initial work
This commit is contained in:
parent
70f849fbb5
commit
e90060ce68
|
@ -0,0 +1,22 @@
|
|||
FROM alpine
|
||||
|
||||
COPY compile.sh /tmp/compile.sh
|
||||
RUN chmod +x /tmp/compile.sh && \
|
||||
/tmp/compile.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY entrypoint.sh /opt/entrypoint.sh
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
mkdir /www && \
|
||||
adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
|
||||
|
||||
VOLUME /www
|
||||
|
||||
EXPOSE 80
|
||||
EXPOSE 443
|
||||
|
||||
ENTRYPOINT ["/opt/entrypoint.sh"]
|
|
@ -0,0 +1,37 @@
|
|||
#/bin/sh
|
||||
|
||||
NTASK=$(($(nproc)*2))
|
||||
|
||||
# install build dependencies
|
||||
apk add --no-cache --virtual build autoconf libtool automake git geoip-dev yajl-dev g++ curl-dev libxml2-dev pcre-dev make linux-headers libmaxminddb-dev
|
||||
|
||||
# compile and install ModSecurity library
|
||||
cd /tmp
|
||||
git clone https://github.com/SpiderLabs/ModSecurity.git
|
||||
cd ModSecurity
|
||||
./build.sh
|
||||
git submodule init
|
||||
git submodule update
|
||||
./configure --enable-static=no --disable-doxygen-doc --disable-dependency-tracking
|
||||
make -j $NTASK
|
||||
make install-strip
|
||||
|
||||
# get nginx modules
|
||||
cd /tmp
|
||||
# ModSecurity connector for nginx
|
||||
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git
|
||||
# headers more
|
||||
git clone https://github.com/openresty/headers-more-nginx-module.git
|
||||
# geoip
|
||||
git clone https://github.com/leev/ngx_http_geoip2_module.git
|
||||
|
||||
# compile and install nginx
|
||||
cd /tmp
|
||||
git clone https://github.com/nginx/nginx.git
|
||||
cd nginx
|
||||
./auto/configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx/nginx.pid --modules-path=/usr/lib/nginx/modules --with-file-aio --with-http_ssl_module --with-http_v2_module --add-module=/tmp/ModSecurity-nginx --add-module=/tmp/headers-more-nginx-module --add-module=/tmp/ngx_http_geoip2_module
|
||||
make -j $NTASK
|
||||
make install
|
||||
|
||||
# remove build dependencies
|
||||
apk del build
|
|
@ -0,0 +1,8 @@
|
|||
listen 0.0.0.0:443 ssl %HTTP2%;
|
||||
server_name %SERVER_NAME%;
|
||||
ssl_certificate /etc/letsencrypt/live/%SERVER_NAME%/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/%SERVER_NAME%/privkey.pem;
|
||||
ssl_protocols TLSv1.3;
|
||||
ssl_prefer_server_ciphers off;
|
||||
ssl_session_tickets off;
|
||||
%STRICT_TRANSPORT_SECURITY%
|
|
@ -0,0 +1,3 @@
|
|||
if ($bad_user_agent = yes) {
|
||||
return 444;
|
||||
}
|
|
@ -0,0 +1,4 @@
|
|||
open_file_cache %CACHE%;
|
||||
open_file_cache_errors %CACHE_ERRORS%;
|
||||
open_file_cache_min_uses %CACHE_USES%;
|
||||
open_file_cache_valid %CACHE_VALID%;
|
|
@ -0,0 +1,4 @@
|
|||
server {
|
||||
listen 0.0.0.0:80 default_server;
|
||||
return 444;
|
||||
}
|
|
@ -0,0 +1,7 @@
|
|||
error_page %CODE% %PAGE%;
|
||||
|
||||
location = %PAGE% {
|
||||
root /www;
|
||||
modsecurity off;
|
||||
internal;
|
||||
}
|
|
@ -0,0 +1 @@
|
|||
more_set_headers "Feature-Policy: %FEATURE_POLICY%";
|
|
@ -0,0 +1,7 @@
|
|||
map $geoip2_data_country_code $allowed_country {
|
||||
default yes;
|
||||
%BLOCK_COUNTRY%
|
||||
}
|
||||
if ($allowed_country = no) {
|
||||
return 403;
|
||||
}
|
|
@ -0,0 +1,9 @@
|
|||
# /etc/nginx/gzip.conf
|
||||
|
||||
# enable/disable gzip compression
|
||||
gzip %USE_GZIP%;
|
||||
gzip_comp_level %GZIP_COMP_LEVEL%;
|
||||
gzip_disable msie6;
|
||||
gzip_min_length %GZIP_MIN_LENGTH%;
|
||||
gzip_proxied any;
|
||||
gzip_types %GZIP_TYPES%;
|
|
@ -0,0 +1,4 @@
|
|||
map $http_user_agent $bad_user_agent {
|
||||
default no;
|
||||
%BLOCK_USER_AGENT%
|
||||
}
|
|
@ -0,0 +1,59 @@
|
|||
# process rules with disruptive actions
|
||||
SecRuleEngine On
|
||||
|
||||
# allow body checks
|
||||
SecRequestBodyAccess On
|
||||
|
||||
# enable XML parsing
|
||||
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
|
||||
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
|
||||
|
||||
# enable JSON parsing
|
||||
SecRule REQUEST_HEADERS:Content-Type "application/json" \
|
||||
"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
|
||||
|
||||
# maximum data size
|
||||
SecRequestBodyLimit 13107200
|
||||
SecRequestBodyNoFilesLimit 131072
|
||||
|
||||
# reject requests if bigger than max data size
|
||||
SecRequestBodyLimitAction Reject
|
||||
|
||||
# reject if we can't process the body
|
||||
SecRule REQBODY_ERROR "!@eq 0" \
|
||||
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
|
||||
|
||||
# be strict with multipart/form-data body
|
||||
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
|
||||
"id:'200003',phase:2,t:none,log,deny,status:400, \
|
||||
msg:'Multipart request body failed strict validation: \
|
||||
PE %{REQBODY_PROCESSOR_ERROR}, \
|
||||
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
|
||||
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
|
||||
DB %{MULTIPART_DATA_BEFORE}, \
|
||||
DA %{MULTIPART_DATA_AFTER}, \
|
||||
HF %{MULTIPART_HEADER_FOLDING}, \
|
||||
LF %{MULTIPART_LF_LINE}, \
|
||||
SM %{MULTIPART_MISSING_SEMICOLON}, \
|
||||
IQ %{MULTIPART_INVALID_QUOTING}, \
|
||||
IP %{MULTIPART_INVALID_PART}, \
|
||||
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
|
||||
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
|
||||
SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
|
||||
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
|
||||
|
||||
# enable response body checks
|
||||
SecResponseBodyAccess On
|
||||
SecResponseBodyMimeType text/plain text/html text/xml application/json
|
||||
SecResponseBodyLimit 524288
|
||||
SecResponseBodyLimitAction ProcessPartial
|
||||
|
||||
# log usefull stuff
|
||||
SecAuditEngine RelevantOnly
|
||||
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
|
||||
SecAuditLogType Serial
|
||||
SecAuditLog /var/log/modsec_audit.log
|
||||
|
||||
# include OWASP CRS rules
|
||||
include /etc/nginx/owasp-crs.conf
|
||||
include /etc/nginx/owasp-crs/*.conf
|
|
@ -0,0 +1,2 @@
|
|||
modsecurity on;
|
||||
modsecurity_rules_file /etc/nginx/modsecurity-rules.conf;
|
|
@ -0,0 +1,85 @@
|
|||
# /etc/nginx/nginx.conf
|
||||
|
||||
# do not run as daemon
|
||||
daemon off;
|
||||
|
||||
# do NOT run as root
|
||||
user nginx;
|
||||
|
||||
# worker number = CPU core(s)
|
||||
worker_processes auto;
|
||||
|
||||
# faster regexp
|
||||
pcre_jit on;
|
||||
|
||||
# display warnings and errors on stderr
|
||||
error_log stderr warn;
|
||||
|
||||
# config files for dynamic modules
|
||||
include /etc/nginx/modules/*.conf;
|
||||
|
||||
events {
|
||||
# max connections per worker
|
||||
worker_connections 1024;
|
||||
|
||||
# epoll seems to be the best on Linux
|
||||
use epoll;
|
||||
}
|
||||
|
||||
http {
|
||||
# zero copy within the kernel
|
||||
sendfile on;
|
||||
|
||||
# send packets only if filled
|
||||
tcp_nopush on;
|
||||
|
||||
# remove 200ms delay
|
||||
tcp_nodelay on;
|
||||
|
||||
# load mime types and set default one
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
# load gzip custom config
|
||||
include /etc/nginx/gzip.conf;
|
||||
|
||||
# maximum request body size
|
||||
client_max_body_size %MAX_CLIENT_SIZE%;
|
||||
|
||||
# load caching custom config
|
||||
include /etc/nginx/cache.conf;
|
||||
|
||||
# close connections in FIN_WAIT1 state
|
||||
reset_timedout_connection on;
|
||||
|
||||
# timeouts
|
||||
client_body_timeout 12;
|
||||
client_header_timeout 12;
|
||||
keepalive_timeout 15;
|
||||
send_timeout 10;
|
||||
|
||||
# enable/disable sending nginx version
|
||||
server_tokens %SERVER_TOKENS%;
|
||||
|
||||
# display standard logs on stdout
|
||||
access_log /dev/stdout;
|
||||
|
||||
# server config
|
||||
include /etc/nginx/server.conf;
|
||||
|
||||
# disable default server
|
||||
%DISABLE_DEFAULT_SERVER%
|
||||
|
||||
# geoip2 config
|
||||
geoip2 /etc/nginx/geoip.mmdb {
|
||||
auto_reload 5m;
|
||||
$geoip2_metadata_country_build metadata build_epoch;
|
||||
$geoip2_data_country_code country iso_code;
|
||||
}
|
||||
|
||||
# check if user agent is blocked
|
||||
%BLOCK_USER_AGENT%
|
||||
|
||||
# enable ModSecurity
|
||||
%USE_MODSECURITY%
|
||||
}
|
|
@ -0,0 +1,845 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
|
||||
#
|
||||
# -- [[ Introduction ]] --------------------------------------------------------
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack
|
||||
# detection rules that provide a base level of protection for any web
|
||||
# application. They are written for the open source, cross-platform
|
||||
# ModSecurity Web Application Firewall.
|
||||
#
|
||||
# See also:
|
||||
# https://coreruleset.org/
|
||||
# https://github.com/SpiderLabs/owasp-modsecurity-crs
|
||||
# https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
|
||||
#
|
||||
|
||||
|
||||
#
|
||||
# -- [[ System Requirements ]] -------------------------------------------------
|
||||
#
|
||||
# CRS requires ModSecurity version 2.8.0 or above.
|
||||
# We recommend to always use the newest ModSecurity version.
|
||||
#
|
||||
# The configuration directives/settings in this file are used to control
|
||||
# the OWASP ModSecurity CRS. These settings do **NOT** configure the main
|
||||
# ModSecurity settings (modsecurity.conf) such as SecRuleEngine,
|
||||
# SecRequestBodyAccess, SecAuditEngine, SecDebugLog, and XML processing.
|
||||
#
|
||||
# The CRS assumes that modsecurity.conf has been loaded. It is bundled with
|
||||
# ModSecurity. If you don't have it, you can get it from:
|
||||
# 2.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v2/master/modsecurity.conf-recommended
|
||||
# 3.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
|
||||
#
|
||||
# The order of file inclusion in your webserver configuration should always be:
|
||||
# 1. modsecurity.conf
|
||||
# 2. crs-setup.conf (this file)
|
||||
# 3. rules/*.conf (the CRS rule files)
|
||||
#
|
||||
# Please refer to the INSTALL file for detailed installation instructions.
|
||||
#
|
||||
|
||||
|
||||
#
|
||||
# -- [[ Mode of Operation: Anomaly Scoring vs. Self-Contained ]] ---------------
|
||||
#
|
||||
# The CRS can run in two modes:
|
||||
#
|
||||
# -- [[ Anomaly Scoring Mode (default) ]] --
|
||||
# In CRS3, anomaly mode is the default and recommended mode, since it gives the
|
||||
# most accurate log information and offers the most flexibility in setting your
|
||||
# blocking policies. It is also called "collaborative detection mode".
|
||||
# In this mode, each matching rule increases an 'anomaly score'.
|
||||
# At the conclusion of the inbound rules, and again at the conclusion of the
|
||||
# outbound rules, the anomaly score is checked, and the blocking evaluation
|
||||
# rules apply a disruptive action, by default returning an error 403.
|
||||
#
|
||||
# -- [[ Self-Contained Mode ]] --
|
||||
# In this mode, rules apply an action instantly. This was the CRS2 default.
|
||||
# It can lower resource usage, at the cost of less flexibility in blocking policy
|
||||
# and less informative audit logs (only the first detected threat is logged).
|
||||
# Rules inherit the disruptive action that you specify (i.e. deny, drop, etc).
|
||||
# The first rule that matches will execute this action. In most cases this will
|
||||
# cause evaluation to stop after the first rule has matched, similar to how many
|
||||
# IDSs function.
|
||||
#
|
||||
# -- [[ Alert Logging Control ]] --
|
||||
# In the mode configuration, you must also adjust the desired logging options.
|
||||
# There are three common options for dealing with logging. By default CRS enables
|
||||
# logging to the webserver error log (or Event viewer) plus detailed logging to
|
||||
# the ModSecurity audit log (configured under SecAuditLog in modsecurity.conf).
|
||||
#
|
||||
# - To log to both error log and ModSecurity audit log file, use: "log,auditlog"
|
||||
# - To log *only* to the ModSecurity audit log file, use: "nolog,auditlog"
|
||||
# - To log *only* to the error log file, use: "log,noauditlog"
|
||||
#
|
||||
# Examples for the various modes follow.
|
||||
# You must leave one of the following options enabled.
|
||||
# Note that you must specify the same line for phase:1 and phase:2.
|
||||
#
|
||||
|
||||
# Default: Anomaly Scoring mode, log to error log, log to ModSecurity audit log
|
||||
# - By default, offending requests are blocked with an error 403 response.
|
||||
# - To change the disruptive action, see RESPONSE-999-EXCEPTIONS.conf.example
|
||||
# and review section 'Changing the Disruptive Action for Anomaly Mode'.
|
||||
# - In Apache, you can use ErrorDocument to show a friendly error page or
|
||||
# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
|
||||
#
|
||||
SecDefaultAction "phase:1,log,auditlog,pass"
|
||||
SecDefaultAction "phase:2,log,auditlog,pass"
|
||||
|
||||
# Example: Anomaly Scoring mode, log only to ModSecurity audit log
|
||||
# - By default, offending requests are blocked with an error 403 response.
|
||||
# - To change the disruptive action, see RESPONSE-999-EXCEPTIONS.conf.example
|
||||
# and review section 'Changing the Disruptive Action for Anomaly Mode'.
|
||||
# - In Apache, you can use ErrorDocument to show a friendly error page or
|
||||
# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
|
||||
#
|
||||
# SecDefaultAction "phase:1,nolog,auditlog,pass"
|
||||
# SecDefaultAction "phase:2,nolog,auditlog,pass"
|
||||
|
||||
# Example: Self-contained mode, return error 403 on blocking
|
||||
# - In this configuration the default disruptive action becomes 'deny'. After a
|
||||
# rule triggers, it will stop processing the request and return an error 403.
|
||||
# - You can also use a different error status, such as 404, 406, et cetera.
|
||||
# - In Apache, you can use ErrorDocument to show a friendly error page or
|
||||
# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
|
||||
#
|
||||
# SecDefaultAction "phase:1,log,auditlog,deny,status:403"
|
||||
# SecDefaultAction "phase:2,log,auditlog,deny,status:403"
|
||||
|
||||
# Example: Self-contained mode, redirect back to homepage on blocking
|
||||
# - In this configuration the 'tag' action includes the Host header data in the
|
||||
# log. This helps to identify which virtual host triggered the rule (if any).
|
||||
# - Note that this might cause redirect loops in some situations; for example
|
||||
# if a Cookie or User-Agent header is blocked, it will also be blocked when
|
||||
# the client subsequently tries to access the homepage. You can also redirect
|
||||
# to another custom URL.
|
||||
# SecDefaultAction "phase:1,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
|
||||
# SecDefaultAction "phase:2,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
|
||||
|
||||
|
||||
#
|
||||
# -- [[ Paranoia Level Initialization ]] ---------------------------------------
|
||||
#
|
||||
# The Paranoia Level (PL) setting allows you to choose the desired level
|
||||
# of rule checks that will add to your anomaly scores.
|
||||
#
|
||||
# With each paranoia level increase, the CRS enables additional rules
|
||||
# giving you a higher level of security. However, higher paranoia levels
|
||||
# also increase the possibility of blocking some legitimate traffic due to
|
||||
# false alarms (also named false positives or FPs). If you use higher
|
||||
# paranoia levels, it is likely that you will need to add some exclusion
|
||||
# rules for certain requests and applications receiving complex input.
|
||||
#
|
||||
# - A paranoia level of 1 is default. In this level, most core rules
|
||||
# are enabled. PL1 is advised for beginners, installations
|
||||
# covering many different sites and applications, and for setups
|
||||
# with standard security requirements.
|
||||
# At PL1 you should face FPs rarely. If you encounter FPs, please
|
||||
# open an issue on the CRS GitHub site and don't forget to attach your
|
||||
# complete Audit Log record for the request with the issue.
|
||||
# - Paranoia level 2 includes many extra rules, for instance enabling
|
||||
# many regexp-based SQL and XSS injection protections, and adding
|
||||
# extra keywords checked for code injections. PL2 is advised
|
||||
# for moderate to experienced users desiring more complete coverage
|
||||
# and for installations with elevated security requirements.
|
||||
# PL2 comes with some FPs which you need to handle.
|
||||
# - Paranoia level 3 enables more rules and keyword lists, and tweaks
|
||||
# limits on special characters used. PL3 is aimed at users experienced
|
||||
# at the handling of FPs and at installations with a high security
|
||||
# requirement.
|
||||
# - Paranoia level 4 further restricts special characters.
|
||||
# The highest level is advised for experienced users protecting
|
||||
# installations with very high security requirements. Running PL4 will
|
||||
# likely produce a very high number of FPs which have to be
|
||||
# treated before the site can go productive.
|
||||
#
|
||||
# Rules in paranoia level 2 or higher will log their PL to the audit log;
|
||||
# example: [tag "paranoia-level/2"]. This allows you to deduct from the
|
||||
# audit log how the WAF behavior is affected by paranoia level.
|
||||
#
|
||||
# It is important to also look into the variable
|
||||
# tx.enforce_bodyproc_urlencoded (Enforce Body Processor URLENCODED)
|
||||
# defined below. Enabling it closes a possible bypass of CRS.
|
||||
#
|
||||
# Uncomment this rule to change the default:
|
||||
#
|
||||
#SecAction \
|
||||
# "id:900000,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:tx.paranoia_level=1"
|
||||
|
||||
|
||||
# It is possible to execute rules from a higher paranoia level but not include
|
||||
# them in the anomaly scoring. This allows you to take a well-tuned system on
|
||||
# paranoia level 1 and add rules from paranoia level 2 without having to fear
|
||||
# the new rules would lead to false positives that raise your score above the
|
||||
# threshold.
|
||||
# This optional feature is enabled by uncommenting the following rule and
|
||||
# setting the tx.executing_paranoia_level.
|
||||
# Technically, rules up to the level defined in tx.executing_paranoia_level
|
||||
# will be executed, but only the rules up to tx.paranoia_level affect the
|
||||
# anomaly scores.
|
||||
# By default, tx.executing_paranoia_level is set to tx.paranoia_level.
|
||||
# tx.executing_paranoia_level must not be lower than tx.paranoia_level.
|
||||
#
|
||||
# Please notice that setting tx.executing_paranoia_level to a higher paranoia
|
||||
# level results in a performance impact that is equally high as setting
|
||||
# tx.paranoia_level to said level.
|
||||
#
|
||||
#SecAction \
|
||||
# "id:900001,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:tx.executing_paranoia_level=1"
|
||||
|
||||
|
||||
#
|
||||
# -- [[ Enforce Body Processor URLENCODED ]] -----------------------------------
|
||||
#
|
||||
# ModSecurity selects the body processor based on the Content-Type request
|
||||
# header. But clients are not always setting the Content-Type header for their
|
||||
# request body payloads. This will leave ModSecurity with limited vision into
|
||||
# the payload. The variable tx.enforce_bodyproc_urlencoded lets you force the
|
||||
# URLENCODED body processor in these situations. This is off by default, as it
|
||||
# implies a change of the behaviour of ModSecurity beyond CRS (the body
|
||||
# processor applies to all rules, not only CRS) and because it may lead to
|
||||
# false positives already on paranoia level 1. However, enabling this variable
|
||||
# closes a possible bypass of CRS so it should be considered.
|
||||
#
|
||||
# Uncomment this rule to change the default:
|
||||
#
|
||||
#SecAction \
|
||||
# "id:900010,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:tx.enforce_bodyproc_urlencoded=1"
|
||||
|
||||
|
||||
#
|
||||
# -- [[ Anomaly Mode Severity Levels ]] ----------------------------------------
|
||||
#
|
||||
# Each rule in the CRS has an associated severity level.
|
||||
# These are the default scoring points for each severity level.
|
||||
# These settings will be used to increment the anomaly score if a rule matches.
|
||||
# You may adjust these points to your liking, but this is usually not needed.
|
||||
#
|
||||
# - CRITICAL severity: Anomaly Score of 5.
|
||||
# Mostly generated by the application attack rules (93x and 94x files).
|
||||
# - ERROR severity: Anomaly Score of 4.
|
||||
# Generated mostly from outbound leakage rules (95x files).
|
||||
# - WARNING severity: Anomaly Score of 3.
|
||||
# Generated mostly by malicious client rules (91x files).
|
||||
# - NOTICE severity: Anomaly Score of 2.
|
||||
# Generated mostly by the protocol rules (92x files).
|
||||
#
|
||||
# In anomaly mode, these scores are cumulative.
|
||||
# So it's possible for a request to hit multiple rules.
|
||||
#
|
||||
# (Note: In this file, we use 'phase:1' to set CRS configuration variables.
|
||||
# In general, 'phase:request' is used. However, we want to make absolutely sure
|
||||
# that all configuration variables are set before the CRS rules are processed.)
|
||||
#
|
||||
#SecAction \
|
||||
# "id:900100,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:tx.critical_anomaly_score=5,\
|
||||
# setvar:tx.error_anomaly_score=4,\
|
||||
# setvar:tx.warning_anomaly_score=3,\
|
||||
# setvar:tx.notice_anomaly_score=2"
|
||||
|
||||
|
||||
#
|
||||
# -- [[ Anomaly Mode Blocking Threshold Levels ]] ------------------------------
|
||||
#
|
||||
# Here, you can specify at which cumulative anomaly score an inbound request,
|
||||
# or outbound response, gets blocked.
|
||||
#
|
||||
# Most detected inbound threats will give a critical score of 5.
|
||||
# Smaller violations, like violations of protocol/standards, carry lower scores.
|
||||
#
|
||||
# [ At default value ]
|
||||
# If you keep the blocking thresholds at the defaults, the CRS will work
|
||||
# similarly to previous CRS versions: a single critical rule match will cause
|
||||
# the request to be blocked and logged.
|
||||
#
|
||||
# [ Using higher values ]
|
||||
# If you want to make the CRS less sensitive, you can increase the blocking
|
||||
# thresholds, for instance to 7 (which would require multiple rule matches
|
||||
# before blocking) or 10 (which would require at least two critical alerts - or
|
||||
# a combination of many lesser alerts), or even higher. However, increasing the
|
||||
# thresholds might cause some attacks to bypass the CRS rules or your policies.
|
||||
#
|
||||
# [ New deployment strategy: Starting high and decreasing ]
|
||||
# It is a common practice to start a fresh CRS installation with elevated
|
||||
# anomaly scoring thresholds (>100) and then lower the limits as your
|
||||
# confidence in the setup grows. You may also look into the Sampling
|
||||
# Percentage section below for a different strategy to ease into a new
|
||||
# CRS installation.
|
||||
#
|
||||
# [ Anomaly Threshold / Paranoia Level Quadrant ]
|
||||
#
|
||||
# High Anomaly Limit | High Anomaly Limit
|
||||
# Low Paranoia Level | High Paranoia Level
|
||||
# -> Fresh Site | -> Experimental Site
|
||||
# ------------------------------------------------------
|
||||
# Low Anomaly Limit | Low Anomaly Limit
|
||||
# Low Paranoia Level | High Paranoia Level
|
||||
# -> Standard Site | -> High Security Site
|
||||
#
|
||||
# Uncomment this rule to change the defaults:
|
||||
#
|
||||
#SecAction \
|
||||
# "id:900110,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:tx.inbound_anomaly_score_threshold=5,\
|
||||
# setvar:tx.outbound_anomaly_score_threshold=4"
|
||||
|
||||
#
|
||||
# -- [[ Application Specific Rule Exclusions ]] ----------------------------------------
|
||||
#
|
||||
# Some well-known applications may undertake actions that appear to be
|
||||
# malicious. This includes actions such as allowing HTML or Javascript within
|
||||
# parameters. In such cases the CRS aims to prevent false positives by allowing
|
||||
# administrators to enable prebuilt, application specific exclusions on an
|
||||
# application by application basis.
|
||||
# These application specific exclusions are distinct from the rules that would
|
||||
# be placed in the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS configuration file as
|
||||
# they are prebuilt for specific applications. The 'REQUEST-900' file is
|
||||
# designed for users to add their own custom exclusions. Note, using these
|
||||
# application specific exclusions may loosen restrictions of the CRS,
|
||||
# especially if used with an application they weren't designed for. As a result
|
||||
# they should be applied with care.
|
||||
# To use this functionality you must specify a supported application. To do so
|
||||
# uncomment rule 900130. In addition to uncommenting the rule you will need to
|
||||
# specify which application(s) you'd like to enable exclusions for. Only a
|
||||
# (very) limited set of applications are currently supported, please use the
|
||||
# filenames prefixed with 'REQUEST-903' to guide you in your selection.
|
||||
# Such filenames use the following convention:
|
||||
# REQUEST-903.9XXX-{APPNAME}-EXCLUSIONS-RULES.conf
|
||||
#
|
||||
# It is recommended if you run multiple web applications on your site to limit
|
||||
# the effects of the exclusion to only the path where the excluded webapp
|
||||
# resides using a rule similar to the following example:
|
||||
# SecRule REQUEST_URI "@beginsWith /wordpress/" setvar:tx.crs_exclusions_wordpress=1
|
||||
|
||||
#
|
||||
# Modify and uncomment this rule to select which application:
|
||||
#
|
||||
#SecAction \
|
||||
# "id:900130,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:tx.crs_exclusions_drupal=1,\
|
||||
# setvar:tx.crs_exclusions_wordpress=1,\
|
||||
# setvar:tx.crs_exclusions_nextcloud=1,\
|
||||
# setvar:tx.crs_exclusions_dokuwiki=1,\
|
||||
# setvar:tx.crs_exclusions_cpanel=1"
|
||||
|
||||
#
|
||||
# -- [[ HTTP Policy Settings ]] ------------------------------------------------
|
||||
#
|
||||
# This section defines your policies for the HTTP protocol, such as:
|
||||
# - allowed HTTP versions, HTTP methods, allowed request Content-Types
|
||||
# - forbidden file extensions (e.g. .bak, .sql) and request headers (e.g. Proxy)
|
||||
#
|
||||
# These variables are used in the following rule files:
|
||||
# - REQUEST-911-METHOD-ENFORCEMENT.conf
|
||||
# - REQUEST-912-DOS-PROTECTION.conf
|
||||
# - REQUEST-920-PROTOCOL-ENFORCEMENT.conf
|
||||
|
||||
# HTTP methods that a client is allowed to use.
|
||||
# Default: GET HEAD POST OPTIONS
|
||||
# Example: for RESTful APIs, add the following methods: PUT PATCH DELETE
|
||||
# Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK
|
||||
# MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK
|
||||
# Uncomment this rule to change the default.
|
||||
#SecAction \
|
||||
# "id:900200,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
|
||||
|
||||
# Content-Types that a client is allowed to send in a request.
|
||||
# Default: application/x-www-form-urlencoded|multipart/form-data|text/xml|\
|
||||
# application/xml|application/soap+xml|application/x-amf|application/json|\
|
||||
# application/octet-stream|text/plain
|
||||
# Uncomment this rule to change the default.
|
||||
#SecAction \
|
||||
# "id:900220,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text/plain'"
|
||||
|
||||
# Content-Types charsets that a client is allowed to send in a request.
|
||||
# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252
|
||||
# Uncomment this rule to change the default.
|
||||
# Use "|" to separate multiple charsets like in the rule defining
|
||||
# tx.allowed_request_content_type.
|
||||
#SecAction \
|
||||
# "id:900270,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
|
||||
|
||||
# Allowed HTTP versions.
|
||||
# Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
|
||||
# Example for legacy clients: HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
|
||||
# Note that some web server versions use 'HTTP/2', some 'HTTP/2.0', so
|
||||
# we include both version strings by default.
|
||||
# Uncomment this rule to change the default.
|
||||
#SecAction \
|
||||
# "id:900230,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
|
||||
|
||||
# Forbidden file extensions.
|
||||
# Guards against unintended exposure of development/configuration files.
|
||||
# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
|
||||
# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .sql/
|
||||
# Uncomment this rule to change the default.
|
||||
#SecAction \
|
||||
# "id:900240,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
|
||||
|
||||
# Forbidden request headers.
|
||||
# Header names should be lowercase, enclosed by /slashes/ as delimiters.
|
||||
# Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org
|
||||
# Default: /proxy/ /lock-token/ /content-range/ /translate/ /if/
|
||||
# Uncomment this rule to change the default.
|
||||
#SecAction \
|
||||
# "id:900250,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /translate/ /if/'"
|
||||
|
||||
# File extensions considered static files.
|
||||
# Extensions include the dot, lowercase, enclosed by /slashes/ as delimiters.
|
||||
# Used in DoS protection rule. See section "Anti-Automation / DoS Protection".
|
||||
# Default: /.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/
|
||||
# Uncomment this rule to change the default.
|
||||
#SecAction \
|
||||
# "id:900260,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
|
||||
|
||||
|
||||
#
|
||||
# -- [[ HTTP Argument/Upload Limits ]] -----------------------------------------
|
||||
#
|
||||
# Here you can define optional limits on HTTP get/post parameters and uploads.
|
||||
# This can help to prevent application specific DoS attacks.
|
||||
#
|
||||
# These values are checked in REQUEST-920-PROTOCOL-ENFORCEMENT.conf.
|
||||
# Beware of blocking legitimate traffic when enabling these limits.
|
||||
#
|
||||
|
||||
# Block request if number of arguments is too high
|
||||
# Default: unlimited
|
||||
# Example: 255
|
||||
# Uncomment this rule to set a limit.
|
||||
#SecAction \
|
||||
# "id:900300,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:tx.max_num_args=255"
|
||||
|
||||
# Block request if the length of any argument name is too high
|
||||
# Default: unlimited
|
||||
# Example: 100
|
||||
# Uncomment this rule to set a limit.
|
||||
#SecAction \
|
||||
# "id:900310,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:tx.arg_name_length=100"
|
||||
|
||||
# Block request if the length of any argument value is too high
|
||||
# Default: unlimited
|
||||
# Example: 400
|
||||
# Uncomment this rule to set a limit.
|
||||
#SecAction \
|
||||
# "id:900320,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:tx.arg_length=400"
|
||||
|
||||
# Block request if the total length of all combined arguments is too high
|
||||
# Default: unlimited
|
||||
# Example: 64000
|
||||
# Uncomment this rule to set a limit.
|
||||
#SecAction \
|
||||
# "id:900330,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:tx.total_arg_length=64000"
|
||||
|
||||
# Block request if the file size of any individual uploaded file is too high
|
||||
# Default: unlimited
|
||||
# Example: 1048576
|
||||
# Uncomment this rule to set a limit.
|
||||
#SecAction \
|
||||
# "id:900340,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:tx.max_file_size=1048576"
|
||||
|
||||
# Block request if the total size of all combined uploaded files is too high
|
||||
# Default: unlimited
|
||||
# Example: 1048576
|
||||
# Uncomment this rule to set a limit.
|
||||
#SecAction \
|
||||
# "id:900350,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:tx.combined_file_sizes=1048576"
|
||||
|
||||
|
||||
#
|
||||
# -- [[ Easing In / Sampling Percentage ]] -------------------------------------
|
||||
#
|
||||
# Adding the Core Rule Set to an existing productive site can lead to false
|
||||
# positives, unexpected performance issues and other undesired side effects.
|
||||
#
|
||||
# It can be beneficial to test the water first by enabling the CRS for a
|
||||
# limited number of requests only and then, when you have solved the issues (if
|
||||
# any) and you have confidence in the setup, to raise the ratio of requests
|
||||
# being sent into the ruleset.
|
||||
#
|
||||
# Adjust the percentage of requests that are funnelled into the Core Rules by
|
||||
# setting TX.sampling_percentage below. The default is 100, meaning that every
|
||||
# request gets checked by the CRS. The selection of requests, which are going
|
||||
# to be checked, is based on a pseudo random number generated by ModSecurity.
|
||||
#
|
||||
# If a request is allowed to pass without being checked by the CRS, there is no
|
||||
# entry in the audit log (for performance reasons), but an error log entry is
|
||||
# written. If you want to disable the error log entry, then issue the
|
||||
# following directive somewhere after the inclusion of the CRS
|
||||
# (E.g., RESPONSE-999-EXCEPTIONS.conf).
|
||||
#
|
||||
# SecRuleUpdateActionById 901150 "nolog"
|
||||
#
|
||||
# ATTENTION: If this TX.sampling_percentage is below 100, then some of the
|
||||
# requests will bypass the Core Rules completely and you lose the ability to
|
||||
# protect your service with ModSecurity.
|
||||
#
|
||||
# Uncomment this rule to enable this feature:
|
||||
#
|
||||
#SecAction "id:900400,\
|
||||
# phase:1,\
|
||||
# pass,\
|
||||
# nolog,\
|
||||
# setvar:tx.sampling_percentage=100"
|
||||
|
||||
|
||||
#
|
||||
# -- [[ Project Honey Pot HTTP Blacklist ]] ------------------------------------
|
||||
#
|
||||
# Optionally, you can check the client IP address against the Project Honey Pot
|
||||
# HTTPBL (dnsbl.httpbl.org). In order to use this, you need to register to get a
|
||||
# free API key. Set it here with SecHttpBlKey.
|
||||
#
|
||||
# Project Honeypot returns multiple different malicious IP types.
|
||||
# You may specify which you want to block by enabling or disabling them below.
|
||||
#
|
||||
# Ref: https://www.projecthoneypot.org/httpbl.php
|
||||
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey
|
||||
#
|
||||
# Uncomment these rules to use this feature:
|
||||
#
|
||||
#SecHttpBlKey XXXXXXXXXXXXXXXXX
|
||||
#SecAction "id:900500,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:tx.block_search_ip=1,\
|
||||
# setvar:tx.block_suspicious_ip=1,\
|
||||
# setvar:tx.block_harvester_ip=1,\
|
||||
# setvar:tx.block_spammer_ip=1"
|
||||
|
||||
|
||||
#
|
||||
# -- [[ GeoIP Database ]] ------------------------------------------------------
|
||||
#
|
||||
# There are some rulesets that inspect geolocation data of the client IP address
|
||||
# (geoLookup). The CRS uses geoLookup to implement optional country blocking.
|
||||
#
|
||||
# To use geolocation, we make use of the MaxMind GeoIP database.
|
||||
# This database is not included with the CRS and must be downloaded.
|
||||
# You should also update the database regularly, for instance every month.
|
||||
# The CRS contains a tool to download it to util/geo-location/GeoIP.dat:
|
||||
# util/upgrade.py --geoip
|
||||
#
|
||||
# This product includes GeoLite data created by MaxMind, available from:
|
||||
# http://www.maxmind.com.
|
||||
#
|
||||
# Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html
|
||||
# Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html
|
||||
#
|
||||
# Uncomment this rule to use this feature:
|
||||
#
|
||||
#SecGeoLookupDB util/geo-location/GeoIP.dat
|
||||
|
||||
|
||||
#
|
||||
# -=[ Block Countries ]=-
|
||||
#
|
||||
# Rules in the IP Reputation file can check the client against a list of high
|
||||
# risk country codes. These countries have to be defined in the variable
|
||||
# tx.high_risk_country_codes via their ISO 3166 two-letter country code:
|
||||
# https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements
|
||||
#
|
||||
# If you are sure that you are not getting any legitimate requests from a given
|
||||
# country, then you can disable all access from that country via this variable.
|
||||
# The rule performing the test has the rule id 910100.
|
||||
#
|
||||
# This rule requires SecGeoLookupDB to be enabled and the GeoIP database to be
|
||||
# downloaded (see the section "GeoIP Database" above.)
|
||||
#
|
||||
# By default, the list is empty. A list used by some sites was the following:
|
||||
# setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN'"
|
||||
#
|
||||
# Uncomment this rule to use this feature:
|
||||
#
|
||||
#SecAction \
|
||||
# "id:900600,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:'tx.high_risk_country_codes='"
|
||||
|
||||
|
||||
#
|
||||
# -- [[ Anti-Automation / DoS Protection ]] ------------------------------------
|
||||
#
|
||||
# Optional DoS protection against clients making requests too quickly.
|
||||
#
|
||||
# When a client is making more than 100 requests (excluding static files) within
|
||||
# 60 seconds, this is considered a 'burst'. After two bursts, the client is
|
||||
# blocked for 600 seconds.
|
||||
#
|
||||
# Requests to static files are not counted towards DoS; they are listed in the
|
||||
# 'tx.static_extensions' setting, which you can change in this file (see
|
||||
# section "HTTP Policy Settings").
|
||||
#
|
||||
# For a detailed description, see rule file REQUEST-912-DOS-PROTECTION.conf.
|
||||
#
|
||||
# Uncomment this rule to use this feature:
|
||||
#
|
||||
#SecAction \
|
||||
# "id:900700,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:'tx.dos_burst_time_slice=60',\
|
||||
# setvar:'tx.dos_counter_threshold=100',\
|
||||
# setvar:'tx.dos_block_timeout=600'"
|
||||
|
||||
|
||||
#
|
||||
# -- [[ Check UTF-8 encoding ]] ------------------------------------------------
|
||||
#
|
||||
# The CRS can optionally check request contents for invalid UTF-8 encoding.
|
||||
# We only want to apply this check if UTF-8 encoding is actually used by the
|
||||
# site; otherwise it will result in false positives.
|
||||
#
|
||||
# Uncomment this rule to use this feature:
|
||||
#
|
||||
#SecAction \
|
||||
# "id:900950,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:tx.crs_validate_utf8_encoding=1"
|
||||
|
||||
|
||||
#
|
||||
# -- [[ Blocking Based on IP Reputation ]] ------------------------------------
|
||||
#
|
||||
# Blocking based on reputation is permanent in the CRS. Unlike other rules,
|
||||
# which look at the indvidual request, the blocking of IPs is based on
|
||||
# a persistent record in the IP collection, which remains active for a
|
||||
# certain amount of time.
|
||||
#
|
||||
# There are two ways an individual client can become flagged for blocking:
|
||||
# - External information (RBL, GeoIP, etc.)
|
||||
# - Internal information (Core Rules)
|
||||
#
|
||||
# The record in the IP collection carries a flag, which tags requests from
|
||||
# individual clients with a flag named IP.reput_block_flag.
|
||||
# But the flag alone is not enough to have a client blocked. There is also
|
||||
# a global switch named tx.do_reput_block. This is off by default. If you set
|
||||
# it to 1 (=On), requests from clients with the IP.reput_block_flag will
|
||||
# be blocked for a certain duration.
|
||||
#
|
||||
# Variables
|
||||
# ip.reput_block_flag Blocking flag for the IP collection record
|
||||
# ip.reput_block_reason Reason (= rule message) that caused to blocking flag
|
||||
# tx.do_reput_block Switch deciding if we really block based on flag
|
||||
# tx.reput_block_duration Setting to define the duration of a block
|
||||
#
|
||||
# It may be important to know, that all the other core rules are skipped for
|
||||
# requests, when it is clear that they carry the blocking flag in question.
|
||||
#
|
||||
# Uncomment this rule to use this feature:
|
||||
#
|
||||
#SecAction \
|
||||
# "id:900960,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:tx.do_reput_block=1"
|
||||
#
|
||||
# Uncomment this rule to change the blocking time:
|
||||
# Default: 300 (5 minutes)
|
||||
#
|
||||
#SecAction \
|
||||
# "id:900970,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# setvar:tx.reput_block_duration=300"
|
||||
|
||||
|
||||
#
|
||||
# -- [[ Collection timeout ]] --------------------------------------------------
|
||||
#
|
||||
# Set the SecCollectionTimeout directive from the ModSecurity default (1 hour)
|
||||
# to a lower setting which is appropriate to most sites.
|
||||
# This increases performance by cleaning out stale collection (block) entries.
|
||||
#
|
||||
# This value should be greater than or equal to:
|
||||
# tx.reput_block_duration (see section "Blocking Based on IP Reputation") and
|
||||
# tx.dos_block_timeout (see section "Anti-Automation / DoS Protection").
|
||||
#
|
||||
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecCollectionTimeout
|
||||
|
||||
# Please keep this directive uncommented.
|
||||
# Default: 600 (10 minutes)
|
||||
SecCollectionTimeout 600
|
||||
|
||||
|
||||
#
|
||||
# -- [[ Debug Mode ]] ----------------------------------------------------------
|
||||
#
|
||||
# To enable rule development and debugging, CRS has an optional debug mode
|
||||
# that does not block a request, but instead sends detection information
|
||||
# back to the HTTP client.
|
||||
#
|
||||
# This functionality is currently only supported with the Apache web server.
|
||||
# The Apache mod_headers module is required.
|
||||
#
|
||||
# In debug mode, the webserver inserts "X-WAF-Events" / "X-WAF-Score"
|
||||
# response headers whenever a debug client makes a request. Example:
|
||||
#
|
||||
# # curl -v 'http://192.168.1.100/?foo=../etc/passwd'
|
||||
# X-WAF-Events: TX:930110-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-REQUEST_URI,
|
||||
# TX:930120-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-ARGS:foo,
|
||||
# TX:932160-OWASP_CRS/WEB_ATTACK/RCE-ARGS:foo
|
||||
# X-WAF-Score: Total=15; sqli=0; xss=0; rfi=0; lfi=10; rce=5; php=0; http=0; ses=0
|
||||
#
|
||||
# To enable debug mode, include the RESPONSE-981-DEBUG.conf file.
|
||||
# This file resides in a separate folder, as it is not compatible with
|
||||
# nginx and IIS.
|
||||
#
|
||||
# You must specify the source IP address/network where you will be running the
|
||||
# tests from. The source IP will BYPASS all CRS blocking, and will be sent the
|
||||
# response headers as specified above. Be careful to only list your private
|
||||
# IP addresses/networks here.
|
||||
#
|
||||
# Tip: for regression testing of CRS or your own ModSecurity rules, you may
|
||||
# be interested in using the OWASP CRS regression testing suite instead.
|
||||
# View the file util/regression-tests/README for more information.
|
||||
#
|
||||
# Uncomment these rules, filling in your CRS path and the source IP address,
|
||||
# to enable debug mode:
|
||||
#
|
||||
#Include /path/to/crs/util/debug/RESPONSE-981-DEBUG.conf
|
||||
#SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
|
||||
# "id:900980,\
|
||||
# phase:1,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# t:none,\
|
||||
# ctl:ruleEngine=DetectionOnly,\
|
||||
# setvar:tx.crs_debug_mode=1"
|
||||
|
||||
|
||||
#
|
||||
# -- [[ End of setup ]] --------------------------------------------------------
|
||||
#
|
||||
# The CRS checks the tx.crs_setup_version variable to ensure that the setup
|
||||
# has been loaded. If you are not planning to use this setup template,
|
||||
# you must manually set the tx.crs_setup_version variable before including
|
||||
# the CRS rules/* files.
|
||||
#
|
||||
# The variable is a numerical representation of the CRS version number.
|
||||
# E.g., v3.0.0 is represented as 300.
|
||||
#
|
||||
SecAction \
|
||||
"id:900990,\
|
||||
phase:1,\
|
||||
nolog,\
|
||||
pass,\
|
||||
t:none,\
|
||||
setvar:tx.crs_setup_version=311"
|
|
@ -0,0 +1,165 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
#
|
||||
# The purpose of this file is to hold LOCAL exceptions for your site. The
|
||||
# types of rules that would go into this file are one where you want to
|
||||
# short-circuit inspection and allow certain transactions to pass through
|
||||
# inspection or if you want to alter rules that are applied.
|
||||
#
|
||||
# This file is named REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example for a
|
||||
# very specific reason. Files affixed with the .example extension are designed
|
||||
# to contain user created/modified data. The '.example'. extension should be
|
||||
# renamed to end in .conf. The advantage of this is that when OWASP CRS is
|
||||
# updated, the updates will not overwrite a user generated configuration file.
|
||||
#
|
||||
# As a result of this design paradigm users are encouraged NOT to directly
|
||||
# modify rules. Instead they should use this
|
||||
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and the
|
||||
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS file to modify OWASP rules using
|
||||
# methods similar to the examples specified below.
|
||||
#
|
||||
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and
|
||||
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS serve different purposes. ModSecurity
|
||||
# effectively maintains two different context: startup, and per transaction.
|
||||
# As a rule, directives are processed within the startup context. While they
|
||||
# can affect the per transaction context they generally remain fixed during the
|
||||
# execution of ModSecurity.
|
||||
#
|
||||
# As a result if one wanted to disable a rule at bootup the SecRuleRemoveById
|
||||
# directive or one of its siblings would have to be placed AFTER the rule is
|
||||
# listed, otherwise it will not have knowledge of the rules existence (since
|
||||
# these rules are read in at the same time). This means that when using
|
||||
# directives that effect SecRules, these exceptions should be placed AFTER all
|
||||
# the existing rules. This is why RESPONSE-999-EXCLUSION-RULES-AFTER-CRS is
|
||||
# designed such that it loads LAST.
|
||||
#
|
||||
# Conversely, ModSecurity supports several actions that can change the state of
|
||||
# the underlying configuration during the per transaction context, this is when
|
||||
# rules are being processed. Generally, these are accomplished by using the
|
||||
# 'ctl' action. As these are part of a rule, they will be evaluated in the
|
||||
# order rules are applied (by physical location, considering phases). As a
|
||||
# result of this ordering a 'ctl' action should be placed with consideration to
|
||||
# when it will be executed. This is particularly relevant for the 'ctl' options
|
||||
# that involve modifying ID's (such as ruleRemoveById). In these cases it is
|
||||
# important that such rules are placed BEFORE the rule ID they will affect.
|
||||
# Unlike the setup context, by the time we process rules in the per-transaction
|
||||
# context, we are already aware of all the rule ID's. It is by this logic that
|
||||
# we include rules such as this BEFORE all the remaining rules. As a result
|
||||
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS is designed to load FIRST.
|
||||
#
|
||||
# As a general rule:
|
||||
# ctl:ruleEngine -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
|
||||
# ctl:ruleRemoveById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
|
||||
# ctl:ruleRemoveByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
|
||||
# ctl:ruleRemoveByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
|
||||
# ctl:ruleRemoveTargetById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
|
||||
# ctl:ruleRemoveTargetByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
|
||||
# ctl:ruleRemoveTargetByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
|
||||
#
|
||||
# SecRuleRemoveById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
|
||||
# SecRuleRemoveByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
|
||||
# SecRuleRemoveByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
|
||||
# SecRuleUpdateActionById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
|
||||
# SecRuleUpdateTargetById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
|
||||
# SecRuleUpdateTargetByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
|
||||
# SecRuleUpdateTargetByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
|
||||
#
|
||||
#
|
||||
# What follows are a group of examples that show you how to perform rule
|
||||
# exclusions.
|
||||
#
|
||||
#
|
||||
# Example Exclusion Rule: Disable inspection for an authorized client
|
||||
#
|
||||
# This ruleset allows you to control how ModSecurity will handle traffic
|
||||
# originating from Authorized Vulnerability Scanning (AVS) sources. See
|
||||
# related blog post -
|
||||
# http://blog.spiderlabs.com/2010/12/advanced-topic-of-the-week-handling-authorized-scanning-traffic.html
|
||||
#
|
||||
# White-list ASV network block (no blocking or logging of AVS traffic) Update
|
||||
# IP network block as appropriate for your AVS traffic
|
||||
#
|
||||
# ModSec Rule Exclusion: Disable Rule Engine for known ASV IP
|
||||
# SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
|
||||
# "id:1000,\
|
||||
# phase:1,\
|
||||
# pass,\
|
||||
# nolog,\
|
||||
# ctl:ruleEngine=Off"
|
||||
#
|
||||
#
|
||||
# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
|
||||
# for an individual rule
|
||||
#
|
||||
# This rule shows how to conditionally exclude the "password"
|
||||
# parameter for rule 942100 when the REQUEST_URI is /index.php
|
||||
# ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection
|
||||
#
|
||||
# SecRule REQUEST_URI "@beginsWith /index.php" \
|
||||
# "id:1001,\
|
||||
# phase:1,\
|
||||
# pass,\
|
||||
# nolog,\
|
||||
# ctl:ruleRemoveTargetById=942100;ARGS:password"
|
||||
#
|
||||
#
|
||||
# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
|
||||
# for only certain attacks
|
||||
#
|
||||
# Attack rules within the CRS are tagged, with tags such as 'attack-lfi',
|
||||
# 'attack-sqli', 'attack-xss', 'attack-injection-php', et cetera.
|
||||
#
|
||||
# ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
|
||||
# for all rules tagged attack-sqli
|
||||
# SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
|
||||
# "id:1002,\
|
||||
# phase:2,\
|
||||
# pass,\
|
||||
# nolog,\
|
||||
# ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:pwd"
|
||||
#
|
||||
|
||||
# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
|
||||
# for all CRS rules
|
||||
#
|
||||
# This rule illustrates that we can use tagging very effectively to whitelist a
|
||||
# common false positive across an entire ModSecurity instance. This can be done
|
||||
# because every rule in OWASP_CRS is tagged with OWASP_CRS. This will NOT
|
||||
# affect custom rules.
|
||||
#
|
||||
# ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
|
||||
# for all CRS rules
|
||||
# SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
|
||||
# "id:1003,\
|
||||
# phase:2,\
|
||||
# pass,\
|
||||
# nolog,\
|
||||
# ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"
|
||||
|
||||
#
|
||||
# Example Exclusion Rule: Removing a range of rules
|
||||
#
|
||||
# This rule illustrates that we can remove a rule range via a ctl action.
|
||||
# This uses the fact, that rules are grouped by topic in rule files covering
|
||||
# a certain id range.
|
||||
#
|
||||
# ModSecurity Rule Exclusion: Disable all SQLi and XSS rules
|
||||
# SecRule REQUEST_FILENAME "@beginsWith /admin" \
|
||||
# "id:1004,\
|
||||
# phase:2,\
|
||||
# pass,\
|
||||
# nolog,\
|
||||
# ctl:ruleRemoveById=941000-942999"
|
||||
#
|
||||
#
|
||||
# The application specific rule exclusion files
|
||||
# REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
|
||||
# REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
|
||||
# bring additional examples which can be useful then tuning a service.
|
|
@ -0,0 +1,424 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
#
|
||||
# This file REQUEST-901-INITIALIZATION.conf initializes the Core Rules
|
||||
# and performs preparatory actions. It also fixes errors and omissions
|
||||
# of variable definitions in the file crs-setup.conf.
|
||||
# The setup.conf can and should be edited by the user, this file
|
||||
# is part of the CRS installation and should not be altered.
|
||||
#
|
||||
|
||||
|
||||
#
|
||||
# -=[ Rules Version ]=-
|
||||
#
|
||||
# Rule version data is added to the "Producer" line of Section H of the Audit log:
|
||||
#
|
||||
# - Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.1.1.
|
||||
#
|
||||
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature
|
||||
#
|
||||
SecComponentSignature "OWASP_CRS/3.1.1"
|
||||
|
||||
#
|
||||
# -=[ Default setup values ]=-
|
||||
#
|
||||
# The CRS checks the tx.crs_setup_version variable to ensure that the setup
|
||||
# file is included at the correct time. This detects situations where
|
||||
# necessary settings are not defined, for instance if the file
|
||||
# inclusion order is incorrect, or if the user has forgotten to
|
||||
# include the crs-setup.conf file.
|
||||
#
|
||||
# If you are upgrading from an earlier version of the CRS and you are
|
||||
# getting this error, please make a new copy of the setup template
|
||||
# crs-setup.conf.example to crs-setup.conf, and re-apply your policy
|
||||
# changes. There have been many changes in settings syntax from CRS2
|
||||
# to CRS3, so an old setup file may cause unwanted behavior.
|
||||
#
|
||||
# If you are not planning to use the crs-setup.conf template, you must
|
||||
# manually set the tx.crs_setup_version variable before including
|
||||
# the CRS rules/* files.
|
||||
#
|
||||
# The variable is a numerical representation of the CRS version number.
|
||||
# E.g., v3.0.0 is represented as 300.
|
||||
#
|
||||
|
||||
SecRule &TX:crs_setup_version "@eq 0" \
|
||||
"id:901001,\
|
||||
phase:1,\
|
||||
deny,\
|
||||
status:500,\
|
||||
log,\
|
||||
auditlog,\
|
||||
msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions.',\
|
||||
severity:'CRITICAL'"
|
||||
|
||||
|
||||
#
|
||||
# -=[ Default setup values ]=-
|
||||
#
|
||||
# Some constructs or individual rules will fail if certain parameters
|
||||
# are not set in the setup.conf file. The following rules will catch
|
||||
# these cases and assign sane default values.
|
||||
#
|
||||
|
||||
# Default Inbound Anomaly Threshold Level (rule 900110 in setup.conf)
|
||||
SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
|
||||
"id:901100,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
setvar:'tx.inbound_anomaly_score_threshold=5'"
|
||||
|
||||
# Default Outbound Anomaly Threshold Level (rule 900110 in setup.conf)
|
||||
SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
|
||||
"id:901110,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
setvar:'tx.outbound_anomaly_score_threshold=4'"
|
||||
|
||||
# Default Paranoia Level (rule 900000 in setup.conf)
|
||||
SecRule &TX:paranoia_level "@eq 0" \
|
||||
"id:901120,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
setvar:'tx.paranoia_level=1'"
|
||||
|
||||
# Default Executing Paranoia Level (rule 900000 in setup.conf)
|
||||
SecRule &TX:executing_paranoia_level "@eq 0" \
|
||||
"id:901125,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
setvar:'tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}'"
|
||||
|
||||
# Default Sampling Percentage (rule 900400 in setup.conf)
|
||||
SecRule &TX:sampling_percentage "@eq 0" \
|
||||
"id:901130,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
setvar:'tx.sampling_percentage=100'"
|
||||
|
||||
# Default Anomaly Scores (rule 900100 in setup.conf)
|
||||
SecRule &TX:critical_anomaly_score "@eq 0" \
|
||||
"id:901140,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
setvar:'tx.critical_anomaly_score=5'"
|
||||
|
||||
SecRule &TX:error_anomaly_score "@eq 0" \
|
||||
"id:901141,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
setvar:'tx.error_anomaly_score=4'"
|
||||
|
||||
SecRule &TX:warning_anomaly_score "@eq 0" \
|
||||
"id:901142,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
setvar:'tx.warning_anomaly_score=3'"
|
||||
|
||||
SecRule &TX:notice_anomaly_score "@eq 0" \
|
||||
"id:901143,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
setvar:'tx.notice_anomaly_score=2'"
|
||||
|
||||
# Default do_reput_block
|
||||
SecRule &TX:do_reput_block "@eq 0" \
|
||||
"id:901150,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
setvar:'tx.do_reput_block=0'"
|
||||
|
||||
# Default block duration
|
||||
SecRule &TX:reput_block_duration "@eq 0" \
|
||||
"id:901152,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
setvar:'tx.reput_block_duration=300'"
|
||||
|
||||
# Default HTTP policy: allowed_methods (rule 900200)
|
||||
SecRule &TX:allowed_methods "@eq 0" \
|
||||
"id:901160,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
|
||||
|
||||
# Default HTTP policy: allowed_request_content_type (rule 900220)
|
||||
SecRule &TX:allowed_request_content_type "@eq 0" \
|
||||
"id:901162,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text/plain'"
|
||||
|
||||
# Default HTTP policy: allowed_request_content_type_charset (rule 900270)
|
||||
SecRule &TX:allowed_request_content_type_charset "@eq 0" \
|
||||
"id:901168,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
|
||||
|
||||
# Default HTTP policy: allowed_http_versions (rule 900230)
|
||||
SecRule &TX:allowed_http_versions "@eq 0" \
|
||||
"id:901163,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
|
||||
|
||||
# Default HTTP policy: restricted_extensions (rule 900240)
|
||||
SecRule &TX:restricted_extensions "@eq 0" \
|
||||
"id:901164,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
|
||||
|
||||
# Default HTTP policy: restricted_headers (rule 900250)
|
||||
SecRule &TX:restricted_headers "@eq 0" \
|
||||
"id:901165,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /translate/ /if/'"
|
||||
|
||||
# Default HTTP policy: static_extensions (rule 900260)
|
||||
SecRule &TX:static_extensions "@eq 0" \
|
||||
"id:901166,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
|
||||
|
||||
# Default enforcing of body processor URLENCODED
|
||||
SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
|
||||
"id:901167,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
setvar:'tx.enforce_bodyproc_urlencoded=0'"
|
||||
|
||||
|
||||
#
|
||||
# -=[ Initialize internal variables ]=-
|
||||
#
|
||||
|
||||
# Initialize anomaly scoring variables.
|
||||
# All _score variables start at 0, and are incremented by the various rules
|
||||
# upon detection of a possible attack.
|
||||
# sql_error_match is used for shortcutting rules for performance reasons.
|
||||
|
||||
SecAction \
|
||||
"id:901200,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
setvar:'tx.anomaly_score=0',\
|
||||
setvar:'tx.anomaly_score_pl1=0',\
|
||||
setvar:'tx.anomaly_score_pl2=0',\
|
||||
setvar:'tx.anomaly_score_pl3=0',\
|
||||
setvar:'tx.anomaly_score_pl4=0',\
|
||||
setvar:'tx.sql_injection_score=0',\
|
||||
setvar:'tx.xss_score=0',\
|
||||
setvar:'tx.rfi_score=0',\
|
||||
setvar:'tx.lfi_score=0',\
|
||||
setvar:'tx.rce_score=0',\
|
||||
setvar:'tx.php_injection_score=0',\
|
||||
setvar:'tx.http_violation_score=0',\
|
||||
setvar:'tx.session_fixation_score=0',\
|
||||
setvar:'tx.inbound_anomaly_score=0',\
|
||||
setvar:'tx.outbound_anomaly_score=0',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=0',\
|
||||
setvar:'tx.outbound_anomaly_score_pl2=0',\
|
||||
setvar:'tx.outbound_anomaly_score_pl3=0',\
|
||||
setvar:'tx.outbound_anomaly_score_pl4=0',\
|
||||
setvar:'tx.sql_error_match=0'"
|
||||
|
||||
|
||||
#
|
||||
# -=[ Initialize collections ]=-
|
||||
#
|
||||
# Create both Global and IP collections for rules to use.
|
||||
# There are some CRS rules that assume that these two collections
|
||||
# have already been initiated.
|
||||
#
|
||||
|
||||
SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \
|
||||
"id:901318,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,t:sha1,t:hexEncode,\
|
||||
nolog,\
|
||||
setvar:'tx.ua_hash=%{MATCHED_VAR}'"
|
||||
|
||||
SecAction \
|
||||
"id:901321,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
initcol:global=global,\
|
||||
initcol:ip=%{remote_addr}_%{tx.ua_hash},\
|
||||
setvar:'tx.real_ip=%{remote_addr}'"
|
||||
|
||||
#
|
||||
# -=[ Initialize Correct Body Processing ]=-
|
||||
#
|
||||
# Force request body variable and optionally request body processor
|
||||
#
|
||||
|
||||
# Force body variable
|
||||
SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
|
||||
"id:901340,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
msg:'Enabling body inspection',\
|
||||
tag:'paranoia-level/1',\
|
||||
ctl:forceRequestBodyVariable=On,\
|
||||
ver:'OWASP_CRS/3.1.1'"
|
||||
|
||||
# Force body processor URLENCODED
|
||||
SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
|
||||
"id:901350,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,t:urlDecodeUni,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
msg:'Enabling forced body inspection for ASCII content',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
chain"
|
||||
SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
|
||||
"ctl:requestBodyProcessor=URLENCODED"
|
||||
|
||||
|
||||
#
|
||||
# -=[ Easing In / Sampling Percentage ]=-
|
||||
#
|
||||
# This is used to send only a limited percentage of requests into the Core
|
||||
# Rule Set. The selection is based on TX.sampling_percentage and a pseudo
|
||||
# random number calculated below.
|
||||
#
|
||||
# Use this to ease into a new Core Rules installation with an existing
|
||||
# productive service.
|
||||
#
|
||||
# See
|
||||
# https://www.netnea.com/cms/2016/04/26/easing-in-conditional-modsecurity-rule-execution-based-on-pseudo-random-numbers/
|
||||
#
|
||||
|
||||
#
|
||||
# Generate the pseudo random number
|
||||
#
|
||||
# ATTENTION: This is no cryptographically secure random number. It's just
|
||||
# a cheap way to get some random number suitable for sampling.
|
||||
#
|
||||
# We take the entropy contained in the UNIQUE_ID. We hash that variable and
|
||||
# take the first integer numbers out of it. Theoretically, it is possible
|
||||
# there are no integers in a sha1 hash. We make sure we get two
|
||||
# integer numbers by taking the last two digits from the DURATION counter
|
||||
# (in microseconds).
|
||||
# Finally, leading zeros are removed from the two-digit random number.
|
||||
#
|
||||
|
||||
SecRule TX:sampling_percentage "@eq 100" \
|
||||
"id:901400,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
nolog,\
|
||||
skipAfter:END-SAMPLING"
|
||||
|
||||
SecRule UNIQUE_ID "@rx ^." \
|
||||
"id:901410,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:sha1,t:hexEncode,\
|
||||
nolog,\
|
||||
setvar:'TX.sampling_rnd100=%{MATCHED_VAR}'"
|
||||
|
||||
SecRule DURATION "@rx (..)$" \
|
||||
"id:901420,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
capture,\
|
||||
nolog,\
|
||||
setvar:'TX.sampling_rnd100=%{TX.sampling_rnd100}%{TX.1}'"
|
||||
|
||||
SecRule TX:sampling_rnd100 "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
|
||||
"id:901430,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
capture,\
|
||||
nolog,\
|
||||
setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'"
|
||||
|
||||
SecRule TX:sampling_rnd100 "@rx ^0([0-9])" \
|
||||
"id:901440,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
capture,\
|
||||
nolog,\
|
||||
setvar:'TX.sampling_rnd100=%{TX.1}'"
|
||||
|
||||
|
||||
#
|
||||
# Sampling decision
|
||||
#
|
||||
# If a request is allowed to pass without being checked by the CRS, there is no
|
||||
# entry in the audit log (for performance reasons), but an error log entry is
|
||||
# being written. If you want to disable the error log entry, then issue the
|
||||
# following directive somewhere after the inclusion of the CRS
|
||||
# (E.g., RESPONSE-999-EXCEPTIONS.conf).
|
||||
#
|
||||
# SecRuleUpdateActionById 901450 "nolog"
|
||||
#
|
||||
|
||||
|
||||
SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
|
||||
"id:901450,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
log,\
|
||||
noauditlog,\
|
||||
msg:'Sampling: Disable the rule engine based on sampling_percentage \
|
||||
%{TX.sampling_percentage} and random number %{TX.sampling_rnd100}.',\
|
||||
ctl:ruleEngine=Off"
|
||||
|
||||
SecMarker "END-SAMPLING"
|
||||
|
||||
|
||||
#
|
||||
# Configuration Plausibility Checks
|
||||
#
|
||||
|
||||
# Make sure executing paranoia level is not lower than paranoia level
|
||||
SecRule TX:executing_paranoia_level "@lt %{tx.paranoia_level}" \
|
||||
"id:901500,\
|
||||
phase:1,\
|
||||
deny,\
|
||||
status:500,\
|
||||
t:none,\
|
||||
log,\
|
||||
msg:'Executing paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting.'"
|
|
@ -0,0 +1,382 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
# These exclusions remedy false positives in a default Drupal install.
|
||||
# The exclusions are only active if crs_exclusions_drupal=1 is set.
|
||||
# See rule 900130 in crs-setup.conf.example for instructions.
|
||||
|
||||
#
|
||||
# [ POLICY ]
|
||||
#
|
||||
# Drupal is a complex application that is hard to secure with the CRS. This set
|
||||
# of exclusion rules aims to sanitise the CRS in a way that allows a default
|
||||
# Drupal setup to be installed and configured without much hassle as far as
|
||||
# ModSecurity and the CRS are concerned.
|
||||
#
|
||||
# The exclusion rules are fairly straight forward in the sense that they
|
||||
# disable CRS on a set of well-known parameter fields that are often the source
|
||||
# of false positives / false alarms of the CRS. This includes namely the
|
||||
# session cookie, the password fields and article/node bodies.
|
||||
#
|
||||
# This is based on two assumptions: - You have a basic trust in your
|
||||
# authenticated users who are allowed to edit nodes. - Drupal allows html
|
||||
# content in nodes and it protects your users from attacks via these fields.
|
||||
#
|
||||
# If you think these assumptions are wrong or if you would prefer a more
|
||||
# careful/secure approach, you can disable the exclusion rules handling of said
|
||||
# node body false positives. Do this by placing the following directive in
|
||||
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.
|
||||
#
|
||||
# SecRuleRemoveById 9001200-9001299
|
||||
#
|
||||
# This will mean the CRS remain intact for the editing of node bodies.
|
||||
#
|
||||
# The exclusion rules in this file work without the need to define a Drupal
|
||||
# installation path prefix. Instead they look at the URI from the end - or
|
||||
# they use regular expressions when targeting dynamic URL. This is all not
|
||||
# totally foolproof. In some cases, an advanced attacker might be able to
|
||||
# doctor a request in a way that one of these exclusion rules is triggered
|
||||
# and the request will bypass all further inspection despite not being a
|
||||
# Drupal request at all. These exclusion rules could thus be leveraged to
|
||||
# disable the CRS completely. This is why these rules are off by default.
|
||||
#
|
||||
# The CRS rules covered by this ruleset are the rules with Paranoia Level 1 and
|
||||
# 2. If you chose to run Paranoia Level 3 or 4, you will be facing additional
|
||||
# false positives which you need to handle yourself.
|
||||
#
|
||||
# This set of exclusion rules does not cover any additional Drupal modules
|
||||
# outside of core.
|
||||
#
|
||||
# The exclusion rules are based on Drupal 8.1.10.
|
||||
#
|
||||
# And finally: This set of exclusion rules is in an experimental state. If you
|
||||
# encounter false positives with the basic Drupal functionality and they are
|
||||
# not covered by this rule file, then please report them. The aim is to be able
|
||||
# to install and run Drupal core in a seamless manner protected by
|
||||
# ModSecurity / CRS up to the paranoia level 2.
|
||||
|
||||
|
||||
SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \
|
||||
"id:9001000,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
|
||||
|
||||
|
||||
# [ Table of Contents ]
|
||||
#
|
||||
# 9001100 Session Cookie
|
||||
# 9001110 Password
|
||||
# 9001120 FREE for use
|
||||
# 9001130 FREE for use
|
||||
# 9001140 Content and Descriptions
|
||||
# 9001150 FREE for use
|
||||
# 9001160 Form Token
|
||||
# 9001170 Text Formats and Editors
|
||||
# 9001180 WYSIWYG/CKEditor Assets and Upload
|
||||
# 9001190 FREE for use
|
||||
# 9001200 Content and Descriptions
|
||||
#
|
||||
# The rule id range from 9001200 to 9001999 is reserved for future
|
||||
# use (Drupal plugins / modules).
|
||||
|
||||
|
||||
# [ Session Cookie ]
|
||||
#
|
||||
# Giving the session cookie a dynamic name is most unfortunate
|
||||
# from a ModSecurity perspective. The rule language does not allow
|
||||
# us to disable rules in a granular way for individual cookies with
|
||||
# dynamic names. So we need to disable rule causing false positives
|
||||
# for all cookies and their names.
|
||||
#
|
||||
# Rule Exclusion Session Cookie: 942450 SQL Hex Encoding Identified
|
||||
#
|
||||
SecAction "id:9001100,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES_NAMES,\
|
||||
ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES"
|
||||
|
||||
|
||||
#
|
||||
# [ Password ]
|
||||
#
|
||||
# Disable the CRS completely for all occurrences of passwords.
|
||||
#
|
||||
SecRule REQUEST_FILENAME "@endsWith /core/install.php" \
|
||||
"id:9001110,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:account[pass][pass1],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:account[pass][pass2]"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /user/login" \
|
||||
"id:9001112,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/people/create" \
|
||||
"id:9001114,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass1],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass2]"
|
||||
|
||||
SecRule REQUEST_FILENAME "@rx /user/[0-9]+/edit$" \
|
||||
"id:9001116,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:current_pass,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass1],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass2]"
|
||||
|
||||
|
||||
#
|
||||
# [ Admin Settings (general) ]
|
||||
#
|
||||
# Disable known false positives for various fields used on admin pages.
|
||||
#
|
||||
# Rule Exclusion: 920271 Invalid character in request on multiple fields/paths
|
||||
# Rule Exclusion: 942430 Restricted SQL Character Anomaly Detection (args)
|
||||
# Disabled completely for admin/config pages
|
||||
# For the people/accounts page, we disable the CRS completely for a number of
|
||||
# freeform text fields.
|
||||
#
|
||||
SecRule REQUEST_FILENAME "@contains /admin/config/" \
|
||||
"id:9001122,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveById=942430"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/config/people/accounts" \
|
||||
"id:9001124,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveById=920271,\
|
||||
ctl:ruleRemoveById=942440,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_cancel_confirm_body,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_password_reset_body,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_register_admin_created_body,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_register_no_approval_required_body,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_register_pending_approval_body,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_status_activated_body,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_status_blocked_body,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_status_canceled_body"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/configuration/single/import" \
|
||||
"id:9001126,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveById=920271,\
|
||||
ctl:ruleRemoveById=942440"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
|
||||
"id:9001128,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveById=942440"
|
||||
|
||||
|
||||
#
|
||||
#
|
||||
# [ Content and Descriptions ]
|
||||
#
|
||||
# Disable known false positives for field "ids[]".
|
||||
#
|
||||
# Rule Exclusion: 942130 SQL Injection Attack: SQL Tautology Detected
|
||||
#
|
||||
SecRule REQUEST_FILENAME "@endsWith /contextual/render" \
|
||||
"id:9001140,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=942130;ARGS:ids[]"
|
||||
|
||||
|
||||
#
|
||||
# [ Form Token / Build ID ]
|
||||
#
|
||||
# Rule Exclusion for form_build_id: 942440 SQL Comment Sequence Detected on ...
|
||||
# Rule Exclusion for form_token: 942450 SQL Hex Encoding
|
||||
# Rule Exclusion for form_build_id: 942450 SQL Hex Encoding
|
||||
#
|
||||
# This is applied site-wide.
|
||||
#
|
||||
SecAction "id:9001160,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=942440;ARGS:form_build_id,\
|
||||
ctl:ruleRemoveTargetById=942450;ARGS:form_token,\
|
||||
ctl:ruleRemoveTargetById=942450;ARGS:form_build_id"
|
||||
|
||||
|
||||
#
|
||||
# [ Text Formats and Editors ]
|
||||
#
|
||||
# Disable the CRS completely for two fields triggering many, many rules
|
||||
#
|
||||
# Rule Exclusion for two fields: 942440 SQL Comment Sequence Detected
|
||||
#
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/config/content/formats/manage/full_html" \
|
||||
"id:9001170,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:editor[settings][toolbar][button_groups],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:filters[filter_html][settings][allowed_html]"
|
||||
|
||||
|
||||
#
|
||||
# [ WYSIWYG/CKEditor Assets and Upload ]
|
||||
#
|
||||
# Disable the unnecessary requestBodyAccess and for binary uploads
|
||||
# bigger than an arbitrary limit of 31486341 bytes.
|
||||
#
|
||||
# Extensive checks make sure these uploads are really legitimate.
|
||||
#
|
||||
SecRule REQUEST_METHOD "@streq POST" \
|
||||
"id:9001180,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
chain"
|
||||
SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \
|
||||
"chain"
|
||||
SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
|
||||
"ctl:requestBodyAccess=Off"
|
||||
|
||||
SecRule REQUEST_METHOD "@streq POST" \
|
||||
"id:9001182,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
chain"
|
||||
SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \
|
||||
"chain"
|
||||
SecRule ARGS:destination "@streq admin/content/assets" \
|
||||
"chain"
|
||||
SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
|
||||
"chain"
|
||||
SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
|
||||
"ctl:requestBodyAccess=Off"
|
||||
|
||||
SecRule REQUEST_METHOD "@streq POST" \
|
||||
"id:9001184,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
chain"
|
||||
SecRule REQUEST_FILENAME "@rx /file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \
|
||||
"chain"
|
||||
SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
|
||||
"chain"
|
||||
SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
|
||||
"chain"
|
||||
SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
|
||||
"ctl:requestBodyAccess=Off"
|
||||
|
||||
|
||||
#
|
||||
# [ Content and Descriptions ]
|
||||
#
|
||||
# Disable the CRS completely for node bodies and other free text fields.
|
||||
# Other rules are disabled individually.
|
||||
#
|
||||
# Rule Exclusion for ARGS:uid[0][target_id]: 942410 SQL Injection Attack
|
||||
# Rule Exclusion for ARGS:destination: 932110 RCE: Windows Command Inj.
|
||||
#
|
||||
SecRule REQUEST_FILENAME "@endsWith /node/add/article" \
|
||||
"id:9001200,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value],\
|
||||
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id]"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /node/add/page" \
|
||||
"id:9001202,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value],\
|
||||
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id]"
|
||||
|
||||
SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \
|
||||
"id:9001204,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value],\
|
||||
ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
|
||||
ctl:ruleRemoveTargetById=932110;ARGS:destination"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /block/add" \
|
||||
"id:9001206,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value]"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/basic" \
|
||||
"id:9001208,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:description"
|
||||
|
||||
SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(?:full|basic)_html$" \
|
||||
"id:9001210,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:value"
|
||||
|
||||
SecRule REQUEST_FILENAME "@rx /user/[0-9]+/contact$" \
|
||||
"id:9001212,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:message[0][value]"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
|
||||
"id:9001214,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:maintenance_mode_message"
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /admin/config/services/rss-publishing" \
|
||||
"id:9001216,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:feed_description"
|
||||
|
||||
|
||||
SecMarker "END-DRUPAL-RULE-EXCLUSIONS"
|
|
@ -0,0 +1,639 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
# These exclusions remedy false positives in a default WordPress install.
|
||||
# The exclusions are only active if crs_exclusions_wordpress=1 is set.
|
||||
# See rule 900130 in crs-setup.conf.example for instructions.
|
||||
#
|
||||
# Note that the WordPress comment field itself is currently NOT excluded
|
||||
# from checking. The reason is that malicious content is regularly being
|
||||
# posted to WordPress comment forms, and there have been various cases
|
||||
# of XSS and even RCE vulnerabilities exploited by WordPress comments.
|
||||
|
||||
SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
|
||||
"id:9002000,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
skipAfter:END-WORDPRESS"
|
||||
|
||||
SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \
|
||||
"id:9002001,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
skipAfter:END-WORDPRESS"
|
||||
|
||||
|
||||
#
|
||||
# -=[ WordPress Front-End ]=-
|
||||
#
|
||||
|
||||
|
||||
#
|
||||
# [ Login form ]
|
||||
#
|
||||
|
||||
# User login password
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
|
||||
"id:9002100,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"
|
||||
|
||||
# Reset password
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
|
||||
"id:9002120,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq resetpass" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS:action "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"
|
||||
|
||||
|
||||
#
|
||||
# [ Comments ]
|
||||
#
|
||||
|
||||
# Post comment
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-comments-post.php" \
|
||||
"id:9002130,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:url"
|
||||
|
||||
|
||||
#
|
||||
# [ Live preview ]
|
||||
# Used when an administrator customizes the site and previews the result
|
||||
# as a normal user.
|
||||
#
|
||||
|
||||
# Theme select
|
||||
# Example: wp_customize=on&theme=twentyfifteen&customized=
|
||||
# {"old_sidebars_widgets_data":{"wp_inactive_widgets":[],
|
||||
# "sidebar-1":["search-2","recent-posts-2","recent-comments-2",
|
||||
# "archives-2","categories-2","meta-2"]}}&nonce=XXX&
|
||||
# customize_messenger_channel=preview-0
|
||||
SecRule ARGS:wp_customize "@streq on" \
|
||||
"id:9002150,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule &ARGS:action "@eq 0" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetById=942200;ARGS:customized,\
|
||||
ctl:ruleRemoveTargetById=942260;ARGS:customized,\
|
||||
ctl:ruleRemoveTargetById=942300;ARGS:customized,\
|
||||
ctl:ruleRemoveTargetById=942330;ARGS:customized,\
|
||||
ctl:ruleRemoveTargetById=942340;ARGS:customized,\
|
||||
ctl:ruleRemoveTargetById=942370;ARGS:customized,\
|
||||
ctl:ruleRemoveTargetById=942430;ARGS:customized,\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS:customized,\
|
||||
ctl:ruleRemoveTargetById=942460;ARGS:customized"
|
||||
|
||||
# Appearance -> Widgets -> Live Preview
|
||||
SecRule ARGS:wp_customize "@streq on" \
|
||||
"id:9002160,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule ARGS:action "@rx ^(?:|customize_save|update-widget)$" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS:action "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetById=942200;ARGS:customized,\
|
||||
ctl:ruleRemoveTargetById=942260;ARGS:customized,\
|
||||
ctl:ruleRemoveTargetById=942300;ARGS:customized,\
|
||||
ctl:ruleRemoveTargetById=942330;ARGS:customized,\
|
||||
ctl:ruleRemoveTargetById=942340;ARGS:customized,\
|
||||
ctl:ruleRemoveTargetById=942370;ARGS:customized,\
|
||||
ctl:ruleRemoveTargetById=942430;ARGS:customized,\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS:customized,\
|
||||
ctl:ruleRemoveTargetById=942460;ARGS:customized,\
|
||||
ctl:ruleRemoveTargetById=920230;ARGS:partials,\
|
||||
ctl:ruleRemoveTargetById=941320;ARGS:partials,\
|
||||
ctl:ruleRemoveTargetById=942180;ARGS:partials,\
|
||||
ctl:ruleRemoveTargetById=942200;ARGS:partials,\
|
||||
ctl:ruleRemoveTargetById=942260;ARGS:partials,\
|
||||
ctl:ruleRemoveTargetById=942330;ARGS:partials,\
|
||||
ctl:ruleRemoveTargetById=942340;ARGS:partials,\
|
||||
ctl:ruleRemoveTargetById=942370;ARGS:partials,\
|
||||
ctl:ruleRemoveTargetById=942430;ARGS:partials,\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS:partials,\
|
||||
ctl:ruleRemoveTargetById=942460;ARGS:partials"
|
||||
|
||||
|
||||
|
||||
# Self calls to wp-cron.php?doing_wp_cron=[timestamp]
|
||||
# These requests may be missing Accept, Content-Length headers.
|
||||
# This rule must run in phase:1.
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-cron.php" \
|
||||
"id:9002200,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveById=920180,\
|
||||
ctl:ruleRemoveById=920300"
|
||||
|
||||
|
||||
#
|
||||
# [ Cookies ]
|
||||
|
||||
# WP Session Manager
|
||||
# Cookie: _wp_session=[hex]||[timestamp]||[timestamp]
|
||||
# detected SQLi using libinjection with fingerprint 'n&1'
|
||||
SecRule REQUEST_COOKIES:_wp_session "@rx ^[0-9a-f]+\|\|\d+\|\|\d+$" \
|
||||
"id:9002300,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule &REQUEST_COOKIES:_wp_session "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:_wp_session"
|
||||
|
||||
|
||||
#
|
||||
# -=[ WordPress Administration Back-End (wp-admin) ]=-
|
||||
#
|
||||
|
||||
# Skip this section for performance unless /wp-admin/ is in filename
|
||||
|
||||
SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
|
||||
"id:9002400,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
skipAfter:END-WORDPRESS-ADMIN"
|
||||
|
||||
SecRule REQUEST_FILENAME "!@contains /wp-admin/" \
|
||||
"id:9002401,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
skipAfter:END-WORDPRESS-ADMIN"
|
||||
|
||||
|
||||
#
|
||||
# [ Installation ]
|
||||
#
|
||||
|
||||
# WordPress installation: exclude database password
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-admin/setup-config.php" \
|
||||
"id:9002410,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule ARGS:step "@streq 2" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS:step "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"
|
||||
|
||||
# WordPress installation: exclude admin password
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-admin/install.php" \
|
||||
"id:9002420,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule ARGS:step "@streq 2" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS:step "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:admin_password,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:admin_password2,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text"
|
||||
|
||||
|
||||
#
|
||||
# [ User management ]
|
||||
#
|
||||
|
||||
# Edit logged-in user
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-admin/profile.php" \
|
||||
"id:9002520,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq update" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS:action "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:url,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:facebook,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:googleplus,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"
|
||||
|
||||
# Edit user
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-edit.php" \
|
||||
"id:9002530,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq update" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS:action "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:url,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"
|
||||
|
||||
# Create user
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-new.php" \
|
||||
"id:9002540,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq createuser" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS:action "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:url,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"
|
||||
|
||||
|
||||
#
|
||||
# [ General exclusions ]
|
||||
#
|
||||
|
||||
# _wp_http_referer and wp_http_referer are passed on a lot of wp-admin pages
|
||||
SecAction \
|
||||
"id:9002600,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=920230;ARGS:_wp_http_referer,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:_wp_http_referer,\
|
||||
ctl:ruleRemoveTargetById=932150;ARGS:_wp_http_referer,\
|
||||
ctl:ruleRemoveTargetById=941100;ARGS:_wp_http_referer,\
|
||||
ctl:ruleRemoveTargetById=942130;ARGS:_wp_http_referer,\
|
||||
ctl:ruleRemoveTargetById=942200;ARGS:_wp_http_referer,\
|
||||
ctl:ruleRemoveTargetById=942260;ARGS:_wp_http_referer,\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS:_wp_http_referer,\
|
||||
ctl:ruleRemoveTargetById=920230;ARGS:wp_http_referer,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:wp_http_referer,\
|
||||
ctl:ruleRemoveTargetById=932150;ARGS:wp_http_referer,\
|
||||
ctl:ruleRemoveTargetById=941100;ARGS:wp_http_referer,\
|
||||
ctl:ruleRemoveTargetById=942130;ARGS:wp_http_referer,\
|
||||
ctl:ruleRemoveTargetById=942200;ARGS:wp_http_referer,\
|
||||
ctl:ruleRemoveTargetById=942260;ARGS:wp_http_referer,\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS:wp_http_referer"
|
||||
|
||||
#
|
||||
# [ Content editing ]
|
||||
#
|
||||
|
||||
# Edit posts and pages
|
||||
# /wp-admin/post.php, /wp-admin/post.php?t=[timestamp]
|
||||
# - Themes do not properly escape post_title in HTML, so beware of XSS
|
||||
# and be conservative in excluding this parameter.
|
||||
# - Parameter _wp_http_referer can appear multiple times.
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" \
|
||||
"id:9002700,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule ARGS:action "@rx ^(?:edit|editpost)$" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS:action "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:post_title,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:content,\
|
||||
ctl:ruleRemoveById=920272,\
|
||||
ctl:ruleRemoveById=921180"
|
||||
|
||||
# Autosave posts and pages
|
||||
# ARGS_NAMES:data[wp-check-locked-posts][] can appear multiple times
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
|
||||
"id:9002710,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq heartbeat" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS:action "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:data[wp_autosave][post_title],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:data[wp_autosave][content],\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-refresh-post-lock][post_id],\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-refresh-post-lock][lock],\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-check-locked-posts][],\
|
||||
ctl:ruleRemoveById=921180,\
|
||||
ctl:ruleRemoveById=920272"
|
||||
|
||||
# Edit menus
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-admin/nav-menus.php" \
|
||||
"id:9002720,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq update" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS:action "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetById=942460;ARGS:menu-name,\
|
||||
ctl:ruleRemoveTargetById=941330;ARGS:nav-menu-data,\
|
||||
ctl:ruleRemoveTargetById=941340;ARGS:nav-menu-data,\
|
||||
ctl:ruleRemoveTargetById=942200;ARGS:nav-menu-data,\
|
||||
ctl:ruleRemoveTargetById=942260;ARGS:nav-menu-data,\
|
||||
ctl:ruleRemoveTargetById=942330;ARGS:nav-menu-data,\
|
||||
ctl:ruleRemoveTargetById=942340;ARGS:nav-menu-data,\
|
||||
ctl:ruleRemoveTargetById=942430;ARGS:nav-menu-data,\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS:nav-menu-data,\
|
||||
ctl:ruleRemoveTargetById=942460;ARGS:nav-menu-data"
|
||||
|
||||
# Edit text widgets (can contain custom HTML)
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
|
||||
"id:9002730,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule ARGS:action "@rx ^(?:save-widget|update-widget)$" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS:action "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[0][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[1][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[2][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[3][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[4][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[5][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[6][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[7][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[8][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[9][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[10][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[11][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[12][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[13][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[14][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[15][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[16][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[17][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[18][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[19][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[20][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[21][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[22][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[23][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[24][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[25][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[26][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[27][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[28][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[29][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[30][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[31][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[32][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[33][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[34][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[35][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[36][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[37][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[38][text],\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[39][text]"
|
||||
|
||||
# Reorder widgets
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
|
||||
"id:9002740,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq widgets-order" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS:action "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-1],\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-1],\
|
||||
ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-2],\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-2],\
|
||||
ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-3],\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-3],\
|
||||
ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-4],\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-4],\
|
||||
ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-5],\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-5],\
|
||||
ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-6],\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-6],\
|
||||
ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-7],\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-7]"
|
||||
|
||||
# Create permalink sample for new post
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
|
||||
"id:9002750,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq sample-permalink" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS:action "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:new_title"
|
||||
|
||||
# Add external link to menu
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
|
||||
"id:9002760,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq add-menu-item" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS:action "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:menu-item[-1][menu-item-url]"
|
||||
|
||||
# Editor: Add Media, Insert Media, Insert into page
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
|
||||
"id:9002770,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq send-attachment-to-editor" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS:action "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:html"
|
||||
|
||||
|
||||
#
|
||||
# [ Options and Settings ]
|
||||
#
|
||||
|
||||
# Change site URL
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
|
||||
"id:9002800,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule ARGS:option_page "@streq general" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS:option_page "@eq 1" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq update" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS:action "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:home,\
|
||||
ctl:ruleRemoveTargetById=931130;ARGS:siteurl"
|
||||
|
||||
# Permalink settings
|
||||
# permalink_structure=/index.php/%year%/%monthnum%/%day%/%postname%/
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-admin/options-permalink.php" \
|
||||
"id:9002810,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=920230;ARGS:selection,\
|
||||
ctl:ruleRemoveTargetById=920272;ARGS:selection,\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS:selection,\
|
||||
ctl:ruleRemoveTargetById=920230;ARGS:permalink_structure,\
|
||||
ctl:ruleRemoveTargetById=920272;ARGS:permalink_structure,\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS:permalink_structure,\
|
||||
ctl:ruleRemoveTargetById=920272;REQUEST_BODY"
|
||||
|
||||
# Comments blacklist and moderation list
|
||||
SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
|
||||
"id:9002820,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule ARGS:option_page "@streq discussion" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS:option_page "@eq 1" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq update" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS:action "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:blacklist_keys,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:moderation_keys"
|
||||
|
||||
|
||||
#
|
||||
# [ Helpers ]
|
||||
#
|
||||
|
||||
# /wp-admin/load-scripts.php?c=0&load%5B%5D=hoverIntent,common,
|
||||
# admin-bar,wp-ajax-response,jquery-color,wp-lists,quicktags,
|
||||
# jquery-query,admin-comments,svg-painter,heartbeat,&load%5B%5D=
|
||||
# wp-auth-check,wp-a11y,wplink,jquery-ui-core,jquery-ui-widget,
|
||||
# jquery-ui-position,jquery-ui-menu,jquery-ui-autocomplete&ver=4.6.1
|
||||
#
|
||||
# /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,
|
||||
# admin-bar,buttons,media-views,common,forms,admin-menu,dashboard,
|
||||
# list-tables,edit,revisions,media,themes,about,nav-menu&load%5B%5D=
|
||||
# s,widgets,site-icon,l10n,wp-auth-check&ver=4.6.1
|
||||
#
|
||||
# /wp-admin/load-scripts.php?c=0&load%5B%5D=hoverIntent,common,
|
||||
# admin-bar,jquery-ui-widget,jquery-ui-position,wp-pointer,
|
||||
# wp-ajax-response,jquery-color,wp-lists,quicktags,
|
||||
# jqu&load%5B%5D=ery-query,admin-comments,jquery-ui-core,
|
||||
# jquery-ui-mouse,jquery-ui-sortable,postbox,dashboard,underscore,
|
||||
# customize-base,customize&load%5B%5D=-loader,thickbox,plugin-install,
|
||||
# wp-util,wp-a11y,updates,shortcode,media-upload,svg-painter,
|
||||
# jquery-ui-accordion&ver=3f9999390861a0133beda3ee8acf152e
|
||||
SecRule REQUEST_FILENAME "@rx /wp-admin/load-(?:scripts|styles)\.php$" \
|
||||
"id:9002900,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveById=921180,\
|
||||
ctl:ruleRemoveTargetById=920273;ARGS_NAMES:load[],\
|
||||
ctl:ruleRemoveTargetById=942432;ARGS_NAMES:load[],\
|
||||
ctl:ruleRemoveTargetById=942360;ARGS:load[],\
|
||||
ctl:ruleRemoveTargetById=942430;ARGS:load[],\
|
||||
ctl:ruleRemoveTargetById=942431;ARGS:load[],\
|
||||
ctl:ruleRemoveTargetById=942432;ARGS:load[]"
|
||||
|
||||
|
||||
SecMarker "END-WORDPRESS-ADMIN"
|
||||
|
||||
|
||||
SecMarker "END-WORDPRESS"
|
|
@ -0,0 +1,355 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
#
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
# These exclusions remedy false positives in a default NextCloud install.
|
||||
# They will likely work with OwnCloud too, but you may have to modify them.
|
||||
# The exclusions are only active if crs_exclusions_nextcloud=1 is set.
|
||||
# See rule 900130 in crs-setup.conf.example for instructions.
|
||||
#
|
||||
# To relax upload restrictions for only the php files that need it,
|
||||
# you put something like this in crs-setup.conf:
|
||||
#
|
||||
# SecRule REQUEST_FILENAME "@rx /(?:remote.php|index.php)/" \
|
||||
# "id:9003330,\
|
||||
# phase:1,\
|
||||
# t:none,\
|
||||
# nolog,\
|
||||
# pass,\
|
||||
# tx.restricted_extensions='.bak/ .config/ .conf/'"
|
||||
#
|
||||
# Large uploads can be modified with SecRequestBodyLimit. Or they
|
||||
# can be more controlled by using the following:
|
||||
#
|
||||
# SecRule REQUEST_URI "@endsWith /index.php/apps/files/ajax/upload.php" \
|
||||
# "id:9003610,\
|
||||
# phase:1,\
|
||||
# t:none,\
|
||||
# nolog,\
|
||||
# ctl:requestBodyLimit=1073741824"
|
||||
#
|
||||
# ---------------------
|
||||
|
||||
|
||||
SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \
|
||||
"id:9003000,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
skipAfter:END-NEXTCLOUD"
|
||||
|
||||
SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \
|
||||
"id:9003001,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
skipAfter:END-NEXTCLOUD"
|
||||
|
||||
|
||||
#
|
||||
# [ File Manager ]
|
||||
#
|
||||
#
|
||||
# The web interface uploads files, and interacts with the user.
|
||||
|
||||
SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \
|
||||
"id:9003100,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveByTag=attack-injection-php,\
|
||||
ctl:ruleRemoveById=941000-942999,\
|
||||
ctl:ruleRemoveById=951000-951999,\
|
||||
ctl:ruleRemoveById=953100-953130,\
|
||||
ctl:ruleRemoveById=920420,\
|
||||
ctl:ruleRemoveById=920440"
|
||||
|
||||
# Skip PUT parsing for invalid encoding / protocol violations in binary files.
|
||||
|
||||
SecRule REQUEST_METHOD "@streq PUT" \
|
||||
"id:9003105,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveById=920000-920999,\
|
||||
ctl:ruleRemoveById=932000-932999,\
|
||||
ctl:ruleRemoveById=921150,\
|
||||
ctl:ruleRemoveById=930110,\
|
||||
ctl:ruleRemoveById=930120"
|
||||
|
||||
# Allow the data type 'text/vcard'
|
||||
|
||||
SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
|
||||
"id:9003110,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|text/vcard'"
|
||||
|
||||
# Allow the data type 'application/octet-stream'
|
||||
|
||||
SecRule REQUEST_METHOD "@rx ^(?:PUT|MOVE)$" \
|
||||
"id:9003115,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule REQUEST_FILENAME "@rx /remote\.php/dav/(?:files|uploads)/" \
|
||||
"setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|application/octet-stream'"
|
||||
|
||||
# Allow data types like video/mp4
|
||||
|
||||
SecRule REQUEST_METHOD "@streq PUT" \
|
||||
"id:9003116,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule REQUEST_FILENAME "@rx (?:/public\.php/webdav/|/remote\.php/dav/uploads/)" \
|
||||
"ctl:ruleRemoveById=920340,\
|
||||
ctl:ruleRemoveById=920420"
|
||||
|
||||
|
||||
# Allow characters like /../ in files.
|
||||
# Allow all kind of filetypes.
|
||||
# Allow source code.
|
||||
|
||||
SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \
|
||||
"id:9003120,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveById=930100-930110,\
|
||||
ctl:ruleRemoveById=951000-951999,\
|
||||
ctl:ruleRemoveById=953100-953130,\
|
||||
ctl:ruleRemoveById=920440"
|
||||
|
||||
|
||||
# [ Searchengine ]
|
||||
#
|
||||
# NexCloud uses a search field for filename or content queries.
|
||||
|
||||
SecRule REQUEST_FILENAME "@contains /index.php/core/search" \
|
||||
"id:9003125,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=attack-injection-php;ARGS:query,\
|
||||
ctl:ruleRemoveTargetById=941000-942999;ARGS:query,\
|
||||
ctl:ruleRemoveTargetById=932000-932999;ARGS:query"
|
||||
|
||||
|
||||
# [ DAV ]
|
||||
#
|
||||
# NextCloud uses DAV methods with index.php and remote.php to do many things
|
||||
# The default ones in ModSecurity are: GET HEAD POST OPTIONS
|
||||
#
|
||||
# Looking through the code, and via testing, I found these:
|
||||
#
|
||||
# File manager: PUT DELETE MOVE PROPFIND PROPPATCH
|
||||
# Calendars: REPORT
|
||||
# Others in the code or js files: PATCH MKCOL MOVE TRACE
|
||||
# Others that I added just in case, and they seem related:
|
||||
# CHECKOUT COPY LOCK MERGE MKACTIVITY UNLOCK.
|
||||
|
||||
SecRule REQUEST_FILENAME "@rx /(?:remote|index|public)\.php/" \
|
||||
"id:9003130,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT PATCH CHECKOUT COPY DELETE LOCK MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH UNLOCK REPORT TRACE jsonp'"
|
||||
|
||||
|
||||
# We need to allow DAV methods for sharing files, and removing shares
|
||||
# DELETE - when the share is removed
|
||||
# PUT - when setting a password / expiration time
|
||||
|
||||
SecRule REQUEST_FILENAME "@rx /ocs/v[0-9]+\.php/apps/files_sharing/" \
|
||||
"id:9003140,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE'"
|
||||
|
||||
|
||||
# [ Preview and Thumbnails ]
|
||||
|
||||
SecRule REQUEST_FILENAME "@contains /index.php/core/preview.png" \
|
||||
"id:9003150,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=932150;ARGS:file"
|
||||
|
||||
# Filepreview for trashbin
|
||||
|
||||
SecRule REQUEST_FILENAME "@contains /index.php/apps/files_trashbin/ajax/preview.php" \
|
||||
"id:9003155,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=932150;ARGS:file,\
|
||||
ctl:ruleRemoveTargetById=942190;ARGS:file"
|
||||
|
||||
SecRule REQUEST_FILENAME "@rx /index\.php/(?:apps/gallery/thumbnails|logout$)" \
|
||||
"id:9003160,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=941120;ARGS:requesttoken"
|
||||
|
||||
|
||||
# [ Ownnote ]
|
||||
|
||||
SecRule REQUEST_FILENAME "@contains /index.php/apps/ownnote/" \
|
||||
"id:9003300,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveById=941150"
|
||||
|
||||
|
||||
# [ Text Editor ]
|
||||
#
|
||||
# This file can save anything, and it's name could be lots of things.
|
||||
|
||||
SecRule REQUEST_FILENAME "@contains /index.php/apps/files_texteditor/" \
|
||||
"id:9003310,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:filecontents,\
|
||||
ctl:ruleRemoveTargetById=921110-921160;ARGS:filecontents,\
|
||||
ctl:ruleRemoveTargetById=932150;ARGS:filename,\
|
||||
ctl:ruleRemoveTargetById=920370-920390;ARGS:filecontents,\
|
||||
ctl:ruleRemoveTargetById=920370-920390;ARGS_COMBINED_SIZE"
|
||||
|
||||
|
||||
# [ Address Book ]
|
||||
#
|
||||
# Allow the data type 'text/vcard'
|
||||
|
||||
SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \
|
||||
"id:9003320,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|text/vcard'"
|
||||
|
||||
|
||||
# [ Calendar ]
|
||||
#
|
||||
# Allow the data type 'text/calendar'
|
||||
|
||||
SecRule REQUEST_FILENAME "@contains /remote.php/dav/calendars/" \
|
||||
"id:9003330,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|text/calendar'"
|
||||
|
||||
|
||||
# [ Notes ]
|
||||
#
|
||||
# We want to allow a lot of things as the user is
|
||||
# allowed to note on anything.
|
||||
|
||||
SecRule REQUEST_FILENAME "@contains /index.php/apps/notes/" \
|
||||
"id:9003340,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveByTag=attack-injection-php"
|
||||
|
||||
|
||||
# [ Bookmarks ]
|
||||
#
|
||||
# Allow urls in data.
|
||||
|
||||
SecRule REQUEST_FILENAME "@contains /index.php/apps/bookmarks/" \
|
||||
"id:9003350,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveById=931130"
|
||||
|
||||
|
||||
#
|
||||
# [ Login forms ]
|
||||
#
|
||||
|
||||
# This removes checks on the 'password' and related fields:
|
||||
|
||||
# User login password.
|
||||
|
||||
SecRule REQUEST_FILENAME "@contains /index.php/login" \
|
||||
"id:9003400,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetById=941100;ARGS:requesttoken,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:password"
|
||||
|
||||
# Reset password.
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /index.php/login" \
|
||||
"id:9003410,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule ARGS:action "@streq resetpass" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS:action "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"
|
||||
|
||||
# Change Password and Setting up a new user/password
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /index.php/settings/users" \
|
||||
"id:9003500,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:newuserpassword,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:password"
|
||||
|
||||
|
||||
SecMarker "END-NEXTCLOUD-ADMIN"
|
||||
|
||||
SecMarker "END-NEXTCLOUD"
|
|
@ -0,0 +1,261 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
#
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
# These exclusions remedy false positives in a default Dokuwiki install.
|
||||
# The exclusions are only active if crs_exclusions_dokuwiki=1 is set.
|
||||
# See rule 900130 in crs-setup.conf.example for instructions.
|
||||
#
|
||||
# Note, if you want to relax the upload restrictions,
|
||||
# see rule 900240. For Dokuwiki you can limit the exception
|
||||
# to the ajax.php file:
|
||||
#
|
||||
# SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php" ...
|
||||
#
|
||||
|
||||
|
||||
SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \
|
||||
"id:9004000,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
skipAfter:END-DOKUWIKI"
|
||||
|
||||
SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \
|
||||
"id:9004001,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
skipAfter:END-DOKUWIKI"
|
||||
|
||||
|
||||
#
|
||||
# -=[ Dokuwiki Front-End ]=-
|
||||
#
|
||||
# Note on files specified:
|
||||
# /doku.php: shows pages, saves, edits, admin
|
||||
# /lib/exe/ajax.php: autosave, uploads
|
||||
#
|
||||
# Allow pages to be edited, and ajax to save drafts.
|
||||
#
|
||||
# ARGS 'wikitext', 'suffix', and 'prefix' must allow the same things,
|
||||
# as the page (in part or whole) is passed via 'suffix/prefix' at times.
|
||||
# attack-protocol (921110-921160/920230): Allows odd characters on the page.
|
||||
# CRS: (still need attack-protocol specified.)
|
||||
# attack-injection-php (930000-933999): Allows code on page.
|
||||
# attack-sqli (940000-942999): Allows SQL expressions on page.
|
||||
#
|
||||
# Others:
|
||||
# 930100-930110;REQUEST_BODY: if there's a /../ in the text.
|
||||
#
|
||||
# ARGS:summary (the text in the 'summary' box on page edits.):
|
||||
# Allowing 930120-930130 lets user save summaries with
|
||||
# system file names. This should not be needed in normal
|
||||
# use. But leaving a note here of how to allow in rule below:
|
||||
# ctl:ruleRemoveTargetById=930120;ARGS:summary
|
||||
# ctl:ruleRemoveTargetById=930130;ARGS:summary
|
||||
#
|
||||
# Also, can't specify:
|
||||
# SecRule ARGS:do "@streq edit" \
|
||||
# SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php"\
|
||||
# because at times the do=edit can get dropped, so if we use
|
||||
# above the edit will get blocked when the page is saved.
|
||||
|
||||
# Hint: those using .htaccess rewrites can remove/replace
|
||||
# this first 'SecRule...' line with 'SecAction \' (unsupported).
|
||||
|
||||
SecRule REQUEST_FILENAME "@rx (?:/doku.php|/lib/exe/ajax.php)$" \
|
||||
"id:9004100,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain"
|
||||
SecRule REQUEST_METHOD "@streq POST" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:wikitext,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:wikitext,\
|
||||
ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:suffix,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:suffix,\
|
||||
ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:prefix,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:prefix,\
|
||||
ctl:ruleRemoveTargetById=930100-930110;REQUEST_BODY"
|
||||
|
||||
|
||||
# Allow it to upload files. But check for cookies just to make sure.
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php"\
|
||||
"id:9004110,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
chain"
|
||||
SecRule REQUEST_METHOD "@streq POST" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \
|
||||
"t:none,\
|
||||
setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|application/octet-stream'"
|
||||
|
||||
|
||||
# Show the index, even if things like "postgresql" or other things show up.
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /doku.php"\
|
||||
"id:9004130,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
chain"
|
||||
SecRule ARGS:do "@streq index" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS:do "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveById=951240,\
|
||||
ctl:ruleRemoveById=953110"
|
||||
|
||||
|
||||
#
|
||||
# [ Login form ]
|
||||
#
|
||||
|
||||
# Turn off checks for password.
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /doku.php" \
|
||||
"id:9004200,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
chain"
|
||||
SecRule ARGS:do "@streq login" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS:do "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:p"
|
||||
|
||||
|
||||
#
|
||||
# [ Admin Area ]
|
||||
#
|
||||
# Skip this section for performance unless do=admin is in request
|
||||
|
||||
SecRule ARGS:do "!@streq admin" \
|
||||
"id:9004300,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
skipAfter:END-DOKUWIKI-ADMIN"
|
||||
|
||||
SecRule ARGS:do "!@streq admin" \
|
||||
"id:9004310,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
skipAfter:END-DOKUWIKI-ADMIN"
|
||||
|
||||
|
||||
# [ Reset password ]
|
||||
#
|
||||
# Turn off checks for pass1, pass1-text, pass2
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /doku.php" \
|
||||
"id:9004320,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
chain"
|
||||
SecRule ARGS:do "@streq login" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS:do "@eq 1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
|
||||
ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"
|
||||
|
||||
|
||||
# [ Save config ]
|
||||
#
|
||||
# Allow the config to be saved:
|
||||
# 942200: If the user adds "..." to tagline: ARGS:config[tagline]
|
||||
# 942430: if ARGS:config[hidepages] has pages looking like sql statements
|
||||
# 942430,942440: "--- //[[@MAIL@|@NAME@]] @DATE@//"]" in ARGS:config[signature]
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /doku.php" \
|
||||
"id:9004370,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
chain"
|
||||
SecRule ARGS:page "@streq config" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS:page "@eq 1" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule REQUEST_METHOD "@streq POST" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveTargetById=920230;ARGS:config[dformat],\
|
||||
ctl:ruleRemoveTargetById=942200;ARGS:config[tagline],\
|
||||
ctl:ruleRemoveTargetById=942430;ARGS:config[hidepages],\
|
||||
ctl:ruleRemoveTargetById=942430-942440;ARGS:config[signature]"
|
||||
|
||||
|
||||
# When the config loads after a save, it gets blocked because
|
||||
# it has 'readdir' and lines that look like sql
|
||||
# 942430,942440: "--- //[[@MAIL@|@NAME@]] @DATE@//"]" in ARGS:config[signature]
|
||||
# 951240,953110: When the page reloads, it triggers
|
||||
# postgress and php code disclosure rules.
|
||||
|
||||
SecRule REQUEST_FILENAME "@endsWith /doku.php" \
|
||||
"id:9004380,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
chain"
|
||||
SecRule ARGS:page "@streq config" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule &ARGS:page "@eq 1" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveById=951240,\
|
||||
ctl:ruleRemoveById=953110"
|
||||
|
||||
|
||||
# End [ Admin Area ]
|
||||
|
||||
SecMarker "END-DOKUWIKI-ADMIN"
|
||||
|
||||
SecMarker "END-DOKUWIKI"
|
|
@ -0,0 +1,60 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
# These exclusions remedy false positives in a default cPanel environment.
|
||||
# The exclusions are only active if crs_exclusions_cpanel=1 is set.
|
||||
# See rule 900130 in crs-setup.conf.example for instructions.
|
||||
|
||||
|
||||
SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
|
||||
"id:9005000,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
skipAfter:END-CPANEL"
|
||||
|
||||
SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \
|
||||
"id:9005001,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
skipAfter:END-CPANEL"
|
||||
|
||||
|
||||
#
|
||||
# [ cPanel whm-server-status ]
|
||||
#
|
||||
# Cpanel's WHM auto generates requests to /whm-server-status from
|
||||
# 127.0.0.1 (triggers rule 920280, non-blocking, log only) Once every 5 minutes.
|
||||
# These false positives have a low impact (logged, non-blocking) to a large number of users (all cPanel admins).
|
||||
#
|
||||
|
||||
#
|
||||
# Rule to allow cPanel whm-server-status requests from localhost without log entry.
|
||||
#
|
||||
SecRule REQUEST_LINE "@rx ^GET /whm-server-status(?:/|/\?auto)? HTTP/[12]\.[01]$" \
|
||||
"id:9005100,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-apache',\
|
||||
tag:'attack-generic',\
|
||||
chain"
|
||||
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
|
||||
"t:none,\
|
||||
ctl:ruleRemoveById=920280,\
|
||||
ctl:ruleRemoveById=920350"
|
||||
|
||||
|
||||
SecMarker "END-CPANEL"
|
|
@ -0,0 +1,52 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
|
||||
# This file is used as an exception mechanism to remove common false positives
|
||||
# that may be encountered.
|
||||
#
|
||||
# Exception for Apache SSL pinger
|
||||
#
|
||||
SecRule REQUEST_LINE "@streq GET /" \
|
||||
"id:905100,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-apache',\
|
||||
tag:'attack-generic',\
|
||||
chain"
|
||||
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
|
||||
"t:none,\
|
||||
ctl:ruleEngine=Off,\
|
||||
ctl:auditEngine=Off"
|
||||
|
||||
#
|
||||
# Exception for Apache internal dummy connection
|
||||
#
|
||||
SecRule REQUEST_LINE "@rx ^(?:GET /|OPTIONS \*) HTTP/[12]\.[01]$" \
|
||||
"id:905110,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-apache',\
|
||||
tag:'attack-generic',\
|
||||
chain"
|
||||
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
|
||||
"t:none,\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:User-Agent "@rx ^.*\(internal dummy connection\)$" \
|
||||
"t:none,\
|
||||
ctl:ruleEngine=Off,\
|
||||
ctl:auditEngine=Off"
|
|
@ -0,0 +1,311 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
#
|
||||
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
||||
#
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:910011,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:910012,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
||||
#
|
||||
# -=[ IP Reputation Block Flag Check ]=-
|
||||
#
|
||||
# The first check we do is to see if the client IP address has already
|
||||
# been blacklisted by rules from previous requests.
|
||||
#
|
||||
# If the rule matches, it will do a skipAfter and pick up processing
|
||||
# at the end of the request phase for actual blocking.
|
||||
#
|
||||
SecRule TX:DO_REPUT_BLOCK "@eq 1" \
|
||||
"id:910000,\
|
||||
phase:2,\
|
||||
block,\
|
||||
t:none,\
|
||||
msg:'Request from Known Malicious Client (Based on previous traffic violations).',\
|
||||
logdata:'Previous Block Reason: %{ip.reput_block_reason}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-ip',\
|
||||
tag:'IP_REPUTATION/MALICIOUS_CLIENT',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
severity:'CRITICAL',\
|
||||
chain,\
|
||||
skipAfter:BEGIN-REQUEST-BLOCKING-EVAL"
|
||||
SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
|
||||
"setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
|
||||
|
||||
#
|
||||
# -=[ GeoIP Checks ]=-
|
||||
#
|
||||
# This rule requires activating the SecGeoLookupDB directive
|
||||
# in the crs-setup.conf file and specifying
|
||||
# the list of blocked countries (tx.high_risk_country_codes).
|
||||
#
|
||||
# This rule does a GeoIP resolution on the client IP address.
|
||||
#
|
||||
SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
|
||||
"id:910100,\
|
||||
phase:2,\
|
||||
block,\
|
||||
t:none,\
|
||||
msg:'Client IP is from a HIGH Risk Country Location.',\
|
||||
logdata:'%{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-ip',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule TX:REAL_IP "@geoLookup" \
|
||||
"chain"
|
||||
SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" \
|
||||
"setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
setvar:'ip.reput_block_reason=%{rule.msg}',\
|
||||
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
|
||||
|
||||
|
||||
#
|
||||
# -=[ IP Reputation Checks ]=-
|
||||
#
|
||||
# ModSecurity Rules from Trustwave SpiderLabs: IP Blacklist Alert
|
||||
# Ref: http://www.modsecurity.org/projects/commercial/rules/
|
||||
#
|
||||
# This rule checks the client IP address against a list of recent IPs captured
|
||||
# from the SpiderLabs web honeypot systems (last 48 hours).
|
||||
#
|
||||
#SecRule TX:REAL_IP "@ipMatchFromFile ip_blacklist.data" \
|
||||
# "id:910110,\
|
||||
# phase:2,\
|
||||
# block,\
|
||||
# t:none,\
|
||||
# msg:'Client IP in Trustwave SpiderLabs IP Reputation Blacklist.',\
|
||||
# tag:'application-multi',\
|
||||
# tag:'language-multi',\
|
||||
# tag:'platform-multi',\
|
||||
# tag:'attack-reputation-ip',\
|
||||
# severity:'CRITICAL',\
|
||||
# setvar:'tx.msg=%{rule.msg}',\
|
||||
# setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
# setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
|
||||
# setvar:'ip.reput_block_flag=1',\
|
||||
# setvar:'ip.reput_block_reason=%{rule.msg}',\
|
||||
# expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
|
||||
|
||||
|
||||
#
|
||||
# First check if we have already run an @rbl check for this IP by checking in IP collection.
|
||||
# If we have, then skip doing another check.
|
||||
#
|
||||
SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \
|
||||
"id:910120,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-ip',\
|
||||
skipAfter:END-RBL-LOOKUP"
|
||||
|
||||
#
|
||||
# Check Client IP against ProjectHoneypot's HTTP Blacklist
|
||||
# Ref: http://www.projecthoneypot.org/httpbl_api.php
|
||||
#
|
||||
# To use the blacklist, you must register for an HttpBL API Key
|
||||
# and choose the traffic types to block. See section
|
||||
# "Project Honey Pot HTTP Blacklist" in crs-setup.conf.
|
||||
#
|
||||
# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey
|
||||
#
|
||||
|
||||
# Skip HttpBL checks if user has not defined one of the TX:block_* variables.
|
||||
# This prevents error "Operator error: RBL httpBl called but no key defined: set SecHttpBlKey"
|
||||
SecRule &TX:block_suspicious_ip "@eq 0" \
|
||||
"id:910130,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain,\
|
||||
skipAfter:END-RBL-CHECK"
|
||||
SecRule &TX:block_harvester_ip "@eq 0" \
|
||||
"chain"
|
||||
SecRule &TX:block_spammer_ip "@eq 0" \
|
||||
"chain"
|
||||
SecRule &TX:block_search_ip "@eq 0"
|
||||
|
||||
SecRule TX:REAL_IP "@rbl dnsbl.httpbl.org" \
|
||||
"id:910140,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
capture,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-ip',\
|
||||
setvar:'tx.httpbl_msg=%{tx.0}',\
|
||||
chain"
|
||||
SecRule TX:httpbl_msg "@rx RBL lookup of .*?.dnsbl.httpbl.org succeeded at TX:checkip. (.*?): .*" \
|
||||
"capture,\
|
||||
t:none,\
|
||||
setvar:'tx.httpbl_msg=%{tx.1}'"
|
||||
|
||||
# The following regexs are generated based off re_operators.c
|
||||
SecRule TX:block_search_ip "@eq 1" \
|
||||
"id:910150,\
|
||||
phase:2,\
|
||||
block,\
|
||||
t:none,\
|
||||
msg:'HTTP Blacklist match for search engine IP',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-ip',\
|
||||
severity:'CRITICAL',\
|
||||
chain,\
|
||||
skipAfter:END-RBL-CHECK"
|
||||
SecRule TX:httpbl_msg "@rx Search Engine" \
|
||||
"setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
setvar:'ip.reput_block_reason=%{rule.msg}',\
|
||||
setvar:'ip.previous_rbl_check=1',\
|
||||
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\
|
||||
expirevar:'ip.previous_rbl_check=86400'"
|
||||
|
||||
SecRule TX:block_spammer_ip "@eq 1" \
|
||||
"id:910160,\
|
||||
phase:2,\
|
||||
block,\
|
||||
t:none,\
|
||||
msg:'HTTP Blacklist match for spammer IP',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-ip',\
|
||||
severity:'CRITICAL',\
|
||||
chain,\
|
||||
skipAfter:END-RBL-CHECK"
|
||||
SecRule TX:httpbl_msg "@rx (?i)^.*? spammer .*?$" \
|
||||
"setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
setvar:'ip.reput_block_reason=%{rule.msg}',\
|
||||
setvar:'ip.previous_rbl_check=1',\
|
||||
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\
|
||||
expirevar:'ip.previous_rbl_check=86400'"
|
||||
|
||||
SecRule TX:block_suspicious_ip "@eq 1" \
|
||||
"id:910170,\
|
||||
phase:2,\
|
||||
block,\
|
||||
t:none,\
|
||||
msg:'HTTP Blacklist match for suspicious IP',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-ip',\
|
||||
severity:'CRITICAL',\
|
||||
chain,\
|
||||
skipAfter:END-RBL-CHECK"
|
||||
SecRule TX:httpbl_msg "@rx (?i)^.*? suspicious .*?$" \
|
||||
"setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
setvar:'ip.reput_block_reason=%{rule.msg}',\
|
||||
setvar:'ip.previous_rbl_check=1',\
|
||||
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\
|
||||
expirevar:'ip.previous_rbl_check=86400'"
|
||||
|
||||
SecRule TX:block_harvester_ip "@eq 1" \
|
||||
"id:910180,\
|
||||
phase:2,\
|
||||
block,\
|
||||
t:none,\
|
||||
msg:'HTTP Blacklist match for harvester IP',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-ip',\
|
||||
severity:'CRITICAL',\
|
||||
chain,\
|
||||
skipAfter:END-RBL-CHECK"
|
||||
SecRule TX:httpbl_msg "@rx (?i)^.*? harvester .*?$" \
|
||||
"setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
setvar:'ip.reput_block_reason=%{rule.msg}',\
|
||||
setvar:'ip.previous_rbl_check=1',\
|
||||
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\
|
||||
expirevar:'ip.previous_rbl_check=86400'"
|
||||
|
||||
SecAction \
|
||||
"id:910190,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-ip',\
|
||||
setvar:'ip.previous_rbl_check=1',\
|
||||
expirevar:'ip.previous_rbl_check=86400'"
|
||||
|
||||
SecMarker "END-RBL-LOOKUP"
|
||||
|
||||
SecMarker "END-RBL-CHECK"
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:910013,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:910014,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:910015,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:910016,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:910017,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:910018,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
#
|
||||
# -= Paranoia Levels Finished =-
|
||||
#
|
||||
SecMarker "END-REQUEST-910-IP-REPUTATION"
|
|
@ -0,0 +1,78 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
#
|
||||
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
||||
#
|
||||
# -=[ Allowed Request Methods ]=-
|
||||
#
|
||||
# tx.allowed_methods is defined in the crs-setup.conf file
|
||||
#
|
||||
SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
|
||||
"id:911100,\
|
||||
phase:2,\
|
||||
block,\
|
||||
msg:'Method is not allowed by policy',\
|
||||
logdata:'%{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-generic',\
|
||||
tag:'OWASP_CRS/POLICY/METHOD_NOT_ALLOWED',\
|
||||
tag:'WASCTC/WASC-15',\
|
||||
tag:'OWASP_TOP_10/A6',\
|
||||
tag:'OWASP_AppSensor/RE1',\
|
||||
tag:'PCI/12.1',\
|
||||
severity:'CRITICAL',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
#
|
||||
# -= Paranoia Levels Finished =-
|
||||
#
|
||||
SecMarker "END-REQUEST-911-METHOD-ENFORCEMENT"
|
|
@ -0,0 +1,297 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
#
|
||||
# Anti-Automation rules to detect Denial of Service attacks.
|
||||
#
|
||||
# Description of mechanics:
|
||||
# When a request hits a non-static resource (TX:STATIC_EXTENSIONS), then a counter for the IP
|
||||
# address is being raised (IP:DOS_COUNTER). If the counter (IP:DOS_COUNTER) hits a limit
|
||||
# (TX:DOS_COUNTER_THRESHOLD), then a burst is identified (IP:DOS_BURST_COUNTER) and the
|
||||
# counter (IP:DOS_COUNTER) is reset. The burst counter expires within a timeout period
|
||||
# (TX:DOS_BURST_TIME_SLICE).
|
||||
# If the burst counter (IP:DOS_BURST_COUNTER) is greater equal 2, then the blocking flag
|
||||
# is being set (IP:DOS_BLOCK). The blocking flag (IP:DOS_BLOCK) expires within a timeout
|
||||
# period (TX:DOS_BLOCK_TIMEOUT). All this counting happens in phase 5.
|
||||
# There is a stricter sibling to this rule (912170) in paranoia level 2, where the
|
||||
# burst counter check (IP:DOS_BURST_COUNTER) hits at greater equal 1.
|
||||
#
|
||||
# The blocking is done in phase 1: When the blocking flag is encountered (IP:DOS_BLOCK),
|
||||
# then the request is dropped without sending a response. If this happens, then a
|
||||
# counter is # raised (IP:DOS_BLOCK_COUNTER).
|
||||
# When an IP address is blocked for the first time, then the blocking is reported in a
|
||||
# message and a flag (IP:DOS_BLOCK_FLAG) is set. This flag expires in 60 seconds.
|
||||
# When an IP address is blocked and the flag (IP:DOS_BLOCK_FLAG) is set, then the
|
||||
# blocking is not being reported (to prevent a flood of alerts). When the flag
|
||||
# (IP:DOS_BLOCK_FLAG) has expired and a new request is being blocked, then the
|
||||
# counter (IP:DOS_BLOCK_COUNTER) is being reset to 0 and the block is being treated
|
||||
# as the first block (-> alert).
|
||||
# In order to be able to display the counter (IP:DOS_BLOCK_COUNTER) and resetting
|
||||
# it at the same time, we copy the counter (IP:DOS_BLOCK_COUNTER) into a different
|
||||
# variable (TX:DOS_BLOCK_COUNTER), which is then displayed in turn.
|
||||
#
|
||||
# Variables:
|
||||
# IP:DOS_BLOCK Flag if an IP address should be blocked
|
||||
# IP:DOS_BLOCK_COUNTER Counter of blocked requests
|
||||
# IP:DOS_BLOCK_FLAG Flag keeping track of alert. Flag expires after 60 seconds.
|
||||
# IP:DOS_BURST_COUNTER Burst counter
|
||||
# IP:DOS_COUNTER Request counter (static resources are ignored)
|
||||
# TX:DOS_BLOCK_COUNTER Copy of IP:DOS_BLOCK_COUNTER (needed for display reasons)
|
||||
# TX:DOS_BLOCK_TIMEOUT Period in seconds a blocked IP will be blocked
|
||||
# TX:DOS_COUNTER_THRESHOLD Limit of requests, where a burst is identified
|
||||
# TX:DOS_BURST_TIME_SLICE Period in seconds when we will forget a burst
|
||||
# TX:STATIC_EXTENSIONS Paths which can be ignored with regards to DoS
|
||||
#
|
||||
# As a precondition for these rules, please set the following three variables:
|
||||
# - TX:DOS_BLOCK_TIMEOUT
|
||||
# - TX:DOS_COUNTER_THRESHOLD
|
||||
# - TX:DOS_BURST_TIME_SLICE
|
||||
#
|
||||
# And make sure that TX:STATIC_EXTENSIONS is also set.
|
||||
#
|
||||
|
||||
#
|
||||
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
||||
#
|
||||
|
||||
#
|
||||
# Skip if variables defining DoS protection are not set
|
||||
#
|
||||
SecRule &TX:dos_burst_time_slice "@eq 0" \
|
||||
"id:912100,\
|
||||
phase:1,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain,\
|
||||
skipAfter:END-DOS-PROTECTION-CHECKS"
|
||||
SecRule &TX:dos_counter_threshold "@eq 0" \
|
||||
"chain"
|
||||
SecRule &TX:dos_block_timeout "@eq 0"
|
||||
|
||||
SecRule &TX:dos_burst_time_slice "@eq 0" \
|
||||
"id:912110,\
|
||||
phase:5,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
chain,\
|
||||
skipAfter:END-DOS-PROTECTION-CHECKS"
|
||||
SecRule &TX:dos_counter_threshold "@eq 0" \
|
||||
"chain"
|
||||
SecRule &TX:dos_block_timeout "@eq 0"
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:912011,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:912012,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
||||
#
|
||||
# -=[ Anti-Automation / DoS Protection : Block ]=-
|
||||
#
|
||||
|
||||
#
|
||||
# Block and track # of requests and log
|
||||
#
|
||||
SecRule IP:DOS_BLOCK "@eq 1" \
|
||||
"id:912120,\
|
||||
phase:1,\
|
||||
drop,\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-dos',\
|
||||
msg:'Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)',\
|
||||
chain"
|
||||
SecRule &IP:DOS_BLOCK_FLAG "@eq 0" \
|
||||
"setvar:'ip.dos_block_counter=+1',\
|
||||
setvar:'ip.dos_block_flag=1',\
|
||||
setvar:'tx.dos_block_counter=%{ip.dos_block_counter}',\
|
||||
setvar:'ip.dos_block_counter=0',\
|
||||
expirevar:'ip.dos_block_flag=60'"
|
||||
|
||||
|
||||
#
|
||||
# Block and track # of requests but don't log
|
||||
#
|
||||
SecRule IP:DOS_BLOCK "@eq 1" \
|
||||
"id:912130,\
|
||||
phase:1,\
|
||||
drop,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-dos',\
|
||||
setvar:'ip.dos_block_counter=+1'"
|
||||
|
||||
|
||||
#
|
||||
# -=[ Anti-Automation / DoS Protection: Count requests ]=-
|
||||
#
|
||||
|
||||
#
|
||||
# Skip if we have blocked the request
|
||||
#
|
||||
SecRule IP:DOS_BLOCK "@eq 1" \
|
||||
"id:912140,\
|
||||
phase:5,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-dos',\
|
||||
skipAfter:END-DOS-PROTECTION-CHECKS"
|
||||
|
||||
|
||||
#
|
||||
# DOS Counter: Count the number of requests to non-static resources
|
||||
#
|
||||
SecRule REQUEST_BASENAME "@rx .*?(\.[a-z0-9]{1,10})?$" \
|
||||
"id:912150,\
|
||||
phase:5,\
|
||||
pass,\
|
||||
capture,\
|
||||
t:none,t:lowercase,\
|
||||
nolog,\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-dos',\
|
||||
setvar:'tx.extension=/%{TX.1}/',\
|
||||
chain"
|
||||
SecRule TX:EXTENSION "!@within %{tx.static_extensions}" \
|
||||
"setvar:'ip.dos_counter=+1'"
|
||||
|
||||
|
||||
#
|
||||
# Check DOS Counter
|
||||
# If the request count is greater than or equal to user settings,
|
||||
# we raise the burst counter. This happens via two separate rules:
|
||||
# - 912160: raise from 0 to 1
|
||||
# - 912161: raise from 1 to 2
|
||||
#
|
||||
# This approach with two rules avoids raising the burst counter
|
||||
# from 0 to 2 via two concurrent requests. We do not raise the
|
||||
# burst counter beyond 2.
|
||||
#
|
||||
#
|
||||
SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
|
||||
"id:912160,\
|
||||
phase:5,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-dos',\
|
||||
chain"
|
||||
SecRule &IP:DOS_BURST_COUNTER "@eq 0" \
|
||||
"setvar:'ip.dos_burst_counter=1',\
|
||||
setvar:'!ip.dos_counter',\
|
||||
expirevar:'ip.dos_burst_counter=%{tx.dos_burst_time_slice}'"
|
||||
|
||||
|
||||
SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \
|
||||
"id:912161,\
|
||||
phase:5,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-dos',\
|
||||
chain"
|
||||
SecRule &IP:DOS_BURST_COUNTER "@ge 1" \
|
||||
"setvar:'ip.dos_burst_counter=2',\
|
||||
setvar:'!ip.dos_counter',\
|
||||
expirevar:'ip.dos_burst_counter=%{tx.dos_burst_time_slice}'"
|
||||
|
||||
|
||||
#
|
||||
# Check DOS Burst Counter and set Block
|
||||
# Check the burst counter - if greater than or equal to 2, then we set the IP
|
||||
# block variable for a given expiry and issue an alert.
|
||||
#
|
||||
SecRule IP:DOS_BURST_COUNTER "@ge 2" \
|
||||
"id:912170,\
|
||||
phase:5,\
|
||||
pass,\
|
||||
t:none,\
|
||||
log,\
|
||||
msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-dos',\
|
||||
setvar:'ip.dos_block=1',\
|
||||
expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:912013,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:912014,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:912019,phase:5,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
#
|
||||
# Check DOS Burst Counter and set Block
|
||||
# Check the burst counter - if greater than or equal to 1, then we set the IP
|
||||
# block variable for a given expiry and issue an alert.
|
||||
#
|
||||
# This is a stricter sibling of rule 912170.
|
||||
#
|
||||
SecRule IP:DOS_BURST_COUNTER "@ge 1" \
|
||||
"id:912171,\
|
||||
phase:5,\
|
||||
pass,\
|
||||
t:none,\
|
||||
log,\
|
||||
msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-dos',\
|
||||
tag:'paranoia-level/2',\
|
||||
setvar:'ip.dos_block=1',\
|
||||
expirevar:'ip.dos_block=%{tx.dos_block_timeout}'"
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:912015,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:912016,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:912017,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:912018,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
#
|
||||
# -= Paranoia Levels Finished =-
|
||||
#
|
||||
SecMarker "END-REQUEST-912-DOS-PROTECTION"
|
||||
|
||||
SecMarker "END-DOS-PROTECTION-CHECKS"
|
|
@ -0,0 +1,210 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
#
|
||||
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
||||
#
|
||||
# -=[ Vulnerability Scanner Checks ]=-
|
||||
#
|
||||
# These rules inspect the default User-Agent and Header values sent by
|
||||
# various commercial and open source vuln scanners.
|
||||
#
|
||||
# The following rules contain User-Agent lists:
|
||||
# 913100 - security scanners (data file scanners-user-agents.data)
|
||||
# 913101 - scripting/generic HTTP clients (data file scripting-user-agents.data)
|
||||
# 913102 - web crawlers/bots (data file crawlers-user-agents.data)
|
||||
#
|
||||
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
|
||||
"id:913100,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:lowercase,\
|
||||
msg:'Found User-Agent associated with security scanner',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-scanner',\
|
||||
tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
|
||||
tag:'WASCTC/WASC-21',\
|
||||
tag:'OWASP_TOP_10/A7',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
setvar:'ip.reput_block_reason=%{rule.msg}',\
|
||||
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
|
||||
|
||||
SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmf scanners-headers.data" \
|
||||
"id:913110,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:lowercase,\
|
||||
msg:'Found request header associated with security scanner',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-scanner',\
|
||||
tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
|
||||
tag:'WASCTC/WASC-21',\
|
||||
tag:'OWASP_TOP_10/A7',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
setvar:'ip.reput_block_reason=%{rule.msg}',\
|
||||
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
|
||||
|
||||
|
||||
|
||||
SecRule REQUEST_FILENAME|ARGS "@pmf scanners-urls.data" \
|
||||
"id:913120,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:lowercase,\
|
||||
msg:'Found request filename/argument associated with security scanner',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-scanner',\
|
||||
tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
|
||||
tag:'WASCTC/WASC-21',\
|
||||
tag:'OWASP_TOP_10/A7',\
|
||||
tag:'PCI/6.5.10',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
setvar:'ip.reput_block_reason=%{rule.msg}',\
|
||||
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
|
||||
#
|
||||
# -=[ Scripting/Generic User-Agents ]=-
|
||||
#
|
||||
# This rule detects user-agents associated with various HTTP client libraries
|
||||
# and scripting languages. Detection suggests attempted access by some
|
||||
# automated tool.
|
||||
#
|
||||
# This rule is a sibling of rule 913100.
|
||||
#
|
||||
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
|
||||
"id:913101,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:lowercase,\
|
||||
msg:'Found User-Agent associated with scripting/generic HTTP client',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-scripting',\
|
||||
tag:'OWASP_CRS/AUTOMATION/SCRIPTING',\
|
||||
tag:'WASCTC/WASC-21',\
|
||||
tag:'OWASP_TOP_10/A7',\
|
||||
tag:'PCI/6.5.10',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SCRIPTING-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
setvar:'ip.reput_block_reason=%{rule.msg}',\
|
||||
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
|
||||
|
||||
|
||||
|
||||
#
|
||||
# -=[ Crawler User-Agents ]=-
|
||||
#
|
||||
# This rule detects user-agents associated with various crawlers, SEO tools,
|
||||
# and bots, which have been reported to potentially misbehave.
|
||||
# These crawlers can have legitimate uses when used with authorization.
|
||||
#
|
||||
# This rule is a sibling of rule 913100.
|
||||
#
|
||||
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \
|
||||
"id:913102,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:lowercase,\
|
||||
msg:'Found User-Agent associated with web crawler/bot',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-crawler',\
|
||||
tag:'OWASP_CRS/AUTOMATION/CRAWLER',\
|
||||
tag:'WASCTC/WASC-21',\
|
||||
tag:'OWASP_TOP_10/A7',\
|
||||
tag:'PCI/6.5.10',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/CRAWLER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
|
||||
setvar:'ip.reput_block_flag=1',\
|
||||
setvar:'ip.reput_block_reason=%{rule.msg}',\
|
||||
expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
#
|
||||
# -= Paranoia Levels Finished =-
|
||||
#
|
||||
SecMarker "END-REQUEST-913-SCANNER-DETECTION"
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,297 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
#
|
||||
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
||||
#
|
||||
# -=[ HTTP Request Smuggling ]=-
|
||||
#
|
||||
# [ Rule Logic ]
|
||||
# This rule looks for a CR/LF character in combination with a HTTP / WEBDAV method name.
|
||||
# This would point to an attempt to inject a 2nd request into the request, thus bypassing
|
||||
# tests carried out on the primary request.
|
||||
#
|
||||
# [ References ]
|
||||
# http://projects.webappsec.org/HTTP-Request-Smuggling
|
||||
#
|
||||
SecRule ARGS_NAMES|ARGS|XML:/* "@rx [\n\r]+(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+[^\s]+(?:\s+http|[\r\n])" \
|
||||
"id:921110,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
|
||||
msg:'HTTP Request Smuggling Attack',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-protocol',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/REQUEST-SMUGGLING-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
#
|
||||
# -=[ HTTP Response Splitting ]=-
|
||||
#
|
||||
# [ Rule Logic ]
|
||||
# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters.
|
||||
# These characters may cause problems if the data is returned in a respones header and
|
||||
# may be interpreted by an intermediary proxy server and treated as two separate
|
||||
# responses.
|
||||
#
|
||||
# [ References ]
|
||||
# http://projects.webappsec.org/HTTP-Response-Splitting
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\r\n]\W*?(?:content-(?:type|length)|set-cookie|location):" \
|
||||
"id:921120,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:urlDecodeUni,t:lowercase,\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
msg:'HTTP Response Splitting Attack',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-protocol',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
|
||||
"id:921130,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
msg:'HTTP Response Splitting Attack',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-protocol',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
#
|
||||
# -=[ HTTP Header Injection ]=-
|
||||
#
|
||||
# [ Rule Logic ]
|
||||
# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters,
|
||||
# on their own or in combination with header field names.
|
||||
# These characters may cause problems if the data is returned in a respones header
|
||||
# and interpreted by the client.
|
||||
# The rules are similar to rules defending against the HTTP Request Splitting and
|
||||
# Request Smuggling rules.
|
||||
#
|
||||
# [ References ]
|
||||
# https://en.wikipedia.org/wiki/HTTP_header_injection
|
||||
#
|
||||
SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
|
||||
"id:921140,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:htmlEntityDecode,t:lowercase,\
|
||||
msg:'HTTP Header Injection Attack via headers',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-protocol',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
# Detect newlines in argument names.
|
||||
# Checking for GET arguments has been moved to paranoia level 2 (921151)
|
||||
# in order to mitigate possible false positives.
|
||||
#
|
||||
SecRule ARGS_NAMES "@rx [\n\r]" \
|
||||
"id:921150,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:urlDecodeUni,t:htmlEntityDecode,\
|
||||
msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-protocol',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
SecRule ARGS_GET_NAMES|ARGS_GET "@rx (?:\n|\r)+(?:\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" \
|
||||
"id:921160,\
|
||||
phase:1,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
|
||||
msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-protocol',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
|
||||
# Detect newlines in GET argument values.
|
||||
# These may point to a HTTP header injection attack, but can also sometimes
|
||||
# occur in benign query parameters.
|
||||
#
|
||||
# See also: rule 921140, 921150
|
||||
#
|
||||
SecRule ARGS_GET "@rx [\n\r]" \
|
||||
"id:921151,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:urlDecodeUni,t:htmlEntityDecode,\
|
||||
msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-protocol',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
#
|
||||
|
||||
# -=[ HTTP Parameter Polution ]=-
|
||||
#
|
||||
# [ Rule Logic ]
|
||||
# These rules look for multiple parameters with the same name.
|
||||
# 921170 counts the occurrences of the individual parameters.
|
||||
# 921180 checks if any counter is > 1.
|
||||
#
|
||||
# One HPP attack vector is to try evade signature filters by distributing the
|
||||
# attack payload across multiple parameters with the same name.
|
||||
# This works as many security devices only apply signatures to individual
|
||||
# parameter payloads, however the back-end web application may (in the case
|
||||
# of ASP.NET) consolidate all of the payloads into one thus making the
|
||||
# attack payload active.
|
||||
#
|
||||
# [ References ]
|
||||
# http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html
|
||||
# https://capec.mitre.org/data/definitions/460.html
|
||||
#
|
||||
SecRule ARGS_NAMES "@rx ." \
|
||||
"id:921170,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
nolog,\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-protocol',\
|
||||
tag:'paranoia-level/3',\
|
||||
tag:'CAPEC-460',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
|
||||
|
||||
SecRule TX:/paramcounter_.*/ "@gt 1" \
|
||||
"id:921180,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
msg:'HTTP Parameter Pollution (%{TX.1})',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-protocol',\
|
||||
tag:'paranoia-level/3',\
|
||||
tag:'CAPEC-460',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HTTP_PARAMETER_POLLUTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
#
|
||||
# -= Paranoia Levels Finished =-
|
||||
#
|
||||
SecMarker "END-REQUEST-921-PROTOCOL-ATTACK"
|
|
@ -0,0 +1,159 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
#
|
||||
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
||||
#
|
||||
# -=[ Directory Traversal Attacks ]=-
|
||||
#
|
||||
# Ref: https://github.com/wireghoul/dotdotpwn
|
||||
#
|
||||
# [ Encoded /../ Payloads ]
|
||||
#
|
||||
SecRule REQUEST_URI_RAW|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@rx (?i)(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\.))|\.(?:%0[01]|\?)?|\?\.?|0x2e){2}(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))" \
|
||||
"id:930100,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'Path Traversal Attack (/../)',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-lfi',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
|
||||
#
|
||||
# [ Decoded /../ Payloads ]
|
||||
#
|
||||
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@pm ..\ ../" \
|
||||
"id:930110,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\
|
||||
msg:'Path Traversal Attack (/../)',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-lfi',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
multiMatch,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
|
||||
#
|
||||
# -=[ OS File Access ]=-
|
||||
#
|
||||
# Ref: https://github.com/lightos/Panoptic/blob/master/cases.xml
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf lfi-os-files.data" \
|
||||
"id:930120,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
|
||||
msg:'OS File Access Attempt',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-lfi',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\
|
||||
tag:'WASCTC/WASC-33',\
|
||||
tag:'OWASP_TOP_10/A4',\
|
||||
tag:'PCI/6.5.4',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
#
|
||||
# -=[ Restricted File Access ]=-
|
||||
#
|
||||
# Detects attempts to retrieve application source code, metadata,
|
||||
# credentials and version control history possibly reachable in a web root.
|
||||
#
|
||||
SecRule REQUEST_FILENAME "@pmf restricted-files.data" \
|
||||
"id:930130,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
msg:'Restricted File Access Attempt',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-lfi',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\
|
||||
tag:'WASCTC/WASC-33',\
|
||||
tag:'OWASP_TOP_10/A4',\
|
||||
tag:'PCI/6.5.4',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
#
|
||||
# -= Paranoia Levels Finished =-
|
||||
#
|
||||
SecMarker "END-REQUEST-930-APPLICATION-ATTACK-LFI"
|
|
@ -0,0 +1,153 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
#
|
||||
# RFI Attacks
|
||||
#
|
||||
|
||||
#
|
||||
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
||||
# -=[ Rule Logic ]=-
|
||||
# These rules look for common types of Remote File Inclusion (RFI) attack methods.
|
||||
# - URL Contains an IP Address
|
||||
# - The PHP "include()" Function
|
||||
# - RFI Data Ends with Question Mark(s) (?)
|
||||
# - RFI Host Doesn't Match Local Host
|
||||
#
|
||||
# -=[ References ]=-
|
||||
# http://projects.webappsec.org/Remote-File-Inclusion
|
||||
# http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
|
||||
#
|
||||
SecRule ARGS "@rx ^(?i:file|ftps?|https?):\/\/(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \
|
||||
"id:931100,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rfi',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/RFI',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(?:file|ftps?|https?):\/\/" \
|
||||
"id:931110,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:urlDecodeUni,\
|
||||
msg:'Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rfi',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/RFI',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
|
||||
"id:931120,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rfi',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/RFI',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
SecRule ARGS "@rx ^(?i:file|ftps?|https?)://(.*)$" \
|
||||
"id:931130,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rfi',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/RFI',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=%{tx.1}',\
|
||||
chain"
|
||||
SecRule TX:/rfi_parameter_.*/ "!@beginsWith %{request_headers.host}" \
|
||||
"setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{MATCHED_VAR_NAME}=%{tx.1}'"
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
#
|
||||
# -= Paranoia Levels Finished =-
|
||||
#
|
||||
SecMarker "END-REQUEST-931-APPLICATION-ATTACK-RFI"
|
File diff suppressed because one or more lines are too long
|
@ -0,0 +1,671 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
#
|
||||
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
||||
#
|
||||
# -=[ PHP Injection Attacks ]=-
|
||||
#
|
||||
# [ References ]
|
||||
# http://rips-scanner.sourceforge.net/
|
||||
# https://www.owasp.org/index.php/PHP_Top_5#P1:_Remote_Code_Executionh
|
||||
#
|
||||
|
||||
#
|
||||
# [ PHP Open Tag Found ]
|
||||
#
|
||||
# Detects PHP open tags "<?" and "<?php".
|
||||
# http://www.php.net/manual/en/language.basic-syntax.phptags.php
|
||||
#
|
||||
# Care is taken to avoid false positives in XML declarations "<?xml..."
|
||||
#
|
||||
# Also detects "[php]", "[/php]" and "[\php]" tags used by some applications
|
||||
# to indicate PHP dynamic content.
|
||||
#
|
||||
# Previously, this rule also checked for the PHP close tag '?>', but
|
||||
# this resulted in false positives which were difficult to prevent.
|
||||
# Therefore, that pattern is now checked by rule 933190 in paranoia levels
|
||||
# 3 or higher.
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:<\?(?!xml\s)|<\?php|\[(?:/|\\\\)?php\])" \
|
||||
"id:933100,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:urlDecodeUni,t:lowercase,\
|
||||
msg:'PHP Injection Attack: PHP Open Tag Found',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
#
|
||||
# [ PHP Script Uploads ]
|
||||
#
|
||||
# Block file uploads with filenames ending in PHP related extensions
|
||||
# (.php, .phps, .phtml, .php5 etc).
|
||||
#
|
||||
# Many application contain Unrestricted File Upload vulnerabilities.
|
||||
# https://www.owasp.org/index.php/Unrestricted_File_Upload
|
||||
#
|
||||
# Attackers may use such a vulnerability to achieve remote code execution
|
||||
# by uploading a .php file. If the upload storage location is predictable
|
||||
# and not adequately protected, the attacker may then request the uploaded
|
||||
# .php file and have the code within it executed on the server.
|
||||
#
|
||||
# Also block files with just dot (.) characters after the extension:
|
||||
# https://community.rapid7.com/community/metasploit/blog/2013/08/15/time-to-patch-joomla
|
||||
#
|
||||
# Some AJAX uploaders use the nonstandard request headers X-Filename,
|
||||
# X_Filename, or X-File-Name to transmit the file name to the server;
|
||||
# scan these request headers as well as multipart/form-data file names.
|
||||
#
|
||||
SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\.*$" \
|
||||
"id:933110,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:lowercase,\
|
||||
msg:'PHP Injection Attack: PHP Script File Upload Found',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
#
|
||||
# [ PHP Configuration Directives ]
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-config-directives.data" \
|
||||
"id:933120,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,\
|
||||
msg:'PHP Injection Attack: Configuration Directive Found',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule MATCHED_VARS "@pm =" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
#
|
||||
# [ PHP Variables ]
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-variables.data" \
|
||||
"id:933130,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:normalisePath,t:urlDecodeUni,t:lowercase,\
|
||||
msg:'PHP Injection Attack: Variables Found',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
#
|
||||
# [ PHP I/O Streams ]
|
||||
#
|
||||
# The "php://" syntax can be used to refer to various objects, such as local files (for LFI),
|
||||
# remote urls (for RFI), or standard input/request body. Its occurrence indicates a possible attempt
|
||||
# to either inject PHP code or exploit a file inclusion vulnerability in a PHP web app.
|
||||
#
|
||||
# Examples:
|
||||
# php://filter/resource=./../../../wp-config.php
|
||||
# php://filter/resource=http://www.example.com
|
||||
# php://stdin
|
||||
# php://input
|
||||
#
|
||||
# http://php.net/manual/en/wrappers.php.php
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" \
|
||||
"id:933140,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'PHP Injection Attack: I/O Stream Found',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
#
|
||||
# [ PHP Functions ]
|
||||
#
|
||||
# Detecting PHP function names is useful to block PHP code injection attacks.
|
||||
# There are many PHP functions. We have to strike a balance between robust detection
|
||||
# of PHP code in content, and the risk of false positives.
|
||||
#
|
||||
# The list of PHP functions is divided into four groups of varying attack/false positive risk.
|
||||
# Four separate rules are used to detect these groups of functions:
|
||||
#
|
||||
# - Rule 933150: ~40 words highly common to PHP injection payloads and extremely rare in
|
||||
# natural language or other contexts.
|
||||
# Examples: 'base64_decode', 'file_get_contents'.
|
||||
# These words are detected as a match directly using @pmf.
|
||||
# Function names are defined in php-function-names-933150.data
|
||||
#
|
||||
# - Rule 933160: ~220 words which are common in PHP code, but have a higher chance to cause
|
||||
# false positives in natural language or other contexts.
|
||||
# Examples: 'chr', 'eval'.
|
||||
# To mitigate false positives, a regexp looks for PHP function syntax, e.g. 'eval()'.
|
||||
# Regexp is generated from function names in util/regexp-assemble/regexp-933160.data
|
||||
#
|
||||
# - Rule 933151: ~1300 words of lesser importance. This includes most PHP functions and keywords.
|
||||
# Examples: 'addslashes', 'array_diff'.
|
||||
# For performance reasons, the @pmf operator is used, and many functions from lesser
|
||||
# used PHP extensions are removed.
|
||||
# To mitigate false positives, we only match when the '(' character is also found.
|
||||
# This rule only runs in paranoia level 2 or higher.
|
||||
# Function names are defined in php-function-names-933151.data
|
||||
#
|
||||
# - Rule 933161: ~200 words with short or trivial names, possibly leading to false positives.
|
||||
# Examples: 'abs', 'cos'.
|
||||
# To mitigate false positives, a regexp matches on function syntax, e.g. 'abs()'.
|
||||
# This rule only runs in paranoia level 3 or higher.
|
||||
# Regexp is generated from function names in util/regexp-assemble/regexp-933161.data
|
||||
#
|
||||
|
||||
|
||||
#
|
||||
# [ PHP Functions: High-Risk PHP Function Names ]
|
||||
#
|
||||
# Rule 933150 contains a small list of function names which are highly indicative of a PHP
|
||||
# injection attack, for example 'base64_decode'.
|
||||
# We block these function names outright, without using a complex regexp or chain.
|
||||
# This could make the detection a bit more robust against possible bypasses.
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmf php-function-names-933150.data" \
|
||||
"id:933150,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:lowercase,\
|
||||
msg:'PHP Injection Attack: High-Risk PHP Function Name Found',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
#
|
||||
# [ PHP Functions: High-Risk PHP Function Calls ]
|
||||
#
|
||||
# Some PHP function names have a certain risk of false positives, due to short
|
||||
# names, full or partial overlap with common natural language terms, uses in
|
||||
# other contexts, et cetera. Some examples are 'eval', 'exec', 'system'.
|
||||
#
|
||||
# For these function names, we apply a regexp to look for PHP function syntax.
|
||||
# The regexp looks for a word boundary and adjoining parentheses.
|
||||
# For instance, we want to block 'eval()', but we want to allow 'medieval()'.
|
||||
#
|
||||
# We have to be careful of possible bypasses using comment syntax. Examples:
|
||||
#
|
||||
# system(...)
|
||||
# system (...)
|
||||
# system\t(...)
|
||||
# system /*comment*/ (...)
|
||||
# system /*multiline \n comment*/ (...)
|
||||
# system //comment \n (...)
|
||||
# system #comment \n (...)
|
||||
#
|
||||
# Regexp generated from util/regexp-assemble/regexp-933160.data using Regexp::Assemble.
|
||||
# See http://blog.modsecurity.org/2007/06/optimizing-regu.html for usage.
|
||||
# Note that after assemble, PHP function syntax pre/postfix is added to the Regexp::Assemble
|
||||
# output. Example: "@rx (?i)\bASSEMBLE_OUTPUT_HERE(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)"
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|b(?:(?:son_(?:de|en)|ase64_en)code|zopen)|var_dump)(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" \
|
||||
"id:933160,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'PHP Injection Attack: High-Risk PHP Function Call Found',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
#
|
||||
# [ PHP Object Injection ]
|
||||
#
|
||||
# PHP Object Injection is an application level vulnerability that could allow
|
||||
# an attacker to perform different kinds of malicious attacks, such as
|
||||
# Code Injection, SQL Injection, Path Traversal and Application Denial of Service,
|
||||
# depending on the context.
|
||||
#
|
||||
# The vulnerability occurs when user-supplied input is not properly sanitized
|
||||
# before being passed to the unserialize() PHP function. Since PHP allows object
|
||||
# serialization, attackers could pass ad-hoc serialized strings to a vulnerable
|
||||
# unserialize() call, resulting in an arbitrary PHP object(s) injection into the
|
||||
# application scope.
|
||||
#
|
||||
# https://www.owasp.org/index.php/PHP_Object_Injection
|
||||
#
|
||||
# In serialized form, PHP objects have the following format:
|
||||
#
|
||||
# O:8:"stdClass":1:{s:1:"a";i:2;}
|
||||
# O:3:"Foo":0:{}
|
||||
#
|
||||
# Also detected are PHP objects with a custom unserializer:
|
||||
# http://www.phpinternalsbook.com/classes_objects/serialization.html
|
||||
# These have the following format:
|
||||
#
|
||||
# C:11:"ArrayObject":37:{x:i:0;a:1:{s:1:"a";s:1:"b";};m:a:0:{}}
|
||||
# C:3:"Foo":23:{s:15:"My private data";}
|
||||
#
|
||||
# HTTP headers are inspected, since PHP object injection vulnerabilities have been
|
||||
# found in applications parsing them:
|
||||
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8562 (User-Agent header)
|
||||
# https://www.exploit-db.com/exploits/39033/ (X-Forwarded-For header)
|
||||
# http://karmainsecurity.com/KIS-2015-10 (Host header)
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/* "@rx [oOcC]:\d+:\".+?\":\d+:{.*}" \
|
||||
"id:933170,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'PHP Injection Attack: Serialized Object Injection',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
|
||||
#
|
||||
# [ PHP Functions: Variable Function Calls ]
|
||||
#
|
||||
# PHP 'variable functions' provide an alternate syntax for calling PHP functions.
|
||||
# http://php.net/manual/en/functions.variable-functions.php
|
||||
#
|
||||
# An attacker may use variable function syntax to evade detection of function
|
||||
# names during exploitation of a remote code execution vulnerability.
|
||||
# An example to use the 'file_get_contents' function while evading rule 933150:
|
||||
#
|
||||
# $fn = 'file_' . 'get_' . 'contents';
|
||||
# echo $fn('wp-co' . 'nfig.php');
|
||||
#
|
||||
# Some examples from obfuscated malware:
|
||||
#
|
||||
# $OOO0000O0(...)
|
||||
# @$b374k(...)
|
||||
# $_[@-_]($_[@!+_] )
|
||||
#
|
||||
# A breakdown of the regular expression:
|
||||
#
|
||||
# \$+
|
||||
# The variable's '$' char, or multiple '$' for 'variable variables':
|
||||
# http://php.net/manual/en/language.variables.variable.php
|
||||
# (?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*{.+})
|
||||
# One of the following:
|
||||
# - A variable name; regexp from http://php.net/language.variables.basics
|
||||
# - A nonempty expression for variable variables: ${'fn'} or $ {'fn'}
|
||||
# (?:\s|\[.+\]|{.+}|/\*.*\*/|//.*|#.*)*
|
||||
# Optional whitespace, array access, or comments
|
||||
# \(.*\)
|
||||
# Parentheses optionally containing function parameters
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx \$+(?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*{.+})(?:\s|\[.+\]|{.+}|/\*.*\*/|//.*|#.*)*\(.*\)" \
|
||||
"id:933180,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'PHP Injection Attack: Variable Function Call Found',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
#
|
||||
# [ PHP Functions: Medium-Risk PHP Function Names ]
|
||||
#
|
||||
# In paranoia level 2, we add additional checks for most PHP functions.
|
||||
#
|
||||
# The size of the PHP function list is considerable.
|
||||
# Even after excluding the more obscure PHP extensions, 1300+ functions remain.
|
||||
# For performance and maintenance reasons, this rule does not use a regexp,
|
||||
# but uses a phrase file (@pmf), and additionally looks for an '(' character
|
||||
# in the matched variable.
|
||||
#
|
||||
# This approach carries some risk for false positives. Therefore, the function list
|
||||
# has been curated to remove words closely matching natural language and terms often
|
||||
# used in other contexts.
|
||||
#
|
||||
# This rule is a stricter sibling of rule 933150.
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmf php-function-names-933151.data" \
|
||||
"id:933151,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:lowercase,\
|
||||
msg:'PHP Injection Attack: Medium-Risk PHP Function Name Found',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule MATCHED_VARS "@pm (" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
#
|
||||
# [ PHP Variables: Common Variable Indexes ]
|
||||
#
|
||||
# In paranoia level 3, we add additional checks for parameters to many PHP variables.
|
||||
#
|
||||
#
|
||||
# One of the more common variables used within attacks on PHP is $_SERVER. Because
|
||||
# of how many different ways PHP has for executing variables (variable variables,
|
||||
# etc) often just looking for $_SERVER will be less effective than looking for the
|
||||
# various indexes within $_SERVER. This rule checks for these indexes.
|
||||
# This rule is located in PL 3 because often developers will use these names as
|
||||
# parameter names or values and this will lead to false positives.
|
||||
# Because this list is not expected to change and it is limited in size we use a
|
||||
# regex in this case to look for these values whereas in its sibling rule we use
|
||||
# @pmf for flexibility and performance.
|
||||
#
|
||||
# To rebuild the regexp:
|
||||
# cd util/regexp-assemble
|
||||
# ./regexp-assemble.pl < regexp-933131.data
|
||||
#
|
||||
# This rule is a stricter sibling of rule 933130.
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:HTTP_(?:ACCEPT(?:_(?:ENCODING|LANGUAGE|CHARSET))?|(?:X_FORWARDED_FO|REFERE)R|(?:USER_AGEN|HOS)T|CONNECTION|KEEP_ALIVE)|PATH_(?:TRANSLATED|INFO)|ORIG_PATH_INFO|QUERY_STRING|REQUEST_URI|AUTH_TYPE)" \
|
||||
"id:933131,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:normalisePath,t:urlDecodeUni,\
|
||||
msg:'PHP Injection Attack: Variables Found',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'paranoia-level/3',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
#
|
||||
# [ PHP Functions: Low-Value PHP Function Calls ]
|
||||
#
|
||||
# In paranoia level 3, we add additional checks for the remaining PHP functions.
|
||||
#
|
||||
# Most of these function names are likely to cause false positives in natural text
|
||||
# or common parameter values, such as 'abs', 'copy', 'date', 'key', 'max', 'min'.
|
||||
# Therefore, these function names are not scanned in lower paranoia levels.
|
||||
#
|
||||
# To mitigate the risk of false positives somewhat, a regexp is used to look for
|
||||
# PHP function syntax. (See rule 933160 for a description.)
|
||||
#
|
||||
# This rule is a stricter sibling of rule 933160.
|
||||
#
|
||||
# Regexp generated from util/regexp-assemble/regexp-933161.data using Regexp::Assemble.
|
||||
# See http://blog.modsecurity.org/2007/06/optimizing-regu.html for usage.
|
||||
# Note that after assemble, PHP function syntax pre/postfix is added to the Regexp::Assemble
|
||||
# output. Example: "@rx (?i)\bASSEMBLE_OUTPUT_HERE(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)"
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:i(?:s(?:_(?:in(?:t(?:eger)?|finite)|n(?:u(?:meric|ll)|an)|(?:calla|dou)ble|s(?:calar|tring)|f(?:inite|loat)|re(?:source|al)|l(?:ink|ong)|a(?:rray)?|object|bool)|set)|n(?:(?:clud|vok)e|t(?:div|val))|(?:mplod|dat)e|conv)|s(?:t(?:r(?:(?:le|sp)n|coll)|at)|(?:e(?:rializ|ttyp)|huffl)e|i(?:milar_text|zeof|nh?)|p(?:liti?|rintf)|(?:candi|ubst)r|y(?:mlink|slog)|o(?:undex|rt)|leep|rand|qrt)|f(?:ile(?:(?:siz|typ)e|owner|pro)|l(?:o(?:atval|ck|or)|ush)|(?:rea|mo)d|t(?:ell|ok)|unction|close|gets|stat|eof)|c(?:h(?:o(?:wn|p)|eckdate|root|dir|mod)|o(?:(?:(?:nsta|u)n|mpac)t|sh?|py)|lose(?:dir|log)|(?:urren|ryp)t|eil)|e(?:x(?:(?:trac|i)t|p(?:lode)?)|a(?:ster_da(?:te|ys)|ch)|r(?:ror_log|egi?)|mpty|cho|nd)|l(?:o(?:g(?:1[0p])?|caltime)|i(?:nk(?:info)?|st)|(?:cfirs|sta)t|evenshtein|trim)|d(?:i(?:(?:skfreespac)?e|r(?:name)?)|e(?:fined?|coct)|(?:oubleva)?l|ate)|r(?:e(?:(?:quir|cod|nam)e|adlin[ek]|wind|set)|an(?:ge|d)|ound|sort|trim)|m(?:b(?:split|ereg)|i(?:crotime|n)|a(?:i[ln]|x)|etaphone|y?sql|hash)|u(?:n(?:(?:tain|se)t|iqid|link)|s(?:leep|ort)|cfirst|mask)|a(?:s(?:(?:se|o)rt|inh?)|r(?:sort|ray)|tan[2h]?|cosh?|bs)|t(?:e(?:xtdomain|mpnam)|a(?:int|nh?)|ouch|ime|rim)|h(?:e(?:ader(?:s_(?:lis|sen)t)?|brev)|ypot|ash)|p(?:a(?:thinfo|ck)|r(?:intf?|ev)|close|o[sw]|i)|g(?:et(?:t(?:ext|ype)|date)|mdate)|o(?:penlog|ctdec|rd)|b(?:asename|indec)|n(?:atsor|ex)t|k(?:sort|ey)|quotemeta|wordwrap|virtual|join)(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" \
|
||||
"id:933161,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'PHP Injection Attack: Low-Value PHP Function Call Found',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'paranoia-level/3',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
#
|
||||
# [ PHP Script Uploads: Superfluous extension ]
|
||||
#
|
||||
# Block file uploads with PHP related extensions (.php, .phps, .phtml,
|
||||
# .php5 etc) anywhere in the name, followed by a dot.
|
||||
#
|
||||
# Example: index.php.tmp
|
||||
#
|
||||
# Uploading of such files can lead to remote code execution if
|
||||
# Apache is configured with AddType and MultiViews, as Apache will
|
||||
# automatically do a filename match when the extension is unknown.
|
||||
# This configuration is fortunately not common in modern installs.
|
||||
#
|
||||
# Blocking these file names might lead to more false positives.
|
||||
#
|
||||
# Some AJAX uploaders use the nonstandard request headers X-Filename,
|
||||
# X_Filename, or X-File-Name to transmit the file name to the server;
|
||||
# scan these request headers as well as multipart/form-data file names.
|
||||
#
|
||||
# This rule is a stricter sibling of rule 933110.
|
||||
#
|
||||
SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \
|
||||
"id:933111,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:lowercase,\
|
||||
msg:'PHP Injection Attack: PHP Script File Upload Found',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'paranoia-level/3',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
# [ PHP Closing Tag Found ]
|
||||
#
|
||||
# http://www.php.net/manual/en/language.basic-syntax.phptags.php
|
||||
#
|
||||
# This check was extracted from 933100 (paranoia level 1), since the
|
||||
# checked sequence '?>' commonly causes false positives.
|
||||
# See issue #654 for discussion.
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm ?>" \
|
||||
"msg:'PHP Injection Attack: PHP Closing Tag Found',\
|
||||
phase:2,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
t:none,t:urlDecodeUni,\
|
||||
ctl:auditLogParts=+E,\
|
||||
block,\
|
||||
capture,\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
id:933190,\
|
||||
severity:'CRITICAL',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-injection-php',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'paranoia-level/3',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
#
|
||||
# -= Paranoia Levels Finished =-
|
||||
#
|
||||
SecMarker "END-REQUEST-933-APPLICATION-ATTACK-PHP"
|
|
@ -0,0 +1,900 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
#
|
||||
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
||||
|
||||
#
|
||||
# -=[ Libinjection - XSS Detection ]=-
|
||||
#
|
||||
# Ref: https://github.com/client9/libinjection
|
||||
# Ref: https://speakerdeck.com/ngalbreath/libinjection-from-sqli-to-xss
|
||||
#
|
||||
# -=[ Targets ]=-
|
||||
#
|
||||
# 941100: PL1 : REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|
|
||||
# REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|
|
||||
# ARGS_NAMES|ARGS|XML:/*
|
||||
#
|
||||
# 941101: PL2 : REQUEST_HEADERS:Referer
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@detectXSS" \
|
||||
"id:941100,\
|
||||
phase:2,\
|
||||
block,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
|
||||
msg:'XSS Attack Detected via libinjection',\
|
||||
logdata:'Matched Data: XSS data found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A3',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
#
|
||||
# -=[ XSS Filters - Category 1 ]=-
|
||||
# http://xssplayground.net23.net/xssfilter.html
|
||||
# script tag based XSS vectors, e.g., <script> alert(1)</script>
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[<<]script[^>>]*[>>][\s\S]*?" \
|
||||
"id:941110,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
|
||||
msg:'XSS Filter - Category 1: Script Tag Vector',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A3',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
#
|
||||
# -=[ XSS Filters - Category 2 ]=-
|
||||
# XSS vectors making use of event handlers like onerror, onload etc, e.g., <body onload="alert(1)">
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\"'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]+on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=" \
|
||||
"id:941120,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
|
||||
msg:'XSS Filter - Category 2: Event Handler Vector',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A3',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
#
|
||||
# -=[ XSS Filters - Category 3 ]=-
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\S](?:x(?:link:href|html|mlns)|!ENTITY.*?SYSTEM|data:text\/html|pattern(?=.*?=)|formaction|\@import|base64)\b" \
|
||||
"id:941130,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
|
||||
msg:'XSS Filter - Category 3: Attribute Vector',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A3',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
#
|
||||
# -=[ XSS Filters - Category 4 ]=-
|
||||
# XSS vectors making use of javascript uri and tags, e.g., <p style="background:url(javascript:alert(1))">
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:<(?:(?:apple|objec)t|isindex|embed|style|form|meta)\b[^>]*?>[\s\S]*?|(?:=|U\s*?R\s*?L\s*?\()\s*?[^>]*?\s*?S\s*?C\s*?R\s*?I\s*?P\s*?T\s*?:)" \
|
||||
"id:941140,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
|
||||
msg:'XSS Filter - Category 4: Javascript URI Vector',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A3',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
#
|
||||
# -=[ NoScript XSS Filters ]=-
|
||||
# Ref: http://noscript.net/
|
||||
#
|
||||
# [NoScript InjectionChecker] HTML injection
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*(?:\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t|\W*?f\W*?o\W*?r\W*?m|\W*?s\W*?t\W*?y\W*?l\W*?e|\W*?s\W*?v\W*?g|\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e|(?:\W*?l\W*?i\W*?n\W*?k|\W*?o\W*?b\W*?j\W*?e\W*?c\W*?t|\W*?e\W*?m\W*?b\W*?e\W*?d|\W*?a\W*?p\W*?p\W*?l\W*?e\W*?t|\W*?p\W*?a\W*?r\W*?a\W*?m|\W*?i?\W*?f\W*?r\W*?a\W*?m\W*?e|\W*?b\W*?a\W*?s\W*?e|\W*?b\W*?o\W*?d\W*?y|\W*?m\W*?e\W*?t\W*?a|\W*?i\W*?m\W*?a?\W*?g\W*?e?|\W*?v\W*?i\W*?d\W*?e\W*?o|\W*?a\W*?u\W*?d\W*?i\W*?o|\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s|\W*?s\W*?e\W*?t|\W*?a\W*?n\W*?i\W*?m\W*?a\W*?t\W*?e)[^>\w])|(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:formaction|style|background|src|lowsrc|ping|on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)?|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|m(?:o(?:z(?:pointerlock(?:change|error)|(?:orientation|time)change|fullscreen(?:change|error)|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|u(?:ccess|spend|bmit)|peech(?:start|end)|ound(?:start|end)|croll|how)|b(?:e(?:for(?:e(?:(?:scriptexecu|activa)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|deactivate)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ime(?:update|out)|ransitionend|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom))[\s\x08]*?=" \
|
||||
"id:941160,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
|
||||
msg:'NoScript XSS InjectionChecker: HTML Injection',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A3',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
#
|
||||
# [NoScript InjectionChecker] Attributes injection
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\\\(\[\.<]|[\s\S]*?(?:\bname\b|\\[ux]\d))|data:(?:(?:[a-z]\w+\/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:\/\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()|\W*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[\s\S]*?:[\s\S]*?\W*?u\W*?r\W*?l[\s\S]*?\(" \
|
||||
"id:941170,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
|
||||
msg:'NoScript XSS InjectionChecker: Attribute Injection',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A3',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
#
|
||||
# [Blacklist Keywords from Node-Validator]
|
||||
# https://raw.github.com/chriso/node-validator/master/validator.js
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm document.cookie document.write document[ self[ .parentnode .innerhtml window.location -moz-binding <!-- --> <![cdata[" \
|
||||
"id:941180,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls,\
|
||||
msg:'Node-Validator Blacklist Keywords',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A3',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
#
|
||||
# -=[ XSS Filters from IE ]=-
|
||||
# Ref: http://blogs.technet.com/srd/archive/2008/08/18/ie-8-xss-filter-architecture-implementation.aspx
|
||||
# Ref: http://xss.cx/examples/ie/internet-exploror-ie9-xss-filter-rules-example-regexp-mshtmldll.txt
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<style.*?>.*?((@[i\\\\])|(([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))))" \
|
||||
"id:941190,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
|
||||
msg:'IE XSS Filters - Attack Detected.',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A3',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<.*[:]?vmlframe.*?[\s/+]*?src[\s/+]*=)" \
|
||||
"id:941200,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
|
||||
msg:'IE XSS Filters - Attack Detected.',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A3',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(j|(&#x?0*((74)|(4A)|(106)|(6A));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" \
|
||||
"id:941210,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
|
||||
msg:'IE XSS Filters - Attack Detected.',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A3',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(b|(&#x?0*((66)|(42)|(98)|(62));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" \
|
||||
"id:941220,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
|
||||
msg:'IE XSS Filters - Attack Detected.',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A3',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<EMBED[\s/+].*?(?:src|type).*?=" \
|
||||
"id:941230,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
|
||||
msg:'IE XSS Filters - Attack Detected.',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A3',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx <[?]?import[\s\/+\S]*?implementation[\s\/+]*?=" \
|
||||
"id:941240,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls,\
|
||||
msg:'IE XSS Filters - Attack Detected.',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A3',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<META[\s/+].*?http-equiv[\s/+]*=[\s/+]*[\"\'`]?(((c|(&#x?0*((67)|(43)|(99)|(63));?)))|((r|(&#x?0*((82)|(52)|(114)|(72));?)))|((s|(&#x?0*((83)|(53)|(115)|(73));?)))))" \
|
||||
"id:941250,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
|
||||
msg:'IE XSS Filters - Attack Detected.',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A3',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<META[\s/+].*?charset[\s/+]*=)" \
|
||||
"id:941260,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
|
||||
msg:'IE XSS Filters - Attack Detected.',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A3',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<LINK[\s/+].*?href[\s/+]*=" \
|
||||
"id:941270,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
|
||||
msg:'IE XSS Filters - Attack Detected.',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A3',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<BASE[\s/+].*?href[\s/+]*=" \
|
||||
"id:941280,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
|
||||
msg:'IE XSS Filters - Attack Detected.',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A3',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<APPLET[\s/+>]" \
|
||||
"id:941290,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
|
||||
msg:'IE XSS Filters - Attack Detected.',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A3',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<OBJECT[\s/+].*?(?:type|codetype|classid|code|data)[\s/+]*=" \
|
||||
"id:941300,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
|
||||
msg:'IE XSS Filters - Attack Detected.',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A3',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
#
|
||||
# https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
|
||||
# US-ASCII encoding bypass listed on XSS filter evasion
|
||||
# Reported by Mazin Ahmed
|
||||
#
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:¾|¼).*(?:¾|¼|>)|(?:¾|¼|<).*(?:¾|¼)" \
|
||||
"id:941310,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
|
||||
msg:'US-ASCII Malformed Encoding XSS Filter - Attack Detected.',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-tomcat',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A3',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
#
|
||||
# UTF-7 encoding XSS filter evasion for IE.
|
||||
# Reported by Vladimir Ivanov
|
||||
#
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\+ADw\-|\+AD4\-).*(?:\+ADw\-|\+AD4\-|>)|(?:\+ADw\-|\+AD4\-|<).*(?:\+ADw\-|\+AD4\-)" \
|
||||
"id:941350,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
|
||||
msg:'UTF-7 Encoding IE XSS - Attack Detected.',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-internet-explorer',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A3',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
#
|
||||
# This is a stricter sibling of rule 941100.
|
||||
#
|
||||
SecRule REQUEST_HEADERS:Referer "@detectXSS" \
|
||||
"id:941101,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
|
||||
msg:'XSS Attack Detected via libinjection',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A3',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
#
|
||||
# -=[ XSS Filters - Category 5 ]=-
|
||||
# HTML attribues - src, style and href
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=" \
|
||||
"id:941150,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
|
||||
msg:'XSS Filter - Category 5: Disallowed HTML Attributes',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A3',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'CAPEC-242',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
# Detect tags that are the most common direct HTML injection points.
|
||||
#
|
||||
# <a href=javascript:...
|
||||
# <applet src="..." type=text/html>
|
||||
# <applet src="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4" type=text/html>
|
||||
# <base href=javascript:...
|
||||
# <base href=... // change base URL to something else to exploit relative filename inclusion
|
||||
# <bgsound src=javascript:...
|
||||
# <body background=javascript:...
|
||||
# <body onload=...
|
||||
# <embed src=http://www.example.com/flash.swf allowScriptAccess=always
|
||||
# <embed src="data:image/svg+xml;
|
||||
# <frameset><frame src="javascript:..."></frameset>
|
||||
# <iframe src=javascript:...
|
||||
# <img src=x onerror=...
|
||||
# <input type=image src=javascript:...
|
||||
# <layer src=...
|
||||
# <link href="javascript:..." rel="stylesheet" type="text/css"
|
||||
# <link href="http://www.example.com/xss.css" rel="stylesheet" type="text/css"
|
||||
# <meta http-equiv="refresh" content="0;url=javascript:..."
|
||||
# <meta http-equiv="refresh" content="0;url=http://;javascript:..." // evasion
|
||||
# <meta http-equiv="link" rel=stylesheet content="http://www.example.com/xss.css">
|
||||
# <meta http-equiv="Set-Cookie" content="NEW_COOKIE_VALUE">
|
||||
# <object data=http://www.example.com
|
||||
# <object type=text/x-scriptlet data=...
|
||||
# <object type=application/x-shockwave-flash data=xss.swf>
|
||||
# <object classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:...></object> // not verified
|
||||
# <script>...</script>
|
||||
# <script src=http://www.example.com/xss.js></script> - TODO add another rule for this
|
||||
# <script src="data:text/javascript,alert(1)"></script>
|
||||
# <script src="data:text/javascript;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg=="></script>
|
||||
# <style>STYLE</style>
|
||||
# <style type=text/css>STYLE</style>
|
||||
# <style type=text/javascript>alert('xss')</style>
|
||||
# <table background=javascript:...
|
||||
# <td background=javascript:
|
||||
#
|
||||
#
|
||||
# NOTES
|
||||
#
|
||||
# - Reference the WASC Script Mapping Project - http://projects.webappsec.org/Script-Mapping
|
||||
#
|
||||
# - Not using closing brackets because they are not needed for the
|
||||
# attacks to succeed. The following seems to work in FF: <body/s/onload=...
|
||||
#
|
||||
# - Also, browsers sometimes tend to translate < into >, in order to "repair"
|
||||
# what they think was a mistake made by the programmer/template designer.
|
||||
#
|
||||
# - Browsers are flexible when it comes to what they accept as separator between
|
||||
# tag names and attributes. The following is commonly used in payloads: <img/src=...
|
||||
# A better example: <BODY onload!#$%&()*~+-_.,:;?@[/|\]^=alert("XSS")>
|
||||
#
|
||||
# - Grave accents are sometimes used as an evasion technique (as a replacement for quotes),
|
||||
# but I don't believe we need to look for quotes anywhere.
|
||||
#
|
||||
# - Links do not have to be fully qualified. For example, the following works:
|
||||
# <script src="//ha.ckers.org/.j">
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx <(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W" \
|
||||
"id:941320,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:urlDecodeUni,t:jsDecode,t:lowercase,\
|
||||
msg:'Possible XSS Attack Detected - HTML Tag Handler',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A2',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'PCI/6.5.1',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\"\'][ ]*(([^a-z0-9~_:\' ])|(in)).*?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))|((o|(\\\\u006F))(n|(\\\\u006E))(e|(\\\\u0065))(r|(\\\\u0072))(r|(\\\\u0072))(o|(\\\\u006F))(r|(\\\\u0072)))|((v|(\\\\u0076))(a|(\\\\u0061))(l|(\\\\u006C))(u|(\\\\u0075))(e|(\\\\u0065))(O|(\\\\u004F))(f|(\\\\u0066)))).*?=)" \
|
||||
"id:941330,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,\
|
||||
msg:'IE XSS Filters - Attack Detected.',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A2',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'PCI/6.5.1',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"\'][ ]*(?:[^a-z0-9~_:\' ]|in).+?[.].+?=" \
|
||||
"id:941340,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,\
|
||||
msg:'IE XSS Filters - Attack Detected.',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-xss',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/XSS',\
|
||||
tag:'WASCTC/WASC-8',\
|
||||
tag:'WASCTC/WASC-22',\
|
||||
tag:'OWASP_TOP_10/A2',\
|
||||
tag:'OWASP_AppSensor/IE1',\
|
||||
tag:'PCI/6.5.1',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:941015,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:941016,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:941017,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:941018,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
#
|
||||
# -= Paranoia Levels Finished =-
|
||||
#
|
||||
SecMarker "END-REQUEST-941-APPLICATION-ATTACK-XSS"
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,138 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
#
|
||||
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:943011,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:943012,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
||||
#
|
||||
# Session fixation
|
||||
#
|
||||
# -=[ References ]=-
|
||||
# http://projects.webappsec.org/Session-Fixation
|
||||
# http://projects.webappsec.org/w/page/13246960/Session%20Fixation
|
||||
# http://capec.mitre.org/data/definitions/61.html
|
||||
#
|
||||
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
|
||||
"id:943100,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:urlDecodeUni,\
|
||||
msg:'Possible Session Fixation Attack: Setting Cookie Values in HTML',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-fixation',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\
|
||||
tag:'WASCTC/WASC-37',\
|
||||
tag:'CAPEC-61',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
|
||||
"id:943110,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:urlDecodeUni,t:lowercase,\
|
||||
msg:'Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-fixation',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\
|
||||
tag:'WASCTC/WASC-37',\
|
||||
tag:'CAPEC-61',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule REQUEST_HEADERS:Referer "@rx ^(?:ht|f)tps?://(.*?)\/" \
|
||||
"capture,\
|
||||
chain"
|
||||
SecRule TX:1 "!@endsWith %{request_headers.host}" \
|
||||
"setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
|
||||
"id:943120,\
|
||||
phase:2,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:urlDecodeUni,t:lowercase,\
|
||||
msg:'Possible Session Fixation Attack: SessionID Parameter Name with No Referer',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-fixation',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\
|
||||
tag:'WASCTC/WASC-37',\
|
||||
tag:'CAPEC-61',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule &REQUEST_HEADERS:Referer "@eq 0" \
|
||||
"setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:943013,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:943014,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:943015,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:943016,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:943017,phase:1,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:943018,phase:2,pass,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
#
|
||||
# -= Paranoia Levels Finished =-
|
||||
#
|
||||
SecMarker "END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
|
|
@ -0,0 +1,301 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
#
|
||||
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
||||
#
|
||||
# Many rules check request bodies, use "SecRequestBodyAccess On" to enable it on main modsecurity configuration file.
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "phase:1,id:944011,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "phase:2,id:944012,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
|
||||
"@rx java\.lang\.(?:runtime|processbuilder)" \
|
||||
"id:944100,\
|
||||
phase:2,\
|
||||
block,\
|
||||
log,\
|
||||
msg:'Remote Command Execution: Suspicious Java class detected',\
|
||||
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
|
||||
t:none,t:lowercase,\
|
||||
tag:'application-multi',\
|
||||
tag:'language-java',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/1',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
|
||||
# [ Java deserialization vulnerability/Apache Struts (CVE-2017-9805) ]
|
||||
# [ Java deserialization vulnerability/Oracle Weblogic (CVE-2017-10271) ]
|
||||
#
|
||||
# Generic rule to detect processbuilder or runtime calls, if any of thos is found and the same target contains
|
||||
# java. unmarshaller or base64data to trigger a potential payload execution
|
||||
# tested with https://www.exploit-db.com/exploits/42627/ and https://www.exploit-db.com/exploits/43458/
|
||||
|
||||
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
|
||||
"@rx (?:runtime|processbuilder)" \
|
||||
"id:944110,\
|
||||
phase:2,\
|
||||
block,\
|
||||
t:none,t:lowercase,\
|
||||
log,\
|
||||
msg:'Remote Command Execution: Java process spawn (CVE-2017-9805)',\
|
||||
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-java',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/1',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \
|
||||
"setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
|
||||
# Magic bytes detected and payload included possibly RCE vulnerable classess detected and process execution methods detected
|
||||
# anomaly score set to critical as all conditions indicate the request try to perform RCE.
|
||||
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
|
||||
"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \
|
||||
"id:944120,\
|
||||
phase:2,\
|
||||
block,\
|
||||
t:none,t:lowercase,\
|
||||
log,\
|
||||
msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',\
|
||||
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-java',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/1',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
|
||||
"t:none,t:lowercase,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
|
||||
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
|
||||
"@pmf java-classes.data" \
|
||||
"id:944130,\
|
||||
phase:2,\
|
||||
block,\
|
||||
log,\
|
||||
msg:'Suspicious Java class detected',\
|
||||
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
|
||||
t:none,t:lowercase,\
|
||||
tag:'application-multi',\
|
||||
tag:'language-java',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/1',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "phase:1,id:944013,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "phase:2,id:944014,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
# [ Java deserialization vulnerability/Apache Commons (CVE-2015-4852) ]
|
||||
#
|
||||
# Detect exploitation of "Java deserialization" Apache Commons.
|
||||
#
|
||||
# Based on rules by @spartantri.
|
||||
# https://spartantri.com/ModSecurity/?p=44
|
||||
#
|
||||
# Interesting references about the vulnerability
|
||||
# https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
|
||||
# https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
|
||||
#
|
||||
# Potential false positives with random fields, the anomaly level is set low to avoid blocking request
|
||||
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
|
||||
"@rx \xac\xed\x00\x05" \
|
||||
"id:944200,\
|
||||
phase:2,\
|
||||
block,\
|
||||
log,\
|
||||
msg:'Magic bytes Detected, probable java serialization in use',\
|
||||
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-java',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
|
||||
# Detecting possibe base64 text to match encoded magic bytes \xac\xed\x00\x05 with padding encoded in base64 strings are rO0ABQ KztAAU Cs7QAF
|
||||
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
|
||||
"@rx (?:rO0ABQ|KztAAU|Cs7QAF)" \
|
||||
"id:944210,\
|
||||
phase:2,\
|
||||
block,\
|
||||
log,\
|
||||
msg:'Magic bytes Detected Base64 Encoded, probable java serialization in use',\
|
||||
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-java',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
|
||||
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
|
||||
"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \
|
||||
"id:944240,\
|
||||
phase:2,\
|
||||
block,\
|
||||
t:none,t:lowercase,\
|
||||
log,\
|
||||
msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',\
|
||||
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-java',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
|
||||
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
|
||||
"@rx java\b.+(?:runtime|processbuilder)" \
|
||||
"id:944250,\
|
||||
phase:2,\
|
||||
block,\
|
||||
log,\
|
||||
msg:'Remote Command Execution: Suspicious Java method detected',\
|
||||
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
|
||||
t:lowercase,\
|
||||
tag:'application-multi',\
|
||||
tag:'language-java',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/2',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "phase:1,id:944015,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "phase:2,id:944016,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
# Interesting keywords for possibly RCE on vulnerable classess and methods base64 encoded
|
||||
# Keywords = ['runtime', 'processbuilder', 'clonetransformer', 'forclosure', 'instantiatefactory', 'instantiatetransformer', 'invokertransformer', 'prototypeclonefactory', 'prototypeserializationfactory', 'whileclosure']
|
||||
#for item in keywords:
|
||||
# pad='\x00'
|
||||
# for padding in xrange(3):
|
||||
# print base64.b64encode(''.join([pad*padding,item])).replace('=','')[padding:],
|
||||
#cnVudGltZQ HJ1bnRpbWU BydW50aW1l cHJvY2Vzc2J1aWxkZXI HByb2Nlc3NidWlsZGVy Bwcm9jZXNzYnVpbGRlcg Y2xvbmV0cmFuc2Zvcm1lcg GNsb25ldHJhbnNmb3JtZXI BjbG9uZXRyYW5zZm9ybWVy Zm9yY2xvc3VyZQ GZvcmNsb3N1cmU Bmb3JjbG9zdXJl aW5zdGFudGlhdGVmYWN0b3J5 Gluc3RhbnRpYXRlZmFjdG9yeQ BpbnN0YW50aWF0ZWZhY3Rvcnk aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg Gluc3RhbnRpYXRldHJhbnNmb3JtZXI BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy aW52b2tlcnRyYW5zZm9ybWVy Gludm9rZXJ0cmFuc2Zvcm1lcg BpbnZva2VydHJhbnNmb3JtZXI cHJvdG90eXBlY2xvbmVmYWN0b3J5 HByb3RvdHlwZWNsb25lZmFjdG9yeQ Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5 Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ d2hpbGVjbG9zdXJl HdoaWxlY2xvc3VyZQ B3aGlsZWNsb3N1cmU
|
||||
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
|
||||
"@rx (?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)" \
|
||||
"id:944300,\
|
||||
phase:2,\
|
||||
block,\
|
||||
t:none,\
|
||||
log,\
|
||||
msg:'Base64 encoded string matched suspicious keyword',\
|
||||
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-java',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-rce',\
|
||||
tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
|
||||
tag:'WASCTC/WASC-31',\
|
||||
tag:'OWASP_TOP_10/A1',\
|
||||
tag:'PCI/6.5.2',\
|
||||
tag:'paranoia-level/3',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "phase:1,id:944017,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "phase:2,id:944018,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
||||
|
||||
#
|
||||
# -= Paranoia Levels Finished =-
|
||||
#
|
||||
SecMarker "END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
|
@ -0,0 +1,132 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
#
|
||||
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
||||
#
|
||||
|
||||
# Summing up the anomaly score.
|
||||
|
||||
# NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs.
|
||||
# So we add to it.
|
||||
SecRule TX:PARANOIA_LEVEL "@ge 1" \
|
||||
"id:949060,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl1}'"
|
||||
|
||||
SecRule TX:PARANOIA_LEVEL "@ge 2" \
|
||||
"id:949061,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl2}'"
|
||||
|
||||
SecRule TX:PARANOIA_LEVEL "@ge 3" \
|
||||
"id:949062,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl3}'"
|
||||
|
||||
SecRule TX:PARANOIA_LEVEL "@ge 4" \
|
||||
"id:949063,\
|
||||
phase:2,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl4}'"
|
||||
|
||||
|
||||
SecMarker "BEGIN-REQUEST-BLOCKING-EVAL"
|
||||
|
||||
# These rules use the anomaly score settings specified in the 10 config file.
|
||||
# You should also set the desired disruptive action (deny, redirect, etc...).
|
||||
#
|
||||
# -=[ IP Reputation Checks ]=-
|
||||
#
|
||||
# Block based on variable IP.REPUT_BLOCK_FLAG and TX.DO_REPUT_BLOCK
|
||||
#
|
||||
SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
|
||||
"id:949100,\
|
||||
phase:2,\
|
||||
deny,\
|
||||
log,\
|
||||
msg:'Request Denied by IP Reputation Enforcement.',\
|
||||
logdata:'Previous Block Reason: %{ip.reput_block_reason}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-reputation-ip',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule TX:DO_REPUT_BLOCK "@eq 1" \
|
||||
"setvar:'tx.inbound_tx_msg=%{tx.msg}',\
|
||||
setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
|
||||
|
||||
#
|
||||
# -=[ Anomaly Mode: Overall Transaction Anomaly Score ]=-
|
||||
#
|
||||
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
|
||||
"id:949110,\
|
||||
phase:2,\
|
||||
deny,\
|
||||
t:none,\
|
||||
log,\
|
||||
msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-generic',\
|
||||
severity:'CRITICAL',\
|
||||
setvar:'tx.inbound_tx_msg=%{tx.msg}',\
|
||||
setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:949013,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:949014,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:949015,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:949016,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:949017,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:949018,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
#
|
||||
# -= Paranoia Levels Finished =-
|
||||
#
|
||||
SecMarker "END-REQUEST-949-BLOCKING-EVALUATION"
|
|
@ -0,0 +1,110 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
# The paranoia level skip rules 950020, 950021 and 950022 have odd
|
||||
# numbers not in sync with other paranoia level skip rules in other
|
||||
# files. This is done to avoid rule id collisions with CRSv2.
|
||||
# This is also true for rule 950130.
|
||||
|
||||
#
|
||||
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:950020,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:950021,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
||||
#
|
||||
# -=[ Directory Listing ]=-
|
||||
#
|
||||
SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]<\/[Aa]><br>)" \
|
||||
"id:950130,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'Directory Listing',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS/LEAKAGE/INFO_DIRECTORY_LISTING',\
|
||||
tag:'WASCTC/WASC-13',\
|
||||
tag:'OWASP_TOP_10/A6',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/INFO-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
#
|
||||
# -=[ The application is not available - 5xx level status code ]=-
|
||||
#
|
||||
SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
|
||||
"id:950100,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'The Application Returned a 500-Level Status Code',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'WASCTC/WASC-13',\
|
||||
tag:'OWASP_TOP_10/A6',\
|
||||
tag:'PCI/6.5.6',\
|
||||
tag:'paranoia-level/2',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl2=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:950015,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:950016,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:950017,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:950022,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
#
|
||||
# -= Paranoia Levels Finished =-
|
||||
#
|
||||
SecMarker "END-RESPONSE-950-DATA-LEAKAGES"
|
|
@ -0,0 +1,489 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
#
|
||||
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:951011,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
||||
#
|
||||
# -=[ SQL Error Leakages ]=-
|
||||
#
|
||||
# Ref: https://raw.github.com/sqlmapproject/sqlmap/master/xml/errors.xml
|
||||
# Ref: https://github.com/Arachni/arachni/tree/master/components/checks/active/sql_injection/regexps
|
||||
#
|
||||
SecRule RESPONSE_BODY "@pmFromFile sql-errors.data" \
|
||||
"id:951100,\
|
||||
phase:4,\
|
||||
pass,\
|
||||
nolog,\
|
||||
t:none,\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-disclosure',\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
setvar:'tx.sql_error_match=1'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951110,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'Microsoft Access SQL Information Leakage',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-msaccess',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951120,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'Oracle SQL Information Leakage',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-oracle',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951130,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'DB2 SQL Information Leakage',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-db2',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.*DB2|DB2 SQL error|db2_\w+\()" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951140,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'EMC SQL Information Leakage',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-emc',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinity of:)" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951150,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'firebird SQL Information Leakage',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-firebird',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951160,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'Frontbase SQL Information Leakage',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-frontbase',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollback\." \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951170,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'hsqldb SQL Information Leakage',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-hsqldb',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951180,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'informix SQL Information Leakage',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-informix',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.*Informix)" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951190,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'ingres SQL Information Leakage',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-ingres',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951200,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'interbase SQL Information Leakage',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-interbase',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951210,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'maxDB SQL Information Leakage',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-maxdb',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951220,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'mssql SQL Information Leakage',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-mssql',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[\-\_\ ]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.)" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951230,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'mysql SQL Information Leakage',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-mysql',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid MySQL|Column count doesn't match value count at row|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax;|You have an error in your SQL syntax near|MySQL server version for the right syntax to use|\[MySQL\]\[ODBC|Column count doesn't match|Table '[^']+' doesn't exist|SQL syntax.*MySQL|Warning.*mysql_.*|valid MySQL result|MySqlClient\.)" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951240,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'postgres SQL Information Leakage',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-pgsql',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)(?:PostgreSQL query failed:|pg_query\(\) \[:|pg_exec\(\) \[:|PostgreSQL.*ERROR|Warning.*pg_.*|valid PostgreSQL result|Npgsql\.|PG::([a-zA-Z]*)Error|Supplied argument is not a valid PostgreSQL (?:.*?) resource|Unable to connect to PostgreSQL server)" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951250,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'sqlite SQL Information Leakage',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-sqlite',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\.Exception|System\.Data\.SQLite\.SQLiteException)" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
SecRule TX:sql_error_match "@eq 1" \
|
||||
"id:951260,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'Sybase SQL Information Leakage',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-sybase',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
|
||||
tag:'CWE-209',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'CRITICAL',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.*sybase.*|Sybase.*Server message.*)" \
|
||||
"capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:951013,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:951014,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:951015,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:951016,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:951017,phase:3,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:951018,phase:4,pass,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
#
|
||||
# -= Paranoia Levels Finished =-
|
||||
#
|
||||
SecMarker "END-RESPONSE-951-DATA-LEAKAGES-SQL"
|
|
@ -0,0 +1,107 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
#
|
||||
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:952011,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:952012,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
||||
#
|
||||
# -=[ Java Source Code Leakages ]=-
|
||||
#
|
||||
SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
|
||||
"id:952100,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'Java Source Code Leakage',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-java',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_JAVA',\
|
||||
tag:'WASCTC/WASC-13',\
|
||||
tag:'OWASP_TOP_10/A6',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
#
|
||||
# -=[ Java Errors ]=-
|
||||
#
|
||||
# Ref: https://github.com/andresriancho/w3af/blob/master/w3af/plugins/grep/error_pages.py
|
||||
#
|
||||
SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
|
||||
"id:952110,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'Java Errors',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-java',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_JAVA',\
|
||||
tag:'WASCTC/WASC-13',\
|
||||
tag:'OWASP_TOP_10/A6',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:952013,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:952014,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:952015,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:952016,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:952017,phase:3,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:952018,phase:4,pass,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
#
|
||||
# -= Paranoia Levels Finished =-
|
||||
#
|
||||
SecMarker "END-RESPONSE-952-DATA-LEAKAGES-JAVA"
|
|
@ -0,0 +1,141 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
#
|
||||
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:953011,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
||||
#
|
||||
# -=[ PHP Error Message Leakage ]=-
|
||||
#
|
||||
SecRule RESPONSE_BODY "@pmf php-errors.data" \
|
||||
"id:953100,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'PHP Information Leakage',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_PHP',\
|
||||
tag:'WASCTC/WASC-13',\
|
||||
tag:'OWASP_TOP_10/A6',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
#
|
||||
# -=[ PHP source code leakage ]=-
|
||||
#
|
||||
# Detect some common PHP keywords in output.
|
||||
#
|
||||
SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" \
|
||||
"id:953110,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'PHP source code leakage',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_PHP',\
|
||||
tag:'WASCTC/WASC-13',\
|
||||
tag:'OWASP_TOP_10/A6',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
# Detect the presence of the PHP open tag "<?" or "<?php" in output.
|
||||
#
|
||||
# To prevent false positives due to the short "<?" sequence, an attempt
|
||||
# is made to stop alerts in binary output. This is done by detecting
|
||||
# some common binary file format headers, such as gzip (\x1f\x8b\x08),
|
||||
# png (IHDR), mp3 (ID3), movie formats et cetera.
|
||||
#
|
||||
SecRule RESPONSE_BODY "@rx <\?(?!xml)" \
|
||||
"id:953120,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'PHP source code leakage',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-php',\
|
||||
tag:'platform-multi',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_PHP',\
|
||||
tag:'WASCTC/WASC-13',\
|
||||
tag:'OWASP_TOP_10/A6',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'ERROR',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "!@rx (?:\x1f\x8b\x08|\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b)" \
|
||||
"t:none,\
|
||||
capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:953013,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:953014,phase:4,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:953015,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:953016,phase:4,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:953017,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:953018,phase:4,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
#
|
||||
# -= Paranoia Levels Finished =-
|
||||
#
|
||||
SecMarker "END-RESPONSE-953-DATA-LEAKAGES-PHP"
|
|
@ -0,0 +1,154 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
#
|
||||
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:954011,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:954012,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
||||
# IIS default location
|
||||
SecRule RESPONSE_BODY "@rx [a-z]:\\\\inetpub\b" \
|
||||
"id:954100,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,t:lowercase,\
|
||||
msg:'Disclosure of IIS install location',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-iis',\
|
||||
tag:'platform-windows',\
|
||||
tag:'attack-disclosure',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
|
||||
|
||||
SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:<\/font>.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)<br>Timeout expired<br>)|<h1>internal server error<\/h1>.*?<h2>part of the server has crashed or it has a configuration error\.<\/h2>|cannot connect to the server: timed out)" \
|
||||
"id:954110,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'Application Availability Error',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-iis',\
|
||||
tag:'platform-windows',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'WASCTC/WASC-13',\
|
||||
tag:'OWASP_TOP_10/A6',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
#
|
||||
# IIS Errors leakage
|
||||
#
|
||||
SecRule RESPONSE_BODY "@rx (?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application uses a value of the wrong type for the current operation\b|error')| trappable error occurred in an external object\. The script cannot continue running\b)|Microsoft VBScript (?:compilation (?:\(0x8|error)|runtime (?:Error|\(0x8))\b|Object required: '|error '800)|<b>Version Information:<\/b>(?: |\s)(?:Microsoft \.NET Framework|ASP\.NET) Version:|>error 'ASP\b|An Error Has Occurred|>Syntax error in string in query expression|\/[Ee]rror[Mm]essage\.aspx?\?[Ee]rror\b)" \
|
||||
"id:954120,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'IIS Information Leakage',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-iis',\
|
||||
tag:'platform-windows',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',\
|
||||
tag:'WASCTC/WASC-13',\
|
||||
tag:'OWASP_TOP_10/A6',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'ERROR',\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
SecRule RESPONSE_STATUS "!@rx ^404$" \
|
||||
"id:954130,\
|
||||
phase:4,\
|
||||
block,\
|
||||
capture,\
|
||||
t:none,\
|
||||
msg:'IIS Information Leakage',\
|
||||
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
|
||||
tag:'application-multi',\
|
||||
tag:'language-multi',\
|
||||
tag:'platform-iis',\
|
||||
tag:'platform-windows',\
|
||||
tag:'attack-disclosure',\
|
||||
tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',\
|
||||
tag:'WASCTC/WASC-13',\
|
||||
tag:'OWASP_TOP_10/A6',\
|
||||
tag:'PCI/6.5.6',\
|
||||
ctl:auditLogParts=+E,\
|
||||
ver:'OWASP_CRS/3.1.1',\
|
||||
severity:'ERROR',\
|
||||
chain"
|
||||
SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \
|
||||
"t:none,\
|
||||
capture,\
|
||||
setvar:'tx.msg=%{rule.msg}',\
|
||||
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
|
||||
setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:954013,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:954014,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:954015,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:954016,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:954017,phase:3,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:954018,phase:4,pass,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
#
|
||||
# -= Paranoia Levels Finished =-
|
||||
#
|
||||
SecMarker "END-RESPONSE-954-DATA-LEAKAGES-IIS"
|
|
@ -0,0 +1,108 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
# You should set the score to the proper threshold you would prefer. If kept at "@gt 0"
|
||||
# it will work similarly to previous Mod CRS rules and will create an event in the error_log
|
||||
# file if there are any rules that match. If you would like to lessen the number of events
|
||||
# generated in the error_log file, you should increase the anomaly score threshold to
|
||||
# something like "@gt 20". This would only generate an event in the error_log file if
|
||||
# there are multiple lower severity rule matches or if any 1 higher severity item matches.
|
||||
#
|
||||
# You should also set the desired disruptive action (deny, redirect, etc...).
|
||||
#
|
||||
|
||||
#
|
||||
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
||||
#
|
||||
|
||||
# Summing up the anomaly score.
|
||||
|
||||
# NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs.
|
||||
# So we add to it.
|
||||
SecRule TX:PARANOIA_LEVEL "@ge 1" \
|
||||
"id:959060,\
|
||||
phase:4,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
setvar:'tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
|
||||
|
||||
SecRule TX:PARANOIA_LEVEL "@ge 2" \
|
||||
"id:959061,\
|
||||
phase:4,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
setvar:'tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
|
||||
|
||||
SecRule TX:PARANOIA_LEVEL "@ge 3" \
|
||||
"id:959062,\
|
||||
phase:4,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
setvar:'tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
|
||||
|
||||
SecRule TX:PARANOIA_LEVEL "@ge 4" \
|
||||
"id:959063,\
|
||||
phase:4,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
setvar:'tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
|
||||
|
||||
|
||||
# Alert and Block on High Anomaly Scores - this would block outbound data leakages
|
||||
#
|
||||
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
|
||||
"id:959100,\
|
||||
phase:4,\
|
||||
deny,\
|
||||
t:none,\
|
||||
msg:'Outbound Anomaly Score Exceeded (Total Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
|
||||
tag:'anomaly-evaluation'"
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:959011,phase:3,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:959012,phase:4,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:959013,phase:3,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:959014,phase:4,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:959015,phase:3,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:959016,phase:4,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:959017,phase:3,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:959018,phase:4,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
#
|
||||
# -= Paranoia Levels Finished =-
|
||||
#
|
||||
SecMarker "END-RESPONSE-959-BLOCKING-EVALUATION"
|
|
@ -0,0 +1,161 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
#
|
||||
# This file is used in post processing after the response has been sent to
|
||||
# the client (in the logging phase). Its purpose is to provide inbound+outbound
|
||||
# correlation of events to provide a more intelligent designation as to the outcome
|
||||
# or result of the transaction - meaning, was this a successful attack?
|
||||
#
|
||||
|
||||
#
|
||||
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
||||
#
|
||||
|
||||
#
|
||||
# -=[ Correlated Successful Attack ]=-
|
||||
#
|
||||
SecRule &TX:'/LEAKAGE\\\/ERRORS/' "@ge 1" \
|
||||
"id:980100,\
|
||||
phase:5,\
|
||||
pass,\
|
||||
t:none,\
|
||||
log,\
|
||||
msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (%{tx.inbound_tx_msg} - Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
|
||||
tag:'event-correlation',\
|
||||
severity:'EMERGENCY',\
|
||||
chain,\
|
||||
skipAfter:END-CORRELATION"
|
||||
SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none"
|
||||
|
||||
#
|
||||
# -=[ Correlated Attack Attempt ]=-
|
||||
#
|
||||
SecRule &TX:'/AVAILABILITY\\\/APP_NOT_AVAIL/' "@ge 1" \
|
||||
"id:980110,\
|
||||
phase:5,\
|
||||
pass,\
|
||||
t:none,\
|
||||
log,\
|
||||
msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
|
||||
severity:'ALERT',\
|
||||
tag:'event-correlation',\
|
||||
chain,\
|
||||
skipAfter:END-CORRELATION"
|
||||
SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none"
|
||||
|
||||
# Creating a total sum of all triggered inbound rules, including the ones only being monitored
|
||||
SecAction \
|
||||
"id:980115,\
|
||||
phase:5,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
setvar:'tx.executing_anomaly_score=%{tx.anomaly_score_pl1}',\
|
||||
setvar:'tx.executing_anomaly_score=+%{tx.anomaly_score_pl2}',\
|
||||
setvar:'tx.executing_anomaly_score=+%{tx.anomaly_score_pl3}',\
|
||||
setvar:'tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}'"
|
||||
|
||||
SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_threshold}" \
|
||||
"id:980120,\
|
||||
phase:5,\
|
||||
pass,\
|
||||
t:none,\
|
||||
log,\
|
||||
noauditlog,\
|
||||
msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): %{tx.inbound_tx_msg}; individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\
|
||||
tag:'event-correlation',\
|
||||
chain"
|
||||
SecRule TX:MONITOR_ANOMALY_SCORE "@gt 1"
|
||||
|
||||
SecRule TX:INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
|
||||
"id:980130,\
|
||||
phase:5,\
|
||||
pass,\
|
||||
t:none,\
|
||||
log,\
|
||||
noauditlog,\
|
||||
msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): %{tx.inbound_tx_msg}; individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\
|
||||
tag:'event-correlation'"
|
||||
|
||||
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
|
||||
"id:980140,\
|
||||
phase:5,\
|
||||
pass,\
|
||||
t:none,\
|
||||
log,\
|
||||
noauditlog,\
|
||||
msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}; individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\
|
||||
tag:'event-correlation'"
|
||||
|
||||
# Creating a total sum of all triggered outbound rules, including the ones only being monitored
|
||||
SecAction \
|
||||
"id:980145,\
|
||||
phase:5,\
|
||||
pass,\
|
||||
t:none,\
|
||||
nolog,\
|
||||
noauditlog,\
|
||||
setvar:'tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1}',\
|
||||
setvar:'tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2}',\
|
||||
setvar:'tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl3}',\
|
||||
setvar:'tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
|
||||
|
||||
SecRule TX:OUTBOUND_ANOMALY_SCORE "@lt %{tx.outbound_anomaly_score_threshold}" \
|
||||
"id:980150,\
|
||||
phase:5,\
|
||||
pass,\
|
||||
t:none,\
|
||||
log,\
|
||||
noauditlog,\
|
||||
msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}; individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\
|
||||
tag:'event-correlation',\
|
||||
chain"
|
||||
SecRule TX:MONITOR_ANOMALY_SCORE "@gt 1"
|
||||
|
||||
SecMarker "END-CORRELATION"
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:980011,phase:1,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:980012,phase:2,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
|
||||
#
|
||||
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:980013,phase:1,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:980014,phase:2,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
|
||||
#
|
||||
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:980015,phase:1,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:980016,phase:2,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
|
||||
#
|
||||
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:980017,phase:1,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
|
||||
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:980018,phase:2,pass,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
|
||||
#
|
||||
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
|
||||
#
|
||||
|
||||
|
||||
|
||||
#
|
||||
# -= Paranoia Levels Finished =-
|
||||
#
|
||||
SecMarker "END-RESPONSE-980-CORRELATION"
|
|
@ -0,0 +1,75 @@
|
|||
# ------------------------------------------------------------------------
|
||||
# OWASP ModSecurity Core Rule Set ver.3.1.1
|
||||
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
||||
#
|
||||
# The OWASP ModSecurity Core Rule Set is distributed under
|
||||
# Apache Software License (ASL) version 2
|
||||
# Please see the enclosed LICENSE file for full details.
|
||||
# ------------------------------------------------------------------------
|
||||
|
||||
#
|
||||
# The purpose of this file is to hold LOCAL exceptions for your site.
|
||||
# The types of rules that would go into this file are one where you want
|
||||
# to unconditionally disable rules or modify their actions during startup.
|
||||
#
|
||||
# Please see the file REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
|
||||
# for a description of the rule exclusions mechanism and the correct
|
||||
# use of this file.
|
||||
#
|
||||
|
||||
#
|
||||
# Example Exclusion Rule: To unconditionally disable a rule ID
|
||||
#
|
||||
# ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection
|
||||
# SecRuleRemoveById 942100
|
||||
|
||||
# Example Exclusion Rule: Remove a group of rules
|
||||
#
|
||||
# ModSecurity Rule Exclusion: Disable PHP injection rules
|
||||
# SecRuleRemoveByTag "attack-injection-php"
|
||||
|
||||
#
|
||||
# Example Exclusion Rule: To unconditionally remove parameter "foo" from
|
||||
# inspection for SQLi rules
|
||||
#
|
||||
# ModSecurity Rule Exclusion: disable sqli rules for parameter foo.
|
||||
# SecRuleUpdateTargetByTag "attack-sqli" "!ARGS:foo"
|
||||
|
||||
|
||||
# -- [[ Changing the Disruptive Action for Anomaly Mode ]] --
|
||||
#
|
||||
# In Anomaly Mode (default in CRS3), the rules in REQUEST-949-BLOCKING-EVALUATION.conf
|
||||
# and RESPONSE-959-BLOCKING-EVALUATION.conf check the accumulated attack scores
|
||||
# against your policy. To apply a disruptive action, they overwrite the default
|
||||
# actions specified in SecDefaultAction (setup.conf) with a 'deny' action.
|
||||
# This 'deny' is by default paired with a 'status:403' action.
|
||||
#
|
||||
# In order to change the disruptive action from 'deny' to something else,
|
||||
# you must use SecRuleUpdateActionByID directives AFTER the CRS rules
|
||||
# are configured, for instance in the RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf file.
|
||||
#
|
||||
# These actions only apply when using Anomaly Mode.
|
||||
#
|
||||
# Default action: block with error 403
|
||||
# (No configuration needed in this file if you want the default behavior.)
|
||||
#
|
||||
|
||||
# Example: redirect back to the homepage on blocking
|
||||
#
|
||||
# SecRuleUpdateActionById 949110 "t:none,redirect:'http://%{request_headers.host}/'"
|
||||
# SecRuleUpdateActionById 959100 "t:none,redirect:'http://%{request_headers.host}/'"
|
||||
|
||||
# Example: redirect to another URL on blocking
|
||||
#
|
||||
# SecRuleUpdateActionById 949110 "t:none,redirect:'http://example.com/report_problem'"
|
||||
# SecRuleUpdateActionById 959100 "t:none,redirect:'http://example.com/report_problem'"
|
||||
|
||||
# Example: send an error 404
|
||||
#
|
||||
# SecRuleUpdateActionById 949110 "t:none,deny,status:404"
|
||||
# SecRuleUpdateActionById 959100 "t:none,deny,status:404"
|
||||
|
||||
# Example: drop the connection (best for DoS attacks)
|
||||
#
|
||||
# SecRuleUpdateActionById 949110 "t:none,drop"
|
||||
# SecRuleUpdateActionById 959100 "t:none,drop"
|
|
@ -0,0 +1,34 @@
|
|||
# Search engine crawlers and other bots
|
||||
|
||||
# site ripper
|
||||
# http://www.softbytelabs.com/en/BlackWidow/
|
||||
black widow
|
||||
blackwidow
|
||||
# crawler
|
||||
# 2006
|
||||
prowebwalker
|
||||
# generic crawler
|
||||
pymills-spider/
|
||||
# SEO
|
||||
# https://ahrefs.com/robot
|
||||
AhrefsBot
|
||||
# people database
|
||||
# https://pipl.com/bot/
|
||||
PiplBot
|
||||
# advertising targeting
|
||||
# https://www.grapeshot.com/crawler/
|
||||
GrapeshotCrawler/2.0
|
||||
grapeFX
|
||||
# SEO
|
||||
# http://www.searchmetrics.com/searchmetricsbot/
|
||||
SearchmetricsBot
|
||||
# SEO
|
||||
# https://moz.com/help/guides/moz-procedures/what-is-rogerbot
|
||||
rogerbot
|
||||
# SEO
|
||||
# http://www.majestic12.co.uk/projects/dsearch/mj12bot.php
|
||||
MJ12bot
|
||||
# news service
|
||||
Owlin bot
|
||||
# misbehaving spider
|
||||
Lingewoud-550-Spyder
|
|
@ -0,0 +1,13 @@
|
|||
<h2 style="font:8pt/11pt verdana; color:000000">HTTP 403.6 - Forbidden: IP address rejected<br>
|
||||
<TITLE>500 Internal Server Error</TITLE>
|
||||
Microsoft VBScript runtime (0x8
|
||||
error '800
|
||||
Application uses a value of the wrong type for the current operation
|
||||
Microsoft VBScript compilation (0x8
|
||||
Microsoft VBScript compilation error
|
||||
Microsoft .NET Framework Version:
|
||||
A trappable error occurred in an external object. The script cannot continue running
|
||||
Microsoft VBScript runtime Error
|
||||
>Syntax error in string in query expression
|
||||
ADODB.Command
|
||||
Object required: '
|
|
@ -0,0 +1,38 @@
|
|||
com.opensymphony.xwork2
|
||||
com.sun.org.apache
|
||||
java.io.BufferedInputStream
|
||||
java.io.BufferedReader
|
||||
java.io.ByteArrayInputStream
|
||||
java.io.ByteArrayOutputStream
|
||||
java.io.CharArrayReader
|
||||
java.io.DataInputStream
|
||||
java.io.File
|
||||
java.io.FileOutputStream
|
||||
java.io.FilterInputStream
|
||||
java.io.FilterOutputStream
|
||||
java.io.FilterReader
|
||||
java.io.InputStream
|
||||
java.io.InputStreamReader
|
||||
java.io.LineNumberReader
|
||||
java.io.ObjectOutputStream
|
||||
java.io.OutputStream
|
||||
java.io.PipedOutputStream
|
||||
java.io.PipedReader
|
||||
java.io.PrintStream
|
||||
java.io.PushbackInputStream
|
||||
java.io.Reader
|
||||
java.io.StringReader
|
||||
java.lang.Class
|
||||
java.lang.Integer
|
||||
java.lang.Number
|
||||
java.lang.Object
|
||||
java.lang.Process
|
||||
java.lang.ProcessBuilder
|
||||
java.lang.reflect
|
||||
java.lang.Runtime
|
||||
java.lang.String
|
||||
java.lang.StringBuilder
|
||||
java.lang.System
|
||||
javax.script.ScriptEngineManager
|
||||
org.apache.commons
|
||||
org.omg.CORBA
|
|
@ -0,0 +1,17 @@
|
|||
<jsp:
|
||||
javax.servlet
|
||||
.addheader
|
||||
.createtextfile
|
||||
.getfile
|
||||
.loadfromfile
|
||||
response.binarywrite
|
||||
response.write
|
||||
scripting.filesystemobject
|
||||
server.createobject
|
||||
server.execute
|
||||
server.htmlencode
|
||||
server.mappath
|
||||
server.urlencode
|
||||
vbscript.encode
|
||||
wscript.network
|
||||
wscript.shell
|
|
@ -0,0 +1,10 @@
|
|||
[java.lang.
|
||||
class java.lang.
|
||||
java.lang.NullPointerException
|
||||
java.rmi.ServerException
|
||||
at java.lang.
|
||||
onclick="toggle('full exception chain stacktrace')"
|
||||
at org.apache.catalina
|
||||
at org.apache.coyote.
|
||||
at org.apache.tomcat.
|
||||
at org.apache.jasper.
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,276 @@
|
|||
allow_call_time_pass_reference
|
||||
allow_url_fopen
|
||||
allow_url_include
|
||||
always_populate_raw_post_data
|
||||
arg_separator.input
|
||||
arg_separator.output
|
||||
asp_tags
|
||||
assert.active
|
||||
assert.bail
|
||||
assert.callback
|
||||
assert.quiet_eval
|
||||
assert.warning
|
||||
auto_append_file
|
||||
auto_detect_line_endings
|
||||
auto_globals_jit
|
||||
auto_prepend_file
|
||||
bcmath.scale
|
||||
birdstep.max_links
|
||||
browscap
|
||||
cgi.fix_pathinfo
|
||||
cgi.force_redirect
|
||||
cgi.nph
|
||||
cgi.redirect_status_env
|
||||
cgi.rfc2616_headers
|
||||
com.allow_dcom
|
||||
com.autoregister_casesensitive
|
||||
com.autoregister_typelib
|
||||
com.autoregister_verbose
|
||||
com.code_page
|
||||
com.typelib_file
|
||||
date.default_latitude
|
||||
date.default_longitude
|
||||
date.sunrise_zenith
|
||||
date.sunset_zenith
|
||||
date.timezone
|
||||
dba.default_handler
|
||||
default_charset
|
||||
default_mimetype
|
||||
default_socket_timeout
|
||||
define_syslog_variables
|
||||
disable_classes
|
||||
disable_functions
|
||||
display_errors
|
||||
display_startup_errors
|
||||
doc_root
|
||||
docref_ext
|
||||
docref_root
|
||||
enable_dl
|
||||
error_append_string
|
||||
error_log
|
||||
error_prepend_string
|
||||
error_reporting
|
||||
exif.decode_jis_intel
|
||||
exif.decode_jis_motorola
|
||||
exif.decode_unicode_intel
|
||||
exif.decode_unicode_motorola
|
||||
exif.encode_jis
|
||||
exif.encode_unicode
|
||||
expose_php
|
||||
extension_dir
|
||||
fastcgi.impersonate
|
||||
fastcgi.logging
|
||||
file_uploads
|
||||
filter.default
|
||||
filter.default_flags
|
||||
gd.jpeg_ignore_warning
|
||||
highlight.bg
|
||||
highlight.comment
|
||||
highlight.default
|
||||
highlight.html
|
||||
highlight.keyword
|
||||
highlight.string
|
||||
html_errors
|
||||
ibase.allow_persistent
|
||||
ibase.dateformat
|
||||
ibase.default_charset
|
||||
ibase.default_db
|
||||
ibase.default_password
|
||||
ibase.default_user
|
||||
ibase.max_links
|
||||
ibase.max_persistent
|
||||
ibase.timeformat
|
||||
ibase.timestampformat
|
||||
iconv.input_encoding
|
||||
iconv.internal_encoding
|
||||
iconv.output_encoding
|
||||
ignore_repeated_errors
|
||||
ignore_repeated_source
|
||||
ignore_user_abort
|
||||
implicit_flush
|
||||
include_path
|
||||
intl.default_locale
|
||||
intl.error_level
|
||||
ldap.max_links
|
||||
log_errors
|
||||
log_errors_max_len
|
||||
magic_quotes_gpc
|
||||
magic_quotes_runtime
|
||||
magic_quotes_sybase
|
||||
mail.add_x_header
|
||||
mail.force_extra_parameters
|
||||
mail.log
|
||||
max_execution_time
|
||||
max_file_uploads
|
||||
max_input_nesting_level
|
||||
max_input_time
|
||||
mbstring.detect_order
|
||||
mbstring.encoding_translation
|
||||
mbstring.func_overload
|
||||
mbstring.http_input
|
||||
mbstring.http_output
|
||||
mbstring.http_output_conv_mimetype
|
||||
mbstring.internal_encoding
|
||||
mbstring.language
|
||||
mbstring.script_encoding
|
||||
mbstring.strict_detection
|
||||
mbstring.substitute_character
|
||||
mcrypt.algorithms_dir
|
||||
mcrypt.modes_dir
|
||||
memory_limit
|
||||
mssql.allow_persistent
|
||||
mssql.batchsize
|
||||
mssql.charset
|
||||
mssql.compatability_mode
|
||||
mssql.connect_timeout
|
||||
mssql.datetimeconvert
|
||||
mssql.max_links
|
||||
mssql.max_persistent
|
||||
mssql.max_procs
|
||||
mssql.min_error_severity
|
||||
mssql.min_message_severity
|
||||
mssql.secure_connection
|
||||
mssql.textlimit
|
||||
mssql.textsize
|
||||
mssql.timeout
|
||||
mysql.allow_local_infile
|
||||
mysql.allow_persistent
|
||||
mysql.cache_size
|
||||
mysql.connect_timeout
|
||||
mysql.default_host
|
||||
mysql.default_password
|
||||
mysql.default_port
|
||||
mysql.default_socket
|
||||
mysql.default_user
|
||||
mysql.max_links
|
||||
mysql.max_persistent
|
||||
mysql.trace_mode
|
||||
mysqli.allow_local_infile
|
||||
mysqli.allow_persistent
|
||||
mysqli.cache_size
|
||||
mysqli.default_host
|
||||
mysqli.default_port
|
||||
mysqli.default_pw
|
||||
mysqli.default_socket
|
||||
mysqli.default_user
|
||||
mysqli.max_links
|
||||
mysqli.max_persistent
|
||||
mysqli.reconnect
|
||||
mysqlnd.collect_memory_statistics
|
||||
mysqlnd.collect_statistics
|
||||
mysqlnd.net_cmd_buffer_size
|
||||
mysqlnd.net_read_buffer_size
|
||||
oci8.connection_class
|
||||
oci8.default_prefetch
|
||||
oci8.events
|
||||
oci8.max_persistent
|
||||
oci8.old_oci_close_semantics
|
||||
oci8.persistent_timeout
|
||||
oci8.ping_interval
|
||||
oci8.privileged_connect
|
||||
oci8.statement_cache_size
|
||||
odbc.allow_persistent
|
||||
odbc.check_persistent
|
||||
odbc.default_db
|
||||
odbc.default_pw
|
||||
odbc.default_user
|
||||
odbc.defaultbinmode
|
||||
odbc.defaultlrl
|
||||
odbc.max_links
|
||||
odbc.max_persistent
|
||||
open_basedir
|
||||
output_buffering
|
||||
output_handler
|
||||
pcre.backtrack_limit
|
||||
pcre.recursion_limit
|
||||
pdo_mysql.cache_size
|
||||
pdo_mysql.default_socket
|
||||
pdo_odbc.connection_pooling
|
||||
pgsql.allow_persistent
|
||||
pgsql.auto_reset_persistent
|
||||
pgsql.ignore_notice
|
||||
pgsql.log_notice
|
||||
pgsql.max_links
|
||||
pgsql.max_persistent
|
||||
phar.cache_list
|
||||
phar.readonly
|
||||
phar.require_hash
|
||||
post_max_size
|
||||
realpath_cache_size
|
||||
realpath_cache_ttl
|
||||
register_argc_argv
|
||||
register_globals
|
||||
register_long_arrays
|
||||
report_memleaks
|
||||
report_zend_debug
|
||||
request_order
|
||||
safe_mode
|
||||
safe_mode_allowed_env_vars
|
||||
safe_mode_exec_dir
|
||||
safe_mode_gid
|
||||
safe_mode_include_dir
|
||||
safe_mode_protected_env_vars
|
||||
sendmail_from
|
||||
sendmail_path
|
||||
serialize_precision
|
||||
session.auto_start
|
||||
session.bug_compat_42
|
||||
session.bug_compat_warn
|
||||
session.cache_expire
|
||||
session.cache_limiter
|
||||
session.cookie_domain
|
||||
session.cookie_httponly
|
||||
session.cookie_lifetime
|
||||
session.cookie_path
|
||||
session.cookie_secure
|
||||
session.entropy_file
|
||||
session.entropy_length
|
||||
session.gc_divisor
|
||||
session.gc_maxlifetime
|
||||
session.gc_probability
|
||||
session.hash_bits_per_character
|
||||
session.hash_function
|
||||
session.name
|
||||
session.referer_check
|
||||
session.save_handler
|
||||
session.save_path
|
||||
session.serialize_handler
|
||||
session.use_cookies
|
||||
session.use_only_cookies
|
||||
session.use_trans_sid
|
||||
short_open_tag
|
||||
soap.wsdl_cache_dir
|
||||
soap.wsdl_cache_enabled
|
||||
soap.wsdl_cache_limit
|
||||
soap.wsdl_cache_ttl
|
||||
sql.safe_mode
|
||||
sqlite.assoc_case
|
||||
sqlite3.extension_dir
|
||||
sybct.allow_persistent
|
||||
sybct.deadlock_retry_count
|
||||
sybct.hostname
|
||||
sybct.login_timeout
|
||||
sybct.max_links
|
||||
sybct.max_persistent
|
||||
sybct.min_client_severity
|
||||
sybct.min_server_severity
|
||||
sybct.timeout
|
||||
sysvshm.init_mem
|
||||
tidy.clean_output
|
||||
tidy.default_config
|
||||
track_errors
|
||||
unserialize_callback_func
|
||||
upload_max_filesize
|
||||
upload_tmp_dir
|
||||
url_rewriter.tags
|
||||
user_agent
|
||||
user_dir
|
||||
user_ini.cache_ttl
|
||||
user_ini.filename
|
||||
variables_order
|
||||
xmlrpc_error_number
|
||||
xmlrpc_errors
|
||||
y2k_compliance
|
||||
zlib.output_compression
|
||||
zlib.output_compression_level
|
||||
zlib.output_handler
|
|
@ -0,0 +1,220 @@
|
|||
<b>Warning</b>:
|
||||
No row with the given identifier
|
||||
open_basedir restriction in effect
|
||||
eval()'d code</b> on line <b>
|
||||
Cannot execute a blank command in
|
||||
Fatal error</b>: preg_replace
|
||||
thrown in <b>
|
||||
#0 {main}
|
||||
Stack trace:
|
||||
</b> on line <b>
|
||||
() cannot be called statically
|
||||
- not a Class::Method
|
||||
::__toString() must not throw an exception
|
||||
Access to undeclared static property:
|
||||
An iterator cannot be used with foreach by reference
|
||||
Array callback has to contain indices 0 and 1
|
||||
Arrived at end of main loop which shouldn't happen
|
||||
Attempt to destruct pending exception
|
||||
Attempt to unset static property
|
||||
Balloc() allocation exceeds list boundary
|
||||
Balloc() failed to allocate memory
|
||||
Base lambda function for closure not found
|
||||
Call to a member function
|
||||
Call to private
|
||||
Call to protected
|
||||
Call to undefined function
|
||||
Call to undefined method
|
||||
Can only throw objects
|
||||
Cannot access empty property
|
||||
Cannot access parent:: when current class scope has no parent
|
||||
Cannot access parent:: when no class scope is active
|
||||
Cannot access property started with '\\0'
|
||||
Cannot access self:: when no class scope is active
|
||||
Cannot access static:: when no class scope is active
|
||||
Cannot access undefined property for object with overloaded property access
|
||||
Cannot assign by reference to overloaded object
|
||||
Cannot break/continue %d level%s
|
||||
Cannot call abstract method
|
||||
Cannot call constructor
|
||||
Cannot call forward_static_call() when no class scope is active
|
||||
Cannot call non static method
|
||||
Cannot call overloaded function for non-object
|
||||
Cannot call private
|
||||
Cannot create references to/from string offsets
|
||||
Cannot create references to/from string offsets nor overloaded objects
|
||||
Cannot declare self-referencing constant
|
||||
Cannot destroy active lambda function
|
||||
Cannot get arguments for
|
||||
Cannot increment/decrement overloaded objects nor string offsets
|
||||
Cannot instantiate abstract class
|
||||
Cannot instantiate interface
|
||||
Cannot instantiate trait
|
||||
Cannot override final
|
||||
Cannot pass parameter
|
||||
Cannot redeclare
|
||||
Cannot redeclare class
|
||||
Cannot register a reverse output handler conflict outside of MINIT
|
||||
Cannot register an output handler alias outside of MINIT
|
||||
Cannot register an output handler conflict outside of MINIT
|
||||
Cannot resume an already running generator
|
||||
Cannot return string offsets by reference
|
||||
Cannot set non exception as previous exception
|
||||
Cannot unset string offsets
|
||||
Cannot use [] for reading
|
||||
Cannot use assign-op operators with overloaded objects nor string offsets
|
||||
Cannot use object as array
|
||||
Cannot use object of type
|
||||
Cannot use string offset as an array
|
||||
Cannot use string offset as an object
|
||||
Cannot yield from finally in a force-closed generator
|
||||
Cannot yield string offsets by reference
|
||||
Class entry requested for an object without PHP class
|
||||
Class name must be a valid object or a string
|
||||
Corrupted fcall_info provided to zend_call_function()
|
||||
DCOM has been disabled by your administrator [com.allow_dcom=0]
|
||||
DateFormat class not defined
|
||||
DateTimeInterface can't be implemented by user classes
|
||||
EXTREMELY fatal error: jmpbuf unrecoverable; terminating
|
||||
EXTREMELY fatal error: jmpbuf unrecoverable; terminating.
|
||||
EXTREMELY fatal error: longjmp returned control; terminating
|
||||
Encoding: '*' may only be first arraySize value in list
|
||||
Encoding: Attribute
|
||||
Encoding: Can't decode apache map, missing key
|
||||
Encoding: Can't decode apache map, missing value
|
||||
Encoding: Can't decode apache map, only Strings or Longs are allowd as keys
|
||||
Encoding: Cannot find encoding
|
||||
Encoding: Element
|
||||
Encoding: Error calling from_xml callback
|
||||
Encoding: Error calling to_xml callback
|
||||
Encoding: External reference
|
||||
Encoding: Internal Error
|
||||
Encoding: Invalid timestamp
|
||||
Encoding: SoapVar has no 'enc_type' property
|
||||
Encoding: Unresolved reference
|
||||
Encoding: Violation of encoding rules
|
||||
Encoding: Violation of id and ref information items
|
||||
Encoding: object has no '
|
||||
Encoding: object has no 'any' property
|
||||
Encoding: string '
|
||||
Error installing signal handler for
|
||||
Exception thrown without a stack frame
|
||||
Exceptions must be valid objects derived from the Exception base class
|
||||
Failed to clone SpoofChecker object
|
||||
Failed to register IntlDateFormatter class
|
||||
Failed to register MessageFormatter class
|
||||
Failed to register NumberFormatter class
|
||||
Failed to register ResourceBundle class
|
||||
Field width %d is too long
|
||||
First array member is not a valid class name or object
|
||||
Function name must be a string
|
||||
Illegal length modifier specified
|
||||
Illegal offset type
|
||||
Input string is too long
|
||||
Invalid RelaxNG Validation Context
|
||||
Invalid Schema Validation Context
|
||||
Invalid opcode
|
||||
Invalid serialization data for DatePeriod object
|
||||
Invalid serialization data for DateTime object
|
||||
Invalid serialization data for DateTimeImmutable object
|
||||
Maximum execution time of
|
||||
Method name must be a string
|
||||
Need to supply an object when throwing an exception
|
||||
Nesting level too deep - recursive dependency?
|
||||
NumberFormatter class not defined
|
||||
Object does not support method calls
|
||||
Only variables can be passed by reference
|
||||
PDO: driver
|
||||
Parsing Schema: <restriction> or <extension> expected in complexContent
|
||||
Parsing Schema: attribute
|
||||
Parsing Schema: attribute has both 'ref' and 'type' attributes
|
||||
Parsing Schema: attribute has both 'ref' attribute and subtype
|
||||
Parsing Schema: attribute has both 'type' attribute and subtype
|
||||
Parsing Schema: attribute has no 'name' nor 'ref' attributes
|
||||
Parsing Schema: attributeGroup
|
||||
Parsing Schema: attributeGroup has both 'ref' attribute and subattribute
|
||||
Parsing Schema: attributeGroup has no 'name' nor 'ref' attributes
|
||||
Parsing Schema: can't import schema from
|
||||
Parsing Schema: complexType has no 'name' attribute
|
||||
Parsing Schema: element has both 'default' and 'fixed' attributes
|
||||
Parsing Schema: element has both 'itemType' attribute and subtype
|
||||
Parsing Schema: element has both 'ref' and 'fixed' attributes
|
||||
Parsing Schema: element has both 'ref' and 'nillable' attributes
|
||||
Parsing Schema: element has both 'ref' and 'type' attributes
|
||||
Parsing Schema: element has both 'ref' attribute and subtype
|
||||
Parsing Schema: element has both 'type' attribute and subtype
|
||||
Parsing Schema: element has no 'name' nor 'ref' attributes
|
||||
Parsing Schema: expected <restriction> or <extension> in simpleContent
|
||||
Parsing Schema: expected <restriction>, <list> or <union> in simpleType
|
||||
Parsing Schema: extension has no 'base' attribute
|
||||
Parsing Schema: group has both 'ref' attribute and subcontent
|
||||
Parsing Schema: group has no 'name' nor 'ref' attributes
|
||||
Parsing Schema: include has no 'schemaLocation' attribute
|
||||
Parsing Schema: missing restriction value
|
||||
Parsing Schema: redefine has no 'schemaLocation' attribute
|
||||
Parsing Schema: restriction has no 'base' attribute
|
||||
Parsing Schema: simpleType has no 'name' attribute
|
||||
Parsing Schema: unexpected
|
||||
Parsing Schema: unresolved element 'ref' attribute
|
||||
Parsing Schema: unresolved group 'ref' attribute
|
||||
Parsing WSDL: <binding>
|
||||
Parsing WSDL: <binding> has no name attribute
|
||||
Parsing WSDL: <fault> with name
|
||||
Parsing WSDL: <message> has no name attribute
|
||||
Parsing WSDL: <portType>
|
||||
Parsing WSDL: <portType> has no name attribute
|
||||
Parsing WSDL: <service>
|
||||
Parsing WSDL: <service> has no name attribute
|
||||
Parsing WSDL: Could not find any usable binding services in WSDL.
|
||||
Parsing WSDL: Couldn't bind to service
|
||||
Parsing WSDL: Couldn't find <definitions> in
|
||||
Parsing WSDL: Couldn't load from
|
||||
Parsing WSDL: Missing 'name' attribute for <binding>
|
||||
Parsing WSDL: Missing 'name' attribute for <operation>
|
||||
Parsing WSDL: Missing 'type' attribute for <binding>
|
||||
Parsing WSDL: Missing <message> with name
|
||||
Parsing WSDL: Missing <portType> with name
|
||||
Parsing WSDL: Missing <portType>/<operation> with name
|
||||
Parsing WSDL: Missing message attribute for <header>
|
||||
Parsing WSDL: Missing name for <fault> of
|
||||
Parsing WSDL: Missing name for <input> of
|
||||
Parsing WSDL: Missing name for <output> of
|
||||
Parsing WSDL: Missing part '%s' in <message>
|
||||
Parsing WSDL: Missing part attribute for <header>
|
||||
Parsing WSDL: No <binding> element with name
|
||||
Parsing WSDL: No address associated with <port>
|
||||
Parsing WSDL: No binding associated with <port>
|
||||
Parsing WSDL: No location associated with <port>
|
||||
Parsing WSDL: No name associated with <part>
|
||||
Parsing WSDL: The fault message
|
||||
Parsing WSDL: Unexpected WSDL element <
|
||||
Parsing WSDL: Unexpected extensibility element <
|
||||
Parsing WSDL: Unknown encodingStyle '
|
||||
Parsing WSDL: Unknown required WSDL extension '
|
||||
Parsing WSDL: Unspecified encodingStyle
|
||||
Possible integer overflow in memory allocation (
|
||||
Second array member is not a valid method
|
||||
Spoofchecker class not defined
|
||||
String size overflow
|
||||
The object to be iterated is in an invalid state: "
|
||||
Trying to clone an uncloneable object
|
||||
Trying to clone an uncloneable object of class
|
||||
Unable to call
|
||||
Unable to cast node to string
|
||||
Undefined class constant '
|
||||
Undefined constant '
|
||||
Undefined offset for object of type
|
||||
Unexpected inconsistency in create_function()
|
||||
Unknown SOAP version
|
||||
Unknown typehint
|
||||
Unsupported operand types
|
||||
Using $this when not in object context
|
||||
Wrong parameters for ErrorException(
|
||||
Wrong parameters for Exception(
|
||||
You MUST load PDO before loading any PDO drivers
|
||||
[] operator not supported for strings
|
||||
and must therefore be declared abstract or implement the remaining methods
|
||||
namespace must not match the enclosing schema 'targetNamespace'
|
||||
requires PDO API version
|
||||
PDO Connection Error: SQLSTATE[HY000]
|
||||
(HY000/2002): Connection refused
|
|
@ -0,0 +1,39 @@
|
|||
__halt_compiler
|
||||
apache_child_terminate
|
||||
base64_decode
|
||||
bzdecompress
|
||||
call_user_func
|
||||
call_user_func_array
|
||||
call_user_method
|
||||
call_user_method_array
|
||||
convert_uudecode
|
||||
file_get_contents
|
||||
file_put_contents
|
||||
fsockopen
|
||||
gzdecode
|
||||
gzinflate
|
||||
gzuncompress
|
||||
include_once
|
||||
invokeargs
|
||||
pcntl_exec
|
||||
pcntl_fork
|
||||
pfsockopen
|
||||
posix_getcwd
|
||||
posix_getpwuid
|
||||
posix_getuid
|
||||
posix_uname
|
||||
ReflectionFunction
|
||||
require_once
|
||||
shell_exec
|
||||
str_rot13
|
||||
sys_get_temp_dir
|
||||
wp_remote_fopen
|
||||
wp_remote_get
|
||||
wp_remote_head
|
||||
wp_remote_post
|
||||
wp_remote_request
|
||||
wp_safe_remote_get
|
||||
wp_safe_remote_head
|
||||
wp_safe_remote_post
|
||||
wp_safe_remote_request
|
||||
zlib_decode
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,19 @@
|
|||
$GLOBALS
|
||||
$HTTP_COOKIE_VARS
|
||||
$HTTP_ENV_VARS
|
||||
$HTTP_GET_VARS
|
||||
$HTTP_POST_FILES
|
||||
$HTTP_POST_VARS
|
||||
$HTTP_RAW_POST_DATA
|
||||
$HTTP_REQUEST_VARS
|
||||
$HTTP_SERVER_VARS
|
||||
$_COOKIE
|
||||
$_ENV
|
||||
$_FILES
|
||||
$_GET
|
||||
$_POST
|
||||
$_REQUEST
|
||||
$_SERVER
|
||||
$_SESSION
|
||||
$argc
|
||||
$argv
|
|
@ -0,0 +1,116 @@
|
|||
# Apache
|
||||
# (no slash; also guards against old.htaccess, old.htpasswd, etc.)
|
||||
.htaccess
|
||||
.htdigest
|
||||
.htpasswd
|
||||
# dotfiles (keep in sync with lfi-os-files.data)
|
||||
.aptitude/config
|
||||
.bash_config
|
||||
.bash_history
|
||||
.bash_logout
|
||||
.bash_profile
|
||||
.bashrc
|
||||
.cache/notify-osd.log
|
||||
.config/odesk/odesk team.conf
|
||||
.cshrc
|
||||
.drush/
|
||||
.gitconfig
|
||||
.gnupg/
|
||||
.hplip/hplip.conf
|
||||
.ksh_history
|
||||
.lesshst
|
||||
.lftp/
|
||||
.lhistory
|
||||
.lldb-history
|
||||
.local/share/mc/
|
||||
.my.cnf
|
||||
.mysql_history
|
||||
.nano_history
|
||||
.node_repl_history
|
||||
.nsr
|
||||
.pearrc
|
||||
.php_history
|
||||
.pki/
|
||||
.profile
|
||||
.psql_history
|
||||
.python_history
|
||||
.rediscli_history
|
||||
.Rhistory
|
||||
.sh_history
|
||||
.sqlite_history
|
||||
.ssh/authorized_keys
|
||||
.ssh/config
|
||||
.ssh/id_dsa
|
||||
.ssh/id_dsa.pub
|
||||
.ssh/id_rsa
|
||||
.ssh/id_rsa.pub
|
||||
.ssh/identity
|
||||
.ssh/identity.pub
|
||||
.ssh/known_hosts
|
||||
.subversion/auth
|
||||
.subversion/config
|
||||
.subversion/servers
|
||||
.tconn/tconn.conf
|
||||
.tcshrc
|
||||
.vidalia/vidalia.conf
|
||||
.viminfo
|
||||
.vimrc
|
||||
.xauthority
|
||||
.zhistory
|
||||
.zshrc
|
||||
.zsh_history
|
||||
.nsconfig
|
||||
# Version control
|
||||
/.git/
|
||||
/.gitignore
|
||||
/.hg/
|
||||
/.hgignore
|
||||
/.svn/
|
||||
# Wordpress
|
||||
wp-config.php
|
||||
wp-config.bak
|
||||
wp-config.old
|
||||
wp-config.temp
|
||||
wp-config.tmp
|
||||
wp-config.txt
|
||||
# Symfony
|
||||
/config/config.yml
|
||||
/config/config_dev.yml
|
||||
/config/config_prod.yml
|
||||
/config/config_test.yml
|
||||
/config/parameters.yml
|
||||
/config/routing.yml
|
||||
/config/security.yml
|
||||
/config/services.yml
|
||||
# Drupal
|
||||
/sites/default/default.settings.php
|
||||
/sites/default/settings.php
|
||||
/sites/default/settings.local.php
|
||||
# Magento
|
||||
/app/etc/local.xml
|
||||
# Sublime Text
|
||||
/sftp-config.json
|
||||
# ASP.NET
|
||||
/Web.config
|
||||
# Node
|
||||
/package.json
|
||||
/package-lock.json
|
||||
/gruntfile.js
|
||||
/npm-debug.log
|
||||
/ormconfig.json
|
||||
/tsconfig.json
|
||||
/webpack.config.js
|
||||
/yarn.lock
|
||||
# Composer
|
||||
/composer.json
|
||||
/composer.lock
|
||||
/packages.json
|
||||
# dotenv
|
||||
/.env
|
||||
/.env
|
||||
# OSX
|
||||
/.DS_Store
|
||||
# WS FTP
|
||||
/.ws_ftp.ini
|
||||
# common, old network config file
|
||||
.netrc
|
|
@ -0,0 +1,23 @@
|
|||
# Apache webserver
|
||||
.htaccess
|
||||
.htdigest
|
||||
.htpasswd
|
||||
# WordPress configuration file
|
||||
wp-config.php
|
||||
# Symfony configuration files
|
||||
config.yml
|
||||
config_dev.yml
|
||||
config_prod.yml
|
||||
config_test.yml
|
||||
parameters.yml
|
||||
routing.yml
|
||||
security.yml
|
||||
services.yml
|
||||
# Drupal configuration files
|
||||
default.settings.php
|
||||
settings.php
|
||||
settings.local.php
|
||||
# Magento configuration files
|
||||
local.xml
|
||||
# dotenv configuration file
|
||||
.env
|
|
@ -0,0 +1,8 @@
|
|||
acunetix-product
|
||||
(acunetix web vulnerability scanner
|
||||
acunetix-scanning-agreement
|
||||
acunetix-user-agreement
|
||||
myvar=1234
|
||||
x-ratproxy-loop
|
||||
bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14
|
||||
x-scanner
|
|
@ -0,0 +1,17 @@
|
|||
/.adSensepostnottherenonobook
|
||||
/<invalid>hello.html
|
||||
/actSensepostnottherenonotive
|
||||
/acunetix-wvs-test-for-some-inexistent-file
|
||||
/antidisestablishmentarianism
|
||||
/appscan_fingerprint/mac_address
|
||||
/arachni-
|
||||
/cybercop
|
||||
/nessus_is_probing_you_
|
||||
/nessustest
|
||||
/netsparker-
|
||||
/rfiinc.txt
|
||||
/thereisnowaythat-you-canbethere
|
||||
/w3af/remotefileinclude.html
|
||||
appscan_fingerprint
|
||||
w00tw00t.at.ISC.SANS.DFind
|
||||
w00tw00t.at.blackhats.romanian.anti-sec
|
|
@ -0,0 +1,195 @@
|
|||
# Vulnerability scanners, bruteforce password crackers and exploitation tools
|
||||
|
||||
# password cracker
|
||||
# http://sectools.org/tool/hydra/
|
||||
(hydra)
|
||||
# vuln scanner
|
||||
# http://virtualblueness.net/nasl.html
|
||||
.nasl
|
||||
# sql injection
|
||||
# https://sourceforge.net/projects/absinthe/
|
||||
absinthe
|
||||
# email harvesting
|
||||
# dead? 2004
|
||||
advanced email extractor
|
||||
# vuln scanner
|
||||
# http://www.arachni-scanner.com/
|
||||
arachni/
|
||||
autogetcontent
|
||||
# nessus frontend
|
||||
# http://www.crossley-nilsen.com/Linux/Bilbo_-_Nessus_WEB/bilbo_-_nessus_web.html
|
||||
# dead? 2003
|
||||
bilbo
|
||||
# Backup File Artifacts Checker
|
||||
# https://github.com/mazen160/bfac
|
||||
BFAC
|
||||
# password cracker
|
||||
# http://sectools.org/tool/brutus/
|
||||
brutus
|
||||
brutus/aet
|
||||
# sql injection
|
||||
# https://www.notsosecure.com/bsqlbf-v2-blind-sql-injection-brute-forcer/
|
||||
bsqlbf
|
||||
# vuln scanner
|
||||
# http://freecode.com/projects/cgichk dead? 2001
|
||||
cgichk
|
||||
# vuln scanner
|
||||
# https://sourceforge.net/projects/cisco-torch/
|
||||
cisco-torch
|
||||
# vuln scanner
|
||||
# https://github.com/stasinopoulos/commix
|
||||
commix
|
||||
# MS FrontPage vuln scanner?
|
||||
core-project/1.0
|
||||
# vuln scanner?
|
||||
crimscanner/
|
||||
# vuln scanner
|
||||
datacha0s
|
||||
# hidden page scanner
|
||||
# https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
|
||||
dirbuster
|
||||
# vuln scanner
|
||||
# https://sourceforge.net/projects/dominohunter/
|
||||
domino hunter
|
||||
# vuln scanner - directory traversal fuzzer
|
||||
# https://github.com/wireghoul/dotdotpwn
|
||||
dotdotpwn
|
||||
email extractor
|
||||
# vuln scanner
|
||||
fhscan core 1.
|
||||
floodgate
|
||||
# "F-Secure Radar is a turnkey vulnerability scanning and management platform."
|
||||
F-Secure Radar
|
||||
get-minimal
|
||||
# vuln scanner
|
||||
gootkit auto-rooter scanner
|
||||
grabber
|
||||
# vuln scanner
|
||||
# https://sourceforge.net/projects/grendel/
|
||||
grendel-scan
|
||||
# sql injection
|
||||
havij
|
||||
# vuln scanner - path disclosure finder
|
||||
# http://seclists.org/fulldisclosure/2010/Sep/375
|
||||
inspath
|
||||
internet ninja
|
||||
# vuln scanner
|
||||
jaascois
|
||||
# vuln scanner
|
||||
zmeu
|
||||
# port scanner
|
||||
# https://github.com/robertdavidgraham/masscan
|
||||
masscan
|
||||
# vuln scanner
|
||||
# http://www.severus.org/sacha/metis/
|
||||
metis
|
||||
# vuln scanner
|
||||
morfeus fucking scanner
|
||||
# sql injection
|
||||
# https://github.com/dtrip/mysqloit
|
||||
mysqloit
|
||||
# vuln scanner
|
||||
# http://www.nstalker.com/
|
||||
n-stealth
|
||||
# vuln scanner
|
||||
# http://www.tenable.com/products/nessus-vulnerability-scanner
|
||||
nessus
|
||||
# vuln scanner
|
||||
# https://www.netsparker.com/web-vulnerability-scanner/
|
||||
netsparker
|
||||
# vuln scanner
|
||||
# https://cirt.net/Nikto2
|
||||
nikto
|
||||
# vuln scanner
|
||||
nmap nse
|
||||
nmap scripting engine
|
||||
nmap-nse
|
||||
# vuln scanner
|
||||
# http://www.nsauditor.com/
|
||||
nsauditor
|
||||
# vuln scanner
|
||||
# http://www.openvas.org/
|
||||
openvas
|
||||
# sql injection
|
||||
# http://www.vealtel.com/software/nosec/pangolin/
|
||||
pangolin
|
||||
# web proxy & vuln scanner
|
||||
# https://sourceforge.net/projects/paros/
|
||||
paros
|
||||
# phpmyadmin vuln scanner
|
||||
# dead 2005?
|
||||
pmafind
|
||||
prog.customcrawler
|
||||
# vuln scanner
|
||||
# https://www.qualys.com/suite/web-application-scanning/
|
||||
qualys was
|
||||
s.t.a.l.k.e.r.
|
||||
security scan
|
||||
# vuln scanner
|
||||
# https://sourceforge.net/projects/springenwerk/
|
||||
springenwerk
|
||||
# sql injection
|
||||
# http://www.sqlpowerinjector.com/
|
||||
sql power injector
|
||||
# sql injection
|
||||
# http://sqlmap.org/
|
||||
sqlmap
|
||||
# sql injection
|
||||
# http://sqlninja.sourceforge.net/
|
||||
sqlninja
|
||||
# password cracker
|
||||
# http://foofus.net/goons/jmk/medusa/medusa.html
|
||||
teh forest lobster
|
||||
this is an exploit
|
||||
# vuln scanner?
|
||||
toata dragostea
|
||||
toata dragostea mea pentru diavola
|
||||
# SQL bot
|
||||
# http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=22142&signatureSubId=0
|
||||
uil2pn
|
||||
# badly scripted UAs (e.g. User-Agent: User-Agent: foo)
|
||||
user-agent:
|
||||
# vuln scannr
|
||||
# https://subgraph.com/vega/
|
||||
vega/
|
||||
# vuln scanner
|
||||
# dead?
|
||||
voideye
|
||||
# vuln scanner
|
||||
# http://w3af.org/
|
||||
w3af.sf.net
|
||||
w3af.sourceforge.net
|
||||
w3af.org
|
||||
# site scanner (legacy)
|
||||
# http://www.robotstxt.org/db/webbandit.html
|
||||
webbandit
|
||||
# vuln scanner
|
||||
# http://www8.hp.com/us/en/software-solutions/webinspect-dynamic-analysis-dast/
|
||||
webinspect
|
||||
# site scanner
|
||||
# http://www.scrt.ch/en/attack/downloads/webshag
|
||||
webshag
|
||||
# vuln scanner
|
||||
# dead?
|
||||
webtrends security analyzer
|
||||
# vuln scanner
|
||||
# https://github.com/hhucn/webvulnscan
|
||||
webvulnscan
|
||||
# web technology scanner
|
||||
# https://www.morningstarsecurity.com/research/whatweb
|
||||
whatweb
|
||||
# vuln scanner
|
||||
whcc/
|
||||
# exploit poc
|
||||
wordpress hash grabber
|
||||
# exploit
|
||||
xmlrpc exploit
|
||||
# wordpress vuln scanner
|
||||
# https://wpscan.org/
|
||||
WPScan
|
||||
# vuln scanner
|
||||
# https://github.com/mazen160/struts-pwn
|
||||
struts-pwn
|
||||
# Detectify website vulnerability scanner
|
||||
# https://detectify.com/
|
||||
Detectify
|
|
@ -0,0 +1,28 @@
|
|||
# Generic HTTP clients (popular libraries)
|
||||
|
||||
# http library
|
||||
# http://search.cpan.org/~opera/HTTP-DAV/DAV.pm
|
||||
dav.pm/v
|
||||
# http library
|
||||
# http://search.cpan.org/dist/libwww-perl/lib/LWP.pm
|
||||
libwww-perl
|
||||
# generic
|
||||
mozilla/4.0 (compatible)
|
||||
mozilla/4.0 (compatible; msie 6.0; win32)
|
||||
mozilla/5.0 sf/
|
||||
mozilla/5.0 sf//
|
||||
# http library
|
||||
# https://pypi.python.org/pypi/httplib2
|
||||
python-httplib2
|
||||
# http library
|
||||
# http://docs.python-requests.org/en/master/
|
||||
python-requests
|
||||
# http library
|
||||
# https://docs.python.org/2/library/urllib.html
|
||||
Python-urllib
|
||||
# http library
|
||||
# https://github.com/typhoeus/typhoeus
|
||||
typhoeus
|
||||
# http library
|
||||
# https://msdn.microsoft.com/en-us/library/windows/desktop/aa382925%28v=vs.85%29.aspx
|
||||
winhttp.winhttprequest
|
|
@ -0,0 +1,80 @@
|
|||
MySqlClient.
|
||||
Server message
|
||||
SQL error
|
||||
Oracle error
|
||||
JET Database Engine
|
||||
Procedure or function
|
||||
SQLite.Exception
|
||||
[IBM][CLI Driver][DB2/6000]
|
||||
the used select statements have different number of columns
|
||||
org.postgresql.util.PSQLException
|
||||
Access Database Engine
|
||||
Incorrect syntax near
|
||||
Syntax error in string in query expression
|
||||
SQLiteException
|
||||
' doesn't exist
|
||||
CLI Driver
|
||||
on MySQL result index
|
||||
sybase
|
||||
com.informix.jdbc
|
||||
[MySQL][ODBC
|
||||
Error
|
||||
has occurred in the vicinity of:
|
||||
Sintaxis incorrecta cerca de
|
||||
MySQL server version for the right syntax to use
|
||||
com.mysql.jdbc.exceptions
|
||||
You have an error in your SQL syntax near
|
||||
You have an error in your SQL syntax;
|
||||
An illegal character has been found in the statement
|
||||
pg_query() [:
|
||||
supplied argument is not a valid MySQL
|
||||
mssql_query()
|
||||
mysql_fetch_array()
|
||||
Exception
|
||||
java.sql.SQLException
|
||||
Column count doesn't match value count at row
|
||||
Sybase message
|
||||
SQL Server
|
||||
PostgreSQL query failed:
|
||||
Dynamic SQL Error
|
||||
System.Data.SQLite.SQLiteException
|
||||
SQLite/JDBCDriver
|
||||
Unclosed quotation mark before the character string
|
||||
System.Data.SqlClient.
|
||||
Unclosed quotation mark after the character string
|
||||
System.Data.OleDb.OleDbException
|
||||
[DM_QUERY_E_SYNTAX]
|
||||
[SqlException
|
||||
Unexpected end of command in statement
|
||||
valid PostgreSQL result
|
||||
pg_exec() [:
|
||||
SQL Server
|
||||
[SQLITE_ERROR]
|
||||
Microsoft OLE DB Provider for ODBC Drivers
|
||||
PostgreSQL
|
||||
org.hsqldb.jdbc
|
||||
ADODB.Field (0x800A0BCD)
|
||||
SQL syntax
|
||||
Exception
|
||||
System.Data.SqlClient.SqlException
|
||||
Data type mismatch in criteria expression.
|
||||
Driver
|
||||
DB2 SQL error
|
||||
Sybase message:
|
||||
ORA-
|
||||
[Microsoft][ODBC SQL Server Driver]
|
||||
'80040e14'
|
||||
Microsoft OLE DB Provider for SQL Server
|
||||
in query expression
|
||||
Npgsql.
|
||||
valid MySQL result
|
||||
supplied argument is not a valid PostgreSQL result
|
||||
db2_
|
||||
Ingres SQLSTATE
|
||||
Column count doesn't match
|
||||
Warning
|
||||
[Microsoft][ODBC Microsoft Access Driver]
|
||||
[Macromedia][SQLServer JDBC Driver]
|
||||
<b>Warning</b>: ibase_
|
||||
Roadhouse.Cms.
|
||||
DB2 SQL error:
|
|
@ -0,0 +1,236 @@
|
|||
abs
|
||||
acos
|
||||
adddate
|
||||
addtime
|
||||
aes_decrypt
|
||||
aes_encrypt
|
||||
ascii
|
||||
asciistr
|
||||
asin
|
||||
atan
|
||||
atan2
|
||||
avg
|
||||
benchmark
|
||||
bin
|
||||
bin_to_num
|
||||
bit_and
|
||||
bit_count
|
||||
bit_length
|
||||
bit_or
|
||||
bit_xor
|
||||
cast
|
||||
ciel
|
||||
cieling
|
||||
char_length
|
||||
char
|
||||
character_length
|
||||
charset
|
||||
chr
|
||||
coalesce
|
||||
coercibility
|
||||
collation
|
||||
compress
|
||||
concat_ws
|
||||
concat
|
||||
connection_id
|
||||
conv
|
||||
convert_tz
|
||||
convert
|
||||
cos
|
||||
cot
|
||||
count
|
||||
dcount
|
||||
cr32
|
||||
curdate
|
||||
current_date
|
||||
current_time
|
||||
current_timestamp
|
||||
current_user
|
||||
curtime
|
||||
database
|
||||
date
|
||||
date_add
|
||||
date_format
|
||||
date_sub
|
||||
datediff
|
||||
day
|
||||
dayname
|
||||
dayofmonth
|
||||
dayofweek
|
||||
dayofyear
|
||||
decode
|
||||
default
|
||||
degrees
|
||||
des_decrypt
|
||||
des_encrypt
|
||||
dump
|
||||
elt
|
||||
encode
|
||||
encrypt
|
||||
exp
|
||||
export_set
|
||||
extract
|
||||
extractvalue
|
||||
field
|
||||
field_in_set
|
||||
find_in_set
|
||||
floor
|
||||
format
|
||||
found_rows
|
||||
from_base64
|
||||
from_days
|
||||
from_unixtime
|
||||
get_format
|
||||
get_lock
|
||||
greatest
|
||||
group_concat
|
||||
hex
|
||||
hextoraw
|
||||
rawtohex
|
||||
hour
|
||||
if
|
||||
ifnull
|
||||
in
|
||||
inet6_aton
|
||||
inet6_ntoa
|
||||
inet_aton
|
||||
inet_ntoa
|
||||
insert
|
||||
instr
|
||||
interval
|
||||
isnull
|
||||
is_free_lock
|
||||
is_ipv4_compat
|
||||
is_ipv4_mapped
|
||||
is_ipv4
|
||||
is_ipv6
|
||||
is_not_null
|
||||
is_not
|
||||
is_null
|
||||
is_used_lock
|
||||
last
|
||||
last_day
|
||||
last_inser_id
|
||||
lcase
|
||||
least
|
||||
left
|
||||
length
|
||||
ln
|
||||
load_file
|
||||
local
|
||||
localtimestamp
|
||||
locate
|
||||
log
|
||||
log2
|
||||
log10
|
||||
lower
|
||||
lpad
|
||||
ltrim
|
||||
make_set
|
||||
makedate
|
||||
master_pos_wait
|
||||
max
|
||||
md5
|
||||
microsecond
|
||||
mid
|
||||
min
|
||||
minute
|
||||
mod
|
||||
month
|
||||
monthname
|
||||
name_const
|
||||
not_in
|
||||
now
|
||||
nullif
|
||||
oct
|
||||
octet_length
|
||||
old_password
|
||||
ord
|
||||
password
|
||||
period_add
|
||||
period_diff
|
||||
pi
|
||||
position
|
||||
pow
|
||||
power
|
||||
procedure_analyse
|
||||
quarter
|
||||
quote
|
||||
radians
|
||||
rand
|
||||
release_lock
|
||||
repeat
|
||||
replace
|
||||
reverse
|
||||
right
|
||||
round
|
||||
row_count
|
||||
rpad
|
||||
rtrim
|
||||
schema
|
||||
sec_to_time
|
||||
second
|
||||
session_user
|
||||
sha
|
||||
sha1
|
||||
sha2
|
||||
sign
|
||||
sin
|
||||
pg_sleep
|
||||
sleep
|
||||
soundex
|
||||
space
|
||||
sqrt
|
||||
std
|
||||
stddev_pop
|
||||
stddev_samp
|
||||
str_to_date
|
||||
strcmp
|
||||
subdate
|
||||
substring
|
||||
substring_index
|
||||
substr
|
||||
subtime
|
||||
sum
|
||||
sysdate
|
||||
system_user
|
||||
tan
|
||||
time
|
||||
timestamp
|
||||
timestampadd
|
||||
timestampdiff
|
||||
timediff
|
||||
time_format
|
||||
time_to_sec
|
||||
to_base64
|
||||
todays
|
||||
toseconds
|
||||
tochar
|
||||
tonchar
|
||||
trim
|
||||
truncate
|
||||
ucase
|
||||
uncompress
|
||||
uncompressed_length
|
||||
unhex
|
||||
unix_timestamp
|
||||
updatexml
|
||||
upper
|
||||
user
|
||||
utc_date
|
||||
utc_time
|
||||
utc_timestamp
|
||||
uuid
|
||||
uuid_short
|
||||
values
|
||||
var_pop
|
||||
var_samp
|
||||
variance
|
||||
version
|
||||
week
|
||||
weekday
|
||||
weekofyear
|
||||
weight_string
|
||||
year
|
||||
yearweek
|
||||
xmltype
|
|
@ -0,0 +1,78 @@
|
|||
bin/bash
|
||||
bin/cat
|
||||
bin/csh
|
||||
bin/dash
|
||||
bin/du
|
||||
bin/echo
|
||||
bin/grep
|
||||
bin/less
|
||||
bin/ls
|
||||
bin/more
|
||||
bin/nc
|
||||
bin/ps
|
||||
bin/rbash
|
||||
bin/sh
|
||||
bin/sleep
|
||||
bin/su
|
||||
bin/tcsh
|
||||
bin/uname
|
||||
dev/fd/
|
||||
dev/null
|
||||
dev/stderr
|
||||
dev/stdin
|
||||
dev/stdout
|
||||
dev/tcp/
|
||||
dev/udp/
|
||||
dev/zero
|
||||
etc/group
|
||||
etc/master.passwd
|
||||
etc/passwd
|
||||
etc/pwd.db
|
||||
etc/shadow
|
||||
etc/shells
|
||||
etc/spwd.db
|
||||
proc/self/
|
||||
usr/bin/cc
|
||||
usr/bin/clang
|
||||
usr/bin/clang++
|
||||
usr/bin/curl
|
||||
usr/bin/diff
|
||||
usr/bin/env
|
||||
usr/bin/fetch
|
||||
usr/bin/file
|
||||
usr/bin/find
|
||||
usr/bin/ftp
|
||||
usr/bin/gcc
|
||||
usr/bin/head
|
||||
usr/bin/id
|
||||
usr/bin/less
|
||||
usr/bin/more
|
||||
usr/bin/nc
|
||||
usr/bin/nice
|
||||
usr/bin/nmap
|
||||
usr/bin/perl
|
||||
usr/bin/php
|
||||
usr/bin/php5
|
||||
usr/bin/php7
|
||||
usr/bin/python
|
||||
usr/bin/python2
|
||||
usr/bin/python3
|
||||
usr/bin/ruby
|
||||
usr/bin/tail
|
||||
usr/bin/top
|
||||
usr/bin/uname
|
||||
usr/bin/wget
|
||||
usr/bin/who
|
||||
usr/bin/whoami
|
||||
usr/bin/xargs
|
||||
usr/local/bin/bash
|
||||
usr/local/bin/curl
|
||||
usr/local/bin/nmap
|
||||
usr/local/bin/perl
|
||||
usr/local/bin/php
|
||||
usr/local/bin/python
|
||||
usr/local/bin/python2
|
||||
usr/local/bin/python3
|
||||
usr/local/bin/rbash
|
||||
usr/local/bin/ruby
|
||||
usr/local/bin/wget
|
|
@ -0,0 +1,253 @@
|
|||
powershell.exe
|
||||
Add-BitsFile
|
||||
Add-Computer
|
||||
Add-Content
|
||||
Add-History
|
||||
Add-Member
|
||||
Add-PSSnapin
|
||||
Add-Type
|
||||
Checkpoint-Computer
|
||||
Clear-Content
|
||||
Clear-EventLog
|
||||
Clear-History
|
||||
Clear-Item
|
||||
Clear-ItemProperty
|
||||
Clear-Variable
|
||||
Compare-Object
|
||||
Complete-BitsTransfer
|
||||
Complete-Transaction
|
||||
Connect-WSMan
|
||||
ConvertFrom-CSV
|
||||
ConvertFrom-SecureString
|
||||
ConvertFrom-StringData
|
||||
Convert-Path
|
||||
ConvertTo-CSV
|
||||
ConvertTo-Html
|
||||
ConvertTo-SecureString
|
||||
ConvertTo-XML
|
||||
Copy-Item
|
||||
Copy-ItemProperty
|
||||
Debug-Process
|
||||
Disable-ComputerRestore
|
||||
Disable-PSBreakpoint
|
||||
Disable-PSSessionConfiguration
|
||||
Disable-WSManCredSSP
|
||||
Disconnect-WSMan
|
||||
Enable-ComputerRestore
|
||||
Enable-PSBreakpoint
|
||||
Enable-PSRemoting
|
||||
Enable-PSSessionConfiguration
|
||||
Enable-WSManCredSSP
|
||||
Enter-PSSession
|
||||
Exit-PSSession
|
||||
Export-Alias
|
||||
Export-Clixml
|
||||
Export-Console
|
||||
Export-Counter
|
||||
Export-CSV
|
||||
Export-FormatData
|
||||
Export-ModuleMember
|
||||
Export-PSSession
|
||||
ForEach-Object
|
||||
Format-Custom
|
||||
Format-List
|
||||
Format-Table
|
||||
Format-Wide
|
||||
Get-Acl
|
||||
Get-Alias
|
||||
Get-AppLockerFileInformation
|
||||
Get-AppLockerPolicy
|
||||
Get-AuthenticodeSignature
|
||||
Get-BitsTransfer
|
||||
Get-ChildItem
|
||||
Get-Command
|
||||
Get-ComputerRestorePoint
|
||||
Get-Content
|
||||
Get-Counter
|
||||
Get-Credential
|
||||
Get-Culture
|
||||
Get-Event
|
||||
Get-EventLog
|
||||
Get-EventSubscriber
|
||||
Get-ExecutionPolicy
|
||||
Get-FormatData
|
||||
Get-History
|
||||
Get-Host
|
||||
Get-HotFix
|
||||
Get-Item
|
||||
Get-ItemProperty
|
||||
Get-Job
|
||||
Get-Location
|
||||
Get-Member
|
||||
Get-Module
|
||||
Get-PfxCertificate
|
||||
Get-Process
|
||||
Get-PSBreakpoint
|
||||
Get-PSCallStack
|
||||
Get-PSDrive
|
||||
Get-PSProvider
|
||||
Get-PSSession
|
||||
Get-PSSessionConfiguration
|
||||
Get-PSSnapin
|
||||
Get-Random
|
||||
Get-Service
|
||||
Get-TraceSource
|
||||
Get-Transaction
|
||||
Get-TroubleshootingPack
|
||||
Get-UICulture
|
||||
Get-Unique
|
||||
Get-Variable
|
||||
Get-WinEvent
|
||||
Get-WmiObject
|
||||
Get-WSManCredSSP
|
||||
Get-WSManInstance
|
||||
Group-Object
|
||||
Import-Alias
|
||||
Import-Clixml
|
||||
Import-Counter
|
||||
Import-CSV
|
||||
Import-LocalizedData
|
||||
Import-Module
|
||||
Import-PSSession
|
||||
Invoke-Command
|
||||
Invoke-Expression
|
||||
Invoke-History
|
||||
Invoke-Item
|
||||
Invoke-TroubleshootingPack
|
||||
Invoke-WmiMethod
|
||||
Invoke-WSManAction
|
||||
Join-Path
|
||||
Limit-EventLog
|
||||
Measure-Command
|
||||
Measure-Object
|
||||
Move-Item
|
||||
Move-ItemProperty
|
||||
New-Alias
|
||||
New-AppLockerPolicy
|
||||
New-Event
|
||||
New-EventLog
|
||||
New-Item
|
||||
New-ItemProperty
|
||||
New-Module
|
||||
New-ModuleManifest
|
||||
New-Object
|
||||
New-PSDrive
|
||||
New-PSSession
|
||||
New-PSSessionOption
|
||||
New-Service
|
||||
New-TimeSpan
|
||||
New-Variable
|
||||
New-WebServiceProxy
|
||||
New-WSManInstance
|
||||
New-WSManSessionOption
|
||||
Out-Default
|
||||
Out-File
|
||||
Out-GridView
|
||||
Out-Host
|
||||
Out-Null
|
||||
Out-Printer
|
||||
Out-String
|
||||
Pop-Location
|
||||
Push-Location
|
||||
Read-Host
|
||||
Receive-Job
|
||||
Register-EngineEvent
|
||||
Register-ObjectEvent
|
||||
Register-PSSessionConfiguration
|
||||
Register-WmiEvent
|
||||
Remove-BitsTransfer
|
||||
Remove-Computer
|
||||
Remove-Event
|
||||
Remove-EventLog
|
||||
Remove-Item
|
||||
Remove-ItemProperty
|
||||
Remove-Job
|
||||
Remove-Module
|
||||
Remove-PSBreakpoint
|
||||
Remove-PSDrive
|
||||
Remove-PSSession
|
||||
Remove-PSSnapin
|
||||
Remove-Variable
|
||||
Remove-WmiObject
|
||||
Remove-WSManInstance
|
||||
Rename-Item
|
||||
Rename-ItemProperty
|
||||
Reset-ComputerMachinePassword
|
||||
Resolve-Path
|
||||
Restart-Computer
|
||||
Restart-Service
|
||||
Restore-Computer
|
||||
Resume-BitsTransfer
|
||||
Resume-Service
|
||||
Select-Object
|
||||
Select-String
|
||||
Select-XML
|
||||
Send-MailMessage
|
||||
Set-Acl
|
||||
Set-Alias
|
||||
Set-AppLockerPolicy
|
||||
Set-AuthenticodeSignature
|
||||
Set-BitsTransfer
|
||||
Set-Content
|
||||
Set-Date
|
||||
Set-ExecutionPolicy
|
||||
Set-Item
|
||||
Set-ItemProperty
|
||||
Set-Location
|
||||
Set-PSBreakpoint
|
||||
Set-PSDebug
|
||||
Set-PSSessionConfiguration
|
||||
Set-Service
|
||||
Set-StrictMode
|
||||
Set-TraceSource
|
||||
Set-Variable
|
||||
Set-WmiInstance
|
||||
Set-WSManInstance
|
||||
Set-WSManQuickConfig
|
||||
Show-EventLog
|
||||
Sort-Object
|
||||
Split-Path
|
||||
Start-BitsTransfer
|
||||
Start-Job
|
||||
Start-Process
|
||||
Start-Service
|
||||
Start-Sleep
|
||||
Start-Transaction
|
||||
Start-Transcript
|
||||
Stop-Computer
|
||||
Stop-Job
|
||||
Stop-Process
|
||||
Stop-Service
|
||||
Stop-Transcript
|
||||
Suspend-BitsTransfer
|
||||
Suspend-Service
|
||||
Tee-Object
|
||||
Test-AppLockerPolicy
|
||||
Test-ComputerSecureChannel
|
||||
Test-Connection
|
||||
Test-ModuleManifest
|
||||
Test-Path
|
||||
Test-WSMan
|
||||
Trace-Command
|
||||
Undo-Transaction
|
||||
Unregister-Event
|
||||
Unregister-PSSessionConfiguration
|
||||
Update-FormatData
|
||||
Update-List
|
||||
Update-TypeData
|
||||
Use-Transaction
|
||||
Wait-Event
|
||||
Wait-Job
|
||||
Wait-Process
|
||||
Where-Object
|
||||
Write-Debug
|
||||
Write-Error
|
||||
Write-EventLog
|
||||
Write-Host
|
||||
Write-Output
|
||||
Write-Progress
|
||||
Write-Verbose
|
||||
Write-Warning
|
||||
-EncodedCommand
|
||||
-ExecutionPolicy
|
||||
-PSConsoleFile
|
|
@ -0,0 +1,5 @@
|
|||
location ~ \.php$ {
|
||||
fastcgi_pass 127.0.0.1:9000;
|
||||
fastcgi_index index.php;
|
||||
include fastcgi.conf;
|
||||
}
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1 @@
|
|||
more_set_headers "Referrer-Policy: %REFERRER_POLICY%";
|
|
@ -0,0 +1,26 @@
|
|||
server {
|
||||
%LISTEN_HTTP%
|
||||
%AUTO_LETS_ENCRYPT%
|
||||
server_name %SERVER_NAME%;
|
||||
root /www;
|
||||
index index.html index.php;
|
||||
location / {
|
||||
try_files $uri $uri/ =404;
|
||||
%BLOCK_TOR_EXIT_NODE%
|
||||
}
|
||||
if ($request_method !~ ^(%ALLOWED_METHODS%)$)
|
||||
{
|
||||
return 405;
|
||||
}
|
||||
%USE_PHP%
|
||||
%HEADER_SERVER%
|
||||
%X_FRAME_OPTIONS%
|
||||
%X_XSS_PROTECTION%
|
||||
%X_CONTENT_TYPE_OPTIONS%
|
||||
# TODO : CSP
|
||||
%REFERRER_POLICY%
|
||||
%FEATURE_POLICY%
|
||||
%BLOCK_COUNTRY%
|
||||
%BLOCK_USER_AGENT%
|
||||
%ERRORS%
|
||||
}
|
|
@ -0,0 +1 @@
|
|||
more_set_headers "X-Content-Type-Options: %X_CONTENT_TYPE_OPTIONS%";
|
|
@ -0,0 +1 @@
|
|||
more_set_headers "X-Frame-Options: %X_FRAME_OPTIONS%";
|
|
@ -0,0 +1 @@
|
|||
more_set_headers "X-XSS-Protection: %X_XSS_PROTECTION%";
|
|
@ -0,0 +1,229 @@
|
|||
#!/bin/sh
|
||||
|
||||
# replace pattern in file
|
||||
function replace_in_file() {
|
||||
# escape slashes
|
||||
pattern=$(echo "$2" | sed "s/\//\\\\\//g")
|
||||
replace=$(echo "$3" | sed "s/\//\\\\\//g")
|
||||
sed -i "s/$pattern/$replace/g" "$1"
|
||||
}
|
||||
|
||||
# copy stub confs
|
||||
cp /opt/confs/*.conf /etc/nginx
|
||||
cp -r /opt/confs/owasp-crs /etc/nginx
|
||||
cp /opt/confs/php.ini /etc/php7/php.ini
|
||||
|
||||
# remove cron jobs
|
||||
echo "" > /etc/crontabs/root
|
||||
|
||||
# set default values
|
||||
MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE:-10m}"
|
||||
SERVER_TOKENS="${SERVER_TOKENS:-off}"
|
||||
CACHE="${CACHE:-max=1000 inactive=60s}"
|
||||
CACHE_ERRORS="${CACHE_ERRORS:-on}"
|
||||
CACHE_USES="${CACHE_USES:-1}"
|
||||
CACHE_VALID="${CACHE_VALID:-60s}"
|
||||
#CLIENT_CACHE="${CLIENT_CACHE}:-css|gif|htm|html|ico|jpeg|jpg|js|png|svg|tif|tiff|eot|otf|ttf|woff|woff2"
|
||||
#CLIENT_CACHE_EXPIRES="${CLIENT_CACHE_EXPIRES}:-1d}"
|
||||
#CLIENT_CACHE_CONTROL=
|
||||
USE_GZIP="${USE_GZIP:-off}"
|
||||
GZIP_COMP_LEVEL="${GZIP_COMP_LEVEL:-6}"
|
||||
GZIP_MIN_LENGTH="${GZIP_MIN_LENGTH:-10240}"
|
||||
GZIP_TYPES="${GZIP_TYPES:-text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml application/atom+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml}"
|
||||
USE_PHP="${USE_PHP:-yes}"
|
||||
HEADER_SERVER="${HEADER_SERVER:-no}"
|
||||
X_FRAME_OPTIONS="${X_FRAME_OPTIONS:-DENY}"
|
||||
X_XSS_PROTECTION="${X_XSS_PROTECTION:-1; mode=block}"
|
||||
X_CONTENT_TYPE_OPTIONS="${X_CONTENT_TYPE_OPTIONS:-nosniff}"
|
||||
REFERRER_POLICY="${REFERRER_POLICY:-no-referrer}"
|
||||
FEATURE_POLICY="${FEATURE_POLICY:-accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vibrate 'none'; vr 'none'}"
|
||||
DISABLE_DEFAULT_SERVER="${DISABLE_DEFAULT_SERVER:-no}"
|
||||
SERVER_NAME="${SERVER_NAME:-www.bunkerity.io}"
|
||||
ALLOWED_METHODS="${ALLOWED_METHODS:-GET|POST|HEAD}"
|
||||
BLOCK_COUNTRY="${BLOCK_COUNTRY:-}"
|
||||
BLOCK_USER_AGENT="${BLOCK_USER_AGENT:-yes}"
|
||||
AUTO_LETS_ENCRYPT="${AUTO_LETS_ENCRYPT:-no}"
|
||||
HTTP2="${HTTP2:-yes}"
|
||||
STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY:-max-age=31536000}"
|
||||
PHP_EXPOSE="${PHP_EXPOSE:-no}"
|
||||
PHP_DISPLAY_ERRORS="${PHP_DISPLAY_ERRORS:-no}"
|
||||
PHP_OPEN_BASEDIR="${PHP_OPEN_BASEDIR:-/www/}"
|
||||
PHP_ALLOW_URL_FOPEN="${PHP_ALLOW_URL_FOPEN:-no}"
|
||||
PHP_ALLOW_URL_INCLUDE="${PHP_ALLOW_URL_INCLUDE:-no}"
|
||||
PHP_FILE_UPLOADS="${PHP_FILE_UPLOADS:-yes}"
|
||||
PHP_UPLOAD_MAX_FILESIZE="${PHP_UPLOAD_MAX_FILESIZE:-10M}"
|
||||
PHP_DISABLE_FUNCTIONS="${PHP_DISABLE_FUNCTIONS:-system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo}"
|
||||
USE_MODSECURITY="${USE_MODSECURITY:-yes}"
|
||||
|
||||
# replace values
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%MAX_CLIENT_SIZE%" "$MAX_CLIENT_SIZE"
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%SERVER_TOKENS%" "$SERVER_TOKENS"
|
||||
replace_in_file "/etc/nginx/cache.conf" "%CACHE%" "$CACHE"
|
||||
replace_in_file "/etc/nginx/cache.conf" "%CACHE_ERRORS%" "$CACHE_ERRORS"
|
||||
replace_in_file "/etc/nginx/cache.conf" "%CACHE_USES%" "$CACHE_USES"
|
||||
replace_in_file "/etc/nginx/cache.conf" "%CACHE_VALID%" "$CACHE_VALID"
|
||||
replace_in_file "/etc/nginx/gzip.conf" "%USE_GZIP%" "$USE_GZIP"
|
||||
replace_in_file "/etc/nginx/gzip.conf" "%GZIP_COMP_LEVEL%" "$GZIP_COMP_LEVEL"
|
||||
replace_in_file "/etc/nginx/gzip.conf" "%GZIP_MIN_LENGTH%" "$GZIP_MIN_LENGTH"
|
||||
replace_in_file "/etc/nginx/gzip.conf" "%GZIP_TYPES%" "$GZIP_TYPES"
|
||||
if [ "$USE_PHP" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%USE_PHP%" "include /etc/nginx/php.conf;"
|
||||
if [ "$PHP_EXPOSE" = "yes" ] ; then
|
||||
replace_in_file "/etc/php7/php.ini" "%PHP_EXPOSE%" "On"
|
||||
else
|
||||
replace_in_file "/etc/php7/php.ini" "%PHP_EXPOSE%" "Off"
|
||||
fi
|
||||
if [ "$PHP_DISPLAY_ERRORS" = "yes" ] ; then
|
||||
replace_in_file "/etc/php7/php.ini" "%PHP_DISPLAY_ERRORS%" "On"
|
||||
else
|
||||
replace_in_file "/etc/php7/php.ini" "%PHP_DISPLAY_ERRORS%" "Off"
|
||||
fi
|
||||
replace_in_file "/etc/php7/php.ini" "%PHP_OPEN_BASEDIR%" "$PHP_OPEN_BASEDIR"
|
||||
if [ "$PHP_ALLOW_URL_FOPEN" = "yes" ] ; then
|
||||
replace_in_file "/etc/php7/php.ini" "%PHP_ALLOW_URL_FOPEN%" "On"
|
||||
else
|
||||
replace_in_file "/etc/php7/php.ini" "%PHP_ALLOW_URL_FOPEN%" "Off"
|
||||
fi
|
||||
if [ "$PHP_ALLOW_URL_INCLUDE" = "yes" ] ; then
|
||||
replace_in_file "/etc/php7/php.ini" "%PHP_ALLOW_URL_INCLUDE%" "On"
|
||||
else
|
||||
replace_in_file "/etc/php7/php.ini" "%PHP_ALLOW_URL_INCLUDE%" "Off"
|
||||
fi
|
||||
if [ "$PHP_FILE_UPLOADS" = "yes" ] ; then
|
||||
replace_in_file "/etc/php7/php.ini" "%PHP_FILE_UPLOADS%" "On"
|
||||
else
|
||||
replace_in_file "/etc/php7/php.ini" "%PHP_FILE_UPLOADS%" "Off"
|
||||
fi
|
||||
replace_in_file "/etc/php7/php.ini" "%PHP_UPLOAD_MAX_FILESIZE%" "$PHP_UPLOAD_MAX_FILESIZE"
|
||||
replace_in_file "/etc/php7/php.ini" "%PHP_DISABLE_FUNCTIONS%" "$PHP_DISABLE_FUNCTIONS"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%USE_PHP%" ""
|
||||
fi
|
||||
if [ "$HEADER_SERVER" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%HEADER_SERVER%" ""
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%HEADER_SERVER%" "more_clear_headers 'Server';"
|
||||
fi
|
||||
if [ "$X_FRAME_OPTIONS" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%X_FRAME_OPTIONS%" "include /etc/nginx/x-frame-options.conf;"
|
||||
replace_in_file "/etc/nginx/x-frame-options.conf" "%X_FRAME_OPTIONS%" "$X_FRAME_OPTIONS"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%X_FRAME_OPTIONS%" ""
|
||||
fi
|
||||
if [ "$X_XSS_PROTECTION" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%X_XSS_PROTECTION%" "include /etc/nginx/x-xss-protection.conf;"
|
||||
replace_in_file "/etc/nginx/x-xss-protection.conf" "%X_XSS_PROTECTION%" "$X_XSS_PROTECTION"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%X_XSS_PROTECTION%" ""
|
||||
fi
|
||||
if [ "$X_CONTENT_TYPE_OPTIONS" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%X_CONTENT_TYPE_OPTIONS%" "include /etc/nginx/x-content-type-options.conf;"
|
||||
replace_in_file "/etc/nginx/x-content-type-options.conf" "%X_CONTENT_TYPE_OPTIONS%" "$X_CONTENT_TYPE_OPTIONS"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%X_CONTENT_TYPE_OPTIONS%" ""
|
||||
fi
|
||||
if [ "$REFERRER_POLICY" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%REFERRER_POLICY%" "include /etc/nginx/referrer-policy.conf;"
|
||||
replace_in_file "/etc/nginx/referrer-policy.conf" "%REFERRER_POLICY%" "$REFERRER_POLICY"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%REFERRER_POLICY%" ""
|
||||
fi
|
||||
if [ "$FEATURE_POLICY" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%FEATURE_POLICY%" "include /etc/nginx/feature-policy.conf;"
|
||||
replace_in_file "/etc/nginx/feature-policy.conf" "%FEATURE_POLICY%" "$FEATURE_POLICY"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%FEATURE_POLICY%" ""
|
||||
fi
|
||||
if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%DISABLE_DEFAULT_SERVER%" "include /etc/nginx/disable-default-server.conf;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%DISABLE_DEFAULT_SERVER%" ""
|
||||
fi
|
||||
replace_in_file "/etc/nginx/server.conf" "%SERVER_NAME%" "$SERVER_NAME"
|
||||
replace_in_file "/etc/nginx/server.conf" "%ALLOWED_METHODS%" "$ALLOWED_METHODS"
|
||||
if [ ! -f /etc/nginx/geoip.mmdb ] ; then
|
||||
/opt/scripts/geolite.sh
|
||||
fi
|
||||
if [ "$BLOCK_COUNTRY" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" "include /etc/nginx/geoip.conf;"
|
||||
replace_in_file "/etc/nginx/geoip.conf" "%BLOCK_COUNTRY%" "$(echo $BLOCK_COUNTRY | sed 's/ / no;\n/g') no;"
|
||||
echo "0 0 * * * /opt/scripts/geolite.sh" >> /etc/crontabs/root
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%BLOCK_COUNTRY%" ""
|
||||
fi
|
||||
if [ "$BLOCK_USER_AGENT" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/block-user-agent.conf;"
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" "include /etc/nginx/map-user-agent.conf;"
|
||||
/opt/scripts/user-agents.sh
|
||||
echo "0 0 * * * /opt/scripts/user-agents.sh" >> /etc/crontabs/root
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%BLOCK_USER_AGENT%" ""
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%BLOCK_USER_AGENT%" ""
|
||||
fi
|
||||
if [ "$BLOCK_TOR_EXIT_NODE" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%BLOCK_TOR_EXIT_NODE%" "include /etc/nginx/block-tor-exit-node.conf;"
|
||||
/opt/scripts/exit-nodes.sh
|
||||
echo "0 * * * * /opt/scripts/exit-nodes.sh" >> /etc/crontabs/root
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%BLOCK_TOR_EXIT_NODE%" ""
|
||||
fi
|
||||
if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" ""
|
||||
replace_in_file "/etc/nginx/server.conf" "%AUTO_LETS_ENCRYPT%" "include /etc/nginx/auto-lets-encrypt.conf;"
|
||||
if [ "$HTTP2" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/auto-lets-encrypt.conf" "%HTTP2%" "http2"
|
||||
else
|
||||
replace_in_file "/etc/nginx/auto-lets-encrypt.conf" "%HTTP2%" ""
|
||||
fi
|
||||
replace_in_file "/etc/nginx/auto-lets-encrypt.conf" "%SERVER_NAME%" "$SERVER_NAME"
|
||||
if [ "$STRICT_TRANSPORT_SECURITY" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/auto-lets-encrypt.conf" "%STRICT_TRANSPORT_SECURITY%" "more_set_headers 'Strict-Transport-Security: $STRICT_TRANSPORT_SECURITY';"
|
||||
else
|
||||
replace_in_file "/etc/nginx/auto-lets-encrypt.conf" "%STRICT_TRANSPORT_SECURITY%" ""
|
||||
fi
|
||||
echo "0 0 * * * /opt/scripts/certbot-renew.sh" >> /etc/crontabs/root
|
||||
if [ -f /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem ] ; then
|
||||
/opt/scripts/certbot-renew.sh
|
||||
else
|
||||
certbot certonly --standalone -n --preferred-challenges http -d $SERVER_NAME --email contact@$SERVER_NAME --agree-tos
|
||||
fi
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%AUTO_LETS_ENCRYPT%" ""
|
||||
replace_in_file "/etc/nginx/server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:80;"
|
||||
fi
|
||||
|
||||
if [ "$USE_MODSECURITY" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" "include /etc/nginx/modsecurity.conf;"
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" ""
|
||||
fi
|
||||
|
||||
ERRORS=""
|
||||
for var in $(env) ; do
|
||||
var_name=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 1)
|
||||
if [ "z${var_name}" = "zERROR" ] ; then
|
||||
err_code=$(echo "$var" | cut -d '=' -f 1 | cut -d '_' -f 2)
|
||||
err_page=$(echo "$var" | cut -d '=' -f 2)
|
||||
cp /opt/confs/error.conf /etc/nginx/error-${err_code}.conf
|
||||
replace_in_file "/etc/nginx/error-${err_code}.conf" "%CODE%" "$err_code"
|
||||
replace_in_file "/etc/nginx/error-${err_code}.conf" "%PAGE%" "$err_page"
|
||||
ERRORS="${ERRORS}include /etc/nginx/error-${err_code}.conf;\n"
|
||||
fi
|
||||
done
|
||||
if [ "$ERRORS" != "" ] ; then
|
||||
replace_in_file "/etc/nginx/server.conf" "%ERRORS%" "$ERRORS"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%ERRORS%" ""
|
||||
fi
|
||||
|
||||
# start PHP
|
||||
if [ "$USE_PHP" = "yes" ] ; then
|
||||
php-fpm7
|
||||
fi
|
||||
|
||||
# start crond
|
||||
crond
|
||||
|
||||
# start nginx in foreground
|
||||
# when nginx is killed, container get killed too
|
||||
exec /usr/sbin/nginx
|
|
@ -0,0 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
certbot renew
|
||||
|
||||
if [ -f /run/nginx/nginx.pid ] ; then
|
||||
/usr/sbin/nginx -s reload
|
||||
fi
|
|
@ -0,0 +1,11 @@
|
|||
#!/bin/sh
|
||||
|
||||
BLACKLIST=$(curl "https://iplists.firehol.org/files/tor_exits.ipset")
|
||||
DATA=""
|
||||
for ip in $BLACKLIST ; do
|
||||
DATA="${DATA}deny ${ip};\n"
|
||||
done
|
||||
echo $DATA > /etc/nginx/block-tor-exit-node.conf
|
||||
if [ -f /run/nginx/nginx.pid ] ; then
|
||||
/usr/sbin/nginx -s reload
|
||||
fi
|
|
@ -0,0 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
wget -O /etc/nginx/geoip.mmdb.gz https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.mmdb.gz
|
||||
gunzip -f /etc/nginx/geoip.mmdb.gz
|
||||
if [ -f /run/nginx/nginx.pid ] ; then
|
||||
/usr/sbin/nginx -s reload
|
||||
fi
|
|
@ -0,0 +1,22 @@
|
|||
#!/bin/sh
|
||||
|
||||
# replace pattern in file
|
||||
function replace_in_file() {
|
||||
# escape slashes
|
||||
pattern=$(echo "$2" | sed "s/\//\\\\\//g")
|
||||
replace=$(echo "$3" | sed "s/\//\\\\\//g")
|
||||
replace=$(echo "$replace" | sed "s/\\ /\\\\ /g")
|
||||
sed -i "s/$pattern/$replace/g" "$1"
|
||||
}
|
||||
|
||||
BLACKLIST="$(curl https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list)"
|
||||
DATA=""
|
||||
IFS=$'\n'
|
||||
for ua in $BLACKLIST ; do
|
||||
DATA="${DATA}~*(?:\b)${ua}\(?:\b) yes;\n"
|
||||
done
|
||||
cp /opt/confs/map-user-agent.conf /etc/nginx/map-user-agent.conf
|
||||
replace_in_file "/etc/nginx/map-user-agent.conf" "%BLOCK_USER_AGENT%" "$DATA"
|
||||
if [ -f /run/nginx/nginx.pid ] ; then
|
||||
/usr/sbin/nginx -s reload
|
||||
fi
|
|
@ -0,0 +1 @@
|
|||
test 403
|
|
@ -0,0 +1 @@
|
|||
test 404
|
|
@ -0,0 +1,5 @@
|
|||
<?php
|
||||
|
||||
echo "Bunkerity FTW !";
|
||||
|
||||
?>
|
Loading…
Reference in New Issue