flatten CRS rules to workaround crowdsecurity/crowdsec#3343 (#83)

appsec/crs/REQUEST-905-COMMON-EXCEPTIONS.conf

@@ -14,42 +14,12 @@
 #
 # Exception for Apache SSL pinger
 #
-SecRule REQUEST_LINE "@streq GET /" \
-    "id:905100,\
-    phase:1,\
-    pass,\
-    t:none,\
-    nolog,\
-    tag:'application-multi',\
-    tag:'language-multi',\
-    tag:'platform-apache',\
-    tag:'attack-generic',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
-    chain"
-    SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
-        "t:none,\
-        ctl:ruleRemoveByTag=OWASP_CRS,\
-        ctl:auditEngine=Off"
+SecRule REQUEST_LINE "@streq GET /"     "id:905100,    phase:1,    pass,    t:none,    nolog,    tag:'application-multi',    tag:'language-multi',    tag:'platform-apache',    tag:'attack-generic',    ver:'OWASP_CRS/4.0.0-rc1',    chain"
+    SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1"         "t:none,        ctl:ruleRemoveByTag=OWASP_CRS,        ctl:auditEngine=Off"
 
 #
 # Exception for Apache internal dummy connection
 #
-SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
-    "id:905110,\
-    phase:1,\
-    pass,\
-    t:none,\
-    nolog,\
-    tag:'application-multi',\
-    tag:'language-multi',\
-    tag:'platform-apache',\
-    tag:'attack-generic',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
-    chain"
-    SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \
-        "t:none,\
-        chain"
-        SecRule REQUEST_LINE "@rx ^(?:GET /|OPTIONS \*) HTTP/[12]\.[01]$" \
-            "t:none,\
-            ctl:ruleRemoveByTag=OWASP_CRS,\
-            ctl:auditEngine=Off"
+SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1"     "id:905110,    phase:1,    pass,    t:none,    nolog,    tag:'application-multi',    tag:'language-multi',    tag:'platform-apache',    tag:'attack-generic',    ver:'OWASP_CRS/4.0.0-rc1',    chain"
+    SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)"         "t:none,        chain"
+        SecRule REQUEST_LINE "@rx ^(?:GET /|OPTIONS \*) HTTP/[12]\.[01]$"             "t:none,            ctl:ruleRemoveByTag=OWASP_CRS,            ctl:auditEngine=Off"

appsec/crs/REQUEST-911-METHOD-ENFORCEMENT.conf

@@ -25,23 +25,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,skipAf
 #
 # tx.allowed_methods is defined in the crs-setup.conf file
 #
-SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
-    "id:911100,\
-    phase:1,\
-    block,\
-    msg:'Method is not allowed by policy',\
-    logdata:'%{MATCHED_VAR}',\
-    tag:'application-multi',\
-    tag:'language-multi',\
-    tag:'platform-multi',\
-    tag:'attack-generic',\
-    tag:'paranoia-level/1',\
-    tag:'OWASP_CRS',\
-    tag:'capec/1000/210/272/220/274',\
-    tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
-    severity:'CRITICAL',\
-    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}"     "id:911100,    phase:1,    block,    msg:'Method is not allowed by policy',    logdata:'%{MATCHED_VAR}',    tag:'application-multi',    tag:'language-multi',    tag:'platform-multi',    tag:'attack-generic',    tag:'paranoia-level/1',    tag:'OWASP_CRS',    tag:'capec/1000/210/272/220/274',    tag:'PCI/12.1',    ver:'OWASP_CRS/4.0.0-rc1',    severity:'CRITICAL',    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 

appsec/crs/REQUEST-913-SCANNER-DETECTION.conf

@@ -34,69 +34,14 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,skipAf
 # Chained rule is allow listing:
 # YUM package manager of CentOS / Fedore: User-Agent: urlgrabber/3.10 yum/3.4.3
 # eCairn service: User-Agent: mozilla/5.0 ecairn-grabber/1.0 (+http://ecairn.com/grabber)
-SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
-    "id:913100,\
-    phase:1,\
-    block,\
-    capture,\
-    t:none,\
-    msg:'Found User-Agent associated with security scanner',\
-    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
-    tag:'application-multi',\
-    tag:'language-multi',\
-    tag:'platform-multi',\
-    tag:'attack-reputation-scanner',\
-    tag:'paranoia-level/1',\
-    tag:'OWASP_CRS',\
-    tag:'capec/1000/118/224/541/310',\
-    tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
-    severity:'CRITICAL',\
-    chain"
-    SecRule MATCHED_VARS "!@rx ^(?:urlgrabber/[0-9\.]+ yum/[0-9\.]+|mozilla/[0-9\.]+ ecairn-grabber/[0-9\.]+ \(\+http://ecairn.com/grabber\))$" \
-        "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-
-SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data" \
-    "id:913110,\
-    phase:1,\
-    block,\
-    capture,\
-    t:none,\
-    msg:'Found request header associated with security scanner',\
-    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
-    tag:'application-multi',\
-    tag:'language-multi',\
-    tag:'platform-multi',\
-    tag:'attack-reputation-scanner',\
-    tag:'paranoia-level/1',\
-    tag:'OWASP_CRS',\
-    tag:'capec/1000/118/224/541/310',\
-    tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
-    severity:'CRITICAL',\
-    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-
-
-
-SecRule REQUEST_FILENAME|ARGS "@pmFromFile scanners-urls.data" \
-    "id:913120,\
-    phase:2,\
-    block,\
-    capture,\
-    t:none,\
-    msg:'Found request filename/argument associated with security scanner',\
-    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
-    tag:'application-multi',\
-    tag:'language-multi',\
-    tag:'platform-multi',\
-    tag:'attack-reputation-scanner',\
-    tag:'paranoia-level/1',\
-    tag:'OWASP_CRS',\
-    tag:'capec/1000/118/224/541/310',\
-    tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
-    severity:'CRITICAL',\
-    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data"     "id:913100,    phase:1,    block,    capture,    t:none,    msg:'Found User-Agent associated with security scanner',    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',    tag:'application-multi',    tag:'language-multi',    tag:'platform-multi',    tag:'attack-reputation-scanner',    tag:'paranoia-level/1',    tag:'OWASP_CRS',    tag:'capec/1000/118/224/541/310',    tag:'PCI/6.5.10',    ver:'OWASP_CRS/4.0.0-rc1',    severity:'CRITICAL',    chain"
+    SecRule MATCHED_VARS "!@rx ^(?:urlgrabber/[0-9\.]+ yum/[0-9\.]+|mozilla/[0-9\.]+ ecairn-grabber/[0-9\.]+ \(\+http://ecairn.com/grabber\))$"         "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data"     "id:913110,    phase:1,    block,    capture,    t:none,    msg:'Found request header associated with security scanner',    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',    tag:'application-multi',    tag:'language-multi',    tag:'platform-multi',    tag:'attack-reputation-scanner',    tag:'paranoia-level/1',    tag:'OWASP_CRS',    tag:'capec/1000/118/224/541/310',    tag:'PCI/6.5.10',    ver:'OWASP_CRS/4.0.0-rc1',    severity:'CRITICAL',    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+
+SecRule REQUEST_FILENAME|ARGS "@pmFromFile scanners-urls.data"     "id:913120,    phase:2,    block,    capture,    t:none,    msg:'Found request filename/argument associated with security scanner',    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',    tag:'application-multi',    tag:'language-multi',    tag:'platform-multi',    tag:'attack-reputation-scanner',    tag:'paranoia-level/1',    tag:'OWASP_CRS',    tag:'capec/1000/118/224/541/310',    tag:'PCI/6.5.10',    ver:'OWASP_CRS/4.0.0-rc1',    severity:'CRITICAL',    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
@@ -115,25 +60,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,skipAf
 #
 # This rule is a sibling of rule 913100.
 #
-SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
-    "id:913101,\
-    phase:1,\
-    block,\
-    capture,\
-    t:none,\
-    msg:'Found User-Agent associated with scripting/generic HTTP client',\
-    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
-    tag:'application-multi',\
-    tag:'language-multi',\
-    tag:'platform-multi',\
-    tag:'attack-reputation-scripting',\
-    tag:'OWASP_CRS',\
-    tag:'capec/1000/118/224/541/310',\
-    tag:'PCI/6.5.10',\
-    tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
-    severity:'CRITICAL',\
-    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data"     "id:913101,    phase:1,    block,    capture,    t:none,    msg:'Found User-Agent associated with scripting/generic HTTP client',    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',    tag:'application-multi',    tag:'language-multi',    tag:'platform-multi',    tag:'attack-reputation-scripting',    tag:'OWASP_CRS',    tag:'capec/1000/118/224/541/310',    tag:'PCI/6.5.10',    tag:'paranoia-level/2',    ver:'OWASP_CRS/4.0.0-rc1',    severity:'CRITICAL',    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
 
@@ -146,25 +73,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
 #
 # This rule is a sibling of rule 913100.
 #
-SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \
-    "id:913102,\
-    phase:1,\
-    block,\
-    capture,\
-    t:none,\
-    msg:'Found User-Agent associated with web crawler/bot',\
-    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
-    tag:'application-multi',\
-    tag:'language-multi',\
-    tag:'platform-multi',\
-    tag:'attack-reputation-crawler',\
-    tag:'OWASP_CRS',\
-    tag:'capec/1000/118/116/150',\
-    tag:'PCI/6.5.10',\
-    tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/4.0.0-rc1',\
-    severity:'CRITICAL',\
-    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data"     "id:913102,    phase:1,    block,    capture,    t:none,    msg:'Found User-Agent associated with web crawler/bot',    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',    tag:'application-multi',    tag:'language-multi',    tag:'platform-multi',    tag:'attack-reputation-crawler',    tag:'OWASP_CRS',    tag:'capec/1000/118/116/150',    tag:'PCI/6.5.10',    tag:'paranoia-level/2',    ver:'OWASP_CRS/4.0.0-rc1',    severity:'CRITICAL',    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"