custom http/server confs and better modsec customization
parent
43403f69ee
commit
716e54e597
|
@ -15,7 +15,7 @@ RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl &
|
|||
mkdir /www && \
|
||||
adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
|
||||
|
||||
VOLUME /www /confs
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
|
||||
|
||||
EXPOSE 80/tcp 443/tcp
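Review bot: The old `/confs` mount point is dropped from the VOLUME line with nothing in the Dockerfile explaining the split, so a deployment that still bind-mounts `/confs` silently runs with none of its custom configuration applied. A comment above the VOLUME line should name what each directory feeds, e.g. `# /http-confs, /server-confs: included by nginx; /modsec-confs, /modsec-crs-confs: included by ModSecurity around crs-setup.conf` — that mapping is only inferable from the other hunks of this commit, so confirm it against the entrypoint before writing it down. Note also that Docker discards changes a later build step makes inside a directory already declared as VOLUME, so any defaults meant to ship in these four directories have to be copied in before this line.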
|
||||
|
||||
|
|
|
@ -54,6 +54,10 @@ SecAuditLogRelevantStatus "^(?:5|4(?!04))"
|
|||
SecAuditLogType Serial
|
||||
SecAuditLog /var/log/modsec_audit.log
|
||||
|
||||
# include custom rules
|
||||
%MODSECURITY_INCLUDE_CUSTOM_RULES%
|
||||
|
||||
# include OWASP CRS rules
|
||||
include /etc/nginx/owasp-crs.conf
|
||||
include /etc/nginx/owasp-crs/*.conf
|
||||
%MODSECURITY_INCLUDE_CRS%
|
||||
%MODSECURITY_INCLUDE_CUSTOM_CRS%
|
||||
%MODSECURITY_INCLUDE_CRS_RULES%
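Review bot: The three new include slots are all expanded before `%MODSECURITY_INCLUDE_CRS_RULES%`, so there is no place for directives that reference an already-loaded rule — `SecRuleRemoveById`, `SecRuleRemoveByTag` and `SecRuleUpdateTargetById` are documented as having to follow the rule they name, and whether libmodsecurity tolerates them appearing earlier is worth checking rather than assuming. Consider a fourth placeholder after the CRS rules, and a comment on each slot stating what it accepts, e.g. `# custom rules: loaded before crs-setup.conf; use ctl:ruleRemove* actions here, not SecRuleRemove* directives`. The placeholder substitution happens outside this hunk, so the mapping from the Dockerfile's `/modsec-confs` and `/modsec-crs-confs` volumes to these slots could not be confirmed here.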
|
||||
|
|
|
@ -75,4 +75,7 @@ http {
|
|||
|
||||
# enable/disable ModSecurity
|
||||
%USE_MODSECURITY%
|
||||
|
||||
# custom http confs
|
||||
include /http-confs/*.conf;
|
||||
}
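Review bot: `include /http-confs/*.conf;` is the last directive in `http {}`, after `%USE_MODSECURITY%`, so a file dropped into that volume can override directives set earlier in the block, including the ModSecurity switch; if that is intended, the comment should say so, e.g. `# custom http confs: loaded last, at full http-level authority, after the ModSecurity switch`. The commit title also promises server-level confs and the Dockerfile declares `/server-confs`, but no `include /server-confs/*.conf;` is visible in this hunk — if it lives in a server block outside the diff, naming that file in the comment would help the next reader find it. The enclosing `http {}` block starts outside the hunk.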
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -354,11 +354,12 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:tx.crs_exclusions_cpanel=1,\
|
||||
# setvar:tx.crs_exclusions_drupal=1,\
|
||||
# setvar:tx.crs_exclusions_wordpress=1,\
|
||||
# setvar:tx.crs_exclusions_nextcloud=1,\
|
||||
# setvar:tx.crs_exclusions_dokuwiki=1,\
|
||||
# setvar:tx.crs_exclusions_cpanel=1"
|
||||
# setvar:tx.crs_exclusions_nextcloud=1,\
|
||||
# setvar:tx.crs_exclusions_wordpress=1,\
|
||||
# setvar:tx.crs_exclusions_xenforo=1"
|
||||
|
||||
#
|
||||
# -- [[ HTTP Policy Settings ]] ------------------------------------------------
|
||||
|
@ -389,7 +390,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# Content-Types that a client is allowed to send in a request.
|
||||
# Default: application/x-www-form-urlencoded|multipart/form-data|text/xml|\
|
||||
# application/xml|application/soap+xml|application/x-amf|application/json|\
|
||||
# application/octet-stream|text/plain
|
||||
# application/octet-stream|application/csp-report|\
|
||||
# application/xss-auditor-report|text/plain
|
||||
# Uncomment this rule to change the default.
|
||||
#SecAction \
|
||||
# "id:900220,\
|
||||
|
@ -397,20 +399,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text/plain'"
|
||||
|
||||
# Content-Types charsets that a client is allowed to send in a request.
|
||||
# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252
|
||||
# Uncomment this rule to change the default.
|
||||
# Use "|" to separate multiple charsets like in the rule defining
|
||||
# tx.allowed_request_content_type.
|
||||
#SecAction \
|
||||
# "id:900270,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
|
||||
# setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|application/csp-report|application/xss-auditor-report|text/plain'"
|
||||
|
||||
# Allowed HTTP versions.
|
||||
# Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
|
||||
|
@ -428,8 +417,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
|
||||
# Forbidden file extensions.
|
||||
# Guards against unintended exposure of development/configuration files.
|
||||
# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
|
||||
# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .sql/
|
||||
# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
|
||||
# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .rdb/ .sql/
|
||||
# Uncomment this rule to change the default.
|
||||
#SecAction \
|
||||
# "id:900240,\
|
||||
|
@ -437,7 +426,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
|
||||
# setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
|
||||
|
||||
# Forbidden request headers.
|
||||
# Header names should be lowercase, enclosed by /slashes/ as delimiters.
|
||||
|
@ -465,6 +454,18 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
# t:none,\
|
||||
# setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
|
||||
|
||||
# Content-Types charsets that a client is allowed to send in a request.
|
||||
# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252
|
||||
# Uncomment this rule to change the default.
|
||||
# Use "|" to separate multiple charsets like in the rule defining
|
||||
# tx.allowed_request_content_type.
|
||||
#SecAction \
|
||||
# "id:900280,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
|
||||
|
||||
#
|
||||
# -- [[ HTTP Argument/Upload Limits ]] -----------------------------------------
|
||||
|
@ -779,52 +780,6 @@ SecDefaultAction "phase:2,log,auditlog,pass"
|
|||
SecCollectionTimeout 600
|
||||
|
||||
|
||||
#
|
||||
# -- [[ Debug Mode ]] ----------------------------------------------------------
|
||||
#
|
||||
# To enable rule development and debugging, CRS has an optional debug mode
|
||||
# that does not block a request, but instead sends detection information
|
||||
# back to the HTTP client.
|
||||
#
|
||||
# This functionality is currently only supported with the Apache web server.
|
||||
# The Apache mod_headers module is required.
|
||||
#
|
||||
# In debug mode, the webserver inserts "X-WAF-Events" / "X-WAF-Score"
|
||||
# response headers whenever a debug client makes a request. Example:
|
||||
#
|
||||
# # curl -v 'http://192.168.1.100/?foo=../etc/passwd'
|
||||
# X-WAF-Events: TX:930110-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-REQUEST_URI,
|
||||
# TX:930120-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-ARGS:foo,
|
||||
# TX:932160-OWASP_CRS/WEB_ATTACK/RCE-ARGS:foo
|
||||
# X-WAF-Score: Total=15; sqli=0; xss=0; rfi=0; lfi=10; rce=5; php=0; http=0; ses=0
|
||||
#
|
||||
# To enable debug mode, include the RESPONSE-981-DEBUG.conf file.
|
||||
# This file resides in a separate folder, as it is not compatible with
|
||||
# nginx and IIS.
|
||||
#
|
||||
# You must specify the source IP address/network where you will be running the
|
||||
# tests from. The source IP will BYPASS all CRS blocking, and will be sent the
|
||||
# response headers as specified above. Be careful to only list your private
|
||||
# IP addresses/networks here.
|
||||
#
|
||||
# Tip: for regression testing of CRS or your own ModSecurity rules, you may
|
||||
# be interested in using the OWASP CRS regression testing suite instead.
|
||||
# View the file util/regression-tests/README for more information.
|
||||
#
|
||||
# Uncomment these rules, filling in your CRS path and the source IP address,
|
||||
# to enable debug mode:
|
||||
#
|
||||
#Include /path/to/crs/util/debug/RESPONSE-981-DEBUG.conf
|
||||
#SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
|
||||
# "id:900980,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# ctl:ruleEngine=DetectionOnly,\
|
||||
# setvar:tx.crs_debug_mode=1"
|
||||
|
||||
|
||||
#
|
||||
# -- [[ End of setup ]] --------------------------------------------------------
|
||||
#
|
||||
|
@ -842,4 +797,4 @@ SecAction \
|
|||
nolog,\
|
||||
pass,\
|
||||
t:none,\
|
||||
setvar:tx.crs_setup_version=311"
|
||||
setvar:tx.crs_setup_version=320"
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -141,7 +141,7 @@
|
|||
# phase:2,\
|
||||
# pass,\
|
||||
# nolog,\
|
||||
# ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"
|
||||
# ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd"
|
||||
|
||||
#
|
||||
# Example Exclusion Rule: Removing a range of rules
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -21,11 +21,11 @@
|
|||
#
|
||||
# Rule version data is added to the "Producer" line of Section H of the Audit log:
|
||||
#
|
||||
# - Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.1.1.
|
||||
# - Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.1.0.
|
||||
#
|
||||
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature
|
||||
#
|
||||
SecComponentSignature "OWASP_CRS/3.1.1"
|
||||
SecComponentSignature "OWASP_CRS/3.2.0"
|
||||
|
||||
#
|
||||
# -=[ Default setup values ]=-
|
||||
|
@ -168,7 +168,7 @@ SecRule &TX:allowed_request_content_type "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text/plain'"
|
||||
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|application/csp-report|application/xss-auditor-report|text/plain'"
|
||||
|
||||
# Default HTTP policy: allowed_request_content_type_charset (rule 900270)
|
||||
SecRule &TX:allowed_request_content_type_charset "@eq 0" \
|
||||
|
@ -192,7 +192,7 @@ SecRule &TX:restricted_extensions "@eq 0" \
|
|||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
|
||||
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
|
||||
|
||||
# Default HTTP policy: restricted_headers (rule 900250)
|
||||
SecRule &TX:restricted_headers "@eq 0" \
|
||||
|
@ -218,7 +218,6 @@ SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
|
|||
nolog,\
|
||||
setvar:'tx.enforce_bodyproc_urlencoded=0'"
|
||||
|
||||
|
||||
#
|
||||
# -=[ Initialize internal variables ]=-
|
||||
#
|
||||
|
@ -298,7 +297,7 @@ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
|
|||
msg:'Enabling body inspection',\
|
||||
tag:'paranoia-level/1',\
|
||||
ctl:forceRequestBodyVariable=On,\
|
||||
ver:'OWASP_CRS/3.1.1'"
|
||||
ver:'OWASP_CRS/3.2.0'"
|
||||
|
||||
# Force body processor URLENCODED
|
||||
SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
|
||||
|
@ -309,7 +308,7 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
|
|||
nolog,\
|
||||
noauditlog,\
|
||||
msg:'Enabling forced body inspection for ASCII content',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
chain"
|
||||
SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
|
||||
"ctl:requestBodyProcessor=URLENCODED"
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -117,8 +117,8 @@ SecRule REQUEST_FILENAME "@endsWith /core/install.php" \
|
|||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:account[pass][pass1],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:account[pass][pass2]"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:account[pass][pass1],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:account[pass][pass2]"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /user/login" \
|
||||
"id:9001112,\
|
||||
|
@ -126,24 +126,24 @@ SecRule REQUEST_FILENAME "@endsWith /user/login" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/people/create" \
|
||||
"id:9001114,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass1],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass2]"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass1],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass2]"
|
||||
|
||||
SecRule REQUEST_FILENAME "@rx /user/[0-9]+/edit$" \
|
||||
"id:9001116,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:current_pass,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass1],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass2]"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:current_pass,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass1],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass2]"
|
||||
|
||||
|
||||
#
|
||||
|
@ -171,14 +171,14 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/people/accounts" \
|
|||
nolog,\
|
||||
ctl:ruleRemoveById=920271,\
|
||||
ctl:ruleRemoveById=942440,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_cancel_confirm_body,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_password_reset_body,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_register_admin_created_body,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_register_no_approval_required_body,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_register_pending_approval_body,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_status_activated_body,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_status_blocked_body,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_status_canceled_body"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_cancel_confirm_body,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_password_reset_body,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_register_admin_created_body,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_register_no_approval_required_body,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_register_pending_approval_body,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_activated_body,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_blocked_body,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_canceled_body"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/configuration/single/import" \
|
||||
"id:9001126,\
|
||||
|
@ -242,8 +242,8 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/content/formats/manage/full_ht
|
|||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:editor[settings][toolbar][button_groups],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:filters[filter_html][settings][allowed_html]"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:editor[settings][toolbar][button_groups],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:filters[filter_html][settings][allowed_html]"
|
||||
|
||||
|
||||
#
|
||||
|
@ -296,7 +296,7 @@ SecRule REQUEST_METHOD "@streq POST" \
|
|||
"chain"
|
||||
SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
|
||||
"chain"
|
||||
SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
|
||||
SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
|
||||
"chain"
|
||||
SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
|
||||
"ctl:requestBodyAccess=Off"
|
||||
|
@ -316,7 +316,7 @@ SecRule REQUEST_FILENAME "@endsWith /node/add/article" \
|
|||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
|
||||
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id]"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /node/add/page" \
|
||||
|
@ -324,7 +324,7 @@ SecRule REQUEST_FILENAME "@endsWith /node/add/page" \
|
|||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
|
||||
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id]"
|
||||
|
||||
SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \
|
||||
|
@ -332,7 +332,7 @@ SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \
|
|||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
|
||||
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
|
||||
ctl:ruleRemoveTargetById=932110;ARGS:destination"
|
||||
|
||||
|
@ -341,42 +341,42 @@ SecRule REQUEST_FILENAME "@endsWith /block/add" \
|
|||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value]"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value]"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/basic" \
|
||||
"id:9001208,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:description"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:description"
|
||||
|
||||
SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(?:full|basic)_html$" \
|
||||
"id:9001210,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:value"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:value"
|
||||
|
||||
SecRule REQUEST_FILENAME "@rx /user/[0-9]+/contact$" \
|
||||
"id:9001212,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:message[0][value]"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message[0][value]"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
|
||||
"id:9001214,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:maintenance_mode_message"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:maintenance_mode_message"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/config/services/rss-publishing" \
|
||||
"id:9001216,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:feed_description"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:feed_description"
|
||||
|
||||
|
||||
SecMarker "END-DRUPAL-RULE-EXCLUSIONS"
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -49,7 +49,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd"
|
||||
|
||||
# Reset password
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
|
||||
|
@ -64,9 +64,9 @@ SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
|
|||
chain"
|
||||
SecRule &ARGS:action "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
|
||||
|
||||
|
||||
#
|
||||
|
@ -83,6 +83,38 @@ SecRule REQUEST_FILENAME "@endsWith /wp-comments-post.php" \
|
|||
ctl:ruleRemoveTargetById=931130;ARGS:url"
|
||||
|
||||
|
||||
#
|
||||
# [ Gutenberg Editor ]
|
||||
# Used when a user (auto)saves a post/page with Gutenberg.
|
||||
#
|
||||
|
||||
# Gutenberg
|
||||
SecRule REQUEST_FILENAME "@rx ^/wp\-json/wp/v[0-9]+/(?:posts|pages)" \
|
||||
"id:9002140,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:content,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.content"
|
||||
|
||||
# Gutenberg via rest_route for sites without pretty permalinks
|
||||
SecRule REQUEST_FILENAME "@endsWith /index.php" \
|
||||
"id:9002141,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule &ARGS:rest_route "@eq 1" \
|
||||
"t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule ARGS:rest_route "@rx ^/wp/v[0-9]+/(?:posts|pages)" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:content,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.content"
|
||||
|
||||
#
|
||||
# [ Live preview ]
|
||||
# Used when an administrator customizes the site and previews the result
|
||||
|
@ -221,7 +253,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/setup-config.php" \
|
|||
chain"
|
||||
SecRule &ARGS:step "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd"
|
||||
|
||||
# WordPress installation: exclude admin password
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-admin/install.php" \
|
||||
|
@ -236,9 +268,9 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/install.php" \
|
|||
chain"
|
||||
SecRule &ARGS:step "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:admin_password,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:admin_password2,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:admin_password,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:admin_password2,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text"
|
||||
|
||||
|
||||
#
|
||||
|
@ -261,9 +293,11 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/profile.php" \
|
|||
ctl:ruleRemoveTargetById=931130;ARGS:url,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:facebook,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:googleplus,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:instagram,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:linkedin,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
|
||||
|
||||
# Edit user
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-edit.php" \
|
||||
|
@ -279,9 +313,9 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-edit.php" \
|
|||
SecRule &ARGS:action "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:url,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
|
||||
|
||||
# Create user
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-new.php" \
|
||||
|
@ -297,9 +331,9 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-new.php" \
|
|||
SecRule &ARGS:action "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:url,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
|
||||
|
||||
|
||||
#
|
||||
|
@ -321,6 +355,7 @@ SecAction \
|
|||
ctl:ruleRemoveTargetById=942200;ARGS:_wp_http_referer,\
|
||||
ctl:ruleRemoveTargetById=942260;ARGS:_wp_http_referer,\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS:_wp_http_referer,\
|
||||
ctl:ruleRemoveTargetById=942440;ARGS:_wp_http_referer,\
|
||||
ctl:ruleRemoveTargetById=920230;ARGS:wp_http_referer,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:wp_http_referer,\
|
||||
ctl:ruleRemoveTargetById=932150;ARGS:wp_http_referer,\
|
||||
|
@ -352,7 +387,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" \
|
|||
SecRule &ARGS:action "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:post_title,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:content,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:content,\
|
||||
ctl:ruleRemoveById=920272,\
|
||||
ctl:ruleRemoveById=921180"
|
||||
|
||||
|
@ -371,7 +406,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
|
|||
SecRule &ARGS:action "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:data[wp_autosave][post_title],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:data[wp_autosave][content],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:data[wp_autosave][content],\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-refresh-post-lock][post_id],\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-refresh-post-lock][lock],\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-check-locked-posts][],\
|
||||
|
@ -415,46 +450,46 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
|
|||
chain"
|
||||
SecRule &ARGS:action "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[0][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[1][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[2][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[3][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[4][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[5][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[6][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[7][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[8][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[9][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[10][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[11][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[12][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[13][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[14][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[15][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[16][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[17][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[18][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[19][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[20][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[21][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[22][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[23][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[24][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[25][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[26][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[27][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[28][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[29][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[30][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[31][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[32][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[33][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[34][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[35][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[36][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[37][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[38][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[39][text]"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[0][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[1][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[2][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[3][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[4][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[5][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[6][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[7][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[8][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[9][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[10][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[11][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[12][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[13][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[14][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[15][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[16][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[17][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[18][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[19][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[20][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[21][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[22][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[23][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[24][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[25][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[26][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[27][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[28][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[29][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[30][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[31][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[32][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[33][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[34][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[35][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[36][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[37][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[38][text],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[39][text]"
|
||||
|
||||
# Reorder widgets
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
|
||||
|
@ -527,7 +562,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
|
|||
chain"
|
||||
SecRule &ARGS:action "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:html"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:html"
|
||||
|
||||
|
||||
#
|
||||
|
@ -591,8 +626,17 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
|
|||
chain"
|
||||
SecRule &ARGS:action "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:blacklist_keys,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:moderation_keys"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:blacklist_keys,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:moderation_keys"
|
||||
|
||||
# Posts/pages overview search
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-admin/edit.php" \
|
||||
"id:9002830,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:s"
|
||||
|
||||
|
||||
#
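Review bot: The new 9002830 lifts `ARGS:s` out of every OWASP_CRS-tagged rule for any request whose filename ends in `/wp-admin/edit.php`, with no check on the method, so because the `ctl:` action applies to the rest of the transaction an `s` parameter in a POST body to that path is exempt as well, even though the posts/pages overview search it documents is a GET query parameter. Chaining the filename rule on the method, `chain"` followed by `SecRule REQUEST_METHOD "@streq GET" "t:none,ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:s"`, keeps the exclusion to the documented use. A short comment explaining why the whole CRS tag is removed rather than the specific rule ids the search string trips would also help the next person tuning this file. The WordPress admin section this hunk sits in continues outside the hunk.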
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -123,7 +123,7 @@ SecRule REQUEST_METHOD "@streq PUT" \
|
|||
chain"
|
||||
SecRule REQUEST_FILENAME "@rx (?:/public\.php/webdav/|/remote\.php/dav/uploads/)" \
|
||||
"ctl:ruleRemoveById=920340,\
|
||||
ctl:ruleRemoveById=920420"
|
||||
ctl:ruleRemoveById=920420"
|
||||
|
||||
|
||||
# Allow characters like /../ in files.
|
||||
|
@ -243,7 +243,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/files_texteditor/" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:filecontents,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:filecontents,\
|
||||
ctl:ruleRemoveTargetById=921110-921160;ARGS:filecontents,\
|
||||
ctl:ruleRemoveTargetById=932150;ARGS:filename,\
|
||||
ctl:ruleRemoveTargetById=920370-920390;ARGS:filecontents,\
|
||||
|
@ -318,7 +318,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/login" \
|
|||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=941100;ARGS:requesttoken,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:password"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password"
|
||||
|
||||
# Reset password.
|
||||
|
||||
|
@ -334,9 +334,9 @@ SecRule REQUEST_FILENAME "@endsWith /index.php/login" \
|
|||
chain"
|
||||
SecRule &ARGS:action "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
|
||||
|
||||
# Change Password and Setting up a new user/password
|
||||
|
||||
|
@ -346,8 +346,8 @@ SecRule REQUEST_FILENAME "@endsWith /index.php/settings/users" \
|
|||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:newuserpassword,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:password"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:newuserpassword,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password"
|
||||
|
||||
|
||||
SecMarker "END-NEXTCLOUD-ADMIN"
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -85,17 +85,17 @@ SecRule REQUEST_FILENAME "@rx (?:/doku.php|/lib/exe/ajax.php)$" \
|
|||
SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:wikitext,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:wikitext,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:wikitext,\
|
||||
ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:suffix,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:suffix,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:suffix,\
|
||||
ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:prefix,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:prefix,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:prefix,\
|
||||
ctl:ruleRemoveTargetById=930100-930110;REQUEST_BODY"
|
||||
|
||||
|
||||
# Allow it to upload files. But check for cookies just to make sure.
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php"\
|
||||
SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php" \
|
||||
"id:9004110,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
|
@ -113,7 +113,7 @@ SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php"\
|
|||
|
||||
# Show the index, even if things like "postgresql" or other things show up.
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /doku.php"\
|
||||
SecRule REQUEST_FILENAME "@endsWith /doku.php" \
|
||||
"id:9004130,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
|
@ -137,7 +137,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php"\
|
|||
# Turn off checks for password.
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /doku.php" \
|
||||
"id:9004200,\
|
||||
"id:9004200,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
|
@ -149,7 +149,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
|
|||
chain"
|
||||
SecRule &ARGS:do "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:p"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:p"
|
||||
|
||||
|
||||
#
|
||||
|
@ -188,12 +188,12 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
|
|||
chain"
|
||||
SecRule ARGS:do "@streq login" \
|
||||
"t:none,\
|
||||
chain"
|
||||
chain"
|
||||
SecRule &ARGS:do "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
|
||||
|
||||
|
||||
# [ Save config ]
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
|
|
@ -0,0 +1,509 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
# These exclusions remedy false positives in a default XenForo install.
|
||||
# The exclusions are only active if crs_exclusions_xenforo=1 is set.
|
||||
# See rule 900130 in crs-setup.conf.example for instructions.
|
||||
|
||||
SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \
|
||||
"id:9006000,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
skipAfter:END-XENFORO"
|
||||
|
||||
SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \
|
||||
"id:9006001,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
skipAfter:END-XENFORO"
|
||||
|
||||
|
||||
#
|
||||
# -=[ XenForo Front-End ]=-
|
||||
#
|
||||
|
||||
# Proxy for images and remote content embedded in forum posts
|
||||
# GET /xf/proxy.php?image=https://example.com/some.jpg&hash=foo
|
||||
# GET /xf/proxy.php?link=https://example.com&hash=foo
|
||||
# POST /xf/proxy.php, body: referrer=...
|
||||
SecRule REQUEST_FILENAME "@endsWith /proxy.php" \
|
||||
"id:9006100,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:image,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:link,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:referrer,\
|
||||
ctl:ruleRemoveTargetById=942230;ARGS:referrer"
|
||||
|
||||
# Store drafts for private message, forum post, thread reply
|
||||
# POST /xf/conversations/draft
|
||||
# POST /xf/conversations/convo-title.12345/draft
|
||||
# POST /xf/forums/forum-title.12345/draft
|
||||
# POST /xf/threads/thread-title-%E2%98%85.12345/draft
|
||||
#
|
||||
# attachment_hash_combined example:
|
||||
# {"type":"post","context":{"post_id":12345},"hash":"0123456789abcdef..."}
|
||||
SecRule REQUEST_FILENAME "@rx /(?:conversations|(?:conversations|forums|threads)/.*\.\d+)/draft$" \
|
||||
"id:9006110,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:href,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message_html,\
|
||||
ctl:ruleRemoveTargetById=942200;ARGS:attachment_hash_combined,\
|
||||
ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
|
||||
ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
|
||||
ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined"
|
||||
|
||||
# Send PM, edit post, create thread, reply to thread
|
||||
# POST /xf/conversations/add
|
||||
# POST /xf/conversations/add-preview
|
||||
# POST /xf/conversations/messages/1463947/edit
|
||||
# POST /xf/posts/12345/edit
|
||||
# POST /xf/posts/12345/preview
|
||||
# POST /xf/conversations/convo-title.12345/add-reply
|
||||
# POST /xf/threads/thread-title.12345/add-reply
|
||||
# POST /xf/threads/thread-title.12345/reply-preview
|
||||
# POST /xf/forums/forum-title.12345/post-thread
|
||||
# POST /xf/forums/forum-title.12345/thread-preview
|
||||
SecRule REQUEST_FILENAME "@rx /(?:conversations/add(?:-preview)?|conversations/messages/\d+/edit|posts/\d+/(?:edit|preview)|(?:conversations|threads)/.*\.\d+/(?:add-reply|reply-preview)|forums/.*\.\d+/(?:post-thread|thread-preview))$" \
|
||||
"id:9006120,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message_html,\
|
||||
ctl:ruleRemoveTargetById=942200;ARGS:attachment_hash_combined,\
|
||||
ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
|
||||
ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
|
||||
ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined"
|
||||
|
||||
# Quote
|
||||
# POST /xf/posts/12345/quote
|
||||
SecRule REQUEST_FILENAME "@rx /posts/\d+/quote$" \
|
||||
"id:9006130,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:quoteHtml"
|
||||
|
||||
# Multi quote
|
||||
# POST /xf/conversations/convo-title.12345/multi-quote
|
||||
# POST /xf/threads/thread-title.12345/multi-quote
|
||||
# quotes={"12345":["quote-html"]}
|
||||
SecRule REQUEST_FILENAME "@rx /(?:conversations|threads)/.*\.\d+/multi-quote$" \
|
||||
"id:9006140,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:quotes,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[0][value],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[1][value],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[2][value],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[3][value],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[4][value],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[5][value],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[6][value],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[7][value],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[8][value],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[9][value]"
|
||||
|
||||
# Delete thread
|
||||
SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/delete$" \
|
||||
"id:9006150,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=942130;ARGS:starter_alert_reason"
|
||||
|
||||
# Inline moderate thread
|
||||
# POST /xf/inline-mod/
|
||||
SecRule REQUEST_FILENAME "@streq /inline-mod/" \
|
||||
"id:9006160,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message"
|
||||
|
||||
# Warn member
|
||||
# POST /xf/members/name.12345/warn
|
||||
SecRule REQUEST_FILENAME "@rx /members/\*\.\d+/warn$" \
|
||||
"id:9006170,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:conversation_message,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:notes"
|
||||
|
||||
# Editor
|
||||
SecRule REQUEST_URI "@endsWith /index.php?editor/to-html" \
|
||||
"id:9006200,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:bb_code,\
|
||||
ctl:ruleRemoveTargetById=942200;ARGS:attachment_hash_combined,\
|
||||
ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
|
||||
ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
|
||||
ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined"
|
||||
|
||||
# Editor
|
||||
SecRule REQUEST_URI "@endsWith /index.php?editor/to-bb-code" \
|
||||
"id:9006210,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:html"
|
||||
|
||||
# Post attachment
|
||||
# POST /xf/account/avatar
|
||||
# POST /xf/attachments/upload?type=post&context[thread_id]=12345&hash=foo
|
||||
SecRule REQUEST_FILENAME "@rx /(?:account/avatar|attachments/upload)$" \
|
||||
"id:9006220,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveById=200003,\
|
||||
ctl:ruleRemoveTargetById=942220;ARGS:flowChunkSize,\
|
||||
ctl:ruleRemoveTargetById=942440;ARGS:flowIdentifier,\
|
||||
ctl:ruleRemoveTargetById=942440;ARGS:flowFilename,\
|
||||
ctl:ruleRemoveTargetById=942440;ARGS:flowRelativePath"
|
||||
|
||||
# Media
|
||||
# POST /xf/index.php?editor/media
|
||||
SecRule REQUEST_URI "@endsWith /index.php?editor/media" \
|
||||
"id:9006230,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:url,\
|
||||
ctl:ruleRemoveTargetById=942130;ARGS:url"
|
||||
|
||||
# Emoji
|
||||
# GET /xf/index.php?misc/find-emoji&q=(%0A%0A
|
||||
SecRule REQUEST_URI "@rx /index\.php\?misc/find-emoji&q=" \
|
||||
"id:9006240,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=921151;ARGS:q"
|
||||
|
||||
# Login
|
||||
# POST /xf/login/login
|
||||
SecRule REQUEST_FILENAME "@endsWith /login/login" \
|
||||
"id:9006300,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password"
|
||||
|
||||
# Register account
|
||||
# POST /xf/register/register
|
||||
# The password is passed in a variable-name form parameter. We don't
|
||||
# want to exclude all parameters completely as this would cause an
|
||||
# unacceptable bypass. So, we exclude only commonly hit rules.
|
||||
SecRule REQUEST_FILENAME "@endsWith /register/register" \
|
||||
"id:9006310,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=942130;ARGS,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:reg_key"
|
||||
|
||||
# Edit account
|
||||
# POST /xf/account/account-details
|
||||
SecRule REQUEST_FILENAME "@endsWith /account/account-details" \
|
||||
"id:9006320,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:about_html"
|
||||
|
||||
# Lost password
|
||||
# POST /xf/lost-password/user-name.12345/confirm?c=foo
|
||||
SecRule REQUEST_FILENAME "@rx /lost-password/.*\.\d+/confirm$" \
|
||||
"id:9006330,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:c"
|
||||
|
||||
# Set forum signature
|
||||
# POST /xf/account/signature
|
||||
SecRule REQUEST_FILENAME "@endsWith /account/signature" \
|
||||
"id:9006340,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:signature_html"
|
||||
|
||||
# Search
|
||||
# POST /xf/search/search
|
||||
SecRule REQUEST_FILENAME "@endsWith /search/search" \
|
||||
"id:9006400,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:keywords,\
|
||||
ctl:ruleRemoveTargetById=942200;ARGS:constraints,\
|
||||
ctl:ruleRemoveTargetById=942260;ARGS:constraints,\
|
||||
ctl:ruleRemoveTargetById=942340;ARGS:constraints,\
|
||||
ctl:ruleRemoveTargetById=942370;ARGS:constraints"
|
||||
|
||||
# Search within thread
|
||||
# GET /xf/threads/foo.12345/page12?highlight=foo
|
||||
SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/(?:page\d+)?$" \
|
||||
"id:9006410,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:highlight"
|
||||
|
||||
# Search within search result
|
||||
# GET /xf/search/12345/?q=foo
|
||||
SecRule REQUEST_FILENAME "@rx /search/\d+/$" \
|
||||
"id:9006420,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:q"
|
||||
|
||||
# Contact form
|
||||
# POST /xf/misc/contact
|
||||
SecRule REQUEST_FILENAME "@endsWith /misc/contact" \
|
||||
"id:9006500,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:subject"
|
||||
|
||||
# Report post
|
||||
# POST /xf/posts/12345/report
|
||||
SecRule REQUEST_FILENAME "@rx /posts/\d+/report$" \
|
||||
"id:9006510,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message"
|
||||
|
||||
# Alternate thread view route
|
||||
# /xf/index.php?threads/title-having-some-sql.12345/
|
||||
#
|
||||
# Especially threads with the HAVING sql keyword are FP prone.
|
||||
# This rule has some chains to narrow down the exclusion,
|
||||
# making it harder for an attacker to abuse the ARGS_NAMES
|
||||
# exclusion on other endpoints.
|
||||
SecRule REQUEST_FILENAME "@endsWith /index.php" \
|
||||
"id:9006600,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule REQUEST_METHOD "@streq GET" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS "@eq 1" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule REQUEST_URI "@rx /index\.php\?threads/.*\.\d+/$" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetById=942100;ARGS_NAMES,\
|
||||
ctl:ruleRemoveTargetById=942230;ARGS_NAMES"
|
||||
|
||||
# Browser fingerprint (DBTech security extension)
|
||||
# May Contain various javascript/XSS false positives
|
||||
SecRule REQUEST_URI "@endsWith /index.php?dbtech-security/fingerprint" \
|
||||
"id:9006700,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[14][value],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[15][value],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[16][value]"
|
||||
|
||||
# Get location info
|
||||
SecRule REQUEST_FILENAME "@endsWith /misc/location-info" \
|
||||
"id:9006710,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:location"
|
||||
|
||||
#
|
||||
# -=[ XenForo Global Exclusions ]=-
|
||||
#
|
||||
|
||||
# _xfRedirect, _xfRequestUri can appear on various endpoints.
|
||||
# Cookies can appear on all endpoints.
|
||||
|
||||
SecAction \
|
||||
"id:9006800,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=931120;ARGS:_xfRedirect,\
|
||||
ctl:ruleRemoveTargetById=941150;ARGS:_xfRedirect,\
|
||||
ctl:ruleRemoveTargetById=931120;ARGS:_xfRequestUri,\
|
||||
ctl:ruleRemoveTargetById=941150;ARGS:_xfRequestUri,\
|
||||
ctl:ruleRemoveTargetById=942130;ARGS:_xfRequestUri,\
|
||||
ctl:ruleRemoveTargetById=942230;ARGS:_xfRequestUri,\
|
||||
ctl:ruleRemoveTargetById=942260;ARGS:_xfRequestUri,\
|
||||
ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_csrf,\
|
||||
ctl:ruleRemoveTargetById=942210;REQUEST_COOKIES:xf_csrf,\
|
||||
ctl:ruleRemoveTargetById=942440;REQUEST_COOKIES:xf_csrf,\
|
||||
ctl:ruleRemoveTargetById=942150;REQUEST_COOKIES:xf_emoji_usage,\
|
||||
ctl:ruleRemoveTargetById=942410;REQUEST_COOKIES:xf_emoji_usage,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;REQUEST_COOKIES:xf_ls,\
|
||||
ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_user"
|
||||
|
||||
#
|
||||
# -=[ XenForo Administration Back-End ]=-
|
||||
#
|
||||
|
||||
# Skip this section for performance unless requested file is admin.php
|
||||
|
||||
SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
|
||||
"id:9006900,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
skipAfter:END-XENFORO-ADMIN"
|
||||
|
||||
SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
|
||||
"id:9006901,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
skipAfter:END-XENFORO-ADMIN"
|
||||
|
||||
# Admin edit user
|
||||
# POST /xf/admin.php?users/the-user-name.12345/edit
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin.php" \
|
||||
"id:9006910,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/edit$" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[about],\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:profile[website]"
|
||||
|
||||
# Admin save user
|
||||
# POST /xf/admin.php?users/the-user-name.12345/save
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin.php" \
|
||||
"id:9006920,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/save$" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[occupation],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[personal_quote],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[about],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[signature],\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[sexuality],\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:profile[website]"
|
||||
|
||||
|
||||
# Admin edit forum notice
|
||||
# POST /xf/admin.php?notices/0/save
|
||||
# POST /xf/admin.php?notices/forum-name.12345/save
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin.php" \
|
||||
"id:9006930,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule REQUEST_URI "@rx /admin\.php\?notices/(?:.*\.)?\d+/save$" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
|
||||
ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title"
|
||||
|
||||
# Admin batch thread update
|
||||
# POST /xf/admin.php?threads/batch-update/action
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin.php" \
|
||||
"id:9006940,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule REQUEST_URI "@rx /admin\.php\?threads/batch-update/action$" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetById=942200;ARGS:criteria,\
|
||||
ctl:ruleRemoveTargetById=942260;ARGS:criteria,\
|
||||
ctl:ruleRemoveTargetById=942330;ARGS:criteria,\
|
||||
ctl:ruleRemoveTargetById=942340;ARGS:criteria,\
|
||||
ctl:ruleRemoveTargetById=942370;ARGS:criteria"
|
||||
|
||||
# Edit forum theme
|
||||
# POST /xf/admin.php?styles/title.1234/style-properties/group&group=basic
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin.php" \
|
||||
"id:9006950,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule REQUEST_URI "@rx /admin\.php\?styles/" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetById=942200;ARGS:json,\
|
||||
ctl:ruleRemoveTargetById=942260;ARGS:json,\
|
||||
ctl:ruleRemoveTargetById=942330;ARGS:json,\
|
||||
ctl:ruleRemoveTargetById=942340;ARGS:json,\
|
||||
ctl:ruleRemoveTargetById=942370;ARGS:json"
|
||||
|
||||
SecMarker "END-XENFORO-ADMIN"
|
||||
|
||||
SecMarker "END-XENFORO"
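Review bot: Rule 9006170 (`# Warn member`) cannot match its own documented request `/xf/members/name.12345/warn`, because `\*` in `"@rx /members/\*\.\d+/warn$"` is a literal asterisk rather than "any characters", so the `conversation_message`/`notes` exclusions never take effect and whatever false positives they were added for remain. The line should read `SecRule REQUEST_FILENAME "@rx /members/.*\.\d+/warn$" \`, matching the `.*\.\d+` form the neighbouring thread/conversation rules use. 9006240's `"@rx /index\.php\?misc/find-emoji&q="` is unanchored on REQUEST_URI, so that substring can be embedded in the query string of any other request to lift 921151 from `ARGS:q` there; pinning the request with a chain on `REQUEST_FILENAME "@endsWith /index.php"` the way 9006600 does at the end of the front-end section would keep the exclusion on that endpoint only. 9006220 also removes rule 200003 outright with `ctl:ruleRemoveById=200003` on the avatar and attachment upload endpoints; that id is not defined in this commit (it looks like the multipart strict-error check from the recommended modsecurity.conf), so a comment naming which check is disabled and why uploads need it off for the whole request, not just one argument, would make the trade-off explicit.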
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -39,13 +39,11 @@ SecRule TX:DO_REPUT_BLOCK "@eq 1" \
|
|||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-ip',\
|
||||
tag:'IP_REPUTATION/MALICIOUS_CLIENT',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
severity:'CRITICAL',\
|
||||
chain,\
|
||||
skipAfter:BEGIN-REQUEST-BLOCKING-EVAL"
|
||||
SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
|
||||
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -73,9 +71,7 @@ SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
|
|||
SecRule TX:REAL_IP "@geoLookup" \
|
||||
"chain"
|
||||
SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" \
|
||||
"setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
|
||||
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
setvar:'ip.reput_block_reason=%{rule.msg}',\
|
||||
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
|
||||
|
@ -101,9 +97,7 @@ SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
|
|||
# tag:'platform-multi',\
|
||||
# tag:'attack-reputation-ip',\
|
||||
# severity:'CRITICAL',\
|
||||
# setvar:'tx.msg=%{rule.msg}',\
|
||||
# setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
# setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
|
||||
# setvar:'ip.reput_block_flag=1',\
|
||||
# setvar:'ip.reput_block_reason=%{rule.msg}',\
|
||||
# expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
|
||||
|
@ -185,9 +179,7 @@ SecRule TX:block_search_ip "@eq 1" \
|
|||
chain,\
|
||||
skipAfter:END-RBL-CHECK"
|
||||
SecRule TX:httpbl_msg "@rx Search Engine" \
|
||||
"setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
|
||||
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
setvar:'ip.reput_block_reason=%{rule.msg}',\
|
||||
setvar:'ip.previous_rbl_check=1',\
|
||||
|
@ -208,9 +200,7 @@ SecRule TX:block_spammer_ip "@eq 1" \
|
|||
chain,\
|
||||
skipAfter:END-RBL-CHECK"
|
||||
SecRule TX:httpbl_msg "@rx (?i)^.*? spammer .*?$" \
|
||||
"setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
|
||||
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
setvar:'ip.reput_block_reason=%{rule.msg}',\
|
||||
setvar:'ip.previous_rbl_check=1',\
|
||||
|
@ -231,9 +221,7 @@ SecRule TX:block_suspicious_ip "@eq 1" \
|
|||
chain,\
|
||||
skipAfter:END-RBL-CHECK"
|
||||
SecRule TX:httpbl_msg "@rx (?i)^.*? suspicious .*?$" \
|
||||
"setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
|
||||
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
setvar:'ip.reput_block_reason=%{rule.msg}',\
|
||||
setvar:'ip.previous_rbl_check=1',\
|
||||
|
@ -254,9 +242,7 @@ SecRule TX:block_harvester_ip "@eq 1" \
|
|||
chain,\
|
||||
skipAfter:END-RBL-CHECK"
|
||||
SecRule TX:httpbl_msg "@rx (?i)^.*? harvester .*?$" \
|
||||
"setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
|
||||
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
setvar:'ip.reput_block_reason=%{rule.msg}',\
|
||||
setvar:'ip.previous_rbl_check=1',\
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -34,16 +34,15 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-generic',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/POLICY/METHOD_NOT_ALLOWED',\
|
||||
tag:'WASCTC/WASC-15',\
|
||||
tag:'OWASP_TOP_10/A6',\
|
||||
tag:'OWASP_AppSensor/RE1',\
|
||||
tag:'PCI/12.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -105,11 +105,11 @@ SecRule IP:DOS_BLOCK "@eq 1" \
|
|||
"id:912120,\
|
||||
phase:1,\
|
||||
drop,\
|
||||
msg:'Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-dos',\
|
||||
msg:'Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)',\
|
||||
chain"
|
||||
SecRule &IP:DOS_BLOCK_FLAG "@eq 0" \
|
||||
"setvar:'ip.dos_block_counter=+1',\
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -42,20 +42,19 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-scanner',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
|
||||
tag:'WASCTC/WASC-21',\
|
||||
tag:'OWASP_TOP_10/A7',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
setvar:'ip.reput_block_reason=%{rule.msg}',\
|
||||
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
|
||||
|
||||
SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmf scanners-headers.data" \
|
||||
SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data" \
|
||||
"id:913110,\
|
||||
phase:2,\
|
||||
block,\
|
||||
|
@ -67,22 +66,21 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmf scanners-headers.data" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-scanner',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
|
||||
tag:'WASCTC/WASC-21',\
|
||||
tag:'OWASP_TOP_10/A7',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
setvar:'ip.reput_block_reason=%{rule.msg}',\
|
||||
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
|
||||
|
||||
|
||||
|
||||
SecRule REQUEST_FILENAME|ARGS "@pmf scanners-urls.data" \
|
||||
SecRule REQUEST_FILENAME|ARGS "@pmFromFile scanners-urls.data" \
|
||||
"id:913120,\
|
||||
phase:2,\
|
||||
block,\
|
||||
|
@ -94,15 +92,14 @@ SecRule REQUEST_FILENAME|ARGS "@pmf scanners-urls.data" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-scanner',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
|
||||
tag:'WASCTC/WASC-21',\
|
||||
tag:'OWASP_TOP_10/A7',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
setvar:'ip.reput_block_reason=%{rule.msg}',\
|
||||
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
|
||||
|
@ -136,16 +133,15 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-scripting',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/AUTOMATION/SCRIPTING',\
|
||||
tag:'WASCTC/WASC-21',\
|
||||
tag:'OWASP_TOP_10/A7',\
|
||||
tag:'PCI/6.5.10',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SCRIPTING-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
setvar:'ip.reput_block_reason=%{rule.msg}',\
|
||||
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
|
||||
|
@ -173,16 +169,15 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-crawler',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/AUTOMATION/CRAWLER',\
|
||||
tag:'WASCTC/WASC-21',\
|
||||
tag:'OWASP_TOP_10/A7',\
|
||||
tag:'PCI/6.5.10',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/CRAWLER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
setvar:'ip.reput_block_reason=%{rule.msg}',\
|
||||
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -42,13 +42,13 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx [\n\r]+(?:get|post|head|options|connect|put|
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-protocol',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/REQUEST-SMUGGLING-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
#
|
||||
# -=[ HTTP Response Splitting ]=-
|
||||
|
@ -68,19 +68,19 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
block,\
|
||||
capture,\
|
||||
t:none,t:urlDecodeUni,t:lowercase,\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
msg:'HTTP Response Splitting Attack',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-protocol',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
|
||||
|
@ -89,19 +89,19 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
block,\
|
||||
capture,\
|
||||
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
msg:'HTTP Response Splitting Attack',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-protocol',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
#
|
||||
# -=[ HTTP Header Injection ]=-
|
||||
|
@ -129,19 +129,22 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-protocol',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/HEADER_INJECTION',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
# Detect newlines in argument names.
|
||||
# Checking for GET arguments has been moved to paranoia level 2 (921151)
|
||||
# in order to mitigate possible false positives.
|
||||
#
|
||||
# This rule is also triggered by the following exploit(s):
|
||||
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
|
||||
#
|
||||
SecRule ARGS_NAMES "@rx [\n\r]" \
|
||||
"id:921150,\
|
||||
phase:2,\
|
||||
|
@ -154,13 +157,13 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-protocol',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/HEADER_INJECTION',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule ARGS_GET_NAMES|ARGS_GET "@rx (?:\n|\r)+(?:\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" \
|
||||
|
@ -175,13 +178,13 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx (?:\n|\r)+(?:\s|location|refresh|(?:set-)?c
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-protocol',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/HEADER_INJECTION',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
|
||||
|
@ -211,13 +214,13 @@ SecRule ARGS_GET "@rx [\n\r]" \
|
|||
tag:'platform-multi',\
|
||||
tag:'attack-protocol',\
|
||||
tag:'paranoia-level/2',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/HEADER_INJECTION',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
|
@ -256,7 +259,7 @@ SecRule ARGS_NAMES "@rx ." \
|
|||
tag:'attack-protocol',\
|
||||
tag:'paranoia-level/3',\
|
||||
tag:'CAPEC-460',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
|
||||
|
||||
SecRule TX:/paramcounter_.*/ "@gt 1" \
|
||||
|
@ -269,17 +272,17 @@ SecRule TX:/paramcounter_.*/ "@gt 1" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-protocol',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/HTTP_PARAMETER_POLLUTION',\
|
||||
tag:'paranoia-level/3',\
|
||||
tag:'CAPEC-460',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HTTP_PARAMETER_POLLUTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -38,18 +38,17 @@ SecRule REQUEST_URI_RAW|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XM
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-lfi',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
#
|
||||
# [ Decoded /../ Payloads ]
|
||||
#
|
||||
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@pm ..\ ../" \
|
||||
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@rx (?:^|[\\/])\.\.(?:[\\/]|$)" \
|
||||
"id:930110,\
|
||||
phase:2,\
|
||||
block,\
|
||||
|
@ -61,21 +60,20 @@ SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/*
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-lfi',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
multiMatch,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
#
|
||||
# -=[ OS File Access ]=-
|
||||
#
|
||||
# Ref: https://github.com/lightos/Panoptic/blob/master/cases.xml
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf lfi-os-files.data" \
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile lfi-os-files.data" \
|
||||
"id:930120,\
|
||||
phase:2,\
|
||||
block,\
|
||||
|
@ -87,16 +85,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-lfi',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\
|
||||
tag:'WASCTC/WASC-33',\
|
||||
tag:'OWASP_TOP_10/A4',\
|
||||
tag:'PCI/6.5.4',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
#
|
||||
# -=[ Restricted File Access ]=-
|
||||
|
@ -104,28 +101,27 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
# Detects attempts to retrieve application source code, metadata,
|
||||
# credentials and version control history possibly reachable in a web root.
|
||||
#
|
||||
SecRule REQUEST_FILENAME "@pmf restricted-files.data" \
|
||||
SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
|
||||
"id:930130,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
msg:'Restricted File Access Attempt',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-lfi',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\
|
||||
tag:'WASCTC/WASC-33',\
|
||||
tag:'OWASP_TOP_10/A4',\
|
||||
tag:'PCI/6.5.4',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -45,14 +45,13 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?):\/\/(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rfi',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/RFI',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(?:file|ftps?|https?):\/\/" \
|
||||
"id:931110,\
|
||||
|
@ -66,14 +65,13 @@ SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_abso
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rfi',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/RFI',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
|
||||
"id:931120,\
|
||||
|
@ -87,14 +85,13 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rfi',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/RFI',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
|
||||
|
@ -116,18 +113,17 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?)://(.*)$" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rfi',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/RFI',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=%{tx.1}',\
|
||||
chain"
|
||||
SecRule TX:/rfi_parameter_.*/ "!@beginsWith %{request_headers.host}" \
|
||||
"setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{MATCHED_VAR_NAME}=%{tx.1}'"
|
||||
"setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -31,6 +31,9 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,skipAf
|
|||
# The vulnerability exists when an application executes a shell command
|
||||
# without proper input escaping/validation.
|
||||
#
|
||||
# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
|
||||
# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
|
||||
#
|
||||
# To prevent false positives, we look for a 'starting sequence' that
|
||||
# precedes a command in shell syntax, such as: ; | & $( ` <( >(
|
||||
# Anatomy of the regexp with examples of patterns caught:
|
||||
|
@ -108,17 +111,16 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-shell',\
|
||||
tag:'platform-unix',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
# Apache 2.2 requires configuration file lines to be under 8kB.
|
||||
# Therefore, some remaining commands have been split off to a separate rule.
|
||||
|
@ -146,17 +148,16 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-shell',\
|
||||
tag:'platform-unix',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
# [ Windows command injection ]
|
||||
|
@ -245,22 +246,24 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-shell',\
|
||||
tag:'platform-windows',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
# Apache 2.2 requires configuration file lines to be under 8kB.
|
||||
# Therefore, some remaining commands have been split off to a separate rule.
|
||||
# For explanation of this rule, see rule 932110.
|
||||
#
|
||||
# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
|
||||
# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
|
||||
#
|
||||
# To rebuild the word list regexp:
|
||||
# cd util/regexp-assemble
|
||||
# cat regexp-932115.txt | ./regexp-cmdline.py windows | ./regexp-assemble.pl
|
||||
|
@ -283,17 +286,16 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-shell',\
|
||||
tag:'platform-windows',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
# [ Windows PowerShell, cmdlets and options ]
|
||||
|
@ -307,7 +309,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
# https://technet.microsoft.com/en-us/magazine/ff714569.aspx
|
||||
# https://msdn.microsoft.com/en-us/powershell/scripting/core-powershell/console/powershell.exe-command-line-help
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf windows-powershell-commands.data" \
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile windows-powershell-commands.data" \
|
||||
"id:932120,\
|
||||
phase:2,\
|
||||
block,\
|
||||
|
@ -320,17 +322,16 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-powershell',\
|
||||
tag:'platform-windows',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
# [ Unix shell expressions ]
|
||||
|
@ -345,7 +346,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
# $((foo)) Arithmetic expansion
|
||||
#
|
||||
# Regexp generated from util/regexp-assemble/regexp-932130.data using Regexp::Assemble.
|
||||
# See http://blog.modsecurity.org/2007/06/optimizing-regu.html for usage.
|
||||
# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage.
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\$(?:\((?:\(.*\)|.*)\)|\{.*\})|[<>]\(.*\))" \
|
||||
"id:932130,\
|
||||
|
@ -359,17 +360,16 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-shell',\
|
||||
tag:'platform-unix',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
# [ Windows FOR, IF commands ]
|
||||
|
@ -393,9 +393,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
# http://ss64.com/nt/for.html
|
||||
#
|
||||
# Regexp generated from util/regexp-assemble/regexp-932140.data using Regexp::Assemble.
|
||||
# See http://blog.modsecurity.org/2007/06/optimizing-regu.html for usage.
|
||||
# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage.
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \b(?:if(?:/i)?(?: not)?(?: exist\b| defined\b| errorlevel\b| cmdextversion\b|(?: |\().*(?:\bgeq\b|\bequ\b|\bneq\b|\bleq\b|\bgtr\b|\blss\b|==))|for(/[dflr].*)* %+[^ ]+ in\(.*\)\s?do)" \
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \b(?:if(?:/i)?(?: not)?(?: exist\b| defined\b| errorlevel\b| cmdextversion\b|(?: |\().*(?:\bgeq\b|\bequ\b|\bneq\b|\bleq\b|\bgtr\b|\blss\b|==))|for(?:/[dflr].*)? %+[^ ]+ in\(.*\)\s?do)" \
|
||||
"id:932140,\
|
||||
phase:2,\
|
||||
block,\
|
||||
|
@ -407,17 +407,16 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-shell',\
|
||||
tag:'platform-windows',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
# [ Unix direct remote command execution ]
|
||||
|
@ -429,6 +428,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
# command string is appended (injected) to a regular parameter, and then
|
||||
# passed to a shell unescaped.
|
||||
#
|
||||
# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
|
||||
# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
|
||||
#
|
||||
# Due to a higher risk of false positives, the following changes have been
|
||||
# made relative to rule 932100:
|
||||
# 1) the set of commands is smaller
|
||||
|
@ -457,17 +459,16 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-shell',\
|
||||
tag:'platform-unix',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
# [ Unix shell snippets ]
|
||||
|
@ -478,7 +479,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
# have been added here with their full path, in order to catch some
|
||||
# cases where the full path is sent.
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf unix-shell.data" \
|
||||
# This rule is also triggered by an Apache Struts Remote Code Execution exploit:
|
||||
# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
|
||||
#
|
||||
# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
|
||||
# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile unix-shell.data" \
|
||||
"id:932160,\
|
||||
phase:2,\
|
||||
block,\
|
||||
|
@ -490,17 +497,16 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-shell',\
|
||||
tag:'platform-unix',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
# [ Shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169) ]
|
||||
|
@ -524,17 +530,16 @@ SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \
|
|||
tag:'language-shell',\
|
||||
tag:'platform-unix',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
|
||||
"id:932171,\
|
||||
|
@ -548,17 +553,16 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
|
|||
tag:'language-shell',\
|
||||
tag:'platform-unix',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -574,28 +578,27 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
|
|||
# code execution.
|
||||
#
|
||||
SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name \
|
||||
"@pmf restricted-upload.data" \
|
||||
"@pmFromFile restricted-upload.data" \
|
||||
"id:932180,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:lowercase,\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
msg:'Restricted File Upload Attempt',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
|
||||
|
@ -642,18 +645,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-shell',\
|
||||
tag:'platform-unix',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/3',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
#
|
||||
# -=[ Bypass Rule 930120 (wildcard) ]=-
|
||||
|
@ -677,6 +679,7 @@ SecRule ARGS "@rx (?:/|\\\\)(?:[\?\*]+[a-z/\\\\]+|[a-z/\\\\]+[\?\*]+)" \
|
|||
tag:'language-shell',\
|
||||
tag:'platform-unix',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
|
@ -684,10 +687,8 @@ SecRule ARGS "@rx (?:/|\\\\)(?:[\?\*]+[a-z/\\\\]+|[a-z/\\\\]+[\?\*]+)" \
|
|||
tag:'paranoia-level/3',\
|
||||
ctl:auditLogParts=+E,\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:932017,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:932018,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
|
||||
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -43,6 +43,8 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,skipAf
|
|||
# Therefore, that pattern is now checked by rule 933190 in paranoia levels
|
||||
# 3 or higher.
|
||||
#
|
||||
# Not supported by re2 (?!re).
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:<\?(?!xml\s)|<\?php|\[(?:/|\\\\)?php\])" \
|
||||
"id:933100,\
|
||||
phase:2,\
|
||||
|
@ -55,15 +57,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
#
|
||||
# [ PHP Script Uploads ]
|
||||
|
@ -86,7 +87,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
# X_Filename, or X-File-Name to transmit the file name to the server;
|
||||
# scan these request headers as well as multipart/form-data file names.
|
||||
#
|
||||
SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\.*$" \
|
||||
SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\.*$" \
|
||||
"id:933110,\
|
||||
phase:2,\
|
||||
block,\
|
||||
|
@ -98,21 +99,20 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
|
|||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
#
|
||||
# [ PHP Configuration Directives ]
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-config-directives.data" \
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-config-directives.data" \
|
||||
"id:933120,\
|
||||
phase:2,\
|
||||
block,\
|
||||
|
@ -124,24 +124,23 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule MATCHED_VARS "@pm =" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
#
|
||||
# [ PHP Variables ]
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-variables.data" \
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-variables.data" \
|
||||
"id:933130,\
|
||||
phase:2,\
|
||||
block,\
|
||||
|
@ -153,15 +152,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -191,15 +189,43 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
#
|
||||
# [ PHP Wrappers ]
|
||||
#
|
||||
# PHP comes with many built-in wrappers for various URL-style protocols for use with the filesystem
|
||||
# functions such as fopen(), copy(), file_exists() and filesize(). Abusing of PHP wrappers like phar://
|
||||
# could lead to RCE as describled by Sam Thomas at BlackHat USA 2018 (https://bit.ly/2yaKV5X), even
|
||||
# wrappers like zlib://, glob://, rar://, zip://, etc... could lead to LFI and expect:// to RCE.
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:zlib|glob|phar|ssh2|rar|ogg|expect|zip)://" \
|
||||
"id:933200,\
|
||||
phase:2,\
|
||||
block,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\
|
||||
msg:'PHP Injection Attack: Wrapper scheme detected',\
|
||||
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -215,7 +241,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
# - Rule 933150: ~40 words highly common to PHP injection payloads and extremely rare in
|
||||
# natural language or other contexts.
|
||||
# Examples: 'base64_decode', 'file_get_contents'.
|
||||
# These words are detected as a match directly using @pmf.
|
||||
# These words are detected as a match directly using @pmFromFile.
|
||||
# Function names are defined in php-function-names-933150.data
|
||||
#
|
||||
# - Rule 933160: ~220 words which are common in PHP code, but have a higher chance to cause
|
||||
|
@ -226,7 +252,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
#
|
||||
# - Rule 933151: ~1300 words of lesser importance. This includes most PHP functions and keywords.
|
||||
# Examples: 'addslashes', 'array_diff'.
|
||||
# For performance reasons, the @pmf operator is used, and many functions from lesser
|
||||
# For performance reasons, the @pmFromFile operator is used, and many functions from lesser
|
||||
# used PHP extensions are removed.
|
||||
# To mitigate false positives, we only match when the '(' character is also found.
|
||||
# This rule only runs in paranoia level 2 or higher.
|
||||
|
@ -248,7 +274,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
# We block these function names outright, without using a complex regexp or chain.
|
||||
# This could make the detection a bit more robust against possible bypasses.
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmf php-function-names-933150.data" \
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-function-names-933150.data" \
|
||||
"id:933150,\
|
||||
phase:2,\
|
||||
block,\
|
||||
|
@ -260,15 +286,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -292,8 +317,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
# system //comment \n (...)
|
||||
# system #comment \n (...)
|
||||
#
|
||||
# This rule is also triggered by the following exploit(s):
|
||||
# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
|
||||
# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45260 ]
|
||||
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
|
||||
#
|
||||
# Regexp generated from util/regexp-assemble/regexp-933160.data using Regexp::Assemble.
|
||||
# See http://blog.modsecurity.org/2007/06/optimizing-regu.html for usage.
|
||||
# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage.
|
||||
#
|
||||
# Note that after assemble, PHP function syntax pre/postfix is added to the Regexp::Assemble
|
||||
# output. Example: "@rx (?i)\bASSEMBLE_OUTPUT_HERE(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)"
|
||||
#
|
||||
|
@ -309,15 +340,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -366,15 +396,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
|
||||
|
@ -423,16 +452,56 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
# [ PHP Functions: Variable Function Prevent Bypass ]
|
||||
#
|
||||
# Referring to https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/
|
||||
# the rule 933180 could be bypassed by using the following payloads:
|
||||
#
|
||||
# - (system)('uname')
|
||||
# - (sy.(st).em)('uname')
|
||||
# - (string)"system"('uname')
|
||||
# - define('x', 'sys' . 'tem');(x)/* comment */('uname')
|
||||
# - $y = 'sys'.'tem';($y)('uname')
|
||||
# - define('z', [['sys' .'tem']]);(z)[0][0]('uname');
|
||||
# - (system)(ls)
|
||||
# - (/**/system)(ls/**/);
|
||||
# - (['system'])[0]('uname');
|
||||
# - (++[++system++][++0++])++{/*dsasd*/0}++(++ls++);
|
||||
#
|
||||
# This rule blocks all payloads above and avoids to block values like:
|
||||
#
|
||||
# - [ACME] this is a test (just a test)
|
||||
# - Test (with two) rounded (brackets)
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:(?:\(|\[)[a-zA-Z0-9_.$\"'\[\](){}/*\s]+(?:\)|\])[0-9_.$\"'\[\](){}/*\s]*\([a-zA-Z0-9_.$\"'\[\](){}/*\s].*\)|\([\s]*string[\s]*\)[\s]*(?:\"|'))" \
|
||||
"id:933210,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:urlDecode,t:replaceComments,t:compressWhitespace,\
|
||||
msg:'PHP Injection Attack: Variable Function Call Found',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
|
@ -448,7 +517,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,skipAf
|
|||
# The size of the PHP function list is considerable.
|
||||
# Even after excluding the more obscure PHP extensions, 1300+ functions remain.
|
||||
# For performance and maintenance reasons, this rule does not use a regexp,
|
||||
# but uses a phrase file (@pmf), and additionally looks for an '(' character
|
||||
# but uses a phrase file (@pmFromFile), and additionally looks for an '(' character
|
||||
# in the matched variable.
|
||||
#
|
||||
# This approach carries some risk for false positives. Therefore, the function list
|
||||
|
@ -457,7 +526,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,skipAf
|
|||
#
|
||||
# This rule is a stricter sibling of rule 933150.
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmf php-function-names-933151.data" \
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-function-names-933151.data" \
|
||||
"id:933151,\
|
||||
phase:2,\
|
||||
block,\
|
||||
|
@ -469,19 +538,18 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule MATCHED_VARS "@pm (" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
|
||||
|
@ -506,7 +574,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,skipAf
|
|||
# parameter names or values and this will lead to false positives.
|
||||
# Because this list is not expected to change and it is limited in size we use a
|
||||
# regex in this case to look for these values whereas in its sibling rule we use
|
||||
# @pmf for flexibility and performance.
|
||||
# @pmFromFile for flexibility and performance.
|
||||
#
|
||||
# To rebuild the regexp:
|
||||
# cd util/regexp-assemble
|
||||
|
@ -525,16 +593,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'paranoia-level/3',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -551,8 +618,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
#
|
||||
# This rule is a stricter sibling of rule 933160.
|
||||
#
|
||||
# This rule is also triggered by the following exploit(s):
|
||||
# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45262 ]
|
||||
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
|
||||
#
|
||||
# Regexp generated from util/regexp-assemble/regexp-933161.data using Regexp::Assemble.
|
||||
# See http://blog.modsecurity.org/2007/06/optimizing-regu.html for usage.
|
||||
# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage.
|
||||
#
|
||||
# Note that after assemble, PHP function syntax pre/postfix is added to the Regexp::Assemble
|
||||
# output. Example: "@rx (?i)\bASSEMBLE_OUTPUT_HERE(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)"
|
||||
#
|
||||
|
@ -568,16 +640,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'paranoia-level/3',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -601,7 +672,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
|
|||
#
|
||||
# This rule is a stricter sibling of rule 933110.
|
||||
#
|
||||
SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \
|
||||
SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \
|
||||
"id:933111,\
|
||||
phase:2,\
|
||||
block,\
|
||||
|
@ -613,16 +684,15 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
|
|||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'paranoia-level/3',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
# [ PHP Closing Tag Found ]
|
||||
|
@ -634,27 +704,26 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
|
|||
# See issue #654 for discussion.
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm ?>" \
|
||||
"msg:'PHP Injection Attack: PHP Closing Tag Found',\
|
||||
"id:933190,\
|
||||
phase:2,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
t:none,t:urlDecodeUni,\
|
||||
ctl:auditLogParts=+E,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:urlDecodeUni,\
|
||||
msg:'PHP Injection Attack: PHP Closing Tag Found',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
id:933190,\
|
||||
severity:'CRITICAL',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'paranoia-level/3',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
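--- /dev/null
+++ b/PATH-NOT-ON-PAGE/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
@@ -0,0 +1,94 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.2.0
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
+#
+
+
+# [ Insecure unserialization / generic RCE signatures ]
+#
+# Libraries performing insecure unserialization:
+# - node-serialize: _$$ND_FUNC$$_ (CVE-2017-5941)
+# - funcster: __js_function
+#
+# See:
+# https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
+# https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/
+#
+# Some generic snippets used:
+# - function() {
+# - new Function(
+# - eval(
+# - String.fromCharCode(
+#
+# Last two are used by nodejsshell.py,
+# https://github.com/ajinabraham/Node.Js-Security-Course/blob/master/nodejsshell.py
+#
+# As base64 is sometimes (but not always) used to encode serialized values,
+# use multiMatch and t:base64decode.
+#
+# Regexp generated from util/regexp-assemble/regexp-934100.data using Regexp::Assemble.
+# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage.
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:(?:_(?:\$\$ND_FUNC\$\$_|_js_function)|(?:new\s+Function|\beval)\s*\(|String\s*\.\s*fromCharCode|function\s*\(\s*\)\s*{|this\.constructor)|module\.exports\s*=)" \
+"id:934100,\
+phase:2,\
+block,\
+capture,\
+t:none,t:urlDecodeUni,t:base64Decode,\
+msg:'Node.js Injection Attack',\
+logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+tag:'application-multi',\
+tag:'language-javascript',\
+tag:'platform-multi',\
+tag:'attack-rce',\
+tag:'attack-injection-nodejs',\
+tag:'OWASP_CRS/WEB_ATTACK/NODEJS_INJECTION',\
+tag:'OWASP_TOP_10/A1',\
+ctl:auditLogParts=+E,\
+ver:'OWASP_CRS/3.2.0',\
+severity:'CRITICAL',\
+multiMatch,\
+setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+#
+# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
+#
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+#
+# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
+#
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+#
+# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-934-APPLICATION-ATTACK-NODEJS"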
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -45,6 +45,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -52,12 +53,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -65,7 +64,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
# http://xssplayground.net23.net/xssfilter.html
|
||||
# script tag based XSS vectors, e.g., <script> alert(1)</script>
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[<<]script[^>>]*[>>][\s\S]*?" \
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<script[^>]*>[\s\S]*?" \
|
||||
"id:941110,\
|
||||
phase:2,\
|
||||
block,\
|
||||
|
@ -77,6 +76,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -84,12 +84,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -108,6 +106,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -115,18 +114,16 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
#
|
||||
# -=[ XSS Filters - Category 3 ]=-
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\S](?:x(?:link:href|html|mlns)|!ENTITY.*?SYSTEM|data:text\/html|pattern(?=.*?=)|formaction|\@import|base64)\b" \
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\S]((?:x(?:link:href|html|mlns)|!ENTITY.*?(?:SYSTEM|PUBLIC)|data:text\/html|formaction|\@import|base64)\b|pattern\b.*?=)" \
|
||||
"id:941130,\
|
||||
phase:2,\
|
||||
block,\
|
||||
|
@ -138,6 +135,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -145,12 +143,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -169,6 +165,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -176,12 +173,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -190,7 +185,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
#
|
||||
# [NoScript InjectionChecker] HTML injection
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*(?:\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t|\W*?f\W*?o\W*?r\W*?m|\W*?s\W*?t\W*?y\W*?l\W*?e|\W*?s\W*?v\W*?g|\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e|(?:\W*?l\W*?i\W*?n\W*?k|\W*?o\W*?b\W*?j\W*?e\W*?c\W*?t|\W*?e\W*?m\W*?b\W*?e\W*?d|\W*?a\W*?p\W*?p\W*?l\W*?e\W*?t|\W*?p\W*?a\W*?r\W*?a\W*?m|\W*?i?\W*?f\W*?r\W*?a\W*?m\W*?e|\W*?b\W*?a\W*?s\W*?e|\W*?b\W*?o\W*?d\W*?y|\W*?m\W*?e\W*?t\W*?a|\W*?i\W*?m\W*?a?\W*?g\W*?e?|\W*?v\W*?i\W*?d\W*?e\W*?o|\W*?a\W*?u\W*?d\W*?i\W*?o|\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s|\W*?s\W*?e\W*?t|\W*?a\W*?n\W*?i\W*?m\W*?a\W*?t\W*?e)[^>\w])|(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:formaction|style|background|src|lowsrc|ping|on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)?|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|m(?:o(?:z(?:pointerlock(?:change|error)|(?:orientation|time)change|fullscreen(?:change|error)|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|u(?:ccess|
spend|bmit)|peech(?:start|end)|ound(?:start|end)|croll|how)|b(?:e(?:for(?:e(?:(?:scriptexecu|activa)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|deactivate)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ime(?:update|out)|ransitionend|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom))[\s\x08]*?=" \
|
||||
# Regexp generated from util/regexp-assemble/regexp-941160.data using Regexp::Assemble.
|
||||
# To rebuild the regexp:
|
||||
# cd util/regexp-assemble
|
||||
# ./regexp-assemble.pl regexp-941160.data
|
||||
# Note that after assemble an ignore case flag (i) is added to the to the Regexp::Assemble output:
|
||||
# Add ignore case flag between '?' and ':': "(?i:...)"
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|(?:peech|ound)(?:start|end)|u(?:ccess|spend|bmit)|croll|how)|m(?:o(?:z(?:(?:pointerlock|fullscreen)(?:change|error)|(?:orientation|time)change|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|b(?:e(?:for(?:e(?:(?:scriptexecu|activa)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|deactivate)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:
s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ime(?:update|out)|ransitionend|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom)|s(?:tyle|rc)|background|formaction|lowsrc|ping)[\s\x08]*?=|<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?(?:(?:a\W*?(?:n\W*?i\W*?m\W*?a\W*?t\W*?e|p\W*?p\W*?l\W*?e\W*?t|u\W*?d\W*?i\W*?o)|b\W*?(?:i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s|a\W*?s\W*?e|o\W*?d\W*?y)|i?\W*?f\W*?r\W*?a\W*?m\W*?e|o\W*?b\W*?j\W*?e\W*?c\W*?t|i\W*?m\W*?a?\W*?g\W*?e?|e\W*?m\W*?b\W*?e\W*?d|p\W*?a\W*?r\W*?a\W*?m|v\W*?i\W*?d\W*?e\W*?o|l\W*?i\W*?n\W*?k)[^>\w]|s\W*?(?:c\W*?r\W*?i\W*?p\W*?t|t\W*?y\W*?l\W*?e|e\W*?t[^>\w]|v\W*?g)|m\W*?(?:a\W*?r\W*?q\W*?u\W*?e\W*?e|e\W*?t\W*?a[^>\w])|f\W*?o\W*?r\W*?m))" \
|
||||
"id:941160,\
|
||||
phase:2,\
|
||||
block,\
|
||||
|
@ -202,6 +204,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -209,12 +212,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -232,6 +233,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -239,19 +241,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
#
|
||||
# [Blacklist Keywords from Node-Validator]
|
||||
# https://raw.github.com/chriso/node-validator/master/validator.js
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm document.cookie document.write document[ self[ .parentnode .innerhtml window.location -moz-binding <!-- --> <![cdata[" \
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm document.cookie document.write .parentnode .innerhtml window.location -moz-binding <!-- --> <![cdata[" \
|
||||
"id:941180,\
|
||||
phase:2,\
|
||||
block,\
|
||||
|
@ -263,6 +263,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -270,12 +271,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -283,7 +282,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
# Ref: http://blogs.technet.com/srd/archive/2008/08/18/ie-8-xss-filter-architecture-implementation.aspx
|
||||
# Ref: http://xss.cx/examples/ie/internet-exploror-ie9-xss-filter-rules-example-regexp-mshtmldll.txt
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<style.*?>.*?((@[i\\\\])|(([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))))" \
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<style.*?>.*?(?:@[i\\\\]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(\\\\]|&#x?0*(?:40|28|92|5C);?)))" \
|
||||
"id:941190,\
|
||||
phase:2,\
|
||||
block,\
|
||||
|
@ -295,6 +294,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -302,12 +302,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<.*[:]?vmlframe.*?[\s/+]*?src[\s/+]*=)" \
|
||||
|
@ -322,6 +320,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -329,15 +328,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(j|(&#x?0*((74)|(4A)|(106)|(6A));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" \
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)" \
|
||||
"id:941210,\
|
||||
phase:2,\
|
||||
block,\
|
||||
|
@ -349,6 +346,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -356,15 +354,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(b|(&#x?0*((66)|(42)|(98)|(62));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" \
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:v|&#x?0*(?:86|56|118|76);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:b|&#x?0*(?:66|42|98|62);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)" \
|
||||
"id:941220,\
|
||||
phase:2,\
|
||||
block,\
|
||||
|
@ -376,6 +372,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -383,12 +380,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<EMBED[\s/+].*?(?:src|type).*?=" \
|
||||
|
@ -403,6 +398,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -410,12 +406,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx <[?]?import[\s\/+\S]*?implementation[\s\/+]*?=" \
|
||||
|
@ -430,6 +424,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -437,15 +432,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<META[\s/+].*?http-equiv[\s/+]*=[\s/+]*[\"\'`]?(((c|(&#x?0*((67)|(43)|(99)|(63));?)))|((r|(&#x?0*((82)|(52)|(114)|(72));?)))|((s|(&#x?0*((83)|(53)|(115)|(73));?)))))" \
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<META[\s/+].*?http-equiv[\s/+]*=[\s/+]*[\"'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))" \
|
||||
"id:941250,\
|
||||
phase:2,\
|
||||
block,\
|
||||
|
@ -457,6 +450,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -464,12 +458,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<META[\s/+].*?charset[\s/+]*=)" \
|
||||
|
@ -484,6 +476,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -491,12 +484,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<LINK[\s/+].*?href[\s/+]*=" \
|
||||
|
@ -511,6 +502,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -518,12 +510,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<BASE[\s/+].*?href[\s/+]*=" \
|
||||
|
@ -538,6 +528,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -545,12 +536,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<APPLET[\s/+>]" \
|
||||
|
@ -565,6 +554,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -572,12 +562,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<OBJECT[\s/+].*?(?:type|codetype|classid|code|data)[\s/+]*=" \
|
||||
|
@ -592,6 +580,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -599,12 +588,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
#
|
||||
# https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
|
||||
|
@ -624,6 +611,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-multi',\
|
||||
tag:'platform-tomcat',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -631,12 +619,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
#
|
||||
# UTF-7 encoding XSS filter evasion for IE.
|
||||
|
@ -648,13 +634,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
|
||||
t:none,t:urlDecodeUni,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
|
||||
msg:'UTF-7 Encoding IE XSS - Attack Detected.',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-internet-explorer',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -662,12 +649,80 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
#
|
||||
# Defend against JSFuck and Hieroglyphy obfuscation of Javascript code
|
||||
#
|
||||
# https://en.wikipedia.org/wiki/JSFuck
|
||||
# https://github.com/alcuadrado/hieroglyphy
|
||||
#
|
||||
# These JS obfuscations mostly aim for client side XSS exploits, hence the
|
||||
# integration of this rule into the XSS rule group. But serverside JS could
|
||||
# also be attacked via these techniques.
|
||||
#
|
||||
# Detection pattern / Core elements of JSFuck and Hieroglyphy are the
|
||||
# following two items:
|
||||
# !![]
|
||||
# !+[]
|
||||
#
|
||||
# ModSecurity always transforms "+" into " " with query strings and the
|
||||
# URLENCODE body processor (but not for JSON). So we need to check for
|
||||
# the following patterns:
|
||||
# !![]
|
||||
# !+[]
|
||||
# ! []
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ![!+ ]\[\]" \
|
||||
"id:941360,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'JSFuck / Hieroglyphy obfuscation detected',\
|
||||
logdata:'Matched Data: Suspicious payload found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'OWASP_TOP_10/A7',\
|
||||
tag:'CAPEC-63',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
#
|
||||
# Prevent 941180 bypass by using JavaScript global variables
|
||||
# Examples:
|
||||
# - /?search=/?a=";+alert(self["document"]["cookie"]);//
|
||||
# - /?search=/?a=";+document+/*foo*/+.+/*bar*/+cookie;//
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:/* "@rx (?:self|document|this|top|window)\s*\)*(?:\[[^\]]+\]|\.\s*document|\.\s*cookie)" \
|
||||
"id:941370,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:removeComments,t:urlDecodeUni,\
|
||||
msg:'JavaScript global variable found',\
|
||||
logdata:'Matched Data: Suspicious JS global variable found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'OWASP_TOP_10/A7',\
|
||||
tag:'CAPEC-63',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
||||
|
@ -691,6 +746,7 @@ SecRule REQUEST_HEADERS:Referer "@detectXSS" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -699,12 +755,10 @@ SecRule REQUEST_HEADERS:Referer "@detectXSS" \
|
|||
tag:'CAPEC-242',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
#
|
||||
|
@ -723,6 +777,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -731,12 +786,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
tag:'CAPEC-242',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
# Detect tags that are the most common direct HTML injection points.
|
||||
|
@ -797,6 +850,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
|
|||
# - Links do not have to be fully qualified. For example, the following works:
|
||||
# <script src="//ha.ckers.org/.j">
|
||||
#
|
||||
# This rule is also triggered by the following exploit(s):
|
||||
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx <(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W" \
|
||||
"id:941320,\
|
||||
phase:2,\
|
||||
|
@ -809,6 +865,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -816,25 +873,24 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'PCI/6.5.1',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\"\'][ ]*(([^a-z0-9~_:\' ])|(in)).*?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))|((o|(\\\\u006F))(n|(\\\\u006E))(e|(\\\\u0065))(r|(\\\\u0072))(r|(\\\\u0072))(o|(\\\\u006F))(r|(\\\\u0072)))|((v|(\\\\u0076))(a|(\\\\u0061))(l|(\\\\u006C))(u|(\\\\u0075))(e|(\\\\u0065))(O|(\\\\u004F))(f|(\\\\u0066)))).*?=)" \
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\"'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|\\\\u006C)(?:o|\\\\u006F)(?:c|\\\\u0063)(?:a|\\\\u0061)(?:t|\\\\u0074)(?:i|\\\\u0069)(?:o|\\\\u006F)(?:n|\\\\u006E)|(?:n|\\\\u006E)(?:a|\\\\u0061)(?:m|\\\\u006D)(?:e|\\\\u0065)|(?:o|\\\\u006F)(?:n|\\\\u006E)(?:e|\\\\u0065)(?:r|\\\\u0072)(?:r|\\\\u0072)(?:o|\\\\u006F)(?:r|\\\\u0072)|(?:v|\\\\u0076)(?:a|\\\\u0061)(?:l|\\\\u006C)(?:u|\\\\u0075)(?:e|\\\\u0065)(?:O|\\\\u004F)(?:f|\\\\u0066)).*?=)" \
|
||||
"id:941330,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,\
|
||||
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,\
|
||||
msg:'IE XSS Filters - Attack Detected.',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -842,25 +898,27 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'PCI/6.5.1',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
# This rule is also triggered by the following exploit(s):
|
||||
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"\'][ ]*(?:[^a-z0-9~_:\' ]|in).+?[.].+?=" \
|
||||
"id:941340,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,\
|
||||
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,\
|
||||
msg:'IE XSS Filters - Attack Detected.',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
|
@ -868,13 +926,45 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
|
|||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'PCI/6.5.1',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
#
|
||||
# Defend against AngularJS client side template injection
|
||||
#
|
||||
# Of course, pure client-side AngularJS commands can not be intercepted.
|
||||
# But once a command is sent to the server, the CRS will trigger.
|
||||
#
|
||||
# https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs
|
||||
#
|
||||
# Example payload:
|
||||
# http://localhost/login?user=%20x%20%7B%7Bconstructor.constructor(%27alert(1)%27)()%7D%7D%20.%20ff
|
||||
# Decoded argument:
|
||||
# {{constructor.constructor('alert(1)')()}}
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx {{.*?}}" \
|
||||
"id:941380,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'AngularJS client side template injection detected',\
|
||||
logdata:'Matched Data: Suspicious payload found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'OWASP_TOP_10/A7',\
|
||||
tag:'CAPEC-63',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -39,16 +39,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-fixation',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\
|
||||
tag:'WASCTC/WASC-37',\
|
||||
tag:'CAPEC-61',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
|
||||
|
@ -63,21 +62,20 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-fixation',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\
|
||||
tag:'WASCTC/WASC-37',\
|
||||
tag:'CAPEC-61',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:Referer "@rx ^(?:ht|f)tps?://(.*?)\/" \
|
||||
"capture,\
|
||||
chain"
|
||||
SecRule TX:1 "!@endsWith %{request_headers.host}" \
|
||||
"setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
"setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
|
||||
|
@ -92,18 +90,17 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-fixation',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\
|
||||
tag:'WASCTC/WASC-37',\
|
||||
tag:'CAPEC-61',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule &REQUEST_HEADERS:Referer "@eq 0" \
|
||||
"setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
"setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -12,38 +12,54 @@
|
|||
#
|
||||
# Many rules check request bodies, use "SecRequestBodyAccess On" to enable it on main modsecurity configuration file.
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "phase:1,id:944011,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "phase:2,id:944012,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
# This rule is also triggered by an Apache Struts exploit:
|
||||
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ]
|
||||
#
|
||||
# This rule is also triggered by an Apache Struts Remote Code Execution exploit:
|
||||
# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
|
||||
#
|
||||
# This rule is also triggered by an Apache Struts Remote Code Execution exploit:
|
||||
# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
|
||||
#
|
||||
# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
|
||||
# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
|
||||
#
|
||||
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
|
||||
"@rx java\.lang\.(?:runtime|processbuilder)" \
|
||||
"id:944100,\
|
||||
phase:2,\
|
||||
block,\
|
||||
t:none,t:lowercase,\
|
||||
log,\
|
||||
msg:'Remote Command Execution: Suspicious Java class detected',\
|
||||
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
|
||||
t:none,t:lowercase,\
|
||||
tag:'application-multi',\
|
||||
tag:'language-java',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/1',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
# This rule is also triggered by the following exploit(s):
|
||||
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ]
|
||||
# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
|
||||
# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
|
||||
# [ Java deserialization vulnerability/Apache Struts (CVE-2017-9805) ]
|
||||
# [ Java deserialization vulnerability/Oracle Weblogic (CVE-2017-10271) ]
|
||||
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
|
||||
#
|
||||
# Generic rule to detect processbuilder or runtime calls, if any of thos is found and the same target contains
|
||||
# java. unmarshaller or base64data to trigger a potential payload execution
|
||||
|
@ -62,19 +78,18 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'language-java',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/1',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \
|
||||
"setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
"setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
# Magic bytes detected and payload included possibly RCE vulnerable classess detected and process execution methods detected
|
||||
# anomaly score set to critical as all conditions indicate the request try to perform RCE.
|
||||
|
@ -91,49 +106,56 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'language-java',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/1',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
|
||||
"t:none,t:lowercase,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
|
||||
"@pmf java-classes.data" \
|
||||
# This rule is also triggered by the following exploit(s):
|
||||
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/mazen160/struts-pwn ]
|
||||
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ]
|
||||
# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
|
||||
# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
|
||||
# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
|
||||
# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45262 ]
|
||||
# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45260 ]
|
||||
#
|
||||
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_FILENAME|REQUEST_HEADERS|XML:/*|XML://@* \
|
||||
"@pmFromFile java-classes.data" \
|
||||
"id:944130,\
|
||||
phase:2,\
|
||||
block,\
|
||||
t:none,t:lowercase,\
|
||||
log,\
|
||||
msg:'Suspicious Java class detected',\
|
||||
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
|
||||
t:none,t:lowercase,\
|
||||
tag:'application-multi',\
|
||||
tag:'language-java',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/1',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "phase:1,id:944013,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "phase:2,id:944014,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
@ -161,17 +183,16 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'language-java',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
# Detecting possibe base64 text to match encoded magic bytes \xac\xed\x00\x05 with padding encoded in base64 strings are rO0ABQ KztAAU Cs7QAF
|
||||
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
|
||||
|
@ -186,17 +207,16 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'language-java',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
|
||||
"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \
|
||||
|
@ -211,47 +231,48 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'language-java',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
# This rule is also triggered by the following exploit(s):
|
||||
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
|
||||
#
|
||||
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
|
||||
"@rx java\b.+(?:runtime|processbuilder)" \
|
||||
"id:944250,\
|
||||
phase:2,\
|
||||
block,\
|
||||
t:lowercase,\
|
||||
log,\
|
||||
msg:'Remote Command Execution: Suspicious Java method detected',\
|
||||
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
|
||||
t:lowercase,\
|
||||
tag:'application-multi',\
|
||||
tag:'language-java',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "phase:1,id:944015,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "phase:2,id:944016,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
@ -275,21 +296,20 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
|
|||
tag:'language-java',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/3',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "phase:1,id:944017,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "phase:2,id:944018,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -71,8 +71,7 @@ SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
|
|||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule TX:DO_REPUT_BLOCK "@eq 1" \
|
||||
"setvar:'tx.inbound_tx_msg=%{tx.msg}',\
|
||||
setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
|
||||
"setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
|
||||
|
||||
#
|
||||
# -=[ Anomaly Mode: Overall Transaction Anomaly Score ]=-
|
||||
|
@ -89,7 +88,6 @@ SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
|
|||
tag:'platform-multi',\
|
||||
tag:'attack-generic',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_tx_msg=%{tx.msg}',\
|
||||
setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
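Review bot: Both blocking-evaluation rules in this section stop populating `tx.inbound_tx_msg` — the `setvar:'tx.inbound_tx_msg=%{tx.msg}'` action is dropped from the reputation-block chain and from the anomaly-score rule — so that variable (and the per-rule `tx.msg` it mirrored, whose setvar lines are removed throughout the other files in this commit) is empty for the rest of the transaction. Anything outside the CRS tree that reads those names, such as custom rules, audit-log post-processing or SIEM parsers keyed on the triggering message, will silently lose that field rather than fail, because an unset TX variable expands to nothing. The deciding rule id and message are still in the audit log, so the fix is on the consumer side, but the custom-rule include directories this deployment wires in should be grepped for `inbound_tx_msg` and `tx.msg` before this ships. This is upstream 3.2.0 behaviour, not a local change, so nothing needs to be edited in this file.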
|
||||
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -39,18 +39,51 @@ SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Inde
|
|||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/LEAKAGE/INFO_DIRECTORY_LISTING',\
|
||||
tag:'WASCTC/WASC-13',\
|
||||
tag:'OWASP_TOP_10/A6',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/INFO-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
||||
#
|
||||
# -=[ CGI Source Code Leakage ]=-
|
||||
#
|
||||
# A CGI script begins normally with #! and the interpreter,
|
||||
# for example:
|
||||
#
|
||||
# #!/usr/bin/perl
|
||||
# #!/usr/bin/python
|
||||
# #!/usr/bin/ruby
|
||||
#
|
||||
# If the CGI script processors or MIME type handlers are misconfigured,
|
||||
# the script's source code could be erroneously returned to the client.
|
||||
SecRule RESPONSE_BODY "@rx ^#\!\s?/" \
|
||||
"id:950140,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'CGI source code leakage',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_CGI',\
|
||||
tag:'WASCTC/WASC-13',\
|
||||
tag:'OWASP_TOP_10/A6',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
|
@ -79,12 +112,10 @@ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
|
|||
tag:'PCI/6.5.6',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.error_anomaly_score}'"
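Review bot: The new rule 950140 (`SecRule RESPONSE_BODY "@rx ^#\!\s?/"`, phase 4) only ever sees a body when the engine has `SecResponseBodyAccess On` and the response's Content-Type is listed in `SecResponseBodyMimeType` (and the body is within `SecResponseBodyLimit`); none of those directives live in this file, so whether it — and the rest of the outbound 950/951/952 leakage rules — actually fires here depends on the engine configuration, which should be confirmed rather than assumed. A leaked CGI script is commonly served as text/plain, but if the server emits it as application/x-perl or application/octet-stream, a MIME list limited to text/html and text/plain would never hand the body to this rule, so the rule is a best-effort signal, not a guarantee. Its contribution is `tx.error_anomaly_score` on the outbound score, matching the directory-listing rule above it, so it will not block on its own unless the outbound threshold is tuned for that; presumably intended for a leakage signal, but worth a line in the deployment notes.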
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -29,13 +29,13 @@ SecRule RESPONSE_BODY "@pmFromFile sql-errors.data" \
|
|||
"id:951100,\
|
||||
phase:4,\
|
||||
pass,\
|
||||
nolog,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-disclosure',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
setvar:'tx.sql_error_match=1'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
|
@ -50,19 +50,18 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-msaccess',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951120,\
|
||||
|
@ -76,19 +75,18 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-oracle',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951130,\
|
||||
|
@ -102,19 +100,18 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-db2',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.*DB2|DB2 SQL error|db2_\w+\()" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951140,\
|
||||
|
@ -128,19 +125,18 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-emc',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinity of:)" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951150,\
|
||||
|
@ -154,19 +150,18 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-firebird',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
|
@ -181,19 +176,18 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-frontbase',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollback\." \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951170,\
|
||||
|
@ -207,19 +201,18 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-hsqldb',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951180,\
|
||||
|
@ -233,19 +226,18 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-informix',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.*Informix)" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
|
@ -260,19 +252,18 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-ingres',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
|
@ -287,19 +278,18 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-interbase',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951210,\
|
||||
|
@ -313,19 +303,18 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-maxdb',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951220,\
|
||||
|
@ -339,19 +328,18 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-mssql',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[\-\_\ ]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.)" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951230,\
|
||||
|
@ -365,19 +353,18 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-mysql',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid MySQL|Column count doesn't match value count at row|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax;|You have an error in your SQL syntax near|MySQL server version for the right syntax to use|\[MySQL\]\[ODBC|Column count doesn't match|Table '[^']+' doesn't exist|SQL syntax.*MySQL|Warning.*mysql_.*|valid MySQL result|MySqlClient\.)" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951240,\
|
||||
|
@ -391,19 +378,18 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-pgsql',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)(?:PostgreSQL query failed:|pg_query\(\) \[:|pg_exec\(\) \[:|PostgreSQL.*ERROR|Warning.*pg_.*|valid PostgreSQL result|Npgsql\.|PG::([a-zA-Z]*)Error|Supplied argument is not a valid PostgreSQL (?:.*?) resource|Unable to connect to PostgreSQL server)" \
|
||||
SecRule RESPONSE_BODY "@rx (?i:PostgreSQL query failed:|pg_query\(\) \[:|pg_exec\(\) \[:|PostgreSQL.*ERROR|Warning.*pg_.*|valid PostgreSQL result|Npgsql\.|PG::[a-zA-Z]*Error|Supplied argument is not a valid PostgreSQL .*? resource|Unable to connect to PostgreSQL server)" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951250,\
|
||||
|
@ -417,19 +403,18 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-sqlite',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\.Exception|System\.Data\.SQLite\.SQLiteException)" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951260,\
|
||||
|
@ -443,19 +428,18 @@ SecRule TX:sql_error_match "@eq 1" \
|
|||
tag:'language-multi',\
|
||||
tag:'platform-sybase',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.*sybase.*|Sybase.*Server message.*)" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -34,17 +34,16 @@ SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
|
|||
tag:'language-java',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_JAVA',\
|
||||
tag:'WASCTC/WASC-13',\
|
||||
tag:'OWASP_TOP_10/A6',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
||||
#
|
||||
# -=[ Java Errors ]=-
|
||||
|
@ -63,17 +62,16 @@ SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
|
|||
tag:'language-java',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_JAVA',\
|
||||
tag:'WASCTC/WASC-13',\
|
||||
tag:'OWASP_TOP_10/A6',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -22,7 +22,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,skipAf
|
|||
#
|
||||
# -=[ PHP Error Message Leakage ]=-
|
||||
#
|
||||
SecRule RESPONSE_BODY "@pmf php-errors.data" \
|
||||
SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \
|
||||
"id:953100,\
|
||||
phase:4,\
|
||||
block,\
|
||||
|
@ -34,17 +34,16 @@ SecRule RESPONSE_BODY "@pmf php-errors.data" \
|
|||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_PHP',\
|
||||
tag:'WASCTC/WASC-13',\
|
||||
tag:'OWASP_TOP_10/A6',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
||||
#
|
||||
# -=[ PHP source code leakage ]=-
|
||||
|
@ -63,17 +62,16 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan
|
|||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_PHP',\
|
||||
tag:'WASCTC/WASC-13',\
|
||||
tag:'OWASP_TOP_10/A6',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
||||
# Detect the presence of the PHP open tag "<?" or "<?php" in output.
|
||||
#
|
||||
|
@ -82,6 +80,8 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan
|
|||
# some common binary file format headers, such as gzip (\x1f\x8b\x08),
|
||||
# png (IHDR), mp3 (ID3), movie formats et cetera.
|
||||
#
|
||||
# Not supported by re2 (?!re).
|
||||
#
|
||||
SecRule RESPONSE_BODY "@rx <\?(?!xml)" \
|
||||
"id:953120,\
|
||||
phase:4,\
|
||||
|
@ -94,21 +94,20 @@ SecRule RESPONSE_BODY "@rx <\?(?!xml)" \
|
|||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_PHP',\
|
||||
tag:'WASCTC/WASC-13',\
|
||||
tag:'OWASP_TOP_10/A6',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'ERROR',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "!@rx (?:\x1f\x8b\x08|\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b)" \
|
||||
"t:none,\
|
||||
capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
SecRule RESPONSE_BODY "!@rx (?:\x1f\x8b\x08|\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b|^wOF(?:F|2))" \
|
||||
"capture,\
|
||||
t:none,\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:953013,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -34,9 +34,8 @@ SecRule RESPONSE_BODY "@rx [a-z]:\\\\inetpub\b" \
|
|||
tag:'platform-windows',\
|
||||
tag:'attack-disclosure',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
||||
|
@ -57,12 +56,10 @@ SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:<\/font
|
|||
tag:'OWASP_TOP_10/A6',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
||||
#
|
||||
# IIS Errors leakage
|
||||
|
@ -80,17 +77,16 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application
|
|||
tag:'platform-iis',\
|
||||
tag:'platform-windows',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',\
|
||||
tag:'WASCTC/WASC-13',\
|
||||
tag:'OWASP_TOP_10/A6',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
||||
|
||||
SecRule RESPONSE_STATUS "!@rx ^404$" \
|
||||
|
@ -106,21 +102,20 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
|
|||
tag:'platform-iis',\
|
||||
tag:'platform-windows',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',\
|
||||
tag:'WASCTC/WASC-13',\
|
||||
tag:'OWASP_TOP_10/A6',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
ver:'OWASP_CRS/3.2.0',\
|
||||
severity:'ERROR',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \
|
||||
"t:none,\
|
||||
capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
"capture,\
|
||||
t:none,\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -60,13 +60,19 @@ SecRule TX:PARANOIA_LEVEL "@ge 4" \
|
|||
|
||||
# Alert and Block on High Anomaly Scores - this would block outbound data leakages
|
||||
#
|
||||
# Note: This rule also sets the 'tx.anomaly_score' variable.
|
||||
# That variable name was formerly used in CRS, but not any longer.
|
||||
# However, Jwall AuditConsole depends on this exact variable name.
|
||||
# Without setting it, the 'Outbound Score' in the AuditConsole GUI would always be 0.
|
||||
|
||||
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
|
||||
"id:959100,\
|
||||
phase:4,\
|
||||
deny,\
|
||||
t:none,\
|
||||
msg:'Outbound Anomaly Score Exceeded (Total Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
|
||||
tag:'anomaly-evaluation'"
|
||||
tag:'anomaly-evaluation',\
|
||||
setvar:'tx.anomaly_score=+%{tx.outbound_anomaly_score}'"
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
@ -27,7 +27,7 @@ SecRule &TX:'/LEAKAGE\\\/ERRORS/' "@ge 1" \
|
|||
pass,\
|
||||
t:none,\
|
||||
log,\
|
||||
msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (%{tx.inbound_tx_msg} - Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
|
||||
msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
|
||||
tag:'event-correlation',\
|
||||
severity:'EMERGENCY',\
|
||||
chain,\
|
||||
|
@ -43,9 +43,9 @@ SecRule &TX:'/AVAILABILITY\\\/APP_NOT_AVAIL/' "@ge 1" \
|
|||
pass,\
|
||||
t:none,\
|
||||
log,\
|
||||
msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
|
||||
severity:'ALERT',\
|
||||
msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
|
||||
tag:'event-correlation',\
|
||||
severity:'ALERT',\
|
||||
chain,\
|
||||
skipAfter:END-CORRELATION"
|
||||
SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none"
|
||||
|
@ -70,7 +70,7 @@ SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_threshold}" \
|
|||
t:none,\
|
||||
log,\
|
||||
noauditlog,\
|
||||
msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): %{tx.inbound_tx_msg}; individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\
|
||||
msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\
|
||||
tag:'event-correlation',\
|
||||
chain"
|
||||
SecRule TX:MONITOR_ANOMALY_SCORE "@gt 1"
|
||||
|
@ -82,7 +82,7 @@ SecRule TX:INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
|
|||
t:none,\
|
||||
log,\
|
||||
noauditlog,\
|
||||
msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): %{tx.inbound_tx_msg}; individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\
|
||||
msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\
|
||||
tag:'event-correlation'"
|
||||
|
||||
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
|
||||
|
@ -92,7 +92,7 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
|
|||
t:none,\
|
||||
log,\
|
||||
noauditlog,\
|
||||
msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}; individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\
|
||||
msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\
|
||||
tag:'event-correlation'"
|
||||
|
||||
# Creating a total sum of all triggered outbound rules, including the ones only being monitored
|
||||
|
@ -115,7 +115,7 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@lt %{tx.outbound_anomaly_score_threshold}" \
|
|||
t:none,\
|
||||
log,\
|
||||
noauditlog,\
|
||||
msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}; individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\
|
||||
msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\
|
||||
tag:'event-correlation',\
|
||||
chain"
|
||||
SecRule TX:MONITOR_ANOMALY_SCORE "@gt 1"
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
|
|
|
@ -1,5 +1,7 @@
|
|||
# Search engine crawlers and other bots
|
||||
|
||||
# crawler
|
||||
# https://80legs.com/
|
||||
80legs
|
||||
# site ripper
|
||||
# http://www.softbytelabs.com/en/BlackWidow/
|
||||
black widow
|
||||
|
@ -32,3 +34,5 @@ MJ12bot
|
|||
Owlin bot
|
||||
# misbehaving spider
|
||||
Lingewoud-550-Spyder
|
||||
# https://www.wappalyzer.com/
|
||||
Wappalyzer
|
||||
|
|
|
@ -8,6 +8,8 @@ java.io.CharArrayReader
|
|||
java.io.DataInputStream
|
||||
java.io.File
|
||||
java.io.FileOutputStream
|
||||
java.io.FilePermission
|
||||
java.io.FileWriter
|
||||
java.io.FilterInputStream
|
||||
java.io.FilterOutputStream
|
||||
java.io.FilterReader
|
||||
|
@ -35,4 +37,7 @@ java.lang.StringBuilder
|
|||
java.lang.System
|
||||
javax.script.ScriptEngineManager
|
||||
org.apache.commons
|
||||
org.apache.struts
|
||||
org.apache.struts2
|
||||
org.omg.CORBA
|
||||
java.beans.XMLDecode
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
<b>Warning</b>:
|
||||
No row with the given identifier
|
||||
open_basedir restriction in effect
|
||||
eval()'d code</b> on line <b>
|
||||
|
|
|
@ -10,6 +10,11 @@ convert_uudecode
|
|||
file_get_contents
|
||||
file_put_contents
|
||||
fsockopen
|
||||
get_class_methods
|
||||
get_class_vars
|
||||
get_defined_constants
|
||||
get_defined_functions
|
||||
get_defined_vars
|
||||
gzdecode
|
||||
gzinflate
|
||||
gzuncompress
|
||||
|
|
|
@ -218,14 +218,9 @@ gd_info
|
|||
get_browser
|
||||
get_called_class
|
||||
get_class
|
||||
get_class_methods
|
||||
get_class_vars
|
||||
get_declared_classes
|
||||
get_declared_interfaces
|
||||
get_declared_traits
|
||||
get_defined_constants
|
||||
get_defined_functions
|
||||
get_defined_vars
|
||||
get_extension_funcs
|
||||
get_headers
|
||||
get_html_translation_table
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
.htaccess
|
||||
.htdigest
|
||||
.htpasswd
|
||||
# dotfiles (keep in sync with lfi-os-files.data)
|
||||
# home level dotfiles (keep in sync with lfi-os-files.data)
|
||||
.aptitude/config
|
||||
.bash_config
|
||||
.bash_history
|
||||
|
@ -107,10 +107,39 @@ wp-config.txt
|
|||
/packages.json
|
||||
# dotenv
|
||||
/.env
|
||||
/.env
|
||||
# OSX
|
||||
/.DS_Store
|
||||
# WS FTP
|
||||
/.ws_ftp.ini
|
||||
# common, old network config file
|
||||
.netrc
|
||||
# New Top Level dotfiles
|
||||
.thunderbird/
|
||||
.vmware/
|
||||
.kube/
|
||||
.java/
|
||||
.anydesk/
|
||||
.docker/
|
||||
.npm/
|
||||
.nvm/
|
||||
.minikube/
|
||||
.atom/
|
||||
.aws/config
|
||||
.aws/credentials
|
||||
.cups/
|
||||
.dbus/
|
||||
.boto
|
||||
.gem/
|
||||
.gnonme/
|
||||
.gsutil/
|
||||
# New Per-Project Files
|
||||
.idea
|
||||
nbproject/
|
||||
bower.json
|
||||
.bowerrc
|
||||
.eslintrc
|
||||
.jshintrc
|
||||
.gitlab-ci.yml
|
||||
.travis.yml
|
||||
database.yml
|
||||
Dockerfile
|
||||
|
|
|
@ -61,6 +61,9 @@ floodgate
|
|||
# "F-Secure Radar is a turnkey vulnerability scanning and management platform."
|
||||
F-Secure Radar
|
||||
get-minimal
|
||||
# Scanner that looks for existing or hidden web objects
|
||||
# https://github.com/OJ/gobuster
|
||||
gobuster
|
||||
# vuln scanner
|
||||
gootkit auto-rooter scanner
|
||||
grabber
|
||||
|
@ -77,6 +80,8 @@ internet ninja
|
|||
jaascois
|
||||
# vuln scanner
|
||||
zmeu
|
||||
# "Mozilla/5.0 Jorgee", vuln scanner
|
||||
Jorgee
|
||||
# port scanner
|
||||
# https://github.com/robertdavidgraham/masscan
|
||||
masscan
|
||||
|
@ -137,6 +142,8 @@ sqlmap
|
|||
# sql injection
|
||||
# http://sqlninja.sourceforge.net/
|
||||
sqlninja
|
||||
# https://www.cyber.nj.gov/threat-profiles/trojan-variants/sysscan
|
||||
sysscan
|
||||
# password cracker
|
||||
# http://foofus.net/goons/jmk/medusa/medusa.html
|
||||
teh forest lobster
|
||||
|
@ -193,3 +200,6 @@ struts-pwn
|
|||
# Detectify website vulnerability scanner
|
||||
# https://detectify.com/
|
||||
Detectify
|
||||
# ZGrab scanner (Mozilla/5.0 zgrab/0.x)
|
||||
# https://zmap.io
|
||||
zgrab
|
||||
|
|
|
@ -1,236 +0,0 @@
|
|||
abs
|
||||
acos
|
||||
adddate
|
||||
addtime
|
||||
aes_decrypt
|
||||
aes_encrypt
|
||||
ascii
|
||||
asciistr
|
||||
asin
|
||||
atan
|
||||
atan2
|
||||
avg
|
||||
benchmark
|
||||
bin
|
||||
bin_to_num
|
||||
bit_and
|
||||
bit_count
|
||||
bit_length
|
||||
bit_or
|
||||
bit_xor
|
||||
cast
|
||||
ciel
|
||||
cieling
|
||||
char_length
|
||||
char
|
||||
character_length
|
||||
charset
|
||||
chr
|
||||
coalesce
|
||||
coercibility
|
||||
collation
|
||||
compress
|
||||
concat_ws
|
||||
concat
|
||||
connection_id
|
||||
conv
|
||||
convert_tz
|
||||
convert
|
||||
cos
|
||||
cot
|
||||
count
|
||||
dcount
|
||||
cr32
|
||||
curdate
|
||||
current_date
|
||||
current_time
|
||||
current_timestamp
|
||||
current_user
|
||||
curtime
|
||||
database
|
||||
date
|
||||
date_add
|
||||
date_format
|
||||
date_sub
|
||||
datediff
|
||||
day
|
||||
dayname
|
||||
dayofmonth
|
||||
dayofweek
|
||||
dayofyear
|
||||
decode
|
||||
default
|
||||
degrees
|
||||
des_decrypt
|
||||
des_encrypt
|
||||
dump
|
||||
elt
|
||||
encode
|
||||
encrypt
|
||||
exp
|
||||
export_set
|
||||
extract
|
||||
extractvalue
|
||||
field
|
||||
field_in_set
|
||||
find_in_set
|
||||
floor
|
||||
format
|
||||
found_rows
|
||||
from_base64
|
||||
from_days
|
||||
from_unixtime
|
||||
get_format
|
||||
get_lock
|
||||
greatest
|
||||
group_concat
|
||||
hex
|
||||
hextoraw
|
||||
rawtohex
|
||||
hour
|
||||
if
|
||||
ifnull
|
||||
in
|
||||
inet6_aton
|
||||
inet6_ntoa
|
||||
inet_aton
|
||||
inet_ntoa
|
||||
insert
|
||||
instr
|
||||
interval
|
||||
isnull
|
||||
is_free_lock
|
||||
is_ipv4_compat
|
||||
is_ipv4_mapped
|
||||
is_ipv4
|
||||
is_ipv6
|
||||
is_not_null
|
||||
is_not
|
||||
is_null
|
||||
is_used_lock
|
||||
last
|
||||
last_day
|
||||
last_inser_id
|
||||
lcase
|
||||
least
|
||||
left
|
||||
length
|
||||
ln
|
||||
load_file
|
||||
local
|
||||
localtimestamp
|
||||
locate
|
||||
log
|
||||
log2
|
||||
log10
|
||||
lower
|
||||
lpad
|
||||
ltrim
|
||||
make_set
|
||||
makedate
|
||||
master_pos_wait
|
||||
max
|
||||
md5
|
||||
microsecond
|
||||
mid
|
||||
min
|
||||
minute
|
||||
mod
|
||||
month
|
||||
monthname
|
||||
name_const
|
||||
not_in
|
||||
now
|
||||
nullif
|
||||
oct
|
||||
octet_length
|
||||
old_password
|
||||
ord
|
||||
password
|
||||
period_add
|
||||
period_diff
|
||||
pi
|
||||
position
|
||||
pow
|
||||
power
|
||||
procedure_analyse
|
||||
quarter
|
||||
quote
|
||||
radians
|
||||
rand
|
||||
release_lock
|
||||
repeat
|
||||
replace
|
||||
reverse
|
||||
right
|
||||
round
|
||||
row_count
|
||||
rpad
|
||||
rtrim
|
||||
schema
|
||||
sec_to_time
|
||||
second
|
||||
session_user
|
||||
sha
|
||||
sha1
|
||||
sha2
|
||||
sign
|
||||
sin
|
||||
pg_sleep
|
||||
sleep
|
||||
soundex
|
||||
space
|
||||
sqrt
|
||||
std
|
||||
stddev_pop
|
||||
stddev_samp
|
||||
str_to_date
|
||||
strcmp
|
||||
subdate
|
||||
substring
|
||||
substring_index
|
||||
substr
|
||||
subtime
|
||||
sum
|
||||
sysdate
|
||||
system_user
|
||||
tan
|
||||
time
|
||||
timestamp
|
||||
timestampadd
|
||||
timestampdiff
|
||||
timediff
|
||||
time_format
|
||||
time_to_sec
|
||||
to_base64
|
||||
todays
|
||||
toseconds
|
||||
tochar
|
||||
tonchar
|
||||
trim
|
||||
truncate
|
||||
ucase
|
||||
uncompress
|
||||
uncompressed_length
|
||||
unhex
|
||||
unix_timestamp
|
||||
updatexml
|
||||
upper
|
||||
user
|
||||
utc_date
|
||||
utc_time
|
||||
utc_timestamp
|
||||
uuid
|
||||
uuid_short
|
||||
values
|
||||
var_pop
|
||||
var_samp
|
||||
variance
|
||||
version
|
||||
week
|
||||
weekday
|
||||
weekofyear
|
||||
weight_string
|
||||
year
|
||||
yearweek
|
||||
xmltype
|
|
@ -1,3 +1,21 @@
|
|||
${CDPATH}
|
||||
${DIRSTACK}
|
||||
${HOME}
|
||||
${HOSTNAME}
|
||||
${IFS}
|
||||
${OLDPWD}
|
||||
${OSTYPE}
|
||||
${PATH}
|
||||
${PWD}
|
||||
$CDPATH
|
||||
$DIRSTACK
|
||||
$HOME
|
||||
$HOSTNAME
|
||||
$IFS
|
||||
$OLDPWD
|
||||
$OSTYPE
|
||||
$PATH
|
||||
$PWD
|
||||
bin/bash
|
||||
bin/cat
|
||||
bin/csh
|
||||
|
@ -7,6 +25,7 @@ bin/echo
|
|||
bin/grep
|
||||
bin/less
|
||||
bin/ls
|
||||
bin/mknod
|
||||
bin/more
|
||||
bin/nc
|
||||
bin/ps
|
||||
|
@ -32,6 +51,9 @@ etc/shadow
|
|||
etc/shells
|
||||
etc/spwd.db
|
||||
proc/self/
|
||||
usr/bin/awk
|
||||
usr/bin/base64
|
||||
usr/bin/cat
|
||||
usr/bin/cc
|
||||
usr/bin/clang
|
||||
usr/bin/clang++
|
||||
|
@ -42,31 +64,46 @@ usr/bin/fetch
|
|||
usr/bin/file
|
||||
usr/bin/find
|
||||
usr/bin/ftp
|
||||
usr/bin/gawk
|
||||
usr/bin/gcc
|
||||
usr/bin/head
|
||||
usr/bin/hexdump
|
||||
usr/bin/id
|
||||
usr/bin/less
|
||||
usr/bin/ln
|
||||
usr/bin/mkfifo
|
||||
usr/bin/more
|
||||
usr/bin/nc
|
||||
usr/bin/ncat
|
||||
usr/bin/nice
|
||||
usr/bin/nmap
|
||||
usr/bin/perl
|
||||
usr/bin/php
|
||||
usr/bin/php5
|
||||
usr/bin/php7
|
||||
usr/bin/php-cgi
|
||||
usr/bin/printf
|
||||
usr/bin/psed
|
||||
usr/bin/python
|
||||
usr/bin/python2
|
||||
usr/bin/python3
|
||||
usr/bin/ruby
|
||||
usr/bin/sed
|
||||
usr/bin/socat
|
||||
usr/bin/tail
|
||||
usr/bin/tee
|
||||
usr/bin/telnet
|
||||
usr/bin/top
|
||||
usr/bin/uname
|
||||
usr/bin/wget
|
||||
usr/bin/who
|
||||
usr/bin/whoami
|
||||
usr/bin/xargs
|
||||
usr/bin/xxd
|
||||
usr/bin/yes
|
||||
usr/local/bin/bash
|
||||
usr/local/bin/curl
|
||||
usr/local/bin/ncat
|
||||
usr/local/bin/nmap
|
||||
usr/local/bin/perl
|
||||
usr/local/bin/php
|
||||
|
|
|
@ -22,5 +22,5 @@ server {
|
|||
%BLOCK_TOR_EXIT_NODE%
|
||||
%COOKIE_FLAGS%
|
||||
%ERRORS%
|
||||
include /confs/*.conf;
|
||||
include /server-confs/*.conf;
|
||||
}
|
||||
|
|
|
@ -55,8 +55,9 @@ PHP_ALLOW_URL_FOPEN="${PHP_ALLOW_URL_FOPEN-no}"
|
|||
PHP_ALLOW_URL_INCLUDE="${PHP_ALLOW_URL_INCLUDE-no}"
|
||||
PHP_FILE_UPLOADS="${PHP_FILE_UPLOADS-yes}"
|
||||
PHP_UPLOAD_MAX_FILESIZE="${PHP_UPLOAD_MAX_FILESIZE-10M}"
|
||||
PHP_DISABLE_FUNCTIONS="${PHP_DISABLE_FUNCTIONS-system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo}"
|
||||
PHP_DISABLE_FUNCTIONS="${PHP_DISABLE_FUNCTIONS-system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo}"
|
||||
USE_MODSECURITY="${USE_MODSECURITY-yes}"
|
||||
USE_MODSECURITY_CRS="${USE_MODSECURITY_CRS-yes}"
|
||||
CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY-default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; reflected-xss block; base-uri 'self'; referrer no-referrer}"
|
||||
COOKIE_FLAGS="${COOKIE_FLAGS-* HttpOnly}"
|
||||
SERVE_FILES="${SERVE_FILES-yes}"
|
||||
|
@ -224,6 +225,24 @@ fi
|
|||
|
||||
if [ "$USE_MODSECURITY" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" "include /etc/nginx/modsecurity.conf;"
|
||||
if ls /modsec-confs/*.conf > /dev/null 2>&1 ; then
|
||||
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "include /modsec-confs/*.conf"
|
||||
else
|
||||
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" ""
|
||||
fi
|
||||
if [ "$USE_MODSECURITY_CRS" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /etc/nginx/owasp-crs.conf"
|
||||
if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
|
||||
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "include /modsec-crs-confs/*.conf"
|
||||
else
|
||||
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
|
||||
fi
|
||||
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /etc/nginx/owasp-crs/*.conf"
|
||||
else
|
||||
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" ""
|
||||
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
|
||||
replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" ""
|
||||
fi
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" ""
|
||||
fi
|
||||
|
|
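Review bot: The new default for PHP_DISABLE_FUNCTIONS drops `chdir, mkdir, rmdir, chmod, rename` from the previous list, which loosens the shipped PHP hardening baseline, and nothing in the hunk says why; anyone relying on the default will silently get a weaker setting after upgrading. I would add a one-line comment above the assignment explaining the reason (e.g. `# default no longer disables chdir/mkdir/rmdir/chmod/rename: <reason>`) so the relaxation is visible to the next maintainer. In the ModSecurity hunk, the files pulled in by `include /modsec-confs/*.conf` and `include /modsec-crs-confs/*.conf` are ordinary ModSecurity configuration, so whatever is mounted on those volumes can change engine-wide directives rather than only add rules; the volume documentation should state that these mounts are trusted configuration, ideally mounted read-only. The enclosing script, including the definition of `replace_in_file`, lies outside the hunks, so I cannot confirm how the slash-containing replacement strings are escaped.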