ctl:ruleRemoveTargetById=942130;ARGS:url,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Emoji
# GET /xf/index.php?misc/find-emoji&q=(%0A%0A
@ -243,7 +243,7 @@ SecRule REQUEST_URI "@rx /index\.php\?misc/find-emoji&q=" \
t:none,\
nolog,\
ctl:ruleRemoveTargetById=921151;ARGS:q,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Login
# POST /xf/login/login
@ -254,7 +254,7 @@ SecRule REQUEST_FILENAME "@endsWith /login/login" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Register account
# POST /xf/register/register
@ -269,7 +269,7 @@ SecRule REQUEST_FILENAME "@endsWith /register/register" \
nolog,\
ctl:ruleRemoveTargetById=942130;ARGS,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:reg_key,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Confirm account
# GET /xf/account-confirmation/name.12345/email?c=foo
@ -291,7 +291,7 @@ SecRule REQUEST_FILENAME "@endsWith /account/account-details" \
nolog,\
ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:about_html,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Lost password
# POST /xf/lost-password/user-name.12345/confirm?c=foo
@ -302,7 +302,7 @@ SecRule REQUEST_FILENAME "@rx /lost-password/.*\.\d+/confirm$" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:c,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Set forum signature
# POST /xf/account/signature
@ -313,7 +313,7 @@ SecRule REQUEST_FILENAME "@endsWith /account/signature" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:signature_html,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Search
# POST /xf/search/search
@ -328,7 +328,7 @@ SecRule REQUEST_FILENAME "@endsWith /search/search" \
ctl:ruleRemoveTargetById=942260;ARGS:constraints,\
ctl:ruleRemoveTargetById=942340;ARGS:constraints,\
ctl:ruleRemoveTargetById=942370;ARGS:constraints,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Search within thread
# GET /xf/threads/foo.12345/page12?highlight=foo
@ -339,7 +339,7 @@ SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/(?:page\d+)?$" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:highlight,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Search within search result
# GET /xf/search/12345/?q=foo
@ -350,7 +350,7 @@ SecRule REQUEST_FILENAME "@rx /search/\d+/$" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:q,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Contact form
# POST /xf/misc/contact
@ -362,7 +362,7 @@ SecRule REQUEST_FILENAME "@endsWith /misc/contact" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:subject,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Report post
# POST /xf/posts/12345/report
@ -373,7 +373,7 @@ SecRule REQUEST_FILENAME "@rx /posts/\d+/report$" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Alternate thread view route
# /xf/index.php?threads/title-having-some-sql.12345/
@ -388,7 +388,7 @@ SecRule REQUEST_FILENAME "@endsWith /index.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule REQUEST_METHOD "@streq GET" \
"t:none,\
@ -412,7 +412,7 @@ SecRule REQUEST_URI "@endsWith /index.php?dbtech-security/fingerprint" \
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[14][value],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[15][value],\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[16][value],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Get location info
SecRule REQUEST_FILENAME "@endsWith /misc/location-info" \
@ -422,7 +422,7 @@ SecRule REQUEST_FILENAME "@endsWith /misc/location-info" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:location,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
# -=[ XenForo Global Exclusions ]=-
@ -455,7 +455,7 @@ SecAction \
ctl:ruleRemoveTargetByTag=OWASP_CRS;REQUEST_COOKIES:xf_ls,\
ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_session,\
ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_user,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
#
# -=[ XenForo Administration Back-End ]=-
@ -469,7 +469,7 @@ SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-XENFORO-ADMIN"
SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
@ -478,7 +478,7 @@ SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-XENFORO-ADMIN"
# Admin edit user
@ -491,7 +491,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/edit$" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[about],\
ctl:ruleRemoveTargetById=931130;ARGS:profile[website],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Admin save user
# POST /xf/admin.php?users/the-user-name.12345/save
@ -510,7 +510,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/save$" \
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[sexuality],\
ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\
ctl:ruleRemoveTargetById=931130;ARGS:profile[website],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Admin edit forum notice
@ -524,7 +524,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?notices/(?:.*\.)?\d+/save$" \
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Admin batch thread update
# POST /xf/admin.php?threads/batch-update/action
@ -539,7 +539,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?(?:threads|users)/batch-update/action$" \
ctl:ruleRemoveTargetById=942330;ARGS:criteria,\
ctl:ruleRemoveTargetById=942340;ARGS:criteria,\
ctl:ruleRemoveTargetById=942370;ARGS:criteria,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Edit forum theme
# POST /xf/admin.php?styles/title.1234/style-properties/group&group=basic
@ -556,7 +556,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?styles/" \
ctl:ruleRemoveTargetById=942340;ARGS:json,\
ctl:ruleRemoveTargetById=942370;ARGS:json,\
ctl:ruleRemoveTargetById=942440;ARGS:json,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Set forum options
# POST /xf/admin.php?options/update
@ -567,7 +567,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?options/update" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:options[boardInactiveMessage],\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Edit pages/templates
# POST /xf/admin.php?pages/0/save
@ -580,7 +580,7 @@ SecRule REQUEST_URI "@rx /admin\.php\?(?:pages|templates)/.*/save" \
t:none,\
nolog,\
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:template,\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecMarker "END-XENFORO-ADMIN"

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -24,7 +24,7 @@ SecRule REQUEST_LINE "@streq GET /" \
tag:'language-multi',\
tag:'platform-apache',\
tag:'attack-generic',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
"t:none,\
@ -44,7 +44,7 @@ SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
tag:'language-multi',\
tag:'platform-apache',\
tag:'attack-generic',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \
"t:none,\

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -41,7 +41,7 @@ SecRule TX:DO_REPUT_BLOCK "@eq 1" \
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain,\
skipAfter:BEGIN-REQUEST-BLOCKING-EVAL"
@ -71,7 +71,7 @@ SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule TX:REAL_IP "@geoLookup" \
@ -124,9 +124,8 @@ SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-RBL-LOOKUP"
#
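Review bot: this hunk shrinks from 9 lines to 8, so it drops a line in addition to swapping ver, and from the listing that line appears to be tag:'paranoia-level/1' on the IP:PREVIOUS_RBL_CHECK skip rule. Local configuration that selects rules by that tag (ctl:ruleRemoveByTag, SecRuleRemoveByTag) will stop matching this rule after the update. The changelog entry only says the ruleset was updated to 3.3.5, so mention the tag change there and check local exclusions for paranoia-level/1.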
@ -148,9 +147,8 @@ SecRule &TX:block_suspicious_ip "@eq 0" \
pass,\
t:none,\
nolog,\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain,\
skipAfter:END-RBL-CHECK"
SecRule &TX:block_harvester_ip "@eq 0" \
@ -170,9 +168,8 @@ SecRule TX:REAL_IP "@rbl dnsbl.httpbl.org" \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.httpbl_msg=%{tx.0}',\
chain"
SecRule TX:httpbl_msg "@rx RBL lookup of .*?.dnsbl.httpbl.org succeeded at TX:checkip. (.*?): .*" \
@ -193,7 +190,7 @@ SecRule TX:block_search_ip "@eq 1" \
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain,\
skipAfter:END-RBL-CHECK"
@ -217,7 +214,7 @@ SecRule TX:block_spammer_ip "@eq 1" \
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain,\
skipAfter:END-RBL-CHECK"
@ -241,7 +238,7 @@ SecRule TX:block_suspicious_ip "@eq 1" \
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain,\
skipAfter:END-RBL-CHECK"
@ -265,7 +262,7 @@ SecRule TX:block_harvester_ip "@eq 1" \
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain,\
skipAfter:END-RBL-CHECK"
@ -287,8 +284,7 @@ SecAction \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'ip.previous_rbl_check=1',\
expirevar:'ip.previous_rbl_check=86400'"

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -39,7 +39,7 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/274',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -70,7 +70,7 @@ SecRule &TX:dos_burst_time_slice "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain,\
skipAfter:END-DOS-PROTECTION-CHECKS"
SecRule &TX:dos_counter_threshold "@eq 0" \
@ -83,7 +83,7 @@ SecRule &TX:dos_burst_time_slice "@eq 0" \
pass,\
t:none,\
nolog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain,\
skipAfter:END-DOS-PROTECTION-CHECKS"
SecRule &TX:dos_counter_threshold "@eq 0" \
@ -116,7 +116,7 @@ SecRule IP:DOS_BLOCK "@eq 1" \
tag:'attack-dos',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule &IP:DOS_BLOCK_FLAG "@eq 0" \
"setvar:'ip.dos_block_counter=+1',\
@ -138,11 +138,10 @@ SecRule IP:DOS_BLOCK "@eq 1" \
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'paranoia-level/1',\
tag:'attack-dos',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'ip.dos_block_counter=+1'"
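Review bot: tag:'paranoia-level/1' appears to go away on this ip.dos_block_counter rule as well (11 lines become 10), and the same one-line shrink repeats in the next four hunks, while the later IP:DOS_BURST_COUNTER "@ge 1" rule still shows tag:'paranoia-level/2'. If any audit-log query or alert groups DoS rule hits by paranoia tag, these rules will drop out of that view after the update. Run the existing queries against a log sample from the new ruleset before release.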
@ -162,9 +161,8 @@ SecRule IP:DOS_BLOCK "@eq 1" \
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'paranoia-level/1',\
tag:'attack-dos',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
skipAfter:END-DOS-PROTECTION-CHECKS"
@ -181,11 +179,10 @@ SecRule REQUEST_BASENAME "@rx .*?(\.[a-z0-9]{1,10})?$" \
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'paranoia-level/1',\
tag:'attack-dos',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.extension=/%{TX.1}/',\
chain"
SecRule TX:EXTENSION "!@within %{tx.static_extensions}" \
@ -213,11 +210,10 @@ SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'paranoia-level/1',\
tag:'attack-dos',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule &IP:DOS_BURST_COUNTER "@eq 0" \
"setvar:'ip.dos_burst_counter=1',\
@ -234,11 +230,10 @@ SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'paranoia-level/1',\
tag:'attack-dos',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule &IP:DOS_BURST_COUNTER "@ge 1" \
"setvar:'ip.dos_burst_counter=2',\
@ -265,7 +260,7 @@ SecRule IP:DOS_BURST_COUNTER "@ge 2" \
tag:'attack-dos',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'ip.dos_block=1',\
expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"
@ -299,7 +294,7 @@ SecRule IP:DOS_BURST_COUNTER "@ge 1" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/227/469',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'ip.dos_block=1',\
expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -47,7 +47,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'ip.reput_block_flag=1',\
@ -70,7 +70,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data
tag:'OWASP_CRS',\
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'ip.reput_block_flag=1',\
@ -95,7 +95,7 @@ SecRule REQUEST_FILENAME|ARGS "@pmFromFile scanners-urls.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'ip.reput_block_flag=1',\
@ -135,7 +135,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'ip.reput_block_flag=1',\
@ -169,7 +169,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \
tag:'capec/1000/118/224/541/310',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'ip.reput_block_flag=1',\

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -59,7 +59,7 @@ SecRule REQUEST_LINE "!@rx ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -110,7 +110,7 @@ SecRule FILES_NAMES|FILES "@rx (?<!&(?:[aAoOuUyY]uml)|&(?:[aAeEiIoOuU]circ)|&(?:
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -139,7 +139,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -173,7 +173,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \
@ -198,7 +198,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
@ -234,7 +234,7 @@ SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
chain"
SecRule REQUEST_METHOD "@streq POST" \
@ -263,7 +263,7 @@ SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
tag:'attack-protocol',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
chain"
SecRule &REQUEST_HEADERS:Content-Length "!@eq 0" \
@ -301,7 +301,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
chain"
SecRule TX:2 "@lt %{tx.1}" \
@ -334,7 +334,7 @@ SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -367,7 +367,7 @@ SecRule REQUEST_URI "@rx \x25" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
chain"
SecRule REQUEST_URI "@validateUrlEncoding" \
@ -387,7 +387,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
chain"
SecRule REQUEST_BODY "@rx \x25" \
@ -419,7 +419,7 @@ SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
chain"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \
@ -458,7 +458,7 @@ SecRule REQUEST_URI|REQUEST_BODY "@rx \%u[fF]{2}[0-9a-fA-F]{2}" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/72',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -512,7 +512,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -544,7 +544,7 @@ SecRule &REQUEST_HEADERS:Host "@eq 0" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
skipAfter:END-HOST-CHECK"
@ -563,7 +563,7 @@ SecRule REQUEST_HEADERS:Host "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -603,7 +603,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'NOTICE',\
chain"
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@ -628,7 +628,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'NOTICE',\
chain"
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@ -661,7 +661,7 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'NOTICE',\
setvar:'tx.anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
@ -698,7 +698,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'NOTICE',\
chain"
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@ -731,7 +731,7 @@ SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
@ -763,7 +763,7 @@ SecRule &TX:MAX_NUM_ARGS "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule &ARGS "@gt %{tx.max_num_args}" \
@ -788,7 +788,7 @@ SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" \
@ -815,7 +815,7 @@ SecRule &TX:ARG_LENGTH "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule ARGS "@gt %{tx.arg_length}" \
@ -839,7 +839,7 @@ SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" \
@ -864,7 +864,7 @@ SecRule &TX:MAX_FILE_SIZE "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
@ -890,7 +890,7 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \
@ -928,7 +928,7 @@ SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+-]+(?:\s?;\s?(?:action|boundar
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -951,7 +951,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.content_type=|%{tx.0}|',\
chain"
@ -979,7 +979,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule TX:1 "!@rx ^%{tx.allowed_request_content_type_charset}$" \
@ -1005,7 +1005,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1027,7 +1027,7 @@ SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1050,7 +1050,7 @@ SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.extension=.%{tx.1}/',\
chain"
@ -1077,7 +1077,7 @@ SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -1122,7 +1122,7 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.header_name_%{tx.0}=/%{tx.0}/',\
chain"
@ -1157,10 +1157,41 @@ SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
#
# The following rule (920620) checks for the presence of 2 or more request Content-Type headers.
# Content-Type confusion poses a significant security risk to a web application. It occurs when
# the server and client have different interpretations of the Content-Type header, leading to
# miscommunication, potential exploitation and WAF bypass.
#
# Using Apache, when multiple Content-Type request headers are received, the server combines them
# into a single header with the values separated by commas. For example, if a client sends multiple
# Content-Type headers with values "application/json" and "text/plain", Apache will combine them
# into a single header like this: "Content-Type: application/json, text/plain".
#
# On the other hand, Nginx handles multiple Content-Type headers differently. It preserves each
# header as a separate entity without combining them. So, if a client sends multiple Content-Type
# headers, Nginx will keep them separate, maintaining the original values.
#
SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \
"id:920620,\
phase:1,\
block,\
t:none,\
msg:'Multiple Content-Type Request Headers',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
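Review bot: the comment block above new rule 920620 says Apache merges duplicate Content-Type headers into one comma-separated header, in which case `&REQUEST_HEADERS:Content-Type "@gt 1"` would presumably see a count of 1 and never match there. The comment should say so explicitly and name the rule that is expected to catch the merged form, so operators on Apache do not assume this rule protects them. Two smaller points on the same rule: `logdata:'%{MATCHED_VAR}'` on a `&`-counted variable will log the header count rather than the conflicting header values, and the rule carries no `capec/...` tag although the neighbouring rules in this file do.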
@ -1202,7 +1233,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
chain"
SecRule REQUEST_BASENAME "!@endsWith .pdf" \
@ -1226,7 +1257,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
chain"
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \
@ -1247,7 +1278,7 @@ SecRule ARGS "@rx %[0-9a-fA-F]{2}" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/267/120',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
@ -1278,7 +1309,7 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'NOTICE',\
chain"
SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@ -1304,7 +1335,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1331,7 +1362,7 @@ SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'NOTICE',\
setvar:'tx.anomaly_score_pl2=+%{tx.notice_anomaly_score}'"
@ -1353,7 +1384,7 @@ SecRule FILES_NAMES|FILES "@rx ['\";=]" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1378,7 +1409,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
tag:'paranoia-level/2',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@ -1412,7 +1443,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteR
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -1440,7 +1471,7 @@ SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \
@ -1493,7 +1524,7 @@ SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(\s*\,\s*|$)){1,7}$" \
@ -1524,7 +1555,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
chain"
SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
@ -1551,7 +1582,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@ -1572,7 +1603,7 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@ -1596,7 +1627,7 @@ SecRule REQUEST_HEADERS:Sec-Fetch-User "@validateByteRange 32,34,38,42-59,61,63,
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
@ -1642,7 +1673,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\\\\])\\\\[cdegh
tag:'OWASP_CRS',\
tag:'capec/1000/153/267',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}'"

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -47,7 +47,7 @@ SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connec
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -80,7 +80,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/34',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -102,7 +102,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/34',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -137,7 +137,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/273',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -166,7 +166,7 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -188,7 +188,7 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -214,7 +214,7 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/34',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -247,7 +247,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/136',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -280,7 +280,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s,]+[;\s,].*?(?:(?:application(?:
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -314,7 +314,7 @@ SecRule ARGS_GET "@rx [\n\r]" \
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220/33',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -350,9 +350,9 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s,]+[;\s,].*?\b(?:(audio|image|vi
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'PCI/12.1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
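Review bot: the last setvar in this hunk changes from `tx.anomaly_score_pl1` to `tx.anomaly_score_pl2`, which is a scoring change and not part of the version-string bump, yet the commit message and changelog only mention updating the rule set to 3.3.5. The new counter is consistent with the `@lt 3` skip marker (id 921015) that follows, but the rule's `paranoia-level` tag is outside the visible context, so please confirm it reads `paranoia-level/2` and note the change for anyone comparing anomaly scores before and after the upgrade.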
@ -386,7 +386,7 @@ SecRule &REQUEST_HEADERS:Range "@gt 0" \
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272/220',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -418,10 +418,9 @@ SecRule ARGS_NAMES "@rx ." \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/3',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/15/460',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
SecRule TX:/paramcounter_.*/ "@gt 1" \
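Review bot: the hunk header (-418,10 +418,9) shows a net removal of one line in addition to the `ver` change, so a tag is being dropped from the `ARGS_NAMES "@rx ."` paramcounter rule. If the dropped line is `tag:'paranoia-level/3'`, which the `TX:/paramcounter_.*/` rule in the next hunk still carries, then exclusions or log filters keyed on that tag will no longer cover this counter rule while still covering the rule that scores on it. Please confirm that is intended and mention it alongside the version update.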
@ -437,7 +436,7 @@ SecRule TX:/paramcounter_.*/ "@gt 1" \
tag:'OWASP_CRS',\
tag:'capec/1000/152/137/15/460',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -38,7 +38,7 @@ SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule ARGS:_charset_ "!@within |%{tx.allowed_request_content_type_charset}|" \
@ -63,7 +63,7 @@ SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*+:\s*+(.*)$" \
tag:'OWASP_CRS',\
tag:'capec/272/220',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule TX:1 "!@rx ^(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*(?:\s*+,\s*+(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*)*$" \
@ -87,6 +87,6 @@ SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \
tag:'OWASP_CRS',\
tag:'capec/272/220',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -42,7 +42,7 @@ SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@r
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
@ -65,7 +65,7 @@ SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@rx (?
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@ -92,7 +92,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
tag:'PCI/6.5.4',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -119,7 +119,7 @@ SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
tag:'OWASP_CRS',\
tag:'capec/1000/255/153/126',\
tag:'PCI/6.5.4',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -50,7 +50,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?):\/\/(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -71,7 +71,7 @@ SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_abso
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -92,7 +92,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -120,13 +120,13 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?)://([^/]*).*$" \
tag:'OWASP_CRS',\
tag:'capec/1000/152/175/253',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
chain"
SecRule TX:/rfi_parameter_.*/ "!@endsWith .%{request_headers.host}" \
"setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
"ctl:auditLogParts=+E,\
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
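Review bot: moving `ctl:auditLogParts=+E` from the chain starter to the chained `TX:/rfi_parameter_.*/` rule changes behaviour, and that is not mentioned anywhere in the commit message. In the starter position the action ran whenever an argument matched the URL pattern, even when the host comparison then failed; in the new position it runs only when the whole chain matches, which looks like the intended behaviour. `setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}'` correctly stays in the starter because the chained rule reads it. A regression test covering a URL argument that points at the request's own host would document the fix.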

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -117,7 +117,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -153,7 +153,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -250,7 +250,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -289,7 +289,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -324,7 +324,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -361,7 +361,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -407,7 +407,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -458,7 +458,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -495,7 +495,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -527,7 +527,7 @@ SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -549,7 +549,7 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -584,7 +584,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -629,7 +629,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/88',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VAR "@rx /" "t:none,t:urlDecodeUni,chain"
@ -679,7 +679,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -711,7 +711,7 @@ SecRule ARGS "@rx (?:/|\\\\)(?:[\?\*]+[a-z/\\\\]+|[a-z/\\\\]+[\?\*]+)" \
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -60,7 +60,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -102,7 +102,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -126,12 +126,12 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS "@pm =" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
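Review bot: In this hunk `ctl:auditLogParts=+E` leaves the chain starter and reappears on the chained `SecRule MATCHED_VARS "@pm ="` rule, which is a behaviour change rather than a version-string edit, yet the changelog entry only says "Updated OWASP coreruleset to 3.3.5". With the action on the chained rule, part E is added to the audit log only when the `@pm =` check also matches, in step with the two `setvar` score increments. Please call this out in the changelog or PR description so operators who rely on audit log part E for this rule know the logging condition changed.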
@ -155,7 +155,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -192,7 +192,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -221,7 +221,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -289,7 +289,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -343,7 +343,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -399,7 +399,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -455,7 +455,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -497,7 +497,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -540,12 +540,12 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS "@pm (" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
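Review bot: The same relocation of `ctl:auditLogParts=+E` happens here for the paranoia-level/2 rule chained to `SecRule MATCHED_VARS "@pm ("`, and among the hunks shown for this file it is the only other one where an action moves rather than just the `ver:` string. Since the vendored rules are otherwise changed mechanically, please confirm both chains were taken verbatim from the upstream 3.3.5 release and not hand-edited, for example by diffing the vendored file against the upstream tag before merging.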
@ -595,7 +595,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/242',\
tag:'paranoia-level/3',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -641,7 +641,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'capec/1000/152/242',\
tag:'paranoia-level/3',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -684,7 +684,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
tag:'capec/1000/152/242',\
tag:'paranoia-level/3',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -714,7 +714,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/242',\
tag:'paranoia-level/3',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -63,7 +63,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -50,7 +50,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -77,7 +77,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -103,7 +103,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -133,7 +133,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -159,7 +159,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -194,7 +194,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -219,7 +219,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -245,7 +245,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -272,7 +272,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -294,7 +294,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -316,7 +316,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -338,7 +338,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -360,7 +360,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -382,7 +382,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -404,7 +404,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -426,7 +426,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -448,7 +448,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -470,7 +470,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -492,7 +492,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -514,7 +514,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -541,7 +541,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -568,7 +568,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -610,7 +610,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -638,7 +638,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:
tag:'OWASP_CRS',\
tag:'capec/1000/152/242/63',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -669,7 +669,7 @@ SecRule REQUEST_HEADERS:Referer "@detectXSS" \
tag:'capec/1000/152/242',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -695,7 +695,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'capec/1000/152/242',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -778,7 +778,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'capec/1000/152/242/63',\
tag:'PCI/6.5.1',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -799,7 +799,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'capec/1000/152/242',\
tag:'PCI/6.5.1',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -823,7 +823,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'capec/1000/152/242',\
tag:'PCI/6.5.1',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -856,7 +856,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/242/63',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -59,7 +59,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@ -94,7 +94,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -120,7 +120,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -149,7 +149,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -178,7 +178,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -199,7 +199,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -220,7 +220,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -249,7 +249,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -270,7 +270,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -291,7 +291,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -320,7 +320,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -341,7 +341,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -370,7 +370,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -399,7 +399,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -439,7 +439,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -475,7 +475,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -513,7 +513,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?:^\s*[\"'`;]+|[\"'`]+\s*$)" \
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
@ -549,7 +549,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\)|\
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -584,7 +584,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\s'\"`()]*?\b([\d\w]+)\b[\s'\"`()]*?(?:
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
multiMatch,\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@ -623,7 +623,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -652,7 +652,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -684,7 +684,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -716,7 +716,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -745,7 +745,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -774,7 +774,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -803,7 +803,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -840,7 +840,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -871,7 +871,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -896,7 +896,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -930,7 +930,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -957,7 +957,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -984,7 +984,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1014,7 +1014,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1051,7 +1051,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1084,7 +1084,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1117,7 +1117,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1158,7 +1158,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@ -1202,7 +1202,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@ -1227,7 +1227,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1276,7 +1276,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -1315,7 +1315,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -1339,7 +1339,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -1379,7 +1379,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@ -1408,7 +1408,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@ -1438,7 +1438,7 @@ SecRule ARGS "@rx \W{4}" \
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}'"
@ -1472,7 +1472,7 @@ SecRule REQUEST_BASENAME "@detectSQLi" \
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -1522,7 +1522,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@ -1555,7 +1555,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@ -1584,7 +1584,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
tag:'capec/1000/152/248/66',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/4',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -44,7 +44,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
tag:'OWASP_CRS',\
tag:'capec/1000/225/21/593/61',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -65,15 +65,15 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/21/593/61',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_HEADERS:Referer "@rx ^(?:ht|f)tps?://(.*?)\/" \
"capture,\
chain"
SecRule TX:1 "!@endsWith %{request_headers.host}" \
"setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
"ctl:auditLogParts=+E,\
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
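Review bot: the move of `ctl:auditLogParts=+E` off the `ARGS_NAMES` chain starter and onto the final `SecRule TX:1 "!@endsWith %{request_headers.host}"` link is a behaviour change, not a version-string bump, yet the changelog entry for this PR only says the rule set was updated to 3.3.5. Non-disruptive actions on a chain starter run as soon as the starter itself matches, so part E was previously added for any request carrying a session-ID parameter name, even when the Referer check did not complete the chain. Now it is added only on a full chain match. Suggest stating this in the changelog or PR description so operators comparing audit logs across the upgrade know why fewer entries carry part E.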
@ -92,12 +92,12 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/225/21/593/61',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule &REQUEST_HEADERS:Referer "@eq 0" \
"setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
"ctl:auditLogParts=+E,\
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -47,7 +47,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/137/6',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -81,7 +81,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \
@ -107,7 +107,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
@ -141,7 +141,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -180,7 +180,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -202,7 +202,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -224,7 +224,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -249,7 +249,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@ -285,7 +285,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/3',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -69,7 +69,7 @@ SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-ip',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule TX:DO_REPUT_BLOCK "@eq 1" \
@ -89,7 +89,7 @@ SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-generic',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -45,7 +45,7 @@ SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Inde
tag:'capec/1000/118/116/54/127',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -79,7 +79,7 @@ SecRule RESPONSE_BODY "@rx ^#\!\s?/" \
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -111,7 +111,7 @@ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
tag:'OWASP_CRS',\
tag:'capec/1000/152',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.error_anomaly_score}'"

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -36,10 +36,9 @@ SecRule RESPONSE_BODY "@pmFromFile sql-errors.data" \
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-disclosure',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.sql_error_match=1'"
SecRule TX:sql_error_match "@eq 1" \
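Review bot: the `-36,10 +36,9` header on the `@pmFromFile sql-errors.data` rule means this hunk drops a net one line in addition to swapping `ver:`, and the commit message does not say which one. The lines around the change are the rule's `tag:` metadata and `setvar:'tx.sql_error_match=1'`, so please name the removed line in the PR description. Tags are what tag-based exclusions and log filters key on, and a silently dropped one can change which local tuning still applies to this rule.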
@ -57,12 +56,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
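Review bot: the same relocation of `ctl:auditLogParts=+E`, from the `TX:sql_error_match "@eq 1"` starter to the chained `SecRule RESPONSE_BODY`, recurs in every remaining hunk of this file, which is not practical to confirm by eye in a vendored rule set. Rather than relying on line-by-line reading, verify the vendored tree against the upstream 3.3.5 release (a checksum or a clean diff against the upstream tag) and record the result in the PR, so that any local deviation from upstream stands out.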
@ -82,12 +81,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -107,12 +106,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.*DB2|DB2 SQL error|db2_\w+\()" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -132,12 +131,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinity of:)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -157,12 +156,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -183,12 +182,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollback\." \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -208,12 +207,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -233,12 +232,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.*Informix)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -259,12 +258,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -285,12 +284,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -310,12 +309,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -335,12 +334,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -360,12 +359,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid MySQL|Column count doesn't match value count at row|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax;|You have an error in your SQL syntax near|MySQL server version for the right syntax to use|\[MySQL\]\[ODBC|Column count doesn't match|Table '[^']+' doesn't exist|SQL syntax.*MySQL|Warning.*mysql_.*|valid MySQL result|MySqlClient\.)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -385,12 +384,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i:PostgreSQL query failed:|pg_query\(\) \[:|pg_exec\(\) \[:|PostgreSQL.*ERROR|Warning.*pg_.*|valid PostgreSQL result|Npgsql\.|PG::[a-zA-Z]*Error|Supplied argument is not a valid PostgreSQL .*? resource|Unable to connect to PostgreSQL server)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -410,12 +409,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\.Exception|System\.Data\.SQLite\.SQLiteException)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@ -435,12 +434,12 @@ SecRule TX:sql_error_match "@eq 1" \
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/118/116/54',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
chain"
SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.*sybase.*|Sybase.*Server message.*)" \
"capture,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -40,7 +40,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -67,7 +67,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -40,7 +40,7 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -67,7 +67,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -97,13 +97,13 @@ SecRule RESPONSE_BODY "@rx <\?(?!xml)" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ERROR',\
chain"
SecRule RESPONSE_BODY "!@rx (?:\x1f\x8b\x08|\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b|^wOF[F2])" \
"capture,\
t:none,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -38,7 +38,7 @@ SecRule RESPONSE_BODY "@rx [a-z]:\\\\inetpub\b" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -61,7 +61,7 @@ SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:<\/font
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -87,7 +87,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ERROR',\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
@ -110,13 +110,13 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
tag:'OWASP_CRS',\
tag:'capec/1000/118/116',\
tag:'PCI/6.5.6',\
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ERROR',\
chain"
SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \
"capture,\
t:none,\
ctl:auditLogParts=+E,\
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
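Review bot: on this chain the relocation of `ctl:auditLogParts=+E` matters more than elsewhere, because the starter is `SecRule RESPONSE_STATUS "!@rx ^404$"`. With the action on the starter, every response whose status was not 404 had part E (the response body) added to its audit log parts, whether or not the body contained `Server Error in ... Application`. After the move only a full chain match does. Worth checking after the upgrade that audit log volume, and anything downstream that expects a response body in these entries, behaves as intended.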

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -73,7 +73,7 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
t:none,\
msg:'Outbound Anomaly Score Exceeded (Total Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
tag:'anomaly-evaluation',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.anomaly_score=+%{tx.outbound_anomaly_score}'"

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
@ -30,7 +30,7 @@ SecRule &TX:'/LEAKAGE\\\/ERRORS/' "@ge 1" \
log,\
msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
tag:'event-correlation',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'EMERGENCY',\
chain,\
skipAfter:END-CORRELATION"
@ -47,7 +47,7 @@ SecRule &TX:'/AVAILABILITY\\\/APP_NOT_AVAIL/' "@ge 1" \
log,\
msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
tag:'event-correlation',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'ALERT',\
chain,\
skipAfter:END-CORRELATION"
@ -61,7 +61,7 @@ SecAction \
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.executing_anomaly_score=%{tx.anomaly_score_pl1}',\
setvar:'tx.executing_anomaly_score=+%{tx.anomaly_score_pl2}',\
setvar:'tx.executing_anomaly_score=+%{tx.anomaly_score_pl3}',\
@ -76,7 +76,7 @@ SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_threshold}" \
noauditlog,\
msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\
tag:'event-correlation',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule TX:MONITOR_ANOMALY_SCORE "@gt 1"
@ -89,7 +89,7 @@ SecRule TX:INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
noauditlog,\
msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\
tag:'event-correlation',\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
"id:980140,\
@ -100,7 +100,7 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
noauditlog,\
msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\
tag:'event-correlation',\
ver:'OWASP_CRS/3.3.4'"
ver:'OWASP_CRS/3.3.5'"
# Creating a total sum of all triggered outbound rules, including the ones only being monitored
SecAction \
@ -110,7 +110,7 @@ SecAction \
t:none,\
nolog,\
noauditlog,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1}',\
setvar:'tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2}',\
setvar:'tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl3}',\
@ -125,7 +125,7 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@lt %{tx.outbound_anomaly_score_threshold}" \
noauditlog,\
msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\
tag:'event-correlation',\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
chain"
SecRule TX:MONITOR_ANOMALY_SCORE "@gt 1"

View file

@ -1,7 +1,7 @@
# ------------------------------------------------------------------------
# OWASP ModSecurity Core Rule Set ver.3.3.4
# OWASP ModSecurity Core Rule Set ver.3.3.5
# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved.
# Copyright (c) 2021-2023 Core Rule Set project. All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2

View file

@ -5,11 +5,9 @@
name: "911100.yaml"
description: "Description"
tests:
-
test_title: 911100-1
- test_title: 911100-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -18,11 +16,9 @@
Host: "localhost"
output:
no_log_contains: "id \"911100\""
-
test_title: 911100-2
- test_title: 911100-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -32,11 +28,9 @@
Host: "localhost"
output:
no_log_contains: "id \"911100\""
-
test_title: 911100-3
- test_title: 911100-3
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "HEAD"
@ -46,11 +40,9 @@
Host: "localhost"
output:
no_log_contains: "id \"911100\""
-
test_title: 911100-4
- test_title: 911100-4
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
@ -62,11 +54,9 @@
data: "test=value"
output:
no_log_contains: "id \"911100\""
-
test_title: 911100-5
- test_title: 911100-5
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "TEST"
@ -76,12 +66,10 @@
Host: "localhost"
output:
log_contains: "id \"911100\""
-
test_title: 911100-6
- test_title: 911100-6
desc: Method is not allowed by policy (911100) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -99,13 +87,10 @@
version: HTTP/1.0
output:
log_contains: id "911100"
-
test_title: 911100-7
- test_title: 911100-7
desc: Method is not allowed by policy (911100) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -123,13 +108,10 @@
version: HTTP/1.0
output:
log_contains: id "911100"
-
test_title: 911100-8
- test_title: 911100-8
desc: Method is not allowed by policy (911100) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:

View file

@ -5,12 +5,10 @@
enabled: true
name: 913100.yaml
tests:
-
test_title: 913100-1
- test_title: 913100-1
desc: Request Indicates a Security Scanner Scanned the Site (913100) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -21,20 +19,17 @@
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET
CLR 2.0.50727) Havij
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913100"
-
test_title: 913100-2
- test_title: 913100-2
desc: Request Indicates a Security Scanner Scanned the Site (913100) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -52,13 +47,10 @@
version: HTTP/1.0
output:
log_contains: id "913100"
-
test_title: 913100-3
- test_title: 913100-3
desc: Request Indicates a Security Scanner Scanned the Site (913100) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -76,12 +68,10 @@
version: HTTP/1.0
output:
log_contains: id "913100"
-
test_title: 913100-4
- test_title: 913100-4
desc: "Scanner identification based on User-agent field"
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"

View file

@ -5,13 +5,10 @@
enabled: true
name: 913110.yaml
tests:
-
test_title: 913110-1
desc: Request Indicates a Security Scanner Scanned the Site (913110) from old modsec
regressions
- test_title: 913110-1
desc: Request Indicates a Security Scanner Scanned the Site (913110) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -23,20 +20,17 @@
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET
CLR 2.0.50727)
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
method: GET
port: 80
uri: /
version: HTTP/1.0
output:
log_contains: id "913110"
-
test_title: 913110-2
- test_title: 913110-2
desc: "Scanner identification based on custom header"
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"

View file

@ -5,13 +5,10 @@
enabled: true
name: 913120.yaml
tests:
-
test_title: 913120-1
desc: Request Indicates a Security Scanner Scanned the Site (913120) from old modsec
regressions
- test_title: 913120-1
desc: Request Indicates a Security Scanner Scanned the Site (913120) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -22,20 +19,17 @@
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET
CLR 2.0.50727)
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
method: GET
port: 80
uri: /nessustest
version: HTTP/1.0
output:
log_contains: id "913120"
-
test_title: 913120-2
- test_title: 913120-2
desc: IBM fingerprint from (http://www-01.ibm.com/support/docview.wss?uid=swg21293132)
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -45,12 +39,10 @@
version: HTTP/1.0
output:
log_contains: id "913120"
-
test_title: 913120-3
- test_title: 913120-3
desc: "Scanner identification based on uri"
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"

View file

@ -5,12 +5,10 @@
name: "920100.yaml"
description: "Tests to trigger, or not trigger 920100"
tests:
-
# Standard GET request
- # Standard GET request
test_title: 920100-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
@ -23,13 +21,11 @@
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
-
# Request has tab (\t) before request method - Apache complains
- # Request has tab (\t) before request method - Apache complains
# AH00126: Invalid URI in request GET / HTTP/1.1
test_title: 920100-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: " GET"
@ -41,13 +37,11 @@
uri: "/"
version: "HTTP/1.1"
output:
status: 400
-
# Perfectly valid OPTIONS request
status: [400]
- # Perfectly valid OPTIONS request
test_title: 920100-3
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "OPTIONS"
@ -60,12 +54,10 @@
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
-
# Valid CONNECT request however this is disabled by Apache default
- # Valid CONNECT request however this is disabled by Apache default
test_title: 920100-4
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "CONNECT"
@ -78,12 +70,10 @@
version: "HTTP/1.1"
output:
status: [405, 403]
-
# invalid Connect request, domains require ports
- # invalid Connect request, domains require ports
test_title: 920100-5
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "CONNECT"
@ -95,13 +85,11 @@
uri: "www.cnn.com"
version: "HTTP/1.1"
output:
status: 400
-
# This is an acceptable CONNECT request for SSL tunneling
status: [400]
- # This is an acceptable CONNECT request for SSL tunneling
test_title: 920100-6
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "CONNECT"
@ -114,12 +102,10 @@
version: "HTTP/1.1"
output:
log_contains: "id \"920100\""
-
# Valid request with query and anchor components
- # Valid request with query and anchor components
test_title: 920100-7
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
@ -132,13 +118,11 @@
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
-
# The colon in the path is not allowed. Apache will block by default
- # The colon in the path is not allowed. Apache will block by default
# (20024)The given path is misformatted or contained invalid characters: [client 127.0.0.1:4142] AH00127: Cannot map GET /index.html:80?I=Like&Apples=Today#tag HTTP/1.1 to file
test_title: 920100-8
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
@ -151,12 +135,10 @@
version: "HTTP/1.1"
output:
status: [400, 403]
-
# Normal Options request with path
- # Normal Options request with path
test_title: 920100-9
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "OPTIONS"
@ -169,12 +151,10 @@
version: "HTTP/1.1"
output:
no_log_contains: "id \"920100\""
-
# An invalid method with a long name
- # An invalid method with a long name
test_title: 920100-10
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "REALLYLONGUNREALMETHOD"
@ -187,14 +167,12 @@
version: "HTTP/1.1"
output:
log_contains: "id \"920100\""
-
# An invalid request because a backslash is used in uri
- # An invalid request because a backslash is used in uri
# Apache will end up blocking this before it gets to CRS.
# We will need to support OR output tests to fix this
test_title: 920100-11
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -206,13 +184,10 @@
version: "HTTP/1.1"
output:
status: [403, 400]
#log_contains: "id \"920100\""
-
test_title: 920100-12
- test_title: 920100-12
desc: Invalid HTTP Request Line (920100) - Test 1 from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
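Review bot: The commented-out `#log_contains: "id \"920100\""` under the 920100-11 output is removed in this hunk, while the equivalent placeholder is kept for 920100-13 (`# log_contains: id "920100"`) and the comment above 920100-11 still says OR output tests are needed to fix it. Either keep the placeholder in both places or drop both and update the comment, so it stays clear that `status: [403, 400]` is accepted only because Apache rejects the request before it reaches CRS.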
@ -226,13 +201,11 @@
uri: /
version: HTTP/1.1
output:
status: 400
-
test_title: 920100-13
status: [400]
- test_title: 920100-13
desc: Invalid HTTP Request Line (920100) - Test 2 from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -248,12 +221,10 @@
output:
status: [403, 400]
# log_contains: id "920100"
-
test_title: 920100-14
- test_title: 920100-14
desc: Invalid HTTP Request Line (920100) - Test 3 from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -268,12 +239,10 @@
version: HTTP/1.0
output:
log_contains: id "920100"
-
test_title: 920100-15
- test_title: 920100-15
desc: Test as described in http://www.client9.com/article/five-interesting-injection-attacks/
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
method: GET

View file

@ -5,11 +5,9 @@
name: "920120.yaml"
description: "Tests to trigger rule 920120"
tests:
-
test_title: 920120-1
- test_title: 920120-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
@ -22,22 +20,20 @@
Connection: "close"
Referer: "http://localhost/"
Content-Type: "multipart/form-data; boundary=--------397236876"
data:
- "----------397236876"
- "Content-Disposition: form-data; name=\"fileRap\"; filename=\"file=.txt\""
- "Content-Type: text/plain"
- ""
- "555-555-0199@example.com"
- "----------397236876--"
data: |
----------397236876
Content-Disposition: form-data; name="fileRap"; filename="file=.txt"
Content-Type: text/plain
555-555-0199@example.com
----------397236876--
protocol: "http"
output:
log_contains: "id \"920120\""
-
test_title: 920120-2
- test_title: 920120-2
desc: Attempted multipart/form-data bypass (920120) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
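Review bot: In the 920120-1 `data: |` block, the empty line between the part headers and the part body is not present as shown: the old list had a `""` element between `Content-Type: text/plain` and `555-555-0199@example.com`, and the new block scalar runs the two lines together. A multipart part needs that empty line for what follows to be read as the body, so please confirm it survives in the committed file and keep it inside the block scalar if it does not.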
@ -55,26 +51,24 @@
port: 80
uri: /cgi-bin/fup.cgi
version: HTTP/1.1
data:
- '-----------------------------627652292512397580456702590'
- 'Content-Disposition: form-data; name="fi=le"; filename="test"'
- 'Content-Type: text/plain'
- ''
- 'email: security@modsecurity.org'
- ''
- '-----------------------------627652292512397580456702590'
- 'Content-Disposition: form-data; name="note"'
- ''
- Contact info.
- '-----------------------------627652292512397580456702590--'
data: |
-----------------------------627652292512397580456702590
Content-Disposition: form-data; name="fi=le"; filename="test"
Content-Type: text/plain
email: security@modsecurity.org
-----------------------------627652292512397580456702590
Content-Disposition: form-data; name="note"
Contact info.
-----------------------------627652292512397580456702590--
output:
log_contains: id "920120"
-
test_title: 920120-3
- test_title: 920120-3
desc: Invalid Request Body (920120) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -91,21 +85,21 @@
port: 80
uri: /
version: HTTP/1.1
data:
- '-----------------------------265001916915724'
- 'Content-Disposition: form-data; name="fi;le"; filename="test"'
- 'Content-Type: application/octet-stream'
- ''
- Rotem & Ayala
- ''
- '-----------------------------265001916915724'
- 'Content-Disposition: form-data; name="name"'
- ''
- tt2
- '-----------------------------265001916915724'
- 'Content-Disposition: form-data; name="B1"'
- ''
- Submit
- '-----------------------------265001916915724--'
data: |
-----------------------------265001916915724
Content-Disposition: form-data; name="fi;le"; filename="test"
Content-Type: application/octet-stream
Rotem & Ayala
-----------------------------265001916915724
Content-Disposition: form-data; name="name"
t2
-----------------------------265001916915724
Content-Disposition: form-data; name="B1"
Submit
-----------------------------265001916915724--
output:
log_contains: id "920120"
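Review bot: The body of the `name="name"` part changes from `tt2` to `t2` in the converted `data: |` block of 920120-3, which reads like a transcription slip rather than an intended edit. The empty `''` elements that followed each `Content-Disposition` header and `Rotem & Ayala` in the old list are also not visible in the new block. The conversion from list to block scalar should reproduce the request body exactly; suggest restoring `tt2` and the separating empty lines.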

View file

@ -5,12 +5,10 @@
name: "920160.yaml"
description: "Tests to trigger rule 920160"
tests:
-
# Non digit Content-Length without content-type
- # Non digit Content-Length without content-type
test_title: 920160-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
@ -22,13 +20,11 @@
protocol: "http"
uri: "/"
output:
status: 400
-
# Non digit content-length with content-type
status: [400]
- # Non digit content-length with content-type
test_title: 920160-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
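Review bot: After the change to `status: [400]`, the 920160-1 to 920160-3 outputs still assert only the response status and never `log_contains: id "920160"`, so these cases pass whether or not the rule fires, even though the file description says they are tests to trigger rule 920160. If the 400 comes from the web server rather than from CRS, say so in the per-test comment, as the 920100 tests do; otherwise add the log assertion next to the status list.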
@ -41,13 +37,11 @@
protocol: "http"
uri: "/"
output:
status: 400
-
# Mixed digit and non digit content length
status: [400]
- # Mixed digit and non digit content length
test_title: 920160-3
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
@ -60,14 +54,12 @@
protocol: "http"
uri: "/"
output:
status: 400
-
# Apache auto corrects for this error now so the log should not contain anything
status: [400]
- # Apache auto corrects for this error now so the log should not contain anything
test_title: 920160-4
desc: Content-Length HTTP header is not numeric (920160) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -86,14 +78,12 @@
version: HTTP/1.0
data: abc
output:
status: 200
status: [200]
no_log_contains: id "920160"
-
test_title: 920160-5
- test_title: 920160-5
desc: Content-Length HTTP header is not numeric (920160) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:

View file

@ -5,12 +5,10 @@
name: "920170.yaml"
description: "A Selection of tests to trigger rule 920170"
tests:
-
# POST Request with data (valid)
- # POST Request with data (valid)
test_title: 920170-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
@ -23,12 +21,10 @@
uri: "/"
output:
no_log_contains: "id \"920170\""
-
# GET request with data
- # GET request with data
test_title: 920170-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
@ -41,12 +37,10 @@
uri: "/"
output:
log_contains: "id \"920170\""
-
# Head Request with data
- # Head Request with data
test_title: 920170-3
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "HEAD"
@ -59,13 +53,11 @@
uri: "/"
output:
log_contains: "id \"920170\""
-
# GET Request but content length is 0 and data is provided
- # GET Request but content length is 0 and data is provided
# Weird HTTP 1.0 support bug in Apache, without newline causes 408
test_title: 920170-5
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
@ -81,12 +73,10 @@
uri: "/"
output:
no_log_contains: "id \"920170\""
-
# GET request with content length 0 and no data.
- # GET request with content length 0 and no data.
test_title: 920170-6
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
@ -101,12 +91,10 @@
uri: "/"
output:
no_log_contains: "id \"920170\""
-
test_title: 920170-7
- test_title: 920170-7
desc: GET or HEAD Request with Body Content (920170) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:

View file

@ -5,11 +5,9 @@
name: "920180.yaml"
description: "Description"
tests:
-
test_title: 920180-1
- test_title: 920180-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
@ -24,11 +22,9 @@
uri: "/"
output:
log_contains: id "920180"
-
test_title: 920180-2
- test_title: 920180-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "POST"
@ -42,12 +38,10 @@
uri: "/"
output:
no_log_contains: id "920180"
-
test_title: 920180-3
- test_title: 920180-3
desc: POST request missing Content-Length Header (920180) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -65,12 +59,10 @@
version: HTTP/1.0
output:
log_contains: id "920180"
-
test_title: 920180-4
- test_title: 920180-4
desc: Ignore check of CT header if protocol is HTTP/2
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:

View file

@ -5,11 +5,9 @@
name: "920181.yaml"
description: "Description"
tests:
-
test_title: 920181-1
- test_title: 920181-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -22,12 +20,12 @@
Content-Type: "application/x-www-form-urlencoded"
Transfer-Encoding: "chunked"
User-Agent: "ModSecurity CRS 3 Tests"
data:
- "7"
- "foo=bar"
- "0"
- ""
- ""
data: |
7
foo=bar
0
stop_magic: true
output:
# Apache unsets the Content-Length header if
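Review bot: The old list ended the chunked body with `"0"` followed by two empty elements, that is, the zero-length chunk plus the empty line that terminates it; in the new `data: |` block nothing follows `0`. A literal block scalar with default chomping keeps only a single trailing line break, so trailing blank lines cannot carry that terminator, and `stop_magic: true` suggests the body is sent as written. If the terminating empty line matters for this test, use `|+` or keep the list form, and add a comment stating which bytes are expected on the wire.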

View file

@ -5,11 +5,9 @@
name: "920190.yaml"
description: "Description"
tests:
-
test_title: 920190-1
- test_title: 920190-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
@ -22,12 +20,10 @@
uri: "/"
output:
no_log_contains: id "920190"
-
test_title: 920190-2
- test_title: 920190-2
desc: 'Range: Invalid Last Byte Value (920190) from old modsec regressions'
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:

View file

@ -5,11 +5,9 @@
name: "920200.yaml"
description: "Description"
tests:
-
test_title: 920200-1
- test_title: 920200-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -19,12 +17,10 @@
Range: "bytes=1-10,11-20,21-30,31-40,41-50,51-60"
output:
log_contains: "id \"920200\""
-
# Sample taken from https://github.com/alienwithin/php-utilities/blob/master/apache-byte-range-server-dos/apache_byte_range_server_dos.php
- # Sample taken from https://github.com/alienwithin/php-utilities/blob/master/apache-byte-range-server-dos/apache_byte_range_server_dos.php
test_title: 920200-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -34,11 +30,9 @@
Request-Range: "bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10,11-11"
output:
log_contains: "id \"920200\""
-
test_title: 920200-3
- test_title: 920200-3
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -48,11 +42,9 @@
Range: "bytes=1-10, 11-20, 21-30, 31-40, 41-50"
output:
no_log_contains: "id \"920200\""
-
test_title: 920200-4
- test_title: 920200-4
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -62,11 +54,9 @@
Range: "bytes=-10,-, 21-30,31-40,41-50,51-500,"
output:
log_contains: "id \"920200\""
-
test_title: 920200-5
- test_title: 920200-5
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -76,12 +66,10 @@
Range: "bytes=1-,11-20, 21-30,31-40,41-50,51-500"
output:
log_contains: "id \"920200\""
-
test_title: 920200-6
- test_title: 920200-6
desc: 'Range: Too many fields (920200) from old modsec regressions'
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -100,12 +88,10 @@
version: HTTP/1.1
output:
log_contains: id "920200"
-
test_title: 920200-7
- test_title: 920200-7
desc: This should PASS (PL2)
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -117,12 +103,10 @@
uri: /index.html
output:
no_log_contains: id "920200"
-
test_title: 920200-8
- test_title: 920200-8
desc: "This should FAIL with rule 920200 (PL2)"
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -134,12 +118,10 @@
uri: /index.html
output:
log_contains: id "920200"
-
test_title: 920200-9
- test_title: 920200-9
desc: This should PASS (PL2)
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -151,12 +133,10 @@
uri: /index.pdf
output:
no_log_contains: id "920200"
-
test_title: 920200-10
- test_title: 920200-10
desc: This should PASS (PL2)
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:

View file

@ -5,12 +5,10 @@
name: "920201.yaml"
description: "Tests for 920201"
tests:
-
test_title: 920201-1
- test_title: 920201-1
desc: This should FAIL with rule 920201 (PL2)
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:

View file

@ -5,12 +5,10 @@
name: "920202.yaml"
description: "Tests for 920202"
tests:
-
test_title: 920202-1
- test_title: 920202-1
desc: This should FAIL with rule 920202 (PL4)
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:

View file

@ -5,11 +5,9 @@
name: "920210.yaml"
description: "Tests that trigger rule 920210"
tests:
-
test_title: 920210-1
- test_title: 920210-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -19,11 +17,9 @@
Connection: "keep-alive"
output:
no_log_contains: "id \"920210\""
-
test_title: 920210-2
- test_title: 920210-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -33,11 +29,9 @@
Connection: "keep-alive,keep-alive"
output:
log_contains: "id \"920210\""
-
test_title: 920210-3
- test_title: 920210-3
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -47,11 +41,9 @@
Connection: "keep-alive,close"
output:
log_contains: "id \"920210\""
-
test_title: 920210-4
- test_title: 920210-4
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -61,11 +53,9 @@
Connection: "close,close"
output:
log_contains: "id \"920210\""
-
test_title: 920210-5
- test_title: 920210-5
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -75,13 +65,10 @@
Connection: "User-Agent"
output:
no_log_contains: "id \"920210\""
-
test_title: 920210-6
desc: Multiple/Conflicting Connection Header Data Found (920210) from old modsec
regressions
- test_title: 920210-6
desc: Multiple/Conflicting Connection Header Data Found (920210) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -99,13 +86,10 @@
version: HTTP/1.1
output:
log_contains: id "920210"
-
test_title: 920210-7
desc: Multiple/Conflicting Connection Header Data Found (920210) from old modsec
regressions
- test_title: 920210-7
desc: Multiple/Conflicting Connection Header Data Found (920210) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:

View file

@ -5,12 +5,10 @@
name: "920220.yaml"
description: "Tests to trigger rule 920220"
tests:
-
# This gets a percent but not a number after, invalid
- # This gets a percent but not a number after, invalid
test_title: 920220-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -20,12 +18,10 @@
Host: "localhost"
output:
log_contains: "id \"920220\""
-
# We have a valid percent encoding here
- # We have a valid percent encoding here
test_title: 920220-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -35,12 +31,10 @@
Host: "localhost"
output:
no_log_contains: "id \"920220\""
-
# url encoding includes spaces as plusses, this is valid
- # url encoding includes spaces as plusses, this is valid
test_title: 920220-3
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -50,12 +44,10 @@
Host: "localhost"
output:
no_log_contains: "id \"920220\""
-
# testURL Encoding Abuse Attack Attempt from old modsec regressions
- # testURL Encoding Abuse Attack Attempt from old modsec regressions
test_title: 920220-4
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -65,12 +57,10 @@
Host: "localhost"
output:
log_contains: "id \"920220\""
-
# testURL Encoding Abuse Attack Attempt from old modsec regressions
- # testURL Encoding Abuse Attack Attempt from old modsec regressions
test_title: 920220-5
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80

View file

@ -5,12 +5,10 @@
name: "920230.yaml"
description: "Description"
tests:
-
# From old modsec regression tests
- # From old modsec regression tests
test_title: 920230-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -25,12 +23,10 @@
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920230\""
-
# From old modsec regression tests
- # From old modsec regression tests
test_title: 920230-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80

View file

@ -5,11 +5,9 @@
name: "920240.yaml"
description: "Description"
tests:
-
test_title: 920240-1
- test_title: 920240-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -23,11 +21,9 @@
stop_magic: true
output:
log_contains: "id \"920240\""
-
test_title: 920240-2
- test_title: 920240-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -41,11 +37,9 @@
stop_magic: true
output:
no_log_contains: "id \"920240\""
-
test_title: 920240-3
- test_title: 920240-3
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -57,13 +51,10 @@
data: "param=value"
output:
no_log_contains: "id \"920240\""
-
# We have a valid percent encoding here
- # We have a valid percent encoding here
test_title: 920240-4
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -77,23 +68,21 @@
Keep-Alive: "300"
Proxy-Connection: "keep-alive"
Content-Type: "text/xml"
data:
- "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">"
- " <SOAP-ENV:Body>"
- " <xkms:StatusRequest xmlns:xkms=\"http://www.w3.org/2002/03/xkms#\" Id=\"_6ee48478-fdd6-4d7d-b1bf-e7b4c3254659\" ResponseId=\"_c1c36b3f-f962-4aea-bfbd-07ed58468c9b\" Service=\"http://www.soapclient.com/xml/xkms2\">"
- " <xkms:ResponseMechanism>http://www.w3.org/2002/03/xkms#Pending</xkms:ResponseMechanism>"
- " <xkms:RespondWith>%1Gwww.attack.org</xkms:RespondWith>"
- " </xkms:StatusRequest>"
- " </SOAP-ENV:Body>"
- "</SOAP-ENV:Envelope>"
data: |
<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">
<SOAP-ENV:Body>
<xkms:StatusRequest xmlns:xkms=\"http://www.w3.org/2002/03/xkms#\" Id=\"_6ee48478-fdd6-4d7d-b1bf-e7b4c3254659\" ResponseId=\"_c1c36b3f-f962-4aea-bfbd-07ed58468c9b\" Service=\"http://www.soapclient.com/xml/xkms2\">
<xkms:ResponseMechanism>http://www.w3.org/2002/03/xkms#Pending</xkms:ResponseMechanism>
<xkms:RespondWith>%1Gwww.attack.org</xkms:RespondWith>
</xkms:StatusRequest>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
output:
no_log_contains: "id \"920240\""
-
# test URL Encoding Abuse Attack Attempt from old regression tests
- # test URL Encoding Abuse Attack Attempt from old regression tests
test_title: 920240-5
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
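Review bot: The `\"` sequences in the SOAP payload were escapes inside the old double-quoted list items, but inside the new `data: |` literal block a backslash is an ordinary character, so attributes such as `xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"` are now sent with literal backslashes and the body is no longer well-formed XML. The test asserts only `no_log_contains: "id \"920240\""`, so it would not catch the difference. Suggest removing the backslashes so the block scalar reproduces the original body.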
@ -112,12 +101,10 @@
stop_magic: true
output:
log_contains: "id \"920240\""
-
# test URL Encoding Abuse Attack Attempt from old regression tests
- # test URL Encoding Abuse Attack Attempt from old regression tests
test_title: 920240-6
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80

View file

@ -5,13 +5,11 @@
name: "920250.yaml"
description: "Description"
tests:
-
# crs-setup.conf needs to have CRS_VALIDATE_UTF8_ENCODING set
- # crs-setup.conf needs to have CRS_VALIDATE_UTF8_ENCODING set
# Taken from existing modsec regression
test_title: 920250-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -26,12 +24,10 @@
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920250\""
-
# Taken from existing modsec regression
- # Taken from existing modsec regression
test_title: 920250-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -46,12 +42,10 @@
Proxy-Connection: "keep-alive"
output:
log_contains: "id \"920250\""
-
# Taken from existing modsec regression
- # Taken from existing modsec regression
test_title: 920250-3
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80

View file

@ -5,11 +5,9 @@
name: "920260.yaml"
description: "Description"
tests:
-
test_title: 920260-1
- test_title: 920260-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -19,11 +17,9 @@
Host: "localhost"
output:
log_contains: "id \"920260\""
-
test_title: 920260-2
- test_title: 920260-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -33,12 +29,10 @@
Host: "localhost"
output:
no_log_contains: "id \"920260\""
-
# Test taken from existing modsec regression
- # Test taken from existing modsec regression
test_title: 920260-3
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80

View file

@ -5,11 +5,9 @@
name: "920270.yaml"
description: "Description"
tests:
-
test_title: 920270-1
- test_title: 920270-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -19,11 +17,9 @@
Host: "localhost"
output:
log_contains: "id \"920270\""
-
test_title: 920270-2
- test_title: 920270-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -33,11 +29,9 @@
Host: "localhost"
output:
log_contains: "id \"920270\""
-
test_title: 920270-3
- test_title: 920270-3
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -47,13 +41,11 @@
Host: "localhost"
output:
log_contains: "id \"920270\""
-
# This causes apache to error before it gets to CRS. Therefore
- # This causes apache to error before it gets to CRS. Therefore
# we'll mark this as a status 400 now until the FTW OR output is added
test_title: 920270-4
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -64,11 +56,9 @@
output:
status: [403, 400]
# log_contains: "id \"920270\""
-
test_title: 920270-5
- test_title: 920270-5
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -79,11 +69,9 @@
Referer: "anything%00"
output:
log_contains: "id \"920270\""
-
test_title: 920270-6
- test_title: 920270-6
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -93,11 +81,9 @@
Host: "localhost"
output:
no_log_contains: "id \"920270\""
-
test_title: 920270-7
- test_title: 920270-7
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -107,11 +93,9 @@
Host: "localhost"
output:
no_log_contains: "id \"920270\""
-
test_title: 920270-8
- test_title: 920270-8
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -121,12 +105,10 @@
Host: "localhost"
output:
no_log_contains: "id \"920270\""
-
# Test converted from old tests
- # Test converted from old tests
test_title: 920270-9
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80

View file

@ -5,11 +5,9 @@
name: "920271.yaml"
description: "Description"
tests:
-
test_title: 920271-1
- test_title: 920271-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -19,11 +17,9 @@
Host: "localhost"
output:
log_contains: "id \"920271\""
-
test_title: 920271-2
- test_title: 920271-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -33,11 +29,9 @@
Host: "localhost"
output:
log_contains: "id \"920271\""
-
test_title: 920271-3
- test_title: 920271-3
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -47,11 +41,9 @@
Host: "localhost"
output:
log_contains: "id \"920271\""
-
test_title: 920271-4
- test_title: 920271-4
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -62,11 +54,9 @@
Cookie: hi%13=bye
output:
log_contains: "id \"920271\""
-
test_title: 920271-5
- test_title: 920271-5
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -76,11 +66,9 @@
Host: "localhost"
output:
no_log_contains: "id \"920271\""
-
test_title: 920271-6
- test_title: 920271-6
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80

View file

@ -5,11 +5,9 @@
name: "920272.yaml"
description: "Description"
tests:
-
test_title: 920272-1
- test_title: 920272-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -19,11 +17,9 @@
Host: "localhost"
output:
log_contains: "id \"920272\""
-
test_title: 920272-2
- test_title: 920272-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -33,11 +29,9 @@
Host: "localhost"
output:
log_contains: "id \"920272\""
-
test_title: 920272-3
- test_title: 920272-3
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -47,11 +41,9 @@
Host: "localhost"
output:
log_contains: "id \"920272\""
-
test_title: 920272-4
- test_title: 920272-4
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -61,13 +53,10 @@
Host: "localhost"
output:
no_log_contains: "id \"920272\""
-
# This will not trigger with Apache because Apache will block with AH00127
#(22)Invalid argument: [client 127.0.0.1:47427] AH00127: Cannot map GET /i%FFndex.html?test=test1 HTTP/1.1 to file. It will return a 404 instead so we accept either.
- # This will not trigger with Apache because Apache will block with AH00127
test_title: 920272-5
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
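
Review bot: the rewritten comment on 920272-5 drops the second line of the old comment, which held the actual Apache message (AH00127 "Cannot map GET /i%FFndex.html?test=test1 HTTP/1.1 to file") and the reason the test is lenient ("It will return a 404 instead so we accept either"). Keep a short form of that sentence next to the test, otherwise the next person to touch this file has no way to tell why more than one outcome is accepted on Apache.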

View file

@ -5,11 +5,9 @@
name: "920273.yaml"
description: "Description"
tests:
-
test_title: 920273-1
- test_title: 920273-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -19,12 +17,10 @@
Host: "localhost"
output:
log_contains: "id \"920273\""
-
# the '&' is one of the only symbol allowed
- # the '&' is one of the only symbol allowed
test_title: 920273-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -34,11 +30,9 @@
Host: "localhost"
output:
no_log_contains: "id \"920273\""
-
test_title: 920273-3
- test_title: 920273-3
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -49,11 +43,9 @@
data: "<hello"
output:
log_contains: "id \"920273\""
-
test_title: 920273-4
- test_title: 920273-4
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -63,11 +55,9 @@
Host: "localhost"
output:
no_log_contains: "id \"920273\""
-
test_title: 920273-5
- test_title: 920273-5
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80

View file

@ -5,15 +5,13 @@
name: "920274.yaml"
description: "Description"
tests:
-
# Apache will just error on this and return 400
- # Apache will just error on this and return 400
# as a result we look for forbidden or 400
# In the future FTW should support OR versus AND output
# https://github.com/CRS-support/ftw/issues/19
test_title: 920274-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -24,11 +22,9 @@
output:
status: [200, 403, 400]
# log_contains: "id \"920274\""
-
test_title: 920274-2
- test_title: 920274-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
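
Review bot: in the context at the top of this hunk, 920274-1 asserts only `status: [200, 403, 400]` with `log_contains` commented out, while the file's own comment says "we look for forbidden or 400". With 200 in the list the test passes whether or not the request is blocked, so it no longer checks anything about rule 920274. Since this file is being reworked anyway, either drop 200 from the list or say in the comment why 200 has to be accepted.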
@ -38,11 +34,9 @@
Host: "localhost"
output:
no_log_contains: "id \"920274\""
-
test_title: 920274-3
- test_title: 920274-3
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -53,11 +47,9 @@
Test: "ThisISATEST%5F"
output:
no_log_contains: "id \"920274\""
-
test_title: 920274-4
- test_title: 920274-4
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -68,11 +60,9 @@
Test: "ThisIsATest%60"
output:
log_contains: "id \"920274\""
-
test_title: 920274-5
- test_title: 920274-5
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80

View file

@ -5,11 +5,9 @@
name: "920280.yaml"
description: "Description"
tests:
-
test_title: 920280-1
- test_title: 920280-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -18,11 +16,9 @@
User-Agent: "ModSecurity CRS 3 Tests"
output:
log_contains: "id \"920280\""
-
test_title: 920280-2
- test_title: 920280-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -31,11 +27,9 @@
Host: "localhost"
output:
no_log_contains: "id \"920280\""
-
test_title: 920280-3
- test_title: 920280-3
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -44,4 +38,4 @@
User-Agent: "ModSecurity CRS 3 Tests"
output:
# Technically valid but Apache doesn't allow 0.9 anymore
status: 400
status: [400]

View file

@ -5,14 +5,12 @@
name: "920290.yaml"
description: "Description"
tests:
-
# Apache will block this with a 400 and it will
- # Apache will block this with a 400 and it will
# never get to CRS. We will fix this more when
# FTW supports the OR operator for outputs.
test_title: 920290-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -21,31 +19,3 @@
Host: ""
output:
status: [403, 400]
#log_contains: "id \"920290\""
#-
#test_title: 920290-2
#stages:
# -
# stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "%00"
# output:
# no_log_contains: "id \"920290\""
# -
# test_title: 920290-3
# stages:
# -
# stage:
# input:
# dest_addr: "127.0.0.1"
# port: 80
# headers:
# User-Agent: "ModSecurity CRS 3 Tests"
# Host: "localhost"
# output:
# no_log_contains: "id \"920290\""
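
Review bot: deleting the commented-out 920290-2 and 920290-3 leaves 920290-1 as the only test visible in this file, and its single assertion is `status: [403, 400]`; the header comment says Apache answers 400 before the request reaches CRS. Nothing here then checks that rule 920290 fires, or that it stays quiet for `Host: "localhost"`. If the two negative cases cannot be made to work with the current runner, record that in the remaining comment instead of removing them without trace.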

View file

@ -5,12 +5,10 @@
enabled: true
name: 920300.yaml
tests:
-
test_title: 920300-1
- test_title: 920300-1
desc: Request Missing an Accept Header (920300) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:

View file

@ -5,11 +5,9 @@
name: "920310.yaml"
description: "Description"
tests:
-
test_title: 920310-1
- test_title: 920310-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -19,11 +17,9 @@
Accept: ""
output:
log_contains: "id \"920310\""
-
test_title: 920310-2
- test_title: 920310-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -34,11 +30,9 @@
Accept: ""
output:
no_log_contains: "id \"920310\""
-
test_title: 920310-3
- test_title: 920310-3
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -48,11 +42,9 @@
Accept: ""
output:
no_log_contains: "id \"920310\""
-
test_title: 920310-4
- test_title: 920310-4
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -62,12 +54,9 @@
Accept: ""
output:
log_contains: "id \"920310\""
-
test_title: 920310-5
- test_title: 920310-5
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -77,11 +66,9 @@
Accept: ""
output:
no_log_contains: "id \"920310\""
-
test_title: 920310-6
- test_title: 920310-6
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80

View file

@ -5,11 +5,9 @@
name: "920311.yaml"
description: "Description"
tests:
-
test_title: 920311-1
- test_title: 920311-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -18,11 +16,9 @@
Accept: ""
output:
log_contains: "id \"920311\""
-
test_title: 920311-2
- test_title: 920311-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -32,11 +28,9 @@
Accept: ""
output:
no_log_contains: "id \"920311\""
-
test_title: 920311-3
- test_title: 920311-3
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80

View file

@ -5,11 +5,9 @@
name: "920320.yaml"
description: "Description"
tests:
-
test_title: 920320-1
- test_title: 920320-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -17,11 +15,9 @@
Host: "localhost"
output:
log_contains: "id \"920320\""
-
test_title: 920320-2
- test_title: 920320-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80

View file

@ -5,11 +5,9 @@
name: "920320.yaml"
description: "Description"
tests:
-
test_title: 920330-1
- test_title: 920330-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
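
Review bot: the `meta` block in this file still reads `name: "920320.yaml"` although every test in it is titled 920330-N and asserts on `id "920330"`. It looks like a copy-paste leftover from the previous file; correct it to the 920330 file name in this change so that reports keyed on `meta.name` do not merge the two rule files.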
@ -18,11 +16,9 @@
Host: "localhost"
output:
log_contains: "id \"920330\""
-
test_title: 920330-2
- test_title: 920330-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80

View file

@ -5,11 +5,9 @@
name: "920340.yaml"
description: "Description"
tests:
-
test_title: 920340-1
- test_title: 920340-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -21,11 +19,9 @@
stop_magic: true
output:
log_contains: "id \"920340\""
-
test_title: 920340-2
- test_title: 920340-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80

View file

@ -5,11 +5,9 @@
name: "920350.yaml"
description: "Description"
tests:
-
test_title: 920350-1
- test_title: 920350-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
@ -21,11 +19,9 @@
uri: "/"
output:
log_contains: "id \"920350\""
-
test_title: 920350-2
- test_title: 920350-2
stages:
-
stage:
- stage:
input:
dest_addr: "localhost"
method: "GET"
@ -37,11 +33,9 @@
uri: "/"
output:
no_log_contains: "id \"920350\""
-
test_title: 920350-3
- test_title: 920350-3
stages:
-
stage:
- stage:
input:
dest_addr: "localhost"
method: "GET"

View file

@ -6,12 +6,10 @@
enabled: false
name: 920360.yaml
tests:
-
test_title: 920360-1
- test_title: 920360-1
desc: Argument name too long (920360) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:

View file

@ -6,12 +6,10 @@
enabled: false
name: 920370.yaml
tests:
-
test_title: 920370-1
- test_title: 920370-1
desc: Argument value too long (920370) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:

View file

@ -6,23 +6,20 @@
enabled: false
name: 920380.yaml
tests:
-
test_title: 920380-1
- test_title: 920380-1
desc: Too many arguments in request (920380) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Host: localhost
Keep-Alive: '300'
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
User-Agent: OWASP ModSecurity Core Rule Set
method: GET
port: 80
uri: /?param1=1&param2=1&param3=1&param4=1&param5=1&param6=1&param7=1&param8=1&param9=1&param10=1&param11=1&param12=1&param13=1&param14=1&param15=1&param16=1&param17=1&param18=1&param19=1&param20=1&param21=1&param22=1&param23=1&param24=1&param25=1&param26=1&param27=1&param28=1&param29=1&param30=1&param31=1&param32=1&param33=1&param34=1&param35=1&param36=1&param37=1&param38=1&param39=1&param40=1&param41=1&param42=1&param43=1&param44=1&param45=1&param46=1&param47=1&param48=1&param49=1&param50=1&param51=1&param52=1&param53=1&param54=1&param55=1&param56=1&param57=1&param58=1&param59=1&param60=1&param61=1&param62=1&param63=1&param64=1&param65=1&param66=1&param67=1&param68=1&param69=1&param70=1&param71=1&param72=1&param73=1&param74=1&param75=1&param76=1&param77=1&param78=1&param79=1&param80=1&param81=1&param82=1&param83=1&param84=1&param85=1&param86=1&param87=1&param88=1&param89=1&param90=1&param91=1&param92=1&param93=1&param94=1&param95=1&param96=1&param97=1&param98=1&param99=1&param100=1&param101=1&param102=1&param103=1&param104=1&param105=1&param106=1&param107=1&param108=1&param109=1&param110=1&param111=1&param112=1&param113=1&param114=1&param115=1&param116=1&param117=1&param118=1&param119=1&param120=1&param121=1&param122=1&param123=1&param124=1&param125=1&param126=1&param127=1&param128=1&param129=1&param130=1&param131=1&param132=1&param133=1&param134=1&param135=1&param136=1&param137=1&param138=1&param139=1&param140=1&param141=1&param142=1&param143=1&param144=1&param145=1&param146=1&param147=1&param148=1&param149=1&param150=1&param151=1&param152=1&param153=1&param154=1&param155=1&param156=1&param157=1&param158=1&param159=1&param160=1&param161=1&param162=1&param163=1&param164=1&param165=1&param166=1&param167=1&param168=1&param169=1&param170=1&param171=1&param172=1&param173=1&param174=1&param175=1&param176=1&param177=1&param178=1&param179=1&param180=1&param181=1&param182=1&param183=1&param184=1&param185=1&param186=1&param187=1&param188=1&param189=1&param190=1&param191=1&
param192=1&param193=1&param194=1&param195=1&param196=1&param197=1&param198=1&param199=1&param200=1&param201=1&param202=1&param203=1&param204=1&param205=1&param206=1&param207=1&param208=1&param209=1&param210=1&param211=1&param212=1&param213=1&param214=1&param215=1&param216=1&param217=1&param218=1&param219=1&param220=1&param221=1&param222=1&param223=1&param224=1&param225=1&param226=1&param227=1&param228=1&param229=1&param230=1&param231=1&param232=1&param233=1&param234=1&param235=1&param236=1&param237=1&param238=1&param239=1&param240=1&param241=1&param242=1&param243=1&param244=1&param245=1&param246=1&param247=1&param248=1&param249=1&param250=1&param251=1&param252=1&param253=1&param254=1&param255=1&param256=1
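
Review bot: the file keeps `enabled: false` (first context line), so neither the new `User-Agent: OWASP ModSecurity Core Rule Set` value nor the 256-parameter URI is exercised by the regression run. Replacing the truncated `Mozilla/5.0 (Windows; U; ... rv` value is a good cleanup, but please add a comment stating why 920380 is disabled, or enable it, so the test does not sit in the tree unverified.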

View file

@ -6,12 +6,10 @@
enabled: false
name: 920390.yaml
tests:
-
test_title: 920390-1
- test_title: 920390-1
desc: Total arguments size exceeded (920390) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:

View file

@ -5,12 +5,10 @@
enabled: true
name: 920400.yaml
tests:
-
test_title: 920400-1
- test_title: 920400-1
desc: Uploaded file size too large (920400) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -29,22 +27,22 @@
port: 80
uri: /
version: HTTP/1.1
data:
- '-----------------------------265001916915724'
- 'Content-Disposition: form-data; name="file"; filename="test"'
- 'Content-Type: application/octet-stream'
- ''
- Rotem & Ayala
- ''
- '-----------------------------265001916915724'
- 'Content-Disposition: form-data; name="name"'
- ''
- tt2
- '-----------------------------265001916915724'
- 'Content-Disposition: form-data; name="B1"'
- ''
- Submit
- '-----------------------------265001916915724--'
data: |
-----------------------------265001916915724
Content-Disposition: form-data; name="file"; filename="test"
Content-Type: application/octet-stream
Rotem & Ayala
-----------------------------265001916915724
Content-Disposition: form-data; name="name"
tt2
-----------------------------265001916915724
Content-Disposition: form-data; name="B1"
Submit
-----------------------------265001916915724--
output:
# Most web servers simply won't respond to invalid requests like
# like this they'll just time out when we get OR type checks
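
Review bot: moving `data` from a list to a literal block (`data: |`) changes the bytes on the wire unless the runner normalises line endings. With the list form the separator between items was the runner's choice; a literal block yields bare LF, while multipart/form-data boundaries and part headers are CRLF-delimited. Please confirm that go-ftw sends this body with CRLF, otherwise 920400-1 may end up exercising the multipart parser's tolerance for LF instead of the upload-size rule. The same question applies to the three 920420 bodies converted the same way. The trailing comment in the context also reads "requests like / like this" and could lose the doubled word while the file is open.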

View file

@ -81,21 +81,21 @@ tests:
port: 80
uri: /
version: HTTP/1.1
data:
- --0000
- 'Content-Disposition: form-data; name="name"'
- ''
- John Smith
- --0000
- 'Content-Disposition: form-data; name="email"'
- ''
- john.smith@example.com
- --0000
- 'Content-Disposition: form-data; name="image"; filename="image.jpg"'
- 'Content-Type: image/jpeg'
- ''
- BINARYDATA
- --0000--
data: |
--0000
Content-Disposition: form-data; name="name"
John Smith
--0000
Content-Disposition: form-data; name="email"
john.smith@example.com
--0000
Content-Disposition: form-data; name="image"; filename="image.jpg"
Content-Type: image/jpeg
BINARYDATA
--0000--
output:
log_contains: id "920420"
- test_title: 920420-6
@ -118,21 +118,21 @@ tests:
port: 80
uri: /
version: HTTP/1.1
data:
- --0000
- 'Content-Disposition: form-data; name="name"'
- ''
- John Smith
- --0000
- 'Content-Disposition: form-data; name="email"'
- ''
- john.smith@example.com
- --0000
- 'Content-Disposition: form-data; name="image"; filename="image.jpg"'
- 'Content-Type: image/jpeg'
- ''
- BINARYDATA
- --0000--
data: |
--0000
Content-Disposition: form-data; name="name"
John Smith
--0000
Content-Disposition: form-data; name="email"
john.smith@example.com
--0000
Content-Disposition: form-data; name="image"; filename="image.jpg"
Content-Type: image/jpeg
BINARYDATA
--0000--
output:
log_contains: id "920420"
- test_title: 920420-7
@ -155,21 +155,21 @@ tests:
port: 80
uri: /
version: HTTP/1.1
data:
- --0000
- 'Content-Disposition: form-data; name="name"'
- ''
- John Smith
- --0000
- 'Content-Disposition: form-data; name="email"'
- ''
- john.smith@example.com
- --0000
- 'Content-Disposition: form-data; name="image"; filename="image.jpg"'
- 'Content-Type: image/jpeg'
- ''
- BINARYDATA
- --0000--
data: |
--0000
Content-Disposition: form-data; name="name"
John Smith
--0000
Content-Disposition: form-data; name="email"
john.smith@example.com
--0000
Content-Disposition: form-data; name="image"; filename="image.jpg"
Content-Type: image/jpeg
BINARYDATA
--0000--
output:
log_contains: id "920420"
- test_title: 920420-8

View file

@ -5,11 +5,9 @@
name: "920430.yaml"
description: "Description"
tests:
-
test_title: 920430-1
- test_title: 920430-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -19,11 +17,9 @@
Host: "localhost"
output:
no_log_contains: "id \"920430\""
-
test_title: 920430-2
- test_title: 920430-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -33,11 +29,9 @@
Host: "localhost"
output:
no_log_contains: "id \"920430\""
-
test_title: 920430-3
- test_title: 920430-3
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -48,11 +42,9 @@
output:
status: [403, 400]
# log_contains: "id \"920430\""
-
test_title: 920430-4
- test_title: 920430-4
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -62,14 +54,12 @@
Host: "localhost"
output:
no_log_contains: "id \"920430\""
-
# Currently FTW won't process HTTP 1.0 simple response items
- # Currently FTW won't process HTTP 1.0 simple response items
# This request generates such a response, so even though it will
# generate the alert, it will error.
test_title: 920430-5
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -79,11 +69,9 @@
Host: "localhost"
output:
expect_error: true
-
test_title: 920430-6
- test_title: 920430-6
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -94,11 +82,9 @@
output:
status: [403, 400]
# log_contains: "id \"920430\""
-
test_title: 920430-7
- test_title: 920430-7
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -109,13 +95,10 @@
output:
status: [403, 400]
# log_contains: "id \"920430\""
-
test_title: 920430-8
- test_title: 920430-8
desc: HTTP protocol version is not allowed by policy (920430) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -133,13 +116,10 @@
version: HTTP/3.0
output:
log_contains: id "920430"
-
test_title: 920430-9
- test_title: 920430-9
desc: HTTP protocol version is not allowed by policy (920430) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -157,13 +137,10 @@
version: HTTP/0.8
output:
status: [403, 400]
#log_contains: id "920430"
-
test_title: 920430-10
- test_title: 920430-10
desc: HTTP protocol version is not allowed by policy (920430) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:

View file

@ -26,7 +26,6 @@ tests:
version: HTTP/1.1
output:
log_contains: id "920440"
- test_title: 920440-2
desc: URL file extension is restricted by policy (920440) from old modsec regressions
stages:

View file

@ -5,11 +5,9 @@
name: "920450.yaml"
description: "Description"
tests:
-
test_title: 920450-1
- test_title: 920450-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -19,11 +17,9 @@
Content-range: "test"
output:
log_contains: "id \"920450\""
-
test_title: 920450-2
- test_title: 920450-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -33,11 +29,9 @@
If: "test"
output:
log_contains: "id \"920450\""
-
test_title: 920450-3
- test_title: 920450-3
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -47,13 +41,10 @@
lock-token: "test"
output:
log_contains: "id \"920450\""
-
test_title: 920450-4
- test_title: 920450-4
desc: HTTP header is restricted by policy (920450) from old modsec regressions, we no longer block proxy-connection in 3.0
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -70,13 +61,10 @@
version: HTTP/1.1
output:
no_log_contains: id "920450"
-
test_title: 920450-5
- test_title: 920450-5
desc: HTTP header is restricted by policy (920450) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -94,12 +82,9 @@
version: HTTP/1.1
output:
log_contains: id "920450"
-
test_title: 920450-6
- test_title: 920450-6
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -109,12 +94,9 @@
Range: "test"
output:
no_log_contains: "id \"920450\""
-
test_title: 920450-7
- test_title: 920450-7
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -126,12 +108,9 @@
Accept-Charset: UTF-8
output:
log_contains: "id \"920450\""
-
test_title: 920450-8
- test_title: 920450-8
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80

View file

@ -5,11 +5,9 @@
name: "920460.yaml"
description: "Description"
tests:
-
test_title: 920460-1
- test_title: 920460-1
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -25,11 +23,9 @@
stop_magic: true
output:
log_contains: "id \"920460\""
-
test_title: 920460-2
- test_title: 920460-2
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -39,11 +35,9 @@
Host: "localhost"
output:
log_contains: "id \"920460\""
-
test_title: 920460-3
- test_title: 920460-3
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -53,11 +47,9 @@
Host: "localhost"
output:
log_contains: "id \"920460\""
-
test_title: 920460-4
- test_title: 920460-4
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
@ -67,11 +59,9 @@
Host: "localhost"
output:
no_log_contains: "id \"920460\""
-
test_title: 920460-5
- test_title: 920460-5
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80

View file

@ -0,0 +1,17 @@
---
meta:
author: "Andrea (theMiddle) Menin"
enabled: false
name: "920620.yaml"
description: "Tests for 920620"
tests:
- test_title: 920620-1
desc: Multiple Content-Type request headers
stages:
- stage:
input:
dest_addr: "127.0.0.1"
port: 80
encoded_request: "R0VUIC9nZXQgSFRUUC8xLjENCkhvc3Q6IGxvY2FsaG9zdA0KVXNlci1BZ2VudDogT1dBU1AgQ1JTIHRlc3QgYWdlbnQNCkFjY2VwdDogdGV4dC94bWwsYXBwbGljYXRpb24veG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCx0ZXh0L2h0bWw7cT0wLjksdGV4dC9wbGFpbjtxPTAuOCxpbWFnZS9wbmcsKi8qO3E9MC41DQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24NCkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veG1sDQoNCg=="
output:
log_contains: "id \"920620\""
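
Review bot: this new file is added with `enabled: false`, so the regression run gives no coverage for rule 920620 even though the changelog entry is a rule-set update. Say in a comment why it is disabled, or enable it. The `encoded_request` value is also opaque in review: add a short comment above it with the decoded request line and the two `Content-Type` headers (application/json, then application/xml) so a reader can see what "Multiple Content-Type request headers" means here without decoding the base64 by hand.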

View file

@ -5,12 +5,10 @@
enabled: true
name: 921110.yaml
tests:
-
test_title: 921110-1
- test_title: 921110-1
desc: "HTTP Response Splitting"
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -22,12 +20,10 @@
version: HTTP/1.0
output:
log_contains: id "921110"
-
test_title: 921110-2
- test_title: 921110-2
desc: "HTTP Response Splitting"
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -39,12 +35,10 @@
version: HTTP/1.0
output:
log_contains: id "921110"
-
test_title: 921110-3
- test_title: 921110-3
desc: "HTTP Response Splitting"
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -56,12 +50,10 @@
version: HTTP/1.0
output:
log_contains: id "921110"
-
test_title: 921110-4
- test_title: 921110-4
desc: "HTTP Response Splitting"
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -73,12 +65,10 @@
version: HTTP/1.0
output:
log_contains: id "921110"
-
test_title: 921110-5
- test_title: 921110-5
desc: "HTTP Response Splitting"
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -90,12 +80,10 @@
version: HTTP/1.0
output:
no_log_contains: id "921110"
-
test_title: 921110-6
- test_title: 921110-6
desc: HTTP Request Smuggling bypass with Content-Type text/plain
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -110,12 +98,10 @@
data: "barGET /a.html HTTP/1.1\r\nSomething: GET /b.html HTTP/1.1\r\nHost: foo.com\r\nUser-Agent: foo\r\nAccept: */*\r\n\r\n"
output:
log_contains: id "921110"
-
test_title: 921110-7
- test_title: 921110-7
desc: HTTP Request Smuggling with not supported HTTP versions such as HTTP/1.2
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -127,12 +113,10 @@
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F1.2
output:
log_contains: id "921110"
-
test_title: 921110-8
- test_title: 921110-8
desc: HTTP Request Smuggling with not supported HTTP versions such as HTTP/3
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:

View file

@ -5,18 +5,14 @@
enabled: true
name: 921120.yaml
tests:
-
test_title: 921120-1
- test_title: 921120-1
desc: HTTP response splitting (921120) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
*/*
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Host: localhost
@ -30,12 +26,10 @@
version: HTTP/1.1
output:
log_contains: id "921120"
-
test_title: 921120-2
- test_title: 921120-2
desc: "HTTP Response splitting attack"
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -49,12 +43,10 @@
version: HTTP/1.1
output:
log_contains: id "921120"
-
test_title: 921120-3
- test_title: 921120-3
desc: "Fix FP issue 1615. Header followed by word chars."
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:

View file

@ -5,18 +5,14 @@
enabled: true
name: 921130.yaml
tests:
-
test_title: 921130-1
- test_title: 921130-1
desc: HTTP response splitting (921130) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
*/*
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Host: localhost
@ -30,12 +26,10 @@
version: HTTP/1.1
output:
log_contains: id "921130"
-
test_title: 921130-2
- test_title: 921130-2
desc: "HTTP Response splitting attack: cookie data"
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -47,12 +41,10 @@
uri: "/"
output:
log_contains: id "921130"
-
test_title: 921130-3
- test_title: 921130-3
desc: HTTP Request Smuggling with not supported HTTP versions such as HTTP/1.2
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
@ -64,12 +56,10 @@
uri: /?arg1=GET%20http%3A%2F%2Fwww.foo.bar%20HTTP%2F1.2
output:
log_contains: id "921130"
-
test_title: 921130-4
- test_title: 921130-4
desc: HTTP Request Smuggling with not supported HTTP versions such as HTTP/3
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:

View file

@ -5,12 +5,10 @@
name: "921140.yaml"
description: "Tests for protocol based attacks"
tests:
-
test_title: 921140-1
- test_title: 921140-1
desc: "HTTP Header Injection Attack via headers"
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
@ -20,14 +18,12 @@
SomeHeader: "Headerdata\rInjectedHeader: response_splitting_code"
uri: "/"
output:
status: 400
status: [400]
no_log_contains: "id:921140"
-
test_title: 921140-2
- test_title: 921140-2
desc: "HTTP Header Injection Attack via headers"
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"

View file

@ -5,12 +5,10 @@
name: "921150.yaml"
description: "Tests for protocol based attacks"
tests:
-
test_title: 921150-1
- test_title: 921150-1
desc: "HTTP Header Injection Attack via payload"
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"

View file

@ -5,12 +5,10 @@
name: "921160.yaml"
description: "Tests for protocol based attacks"
tests:
-
test_title: 921160-1
- test_title: 921160-1
desc: "HTTP Header Injection Attack via payload: w/header, invalid line break, newlines after key"
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
@ -21,12 +19,10 @@
uri: "/script_rule921160.jsp?variableX=bar&variable2=Y&%0d%0Remote-addr%0d%0d%0d:%20foo.bar.com"
output:
log_contains: id "921160"
-
test_title: 921160-2
- test_title: 921160-2
desc: "HTTP Header Injection Attack via payload: w/header, correct line break, newlines after key"
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
@ -37,12 +33,10 @@
uri: "/script_rule921160.jsp?variableX=bar&variable2=Y&%0d%0aRemote-addr%0d%0d%0d:%20foo.bar.com"
output:
log_contains: id "921160"
-
test_title: 921160-3
- test_title: 921160-3
desc: "HTTP Header Injection Attack via payload: w/header"
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
@ -53,12 +47,10 @@
uri: "/script_rule921160.jsp?variableX=bar&variable2=Y&%0d%0aRemote-addr:%20foo.bar.com"
output:
log_contains: id "921160"
-
test_title: 921160-4
- test_title: 921160-4
desc: "HTTP Header Injection Attack via payload: w/header, attack explicitly in value rather than key"
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
@ -69,12 +61,10 @@
uri: "/script_rule921160.jsp?variableX=bar&variable2=%0d%0aRemote-addr:%20foo.bar.com"
output:
log_contains: id "921160"
-
test_title: 921160-5
- test_title: 921160-5
desc: "HTTP Header Injection Attack via payload: w/header, attack explicitly in key rather than value"
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"

View file

@ -5,8 +5,7 @@
enabled: true
name: 921190.yaml
tests:
-
test_title: 921190-1
- test_title: 921190-1
desc: "New line char in request filename (1)"
stages:
- stage:
@ -19,8 +18,7 @@
uri: "/foo%0Abar"
output:
log_contains: id "921190"
-
test_title: 921190-2
- test_title: 921190-2
desc: "New line char in request filename (2)"
stages:
- stage:
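Review bot: The desc "New line char in request filename (2)" on 921190-2 does not say what separates it from 921190-1. The URIs are `/foo%0Abar` in this hunk and `/foo%0abar` in the next one, so the only difference is the case of the hex digit. Suggest naming that in both descs (uppercase `%0A` and lowercase `%0a`), so a failure report shows which encoding variant the rule missed.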
@ -33,8 +31,7 @@
uri: "/foo%0abar"
output:
log_contains: id "921190"
-
test_title: 921190-3
- test_title: 921190-3
desc: "FastCGI variable injection: Nginx + PHP-FPM (CVE-2019-11043)"
stages:
- stage:
@ -47,8 +44,7 @@
uri: "/index.php/PHP%0Ainfo.php?QQQ"
output:
log_contains: id "921190"
-
test_title: 921190-4
- test_title: 921190-4
desc: "PHP Settings injection: Nginx + PHP-FPM (CVE-2019-11043)"
stages:
- stage:

View file

@ -5,8 +5,7 @@
enabled: true
name: 921200.yaml
tests:
-
test_title: 921200-1
- test_title: 921200-1
desc: "Testing for FP, this should not trigger"
stages:
- stage:
@ -21,8 +20,7 @@
uri: "/"
output:
no_log_contains: id "921200"
-
test_title: 921200-2
- test_title: 921200-2
desc: "Testing for FP, this should not trigger"
stages:
- stage:
@ -37,8 +35,7 @@
uri: "/"
output:
no_log_contains: id "921200"
-
test_title: 921200-3
- test_title: 921200-3
desc: "Testing for FP, this should not trigger"
stages:
- stage:
@ -53,8 +50,7 @@
uri: "/"
output:
no_log_contains: id "921200"
-
test_title: 921200-4
- test_title: 921200-4
desc: "Testing for rule, this should trigger"
stages:
- stage:
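Review bot: Every test in 921200.yaml carries one of two descs, "Testing for FP, this should not trigger" (921200-1 to -3) or "Testing for rule, this should trigger" (921200-4 onward), which only restate the `no_log_contains` / `log_contains` expectation. Each `test_title` line is being rewritten here anyway, so this is a cheap moment to make each desc name the input it exercises; as it stands a failing 921200-7 cannot be told apart from 921200-8 without opening the file.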
@ -69,8 +65,7 @@
port: 80
output:
log_contains: id "921200"
-
test_title: 921200-5
- test_title: 921200-5
desc: "Testing for rule, this should trigger"
stages:
- stage:
@ -85,8 +80,7 @@
port: 80
output:
log_contains: id "921200"
-
test_title: 921200-6
- test_title: 921200-6
desc: "Testing for rule, this should trigger"
stages:
- stage:
@ -101,8 +95,7 @@
port: 80
output:
log_contains: id "921200"
-
test_title: 921200-7
- test_title: 921200-7
desc: "Testing for rule, this should trigger"
stages:
- stage:
@ -117,8 +110,7 @@
port: 80
output:
log_contains: id "921200"
-
test_title: 921200-8
- test_title: 921200-8
desc: "Testing for rule, this should trigger"
stages:
- stage:
@ -133,8 +125,7 @@
port: 80
output:
log_contains: id "921200"
-
test_title: 921200-9
- test_title: 921200-9
desc: "Testing for rule, this should trigger"
stages:
- stage:
@ -149,8 +140,7 @@
port: 80
output:
log_contains: id "921200"
-
test_title: 921200-10
- test_title: 921200-10
desc: "Testing for rule, this should trigger"
stages:
- stage:

View file

@ -5,12 +5,10 @@
name: "930100.yaml"
description: "Application attack LFI"
tests:
-
test_title: 930100-1
- test_title: 930100-1
desc: "Path Traversal Attack (/../) encoded"
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"

View file

@ -5,12 +5,10 @@
name: "930110.yaml"
description: "Application attacks: Local file include"
tests:
-
test_title: 930110-1
- test_title: 930110-1
desc: "Path Traversal Attack (/../)"
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
@ -21,12 +19,10 @@
uri: "/"
output:
log_contains: id "930110"
-
test_title: 930110-2
- test_title: 930110-2
desc: "Path Traversal Attack (/../) query string"
stages:
-
stage:
- stage:
input:
dest_addr: "localhost"
method: "GET"
@ -37,12 +33,10 @@
uri: "/?arg=../../../etc/passwd"
output:
log_contains: id "930110"
-
test_title: 930110-3
- test_title: 930110-3
desc: "Path Traversal Attack (/../) query string"
stages:
-
stage:
- stage:
input:
dest_addr: "localhost"
method: "POST"
@ -53,12 +47,10 @@
data: "arg=../../../etc/passwd&foo=var"
output:
log_contains: id "930110"
-
test_title: 930110-4
- test_title: 930110-4
desc: "Path Traversal Attack (/../) query string"
stages:
-
stage:
- stage:
input:
dest_addr: "localhost"
method: "GET"
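Review bot: 930110-3 is described as "Path Traversal Attack (/../) query string", but it is a POST whose payload sits in `data: "arg=../../../etc/passwd&foo=var"`, so it exercises the request body rather than the query string. Suggest changing the desc to say "request body" so the body case stays distinguishable from 930110-2, which sends the same traversal in `uri: "/?arg=../../../etc/passwd"`.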
@ -68,12 +60,10 @@
uri: "/foo../1234"
output:
no_log_contains: id "930110"
-
test_title: 930110-5
- test_title: 930110-5
desc: "Path Traversal Attack (/../) query string"
stages:
-
stage:
- stage:
input:
dest_addr: "localhost"
method: "GET"
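Review bot: 930110-4 and 930110-5 keep the desc "Path Traversal Attack (/../) query string" although the hunks show `uri: "/foo../1234"` and `uri: "/foo.../1234"` with `no_log_contains: id "930110"`. These are false-positive checks on the path, not attacks in the query string. Suggest a desc along the lines of "No match: dots not forming a /../ segment in the path", so the intent of the negative tests is visible in test output.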
@ -83,12 +73,10 @@
uri: "/foo.../1234"
output:
no_log_contains: id "930110"
-
test_title: 930110-6
- test_title: 930110-6
desc: "Path Traversal Attack (/../) query string"
stages:
-
stage:
- stage:
input:
dest_addr: "localhost"
method: "GET"

View file

@ -5,18 +5,14 @@
enabled: true
name: 930120.yaml
tests:
-
test_title: 930120-1
- test_title: 930120-1
desc: Remote File Access Attempt (930120) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
*/*
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Content-Type: application/x-www-form-urlencoded
@ -30,18 +26,14 @@
version: HTTP/1.1
output:
log_contains: id "930120"
-
test_title: 930120-2
- test_title: 930120-2
desc: Remote File Access Attempt (930120) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
*/*
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Content-Type: application/x-www-form-urlencoded
@ -55,18 +47,14 @@
version: HTTP/1.1
output:
log_contains: id "930120"
-
test_title: 930120-3
- test_title: 930120-3
desc: Remote File Access Attempt (930120) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
*/*
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Content-Type: application/x-www-form-urlencoded
@ -80,12 +68,10 @@
version: HTTP/1.1
output:
log_contains: id "930120"
-
test_title: 930120-4
- test_title: 930120-4
desc: "OS File Access"
stages:
-
stage:
- stage:
input:
dest_addr: "127.0.0.1"
method: "GET"
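Review bot: Scalar quoting is still mixed within 930120.yaml after this cleanup: 930120-1 to -3 use `dest_addr: 127.0.0.1` and an unquoted desc, while 930120-4 uses `dest_addr: "127.0.0.1"` and `desc: "OS File Access"`. The change already normalizes list indentation and unfolds the `Accept` header onto one line, so picking one quoting style in the same pass would make the file consistent.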

View file

@ -5,18 +5,14 @@
enabled: true
name: 931100.yaml
tests:
-
test_title: 931100-1
- test_title: 931100-1
desc: Remote File Inclusion Attack (931100) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
*/*
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Host: localhost

View file

@ -5,18 +5,14 @@
enabled: true
name: 931110.yaml
tests:
-
test_title: 931110-1
- test_title: 931110-1
desc: Remote File Inclusion Attack (931110) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
*/*
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Host: localhost
@ -30,18 +26,14 @@
version: HTTP/1.1
output:
log_contains: id "931110"
-
test_title: 931110-2
- test_title: 931110-2
desc: Remote File Inclusion Attack (931110) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
*/*
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Host: localhost
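Review bot: 931110-1, -2 and -3 share the desc "Remote File Inclusion Attack (931110) from old modsec regressions", and the visible headers (`Accept`, `Accept-Encoding`, `Accept-Language`, `Host`) are identical across them as well. The rule id in the desc duplicates what `test_title` already says; suggest using that space to name the parameter or payload variant each test sends.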
@ -55,18 +47,14 @@
version: HTTP/1.1
output:
log_contains: id "931110"
-
test_title: 931110-3
- test_title: 931110-3
desc: Remote File Inclusion Attack (931110) from old modsec regressions
stages:
-
stage:
- stage:
input:
dest_addr: 127.0.0.1
headers:
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
*/*
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-sg
Host: localhost

Some files were not shown because too many files have changed in this diff.