diff --git a/appsec/crs/REQUEST-901-INITIALIZATION.conf b/appsec/crs/REQUEST-901-INITIALIZATION.conf
index 80857123..eaf6ce20 100644
--- a/appsec/crs/REQUEST-901-INITIALIZATION.conf
+++ b/appsec/crs/REQUEST-901-INITIALIZATION.conf
@@ -51,16 +51,7 @@ SecComponentSignature "OWASP_CRS/4.0.0-rc1"
 # E.g., v3.0.0 is represented as 300.
 #
-SecRule &TX:crs_setup_version "@eq 0" \
- "id:901001,\
- phase:1,\
- deny,\
- status:500,\
- log,\
- auditlog,\
- msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL'"
+SecRule &TX:crs_setup_version "@eq 0" "id:901001, phase:1, deny, status:500, log, auditlog, msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL'"
 #
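Review bot: Nothing in the hunk records why every rule is collapsed onto one line, and the `, `-separated action list it introduces only loads if the rule parser trims whitespace between actions — ModSecurity's parser does skip leading spaces before each action name, but a stricter loader would see an action called ` phase` and refuse 901001, the very rule that fails closed when crs-setup.conf is missing. Since the reason is presumably that the engine consuming `appsec/crs` does not honour the `\` continuation used by upstream CRS, a comment near the top of the file would stop the next upstream sync from reflowing it, e.g. `# NOTE: rules are kept on a single line; the rule loader used here does not process backslash line continuation. Do not reflow when syncing with upstream CRS.` — adjusted to the actual reason. A one-off load test with exactly this separator spacing is worth doing before relying on 901001 as the safety net.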
@@ -72,172 +63,58 @@ SecRule &TX:crs_setup_version "@eq 0" \
 #
 # Default Inbound Anomaly Threshold Level (rule 900110 in crs-setup.conf)
-SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
- "id:901100,\
- phase:1,\
- pass,\
- nolog,\
- ver:'OWASP_CRS/4.0.0-rc1',\
- setvar:'tx.inbound_anomaly_score_threshold=5'"
+SecRule &TX:inbound_anomaly_score_threshold "@eq 0" "id:901100, phase:1, pass, nolog, ver:'OWASP_CRS/4.0.0-rc1', setvar:'tx.inbound_anomaly_score_threshold=5'"
 # Default Outbound Anomaly Threshold Level (rule 900110 in crs-setup.conf)
-SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
- "id:901110,\
- phase:1,\
- pass,\
- nolog,\
- ver:'OWASP_CRS/4.0.0-rc1',\
- setvar:'tx.outbound_anomaly_score_threshold=4'"
+SecRule &TX:outbound_anomaly_score_threshold "@eq 0" "id:901110, phase:1, pass, nolog, ver:'OWASP_CRS/4.0.0-rc1', setvar:'tx.outbound_anomaly_score_threshold=4'"
 # Default Reporting Level (rule 900115 in crs-setup.conf)
-SecRule &TX:reporting_level "@eq 0" \
- "id:901111,\
- phase:1,\
- pass,\
- nolog,\
- ver:'OWASP_CRS/4.0.0-rc1',\
- setvar:'tx.reporting_level=4'"
+SecRule &TX:reporting_level "@eq 0" "id:901111, phase:1, pass, nolog, ver:'OWASP_CRS/4.0.0-rc1', setvar:'tx.reporting_level=4'"
 # Default Early Blocking (rule 900120 in crs-setup.conf)
-SecRule &TX:early_blocking "@eq 0" \
- "id:901115,\
- phase:1,\
- pass,\
- nolog,\
- ver:'OWASP_CRS/4.0.0-rc1',\
- setvar:'tx.early_blocking=0'"
+SecRule &TX:early_blocking "@eq 0" "id:901115, phase:1, pass, nolog, ver:'OWASP_CRS/4.0.0-rc1', setvar:'tx.early_blocking=0'"
 # Default Blocking Paranoia Level (rule 900000 in crs-setup.conf)
-SecRule &TX:blocking_paranoia_level "@eq 0" \
- "id:901120,\
- phase:1,\
- pass,\
- nolog,\
- ver:'OWASP_CRS/4.0.0-rc1',\
- setvar:'tx.blocking_paranoia_level=1'"
+SecRule &TX:blocking_paranoia_level "@eq 0" "id:901120, phase:1, pass, nolog, ver:'OWASP_CRS/4.0.0-rc1', setvar:'tx.blocking_paranoia_level=1'"
 # Default Detection Paranoia Level (rule 900001 in
crs-setup.conf)
-SecRule &TX:detection_paranoia_level "@eq 0" \
- "id:901125,\
- phase:1,\
- pass,\
- nolog,\
- ver:'OWASP_CRS/4.0.0-rc1',\
- setvar:'tx.detection_paranoia_level=%{TX.blocking_paranoia_level}'"
+SecRule &TX:detection_paranoia_level "@eq 0" "id:901125, phase:1, pass, nolog, ver:'OWASP_CRS/4.0.0-rc1', setvar:'tx.detection_paranoia_level=%{TX.blocking_paranoia_level}'"
 # Default Sampling Percentage (rule 900400 in crs-setup.conf)
-SecRule &TX:sampling_percentage "@eq 0" \
- "id:901130,\
- phase:1,\
- pass,\
- nolog,\
- ver:'OWASP_CRS/4.0.0-rc1',\
- setvar:'tx.sampling_percentage=100'"
+SecRule &TX:sampling_percentage "@eq 0" "id:901130, phase:1, pass, nolog, ver:'OWASP_CRS/4.0.0-rc1', setvar:'tx.sampling_percentage=100'"
 # Default Anomaly Scores (rule 900100 in crs-setup.conf)
-SecRule &TX:critical_anomaly_score "@eq 0" \
- "id:901140,\
- phase:1,\
- pass,\
- nolog,\
- ver:'OWASP_CRS/4.0.0-rc1',\
- setvar:'tx.critical_anomaly_score=5'"
-
-SecRule &TX:error_anomaly_score "@eq 0" \
- "id:901141,\
- phase:1,\
- pass,\
- nolog,\
- ver:'OWASP_CRS/4.0.0-rc1',\
- setvar:'tx.error_anomaly_score=4'"
-
-SecRule &TX:warning_anomaly_score "@eq 0" \
- "id:901142,\
- phase:1,\
- pass,\
- nolog,\
- ver:'OWASP_CRS/4.0.0-rc1',\
- setvar:'tx.warning_anomaly_score=3'"
-
-SecRule &TX:notice_anomaly_score "@eq 0" \
- "id:901143,\
- phase:1,\
- pass,\
- nolog,\
- ver:'OWASP_CRS/4.0.0-rc1',\
- setvar:'tx.notice_anomaly_score=2'"
+SecRule &TX:critical_anomaly_score "@eq 0" "id:901140, phase:1, pass, nolog, ver:'OWASP_CRS/4.0.0-rc1', setvar:'tx.critical_anomaly_score=5'"
+
+SecRule &TX:error_anomaly_score "@eq 0" "id:901141, phase:1, pass, nolog, ver:'OWASP_CRS/4.0.0-rc1', setvar:'tx.error_anomaly_score=4'"
+
+SecRule &TX:warning_anomaly_score "@eq 0" "id:901142, phase:1, pass, nolog, ver:'OWASP_CRS/4.0.0-rc1', setvar:'tx.warning_anomaly_score=3'"
+
+SecRule &TX:notice_anomaly_score "@eq 0" "id:901143, phase:1, pass, nolog, ver:'OWASP_CRS/4.0.0-rc1',
setvar:'tx.notice_anomaly_score=2'"
 # Default HTTP policy: allowed_methods (rule 900200 in crs-setup.conf)
-SecRule &TX:allowed_methods "@eq 0" \
- "id:901160,\
- phase:1,\
- pass,\
- nolog,\
- ver:'OWASP_CRS/4.0.0-rc1',\
- setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
+SecRule &TX:allowed_methods "@eq 0" "id:901160, phase:1, pass, nolog, ver:'OWASP_CRS/4.0.0-rc1', setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
 # Default HTTP policy: allowed_request_content_type (rule 900220 in crs-setup.conf)
-SecRule &TX:allowed_request_content_type "@eq 0" \
- "id:901162,\
- phase:1,\
- pass,\
- nolog,\
- ver:'OWASP_CRS/4.0.0-rc1',\
- setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
+SecRule &TX:allowed_request_content_type "@eq 0" "id:901162, phase:1, pass, nolog, ver:'OWASP_CRS/4.0.0-rc1', setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
 # Default HTTP policy: allowed_request_content_type_charset (rule 900280 in crs-setup.conf)
-SecRule &TX:allowed_request_content_type_charset "@eq 0" \
- "id:901168,\
- phase:1,\
- pass,\
- nolog,\
- ver:'OWASP_CRS/4.0.0-rc1',\
- setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
+SecRule &TX:allowed_request_content_type_charset "@eq 0" "id:901168, phase:1, pass, nolog, ver:'OWASP_CRS/4.0.0-rc1', setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
 # Default HTTP policy: allowed_http_versions (rule 900230 in crs-setup.conf)
-SecRule &TX:allowed_http_versions "@eq 0" \
- "id:901163,\
- phase:1,\
- pass,\
- nolog,\
-
ver:'OWASP_CRS/4.0.0-rc1',\
- setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
+SecRule &TX:allowed_http_versions "@eq 0" "id:901163, phase:1, pass, nolog, ver:'OWASP_CRS/4.0.0-rc1', setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
 # Default HTTP policy: restricted_extensions (rule 900240 in crs-setup.conf)
-SecRule &TX:restricted_extensions "@eq 0" \
- "id:901164,\
- phase:1,\
- pass,\
- nolog,\
- ver:'OWASP_CRS/4.0.0-rc1',\
- setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
+SecRule &TX:restricted_extensions "@eq 0" "id:901164, phase:1, pass, nolog, ver:'OWASP_CRS/4.0.0-rc1', setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
 # Default HTTP policy: restricted_headers (rule 900250 in crs-setup.conf)
-SecRule &TX:restricted_headers "@eq 0" \
- "id:901165,\
- phase:1,\
- pass,\
- nolog,\
- ver:'OWASP_CRS/4.0.0-rc1',\
- setvar:'tx.restricted_headers=/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
+SecRule &TX:restricted_headers "@eq 0" "id:901165, phase:1, pass, nolog, ver:'OWASP_CRS/4.0.0-rc1', setvar:'tx.restricted_headers=/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
 # Default enforcing of
body processor URLENCODED (rule 900010 in crs-setup.conf)
-SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
- "id:901167,\
- phase:1,\
- pass,\
- nolog,\
- ver:'OWASP_CRS/4.0.0-rc1',\
- setvar:'tx.enforce_bodyproc_urlencoded=0'"
+SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" "id:901167, phase:1, pass, nolog, ver:'OWASP_CRS/4.0.0-rc1', setvar:'tx.enforce_bodyproc_urlencoded=0'"
 # Default check for UTF8 encoding validation (rule 900950 in crs-setup.conf)
-SecRule &TX:crs_validate_utf8_encoding "@eq 0" \
- "id:901169,\
- phase:1,\
- pass,\
- nolog,\
- ver:'OWASP_CRS/4.0.0-rc1',\
- setvar:'tx.crs_validate_utf8_encoding=0'"
+SecRule &TX:crs_validate_utf8_encoding "@eq 0" "id:901169, phase:1, pass, nolog, ver:'OWASP_CRS/4.0.0-rc1', setvar:'tx.crs_validate_utf8_encoding=0'"
 #
 # -=[ Initialize internal variables ]=-
@@ -247,34 +124,7 @@ SecRule &TX:crs_validate_utf8_encoding "@eq 0" \
 # All _score variables start at 0, and are incremented by the various rules
 # upon detection of a possible attack.
-SecAction \
- "id:901200,\
- phase:1,\
- pass,\
- t:none,\
- nolog,\
- ver:'OWASP_CRS/4.0.0-rc1',\
- setvar:'tx.blocking_inbound_anomaly_score=0',\
- setvar:'tx.detection_inbound_anomaly_score=0',\
- setvar:'tx.inbound_anomaly_score_pl1=0',\
- setvar:'tx.inbound_anomaly_score_pl2=0',\
- setvar:'tx.inbound_anomaly_score_pl3=0',\
- setvar:'tx.inbound_anomaly_score_pl4=0',\
- setvar:'tx.sql_injection_score=0',\
- setvar:'tx.xss_score=0',\
- setvar:'tx.rfi_score=0',\
- setvar:'tx.lfi_score=0',\
- setvar:'tx.rce_score=0',\
- setvar:'tx.php_injection_score=0',\
- setvar:'tx.http_violation_score=0',\
- setvar:'tx.session_fixation_score=0',\
- setvar:'tx.blocking_outbound_anomaly_score=0',\
- setvar:'tx.detection_outbound_anomaly_score=0',\
- setvar:'tx.outbound_anomaly_score_pl1=0',\
- setvar:'tx.outbound_anomaly_score_pl2=0',\
- setvar:'tx.outbound_anomaly_score_pl3=0',\
- setvar:'tx.outbound_anomaly_score_pl4=0',\
- setvar:'tx.anomaly_score=0'"
+SecAction "id:901200,phase:1,pass,t:none,nolog,ver:'OWASP_CRS/4.0.0-rc1',setvar:'tx.blocking_inbound_anomaly_score=0',setvar:'tx.detection_inbound_anomaly_score=0',setvar:'tx.inbound_anomaly_score_pl1=0',setvar:'tx.inbound_anomaly_score_pl2=0',setvar:'tx.inbound_anomaly_score_pl3=0',setvar:'tx.inbound_anomaly_score_pl4=0',setvar:'tx.sql_injection_score=0',setvar:'tx.xss_score=0',setvar:'tx.rfi_score=0',setvar:'tx.lfi_score=0',setvar:'tx.rce_score=0',setvar:'tx.php_injection_score=0',setvar:'tx.http_violation_score=0',setvar:'tx.session_fixation_score=0', setvar:'tx.blocking_outbound_anomaly_score=0', setvar:'tx.detection_outbound_anomaly_score=0', setvar:'tx.outbound_anomaly_score_pl1=0', setvar:'tx.outbound_anomaly_score_pl2=0', setvar:'tx.outbound_anomaly_score_pl3=0', setvar:'tx.outbound_anomaly_score_pl4=0', setvar:'tx.anomaly_score=0'"
 #
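Review bot: The new 901200 line mixes two separator styles: the first twenty actions, through `setvar:'tx.session_fixation_score=0'`, are joined with a bare `,`, while the remaining seven (`, setvar:'tx.blocking_outbound_anomaly_score=0', …`) each get `, `, which is the style every other collapsed rule in this patch uses. Pick one form for the whole action list — `, ` to match the rest of the file — so that a grep for `, setvar:` or any later reformatting script treats the line uniformly. Behaviour is unaffected either way, assuming the loader tolerates both spacings as ModSecurity does.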
@@ -286,17 +136,8 @@ SecAction \
 # IP collection is initialized with the IP address concatened with the hashed user agent.
 # Disable collection initialization by default (see rule 900130 in crs-setup.conf)
-SecRule TX:ENABLE_DEFAULT_COLLECTIONS "@eq 1" \
- "id:901320,\
- phase:1,\
- pass,\
- nolog,\
- ver:'OWASP_CRS/4.0.0-rc1',\
- chain"
- SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \
- "t:none,t:sha1,t:hexEncode,\
- initcol:global=global,\
- initcol:ip=%{remote_addr}_%{MATCHED_VAR}"
+SecRule TX:ENABLE_DEFAULT_COLLECTIONS "@eq 1" "id:901320, phase:1, pass, nolog, ver:'OWASP_CRS/4.0.0-rc1', chain"
+ SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" "t:none,t:sha1,t:hexEncode, initcol:global=global, initcol:ip=%{remote_addr}_%{MATCHED_VAR}"
 #
 # -=[ Initialize Correct Body Processing ]=-
@@ -305,29 +146,11 @@ SecRule TX:ENABLE_DEFAULT_COLLECTIONS "@eq 1" \
 #
 # Force body variable
-SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
- "id:901340,\
- phase:1,\
- pass,\
- nolog,\
- noauditlog,\
- msg:'Enabling body inspection',\
- ctl:forceRequestBodyVariable=On,\
- ver:'OWASP_CRS/4.0.0-rc1'"
+SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "id:901340, phase:1, pass, nolog, noauditlog, msg:'Enabling body inspection', ctl:forceRequestBodyVariable=On, ver:'OWASP_CRS/4.0.0-rc1'"
 # Force body processor URLENCODED
-SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
- "id:901350,\
- phase:1,\
- pass,\
- t:none,t:urlDecodeUni,\
- nolog,\
- noauditlog,\
- msg:'Enabling forced body inspection for ASCII content',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- chain"
- SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
- "ctl:requestBodyProcessor=URLENCODED"
+SecRule TX:enforce_bodyproc_urlencoded "@eq 1" "id:901350, phase:1, pass, t:none,t:urlDecodeUni, nolog, noauditlog, msg:'Enabling forced body inspection for ASCII content', ver:'OWASP_CRS/4.0.0-rc1', chain"
+ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "ctl:requestBodyProcessor=URLENCODED"
 #
@@ -358,23 +181,9 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
 # Leading zeros are not removed from the two-digit random number, and are
 # handled gracefullly by 901450
-SecRule TX:sampling_percentage "@eq 100" \
- "id:901400,\
- phase:1,\
- pass,\
- nolog,\
- ver:'OWASP_CRS/4.0.0-rc1',\
- skipAfter:END-SAMPLING"
-
-SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
- "id:901410,\
- phase:1,\
- pass,\
- capture,\
- t:sha1,t:hexEncode,\
- nolog,\
- ver:'OWASP_CRS/4.0.0-rc1',\
- setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'"
+SecRule TX:sampling_percentage "@eq 100" "id:901400, phase:1, pass, nolog, ver:'OWASP_CRS/4.0.0-rc1', skipAfter:END-SAMPLING"
+
+SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" "id:901410, phase:1, pass, capture, t:sha1,t:hexEncode, nolog, ver:'OWASP_CRS/4.0.0-rc1', setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'"
 #
 # Sampling decision
@@ -389,15 +198,7 @@ SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
 #
-SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
- "id:901450,\
- phase:1,\
- pass,\
- log,\
- noauditlog,\
- msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\
- ctl:ruleRemoveByTag=OWASP_CRS,\
- ver:'OWASP_CRS/4.0.0-rc1'"
+SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" "id:901450, phase:1, pass, log, noauditlog, msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}', ctl:ruleRemoveByTag=OWASP_CRS, ver:'OWASP_CRS/4.0.0-rc1'"
 SecMarker "END-SAMPLING"
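Review bot: 901410 derives the sampling number from `UNIQUE_ID`, a variable populated by Apache's mod_unique_id; an engine that does not set it gives the rule nothing to match, so `TX.sampling_rnd100` is never defined and the `!@lt` test in 901450 (the following hunk) has no operand to evaluate. In ModSecurity that most likely means 901450 never fires and every request is inspected regardless of `tx.sampling_percentage` — fail-safe, but it silently turns the sampling feature into a no-op in whatever engine loads `appsec/crs`. Worth one test with `tx.sampling_percentage` below 100 and a comment above 901410 recording the result, e.g. `# UNIQUE_ID is Apache-specific; if the engine does not populate it, sampling never disables the rule set`.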
@@ -407,12 +208,4 @@ SecMarker "END-SAMPLING"
 #
 # Make sure detection paranoia level is not lower than paranoia level
-SecRule TX:detection_paranoia_level "@lt %{tx.blocking_paranoia_level}" \
- "id:901500,\
- phase:1,\
- deny,\
- status:500,\
- t:none,\
- log,\
- msg:'Detection paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\
- ver:'OWASP_CRS/4.0.0-rc1'"
+SecRule TX:detection_paranoia_level "@lt %{tx.blocking_paranoia_level}" "id:901500, phase:1, deny, status:500, t:none, log, msg:'Detection paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting', ver:'OWASP_CRS/4.0.0-rc1'"
diff --git a/appsec/crs/REQUEST-905-COMMON-EXCEPTIONS.conf b/appsec/crs/REQUEST-905-COMMON-EXCEPTIONS.conf
index a945f4d6..9511d392 100644
--- a/appsec/crs/REQUEST-905-COMMON-EXCEPTIONS.conf
+++ b/appsec/crs/REQUEST-905-COMMON-EXCEPTIONS.conf
@@ -14,42 +14,12 @@
 #
 # Exception for Apache SSL pinger
 #
-SecRule REQUEST_LINE "@streq GET /" \
- "id:905100,\
- phase:1,\
- pass,\
- t:none,\
- nolog,\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-apache',\
- tag:'attack-generic',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- chain"
- SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
- "t:none,\
- ctl:ruleRemoveByTag=OWASP_CRS,\
- ctl:auditEngine=Off"
+SecRule REQUEST_LINE "@streq GET /" "id:905100, phase:1, pass, t:none, nolog, tag:'application-multi', tag:'language-multi', tag:'platform-apache', tag:'attack-generic', ver:'OWASP_CRS/4.0.0-rc1', chain"
+ SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" "t:none, ctl:ruleRemoveByTag=OWASP_CRS, ctl:auditEngine=Off"
 #
 # Exception for Apache internal dummy connection
 #
-SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
- "id:905110,\
- phase:1,\
- pass,\
- t:none,\
- nolog,\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-apache',\
- tag:'attack-generic',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- chain"
- SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \
- "t:none,\
- chain"
- SecRule REQUEST_LINE "@rx ^(?:GET /|OPTIONS \*) HTTP/[12]\.[01]$" \
- "t:none,\
- ctl:ruleRemoveByTag=OWASP_CRS,\
- ctl:auditEngine=Off"
+SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" "id:905110, phase:1, pass, t:none, nolog, tag:'application-multi', tag:'language-multi', tag:'platform-apache', tag:'attack-generic', ver:'OWASP_CRS/4.0.0-rc1', chain"
+ SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" "t:none, chain"
+ SecRule REQUEST_LINE "@rx ^(?:GET /|OPTIONS \*) HTTP/[12]\.[01]$" "t:none, ctl:ruleRemoveByTag=OWASP_CRS, ctl:auditEngine=Off"
diff --git a/appsec/crs/REQUEST-911-METHOD-ENFORCEMENT.conf b/appsec/crs/REQUEST-911-METHOD-ENFORCEMENT.conf
index 26a57b55..d46939e5 100644
--- a/appsec/crs/REQUEST-911-METHOD-ENFORCEMENT.conf
+++ b/appsec/crs/REQUEST-911-METHOD-ENFORCEMENT.conf
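Review bot: Both 905100 and 905110 key on `REMOTE_ADDR "@ipMatch 127.0.0.1,::1"` and then execute `ctl:ruleRemoveByTag=OWASP_CRS` and `ctl:auditEngine=Off`, which switches the entire CRS and its audit trail off for that request; upstream ships them for Apache's own SSL pinger and internal dummy connection, where loopback really does mean "the server itself". If the engine that loads `appsec/crs` sits behind a local reverse proxy or sidecar so that REMOTE_ADDR is loopback for real client traffic, 905110 becomes client-triggerable: any request with a User-Agent ending in `(internal dummy connection)` and a `GET / HTTP/1.1` or `OPTIONS * HTTP/1.x` request line is passed uninspected and unlogged (the exposure is limited to headers and any body, since the request line carries no query string, but it is still a WAF-off, audit-off path). Confirm that REMOTE_ADDR here is the real client address; if it is not, drop these two rules or switch the match to the variable that carries the client IP in this deployment, and record the decision in the `# Exception for …` comments above each rule.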
@@ -25,23 +25,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,skipAf
 #
 # tx.allowed_methods is defined in the crs-setup.conf file
 #
-SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
- "id:911100,\
- phase:1,\
- block,\
- msg:'Method is not allowed by policy',\
- logdata:'%{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-generic',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/210/272/220/274',\
- tag:'PCI/12.1',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" "id:911100, phase:1, block, msg:'Method is not allowed by policy', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-generic', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272/220/274', tag:'PCI/12.1', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
diff --git a/appsec/crs/REQUEST-913-SCANNER-DETECTION.conf b/appsec/crs/REQUEST-913-SCANNER-DETECTION.conf
index c4d777ac..872e6e98 100644
--- a/appsec/crs/REQUEST-913-SCANNER-DETECTION.conf
+++ b/appsec/crs/REQUEST-913-SCANNER-DETECTION.conf
@@ -34,69 +34,14 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,skipAf
 # Chained rule is allow listing:
 # YUM package manager of CentOS / Fedore: User-Agent: urlgrabber/3.10 yum/3.4.3
 # eCairn service: User-Agent: mozilla/5.0 ecairn-grabber/1.0 (+http://ecairn.com/grabber)
-SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
- "id:913100,\
- phase:1,\
- block,\
- capture,\
- t:none,\
- msg:'Found User-Agent associated with security scanner',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-reputation-scanner',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/224/541/310',\
- tag:'PCI/6.5.10',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- chain"
- SecRule MATCHED_VARS "!@rx ^(?:urlgrabber/[0-9\.]+ yum/[0-9\.]+|mozilla/[0-9\.]+ ecairn-grabber/[0-9\.]+ \(\+http://ecairn.com/grabber\))$" \
- "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-
-SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data" \
- "id:913110,\
- phase:1,\
- block,\
- capture,\
- t:none,\
- msg:'Found request header associated with security scanner',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-reputation-scanner',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/224/541/310',\
- tag:'PCI/6.5.10',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-
-
-
-SecRule REQUEST_FILENAME|ARGS "@pmFromFile scanners-urls.data" \
- "id:913120,\
- phase:2,\
- block,\
- capture,\
- t:none,\
- msg:'Found request filename/argument associated with security scanner',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}:
%{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-reputation-scanner',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/224/541/310',\
- tag:'PCI/6.5.10',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" "id:913100, phase:1, block, capture, t:none, msg:'Found User-Agent associated with security scanner', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-reputation-scanner', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/224/541/310', tag:'PCI/6.5.10', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', chain"
+ SecRule MATCHED_VARS "!@rx ^(?:urlgrabber/[0-9\.]+ yum/[0-9\.]+|mozilla/[0-9\.]+ ecairn-grabber/[0-9\.]+ \(\+http://ecairn.com/grabber\))$" "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data" "id:913110, phase:1, block, capture, t:none, msg:'Found request header associated with security scanner', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-reputation-scanner', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/224/541/310', tag:'PCI/6.5.10', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+
+SecRule REQUEST_FILENAME|ARGS "@pmFromFile scanners-urls.data" "id:913120, phase:2, block, capture, t:none, msg:'Found request filename/argument associated with security scanner', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi',
tag:'platform-multi', tag:'attack-reputation-scanner', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/224/541/310', tag:'PCI/6.5.10', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
@@ -115,25 +60,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,skipAf
 #
 # This rule is a sibling of rule 913100.
 #
-SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
- "id:913101,\
- phase:1,\
- block,\
- capture,\
- t:none,\
- msg:'Found User-Agent associated with scripting/generic HTTP client',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-reputation-scripting',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/224/541/310',\
- tag:'PCI/6.5.10',\
- tag:'paranoia-level/2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" "id:913101, phase:1, block, capture, t:none, msg:'Found User-Agent associated with scripting/generic HTTP client', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-reputation-scripting', tag:'OWASP_CRS', tag:'capec/1000/118/224/541/310', tag:'PCI/6.5.10', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -146,25 +73,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
 #
 # This rule is a sibling of rule 913100.
 #
-SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \
- "id:913102,\
- phase:1,\
- block,\
- capture,\
- t:none,\
- msg:'Found User-Agent associated with web crawler/bot',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-reputation-crawler',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116/150',\
- tag:'PCI/6.5.10',\
- tag:'paranoia-level/2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" "id:913102, phase:1, block, capture, t:none, msg:'Found User-Agent associated with web crawler/bot', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-reputation-crawler', tag:'OWASP_CRS', tag:'capec/1000/118/116/150', tag:'PCI/6.5.10', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
diff --git a/appsec/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/appsec/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
index 57c4d340..07e64b70 100644
--- a/appsec/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+++ b/appsec/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -50,23 +50,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,skipAf
 # https://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1
 # http://capec.mitre.org/data/definitions/272.html
 #
-SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?|(?:connect (?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}\.?(?::[0-9]+)?|[\--9A-Z_a-z]+:[0-9]+)|options \*|[a-z]{3,10}[\s\v]+(?:[0-9A-Z_a-z]{3,7}?://[\--9A-Z_a-z]*(?::[0-9]+)?)?/[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?)[\s\v]+[\.-9A-Z_a-z]+)$" \
- "id:920100,\
- phase:1,\
- block,\
- t:none,\
- msg:'Invalid HTTP Request Line',\
- logdata:'%{request_line}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'WARNING',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
+SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?|(?:connect (?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}\.?(?::[0-9]+)?|[\--9A-Z_a-z]+:[0-9]+)|options \*|[a-z]{3,10}[\s\v]+(?:[0-9A-Z_a-z]{3,7}?://[\--9A-Z_a-z]*(?::[0-9]+)?)?/[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?)[\s\v]+[\.-9A-Z_a-z]+)$" "id:920100, phase:1, block, t:none, msg:'Invalid HTTP Request Line', logdata:'%{request_line}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/4.0.0-rc1', severity:'WARNING', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
 #
@@ -106,23 +90,7 @@ SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?|(?
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 # crs-toolchain regex update 920120
 #
-SecRule FILES|FILES_NAMES "!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|[ain-o]tild)e|[c-elnr-tz]caron|(?:[cgk-lnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^\"';=])*$" \
- "id:920120,\
- phase:2,\
- block,\
- t:none,t:urlDecodeUni,\
- msg:'Attempted multipart/form-data bypass',\
- logdata:'%{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule FILES|FILES_NAMES "!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|[ain-o]tild)e|[c-elnr-tz]caron|(?:[cgk-lnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^\"';=])*$" "id:920120, phase:2, block, t:none,t:urlDecodeUni, msg:'Attempted multipart/form-data bypass', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 #
@@ -135,23 +103,7 @@ SecRule FILES|FILES_NAMES "!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|
 # -=[ References ]=-
 # https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.13
 #
-SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
- "id:920160,\
- phase:1,\
- block,\
- t:none,\
- msg:'Content-Length HTTP header is not numeric',\
- logdata:'%{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" "id:920160, phase:1, block, t:none, msg:'Content-Length HTTP header is not numeric', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 #
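Review bot: 920160 verifies that each Content-Length value is numeric but does not react to the header appearing more than once, so a request carrying two Content-Length headers with different values — the shape used for CL.CL / CL.TE desync against a proxy chain — passes this rule as long as both values are digits. Unless the engine itself or a rule outside this hunk rejects duplicates, a sibling check along the lines of `SecRule &REQUEST_HEADERS:Content-Length "@gt 1"` scored like 920160 would close that gap cheaply; 920171 and 920180 later in this file reason about Transfer-Encoding presence but, from what is visible here, not about duplicated Content-Length. I cannot see the rest of the file from this hunk, so this may already be covered elsewhere — worth a quick check before adding it.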
@@ -169,51 +121,15 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \ # -=[ References ]=- # https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.3 # -SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \ - "id:920170,\ - phase:1,\ - block,\ - t:none,\ - msg:'GET or HEAD Request with Body Content',\ - logdata:'%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - chain" - SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \ - "t:none,\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" "id:920170, phase:1, block, t:none, msg:'GET or HEAD Request with Body Content', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', chain" + SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" "t:none, setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # This is a sibling of rule 920170 # -SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \ - "id:920171,\ - phase:1,\ - block,\ - t:none,\ - msg:'GET or HEAD Request with Transfer-Encoding',\ - logdata:'%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - chain" - SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \ - "t:none,\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" "id:920171, phase:1, block, t:none, msg:'GET or HEAD Request with Transfer-Encoding', logdata:'%{MATCHED_VAR}', tag:'application-multi', 
tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', chain" + SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" "t:none, setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # @@ -230,29 +146,10 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \ # request method is POST, if so, it checks that a Content-Length or # Transfer-Encoding headers are also present. # -SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0" \ - "id:920180,\ - phase:1,\ - block,\ - t:none,\ - msg:'POST without Content-Length or Transfer-Encoding headers',\ - logdata:'%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'WARNING',\ - chain" - SecRule REQUEST_METHOD "@streq POST" \ - "chain" - SecRule &REQUEST_HEADERS:Content-Length "@eq 0" \ - "chain" - SecRule &REQUEST_HEADERS:Transfer-Encoding "@eq 0" \ - "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" +SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0" "id:920180, phase:1, block, t:none, msg:'POST without Content-Length or Transfer-Encoding headers', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/4.0.0-rc1', severity:'WARNING', chain" + SecRule REQUEST_METHOD "@streq POST" "chain" + SecRule &REQUEST_HEADERS:Content-Length "@eq 0" "chain" + SecRule &REQUEST_HEADERS:Transfer-Encoding "@eq 0" "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" # # As per RFC7230 3.3.2: A sender MUST NOT send a Content-Length 
@@ -261,25 +158,8 @@ SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0" \ # # Related to 920170, 920171 and 920180. # -SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \ - "id:920181,\ - phase:1,\ - block,\ - t:none,\ - msg:'Content-Length and Transfer-Encoding headers present',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'WARNING',\ - chain" - SecRule &REQUEST_HEADERS:Content-Length "!@eq 0" \ - "t:none,\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" +SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" "id:920181, phase:1, block, t:none, msg:'Content-Length and Transfer-Encoding headers present', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/4.0.0-rc1', severity:'WARNING', chain" + SecRule &REQUEST_HEADERS:Content-Length "!@eq 0" "t:none, setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" # 
@@ -297,26 +177,8 @@ SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \ # https://tools.ietf.org/html/rfc7233 # https://seclists.org/fulldisclosure/2011/Aug/175 # -SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \ - "id:920190,\ - phase:1,\ - block,\ - capture,\ - t:none,\ - msg:'Range: Invalid Last Byte Value',\ - logdata:'%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'WARNING',\ - chain" - SecRule TX:2 "@lt %{tx.1}" \ - "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" +SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" "id:920190, phase:1, block, capture, t:none, msg:'Range: Invalid Last Byte Value', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/4.0.0-rc1', severity:'WARNING', chain" + SecRule TX:2 "@lt %{tx.1}" "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" # 
@@ -331,23 +193,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \ # http://www.bad-behavior.ioerror.us/about/ # https://tools.ietf.org/html/rfc7233 # -SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|close)\b" \ - "id:920210,\ - phase:1,\ - block,\ - t:none,\ - msg:'Multiple/Conflicting Connection Header Data Found',\ - logdata:'%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'WARNING',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" +SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|close)\b" "id:920210, phase:1, block, t:none, msg:'Multiple/Conflicting Connection Header Data Found', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/4.0.0-rc1', severity:'WARNING', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" # # Check URL encodings 
@@ -364,47 +210,12 @@ SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive| # http://localhost/?s=a%20b%20c%'/ # reason: %'/ is not a valid url encoding # -SecRule REQUEST_URI "@rx \x25" \ - "id:920220,\ - phase:1,\ - block,\ - t:none,\ - msg:'URL Encoding Abuse Attack Attempt',\ - logdata:'%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/255/153/267/72',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'WARNING',\ - chain" - SecRule REQUEST_URI "@validateUrlEncoding" \ - "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" - -SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded" \ - "id:920240,\ - phase:2,\ - block,\ - t:none,\ - msg:'URL Encoding Abuse Attack Attempt',\ - logdata:'%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/255/153/267/72',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'WARNING',\ - chain" - SecRule REQUEST_BODY "@rx \x25" \ - "chain" - SecRule REQUEST_BODY "@validateUrlEncoding" \ - "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" +SecRule REQUEST_URI "@rx \x25" "id:920220, phase:1, block, t:none, msg:'URL Encoding Abuse Attack Attempt', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/255/153/267/72', ver:'OWASP_CRS/4.0.0-rc1', severity:'WARNING', chain" + SecRule REQUEST_URI "@validateUrlEncoding" "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" + +SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded" "id:920240, phase:2, block, t:none, msg:'URL Encoding Abuse Attack Attempt', logdata:'%{MATCHED_VAR}', 
tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/255/153/267/72', ver:'OWASP_CRS/4.0.0-rc1', severity:'WARNING', chain" + SecRule REQUEST_BODY "@rx \x25" "chain" + SecRule REQUEST_BODY "@validateUrlEncoding" "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" # @@ -416,25 +227,8 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded # This chained rule first checks to see if the admin has set the TX:CRS_VALIDATE_UTF8_ENCODING # variable in the crs-setup.conf file. # -SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \ - "id:920250,\ - phase:2,\ - block,\ - t:none,\ - msg:'UTF8 Encoding Abuse Attack Attempt',\ - logdata:'%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/255/153/267',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'WARNING',\ - chain" - SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \ - "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" +SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" "id:920250, phase:2, block, t:none, msg:'UTF8 Encoding Abuse Attack Attempt', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/255/153/267', ver:'OWASP_CRS/4.0.0-rc1', severity:'WARNING', chain" + SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" # 
@@ -454,24 +248,7 @@ SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \ # https://www.checkpoint.com/defense/advisories/public/2007/cpai-2007-201.html # https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/719 # -SecRule REQUEST_URI|REQUEST_BODY "@rx \%u[fF]{2}[0-9a-fA-F]{2}" \ - "id:920260,\ - phase:2,\ - block,\ - t:none,\ - msg:'Unicode Full/Half Width Abuse Attack Attempt',\ - logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-iis',\ - tag:'platform-windows',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/255/153/267/72',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'WARNING',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" +SecRule REQUEST_URI|REQUEST_BODY "@rx \%u[fF]{2}[0-9a-fA-F]{2}" "id:920260, phase:2, block, t:none, msg:'Unicode Full/Half Width Abuse Attack Attempt', logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-iis', tag:'platform-windows', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/255/153/267/72', ver:'OWASP_CRS/4.0.0-rc1', severity:'WARNING', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" # 
@@ -511,23 +288,7 @@ SecRule REQUEST_URI|REQUEST_BODY "@rx \%u[fF]{2}[0-9a-fA-F]{2}" \ # 920274 generally has few positives. However, it would detect rare attacks # on Accept request headers and friends. -SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \ - "id:920270,\ - phase:2,\ - block,\ - t:none,t:urlDecodeUni,\ - msg:'Invalid character in request (null character)',\ - logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" "id:920270, phase:2, block, t:none,t:urlDecodeUni, msg:'Invalid character in request (null character)', logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # 
@@ -543,42 +304,10 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \ # These rules will first check to see if a Host header is present. # The second check is to see if a Host header exists but is empty. # -SecRule &REQUEST_HEADERS:Host "@eq 0" \ - "id:920280,\ - phase:1,\ - pass,\ - t:none,\ - msg:'Request Missing a Host Header',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - tag:'PCI/6.5.10',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'WARNING',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}',\ - skipAfter:END-HOST-CHECK" - - -SecRule REQUEST_HEADERS:Host "@rx ^$" \ - "id:920290,\ - phase:1,\ - pass,\ - t:none,\ - msg:'Empty Host Header',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'WARNING',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" +SecRule &REQUEST_HEADERS:Host "@eq 0" "id:920280, phase:1, pass, t:none, msg:'Request Missing a Host Header', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', tag:'PCI/6.5.10', ver:'OWASP_CRS/4.0.0-rc1', severity:'WARNING', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}', skipAfter:END-HOST-CHECK" + + +SecRule REQUEST_HEADERS:Host "@rx ^$" "id:920290, phase:1, pass, t:none, msg:'Empty Host Header', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/4.0.0-rc1', severity:'WARNING', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" SecMarker "END-HOST-CHECK" 
@@ -603,52 +332,16 @@ SecMarker "END-HOST-CHECK" # https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/366 # -SecRule REQUEST_HEADERS:Accept "@rx ^$" \ - "id:920310,\ - phase:1,\ - pass,\ - t:none,\ - msg:'Request Has an Empty Accept Header',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'NOTICE',\ - chain" - SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \ - "chain" - SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android Business Enterprise Entreprise" \ - "t:none,\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'" +SecRule REQUEST_HEADERS:Accept "@rx ^$" "id:920310, phase:1, pass, t:none, msg:'Request Has an Empty Accept Header', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/4.0.0-rc1', severity:'NOTICE', chain" + SecRule REQUEST_METHOD "!@rx ^OPTIONS$" "chain" + SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android Business Enterprise Entreprise" "t:none, setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'" # # This rule is a sibling of rule 920310. 
# -SecRule REQUEST_HEADERS:Accept "@rx ^$" \ - "id:920311,\ - phase:1,\ - pass,\ - t:none,\ - msg:'Request Has an Empty Accept Header',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'NOTICE',\ - chain" - SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \ - "chain" - SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \ - "t:none,\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'" +SecRule REQUEST_HEADERS:Accept "@rx ^$" "id:920311, phase:1, pass, t:none, msg:'Request Has an Empty Accept Header', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/4.0.0-rc1', severity:'NOTICE', chain" + SecRule REQUEST_METHOD "!@rx ^OPTIONS$" "chain" + SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none, setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'" # 
@@ -661,22 +354,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \ # the existence of the User-Agent header. # -SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \ - "id:920330,\ - phase:1,\ - pass,\ - t:none,\ - msg:'Empty User Agent Header',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'NOTICE',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'" +SecRule REQUEST_HEADERS:User-Agent "@rx ^$" "id:920330, phase:1, pass, t:none, msg:'Empty User Agent Header', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/4.0.0-rc1', severity:'NOTICE', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'" # # Missing Content-Type Header with Request Body 
@@ -698,25 +376,8 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \ # -=[ References ]=- # http://httpwg.org/specs/rfc7231.html#header.content-type -SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \ - "id:920340,\ - phase:1,\ - pass,\ - t:none,\ - msg:'Request Containing Content, but Missing Content-Type header',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'NOTICE',\ - chain" - SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \ - "t:none,\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'" +SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" "id:920340, phase:1, pass, t:none, msg:'Request Containing Content, but Missing Content-Type header', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/4.0.0-rc1', severity:'NOTICE', chain" + SecRule &REQUEST_HEADERS:Content-Type "@eq 0" "t:none, setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'" # Check that the host header is not an IP address # This is not an HTTP RFC violation but it is indicative of automated client access. 
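Review bot: The `msg` of 920340 is the only action value in the visible hunks that itself contains a comma (`msg:'Request Containing Content, but Missing Content-Type header'`), so after flattening it is the rule most sensitive to an action parser that splits the list on `, ` before honouring single quotes. If the consumer of this file is an engine other than ModSecurity, a load-time test that parses the file and asserts 920340 still carries its full message, with its chained `&REQUEST_HEADERS:Content-Type "@eq 0"` child attached, would catch a separator regression that no other rule here exercises. The rule is complete within the hunk.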
@@ -741,24 +402,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \ # https://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx # -SecRule REQUEST_HEADERS:Host "@rx (?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$)" \ - "id:920350,\ - phase:1,\ - block,\ - t:none,\ - msg:'Host header is a numeric IP address',\ - logdata:'%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - tag:'PCI/6.5.10',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'WARNING',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" +SecRule REQUEST_HEADERS:Host "@rx (?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$)" "id:920350, phase:1, block, t:none, msg:'Host header is a numeric IP address', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', tag:'PCI/6.5.10', ver:'OWASP_CRS/4.0.0-rc1', severity:'WARNING', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" # In most cases, you should expect a certain volume of each a request on your 
@@ -774,51 +418,15 @@ SecRule REQUEST_HEADERS:Host "@rx (?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$ # # Maximum number of arguments in request limited # -SecRule &TX:MAX_NUM_ARGS "@eq 1" \ - "id:920380,\ - phase:2,\ - block,\ - t:none,\ - msg:'Too many arguments in request',\ - logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - chain" - SecRule &ARGS "@gt %{tx.max_num_args}" \ - "t:none,\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule &TX:MAX_NUM_ARGS "@eq 1" "id:920380, phase:2, block, t:none, msg:'Too many arguments in request', logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', chain" + SecRule &ARGS "@gt %{tx.max_num_args}" "t:none, setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" ## -- Arguments limits -- # # Limit argument name length # -SecRule &TX:ARG_NAME_LENGTH "@eq 1" \ - "id:920360,\ - phase:2,\ - block,\ - t:none,\ - msg:'Argument name too long',\ - logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - chain" - SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" \ - "t:none,t:length,\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule &TX:ARG_NAME_LENGTH "@eq 1" "id:920360, phase:2, block, t:none, msg:'Argument name too long', logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', 
tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', chain" + SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" "t:none,t:length, setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # Limit argument value length 
@@ -826,101 +434,29 @@ SecRule &TX:ARG_NAME_LENGTH "@eq 1" \ # This rule is also triggered by an Apache Struts Remote Code Execution exploit: # [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ] # -SecRule &TX:ARG_LENGTH "@eq 1" \ - "id:920370,\ - phase:2,\ - block,\ - t:none,\ - msg:'Argument value too long',\ - logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - chain" - SecRule ARGS "@gt %{tx.arg_length}" \ - "t:none,t:length,\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule &TX:ARG_LENGTH "@eq 1" "id:920370, phase:2, block, t:none, msg:'Argument value too long', logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', chain" + SecRule ARGS "@gt %{tx.arg_length}" "t:none,t:length, setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # Limit arguments total length # -SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \ - "id:920390,\ - phase:2,\ - block,\ - t:none,\ - msg:'Total arguments size exceeded',\ - logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - chain" - SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" \ - "t:none,\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" "id:920390, phase:2, block, t:none, msg:'Total arguments size exceeded', 
logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', chain" + SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" "t:none, setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # -- File upload limits -- # # Individual file size is limited -SecRule &TX:MAX_FILE_SIZE "@eq 1" \ - "id:920400,\ - phase:1,\ - block,\ - t:none,\ - msg:'Uploaded file size too large',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - chain" - SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \ - "chain" - SecRule REQUEST_HEADERS:Content-Length "@gt %{tx.max_file_size}" \ - "t:none,\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule &TX:MAX_FILE_SIZE "@eq 1" "id:920400, phase:1, block, t:none, msg:'Uploaded file size too large', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', chain" + SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" "chain" + SecRule REQUEST_HEADERS:Content-Length "@gt %{tx.max_file_size}" "t:none, setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # Combined file size is limited # -SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \ - "id:920410,\ - phase:2,\ - block,\ - t:none,\ - msg:'Total uploaded files size too large',\ - logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - 
tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - chain" - SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \ - "t:none,\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule &TX:COMBINED_FILE_SIZES "@eq 1" "id:920410, phase:2, block, t:none, msg:'Total uploaded files size too large', logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', chain" + SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" "t:none, setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" 
@@ -940,174 +476,42 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \ # - application/soap+xml; charset=utf-8; action="urn:localhost-hwh#getQuestions" # - application/*+json -SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+*-]+(?:\s?;\s?(?:action|boundary|charset|component|start(?:-info)?|type|version)\s?=\s?['\"\w.()+,/:=?<>@#*-]+)*$" \ - "id:920470,\ - phase:1,\ - block,\ - t:none,t:lowercase,\ - msg:'Illegal Content-Type header',\ - logdata:'%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/255/153',\ - tag:'PCI/12.1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+*-]+(?:\s?;\s?(?:action|boundary|charset|component|start(?:-info)?|type|version)\s?=\s?['\"\w.()+,/:=?<>@#*-]+)*$" "id:920470, phase:1, block, t:none,t:lowercase, msg:'Illegal Content-Type header', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/255/153', tag:'PCI/12.1', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # In case Content-Type header can be parsed, check the mime-type against # the policy defined in the 'allowed_request_content_type' variable. # To change your policy, edit crs-setup.conf and activate rule 900220. 
-SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \ - "id:920420,\ - phase:1,\ - block,\ - capture,\ - t:none,\ - msg:'Request content type is not allowed by policy',\ - logdata:'%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/255/153',\ - tag:'PCI/12.1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.content_type=|%{tx.0}|',\ - chain" - SecRule TX:content_type "!@within %{tx.allowed_request_content_type}" \ - "t:lowercase,\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" "id:920420, phase:1, block, capture, t:none, msg:'Request content type is not allowed by policy', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/255/153', tag:'PCI/12.1', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.content_type=|%{tx.0}|', chain" + SecRule TX:content_type "!@within %{tx.allowed_request_content_type}" "t:lowercase, setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # Restrict charset parameter within the content-type header # -SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \ - "id:920480,\ - phase:1,\ - block,\ - capture,\ - t:none,\ - msg:'Request content type charset is not allowed by policy',\ - logdata:'%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/255/153',\ - tag:'PCI/12.1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.content_type_charset=|%{tx.1}|',\ - chain" - SecRule TX:content_type_charset "!@within %{tx.allowed_request_content_type_charset}" \ - "t:lowercase,\ - 
ctl:forceRequestBodyVariable=On,\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" "id:920480, phase:1, block, capture, t:none, msg:'Request content type charset is not allowed by policy', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/255/153', tag:'PCI/12.1', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.content_type_charset=|%{tx.1}|', chain" + SecRule TX:content_type_charset "!@within %{tx.allowed_request_content_type_charset}" "t:lowercase, ctl:forceRequestBodyVariable=On, setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # Restrict charset parameter inside content type header to occur max once. # -SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \ - "id:920530,\ - phase:1,\ - block,\ - t:none,t:lowercase,\ - msg:'Multiple charsets detected in content type header',\ - logdata:'%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/255/153',\ - tag:'PCI/12.1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" "id:920530, phase:1, block, t:none,t:lowercase, msg:'Multiple charsets detected in content type header', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/255/153', tag:'PCI/12.1', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # Restrict protocol versions. 
# -SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \ - "id:920430,\ - phase:1,\ - block,\ - t:none,\ - msg:'HTTP protocol version is not allowed by policy',\ - logdata:'%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - tag:'PCI/6.5.10',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" "id:920430, phase:1, block, t:none, msg:'HTTP protocol version is not allowed by policy', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', tag:'PCI/6.5.10', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # Restrict file extension # -SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \ - "id:920440,\ - phase:1,\ - block,\ - capture,\ - t:none,\ - msg:'URL file extension is restricted by policy',\ - logdata:'%{TX.0}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - tag:'PCI/6.5.10',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.extension=.%{tx.1}/',\ - chain" - SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" \ - "t:none,t:urlDecodeUni,t:lowercase,\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_BASENAME "@rx \.([^.]+)$" "id:920440, phase:1, block, capture, t:none, msg:'URL file extension is restricted by policy', logdata:'%{TX.0}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', 
tag:'capec/1000/210/272', tag:'PCI/6.5.10', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.extension=.%{tx.1}/', chain" + SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" "t:none,t:urlDecodeUni,t:lowercase, setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # Backup or "working" file extension # example: index.php~, /index.php~/foo/ # -SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \ - "id:920500,\ - phase:1,\ - block,\ - t:none,t:urlDecodeUni,\ - msg:'Attempt to access a backup or working file',\ - logdata:'%{TX.0}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - tag:'PCI/6.5.10',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" "id:920500, phase:1, block, t:none,t:urlDecodeUni, msg:'Attempt to access a backup or working file', logdata:'%{TX.0}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', tag:'PCI/6.5.10', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # Restricted HTTP headers 
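Review bot: The flattened action lists mix two separator conventions: the new 920470 line writes `"id:920470, phase:1, block, t:none,t:lowercase, msg:'Illegal Content-Type header', ..."` with a space after most commas but none inside the transformation chain, while the one-line rules this file already contained (`"id:920013,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"` in the 920600 hunk, and 920015/920017/920018 later) use a bare comma throughout. Normalising to one form, e.g. `"id:920470,phase:1,block,t:none,t:lowercase,msg:'Illegal Content-Type header',..."`, keeps the file self-consistent and makes later upstream syncs easier to diff. ModSecurity itself trims the whitespace after a comma, but whether the engine that loads this copy from `appsec/crs/` does the same is not visible here and deserves a load test before merge. The same pattern repeats in every other hunk of this file section, so a single normalisation pass covers them all.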
@@ -1134,28 +538,8 @@ SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \
 # -=[ References ]=-
 # https://access.redhat.com/security/vulnerabilities/httpoxy (Header Proxy)
 #
-SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
- "id:920450,\
- phase:1,\
- block,\
- capture,\
- t:none,t:lowercase,\
- msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',\
- logdata:'Restricted header detected: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/210/272',\
- tag:'PCI/12.1',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.header_name_%{tx.0}=/%{tx.0}/',\
- chain"
- SecRule TX:/^header_name_/ "@within %{tx.restricted_headers}" \
- "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" "id:920450, phase:1, block, capture, t:none,t:lowercase, msg:'HTTP header is restricted by policy (%{MATCHED_VAR})', logdata:'Restricted header detected: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272', tag:'PCI/12.1', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.header_name_%{tx.0}=/%{tx.0}/', chain"
+ SecRule TX:/^header_name_/ "@within %{tx.restricted_headers}" "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 #
 # Rule against CVE-2022-21907
 # This rule blocks Accept-Encoding headers longer than 50 characters.
@@ -1166,24 +550,7 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
 #
 # This rule has a stricter sibling: 920521
 #
-SecRule REQUEST_HEADERS:Accept-Encoding "@gt 50" \
- "id:920520,\
- phase:1,\
- block,\
- t:none,t:lowercase,t:length,\
- msg:'Accept-Encoding header exceeded sensible length',\
- logdata:'%{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/255/153',\
- tag:'PCI/12.1',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_HEADERS:Accept-Encoding "@gt 50" "id:920520, phase:1, block, t:none,t:lowercase,t:length, msg:'Accept-Encoding header exceeded sensible length', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/255/153', tag:'PCI/12.1', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 #
 # Restrict response charsets that we allow.
@@ -1200,69 +567,22 @@ SecRule REQUEST_HEADERS:Accept-Encoding "@gt 50" \ # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 920600 # -SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*(?:[\s\v]*,[\s\v]*(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*)*$" \ - "id:920600,\ - phase:1,\ - block,\ - t:none,t:lowercase,\ - msg:'Illegal Accept header: charset parameter',\ - logdata:'%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v 
-\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*(?:[\s\v]*,[\s\v]*(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*)*$" "id:920600, phase:1, block, t:none,t:lowercase, msg:'Illegal Accept header: charset parameter', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # Unicode character bypass check for non JSON requests # See reported bypass in issue: # https://github.com/coreruleset/coreruleset/issues/2512 # -SecRule REQBODY_PROCESSOR "!@streq JSON" \ - "id:920540,\ - phase:2,\ - block,\ - t:none,\ - msg:'Possible Unicode character bypass detected',\ - logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/255/153/267/72',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - chain" - SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?i)\x5cu[0-9a-f]{4}" \ - "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQBODY_PROCESSOR "!@streq JSON" "id:920540, phase:2, block, t:none, 
msg:'Possible Unicode character bypass detected', logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/255/153/267/72', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', chain" + SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?i)\x5cu[0-9a-f]{4}" "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # Disallow any raw URL fragments. The '#' character should be omitted or URL-encoded. # CRS rules generally do not check REQUEST_URI_RAW, but some servers accept the fragment as part of the URL path/query. # This creates false negative evasions. # -SecRule REQUEST_URI_RAW "@contains #" \ - "id:920610,\ - phase:1,\ - block,\ - t:none,\ - msg:'Raw (unencoded) fragment in request URI',\ - logdata:'%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_URI_RAW "@contains #" "id:920610, phase:1, block, t:none, msg:'Raw (unencoded) fragment in request URI', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" 
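Review bot: The comment kept directly above rule 920600 still instructs maintainers to refresh the regex with `crs-toolchain regex update 920600`, but the rule now carries its whole action list on the same line as the `!@rx` operator, which is not the multi-line layout the upstream tool reads and writes back; the 920521 hunk further down has the same comment and the same flattening. If the toolchain is still expected to regenerate these patterns, it is worth confirming it can locate and rewrite the rule in this form before relying on it, since a silently skipped update would leave a stale Accept/Accept-Encoding allow-list in place. Otherwise a one-line addition such as `# NOTE: this copy keeps each rule on one line; regenerate the regex in the upstream multi-line file and re-flatten.` would tell the next maintainer what to do.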
@@ -1291,90 +611,24 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,skipAf # https://httpd.apache.org/security/CVE-2011-3192.txt -SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \ - "id:920200,\ - phase:1,\ - block,\ - t:none,\ - msg:'Range: Too many fields (6 or more)',\ - logdata:'%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'WARNING',\ - chain" - SecRule REQUEST_BASENAME "!@endsWith .pdf" \ - "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'" +SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" "id:920200, phase:1, block, t:none, msg:'Range: Too many fields (6 or more)', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'OWASP_CRS', tag:'capec/1000/210/272', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'WARNING', chain" + SecRule REQUEST_BASENAME "!@endsWith .pdf" "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'" # # This is a sibling of rule 920200 # -SecRule REQUEST_BASENAME "@endsWith .pdf" \ - "id:920201,\ - phase:1,\ - block,\ - t:none,\ - msg:'Range: Too many fields for pdf request (63 or more)',\ - logdata:'%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'WARNING',\ - chain" - SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \ - "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'" - - -SecRule ARGS "@rx %[0-9a-fA-F]{2}" \ - "id:920230,\ - 
phase:2,\ - block,\ - t:none,\ - msg:'Multiple URL Encoding Detected',\ - logdata:'%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/255/153/267/120',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'WARNING',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'" +SecRule REQUEST_BASENAME "@endsWith .pdf" "id:920201, phase:1, block, t:none, msg:'Range: Too many fields for pdf request (63 or more)', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'OWASP_CRS', tag:'capec/1000/210/272', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'WARNING', chain" + SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'" + + +SecRule ARGS "@rx %[0-9a-fA-F]{2}" "id:920230, phase:2, block, t:none, msg:'Multiple URL Encoding Detected', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'OWASP_CRS', tag:'capec/1000/255/153/267/120', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'WARNING', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'" # # PL2: This is a stricter sibling of 920270. 
# -SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,32-126,128-255" \ - "id:920271,\ - phase:2,\ - block,\ - t:none,t:urlDecodeUni,\ - msg:'Invalid character in request (non printable characters)',\ - logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,32-126,128-255" "id:920271, phase:2, block, t:none,t:urlDecodeUni, msg:'Invalid character in request (non printable characters)', logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'OWASP_CRS', tag:'capec/1000/210/272', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" 
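Review bot: The two blank lines between rules 920201 and 920230 show up as both removed and re-added even though they contain no `\` continuation to join, which suggests the rewrite also changed invisible content on those lines (trailing whitespace or a CR/LF difference). Worth checking that line endings and trailing whitespace are uniform across the file after this change, so the next diff against upstream CRS shows only real rule changes. The 920230 and 920271 rules themselves carry the same `, ` versus `,` separator inconsistency already noted on the 920470 hunk.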
@@ -1385,45 +639,13 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,
 # This rules will check to see if there is a User-Agent header or not.
 #
-SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
- "id:920320,\
- phase:1,\
- pass,\
- t:none,\
- msg:'Missing User Agent Header',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/210/272',\
- tag:'PCI/6.5.10',\
- tag:'paranoia-level/2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'NOTICE',\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.notice_anomaly_score}'"
+SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "id:920320, phase:1, pass, t:none, msg:'Missing User Agent Header', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'OWASP_CRS', tag:'capec/1000/210/272', tag:'PCI/6.5.10', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'NOTICE', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.notice_anomaly_score}'"
 #
 # PL2: This is a stricter sibling of 920120.
 #
-SecRule FILES_NAMES|FILES "@rx ['\";=]" \
- "id:920121,\
- phase:2,\
- block,\
- t:none,t:urlDecodeUni,\
- msg:'Attempted multipart/form-data bypass',\
- logdata:'%{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/210/272',\
- tag:'paranoia-level/2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule FILES_NAMES|FILES "@rx ['\";=]" "id:920121, phase:2, block, t:none,t:urlDecodeUni, msg:'Attempted multipart/form-data bypass', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'OWASP_CRS', tag:'capec/1000/210/272', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 #
@@ -1433,25 +655,8 @@ SecRule FILES_NAMES|FILES "@rx ['\";=]" \
 # -=[ References ]=-
 # http://httpwg.org/specs/rfc7231.html#header.content-type
-SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
- "id:920341,\
- phase:1,\
- block,\
- t:none,\
- msg:'Request Containing Content Requires Content-Type header',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'paranoia-level/2',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/210/272',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- chain"
- SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
- "t:none,\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" "id:920341, phase:1, block, t:none, msg:'Request Containing Content Requires Content-Type header', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/2', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', chain"
+ SecRule &REQUEST_HEADERS:Content-Type "@eq 0" "t:none, setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
@@ -1466,23 +671,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,skipAf
 # This rule is also triggered by the following exploit(s):
 # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
 #
-SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 32-36,38-126" \
- "id:920272,\
- phase:2,\
- block,\
- t:none,t:urlDecodeUni,\
- msg:'Invalid character in request (outside of printable chars below ascii 127)',\
- logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/210/272',\
- tag:'paranoia-level/3',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 32-36,38-126" "id:920272, phase:2, block, t:none,t:urlDecodeUni, msg:'Invalid character in request (outside of printable chars below ascii 127)', logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'OWASP_CRS', tag:'capec/1000/210/272', tag:'paranoia-level/3', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 #
 # Missing Accept Header
@@ -1500,28 +689,9 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteR
 # As ModSecurity only reports the match of the last matching rule,
 # the alert is misleading.
 #
-SecRule &REQUEST_HEADERS:Accept "@eq 0" \
- "id:920300,\
- phase:1,\
- pass,\
- t:none,\
- msg:'Request Missing an Accept Header',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/210/272',\
- tag:'PCI/6.5.10',\
- tag:'paranoia-level/3',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'NOTICE',\
- chain"
- SecRule REQUEST_METHOD "!@rx ^(?:OPTIONS|CONNECT)$" \
- "chain"
- SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android" \
- "t:none,\
- setvar:'tx.inbound_anomaly_score_pl3=+%{tx.notice_anomaly_score}'"
+SecRule &REQUEST_HEADERS:Accept "@eq 0" "id:920300, phase:1, pass, t:none, msg:'Request Missing an Accept Header', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'OWASP_CRS', tag:'capec/1000/210/272', tag:'PCI/6.5.10', tag:'paranoia-level/3', ver:'OWASP_CRS/4.0.0-rc1', severity:'NOTICE', chain"
+ SecRule REQUEST_METHOD "!@rx ^(?:OPTIONS|CONNECT)$" "chain"
+ SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android" "t:none, setvar:'tx.inbound_anomaly_score_pl3=+%{tx.notice_anomaly_score}'"
 #
@@ -1534,25 +704,8 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
 # This rule is based on a blog post by Soroush Dalili at
 # https://soroush.secproject.com/blog/2019/05/x-up-devcap-post-charset-header-in-aspnet-to-bypass-wafs-again/
 #
-SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \
- "id:920490,\
- phase:1,\
- block,\
- t:none,\
- msg:'Request header x-up-devcap-post-charset detected in combination with prefix \'UP\' to User-Agent',\
- logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
- tag:'language-aspnet',\
- tag:'platform-windows',\
- tag:'attack-protocol',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/210/272',\
- tag:'paranoia-level/3',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- chain"
- SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \
- "t:none,\
- setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" "id:920490, phase:1, block, t:none, msg:'Request header x-up-devcap-post-charset detected in combination with prefix \'UP\' to User-Agent', logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}', tag:'language-aspnet', tag:'platform-windows', tag:'attack-protocol', tag:'OWASP_CRS', tag:'capec/1000/210/272', tag:'paranoia-level/3', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', chain"
+ SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" "t:none, setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 #
@@ -1585,26 +738,8 @@ SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \ # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control # - https://regex101.com/r/CZ0Hxu/22 # -SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \ - "id:920510,\ - phase:1,\ - block,\ - t:none,\ - msg:'Invalid Cache-Control request header',\ - logdata:'Invalid Cache-Control value in request found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'header-allowlist',\ - tag:'paranoia-level/3',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - chain" - SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:\s*\,\s*|$)){1,7}$" \ - "setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" +SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" "id:920510, phase:1, block, t:none, msg:'Invalid Cache-Control request header', logdata:'Invalid Cache-Control value in request found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'header-allowlist', tag:'paranoia-level/3', tag:'OWASP_CRS', tag:'capec/1000/210/272', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', chain" + SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:\s*\,\s*|$)){1,7}$" "setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" # # This rule checks for valid Accept-Encoding headers 
@@ -1616,24 +751,7 @@ SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 # crs-toolchain regex update 920521
 #
-SecRule REQUEST_HEADERS:Accept-Encoding "!@rx br|compress|deflate|(?:pack200-)?gzip|identity|\*|^$|aes128gcm|exi|zstd|x-(?:compress|gzip)" \
- "id:920521,\
- phase:1,\
- block,\
- t:none,t:lowercase,\
- msg:'Illegal Accept-Encoding header',\
- logdata:'%{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'paranoia-level/3',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/255/153',\
- tag:'PCI/12.1',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_HEADERS:Accept-Encoding "!@rx br|compress|deflate|(?:pack200-)?gzip|identity|\*|^$|aes128gcm|exi|zstd|x-(?:compress|gzip)" "id:920521, phase:1, block, t:none,t:lowercase, msg:'Illegal Accept-Encoding header', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/3', tag:'OWASP_CRS', tag:'capec/1000/255/153', tag:'PCI/12.1', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
@@ -1645,25 +763,8 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,skipAf
 # This is a stricter sibling of rule 920200
 #
-SecRule REQUEST_BASENAME "@endsWith .pdf" \
- "id:920202,\
- phase:1,\
- block,\
- t:none,\
- msg:'Range: Too many fields for pdf request (6 or more)',\
- logdata:'%{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/210/272',\
- tag:'paranoia-level/4',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'WARNING',\
- chain"
- SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
- "setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}'"
+SecRule REQUEST_BASENAME "@endsWith .pdf" "id:920202, phase:1, block, t:none, msg:'Range: Too many fields for pdf request (6 or more)', logdata:'%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'OWASP_CRS', tag:'capec/1000/210/272', tag:'paranoia-level/4', ver:'OWASP_CRS/4.0.0-rc1', severity:'WARNING', chain"
+ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" "setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}'"
 #
@@ -1672,44 +773,12 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
 # This rule is also triggered by the following exploit(s):
 # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
 #
-SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90,95,97-122" \
- "id:920273,\
- phase:2,\
- block,\
- t:none,t:urlDecodeUni,\
- msg:'Invalid character in request (outside of very strict set)',\
- logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/210/272',\
- tag:'paranoia-level/4',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
+SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90,95,97-122" "id:920273, phase:2, block, t:none,t:urlDecodeUni, msg:'Invalid character in request (outside of very strict set)', logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'OWASP_CRS', tag:'capec/1000/210/272', tag:'paranoia-level/4', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
 #
 # This is a stricter sibling of 920270.
#
-SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|!REQUEST_HEADERS:Sec-Fetch-User|!REQUEST_HEADERS:Sec-CH-UA|!REQUEST_HEADERS:Sec-CH-UA-Mobile "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122" \
- "id:920274,\
- phase:1,\
- block,\
- t:none,t:urlDecodeUni,\
- msg:'Invalid character in request headers (outside of very strict set)',\
- logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/210/272',\
- tag:'paranoia-level/4',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|!REQUEST_HEADERS:Sec-Fetch-User|!REQUEST_HEADERS:Sec-CH-UA|!REQUEST_HEADERS:Sec-CH-UA-Mobile "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122" "id:920274, phase:1, block, t:none,t:urlDecodeUni, msg:'Invalid character in request headers (outside of very strict set)', logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'OWASP_CRS', tag:'capec/1000/210/272', tag:'paranoia-level/4', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
 #
 # This is a stricter sibling of 920270.
@@ -1719,23 +788,7 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE
 # Sec-Fetch-User: https://www.w3.org/TR/fetch-metadata/#http-headerdef-sec-fetch-user
 # Sec-CH-UA-Mobile: https://wicg.github.io/ua-client-hints/#sec-ch-ua-mobile
 #
-SecRule REQUEST_HEADERS:Sec-Fetch-User|REQUEST_HEADERS:Sec-CH-UA-Mobile "!@rx ^(?:\?[01])?$" \
- "id:920275,\
- phase:1,\
- block,\
- t:none,t:urlDecodeUni,\
- msg:'Invalid character in request headers (outside of very strict set)',\
- logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/210/272',\
- tag:'paranoia-level/4',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_HEADERS:Sec-Fetch-User|REQUEST_HEADERS:Sec-CH-UA-Mobile "!@rx ^(?:\?[01])?$" "id:920275, phase:1, block, t:none,t:urlDecodeUni, msg:'Invalid character in request headers (outside of very strict set)', logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'OWASP_CRS', tag:'capec/1000/210/272', tag:'paranoia-level/4', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
 # -=[ Abnormal Character Escapes ]=-
 #
@@ -1762,25 +815,7 @@ SecRule REQUEST_HEADERS:Sec-Fetch-User|REQUEST_HEADERS:Sec-CH-UA-Mobile "!@rx ^(
 # This rule is also triggered by the following exploit(s):
 # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
 #
-SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\x5c])\x5c[cdeghijklmpqwxyz123456789]" \
- "id:920460,\
- phase:2,\
- block,\
- capture,\
- t:none,t:htmlEntityDecode,t:lowercase,\
- msg:'Abnormal character escapes in request',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'paranoia-level/4',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/153/267',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\x5c])\x5c[cdeghijklmpqwxyz123456789]" "id:920460, phase:2, block, capture, t:none,t:htmlEntityDecode,t:lowercase, msg:'Abnormal character escapes in request', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/4', tag:'OWASP_CRS', tag:'capec/1000/153/267', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
 #
diff --git a/appsec/crs/REQUEST-921-PROTOCOL-ATTACK.conf b/appsec/crs/REQUEST-921-PROTOCOL-ATTACK.conf
index c29ad75e..125e3b19 100644
--- a/appsec/crs/REQUEST-921-PROTOCOL-ATTACK.conf
+++ b/appsec/crs/REQUEST-921-PROTOCOL-ATTACK.conf
@@ -31,25 +31,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,skipAf
 # [ References ]
 # http://projects.webappsec.org/HTTP-Request-Smuggling
 #
-SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+[^\s]+\s+http/\d" \
- "id:921110,\
- phase:2,\
- block,\
- capture,\
- t:none,t:htmlEntityDecode,t:lowercase,\
- msg:'HTTP Request Smuggling Attack',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/210/272/220/33',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+[^\s]+\s+http/\d" "id:921110, phase:2, block, capture, t:none,t:htmlEntityDecode,t:lowercase, msg:'HTTP Request Smuggling Attack', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272/220/33', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 #
 # -=[ HTTP Response Splitting ]=-
@@ -63,46 +45,10 @@ SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connec
 # [ References ]
 # http://projects.webappsec.org/HTTP-Response-Splitting
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\r\n]\W*?(?:content-(?:type|length)|set-cookie|location):\s*\w" \
- "id:921120,\
- phase:2,\
- block,\
- capture,\
- t:none,t:lowercase,\
- msg:'HTTP Response Splitting Attack',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/210/272/220/34',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-
-
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\bhttp/\d|<(?:html|meta)\b)" \
- "id:921130,\
- phase:2,\
- block,\
- capture,\
- t:none,t:htmlEntityDecode,t:lowercase,\
- msg:'HTTP Response Splitting Attack',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/210/272/220/34',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\r\n]\W*?(?:content-(?:type|length)|set-cookie|location):\s*\w" "id:921120, phase:2, block, capture, t:none,t:lowercase, msg:'HTTP Response Splitting Attack', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',
tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272/220/34', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\bhttp/\d|<(?:html|meta)\b)" "id:921130, phase:2, block, capture, t:none,t:htmlEntityDecode,t:lowercase, msg:'HTTP Response Splitting Attack', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272/220/34', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 #
 # -=[ HTTP Header Injection ]=-
@@ -118,25 +64,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # [ References ]
 # https://en.wikipedia.org/wiki/HTTP_header_injection
 #
-SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
- "id:921140,\
- phase:1,\
- block,\
- capture,\
- t:none,t:htmlEntityDecode,\
- msg:'HTTP Header Injection Attack via headers',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/210/272/220/273',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" "id:921140, phase:1, block, capture, t:none,t:htmlEntityDecode, msg:'HTTP Header Injection Attack via headers', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272/220/273', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # Detect newlines in argument names.
@@ -146,46 +74,10 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
 # This rule is also triggered by the following exploit(s):
 # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
 #
-SecRule ARGS_NAMES "@rx [\n\r]" \
- "id:921150,\
- phase:2,\
- block,\
- capture,\
- t:none,t:htmlEntityDecode,\
- msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/210/272/220/33',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-
-
-SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" \
- "id:921160,\
- phase:1,\
- block,\
- capture,\
- t:none,t:htmlEntityDecode,t:lowercase,\
- msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/210/272/220/33',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule ARGS_NAMES "@rx [\n\r]" "id:921150, phase:2, block, capture, t:none,t:htmlEntityDecode, msg:'HTTP Header Injection Attack via payload (CR/LF detected)', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi',
tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272/220/33', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" "id:921160, phase:1, block, capture, t:none,t:htmlEntityDecode,t:lowercase, msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272/220/33', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # -=[ HTTP Splitting ]=-
@@ -193,24 +85,7 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook
 # This rule detect \n or \r in the REQUEST FILENAME
 # Reference: https://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)
 #
-SecRule REQUEST_FILENAME "@rx [\n\r]" \
- "id:921190,\
- phase:1,\
- block,\
- t:none,t:urlDecodeUni,\
- msg:'HTTP Splitting (CR/LF in request filename detected)',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/210/272/220/34',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_FILENAME "@rx [\n\r]" "id:921190, phase:1, block, t:none,t:urlDecodeUni, msg:'HTTP Splitting (CR/LF in request filename detected)', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272/220/34', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 #
@@ -226,23 +101,7 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \
 # * https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/
 # * https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/276#issue-126581660
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^[^:\(\)\&\|\!\<\>\~]*\)\s*(?:\((?:[^,\(\)\=\&\|\!\<\>\~]+[><~]?=|\s*[&!|]\s*(?:\)|\()?\s*)|\)\s*\(\s*[\&\|\!]\s*|[&!|]\s*\([^\(\)\=\&\|\!\<\>\~]+[><~]?=[^:\(\)\&\|\!\<\>\~]*)" \
- "id:921200,\
- phase:2,\
- block,\
- capture,\
- t:none,t:htmlEntityDecode,\
- msg:'LDAP Injection Attack',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-ldap',\
- tag:'platform-multi',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248/136',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^[^:\(\)\&\|\!\<\>\~]*\)\s*(?:\((?:[^,\(\)\=\&\|\!\<\>\~]+[><~]?=|\s*[&!|]\s*(?:\)|\()?\s*)|\)\s*\(\s*[\&\|\!]\s*|[&!|]\s*\([^\(\)\=\&\|\!\<\>\~]+[><~]?=[^:\(\)\&\|\!\<\>\~]*)" "id:921200, phase:2, block, capture, t:none,t:htmlEntityDecode, msg:'LDAP Injection Attack', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-ldap', tag:'platform-multi', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/136', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 #
 # -=[ Body Processor Bypass ]=-
@@ -257,25 +116,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 # crs-toolchain regex update 921421
 #
-SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\v,;]+[\s\v,;].*?(?:application/(?:.+\+)?json|(?:application/(?:soap\+)?|text/)xml)" \
- "id:921421,\
- phase:1,\
- block,\
- capture,\
- t:none,t:lowercase,\
- msg:'Content-Type header: Dangerous content type outside the mime type declaration',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/255/153',\
- tag:'PCI/12.1',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\v,;]+[\s\v,;].*?(?:application/(?:.+\+)?json|(?:application/(?:soap\+)?|text/)xml)" "id:921421, phase:1, block, capture, t:none,t:lowercase, msg:'Content-Type header: Dangerous content type outside the mime type declaration', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/255/153', tag:'PCI/12.1', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 #
@@ -284,24 +125,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\v,;]+[\s\v,;].*?(?:application/(
 # This issue affects Apache HTTP Server 2.4.48 and earlier.
 # GET /?unix:AAAAAAAAAAAAA|http://coreruleset.org/
 #
-SecRule REQUEST_URI "@rx unix:[^|]*\|" \
- "id:921240,\
- phase:1,\
- block,\
- capture,\
- t:none,t:lowercase,\
- msg:'mod_proxy attack attempt detected',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-apache',\
- tag:'attack-protocol',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/210/272/220/33',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_URI "@rx unix:[^|]*\|" "id:921240, phase:1, block, capture, t:none,t:lowercase, msg:'mod_proxy attack attempt detected', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-apache', tag:'attack-protocol', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/210/272/220/33', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
@@ -317,25 +141,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,skipAf
 #
 # See also: rule 921140, 921150
 #
-SecRule ARGS_GET "@rx [\n\r]" \
- "id:921151,\
- phase:1,\
- block,\
- capture,\
- t:none,t:urlDecodeUni,t:htmlEntityDecode,\
- msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'paranoia-level/2',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/210/272/220/33',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule ARGS_GET "@rx [\n\r]" "id:921151, phase:1, block, capture, t:none,t:urlDecodeUni,t:htmlEntityDecode, msg:'HTTP Header Injection Attack via payload (CR/LF detected)', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/2', tag:'OWASP_CRS', tag:'capec/1000/210/272/220/33', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 #
 # -=[ Body Processor Bypass ]=-
@@ -352,25 +158,7 @@ SecRule ARGS_GET "@rx [\n\r]" \
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 # crs-toolchain regex update 921422
 #
-SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\v,;]+[\s\v,;].*?\b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([\+/]))\b" \
- "id:921422,\
- phase:1,\
- block,\
- capture,\
- t:none,t:lowercase,\
- msg:'Content-Type header: Dangerous content type outside the mime type declaration',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'paranoia-level/2',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/255/153',\
- tag:'PCI/12.1',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\v,;]+[\s\v,;].*?\b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([\+/]))\b" "id:921422, phase:1, block, capture, t:none,t:lowercase, msg:'Content-Type header: Dangerous content type outside the mime type declaration', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/2', tag:'OWASP_CRS', tag:'capec/1000/255/153', tag:'PCI/12.1', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
@@ -390,23 +178,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,skipAf
 # If it is necessary to use it in a certain setup, then it is best to
 # create a rule exclusion for a given URI and this rule ID as a workaround.
 #
-SecRule &REQUEST_HEADERS:Range "@gt 0" \
- "id:921230,\
- phase:1,\
- block,\
- t:none,\
- msg:'HTTP Range Header detected',\
- logdata:'Matched Data: Header %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'paranoia-level/3',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/210/272/220',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+SecRule &REQUEST_HEADERS:Range "@gt 0" "id:921230, phase:1, block, t:none, msg:'HTTP Range Header detected', logdata:'Matched Data: Header %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'paranoia-level/3', tag:'OWASP_CRS', tag:'capec/1000/210/272/220', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 # -=[ HTTP Parameter Pollution ]=-
@@ -427,40 +199,10 @@ SecRule &REQUEST_HEADERS:Range "@gt 0" \
 # http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html
 # https://capec.mitre.org/data/definitions/460.html
 #
-SecRule ARGS_NAMES "@rx ." \
- "id:921170,\
- phase:2,\
- pass,\
- nolog,\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/137/15/460',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
-
-SecRule TX:/paramcounter_.*/ "@gt 1" \
- "id:921180,\
- phase:2,\
- pass,\
- msg:'HTTP Parameter Pollution (%{TX.1})',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/137/15/460',\
- tag:'paranoia-level/3',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- chain"
- SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \
- "capture,\
- setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+SecRule ARGS_NAMES "@rx ."
"id:921170, phase:2, pass, nolog, tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'OWASP_CRS', tag:'capec/1000/152/137/15/460', ver:'OWASP_CRS/4.0.0-rc1', setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
+
+SecRule TX:/paramcounter_.*/ "@gt 1" "id:921180, phase:2, pass, msg:'HTTP Parameter Pollution (%{TX.1})', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'OWASP_CRS', tag:'capec/1000/152/137/15/460', tag:'paranoia-level/3', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', chain"
+ SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" "capture, setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 # -=[ HTTP Parameter Pollution ]=-
@@ -485,24 +227,7 @@ SecRule TX:/paramcounter_.*/ "@gt 1" \
 # * foo[1]x[1]=bar&foo[1]x[2]= - extension of 1; this has the advantage that
 # the parameter name does end with "]" just like a valid array notation.
 #
-SecRule ARGS_NAMES "@rx (][^\]]+$|][^\]]+\[)" \
- "id:921210,\
- phase:2,\
- pass,\
- log,\
- msg:'HTTP Parameter Pollution after detecting bogus char after parameter array',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/137/15/460',\
- tag:'paranoia-level/3',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+SecRule ARGS_NAMES "@rx (][^\]]+$|][^\]]+\[)" "id:921210, phase:2, pass, log, msg:'HTTP Parameter Pollution after detecting bogus char after parameter array', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'OWASP_CRS', tag:'capec/1000/152/137/15/460', tag:'paranoia-level/3', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -533,24 +258,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,skipAf
 # * foo[1]=bar&foo[1]acb]= - this is an edge case that 921210 PL3 is not
 # able to catch since the parameter name ends with "]".
 #
-SecRule ARGS_NAMES "@rx \[" \
- "id:921220,\
- phase:2,\
- pass,\
- log,\
- msg:'HTTP Parameter Pollution possible via array notation',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-protocol',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/137/15/460',\
- tag:'paranoia-level/4',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
+SecRule ARGS_NAMES "@rx \[" "id:921220, phase:2, pass, log, msg:'HTTP Parameter Pollution possible via array notation', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'OWASP_CRS', tag:'capec/1000/152/137/15/460', tag:'paranoia-level/4', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
diff --git a/appsec/crs/REQUEST-922-MULTIPART-ATTACK.conf b/appsec/crs/REQUEST-922-MULTIPART-ATTACK.conf
index 04daef5b..b09285ff 100644
--- a/appsec/crs/REQUEST-922-MULTIPART-ATTACK.conf
+++ b/appsec/crs/REQUEST-922-MULTIPART-ATTACK.conf
@@ -24,69 +24,15 @@ # Only allow specific charsets when using "_charset_" # Note: this is in phase:2 because these are headers that come in the body -SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \ - "id:922100,\ - phase:2,\ - block,\ - t:none,\ - msg:'Multipart content type global _charset_ definition is not allowed by policy',\ - logdata:'Matched Data: %{ARGS._charset_}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-multipart-header',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/255/153',\ - tag:'paranoia-level/1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - chain" - SecRule ARGS:_charset_ "!@within |%{tx.allowed_request_content_type_charset}|" \ - "t:lowercase,\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" "id:922100, phase:2, block, t:none, msg:'Multipart content type global _charset_ definition is not allowed by policy', logdata:'Matched Data: %{ARGS._charset_}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-multipart-header', tag:'OWASP_CRS', tag:'capec/1000/255/153', tag:'paranoia-level/1', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', chain" + SecRule ARGS:_charset_ "!@within |%{tx.allowed_request_content_type_charset}|" "t:lowercase, setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Only allow specific charsets same as Rule 920600 # Note: this is in phase:2 because these are headers that come in the body -SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*:\s*(.*)$" \ - "id:922110,\ - phase:2,\ - block,\ - capture,\ - t:none,t:lowercase,\ - msg:'Illegal MIME Multipart Header content-type: charset parameter',\ - logdata:'Matched Data: %{TX.1} found within Content-Type multipart form',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-protocol',\ - tag:'OWASP_CRS',\ - tag:'capec/272/220',\ - tag:'paranoia-level/1',\ - 
ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - chain" - SecRule TX:1 "!@rx ^(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*(?:[\s\v]*,[\s\v]*(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*)*$" \ - "t:lowercase,\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*:\s*(.*)$" "id:922110, phase:2, block, capture, t:none,t:lowercase, msg:'Illegal MIME Multipart Header content-type: charset parameter', logdata:'Matched Data: %{TX.1} found within Content-Type multipart form', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-protocol', tag:'OWASP_CRS', tag:'capec/272/220', tag:'paranoia-level/1', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', chain" + SecRule TX:1 "!@rx ^(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v 
-\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*(?:[\s\v]*,[\s\v]*(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*)*$" "t:lowercase, setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used (see: https://www.rfc-editor.org/rfc/rfc7578#section-4.7) # Note: this is in phase:2 because these are headers that come in the body -SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \ - "id:922120,\ - phase:2,\ - block,\ - capture,\ - t:none,t:lowercase,\ - msg:'Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used',\ - logdata:'Matched Data: %{TX.0}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-deprecated-header',\ - tag:'OWASP_CRS',\ - tag:'capec/272/220',\ - tag:'paranoia-level/1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" "id:922120, phase:2, block, capture, t:none,t:lowercase, msg:'Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used', logdata:'Matched Data: %{TX.0}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', 
tag:'attack-deprecated-header', tag:'OWASP_CRS', tag:'capec/272/220', tag:'paranoia-level/1', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" diff --git a/appsec/crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf b/appsec/crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf index fd624844..c0d89b43 100644 --- a/appsec/crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf +++ b/appsec/crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf 
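Review bot: The new 922110 chained rule (the second `+` line of this hunk) is displayed with a break inside the regex argument, right after `(?:[^\s\v ` and before `-\"\(-\),`, which also makes the continuation look like a removed line; with the backslash continuations gone, a real newline at that point would end the `SecRule` directive inside an unclosed quoted string, so please confirm the committed file keeps the operator argument and the action list on one physical line. The same wrap shows in the new 930100 line (after `"@rx `), in 931120 (inside the `msg:` text), and in 931130 and 931131. If it is only the viewer wrapping long lines, nothing needs to change.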
@@ -32,25 +32,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,skipAf # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 930100 # -SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "@rx (?i)(?:[/\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:\.(?:%0[0-1]|\?)?|\?\.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:\.|%[25-6ae-f]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))" \ - "id:930100,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'Path Traversal Attack (/../) or (/.../)',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-lfi',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/255/153/126',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ - setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "@rx 
(?i)(?:[/\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:\.(?:%0[0-1]|\?)?|\?\.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:\.|%[25-6ae-f]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[5-6]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))" "id:930100, phase:2, block, capture, t:none, msg:'Path Traversal Attack (/../) or (/.../)', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-lfi', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/255/153/126', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}', setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'" # # [ Decoded /../ or /..;/ Payloads ] 
@@ -64,26 +46,7 @@ SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:
 #
 # Semicolon added to prevent path traversal via reverse proxy mapping '/..;/' (Tomcat)
 #
-SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "@rx (?:(?:^|[\x5c/;])\.{2,3}[\x5c/;]|[\x5c/;]\.{2,3}(?:[\x5c/;]|$))" \
- "id:930110,\
- phase:2,\
- block,\
- capture,\
- t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\
- msg:'Path Traversal Attack (/../) or (/.../)',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-lfi',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/255/153/126',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- multiMatch,\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
- setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "@rx (?:(?:^|[\x5c/;])\.{2,3}[\x5c/;]|[\x5c/;]\.{2,3}(?:[\x5c/;]|$))" "id:930110, phase:2, block, capture, t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine, msg:'Path Traversal Attack (/../) or (/.../)', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-lfi', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/255/153/126', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', multiMatch, setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}', setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
 #
 # -=[ OS File Access ]=-
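Review bot: The rewritten 930110 action list uses two separator styles on one line: the transformation chain stays packed as `t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine` while every other action is joined with `, `. That is presumably harmless to the parser, since the old layout already had whitespace after each comma through the indented continuation lines, but it makes an already long line harder to scan and invites inconsistent edits; either `t:none, t:utf8toUnicode, t:urlDecodeUni, t:removeNulls, t:cmdLine` or a uniform `,` throughout would be clearer. The same mix appears in the 922110/922120 hunk above and in 930120, 930130, 930121, 931110 and 931131 below.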
@@ -94,26 +57,7 @@ SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "
 #
 # If you wonder where support for Google OAuth2 has gone, see:
 # https://github.com/coreruleset/google-oauth2-plugin
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile lfi-os-files.data" \
- "id:930120,\
- phase:2,\
- block,\
- capture,\
- t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,\
- msg:'OS File Access Attempt',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-lfi',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/255/153/126',\
- tag:'PCI/6.5.4',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile lfi-os-files.data" "id:930120, phase:2, block, capture, t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin, msg:'OS File Access Attempt', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-lfi', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/255/153/126', tag:'PCI/6.5.4', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 #
 # -=[ Restricted File Access ]=-
@@ -121,26 +65,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # Detects attempts to retrieve application source code, metadata,
 # credentials and version control history possibly reachable in a web root.
 #
-SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
- "id:930130,\
- phase:1,\
- block,\
- capture,\
- t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,\
- msg:'Restricted File Access Attempt',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-lfi',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/255/153/126',\
- tag:'PCI/6.5.4',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" "id:930130, phase:1, block, capture, t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin, msg:'Restricted File Access Attempt', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-lfi', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/255/153/126', tag:'PCI/6.5.4', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -159,26 +84,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,skipAf
 #
 # Ref: https://github.com/lightos/Panoptic/blob/master/cases.xml
 #
-SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@pmFromFile lfi-os-files.data" \
- "id:930121,\
- phase:1,\
- block,\
- capture,\
- t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,\
- msg:'OS File Access Attempt in REQUEST_HEADERS',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-lfi',\
- tag:'paranoia-level/2',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/255/153/126',\
- tag:'PCI/6.5.4',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@pmFromFile lfi-os-files.data" "id:930121, phase:1, block, capture, t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin, msg:'OS File Access Attempt in REQUEST_HEADERS', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-lfi', tag:'paranoia-level/2', tag:'OWASP_CRS', tag:'capec/1000/255/153/126', tag:'PCI/6.5.4', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
diff --git a/appsec/crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf b/appsec/crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf
index 581a6578..e926af3c 100644
--- a/appsec/crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf
+++ b/appsec/crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf
@@ -34,65 +34,11 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,skipAf
 # http://projects.webappsec.org/Remote-File-Inclusion
 # http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
 #
-SecRule ARGS "@rx ^(?i:file|ftps?|https?)://(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \
- "id:931100,\
- phase:2,\
- block,\
- capture,\
- t:none,\
- msg:'Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-rfi',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/175/253',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-
-SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(?:file|ftps?|https?)://" \
- "id:931110,\
- phase:2,\
- block,\
- capture,\
- t:none,t:urlDecodeUni,\
- msg:'Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-rfi',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/175/253',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-
-SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
- "id:931120,\
- phase:2,\
- block,\
- capture,\
- t:none,\
- msg:'Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-rfi',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/175/253',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule ARGS "@rx ^(?i:file|ftps?|https?)://(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" "id:931100, phase:2, block, capture, t:none, msg:'Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-rfi', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/175/253', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(?:file|ftps?|https?)://" "id:931110, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-rfi', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/175/253', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" "id:931120, phase:2, block, capture, t:none, msg:'Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-rfi', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/175/253', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -113,28 +59,8 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,skipAf # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 931130 # -SecRule ARGS "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" \ - "id:931130,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-rfi',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/175/253',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\ - chain" - SecRule TX:/rfi_parameter_.*/ "!@endsWith .%{request_headers.host}" \ - "setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule ARGS "@rx 
(?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" "id:931130, phase:2, block, capture, t:none, msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-rfi', tag:'OWASP_CRS', tag:'capec/1000/152/175/253', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}', chain" + SecRule TX:/rfi_parameter_.*/ "!@endsWith .%{request_headers.host}" "setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # This is a (stricter) sibling of 931130. # 
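Review bot: The context kept above the 931130 rule still reads `crs-toolchain regex update 931130`, but the rule is now a single physical line in a layout the upstream tool may not emit; anyone who re-runs that command against this copy could reintroduce the multi-line form this commit removes, and nothing in the file records the constraint. Consider a comment next to that line such as `# NOTE: rules in this tree are kept on one physical line (no backslash continuations); re-flatten by hand after a crs-toolchain regex update`. The same toolchain comment precedes 930100 and 931131, so one statement at the top of each file would also do.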
@@ -143,28 +69,8 @@ SecRule ARGS "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|it # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 931131 # -SecRule REQUEST_FILENAME "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" \ - "id:931131,\ - phase:1,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-rfi',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/175/253',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\ - chain" - SecRule TX:/rfi_parameter_.*/ "!@endsWith .%{request_headers.host}" \ - "setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_FILENAME "@rx 
(?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" "id:931131, phase:1, block, capture, t:none,t:urlDecodeUni, msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-rfi', tag:'OWASP_CRS', tag:'capec/1000/152/175/253', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}', chain" + SecRule TX:/rfi_parameter_.*/ "!@endsWith .%{request_headers.host}" "setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" diff --git a/appsec/crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/appsec/crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf index 2d61cf42..ecdea6d4 100644 --- a/appsec/crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf +++ b/appsec/crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf 
@@ -112,26 +112,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,skipAf # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932230 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ar])?|a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:[bt]|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ks])[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[\s\v&\),<>\|].*|[jp])|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[\s\v&\),<>\|].*|h))|(?:(?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[cl]|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\
x5c?)?m)|o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?)[\s\v&\),<>\|].*|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[8-9][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?9|(?:[au][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|[cp])[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[du][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?g|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f)|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:[bdx]|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|q[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|f[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:c|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|i|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)|g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-
0-9\?-@_a-\{]*)?\x5c?(?:(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[&,<>\|]|(?:[\--\.0-9A-Z_a-z][\"'\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\*\-0-9\?-@_a-\{]*)?\x5c?)+[\s\v&,<>\|])|(?:e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|o)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|]).*|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|[hr][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c)|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|p|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b)|j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s|q)|k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?|(?:[npz]|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)[\s\v&\),<>\|].*|s)|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n|v)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r)|p[\"'\)\[-\x5
c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|f|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?)[\s\v&\),<>\|].*|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|(?:k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?g|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[&,<>\|]|(?:[\--\.0-9A-Z_a-z][\"'\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\*\-0-9\?-@_a-\{]*)?\x5c?)+[\s\v&,<>\|]).*)|s|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|v))|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|(?:(?:e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dt]|[hu])[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0
-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?)[\s\v&\),<>\|].*|g|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*)|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ex]|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|c|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o)|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*)|y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h))\b" \ - "id:932230,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'Remote Command Execution: Unix Command Injection (2-3 chars)',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-shell',\ - tag:'platform-unix',\ - 
tag:'attack-rce',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/88',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ar])?|a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:[bt]|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ks])[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[\s\v&\),<>\|].*|[jp])|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[\s\v&\),<>\|].*|h))|(?:(?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[cl]|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5
c?t|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)|o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?)[\s\v&\),<>\|].*|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[8-9][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?9|(?:[au][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|[cp])[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[du][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?g|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f)|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:[bdx]|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|q[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|f[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:c|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|i|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-
0-9\?-@_a-\{]*)?\x5c?t)|g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[&,<>\|]|(?:[\--\.0-9A-Z_a-z][\"'\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\*\-0-9\?-@_a-\{]*)?\x5c?)+[\s\v&,<>\|])|(?:e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|o)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|]).*|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|[hr][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c)|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|p|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b)|j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s|q)|k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?|(?:[npz]|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)[\s\v&\),<>\|].*|s)|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n|v)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|t[\"'\)\[-\x5
c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r)|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|f|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?)[\s\v&\),<>\|].*|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|(?:k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?g|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[&,<>\|]|(?:[\--\.0-9A-Z_a-z][\"'\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\*\-0-9\?-@_a-\{]*)?\x5c?)+[\s\v&,<>\|]).*)|s|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|v))|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|(?:(?:e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dt]|[hu])[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\
-0-9\?-@_a-\{]*)?\x5c?|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?)[\s\v&\),<>\|].*|g|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*)|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ex]|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|c|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o)|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*)|y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h))\b" "id:932230, phase:2, block, capture, t:none, msg:'Remote Command Execution: Unix Command Injection (2-3 chars)', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', 
tag:'language-shell', tag:'platform-unix', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Unix command injection ] # 
@@ -166,26 +147,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932235 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:a(?:dduser|getty|l(?:ias|pine)[\s\v<>]|nsible-playbook|pt-get|r(?:ch[\s\v<>]|ia2c)|s(?:cii(?:-xfr|85)|pell)|tobm)|b(?:a(?:s(?:e(?:32|64|nc)|h)|tch[\s\v<>])|pftrace|r(?:eaksw|idge[\s\v<>])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v<>]|zip2)|s(?:ctl|ybox))|yebug|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2|less|more))|c(?:a(?:ncel|psh)[\s\v<>]|ertbot|h(?:attr|dir[\s\v<>]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|flags|mod|o(?:om|wn)|root)|o(?:(?:b|pro)c|lumn[\s\v<>]|m(?:m(?:and[\s\v<>])?|p(?:oser|ress[\s\v<>]))|w(?:say|think))|p(?:an|io|ulimit)|r(?:ash[\s\v<>]|ontab)|s(?:plit|vtool)|u(?:psfilter|rl))|d(?:(?:a(?:sh|te)|i(?:alog|ff))[\s\v<>]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v<>]|sbox)|pkg|vips)|e(?:(?:asy_instal|va)l|cho[\s\v<>]|fax|grep|macs|n(?:d(?:if|sw)|v-update)|sac|x(?:ec[\s\v<>]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v<>]|r)))|f(?:acter|(?:etch|lock)[\s\v<>]|grep|i(?:le(?:[\s\v<>]|test)|(?:n(?:d|ger)|sh)[\s\v<>])|o(?:ld[\s\v<>]|reach)|ping|tp(?:stats|who)|unction)|g(?:awk|core|e(?:ni(?:e[\s\v<>]|soimage)|tfacl[\s\v<>])|hci|i(?:mp[\s\v<>]|nsh)|rep[\s\v<>]|tester|unzip|z(?:cat|exe|ip))|h(?:e(?:ad[\s\v<>]|xdump)|i(?:ghlight|story)[\s\v<>]|ost(?:id|name)|ping3|t(?:digest|passwd))|i(
?:conv|f(?:config|top)|nstall[\s\v<>]|onice|p(?:6?tables|config)|spell)|j(?:ava[\s\v<>]|exec|o(?:(?:bs|in)[\s\v<>]|urnalctl)|runscript)|k(?:ill(?:[\s\v<>]|all)|nife[\s\v<>]|sshell)|l(?:a(?:st(?:[\s\v<>]|comm|log(?:in)?)|tex[\s\v<>])|dconfig|ess(?:[\s\v<>]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[\s\v<>]|o(?:(?:ca(?:l|te)|ok)[\s\v<>]|g(?:inctl|(?:nam|sav)e))|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|z(?:c(?:at|mp)|diff|[e-f]?grep|less|m(?:a|ore)))|m(?:a(?:il(?:q|x[\s\v<>])?|ke[\s\v<>]|wk)|(?:kdir|utt)[\s\v<>]|locate|o(?:(?:re|unt)[\s\v<>]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:a(?:no[\s\v<>]|sm|wk)|c(?:\.(?:openbsd|traditional)|at)|e(?:ofetch|t(?:(?:c|st)at|kit-ftp))|ice[\s\v<>]|map|o(?:de[\s\v<>]|hup)|ping|roff|s(?:enter|lookup|tat))|o(?:ctave[\s\v<>]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:s(?:swd|te[\s\v<>])|tch[\s\v<>])|df(?:la)?tex|er(?:f|l(?:5|sh)?|ms)|(?:ft|gre)p|i(?:(?:co|ng)[\s\v<>]|dstat|gz)|k(?:exec|g_?info|ill)|opd|rint(?:env|f[\s\v<>])|s(?:ftp|ql)|tar(?:diff|grep)?|ython[^\s\v]|u(?:ppet[\s\v<>]|shd))|r(?:ak(?:e[\s\v<>]|u)|e(?:a(?:delf|lpath)|(?:dcarpet|name|p(?:eat|lace))[\s\v<>]|stic)|l(?:ogin|wrap)|m(?:dir[\s\v<>]|user)|nano|oute[\s\v<>]|pm(?:db|(?:quer|verif)y)|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:(?:ash|nap|plit)[\s\v<>]|c(?:hed|r(?:een|ipt)[\s\v<>])|diff|e(?:ndmail|rvice[\s\v<>]|t(?:arch|env|facl[\s\v<>]|sid))|ftp|h(?:\.distrib|ell|u(?:f|tdown[\s\v<>]))|l(?:eep[\s\v<>]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v<>])|qlite3|sh(?:-key(?:ge|sca)n|pass)|t(?:art-stop-daemon|dbuf|r(?:ace|ings))|udo|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il[\s\v<>f]|sk(?:set)?)|c(?:l?sh|p(?:dump|ing|traceroute))|elnet|ftp|ime(?:(?:out)?[\s\v<>]|datectl)|mux|ouch[\s\v<>]|r(?:aceroute6?|off)|shark)|u(?:limit[\s\v<>]|n(?:ame|compress|expand|iq|l(?:ink[\s\v<>]|z(?:4|ma))|(?:pig|x)z|rar|s(?:et|hare)[\s\v<>]|z(?:ip|std))|pdate-alternatives|
ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:ew[\s\v<>]|gr|mdiff|pw|rsh)|olatility)|w(?:a(?:ll|tch)[\s\v<>]|get|h(?:iptail|o(?:ami|is))|i(?:reshark|sh[\s\v<>]))|x(?:args|e(?:la)?tex|mo(?:dmap|re)|pad|term|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|y(?:arn|elp[\s\v<>])|z(?:athura|c(?:at|mp)|diff|[e-f]?grep|(?:ipdetail|les)s|more|run|s(?:oelim|td)|ypper))" \ - "id:932235,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'Remote Command Execution: Unix Command Injection (command without evasion)',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-shell',\ - tag:'platform-unix',\ - tag:'attack-rce',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/88',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
(?i)(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:a(?:dduser|getty|l(?:ias|pine)[\s\v<>]|nsible-playbook|pt-get|r(?:ch[\s\v<>]|ia2c)|s(?:cii(?:-xfr|85)|pell)|tobm)|b(?:a(?:s(?:e(?:32|64|nc)|h)|tch[\s\v<>])|pftrace|r(?:eaksw|idge[\s\v<>])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v<>]|zip2)|s(?:ctl|ybox))|yebug|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2|less|more))|c(?:a(?:ncel|psh)[\s\v<>]|ertbot|h(?:attr|dir[\s\v<>]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|flags|mod|o(?:om|wn)|root)|o(?:(?:b|pro)c|lumn[\s\v<>]|m(?:m(?:and[\s\v<>])?|p(?:oser|ress[\s\v<>]))|w(?:say|think))|p(?:an|io|ulimit)|r(?:ash[\s\v<>]|ontab)|s(?:plit|vtool)|u(?:psfilter|rl))|d(?:(?:a(?:sh|te)|i(?:alog|ff))[\s\v<>]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v<>]|sbox)|pkg|vips)|e(?:(?:asy_instal|va)l|cho[\s\v<>]|fax|grep|macs|n(?:d(?:if|sw)|v-update)|sac|x(?:ec[\s\v<>]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v<>]|r)))|f(?:acter|(?:etch|lock)[\s\v<>]|grep|i(?:le(?:[\s\v<>]|test)|(?:n(?:d|ger)|sh)[\s\v<>])|o(?:ld[\s\v<>]|reach)|ping|tp(?:stats|who)|unction)|g(?:awk|core|e(?:ni(?:e[\s\v<>]|soimage)|tfacl[\s\v<>])|hci|i(?:mp[\s\v<>]|nsh)|rep[\s\v<>]|tester|unzip|z(?:cat|exe|ip))|h(?:e(?:ad[\s\v<>]|xdump)|i(?:ghlight|story)[\s\v<>]|ost(?:id|name)|ping3|t(?:digest|passwd))|i(?:conv|f(?:config|top)|nstall[\s\v<>]|onice|p(?:6?tables|config)|spell)|j(?:ava[\s\v<>]|exec|o(?:(?:bs|in)[\s\v<>]|urnalctl)|runscript)|k(?:ill(?:[\s\v<>]|all)|nife[\s\v<>]|sshell)|l(?:a(?:st(?:[\s\v<>]|comm|log(?:in)?)|tex[\s\v<>])|dconfig|ess(?:[\s\v<>]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[\s\v<>]|o(?:(?:ca(?:l|
te)|ok)[\s\v<>]|g(?:inctl|(?:nam|sav)e))|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|z(?:c(?:at|mp)|diff|[e-f]?grep|less|m(?:a|ore)))|m(?:a(?:il(?:q|x[\s\v<>])?|ke[\s\v<>]|wk)|(?:kdir|utt)[\s\v<>]|locate|o(?:(?:re|unt)[\s\v<>]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:a(?:no[\s\v<>]|sm|wk)|c(?:\.(?:openbsd|traditional)|at)|e(?:ofetch|t(?:(?:c|st)at|kit-ftp))|ice[\s\v<>]|map|o(?:de[\s\v<>]|hup)|ping|roff|s(?:enter|lookup|tat))|o(?:ctave[\s\v<>]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:s(?:swd|te[\s\v<>])|tch[\s\v<>])|df(?:la)?tex|er(?:f|l(?:5|sh)?|ms)|(?:ft|gre)p|i(?:(?:co|ng)[\s\v<>]|dstat|gz)|k(?:exec|g_?info|ill)|opd|rint(?:env|f[\s\v<>])|s(?:ftp|ql)|tar(?:diff|grep)?|ython[^\s\v]|u(?:ppet[\s\v<>]|shd))|r(?:ak(?:e[\s\v<>]|u)|e(?:a(?:delf|lpath)|(?:dcarpet|name|p(?:eat|lace))[\s\v<>]|stic)|l(?:ogin|wrap)|m(?:dir[\s\v<>]|user)|nano|oute[\s\v<>]|pm(?:db|(?:quer|verif)y)|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:(?:ash|nap|plit)[\s\v<>]|c(?:hed|r(?:een|ipt)[\s\v<>])|diff|e(?:ndmail|rvice[\s\v<>]|t(?:arch|env|facl[\s\v<>]|sid))|ftp|h(?:\.distrib|ell|u(?:f|tdown[\s\v<>]))|l(?:eep[\s\v<>]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v<>])|qlite3|sh(?:-key(?:ge|sca)n|pass)|t(?:art-stop-daemon|dbuf|r(?:ace|ings))|udo|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il[\s\v<>f]|sk(?:set)?)|c(?:l?sh|p(?:dump|ing|traceroute))|elnet|ftp|ime(?:(?:out)?[\s\v<>]|datectl)|mux|ouch[\s\v<>]|r(?:aceroute6?|off)|shark)|u(?:limit[\s\v<>]|n(?:ame|compress|expand|iq|l(?:ink[\s\v<>]|z(?:4|ma))|(?:pig|x)z|rar|s(?:et|hare)[\s\v<>]|z(?:ip|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:ew[\s\v<>]|gr|mdiff|pw|rsh)|olatility)|w(?:a(?:ll|tch)[\s\v<>]|get|h(?:iptail|o(?:ami|is))|i(?:reshark|sh[\s\v<>]))|x(?:args|e(?:la)?tex|mo(?:dmap|re)|pad|term|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|y(?:arn|elp[\s\v<>])|z(?:athura|c(?:at|mp)|diff|[e-f]?grep
|(?:ipdetail|les)s|more|run|s(?:oelim|td)|ypper))" "id:932235, phase:2, block, capture, t:none, msg:'Remote Command Execution: Unix Command Injection (command without evasion)', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-shell', tag:'platform-unix', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Apache 2.2 requires configuration file lines to be under 8kB. # Therefore, some remaining commands have been split off to a separate rule. 
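Review bot: The rewritten 932235 rule now carries its whole action list on the same physical line as the regex, while the comment kept as context directly below it still says Apache 2.2 needs configuration lines under 8 kB and that commands were split into a separate rule for exactly that reason; upstream kept the regex alone on that line with the actions on a `\` continuation. Whether the joined line still fits I can't confirm from here (the 932230 regex earlier in this file already looks longer than 8 kB, so the limit may no longer be enforced for this deployment), but if it still matters the safe form is to keep the continuation for the actions only, e.g. `...|ypper))" \` followed by `    "id:932235, phase:2, block, capture, t:none, msg:'Remote Command Execution: Unix Command Injection (command without evasion)', …, setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"`. If the limit is in fact obsolete here, the comment should be updated or removed so it does not mislead the next person who has to split a rule. Since these are vendored upstream files (`ver:'OWASP_CRS/4.0.0-rc1'`), the reflow also means future upstream updates will no longer apply cleanly and the copy can't be diffed against the release for integrity; if the target engine cannot parse backslash continuations, doing this rewrite as a build-time step over untouched upstream files would keep a verifiable copy.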
@@ -199,26 +161,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932115 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:t[\"\^]*i[\"\^]*m[\"\^]*e|[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:o[\"\^]*(?:d[\"\^]*b[\"\^]*c[\"\^]*(?:a[\"\^]*d[\"\^]*3[\"\^]*2|c[\"\^]*o[\"\^]*n[\"\^]*f)|p[\"\^]*e[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)|p[\"\^]*(?:a[\"\^]*t[\"\^]*h[\"\^]*(?:[\s\v,\.-/;-<>].*|p[\"\^]*i[\"\^]*n[\"\^]*g)|e[\"\^]*r[\"\^]*(?:f[\"\^]*m[\"\^]*o[\"\^]*n|l(?:[\"\^]*(?:5|s[\"\^]*h))?)|h[\"\^]*p(?:[\"\^]*[57])?|i[\"\^]*n[\"\^]*g|k[\"\^]*g[\"\^]*m[\"\^]*g[\"\^]*r|o[\"\^]*(?:p[\"\^]*d|r[\"\^]*t[\"\^]*q[\"\^]*r[\"\^]*y|w[\"\^]*e[\"\^]*r[\"\^]*(?:c[\"\^]*f[\"\^]*g|s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l(?:[\"\^]*_[\"\^]*i[\"\^]*s[\"\^]*e)?))|r[\"\^]*(?:i[\"\^]*n[\"\^]*t[\"\^]*(?:[\s\v,\.-/;-<>].*|b[\"\^]*r[\"\^]*m)|n[\"\^]*(?:c[\"\^]*n[\"\^]*f[\"\^]*g|m[\"\^]*n[\"\^]*g[\"\^]*r)|o[\"\^]*m[\"\^]*p[\"\^]*t)|s[\"\^]*(?:e[\"\^]*x[\"\^]*e[\"\^]*c|f[\"\^]*i[\"\^]*l[\"\^]*e|g[\"\^]*e[\"\^]*t[\"\^]*s[\"\^]*i[\"\^]*d|i[\"\^]*n[\"\^]*f[\"\^]*o|k[\"\^]*i[\"\^]*l[\"\^]*l|l[\"\^]*(?:i[\"\^]*s[\"\^]*t|o[\"\^]*g[\"\^]*(?:g[\"\^]*e[\"\^]*d[\"\^]*o[\"\^]*n|l[\"\^]*i[\"\^]*s[\"\^]*t))|p[\"\^]*(?:a[\"\^]*s[\"\^]*s[\"\^]*w[\"\^]*d|i[\"\^]*n[\"\^]*g)|s[\"\^]*(?:e[\"\^]*r[\"\^]*v[\"\^]*i[\"\^]*c[\"\^]*e|h[\"\^]*u[\"\^]*t[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n|u[\"\^]*s[\"\^]*p[\"\^]*e[\"\^]*n[\"\^]*d))|u[\"\^]*s[\"\^]*h[\"\^]*d|y[\"\^]*t[\"\^]*h[\"\^]*o[\"\^]*n(?:[\"\^]*(?:2|3(?:[\"\^]*m)?))?)|q[\"\^]*(?:g[\"\^]*r[\"\^]*e[\"\^]*p|p[\"\^]*r[\"\^]*o[\"\^]*c[\"\^]*e[\"\^]*s[\"\^]*s|u[\"\^]*e[\"\^]*r[\"\^]*y[\"\^]*[\s\v,\.-/;-<>].*|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a)|r[\"\^]*(?:a[\"\^]*
(?:r[\"\^]*[\s\v,\.-/;-<>].*|s[\"\^]*(?:d[\"\^]*i[\"\^]*a[\"\^]*l|p[\"\^]*h[\"\^]*o[\"\^]*n[\"\^]*e))|d[\"\^]*[\s\v,\.-/;-<>].*|e[\"\^]*(?:c[\"\^]*(?:d[\"\^]*i[\"\^]*s[\"\^]*c|o[\"\^]*v[\"\^]*e[\"\^]*r)|g[\"\^]*(?:[\s\v,\.-/;-<>].*|e[\"\^]*d[\"\^]*i[\"\^]*t|i[\"\^]*n[\"\^]*i|s[\"\^]*v[\"\^]*r[\"\^]*3[\"\^]*2)|k[\"\^]*e[\"\^]*y[\"\^]*w[\"\^]*i[\"\^]*z|(?:n[\"\^]*(?:a[\"\^]*m[\"\^]*e[\"\^]*)?|(?:p[\"\^]*l[\"\^]*a[\"\^]*c[\"\^]*e|s[\"\^]*e[\"\^]*t)[\"\^]*)[\s\v,\.-/;-<>].*)|m[\"\^]*(?:(?:d[\"\^]*i[\"\^]*r[\"\^]*)?[\s\v,\.-/;-<>].*|t[\"\^]*s[\"\^]*h[\"\^]*a[\"\^]*r[\"\^]*e)|o[\"\^]*(?:b[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y|u[\"\^]*t[\"\^]*e[\"\^]*[\s\v,\.-/;-<>].*)|s[\"\^]*(?:t[\"\^]*r[\"\^]*u[\"\^]*i|y[\"\^]*n[\"\^]*c)|u[\"\^]*(?:b[\"\^]*y[\"\^]*(?:1(?:[\"\^]*[8-9])?|2[\"\^]*[0-2])|n[\"\^]*(?:a[\"\^]*s|d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2)))|s[\"\^]*(?:c[\"\^]*(?:h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|l[\"\^]*i[\"\^]*s[\"\^]*t)|e[\"\^]*(?:c[\"\^]*p[\"\^]*o[\"\^]*l|l[\"\^]*e[\"\^]*c[\"\^]*t|t[\"\^]*(?:(?:x[\"\^]*)?[\s\v,\.-/;-<>].*|l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l))|f[\"\^]*c|h[\"\^]*(?:a[\"\^]*r[\"\^]*e|e[\"\^]*l[\"\^]*l[\"\^]*r[\"\^]*u[\"\^]*n[\"\^]*a[\"\^]*s|i[\"\^]*f[\"\^]*t|o[\"\^]*(?:r[\"\^]*t[\"\^]*c[\"\^]*u[\"\^]*t|w[\"\^]*(?:g[\"\^]*r[\"\^]*p|m[\"\^]*b[\"\^]*r)[\"\^]*s)|r[\"\^]*p[\"\^]*u[\"\^]*b[\"\^]*w|u[\"\^]*t[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n)|i[\"\^]*g[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f|l[\"\^]*(?:e[\"\^]*e[\"\^]*p|m[\"\^]*g[\"\^]*r)|(?:o|t[\"\^]*a)[\"\^]*r[\"\^]*t[\"\^]*[\s\v,\.-/;-<>].*|u[\"\^]*b[\"\^]*(?:i[\"\^]*n[\"\^]*a[\"\^]*c[\"\^]*l|s[\"\^]*t)|v[\"\^]*n|y[\"\^]*s[\"\^]*(?:d[\"\^]*m|k[\"\^]*e[\"\^]*y|t[\"\^]*e[\"\^]*m[\"\^]*(?:i[\"\^]*n[\"\^]*f[\"\^]*o|p[\"\^]*r[\"\^]*o[\"\^]*p[\"\^]*e[\"\^]*r[\"\^]*t[\"\^]*i[\"\^]*e[\"\^]*s[\"\^]*(?:a[\"\^]*d[\"\^]*v[\"\^]*a[\"\^]*n[\"\^]*c[\"\^]*e[\"\^]*d|d[\"\^]*a[\"\^]*t[\"\^]*a[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*p[\"\^]*r[\"\^]*e[\"\^]*v[\"\^]*e[\"\^]*n[\"\^]*t[
\"\^]*i[\"\^]*o[\"\^]*n|(?:h[\"\^]*a[\"\^]*r[\"\^]*d[\"\^]*w[\"\^]*a[\"\^]*r|p[\"\^]*e[\"\^]*r[\"\^]*f[\"\^]*o[\"\^]*r[\"\^]*m[\"\^]*a[\"\^]*n[\"\^]*c)[\"\^]*e))))|t[\"\^]*(?:a[\"\^]*(?:k[\"\^]*e[\"\^]*o[\"\^]*w[\"\^]*n|s[\"\^]*k[\"\^]*(?:k[\"\^]*i[\"\^]*l[\"\^]*l|l[\"\^]*i[\"\^]*s[\"\^]*t|m[\"\^]*g[\"\^]*r|s[\"\^]*c[\"\^]*h[\"\^]*d))|(?:e[\"\^]*l[\"\^]*n[\"\^]*e|i[\"\^]*m[\"\^]*e[\"\^]*o[\"\^]*u|l[\"\^]*i[\"\^]*s|p[\"\^]*m[\"\^]*i[\"\^]*n[\"\^]*i)[\"\^]*t|r[\"\^]*(?:a[\"\^]*c[\"\^]*e[\"\^]*r[\"\^]*t|e[\"\^]*e)|s[\"\^]*(?:d[\"\^]*i[\"\^]*s[\"\^]*c[\"\^]*o|s[\"\^]*h[\"\^]*u[\"\^]*t[\"\^]*d)[\"\^]*n|y[\"\^]*p[\"\^]*e[\"\^]*(?:[\s\v,\.-/;-<>].*|p[\"\^]*e[\"\^]*r[\"\^]*f))|u[\"\^]*(?:n[\"\^]*(?:r[\"\^]*a[\"\^]*r|z[\"\^]*i[\"\^]*p)|s[\"\^]*(?:e[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*c[\"\^]*o[\"\^]*u[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*t[\"\^]*r[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*t[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s|r[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t))|v[\"\^]*(?:e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*y|o[\"\^]*l[\"\^]*[\s\v,\.-/;-<>].*)|w[\"\^]*(?:a[\"\^]*i[\"\^]*t[\"\^]*f[\"\^]*o[\"\^]*r|e[\"\^]*v[\"\^]*t[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|g[\"\^]*e[\"\^]*t|h[\"\^]*o[\"\^]*a[\"\^]*m[\"\^]*i|i[\"\^]*n[\"\^]*(?:d[\"\^]*i[\"\^]*f[\"\^]*f|m[\"\^]*s[\"\^]*d[\"\^]*p|r[\"\^]*[ms]|v[\"\^]*a[\"\^]*r)|m[\"\^]*i[\"\^]*(?:c|m[\"\^]*g[\"\^]*m[\"\^]*t)|s[\"\^]*c[\"\^]*(?:r[\"\^]*i[\"\^]*p[\"\^]*t|u[\"\^]*i)|u[\"\^]*(?:a[\"\^]*(?:p[\"\^]*p|u[\"\^]*c[\"\^]*l[\"\^]*t)|s[\"\^]*a))|x[\"\^]*c[\"\^]*(?:a[\"\^]*c[\"\^]*l[\"\^]*s|o[\"\^]*p[\"\^]*y)|z[\"\^]*i[\"\^]*p[\"\^]*[\s\v,\.-/;-<>].*)(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \ - "id:932115,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'Remote Command Execution: Windows Command Injection',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-shell',\ - tag:'platform-windows',\ - tag:'attack-rce',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - 
tag:'capec/1000/152/248/88',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:t[\"\^]*i[\"\^]*m[\"\^]*e|[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:o[\"\^]*(?:d[\"\^]*b[\"\^]*c[\"\^]*(?:a[\"\^]*d[\"\^]*3[\"\^]*2|c[\"\^]*o[\"\^]*n[\"\^]*f)|p[\"\^]*e[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)|p[\"\^]*(?:a[\"\^]*t[\"\^]*h[\"\^]*(?:[\s\v,\.-/;-<>].*|p[\"\^]*i[\"\^]*n[\"\^]*g)|e[\"\^]*r[\"\^]*(?:f[\"\^]*m[\"\^]*o[\"\^]*n|l(?:[\"\^]*(?:5|s[\"\^]*h))?)|h[\"\^]*p(?:[\"\^]*[57])?|i[\"\^]*n[\"\^]*g|k[\"\^]*g[\"\^]*m[\"\^]*g[\"\^]*r|o[\"\^]*(?:p[\"\^]*d|r[\"\^]*t[\"\^]*q[\"\^]*r[\"\^]*y|w[\"\^]*e[\"\^]*r[\"\^]*(?:c[\"\^]*f[\"\^]*g|s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l(?:[\"\^]*_[\"\^]*i[\"\^]*s[\"\^]*e)?))|r[\"\^]*(?:i[\"\^]*n[\"\^]*t[\"\^]*(?:[\s\v,\.-/;-<>].*|b[\"\^]*r[\"\^]*m)|n[\"\^]*(?:c[\"\^]*n[\"\^]*f[\"\^]*g|m[\"\^]*n[\"\^]*g[\"\^]*r)|o[\"\^]*m[\"\^]*p[\"\^]*t)|s[\"\^]*(?:e[\"\^]*x[\"\^]*e[\"\^]*c|f[\"\^]*i[\"\^]*l[\"\^]*e|g[\"\^]*e[\"\^]*t[\"\^]*s[\"\^]*i[\"\^]*d|i[\"\^]*n[\"\^]*f[\"\^]*o|k[\"\^]*i[\"\^]*l[\"\^]*l|l[\"\^]*(?:i[\"\^]*s[\"\^]*t|o[\"\^]*g[\"\^]*(?:g[\"\^]*e[\"\^]*d[\"\^]*o[\"\^]*n|l[\"\^]*i[\"\^]*s[\"\^]*t))|p[\"\^]*(?:a[\"\^]*s[\"\^]*s[\"\^]*w[\"\^]*d|i[\"\^]*n[\"\^]*g)|s[\"\^]*(?:e[\"\^]*r[\"\^]*v[\"\^]*i[\"\^]*c[\"\^]*e|h[\"\^]*u[\"\^]*t[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n|u[\"\^]*s[\"\^]*p[\"\^]*e[\"\^]*n[\"\^]*d))|u[\"\^]*s[\"\^]*h[\"\^]*d|y[\"\^]*t[\"\^]*h[\"\^]*o[\"\^]*n(?:[\"\^]*(?:2|3(?:[\"\^]*m)?))?)|q[\"\^]*(?:g[\"\^]*r[\"\^]*e[\"\^]*p|p[\"\^]*r[\"\^]*o[\"\^]*c[\"\^]*e[\"\^]*s[\"\^]*s|u[\"\^]*e[\"\^]*r[\"\^]*y[\"\^]*[\s\v,\.-/;-<>].*|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a)|r[\"\^]*(?
:a[\"\^]*(?:r[\"\^]*[\s\v,\.-/;-<>].*|s[\"\^]*(?:d[\"\^]*i[\"\^]*a[\"\^]*l|p[\"\^]*h[\"\^]*o[\"\^]*n[\"\^]*e))|d[\"\^]*[\s\v,\.-/;-<>].*|e[\"\^]*(?:c[\"\^]*(?:d[\"\^]*i[\"\^]*s[\"\^]*c|o[\"\^]*v[\"\^]*e[\"\^]*r)|g[\"\^]*(?:[\s\v,\.-/;-<>].*|e[\"\^]*d[\"\^]*i[\"\^]*t|i[\"\^]*n[\"\^]*i|s[\"\^]*v[\"\^]*r[\"\^]*3[\"\^]*2)|k[\"\^]*e[\"\^]*y[\"\^]*w[\"\^]*i[\"\^]*z|(?:n[\"\^]*(?:a[\"\^]*m[\"\^]*e[\"\^]*)?|(?:p[\"\^]*l[\"\^]*a[\"\^]*c[\"\^]*e|s[\"\^]*e[\"\^]*t)[\"\^]*)[\s\v,\.-/;-<>].*)|m[\"\^]*(?:(?:d[\"\^]*i[\"\^]*r[\"\^]*)?[\s\v,\.-/;-<>].*|t[\"\^]*s[\"\^]*h[\"\^]*a[\"\^]*r[\"\^]*e)|o[\"\^]*(?:b[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y|u[\"\^]*t[\"\^]*e[\"\^]*[\s\v,\.-/;-<>].*)|s[\"\^]*(?:t[\"\^]*r[\"\^]*u[\"\^]*i|y[\"\^]*n[\"\^]*c)|u[\"\^]*(?:b[\"\^]*y[\"\^]*(?:1(?:[\"\^]*[8-9])?|2[\"\^]*[0-2])|n[\"\^]*(?:a[\"\^]*s|d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2)))|s[\"\^]*(?:c[\"\^]*(?:h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|l[\"\^]*i[\"\^]*s[\"\^]*t)|e[\"\^]*(?:c[\"\^]*p[\"\^]*o[\"\^]*l|l[\"\^]*e[\"\^]*c[\"\^]*t|t[\"\^]*(?:(?:x[\"\^]*)?[\s\v,\.-/;-<>].*|l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l))|f[\"\^]*c|h[\"\^]*(?:a[\"\^]*r[\"\^]*e|e[\"\^]*l[\"\^]*l[\"\^]*r[\"\^]*u[\"\^]*n[\"\^]*a[\"\^]*s|i[\"\^]*f[\"\^]*t|o[\"\^]*(?:r[\"\^]*t[\"\^]*c[\"\^]*u[\"\^]*t|w[\"\^]*(?:g[\"\^]*r[\"\^]*p|m[\"\^]*b[\"\^]*r)[\"\^]*s)|r[\"\^]*p[\"\^]*u[\"\^]*b[\"\^]*w|u[\"\^]*t[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n)|i[\"\^]*g[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f|l[\"\^]*(?:e[\"\^]*e[\"\^]*p|m[\"\^]*g[\"\^]*r)|(?:o|t[\"\^]*a)[\"\^]*r[\"\^]*t[\"\^]*[\s\v,\.-/;-<>].*|u[\"\^]*b[\"\^]*(?:i[\"\^]*n[\"\^]*a[\"\^]*c[\"\^]*l|s[\"\^]*t)|v[\"\^]*n|y[\"\^]*s[\"\^]*(?:d[\"\^]*m|k[\"\^]*e[\"\^]*y|t[\"\^]*e[\"\^]*m[\"\^]*(?:i[\"\^]*n[\"\^]*f[\"\^]*o|p[\"\^]*r[\"\^]*o[\"\^]*p[\"\^]*e[\"\^]*r[\"\^]*t[\"\^]*i[\"\^]*e[\"\^]*s[\"\^]*(?:a[\"\^]*d[\"\^]*v[\"\^]*a[\"\^]*n[\"\^]*c[\"\^]*e[\"\^]*d|d[\"\^]*a[\"\^]*t[\"\^]*a[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*p[\"\^]*r[\"\^]*e[\"\^]*v[\"\^]*e[\"\^]*n
[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n|(?:h[\"\^]*a[\"\^]*r[\"\^]*d[\"\^]*w[\"\^]*a[\"\^]*r|p[\"\^]*e[\"\^]*r[\"\^]*f[\"\^]*o[\"\^]*r[\"\^]*m[\"\^]*a[\"\^]*n[\"\^]*c)[\"\^]*e))))|t[\"\^]*(?:a[\"\^]*(?:k[\"\^]*e[\"\^]*o[\"\^]*w[\"\^]*n|s[\"\^]*k[\"\^]*(?:k[\"\^]*i[\"\^]*l[\"\^]*l|l[\"\^]*i[\"\^]*s[\"\^]*t|m[\"\^]*g[\"\^]*r|s[\"\^]*c[\"\^]*h[\"\^]*d))|(?:e[\"\^]*l[\"\^]*n[\"\^]*e|i[\"\^]*m[\"\^]*e[\"\^]*o[\"\^]*u|l[\"\^]*i[\"\^]*s|p[\"\^]*m[\"\^]*i[\"\^]*n[\"\^]*i)[\"\^]*t|r[\"\^]*(?:a[\"\^]*c[\"\^]*e[\"\^]*r[\"\^]*t|e[\"\^]*e)|s[\"\^]*(?:d[\"\^]*i[\"\^]*s[\"\^]*c[\"\^]*o|s[\"\^]*h[\"\^]*u[\"\^]*t[\"\^]*d)[\"\^]*n|y[\"\^]*p[\"\^]*e[\"\^]*(?:[\s\v,\.-/;-<>].*|p[\"\^]*e[\"\^]*r[\"\^]*f))|u[\"\^]*(?:n[\"\^]*(?:r[\"\^]*a[\"\^]*r|z[\"\^]*i[\"\^]*p)|s[\"\^]*(?:e[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*c[\"\^]*o[\"\^]*u[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*t[\"\^]*r[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*t[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s|r[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t))|v[\"\^]*(?:e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*y|o[\"\^]*l[\"\^]*[\s\v,\.-/;-<>].*)|w[\"\^]*(?:a[\"\^]*i[\"\^]*t[\"\^]*f[\"\^]*o[\"\^]*r|e[\"\^]*v[\"\^]*t[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|g[\"\^]*e[\"\^]*t|h[\"\^]*o[\"\^]*a[\"\^]*m[\"\^]*i|i[\"\^]*n[\"\^]*(?:d[\"\^]*i[\"\^]*f[\"\^]*f|m[\"\^]*s[\"\^]*d[\"\^]*p|r[\"\^]*[ms]|v[\"\^]*a[\"\^]*r)|m[\"\^]*i[\"\^]*(?:c|m[\"\^]*g[\"\^]*m[\"\^]*t)|s[\"\^]*c[\"\^]*(?:r[\"\^]*i[\"\^]*p[\"\^]*t|u[\"\^]*i)|u[\"\^]*(?:a[\"\^]*(?:p[\"\^]*p|u[\"\^]*c[\"\^]*l[\"\^]*t)|s[\"\^]*a))|x[\"\^]*c[\"\^]*(?:a[\"\^]*c[\"\^]*l[\"\^]*s|o[\"\^]*p[\"\^]*y)|z[\"\^]*i[\"\^]*p[\"\^]*[\s\v,\.-/;-<>].*)(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" "id:932115, phase:2, block, capture, t:none, msg:'Remote Command Execution: Windows Command Injection', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-shell', tag:'platform-windows', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', 
ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Windows PowerShell, cmdlets and options ] 
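Review bot: The joined 932115 rule is now one physical line holding the full generated regex plus the action list, while the comment right after 932235 earlier in this file says Apache 2.2 rejects configuration lines over 8kB and that commands were split into a separate rule for exactly that reason; the joined 932125, 932250 and 932260 rules raise the same question. If this copy is only loaded by an engine without that limit, record it next to the rules, e.g. `# NOTE: rules are kept on one line each (no backslash continuation); this copy is not meant for Apache 2.2's 8kB line limit`, otherwise the join regresses the constraint the continuation lines were protecting. The `# crs-toolchain regex update 932115` marker above the rule also presumes upstream's layout, so a short comment on how this reformatted copy is regenerated from upstream CRS would keep future CRS security updates mergeable rather than hand-edited. No behavioural change is expected from the join itself, since Apache's continuation handling already left whitespace between the actions once the old lines were concatenated.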
@@ -232,27 +175,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # https://technet.microsoft.com/en-us/magazine/ff714569.aspx # https://msdn.microsoft.com/en-us/powershell/scripting/core-powershell/console/powershell.exe-command-line-help # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile windows-powershell-commands.data" \ - "id:932120,\ - phase:2,\ - block,\ - capture,\ - t:none,t:cmdLine,\ - msg:'Remote Command Execution: Windows PowerShell Command Found',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-shell',\ - tag:'language-powershell',\ - tag:'platform-windows',\ - tag:'attack-rce',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/88',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile windows-powershell-commands.data" "id:932120, phase:2, block, capture, t:none,t:cmdLine, msg:'Remote Command Execution: Windows PowerShell Command Found', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-shell', tag:'language-powershell', tag:'platform-windows', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Windows Powershell cmdlet aliases ] 
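Review bot: The joined action list of 932120 mixes separators: `t:none,t:cmdLine, msg:` keeps the transformation list unspaced while every other comma is followed by a space, and 932130, 932140 and 932160 carry the same mix. Writing it as `t:none, t:cmdLine, msg:` (or dropping the spaces throughout) reads consistently and avoids the impression that `t:none,t:cmdLine` is a single action. This is a style point only; the parser is presumably indifferent, as it already was to the indentation carried over from the old continuation lines.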
@@ -267,26 +190,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932125 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:(?:a[\"\^]*(?:c|s[\"\^]*n[\"\^]*p)|e[\"\^]*(?:b[\"\^]*p|p[\"\^]*(?:a[\"\^]*l|c[\"\^]*s[\"\^]*v|s[\"\^]*n)|[tx][\"\^]*s[\"\^]*n)|f[\"\^]*(?:[cltw]|o[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*c[\"\^]*h)|i[\"\^]*(?:[cr][\"\^]*m|e[\"\^]*x|h[\"\^]*y|i|p[\"\^]*(?:a[\"\^]*l|c[\"\^]*s[\"\^]*v|m[\"\^]*o|s[\"\^]*n)|s[\"\^]*e|w[\"\^]*(?:m[\"\^]*i|r))|m[\"\^]*(?:a[\"\^]*n|[dipv]|o[\"\^]*u[\"\^]*n[\"\^]*t)|o[\"\^]*g[\"\^]*v|p[\"\^]*(?:o[\"\^]*p|u[\"\^]*s[\"\^]*h)[\"\^]*d|t[\"\^]*r[\"\^]*c[\"\^]*m|w[\"\^]*j[\"\^]*b)[\"\^]*[\s\v,\.-/;-<>].*|c[\"\^]*(?:(?:(?:d|h[\"\^]*d[\"\^]*i[\"\^]*r|v[\"\^]*p[\"\^]*a)[\"\^]*|p[\"\^]*(?:[ip][\"\^]*)?)[\s\v,\.-/;-<>].*|l[\"\^]*(?:(?:[cipv]|h[\"\^]*y)[\"\^]*[\s\v,\.-/;-<>].*|s)|n[\"\^]*s[\"\^]*n)|d[\"\^]*(?:(?:b[\"\^]*p|e[\"\^]*l|i[\"\^]*(?:f[\"\^]*f|r))[\"\^]*[\s\v,\.-/;-<>].*|n[\"\^]*s[\"\^]*n)|g[\"\^]*(?:(?:(?:(?:a[\"\^]*)?l|b[\"\^]*p|d[\"\^]*r|h[\"\^]*y|(?:w[\"\^]*m[\"\^]*)?i|j[\"\^]*b|[u-v])[\"\^]*|c[\"\^]*(?:[ims][\"\^]*)?|m[\"\^]*(?:o[\"\^]*)?|s[\"\^]*(?:n[\"\^]*(?:p[\"\^]*)?|v[\"\^]*))[\s\v,\.-/;-<>].*|e[\"\^]*r[\"\^]*r|p[\"\^]*(?:(?:s[\"\^]*)?[\s\v,\.-/;-<>].*|v))|l[\"\^]*s|n[\"\^]*(?:(?:a[\"\^]*l|d[\"\^]*r|[iv]|m[\"\^]*o|s[\"\^]*n)[\"\^]*[\s\v,\.-/;-<>].*|p[\"\^]*s[\"\^]*s[\"\^]*c)|r[\"\^]*(?:(?:(?:(?:b[\"\^]*)?p|e[\"\^]*n|(?:w[\"\^]*m[\"\^]*)?i|j[\"\^]*b|n[\"\^]*[ip])[\"\^]*|d[\"\^]*(?:r[\"\^]*)?|m[\"\^]*(?:(?:d[\"\^]*i[\"\^]*r|o)[\"\^]*)?|s[\"\^]*n[\"\^]*(?:p[\"\^]*)?|v[\"\^]*(?:p[\"\^]*a[\"\^]*)?)[\s\v,\.-/;-<>].*|c[\"\^]*(?:j[\"\^]*b[\"\^]*[\s\v,\.-/;-<>].*|s[\"\^]*n)|u[\"\^]*
j[\"\^]*b)|s[\"\^]*(?:(?:(?:a[\"\^]*(?:j[\"\^]*b|l|p[\"\^]*s|s[\"\^]*v)|b[\"\^]*p|[civ]|w[\"\^]*m[\"\^]*i)[\"\^]*|l[\"\^]*(?:s[\"\^]*)?|p[\"\^]*(?:(?:j[\"\^]*b|p[\"\^]*s|s[\"\^]*v)[\"\^]*)?)[\s\v,\.-/;-<>].*|h[\"\^]*c[\"\^]*m|u[\"\^]*j[\"\^]*b))(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \ - "id:932125,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'Remote Command Execution: Windows Powershell Alias Command Injection',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-shell',\ - tag:'platform-windows',\ - tag:'attack-rce',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/88',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ 
\"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:(?:a[\"\^]*(?:c|s[\"\^]*n[\"\^]*p)|e[\"\^]*(?:b[\"\^]*p|p[\"\^]*(?:a[\"\^]*l|c[\"\^]*s[\"\^]*v|s[\"\^]*n)|[tx][\"\^]*s[\"\^]*n)|f[\"\^]*(?:[cltw]|o[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*c[\"\^]*h)|i[\"\^]*(?:[cr][\"\^]*m|e[\"\^]*x|h[\"\^]*y|i|p[\"\^]*(?:a[\"\^]*l|c[\"\^]*s[\"\^]*v|m[\"\^]*o|s[\"\^]*n)|s[\"\^]*e|w[\"\^]*(?:m[\"\^]*i|r))|m[\"\^]*(?:a[\"\^]*n|[dipv]|o[\"\^]*u[\"\^]*n[\"\^]*t)|o[\"\^]*g[\"\^]*v|p[\"\^]*(?:o[\"\^]*p|u[\"\^]*s[\"\^]*h)[\"\^]*d|t[\"\^]*r[\"\^]*c[\"\^]*m|w[\"\^]*j[\"\^]*b)[\"\^]*[\s\v,\.-/;-<>].*|c[\"\^]*(?:(?:(?:d|h[\"\^]*d[\"\^]*i[\"\^]*r|v[\"\^]*p[\"\^]*a)[\"\^]*|p[\"\^]*(?:[ip][\"\^]*)?)[\s\v,\.-/;-<>].*|l[\"\^]*(?:(?:[cipv]|h[\"\^]*y)[\"\^]*[\s\v,\.-/;-<>].*|s)|n[\"\^]*s[\"\^]*n)|d[\"\^]*(?:(?:b[\"\^]*p|e[\"\^]*l|i[\"\^]*(?:f[\"\^]*f|r))[\"\^]*[\s\v,\.-/;-<>].*|n[\"\^]*s[\"\^]*n)|g[\"\^]*(?:(?:(?:(?:a[\"\^]*)?l|b[\"\^]*p|d[\"\^]*r|h[\"\^]*y|(?:w[\"\^]*m[\"\^]*)?i|j[\"\^]*b|[u-v])[\"\^]*|c[\"\^]*(?:[ims][\"\^]*)?|m[\"\^]*(?:o[\"\^]*)?|s[\"\^]*(?:n[\"\^]*(?:p[\"\^]*)?|v[\"\^]*))[\s\v,\.-/;-<>].*|e[\"\^]*r[\"\^]*r|p[\"\^]*(?:(?:s[\"\^]*)?[\s\v,\.-/;-<>].*|v))|l[\"\^]*s|n[\"\^]*(?:(?:a[\"\^]*l|d[\"\^]*r|[iv]|m[\"\^]*o|s[\"\^]*n)[\"\^]*[\s\v,\.-/;-<>].*|p[\"\^]*s[\"\^]*s[\"\^]*c)|r[\"\^]*(?:(?:(?:(?:b[\"\^]*)?p|e[\"\^]*n|(?:w[\"\^]*m[\"\^]*)?i|j[\"\^]*b|n[\"\^]*[ip])[\"\^]*|d[\"\^]*(?:r[\"\^]*)?|m[\"\^]*(?:(?:d[\"\^]*i[\"\^]*r|o)[\"\^]*)?|s[\"\^]*n[\"\^]*(?:p[\"\^]*)?|v[\"\^]*(?:p[\"\^]*a[\"\^]*)?)[\s\v,\.-/;-<>].*|c[\"\^]*(?:j[\"\^]*b[\"\^]*[\s\v,\.-/;-<>].*|s[\"\^]*n)|u[\"\^]*j[\"\^]*b)|s[\"\^]*(?:(?:(?:a[\"\^]*(?:j[\"\^]*b|l|p[\"\^]*s|s[\"\^]*v)|b[\"\^]*p|[civ]|w[\"\^]*m[\"\^]*i)[\"\^]*|l[\"\^]*(?:s[\"\^]*)?|p[\"\^]*(?:(?:j[\"\^]*b|p[\"\^]*s|s[\"\^]*v)[\"\^]*)?)[\s\v,\.-/;-<>].*|h[\"\^]*c[\"\^]*m|u[\"\^]*j[\"\^]*b))(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" "id:932125, phase:2, block, capture, t:none, msg:'Remote Command Execution: Windows Powershell Alias Command Injection', logdata:'Matched Data: %{TX.0} found 
within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-shell', tag:'platform-windows', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Unix shell expressions ] 
@@ -310,26 +214,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # # This rule is essential to defend against the Log4J / Log4Shell attacks (see also rule 944150) # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \$(?:\((?:.*|\(.*\))\)|\{.*\})|[<>]\(.*\)|/[0-9A-Z_a-z]*\[!?.+\]" \ - "id:932130,\ - phase:2,\ - block,\ - capture,\ - t:none,t:cmdLine,\ - msg:'Remote Command Execution: Unix Shell Expression Found',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-shell',\ - tag:'platform-unix',\ - tag:'attack-rce',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/88',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \$(?:\((?:.*|\(.*\))\)|\{.*\})|[<>]\(.*\)|/[0-9A-Z_a-z]*\[!?.+\]" "id:932130, phase:2, block, capture, t:none,t:cmdLine, msg:'Remote Command Execution: Unix Shell Expression Found', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-shell', tag:'platform-unix', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Windows FOR, IF commands ] 
@@ -357,26 +242,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932140 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \b(?:for(?:/[dflr].*)? %+[^ ]+ in\(.*\)[\s\v]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)\b|[ \(].*(?:\b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))\b|==)))" \ - "id:932140,\ - phase:2,\ - block,\ - capture,\ - t:none,t:cmdLine,\ - msg:'Remote Command Execution: Windows FOR/IF Command Found',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-shell',\ - tag:'platform-windows',\ - tag:'attack-rce',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/88',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \b(?:for(?:/[dflr].*)? %+[^ ]+ in\(.*\)[\s\v]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)\b|[ \(].*(?:\b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))\b|==)))" "id:932140, phase:2, block, capture, t:none,t:cmdLine, msg:'Remote Command Execution: Windows FOR/IF Command Found', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-shell', tag:'platform-windows', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Unix direct remote command execution ] 
@@ -432,26 +298,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932250 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ar])?|(?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|x)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|(?:g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|n)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|[kz][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#
\(\*\-0-9\?-@_a-\{]*)?\x5c?h|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[sz]|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|(?:s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?h|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m)[\s\v&\)<>\|]" \ - "id:932250,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'Remote Command Execution: Direct Unix Command Execution',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-shell',\ - tag:'platform-unix',\ - tag:'attack-rce',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/88',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
(?i)(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ar])?|(?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|x)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|(?:g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|n)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|[kz][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[sz]|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_
a-\{]*)?\x5c?z)|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|(?:s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?h|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m)[\s\v&\)<>\|]" "id:932250, phase:2, block, capture, t:none, msg:'Remote Command Execution: Direct Unix Command Execution', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-shell', tag:'platform-unix', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Unix command injection ] # 
@@ -485,29 +332,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932260 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:b(?:as(?:e(?:32|64|nc)|h)|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2|less|more))|c(?:o(?:mmand[\s\v<>]|proc)|url)|d(?:(?:ash|iff)[\s\v<>]|mesg|oas)|e(?:(?:cho|xec)[\s\v<>]|grep|val)|f(?:etch[\s\v<>]|grep|iletest|tp(?:stats|who))|g(?:rep[\s\v<>]|unzip|z(?:cat|exe|ip))|(?:head|java)[\s\v<>]|l(?:ast(?:comm|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:get)?|s(?:-F|b_release|cpu|mod|of|pci|usb)|wp-download|ynx[\s\v<>]|z(?:c(?:at|mp)|diff|[e-f]?grep|less|m(?:a|ore)))|m(?:ailq|locate|ysql(?:admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:\.(?:openbsd|traditional)|at)|et(?:(?:c|st)at|kit-ftp)|ohup|ping|stat)|onintr|p(?:erl5?|(?:ft|gre)p|igz|k(?:exec|ill)|opd|rint(?:env|f[\s\v<>])|tar(?:diff|grep)?|ython[^\s\v])|r(?:e(?:alpath|(?:name|p(?:eat|lace))[\s\v<>])|m(?:dir[\s\v<>]|user)|nano|sync|uby[^\s\v])|s(?:ched|diff|e(?:ndmail|t(?:env|sid))|ftp|h(?:\.distrib|ell)|o(?:cat|urce[\s\v<>])|trings|udo|ysctl)|t(?:ail[\s\v<>f]|c(?:p(?:ing|traceroute)|sh)|elnet|imeout[\s\v<>]|raceroute6?)|u(?:n(?:ame|compress|lz(?:4|ma)|(?:pig|x)z|rar|set[\s\v<>]|z(?:ip|std))|ser(?:(?:ad|mo)d|del))|vi(?:gr|pw)|w(?:get|hoami)|x(?:args|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:c(?:at|mp)|diff|[e-f]?grep|(?:ipdetail|les)s|more|run|std))" \ - 
"id:932260,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'Remote Command Execution: Direct Unix Command Execution',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-shell',\ - tag:'platform-unix',\ - tag:'attack-rce',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/88',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - chain" - SecRule MATCHED_VAR "!@rx [0-9]\s*\'\s*[0-9]" \ - "t:none,\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:b(?:as(?:e(?:32|64|nc)|h)|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2|less|more))|c(?:o(?:mmand[\s\v<>]|proc)|url)|d(?:(?:ash|iff)[\s\v<>]|mesg|oas)|e(?:(?:cho|xec)[\s\v<>]|grep|val)|f(?:etch[\s\v<>]|grep|iletest|tp(?:stats|who))|g(?:rep[\s\v<>]|unzip|z(?:cat|exe|ip))|(?:head|java)[\s\v<>]|l(?:ast(?:comm|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:get)?|s(?:-F|b_release|cpu|mod|of|pci|usb)|wp-download|ynx[\s\v<>]|z(?:c(?:at|mp)|diff|[e-f]?grep|less|m(?:a|ore)))|m(?:ailq|locate|ysql(?:admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:\.(?:openbsd|traditional)|at)|et(?:(?:c|st)at|kit-ftp)|ohup|ping|stat)|onintr|p(?:erl5?|(?:ft|gre)p|igz|k(?:exec|ill)|opd|rint(?:env|f[\s\v<>])|tar(?:diff|grep)?|ython[^\s\v])|r(?:e(?:alpath|(?:name|p(?:eat|lace))[\s\v<>])|m(?:dir[\s\v<>]|user)|nano|sync|uby[^\s\v])|s(?:c
hed|diff|e(?:ndmail|t(?:env|sid))|ftp|h(?:\.distrib|ell)|o(?:cat|urce[\s\v<>])|trings|udo|ysctl)|t(?:ail[\s\v<>f]|c(?:p(?:ing|traceroute)|sh)|elnet|imeout[\s\v<>]|raceroute6?)|u(?:n(?:ame|compress|lz(?:4|ma)|(?:pig|x)z|rar|set[\s\v<>]|z(?:ip|std))|ser(?:(?:ad|mo)d|del))|vi(?:gr|pw)|w(?:get|hoami)|x(?:args|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:c(?:at|mp)|diff|[e-f]?grep|(?:ipdetail|les)s|more|run|std))" "id:932260, phase:2, block, capture, t:none, msg:'Remote Command Execution: Direct Unix Command Execution', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-shell', tag:'platform-unix', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', chain" + SecRule MATCHED_VAR "!@rx [0-9]\s*\'\s*[0-9]" "t:none, setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Unix shell history invocation ] # 
@@ -524,26 +350,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # This rule has stricter siblings:
 # * 932331 (PL3)
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx !-\d" \
- "id:932330,\
- phase:2,\
- block,\
- capture,\
- t:none,\
- msg:'Remote Command Execution: Unix shell history invocation',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-shell',\
- tag:'platform-unix',\
- tag:'attack-rce',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248/88',\
- tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx !-\d" "id:932330, phase:2, block, capture, t:none, msg:'Remote Command Execution: Unix shell history invocation', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-shell', tag:'platform-unix', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # [ Unix shell snippets ]
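Review bot: The collapsed action list on the new 932330 line mixes two separator styles, `, ` between most actions but bare `,` inside the transformation lists of the sibling rules (`t:none,t:cmdLine,t:normalizePath` in 932160, `t:none,t:urlDecode` in 932170), and neither matches the single-line rules already in this file, which use `,` with no space (`"id:932013,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"` in the 932370 hunk). Writing the new lines as `"id:932330,phase:2,block,capture,t:none,msg:'Remote Command Execution: Unix shell history invocation',…"` would follow the file's own convention and would not depend on the engine's action parser trimming leading whitespace from every token. If the parser does not trim it, a blocking rule may fail to load or parse differently without an obvious error, so the rewritten file should go through the engine's configuration check and the rule-set regression tests before merge. The same point applies to every collapsed rule in this patch: 932160, 932170/932171, 932175, 932180, 932370, 932231, 932131 and the 932200 chain.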
@@ -565,26 +372,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
 # [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile unix-shell.data" \
- "id:932160,\
- phase:2,\
- block,\
- capture,\
- t:none,t:cmdLine,t:normalizePath,\
- msg:'Remote Command Execution: Unix Shell Code Found',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-shell',\
- tag:'platform-unix',\
- tag:'attack-rce',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248/88',\
- tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile unix-shell.data" "id:932160, phase:2, block, capture, t:none,t:cmdLine,t:normalizePath, msg:'Remote Command Execution: Unix Shell Code Found', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-shell', tag:'platform-unix', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # [ Shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169) ]
@@ -596,47 +384,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 #
 # https://access.redhat.com/articles/1212303
 #
-SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \
- "id:932170,\
- phase:1,\
- block,\
- capture,\
- t:none,t:urlDecode,\
- msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-shell',\
- tag:'platform-unix',\
- tag:'attack-rce',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248/88',\
- tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-
-SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
- "id:932171,\
- phase:2,\
- block,\
- capture,\
- t:none,t:urlDecode,t:urlDecodeUni,\
- msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-shell',\
- tag:'platform-unix',\
- tag:'attack-rce',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248/88',\
- tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" "id:932170, phase:1, block, capture, t:none,t:urlDecode, msg:'Remote Command Execution: Shellshock (CVE-2014-6271)', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-shell', tag:'platform-unix', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" "id:932171, phase:2, block, capture, t:none,t:urlDecode,t:urlDecodeUni, msg:'Remote Command Execution: Shellshock (CVE-2014-6271)', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-shell', tag:'platform-unix', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # [ Unix shell alias detection ]
@@ -659,26 +409,7 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \ # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932175 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \ba[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s\b[\s\v]+[!-\"%',0-9@-Z_a-z]+=[^\s\v]" \ - "id:932175,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'Remote Command Execution: Unix shell alias invocation',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-shell',\ - tag:'platform-unix',\ - tag:'attack-rce',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/88',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \ba[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s\b[\s\v]+[!-\"%',0-9@-Z_a-z]+=[^\s\v]" "id:932175, phase:2, block, capture, t:none, msg:'Remote Command Execution: Unix shell alias invocation', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-shell', tag:'platform-unix', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', 
tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # @@ -693,27 +424,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # that affect the behavior of the web server, possibly causing remote # code execution. # -SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name \ - "@pmFromFile restricted-upload.data" \ - "id:932180,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'Restricted File Upload Attempt',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/88',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@pmFromFile restricted-upload.data" "id:932180, phase:2, block, capture, t:none, msg:'Restricted File Upload Attempt', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Windows command injection ] 
@@ -788,26 +499,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932370 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:t[\"\^]*i[\"\^]*m[\"\^]*e|[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:c[\"\^]*c[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*c[\"\^]*k[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*s[\"\^]*o[\"\^]*l[\"\^]*e|d[\"\^]*(?:p[\"\^]*l[\"\^]*u[\"\^]*s|v[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k)|(?:g[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*o|s[\"\^]*p[\"\^]*n[\"\^]*e[\"\^]*t[\"\^]*_[\"\^]*c[\"\^]*o[\"\^]*m[\"\^]*p[\"\^]*i[\"\^]*l[\"\^]*e)[\"\^]*r|p[\"\^]*p[\"\^]*(?:i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*l[\"\^]*l[\"\^]*e[\"\^]*r|v[\"\^]*l[\"\^]*p)|t[\"\^]*(?:[\s\v,\.-/;-<>].*|b[\"\^]*r[\"\^]*o[\"\^]*k[\"\^]*e[\"\^]*r))|b[\"\^]*(?:a[\"\^]*s[\"\^]*h|g[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|c[\"\^]*(?:d[\"\^]*b|e[\"\^]*r[\"\^]*t[\"\^]*(?:o[\"\^]*c|r[\"\^]*e[\"\^]*q|u[\"\^]*t[\"\^]*i[\"\^]*l)|l[\"\^]*_[\"\^]*(?:i[\"\^]*n[\"\^]*v[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n|l[\"\^]*o[\"\^]*a[\"\^]*d[\"\^]*a[\"\^]*s[\"\^]*s[\"\^]*e[\"\^]*m[\"\^]*b[\"\^]*l[\"\^]*y|m[\"\^]*u[\"\^]*t[\"\^]*e[\"\^]*x[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*i[\"\^]*e[\"\^]*r[\"\^]*s)|m[\"\^]*(?:d(?:[\"\^]*(?:k[\"\^]*e[\"\^]*y|l[\"\^]*3[\"\^]*2))?|s[\"\^]*t[\"\^]*p)|o[\"\^]*(?:m[\"\^]*s[\"\^]*v[\"\^]*c[\"\^]*s|n[\"\^]*(?:f[\"\^]*i[\"\^]*g[\"\^]*s[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*r[\"\^]*i[\"\^]*t[\"\^]*y[\"\^]*p[\"\^]*o[\"\^]*l[\"\^]*i[\"\^]*c[\"\^]*y|h[\"\^]*o[\"\^]*s[\"\^]*t|t[\"\^]*r[\"\^]*o[\"\^]*l)|r[\"\^]*e[\"\^]*g[\"\^]*e[\"\^]*n)|r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e[\"\^]*d[\"\^]*u[\"\^]*m[\"\^]*p
|s[\"\^]*(?:c(?:[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)?|i)|u[\"\^]*s[\"\^]*t[\"\^]*o[\"\^]*m[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t)|d[\"\^]*(?:a[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*v[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|e[\"\^]*(?:f[\"\^]*a[\"\^]*u[\"\^]*l[\"\^]*t[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|s[\"\^]*k(?:[\"\^]*t[\"\^]*o[\"\^]*p[\"\^]*i[\"\^]*m[\"\^]*g[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n[\"\^]*l[\"\^]*d[\"\^]*r)?|v[\"\^]*(?:i[\"\^]*c[\"\^]*e[\"\^]*c[\"\^]*r[\"\^]*e[\"\^]*d[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*i[\"\^]*a[\"\^]*l[\"\^]*d[\"\^]*e[\"\^]*p[\"\^]*l[\"\^]*o[\"\^]*y[\"\^]*m[\"\^]*e[\"\^]*n[\"\^]*t|t[\"\^]*o[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*r))|f[\"\^]*s[\"\^]*(?:h[\"\^]*i[\"\^]*m|v[\"\^]*c)|i[\"\^]*(?:a[\"\^]*n[\"\^]*t[\"\^]*z|s[\"\^]*k[\"\^]*s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|n[\"\^]*(?:s[\"\^]*c[\"\^]*m[\"\^]*d|x)|o[\"\^]*t[\"\^]*n[\"\^]*e[\"\^]*t|u[\"\^]*m[\"\^]*p[\"\^]*6[\"\^]*4|x[\"\^]*c[\"\^]*a[\"\^]*p)|e[\"\^]*(?:s[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*u[\"\^]*t[\"\^]*l|v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*v[\"\^]*w[\"\^]*r|x[\"\^]*(?:c[\"\^]*e[\"\^]*l|p[\"\^]*(?:a[\"\^]*n[\"\^]*d|l[\"\^]*o[\"\^]*r[\"\^]*e[\"\^]*r)|t[\"\^]*(?:e[\"\^]*x[\"\^]*p[\"\^]*o[\"\^]*r[\"\^]*t|r[\"\^]*a[\"\^]*c[\"\^]*3[\"\^]*2)))|f[\"\^]*(?:i[\"\^]*n[\"\^]*(?:d[\"\^]*s[\"\^]*t|g[\"\^]*e)[\"\^]*r|l[\"\^]*t[\"\^]*m[\"\^]*c|o[\"\^]*r[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s|s[\"\^]*(?:i(?:[\"\^]*a[\"\^]*n[\"\^]*y[\"\^]*c[\"\^]*p[\"\^]*u)?|u[\"\^]*t[\"\^]*i[\"\^]*l)|t[\"\^]*p)|g[\"\^]*(?:f[\"\^]*x[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n[\"\^]*l[\"\^]*o[\"\^]*a[\"\^]*d[\"\^]*w[\"\^]*r[\"\^]*a[\"\^]*p[\"\^]*p[\"\^]*e[\"\^]*r|p[\"\^]*s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|h[\"\^]*h|i[\"\^]*(?:e[\"\^]*(?:4[\"\^]*u[\"\^]*i[\"\^]*n[\"\^]*i[\"\^]*t|a[\"\^]*d[\"\^]*v[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|e[\"\^]*x[\"\^]*e[\"\^]*c|f[\"\^]*r[\"\^]*a[\"\^]*m[\"\^]*e)|l[\"\^]*a[\"\^]*s[\"\^]*m|m[\"\^]*e[\"\^]*w[\"\^]*d[\"\^]*b[\"\^]*l[\"\^
]*d|n[\"\^]*(?:f[\"\^]*d[\"\^]*e[\"\^]*f[\"\^]*a[\"\^]*u[\"\^]*l[\"\^]*t[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*l|s[\"\^]*t[\"\^]*a[\"\^]*l[\"\^]*l[\"\^]*u[\"\^]*t[\"\^]*i)[\"\^]*l)|j[\"\^]*s[\"\^]*c|l[\"\^]*(?:a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*-[\"\^]*v[\"\^]*s[\"\^]*d[\"\^]*e[\"\^]*v[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l|d[\"\^]*i[\"\^]*f[\"\^]*d[\"\^]*e)|m[\"\^]*(?:a[\"\^]*(?:k[\"\^]*e[\"\^]*c[\"\^]*a[\"\^]*b|n[\"\^]*a[\"\^]*g[\"\^]*e[\"\^]*-[\"\^]*b[\"\^]*d[\"\^]*e|v[\"\^]*i[\"\^]*n[\"\^]*j[\"\^]*e[\"\^]*c[\"\^]*t)|f[\"\^]*t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e|i[\"\^]*c[\"\^]*r[\"\^]*o[\"\^]*s[\"\^]*o[\"\^]*f[\"\^]*t|m[\"\^]*c|p[\"\^]*c[\"\^]*m[\"\^]*d[\"\^]*r[\"\^]*u[\"\^]*n|s[\"\^]*(?:(?:b[\"\^]*u[\"\^]*i[\"\^]*l|o[\"\^]*h[\"\^]*t[\"\^]*m[\"\^]*e)[\"\^]*d|c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|d[\"\^]*(?:e[\"\^]*p[\"\^]*l[\"\^]*o[\"\^]*y|t)|h[\"\^]*t[\"\^]*(?:a|m[\"\^]*l)|i[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c|p[\"\^]*u[\"\^]*b|x[\"\^]*s[\"\^]*l))|n[\"\^]*(?:e[\"\^]*t[\"\^]*s[\"\^]*h|t[\"\^]*d[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l)|o[\"\^]*(?:d[\"\^]*b[\"\^]*c[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f|f[\"\^]*f[\"\^]*l[\"\^]*i[\"\^]*n[\"\^]*e[\"\^]*s[\"\^]*c[\"\^]*a[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*r[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l|n[\"\^]*e[\"\^]*d[\"\^]*r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*n[\"\^]*d[\"\^]*a[\"\^]*l[\"\^]*o[\"\^]*n[\"\^]*e[\"\^]*u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e[\"\^]*r|p[\"\^]*e[\"\^]*n[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*s[\"\^]*o[\"\^]*l[\"\^]*e)|p[\"\^]*(?:c[\"\^]*(?:a[\"\^]*l[\"\^]*u[\"\^]*a|w[\"\^]*(?:r[\"\^]*u[\"\^]*n|u[\"\^]*t[\"\^]*l))|(?:e[\"\^]*s[\"\^]*t[\"\^]*e|s)[\"\^]*r|(?:k[\"\^]*t[\"\^]*m[\"\^]*o|u[\"\^]*b[\"\^]*p[\"\^]*r)[\"\^]*n|n[\"\^]*p[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|o[\"\^]*w[\"\^]*e[\"\^]*r[\"\^]*p[\"\^]*n[\"\^]*t|r[\"\^]*(?:e[\"\^]*s[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t|i[\"\^]*n[\"\^]*t(?:[\"\^]*b[\"\^]*r[\"\^]*m)?|o[\"\^]*(?:c[\"\^]
*d[\"\^]*u[\"\^]*m[\"\^]*p|t[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*l[\"\^]*h[\"\^]*a[\"\^]*n[\"\^]*d[\"\^]*l[\"\^]*e[\"\^]*r)))|r[\"\^]*(?:a[\"\^]*s[\"\^]*a[\"\^]*u[\"\^]*t[\"\^]*o[\"\^]*u|c[\"\^]*s[\"\^]*i|(?:d[\"\^]*r[\"\^]*l[\"\^]*e[\"\^]*a[\"\^]*k[\"\^]*d[\"\^]*i[\"\^]*a|p[\"\^]*c[\"\^]*p[\"\^]*i[\"\^]*n)[\"\^]*g|e[\"\^]*(?:g(?:[\"\^]*(?:a[\"\^]*s[\"\^]*m|e[\"\^]*d[\"\^]*i[\"\^]*t|i[\"\^]*(?:n[\"\^]*i|s[\"\^]*t[\"\^]*e[\"\^]*r[\"\^]*-[\"\^]*c[\"\^]*i[\"\^]*m[\"\^]*p[\"\^]*r[\"\^]*o[\"\^]*v[\"\^]*i[\"\^]*d[\"\^]*e[\"\^]*r)|s[\"\^]*v[\"\^]*(?:c[\"\^]*s|r[\"\^]*3[\"\^]*2)))?|(?:m[\"\^]*o[\"\^]*t|p[\"\^]*l[\"\^]*a[\"\^]*c)[\"\^]*e)|u[\"\^]*n[\"\^]*(?:d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|(?:e[\"\^]*x[\"\^]*e|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*p[\"\^]*e[\"\^]*r|o[\"\^]*n[\"\^]*c[\"\^]*e))|s[\"\^]*(?:c[\"\^]*(?:[\s\v,\.-/;-<>].*|h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|r[\"\^]*i[\"\^]*p[\"\^]*t[\"\^]*r[\"\^]*u[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*r)|e[\"\^]*t[\"\^]*(?:r[\"\^]*e[\"\^]*s|t[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s[\"\^]*y[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t|u[\"\^]*p[\"\^]*a[\"\^]*p[\"\^]*i)|h[\"\^]*(?:d[\"\^]*o[\"\^]*c[\"\^]*v[\"\^]*w|e[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2)|q[\"\^]*(?:l[\"\^]*(?:d[\"\^]*u[\"\^]*m[\"\^]*p[\"\^]*e[\"\^]*r|(?:t[\"\^]*o[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*)?p[\"\^]*s)|u[\"\^]*i[\"\^]*r[\"\^]*r[\"\^]*e[\"\^]*l)|s[\"\^]*h|t[\"\^]*o[\"\^]*r[\"\^]*d[\"\^]*i[\"\^]*a[\"\^]*g|y[\"\^]*(?:n[\"\^]*c[\"\^]*a[\"\^]*p[\"\^]*p[\"\^]*v[\"\^]*p[\"\^]*u[\"\^]*b[\"\^]*l[\"\^]*i[\"\^]*s[\"\^]*h[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s[\"\^]*e[\"\^]*r[\"\^]*v[\"\^]*e[\"\^]*r|s[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p))|t[\"\^]*(?:e[\"\^]*[\s\v,\.-/;-<>].*|r[\"\^]*a[\"\^]*c[\"\^]*k[\"\^]*e[\"\^]*r|t[\"\^]*(?:d[\"\^]*i[\"\^]*n[\"\^]*j[\"\^]*e[\"\^]*c[\"\^]*t|t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e[\"\^]*r))|u[\"\^]*(?:n[\"\^]*r[\"\^]*e[\"\^]*g[\"\^]*m[\"\^]*p[\"\^]*2|p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e|r[\"\^]*l|t[\"\^]*i[\"\^]*l[\"\^]*i[\"\^]*t[\"\^]
*y[\"\^]*f[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*s)|v[\"\^]*(?:b[\"\^]*c|e[\"\^]*r[\"\^]*c[\"\^]*l[\"\^]*s[\"\^]*i[\"\^]*d|i[\"\^]*s[\"\^]*u[\"\^]*a[\"\^]*l[\"\^]*u[\"\^]*i[\"\^]*a[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*y[\"\^]*n[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*v[\"\^]*e|s[\"\^]*(?:i[\"\^]*i[\"\^]*s[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h|j[\"\^]*i[\"\^]*t[\"\^]*d[\"\^]*e[\"\^]*b[\"\^]*u[\"\^]*g[\"\^]*g)[\"\^]*e[\"\^]*r)|w[\"\^]*(?:a[\"\^]*b|(?:f|m[\"\^]*i)[\"\^]*c|i[\"\^]*n[\"\^]*(?:g[\"\^]*e[\"\^]*t|r[\"\^]*m|w[\"\^]*o[\"\^]*r[\"\^]*d)|l[\"\^]*r[\"\^]*m[\"\^]*d[\"\^]*r|o[\"\^]*r[\"\^]*k[\"\^]*f[\"\^]*o[\"\^]*l[\"\^]*d[\"\^]*e[\"\^]*r[\"\^]*s|s[\"\^]*(?:(?:c[\"\^]*r[\"\^]*i[\"\^]*p|r[\"\^]*e[\"\^]*s[\"\^]*e)[\"\^]*t|l)|t[\"\^]*[\s\v,\.-/;-<>].*|u[\"\^]*a[\"\^]*u[\"\^]*c[\"\^]*l[\"\^]*t)|x[\"\^]*w[\"\^]*i[\"\^]*z[\"\^]*a[\"\^]*r[\"\^]*d|z[\"\^]*i[\"\^]*p[\"\^]*f[\"\^]*l[\"\^]*d[\"\^]*r)(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \ - "id:932370,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'Remote Command Execution: Windows Command Injection',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-shell',\ - tag:'platform-windows',\ - tag:'attack-rce',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/88',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:t[\"\^]*i[\"\^]*m[\"\^]*e|[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ 
\"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:c[\"\^]*c[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*c[\"\^]*k[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*s[\"\^]*o[\"\^]*l[\"\^]*e|d[\"\^]*(?:p[\"\^]*l[\"\^]*u[\"\^]*s|v[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k)|(?:g[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*o|s[\"\^]*p[\"\^]*n[\"\^]*e[\"\^]*t[\"\^]*_[\"\^]*c[\"\^]*o[\"\^]*m[\"\^]*p[\"\^]*i[\"\^]*l[\"\^]*e)[\"\^]*r|p[\"\^]*p[\"\^]*(?:i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*l[\"\^]*l[\"\^]*e[\"\^]*r|v[\"\^]*l[\"\^]*p)|t[\"\^]*(?:[\s\v,\.-/;-<>].*|b[\"\^]*r[\"\^]*o[\"\^]*k[\"\^]*e[\"\^]*r))|b[\"\^]*(?:a[\"\^]*s[\"\^]*h|g[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|c[\"\^]*(?:d[\"\^]*b|e[\"\^]*r[\"\^]*t[\"\^]*(?:o[\"\^]*c|r[\"\^]*e[\"\^]*q|u[\"\^]*t[\"\^]*i[\"\^]*l)|l[\"\^]*_[\"\^]*(?:i[\"\^]*n[\"\^]*v[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n|l[\"\^]*o[\"\^]*a[\"\^]*d[\"\^]*a[\"\^]*s[\"\^]*s[\"\^]*e[\"\^]*m[\"\^]*b[\"\^]*l[\"\^]*y|m[\"\^]*u[\"\^]*t[\"\^]*e[\"\^]*x[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*i[\"\^]*e[\"\^]*r[\"\^]*s)|m[\"\^]*(?:d(?:[\"\^]*(?:k[\"\^]*e[\"\^]*y|l[\"\^]*3[\"\^]*2))?|s[\"\^]*t[\"\^]*p)|o[\"\^]*(?:m[\"\^]*s[\"\^]*v[\"\^]*c[\"\^]*s|n[\"\^]*(?:f[\"\^]*i[\"\^]*g[\"\^]*s[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*r[\"\^]*i[\"\^]*t[\"\^]*y[\"\^]*p[\"\^]*o[\"\^]*l[\"\^]*i[\"\^]*c[\"\^]*y|h[\"\^]*o[\"\^]*s[\"\^]*t|t[\"\^]*r[\"\^]*o[\"\^]*l)|r[\"\^]*e[\"\^]*g[\"\^]*e[\"\^]*n)|r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e[\"\^]*d[\"\^]*u[\"\^]*m[\"\^]*p|s[\"\^]*(?:c(?:[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)?|i)|u[\"\^]*s[\"\^]*t[\"\^]*o[\"\^]*m[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t)|d[\"\^]*(?:a[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*v[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|e[\"\^]*(?:f[\"\^]*a[\"\^]*u[\"\^]*l[\"\^]*t[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|s[\"\^]*k(?:[\"\^]*t[\"\^]*o[\"\^]*p[\"\^]*i[\"\^]*m[\"\^]*g[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n[\"\^]*l[\"\^]*d[\"\^]*r)?|v[\"\^]*(?:i[\"\^]*c[\"
\^]*e[\"\^]*c[\"\^]*r[\"\^]*e[\"\^]*d[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*i[\"\^]*a[\"\^]*l[\"\^]*d[\"\^]*e[\"\^]*p[\"\^]*l[\"\^]*o[\"\^]*y[\"\^]*m[\"\^]*e[\"\^]*n[\"\^]*t|t[\"\^]*o[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*r))|f[\"\^]*s[\"\^]*(?:h[\"\^]*i[\"\^]*m|v[\"\^]*c)|i[\"\^]*(?:a[\"\^]*n[\"\^]*t[\"\^]*z|s[\"\^]*k[\"\^]*s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|n[\"\^]*(?:s[\"\^]*c[\"\^]*m[\"\^]*d|x)|o[\"\^]*t[\"\^]*n[\"\^]*e[\"\^]*t|u[\"\^]*m[\"\^]*p[\"\^]*6[\"\^]*4|x[\"\^]*c[\"\^]*a[\"\^]*p)|e[\"\^]*(?:s[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*u[\"\^]*t[\"\^]*l|v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*v[\"\^]*w[\"\^]*r|x[\"\^]*(?:c[\"\^]*e[\"\^]*l|p[\"\^]*(?:a[\"\^]*n[\"\^]*d|l[\"\^]*o[\"\^]*r[\"\^]*e[\"\^]*r)|t[\"\^]*(?:e[\"\^]*x[\"\^]*p[\"\^]*o[\"\^]*r[\"\^]*t|r[\"\^]*a[\"\^]*c[\"\^]*3[\"\^]*2)))|f[\"\^]*(?:i[\"\^]*n[\"\^]*(?:d[\"\^]*s[\"\^]*t|g[\"\^]*e)[\"\^]*r|l[\"\^]*t[\"\^]*m[\"\^]*c|o[\"\^]*r[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s|s[\"\^]*(?:i(?:[\"\^]*a[\"\^]*n[\"\^]*y[\"\^]*c[\"\^]*p[\"\^]*u)?|u[\"\^]*t[\"\^]*i[\"\^]*l)|t[\"\^]*p)|g[\"\^]*(?:f[\"\^]*x[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n[\"\^]*l[\"\^]*o[\"\^]*a[\"\^]*d[\"\^]*w[\"\^]*r[\"\^]*a[\"\^]*p[\"\^]*p[\"\^]*e[\"\^]*r|p[\"\^]*s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|h[\"\^]*h|i[\"\^]*(?:e[\"\^]*(?:4[\"\^]*u[\"\^]*i[\"\^]*n[\"\^]*i[\"\^]*t|a[\"\^]*d[\"\^]*v[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|e[\"\^]*x[\"\^]*e[\"\^]*c|f[\"\^]*r[\"\^]*a[\"\^]*m[\"\^]*e)|l[\"\^]*a[\"\^]*s[\"\^]*m|m[\"\^]*e[\"\^]*w[\"\^]*d[\"\^]*b[\"\^]*l[\"\^]*d|n[\"\^]*(?:f[\"\^]*d[\"\^]*e[\"\^]*f[\"\^]*a[\"\^]*u[\"\^]*l[\"\^]*t[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*l|s[\"\^]*t[\"\^]*a[\"\^]*l[\"\^]*l[\"\^]*u[\"\^]*t[\"\^]*i)[\"\^]*l)|j[\"\^]*s[\"\^]*c|l[\"\^]*(?:a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*-[\"\^]*v[\"\^]*s[\"\^]*d[\"\^]*e[\"\^]*v[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l|d[\"\^]*i[\"\^]*f[\"\^]*d[\"\^]*e)|m[\"\^]*(?:a[\"\^]*(?:k[\"\^]*e[\"\^]*c[\"\^]*a[\"\^]*b|n[\"\^]*a[\"\^]*g[\"\^]*e[\"\^]*-[
\"\^]*b[\"\^]*d[\"\^]*e|v[\"\^]*i[\"\^]*n[\"\^]*j[\"\^]*e[\"\^]*c[\"\^]*t)|f[\"\^]*t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e|i[\"\^]*c[\"\^]*r[\"\^]*o[\"\^]*s[\"\^]*o[\"\^]*f[\"\^]*t|m[\"\^]*c|p[\"\^]*c[\"\^]*m[\"\^]*d[\"\^]*r[\"\^]*u[\"\^]*n|s[\"\^]*(?:(?:b[\"\^]*u[\"\^]*i[\"\^]*l|o[\"\^]*h[\"\^]*t[\"\^]*m[\"\^]*e)[\"\^]*d|c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|d[\"\^]*(?:e[\"\^]*p[\"\^]*l[\"\^]*o[\"\^]*y|t)|h[\"\^]*t[\"\^]*(?:a|m[\"\^]*l)|i[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c|p[\"\^]*u[\"\^]*b|x[\"\^]*s[\"\^]*l))|n[\"\^]*(?:e[\"\^]*t[\"\^]*s[\"\^]*h|t[\"\^]*d[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l)|o[\"\^]*(?:d[\"\^]*b[\"\^]*c[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f|f[\"\^]*f[\"\^]*l[\"\^]*i[\"\^]*n[\"\^]*e[\"\^]*s[\"\^]*c[\"\^]*a[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*r[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l|n[\"\^]*e[\"\^]*d[\"\^]*r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*n[\"\^]*d[\"\^]*a[\"\^]*l[\"\^]*o[\"\^]*n[\"\^]*e[\"\^]*u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e[\"\^]*r|p[\"\^]*e[\"\^]*n[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*s[\"\^]*o[\"\^]*l[\"\^]*e)|p[\"\^]*(?:c[\"\^]*(?:a[\"\^]*l[\"\^]*u[\"\^]*a|w[\"\^]*(?:r[\"\^]*u[\"\^]*n|u[\"\^]*t[\"\^]*l))|(?:e[\"\^]*s[\"\^]*t[\"\^]*e|s)[\"\^]*r|(?:k[\"\^]*t[\"\^]*m[\"\^]*o|u[\"\^]*b[\"\^]*p[\"\^]*r)[\"\^]*n|n[\"\^]*p[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|o[\"\^]*w[\"\^]*e[\"\^]*r[\"\^]*p[\"\^]*n[\"\^]*t|r[\"\^]*(?:e[\"\^]*s[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t|i[\"\^]*n[\"\^]*t(?:[\"\^]*b[\"\^]*r[\"\^]*m)?|o[\"\^]*(?:c[\"\^]*d[\"\^]*u[\"\^]*m[\"\^]*p|t[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*l[\"\^]*h[\"\^]*a[\"\^]*n[\"\^]*d[\"\^]*l[\"\^]*e[\"\^]*r)))|r[\"\^]*(?:a[\"\^]*s[\"\^]*a[\"\^]*u[\"\^]*t[\"\^]*o[\"\^]*u|c[\"\^]*s[\"\^]*i|(?:d[\"\^]*r[\"\^]*l[\"\^]*e[\"\^]*a[\"\^]*k[\"\^]*d[\"\^]*i[\"\^]*a|p[\"\^]*c[\"\^]*p[\"\^]*i[\"\^]*n)[\"\^]*g|e[\"\^]*(?:g(?:[\"\^]*(?:a[\"\^]*s[\"\^]*m|e[\"\^]*d[\"\^]*i[\"\^]*t|i[\"\^]*(?:n[\"\^]*i|s[\"\^]*t[\"\^]*e[\"\^]*r[\"\^]*-[\"\^]*c[\"\^]*i[\"\^]*m[\"\^]*
p[\"\^]*r[\"\^]*o[\"\^]*v[\"\^]*i[\"\^]*d[\"\^]*e[\"\^]*r)|s[\"\^]*v[\"\^]*(?:c[\"\^]*s|r[\"\^]*3[\"\^]*2)))?|(?:m[\"\^]*o[\"\^]*t|p[\"\^]*l[\"\^]*a[\"\^]*c)[\"\^]*e)|u[\"\^]*n[\"\^]*(?:d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|(?:e[\"\^]*x[\"\^]*e|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*p[\"\^]*e[\"\^]*r|o[\"\^]*n[\"\^]*c[\"\^]*e))|s[\"\^]*(?:c[\"\^]*(?:[\s\v,\.-/;-<>].*|h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|r[\"\^]*i[\"\^]*p[\"\^]*t[\"\^]*r[\"\^]*u[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*r)|e[\"\^]*t[\"\^]*(?:r[\"\^]*e[\"\^]*s|t[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s[\"\^]*y[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t|u[\"\^]*p[\"\^]*a[\"\^]*p[\"\^]*i)|h[\"\^]*(?:d[\"\^]*o[\"\^]*c[\"\^]*v[\"\^]*w|e[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2)|q[\"\^]*(?:l[\"\^]*(?:d[\"\^]*u[\"\^]*m[\"\^]*p[\"\^]*e[\"\^]*r|(?:t[\"\^]*o[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*)?p[\"\^]*s)|u[\"\^]*i[\"\^]*r[\"\^]*r[\"\^]*e[\"\^]*l)|s[\"\^]*h|t[\"\^]*o[\"\^]*r[\"\^]*d[\"\^]*i[\"\^]*a[\"\^]*g|y[\"\^]*(?:n[\"\^]*c[\"\^]*a[\"\^]*p[\"\^]*p[\"\^]*v[\"\^]*p[\"\^]*u[\"\^]*b[\"\^]*l[\"\^]*i[\"\^]*s[\"\^]*h[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s[\"\^]*e[\"\^]*r[\"\^]*v[\"\^]*e[\"\^]*r|s[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p))|t[\"\^]*(?:e[\"\^]*[\s\v,\.-/;-<>].*|r[\"\^]*a[\"\^]*c[\"\^]*k[\"\^]*e[\"\^]*r|t[\"\^]*(?:d[\"\^]*i[\"\^]*n[\"\^]*j[\"\^]*e[\"\^]*c[\"\^]*t|t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e[\"\^]*r))|u[\"\^]*(?:n[\"\^]*r[\"\^]*e[\"\^]*g[\"\^]*m[\"\^]*p[\"\^]*2|p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e|r[\"\^]*l|t[\"\^]*i[\"\^]*l[\"\^]*i[\"\^]*t[\"\^]*y[\"\^]*f[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*s)|v[\"\^]*(?:b[\"\^]*c|e[\"\^]*r[\"\^]*c[\"\^]*l[\"\^]*s[\"\^]*i[\"\^]*d|i[\"\^]*s[\"\^]*u[\"\^]*a[\"\^]*l[\"\^]*u[\"\^]*i[\"\^]*a[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*y[\"\^]*n[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*v[\"\^]*e|s[\"\^]*(?:i[\"\^]*i[\"\^]*s[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h|j[\"\^]*i[\"\^]*t[\"\^]*d[\"\^]*e[\"\^]*b[\"\^]*u[\"\^]*g[\"\^]
*g)[\"\^]*e[\"\^]*r)|w[\"\^]*(?:a[\"\^]*b|(?:f|m[\"\^]*i)[\"\^]*c|i[\"\^]*n[\"\^]*(?:g[\"\^]*e[\"\^]*t|r[\"\^]*m|w[\"\^]*o[\"\^]*r[\"\^]*d)|l[\"\^]*r[\"\^]*m[\"\^]*d[\"\^]*r|o[\"\^]*r[\"\^]*k[\"\^]*f[\"\^]*o[\"\^]*l[\"\^]*d[\"\^]*e[\"\^]*r[\"\^]*s|s[\"\^]*(?:(?:c[\"\^]*r[\"\^]*i[\"\^]*p|r[\"\^]*e[\"\^]*s[\"\^]*e)[\"\^]*t|l)|t[\"\^]*[\s\v,\.-/;-<>].*|u[\"\^]*a[\"\^]*u[\"\^]*c[\"\^]*l[\"\^]*t)|x[\"\^]*w[\"\^]*i[\"\^]*z[\"\^]*a[\"\^]*r[\"\^]*d|z[\"\^]*i[\"\^]*p[\"\^]*f[\"\^]*l[\"\^]*d[\"\^]*r)(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" "id:932370, phase:2, block, capture, t:none, msg:'Remote Command Execution: Windows Command Injection', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-shell', tag:'platform-windows', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" 
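Review bot: The 932370 regex is now carried on one line of roughly ten kilobytes, while the comment kept above the rule still says it is regenerated with `crs-toolchain regex update 932370`; if the toolchain writes the rule back in its canonical multi-line layout (the diff does not let me confirm that), the next regeneration will either undo this change or produce a diff that is very hard to review. A single-line layout also means that an edit inside the regex is practically invisible in a diff, which matters for a rule that decides what gets blocked at paranoia level 1. Consider keeping the toolchain-generated rules (932370 here, 932175 in the earlier hunk, 932231 and 932220 below) in the layout the toolchain emits, or confirming its output format before merging. The rest of the new line is the same collapsed action list as in the other hunks and carries the same separator-style point raised at 932330.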
@@ -848,26 +540,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,skipAf # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932231 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*\.[\s\v].*\b" \ - "id:932231,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'Remote Command Execution: Unix Command Injection',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-shell',\ - tag:'platform-unix',\ - tag:'attack-rce',\ - tag:'paranoia-level/2',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/88',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*\.[\s\v].*\b" "id:932231, phase:2, block, capture, t:none, msg:'Remote Command Execution: Unix 
Command Injection', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-shell', tag:'platform-unix', tag:'attack-rce', tag:'paranoia-level/2', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # This is a stricter sibling of rule 932130. # 
@@ -876,26 +549,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 #
 # Unlike the sibling rule, this rule runs in phase 1.
 #
-SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?:\$(?:\((?:\(.*\)|.*)\)|\{.*})|[<>]\(.*\)|\[!?.+\])" \
- "id:932131,\
- phase:1,\
- block,\
- capture,\
- t:none,t:cmdLine,\
- msg:'Remote Command Execution: Unix Shell Expression Found',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-shell',\
- tag:'platform-unix',\
- tag:'attack-rce',\
- tag:'paranoia-level/2',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248/88',\
- tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?:\$(?:\((?:\(.*\)|.*)\)|\{.*})|[<>]\(.*\)|\[!?.+\])" "id:932131, phase:1, block, capture, t:none,t:cmdLine, msg:'Remote Command Execution: Unix Shell Expression Found', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-shell', tag:'platform-unix', tag:'attack-rce', tag:'paranoia-level/2', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 #
 # -=[ Rule 932200 ]=-
@@ -920,59 +574,16 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?:\$(?:\((?:\(. # # Regex notes: https://regex101.com/r/V6wrCO/1 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?:[*?`\x5c'][^/\n]+/|\$[({\[#@!?*\-_$a-zA-Z0-9]|/[^/]+?[*?`\x5c'])" \ - "id:932200,\ - phase:2,\ - block,\ - capture,\ - t:none,t:lowercase,t:urlDecodeUni,\ - msg:'RCE Bypass Technique',\ - logdata:'Matched Data: %{TX.0} found within %{TX.932200_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'paranoia-level/2',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/88',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.932200_matched_var_name=%{matched_var_name}',\ - chain" - SecRule MATCHED_VAR "@rx /" \ - "t:none,t:urlDecodeUni,\ - chain" - SecRule MATCHED_VAR "@rx \s" \ - "t:none,t:urlDecodeUni,\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?:[*?`\x5c'][^/\n]+/|\$[({\[#@!?*\-_$a-zA-Z0-9]|/[^/]+?[*?`\x5c'])" "id:932200, phase:2, block, capture, t:none,t:lowercase,t:urlDecodeUni, msg:'RCE Bypass Technique', logdata:'Matched Data: %{TX.0} found within %{TX.932200_MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/2', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.932200_matched_var_name=%{matched_var_name}', chain" + SecRule MATCHED_VAR "@rx /" "t:none,t:urlDecodeUni, chain" + SecRule MATCHED_VAR "@rx \s" "t:none,t:urlDecodeUni, 
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/932220.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932220 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i).\|(?:[\s\v]*|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ar])?|a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:b|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?t|r(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[jp])?|s(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ks])|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[8-9][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?9|[au][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|c|(?:m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v
]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[du]|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?g|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f)|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[bdx]|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|q[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|f[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[ci]|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[chr][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|o)|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[dp]|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b)|j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s|q)|k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d)?|[npsz]|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a)|m[\"
'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r|v)|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[cl]|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)|o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[at][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|[fs]|(?:k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?g|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[cp]|r(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y)?|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dv]|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dt]|[g-hu]|s(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)?|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v
]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[cr]|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ex]|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|c|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o)|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|z)|y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h))" \ - "id:932220,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'Remote Command Execution: Unix Command Injection with pipe',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-shell',\ - tag:'platform-unix',\ - tag:'attack-rce',\ - tag:'paranoia-level/2',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/88',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - 
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i).\|(?:[\s\v]*|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ar])?|a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:b|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?t|r(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[jp])?|s(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ks])|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[8-9][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?9|[au][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|c|(?:m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[du]|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?g|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f)|e[\"'\)\[-\x5c]*(?:(?:(?:\|
\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[bdx]|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|q[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|f[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[ci]|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[chr][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|o)|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[dp]|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b)|j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s|q)|k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d)?|[npsz]|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a)|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r|v)|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c
?(?:[cl]|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)|o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[at][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|[fs]|(?:k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?g|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[cp]|r(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y)?|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dv]|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dt]|[g-hu]|s(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)?|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[cr]|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ex]|i[\"'\)\[-\x5c]*(?:(?:(?:\|\
||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|c|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o)|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|z)|y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h))" "id:932220, phase:2, block, capture, t:none, msg:'Remote Command Execution: Unix Command Injection with pipe', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-shell', tag:'platform-unix', tag:'attack-rce', tag:'paranoia-level/2', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # -=[ Rule 932240 ]=- # 
@@ -1010,29 +621,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932240 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:/* "@rx (?i)[\-0-9_a-z]+(?:[\"'\[-\]]+|\$+[!#\*\-0-9\?-@\x5c_a-\{]+|``|[\$<>]\(\))[\s\v]*[\-0-9_a-z]+" \ - "id:932240,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'Remote Command Execution: Unix Command Injection evasion attempt detected',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-shell',\ - tag:'platform-unix',\ - tag:'attack-rce',\ - tag:'paranoia-level/2',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/88',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - chain" - SecRule MATCHED_VAR "!@rx [0-9]\s*\'\s*[0-9]" \ - "t:none,\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:/* "@rx (?i)[\-0-9_a-z]+(?:[\"'\[-\]]+|\$+[!#\*\-0-9\?-@\x5c_a-\{]+|``|[\$<>]\(\))[\s\v]*[\-0-9_a-z]+" "id:932240, phase:2, block, capture, t:none, msg:'Remote Command Execution: Unix Command Injection evasion attempt detected', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-shell', tag:'platform-unix', tag:'attack-rce', tag:'paranoia-level/2', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', chain" + SecRule MATCHED_VAR "!@rx [0-9]\s*\'\s*[0-9]" "t:none, setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" 
@@ -1052,25 +642,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML: # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932210 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ;[\s\v]*\.[\s\v]*[\"']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)" \ - "id:932210,\ - phase:2,\ - block,\ - t:none,t:escapeSeqDecode,t:compressWhitespace,\ - msg:'Remote Command Execution: SQLite System Command Execution',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-shell',\ - tag:'platform-unix',\ - tag:'attack-rce',\ - tag:'paranoia-level/2',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/88',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
;[\s\v]*\.[\s\v]*[\"']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)" "id:932210, phase:2, block, t:none,t:escapeSeqDecode,t:compressWhitespace, msg:'Remote Command Execution: SQLite System Command Execution', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-shell', tag:'platform-unix', tag:'attack-rce', tag:'paranoia-level/2', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # -=[ SMTP/IMAP/POP3 Command Execution ]=- # 
@@ -1094,24 +666,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932300 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n(?s:.)*?\b(?:(?i:E)(?:HLO [\--\.A-Za-z\x17f\x212a]{1,255}|XPN .{1,64})|HELO [\--\.A-Za-z\x17f\x212a]{1,255}|MAIL FROM:<.{1,64}(?i:@).{1,255}(?i:>)|(?i:R)(?:CPT TO:(?:(?i:<).{1,64}(?i:@).{1,255}(?i:>)|(?i: ))?(?i:<).{1,64}(?i:>)|SET\b)|VRFY .{1,64}(?: <.{1,64}(?i:@).{1,255}(?i:>)|(?i:@).{1,255})|AUTH [\-0-9A-Z_a-z\x17f\x212a]{1,20}(?i: )(?:(?:[\+/-9A-Z_a-z\x17f\x212a]{4})*(?:[\+/-9A-Z_a-z\x17f\x212a]{2}(?i:=)|[\+/-9A-Z_a-z\x17f\x212a]{3}))?(?i:=)|STARTTLS\b|NOOP\b(?:(?i: ).{1,255})?)" \ - "id:932300,\ - phase:2,\ - block,\ - t:none,t:escapeSeqDecode,\ - msg:'Remote Command Execution: SMTP Command Execution',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'paranoia-level/2',\ - tag:'OWASP_CRS',\ - tag:'capec/137/134',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n(?s:.)*?\b(?:(?i:E)(?:HLO [\--\.A-Za-z\x17f\x212a]{1,255}|XPN .{1,64})|HELO [\--\.A-Za-z\x17f\x212a]{1,255}|MAIL FROM:<.{1,64}(?i:@).{1,255}(?i:>)|(?i:R)(?:CPT TO:(?:(?i:<).{1,64}(?i:@).{1,255}(?i:>)|(?i: ))?(?i:<).{1,64}(?i:>)|SET\b)|VRFY .{1,64}(?: <.{1,64}(?i:@).{1,255}(?i:>)|(?i:@).{1,255})|AUTH [\-0-9A-Z_a-z\x17f\x212a]{1,20}(?i: )(?:(?:[\+/-9A-Z_a-z\x17f\x212a]{4})*(?:[\+/-9A-Z_a-z\x17f\x212a]{2}(?i:=)|[\+/-9A-Z_a-z\x17f\x212a]{3}))?(?i:=)|STARTTLS\b|NOOP\b(?:(?i: ).{1,255})?)" "id:932300, phase:2, block, 
t:none,t:escapeSeqDecode, msg:'Remote Command Execution: SMTP Command Execution', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/2', tag:'OWASP_CRS', tag:'capec/137/134', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # =[ IMAP Command Execution ]= # 
@@ -1126,24 +681,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932310 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\r\n[0-9A-Z_a-z]{1,50}\b (?:A(?:PPEND (?:[\"-#%-&\*\--9A-Z\x5c_a-z]+)?(?: \([ \x5ca-z]+\))?(?: \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [\+\-][0-9]{4}\"?)? \{[0-9]{1,20}\+?\}|UTHENTICATE [\-0-9_a-z]{1,20}\r\n)|L(?:SUB (?:[\"-#\*\.-9A-Z_a-z~]+)? (?:[\"%-&\*\.-9A-Z\x5c_a-z]+)?|ISTRIGHTS (?:[\"%-&\*\--9A-Z\x5c_a-z]+)?)|S(?:TATUS (?:[\"%-&\*\--9A-Z\x5c_a-z]+)? \((?:U(?:NSEEN|IDNEXT)|MESSAGES|UIDVALIDITY|RECENT| )+\)|ETACL (?:[\"%-&\*\--9A-Z\x5c_a-z]+)? [\+\-][ac-eik-lpr-tw-x]+?)|UID (?:COPY|FETCH|STORE) (?:[\*,0-:]+)?|(?:(?:DELETE|GET)ACL|MYRIGHTS) (?:[\"%-&\*\--9A-Z\x5c_a-z]+)?)" \ - "id:932310,\ - phase:2,\ - block,\ - t:none,t:escapeSeqDecode,\ - msg:'Remote Command Execution: IMAP Command Execution',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'paranoia-level/2',\ - tag:'OWASP_CRS',\ - tag:'capec/137/134',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\r\n[0-9A-Z_a-z]{1,50}\b (?:A(?:PPEND (?:[\"-#%-&\*\--9A-Z\x5c_a-z]+)?(?: \([ \x5ca-z]+\))?(?: \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [\+\-][0-9]{4}\"?)? \{[0-9]{1,20}\+?\}|UTHENTICATE [\-0-9_a-z]{1,20}\r\n)|L(?:SUB (?:[\"-#\*\.-9A-Z_a-z~]+)? (?:[\"%-&\*\.-9A-Z\x5c_a-z]+)?|ISTRIGHTS (?:[\"%-&\*\--9A-Z\x5c_a-z]+)?)|S(?:TATUS (?:[\"%-&\*\--9A-Z\x5c_a-z]+)? 
\((?:U(?:NSEEN|IDNEXT)|MESSAGES|UIDVALIDITY|RECENT| )+\)|ETACL (?:[\"%-&\*\--9A-Z\x5c_a-z]+)? [\+\-][ac-eik-lpr-tw-x]+?)|UID (?:COPY|FETCH|STORE) (?:[\*,0-:]+)?|(?:(?:DELETE|GET)ACL|MYRIGHTS) (?:[\"%-&\*\--9A-Z\x5c_a-z]+)?)" "id:932310, phase:2, block, t:none,t:escapeSeqDecode, msg:'Remote Command Execution: IMAP Command Execution', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/2', tag:'OWASP_CRS', tag:'capec/137/134', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # =[ POP3 Command Execution ]= # 
@@ -1160,24 +698,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932320 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\r\n.*?\b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [\-0-9A-Z_]{1,20} (?:(?:[\+/-9A-Z_a-z]{4})*(?:[\+/-9A-Z_a-z]{2}=|[\+/-9A-Z_a-z]{3}))?=))" \ - "id:932320,\ - phase:2,\ - block,\ - t:none,t:escapeSeqDecode,\ - msg:'Remote Command Execution: POP3 Command Execution',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'paranoia-level/2',\ - tag:'OWASP_CRS',\ - tag:'capec/137/134',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\r\n.*?\b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [\-0-9A-Z_]{1,20} (?:(?:[\+/-9A-Z_a-z]{4})*(?:[\+/-9A-Z_a-z]{2}=|[\+/-9A-Z_a-z]{3}))?=))" "id:932320, phase:2, block, t:none,t:escapeSeqDecode, msg:'Remote Command Execution: POP3 Command Execution', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/2', tag:'OWASP_CRS', tag:'capec/137/134', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # [ Unix command injection ] 
@@ -1214,26 +735,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932236 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)(?:(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*|(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*)[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z[ar]?|a(?:(?:b|w[ks])[\s\v&\)<>\|]|pt(?:-get)?|r(?:[\s\v&\)<>jp\|]|ch[\s\v<>]|ia2c)|s(?:[\s\v&\)<>h\|]|cii(?:-xfr|85)|pell)|t(?:[\s\v&\)<>\|]|obm)|dduser|getty|l(?:ias|pine)[\s\v<>]|nsible-playbook)|b(?:z(?:z[\s\v&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2|less|more)|a(?:s(?:e(?:32|64|nc)|h)|tch[\s\v<>])|pftrace|r(?:eaksw|idge[\s\v<>])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v<>]|zip2)|s(?:ctl|ybox))|yebug)|c(?:[8-9]9|a(?:t[\s\v&\)<>\|]|(?:ncel|psh)[\s\v<>])|c[\s\v&\)<>\|]|mp|p(?:[\s\v&\)<>\|]|an|io|ulimit)|s(?:h|plit|vtool)|u(?:t[\s\v&\)<>\|]|psfilter|rl)|ertbot|h(?:attr|dir[\s\v<>]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|flags|mod|o(?:om|wn)|root)|o(?:(?:b|pro)c|lumn[\s\v<>]|m(?:m(?:and[\s\v<>])?|p(?:oser|ress[\s\v<>]))|w(?:say|think))|r(?:ash[\s\v<>]|ontab))|d(?:[du][\s\v&\)<>\|]|i(?:g|(?:alog|f
f)[\s\v<>])|nf|a(?:sh|te)[\s\v<>]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v<>]|sbox)|pkg|vips)|e(?:[bd][\s\v&\)<>\|]|n(?:v(?:[\s\v&\)<>\|]|-update)|d(?:if|sw))|qn|x(?:[\s\v&\)<>\|]|ec[\s\v<>]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v<>]|r))|(?:asy_instal|va)l|cho[\s\v<>]|fax|grep|macs|sac)|f(?:c[\s\v&\)<>\|]|i(?:[\s\v&\)<>\|]|le(?:[\s\v<>]|test)|(?:n(?:d|ger)|sh)[\s\v<>])|mt|tp(?:[\s\v&\)<>\|]|stats|who)|acter|(?:etch|lock)[\s\v<>]|grep|o(?:ld[\s\v<>]|reach)|ping|unction)|g(?:c(?:c[^\s\v]|ore)|db|e(?:m[\s\v&\)<>\|]|ni(?:e[\s\v<>]|soimage)|tfacl[\s\v<>])|hci?|i(?:t[\s\v&\)<>\|]|mp[\s\v<>]|nsh)|o[\s\v&\)<>\|]|r(?:c|ep[\s\v<>])|awk|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up)[\s\v&\)<>\|]|e(?:ad[\s\v<>]|xdump)|i(?:ghlight|story)[\s\v<>]|ost(?:id|name)|ping3|t(?:digest|passwd))|i(?:d[\s\v&\)<>\|]|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\v<>]|onice|spell)|j(?:js|q|ava[\s\v<>]|exec|o(?:(?:bs|in)[\s\v<>]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\v<>]|all)|nife[\s\v<>])|l(?:d(?:d?[\s\v&\)<>\|]|config)|[np][\s\v&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\v&\)<>\|]|(?:la)?tex)|z(?:[\s\v&\)<>\|]|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a|ore))|a(?:st(?:[\s\v<>]|comm|log(?:in)?)|tex[\s\v<>])|ess(?:[\s\v<>]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[\s\v<>]|o(?:(?:ca(?:l|te)|ok)[\s\v<>]|g(?:inctl|(?:nam|sav)e))|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:n[\s\v&\)<>\|]|il(?:q|x[\s\v<>])?|ke[\s\v<>]|wk)|tr|v[\s\v&\)<>\|]|(?:kdir|utt)[\s\v<>]|locate|o(?:(?:re|unt)[\s\v<>]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\v&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\v&\)<>\|]|(?:c|st)at|kit-ftp)|ofetch)|l[\s\v&\)<>\|]|m(?:[\s\v&\)<>\|]|ap)|p(?:m[\s\v&\)<>\|]|ing)|a(?:no[\s\v<>]|sm|wk)|ice[\s\v<>]|o(?:de[\s\v<>]|hup)|roff|s(?:enter|lookup|tat))|o(?:d[\s\v&\)<>\|]|ctave[\s\v<>]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:x[\s\v&\)<>\|]|s(?:swd|te[\s\v<>])|tch[\s\v<>])|d(?:b|f(
?:la)?tex)|f(?:[\s\v&\)<>\|]|tp)|g(?:rep)?|hp[\s\v&\)<>\|]|i(?:c(?:o[\s\v<>])?|p[^\s\v]|dstat|gz|ng[\s\v<>])|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\v&\)<>\|]|int(?:env|f[\s\v<>]))|s(?:ftp|ql)?|t(?:x|ar(?:diff|grep)?)|xz|er(?:f|l(?:5|sh)?|ms)|opd|ython[^\s\v]|u(?:ppet[\s\v<>]|shd))|r(?:a(?:r[\s\v&\)<>\|]|k(?:e[\s\v<>]|u))|cp[\s\v&\)<>\|]|e(?:d(?:[\s\v&\)<>\|]|carpet[\s\v<>])|v|a(?:delf|lpath)|(?:name|p(?:eat|lace))[\s\v<>]|stic)|m(?:[\s\v&\)<>\|]|dir[\s\v<>]|user)|pm(?:[\s\v&\)<>\|]|db|(?:quer|verif)y)|l(?:ogin|wrap)|nano|oute[\s\v<>]|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\v<>])|e(?:d[\s\v&\)<>\|]|t(?:[\s\v&\)<>\|]|arch|env|facl[\s\v<>]|sid)|ndmail|rvice[\s\v<>])|g|h(?:[\s\v&\)<>\|]|\.distrib|ell|u(?:f|tdown[\s\v<>]))|s(?:[\s\v&\)<>\|]|h(?:[\s\v&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\v&\)<>\|]|do)|vn|(?:ash|nap|plit)[\s\v<>]|diff|ftp|l(?:eep[\s\v<>]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v<>])|qlite3|t(?:art-stop-daemon|dbuf|r(?:ace|ings))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\v&\)<>\|]|il[\s\v<>f]|sk(?:set)?)|bl|e(?:e|x[\s\v&\)<>\|]|lnet)|i(?:c[\s\v&\)<>\|]|me(?:(?:out)?[\s\v<>]|datectl))|o(?:p|uch[\s\v<>])|c(?:l?sh|p(?:dump|ing|traceroute))|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:l(?:[\s\v&\)<>\|]|imit[\s\v<>])|n(?:ame|compress|expand|iq|l(?:ink[\s\v<>]|z(?:4|ma))|(?:pig|x)z|rar|s(?:et|hare)[\s\v<>]|z(?:ip|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:[\s\v&\)<>\|]|m(?:[\s\v&\)<>\|]|diff)|ew[\s\v<>]|gr|pw|rsh)|algrind|olatility)|w(?:3m|c|h(?:o(?:ami|is)?|iptail)|a(?:ll|tch)[\s\v<>]|get|i(?:reshark|sh[\s\v<>]))|x(?:(?:x|pa)d|z(?:[\s\v&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:um|arn|elp[\s\v<>])|z(?:ip(?:details)?|s(?:h|oelim|td)|athura|c(?:at|mp)|diff|[e-f]?grep|less|more|run|ypper))" \ - "id:932236,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'Remote Command Execution: Unix Command Injection (command without evasion)',\ - 
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-shell',\ - tag:'platform-unix',\ - tag:'attack-rce',\ - tag:'paranoia-level/2',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/88',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)(?:(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*|(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*)[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z[ar]?|a(?:(?:b|w[ks])[\s\v&\)<>\|]|pt(?:-get)?|r(?:[\s\v&\)<>jp\|]|ch[\s\v<>]|ia2c)|s(?:[\s\v&\)<>h\|]|cii(?:-xfr|85)|pell)|t(?:[\s\v&\)<>\|]|obm)|dduser|getty|l(?:ias|pine)[\s\v<>]|nsible-playbook)|b(?:z(?:z[\s\v&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2|less|more)|a(?:s(?:e(?:32|64|nc)|h)|tch[\s\v<>])|pftrace|r(?:eaksw|idge[\s\v<>])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v<>]|zip2)|s(?:ctl|ybox))|yebug)|c(?:[8-9]9|a(?:t[\s\v&\)<>\|]|(?:ncel|psh)[\s\v<>])|c[\s\v&\)<>\|]|mp|p(?:[\s\v&\)<>\|]|an|io|ulimit)|s(?:h|plit|vtool)|u(?:t[\s\v&\)<>\|]|psfilter|rl)|ertbot|h(?:attr|dir[\s\v<>]
|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|flags|mod|o(?:om|wn)|root)|o(?:(?:b|pro)c|lumn[\s\v<>]|m(?:m(?:and[\s\v<>])?|p(?:oser|ress[\s\v<>]))|w(?:say|think))|r(?:ash[\s\v<>]|ontab))|d(?:[du][\s\v&\)<>\|]|i(?:g|(?:alog|ff)[\s\v<>])|nf|a(?:sh|te)[\s\v<>]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v<>]|sbox)|pkg|vips)|e(?:[bd][\s\v&\)<>\|]|n(?:v(?:[\s\v&\)<>\|]|-update)|d(?:if|sw))|qn|x(?:[\s\v&\)<>\|]|ec[\s\v<>]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v<>]|r))|(?:asy_instal|va)l|cho[\s\v<>]|fax|grep|macs|sac)|f(?:c[\s\v&\)<>\|]|i(?:[\s\v&\)<>\|]|le(?:[\s\v<>]|test)|(?:n(?:d|ger)|sh)[\s\v<>])|mt|tp(?:[\s\v&\)<>\|]|stats|who)|acter|(?:etch|lock)[\s\v<>]|grep|o(?:ld[\s\v<>]|reach)|ping|unction)|g(?:c(?:c[^\s\v]|ore)|db|e(?:m[\s\v&\)<>\|]|ni(?:e[\s\v<>]|soimage)|tfacl[\s\v<>])|hci?|i(?:t[\s\v&\)<>\|]|mp[\s\v<>]|nsh)|o[\s\v&\)<>\|]|r(?:c|ep[\s\v<>])|awk|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up)[\s\v&\)<>\|]|e(?:ad[\s\v<>]|xdump)|i(?:ghlight|story)[\s\v<>]|ost(?:id|name)|ping3|t(?:digest|passwd))|i(?:d[\s\v&\)<>\|]|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\v<>]|onice|spell)|j(?:js|q|ava[\s\v<>]|exec|o(?:(?:bs|in)[\s\v<>]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\v<>]|all)|nife[\s\v<>])|l(?:d(?:d?[\s\v&\)<>\|]|config)|[np][\s\v&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\v&\)<>\|]|(?:la)?tex)|z(?:[\s\v&\)<>\|]|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a|ore))|a(?:st(?:[\s\v<>]|comm|log(?:in)?)|tex[\s\v<>])|ess(?:[\s\v<>]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[\s\v<>]|o(?:(?:ca(?:l|te)|ok)[\s\v<>]|g(?:inctl|(?:nam|sav)e))|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:n[\s\v&\)<>\|]|il(?:q|x[\s\v<>])?|ke[\s\v<>]|wk)|tr|v[\s\v&\)<>\|]|(?:kdir|utt)[\s\v<>]|locate|o(?:(?:re|unt)[\s\v<>]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\v&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\v&\)<>\|]|(?:c|st)at|kit-ftp)|ofetch)|l[\s\v&\)<>\|]|m(?:[\s\v&\)<>\|]|ap)|
p(?:m[\s\v&\)<>\|]|ing)|a(?:no[\s\v<>]|sm|wk)|ice[\s\v<>]|o(?:de[\s\v<>]|hup)|roff|s(?:enter|lookup|tat))|o(?:d[\s\v&\)<>\|]|ctave[\s\v<>]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:x[\s\v&\)<>\|]|s(?:swd|te[\s\v<>])|tch[\s\v<>])|d(?:b|f(?:la)?tex)|f(?:[\s\v&\)<>\|]|tp)|g(?:rep)?|hp[\s\v&\)<>\|]|i(?:c(?:o[\s\v<>])?|p[^\s\v]|dstat|gz|ng[\s\v<>])|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\v&\)<>\|]|int(?:env|f[\s\v<>]))|s(?:ftp|ql)?|t(?:x|ar(?:diff|grep)?)|xz|er(?:f|l(?:5|sh)?|ms)|opd|ython[^\s\v]|u(?:ppet[\s\v<>]|shd))|r(?:a(?:r[\s\v&\)<>\|]|k(?:e[\s\v<>]|u))|cp[\s\v&\)<>\|]|e(?:d(?:[\s\v&\)<>\|]|carpet[\s\v<>])|v|a(?:delf|lpath)|(?:name|p(?:eat|lace))[\s\v<>]|stic)|m(?:[\s\v&\)<>\|]|dir[\s\v<>]|user)|pm(?:[\s\v&\)<>\|]|db|(?:quer|verif)y)|l(?:ogin|wrap)|nano|oute[\s\v<>]|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\v<>])|e(?:d[\s\v&\)<>\|]|t(?:[\s\v&\)<>\|]|arch|env|facl[\s\v<>]|sid)|ndmail|rvice[\s\v<>])|g|h(?:[\s\v&\)<>\|]|\.distrib|ell|u(?:f|tdown[\s\v<>]))|s(?:[\s\v&\)<>\|]|h(?:[\s\v&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\v&\)<>\|]|do)|vn|(?:ash|nap|plit)[\s\v<>]|diff|ftp|l(?:eep[\s\v<>]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v<>])|qlite3|t(?:art-stop-daemon|dbuf|r(?:ace|ings))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\v&\)<>\|]|il[\s\v<>f]|sk(?:set)?)|bl|e(?:e|x[\s\v&\)<>\|]|lnet)|i(?:c[\s\v&\)<>\|]|me(?:(?:out)?[\s\v<>]|datectl))|o(?:p|uch[\s\v<>])|c(?:l?sh|p(?:dump|ing|traceroute))|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:l(?:[\s\v&\)<>\|]|imit[\s\v<>])|n(?:ame|compress|expand|iq|l(?:ink[\s\v<>]|z(?:4|ma))|(?:pig|x)z|rar|s(?:et|hare)[\s\v<>]|z(?:ip|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:[\s\v&\)<>\|]|m(?:[\s\v&\)<>\|]|diff)|ew[\s\v<>]|gr|pw|rsh)|algrind|olatility)|w(?:3m|c|h(?:o(?:ami|is)?|iptail)|a(?:ll|tch)[\s\v<>]|get|i(?:reshark|sh[\s\v<>]))|x(?:(?:x|pa)d|z(?:[\s\v&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:um|arn|elp[\s\v<>])|z(?:ip(?:de
tails)?|s(?:h|oelim|td)|athura|c(?:at|mp)|diff|[e-f]?grep|less|more|run|ypper))" "id:932236, phase:2, block, capture, t:none, msg:'Remote Command Execution: Unix Command Injection (command without evasion)', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-shell', tag:'platform-unix', tag:'attack-rce', tag:'paranoia-level/2', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # [ Unix shell snippets ] # 
@@ -1248,26 +750,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # .932160 (base rule, PL1, unix shell commands with full path)
 # ..932161 (stricter sibling, PL2, unix shell commands with full path in User-Agent and Referer request headers)
 #
-SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@pmFromFile unix-shell.data" \
- "id:932161,\
- phase:2,\
- block,\
- capture,\
- t:none,t:cmdLine,t:normalizePath,\
- msg:'Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-shell',\
- tag:'platform-unix',\
- tag:'attack-rce',\
- tag:'paranoia-level/2',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248/88',\
- tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@pmFromFile unix-shell.data" "id:932161, phase:2, block, capture, t:none,t:cmdLine,t:normalizePath, msg:'Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-shell', tag:'platform-unix', tag:'attack-rce', tag:'paranoia-level/2', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932015,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
@@ -1308,26 +791,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,skipAf # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932232 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i|(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?2[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|p[\"'\)\[-\x5c]*(
?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:s|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o|[\s\v&\),<>\|].*))\b" \ - "id:932232,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'Remote Command Execution: Unix Command Injection',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-shell',\ - tag:'platform-unix',\ - tag:'attack-rce',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/88',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i|(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?2[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:s|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\
v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o|[\s\v&\),<>\|].*))\b" "id:932232, phase:2, block, capture, t:none, msg:'Remote Command Execution: Unix Command Injection', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-shell', tag:'platform-unix', tag:'attack-rce', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', tag:'paranoia-level/3', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" # [ Unix command injection ] # 
@@ -1358,26 +822,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932237 # -SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z[ar]?|a(?:b|pt(?:-get)?|r(?:[jp]|ch[\s\v<>]|ia2c)?|s(?:h|cii(?:-xfr|85)|pell)?|t(?:obm)?|w[ks]|dduser|getty|l(?:ias|pine)[\s\v<>]|nsible-playbook)|b(?:z(?:z|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2|less|more)|a(?:s(?:e(?:32|64|nc)|h)|tch[\s\v<>])|pftrace|r(?:eaksw|idge[\s\v<>])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v<>]|zip2)|s(?:ctl|ybox))|yebug)|c(?:[8-9]9|a(?:t|(?:ncel|psh)[\s\v<>])|c|mp|p(?:an|io|ulimit)?|s(?:h|plit|vtool)|u(?:t|psfilter|rl)|ertbot|h(?:attr|dir[\s\v<>]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|flags|mod|o(?:om|wn)|root)|o(?:(?:b|pro)c|lumn[\s\v<>]|m(?:m(?:and[\s\v<>])?|p(?:oser|ress[\s\v<>]))|w(?:say|think))|r(?:ash[\s\v<>]|ontab))|d(?:[du]|i(?:g|(?:alog|ff)[\s\v<>])|nf|a(?:sh|te)[\s\v<>]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v<>]|sbox)|pkg|vips)|e(?:[bd]|n(?:v(?:-update)?|d(?:if|sw))|qn|x(?:ec[\s\v<>]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v<>]|r))?|(?:asy_instal|va)l|cho[\s\v<>]|fax|grep|macs|sac)|f(?:c|i(?:le(?:[\s\v<>]|test)|(?:n(?:d|ger)|sh)[\s\v<>])?|mt|tp(?:stats|who)?|acter|(?:etch|lock)[\s\v<>]|grep|o(?:ld[\s\v<>]|reach)|ping|unction)|g(?:c(?:c|ore)|db|e(?:m|ni(?:e[\s\v<>]|soimage)|tfacl[\s\v<>])|hci?|i(?:t|mp[\s\v<>]|nsh)|o|r(?:c|ep[\s\v<>])|awk|tester|unzip|z(?:cat|exe|ip))|h(?:d|up|e(?:ad[\s\v<>]|xdump)|i(?:ghlight|story)[\s\v<>]|ost(?:id|name)|ping3|t(?:digest|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\v<>]|onice|spell)|j(?:js|q|ava[\s\v<>]|exec|o(?:(?:bs|in)[\s\v<>]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\v<>]|all)|nife[\s\v<>])|l(?:d(?:d|config)?|[np]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:(?:la)?tex)?|z(?:c(?:at|mp)|diff|[e-f]?grep|less|m(?:a|ore))?|a(?:st(?:[\s\v<>]|
comm|log(?:in)?)|tex[\s\v<>])|ess(?:[\s\v<>]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[\s\v<>]|o(?:(?:ca(?:l|te)|ok)[\s\v<>]|g(?:inctl|(?:nam|sav)e))|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:n|il(?:q|x[\s\v<>])?|ke[\s\v<>]|wk)|tr|v|(?:kdir|utt)[\s\v<>]|locate|o(?:(?:re|unt)[\s\v<>]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:\.(?:openbsd|traditional)|at)?|e(?:t(?:(?:c|st)at|kit-ftp)?|ofetch)|l|m(?:ap)?|p(?:m|ing)|a(?:no[\s\v<>]|sm|wk)|ice[\s\v<>]|o(?:de[\s\v<>]|hup)|roff|s(?:enter|lookup|tat))|o(?:d|ctave[\s\v<>]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:x|s(?:swd|te[\s\v<>])|tch[\s\v<>])|d(?:b|f(?:la)?tex)|f(?:tp)?|g(?:rep)?|hp|i(?:c(?:o[\s\v<>])?|p|dstat|gz|ng[\s\v<>])|k(?:g(?:_?info)?|exec|ill)|r(?:y|int(?:env|f[\s\v<>]))?|s(?:ftp|ql)?|t(?:x|ar(?:diff|grep)?)|xz|er(?:f|l(?:5|sh)?|ms)|opd|ython[^\s\v]|u(?:ppet[\s\v<>]|shd))|r(?:a(?:r|k(?:e[\s\v<>]|u))|cp|e(?:d(?:carpet[\s\v<>])?|v|a(?:delf|lpath)|(?:name|p(?:eat|lace))[\s\v<>]|stic)|m(?:dir[\s\v<>]|user)?|pm(?:db|(?:quer|verif)y)?|l(?:ogin|wrap)|nano|oute[\s\v<>]|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\v<>])|e(?:d|t(?:arch|env|facl[\s\v<>]|sid)?|ndmail|rvice[\s\v<>])|g|h(?:\.distrib|ell|u(?:f|tdown[\s\v<>]))?|s(?:h(?:-key(?:ge|sca)n|pass)?)?|u(?:do)?|vn|(?:ash|nap|plit)[\s\v<>]|diff|ftp|l(?:eep[\s\v<>]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v<>])|qlite3|t(?:art-stop-daemon|dbuf|r(?:ace|ings))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:[cr]|il[\s\v<>f]|sk(?:set)?)|bl|e(?:[ex]|lnet)|i(?:c|me(?:(?:out)?[\s\v<>]|datectl))|o(?:p|uch[\s\v<>])|c(?:l?sh|p(?:dump|ing|traceroute))|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:l(?:imit[\s\v<>])?|n(?:ame|compress|expand|iq|l(?:ink[\s\v<>]|z(?:4|ma))|(?:pig|x)z|rar|s(?:et|hare)[\s\v<>]|z(?:ip|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:diff)?|ew[\s\v<>]|gr|pw|rsh)?|algrind|olatility)|w(?:3m|c|h(?:o(?:ami|is)?|iptail)|a(?:ll|tch)[\s\v<>]|ge
t|i(?:reshark|sh[\s\v<>]))|x(?:(?:x|pa)d|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)?|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:um|arn|elp[\s\v<>])|z(?:ip(?:details)?|s(?:h|oelim|td)|athura|c(?:at|mp)|diff|[e-f]?grep|less|more|run|ypper))\b" \ - "id:932237,\ - phase:2,\ - block,\ - capture,\ - t:none,t:cmdLine,t:normalizePath,\ - msg:'Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-shell',\ - tag:'platform-unix',\ - tag:'attack-rce',\ - tag:'paranoia-level/3',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/88',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z[ar]?|a(?:b|pt(?:-get)?|r(?:[jp]|ch[\s\v<>]|ia2c)?|s(?:h|cii(?:-xfr|85)|pell)?|t(?:obm)?|w[ks]|dduser|getty|l(?:ias|pine)[\s\v<>]|nsible-playbook)|b(?:z(?:z|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2|less|more)|a(?:s(?:e(?:32|64|nc)|h)|tch[\s\v<>])|pftrace|r(?:eaksw|idge[\s\v<>])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v<>]|zip2)|s(?:ctl|ybox))|yebug)|c(?:[8-9]9|a(?:t|(?:ncel|psh)[\s\v<>])|c|mp|p(?:an|io|ulimit)?|s(?:h|plit|vtool)|u(?:t|psfilter|rl)|ertbot|h(?:attr|dir[\s\v<>]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|flags|mod|o(?:om|wn)|root)|o(?:(?:b|pro)c|lumn[\s\v<>]|m(?:m(?:and[\s\v<>])?|p(?:oser|ress[\s\v<>]))|w(?:say|think))|r(?:ash[\s\v<>]|ontab))|d(?:[du]|i(?:g|(?:alog|ff)[\s\v<>])|nf|a(?:sh|te)[\s\v<>]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v<>]|sbox)|pkg|vips)|e(?:[bd]|n(?:v(?:-update)?|d(?:if|sw))|qn|x(?:ec[\s\v<>]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v<>]|r))?|(?:asy_instal|va)l|cho[\s\v<>]|fax|grep|macs|sac)|f(?:c|i(?:le(?:[\s\v<>]|test)|(?:n(?:d|ger)|sh)[\s\v<>])?|mt|tp(?:stats|who)?|acter|(?:et
ch|lock)[\s\v<>]|grep|o(?:ld[\s\v<>]|reach)|ping|unction)|g(?:c(?:c|ore)|db|e(?:m|ni(?:e[\s\v<>]|soimage)|tfacl[\s\v<>])|hci?|i(?:t|mp[\s\v<>]|nsh)|o|r(?:c|ep[\s\v<>])|awk|tester|unzip|z(?:cat|exe|ip))|h(?:d|up|e(?:ad[\s\v<>]|xdump)|i(?:ghlight|story)[\s\v<>]|ost(?:id|name)|ping3|t(?:digest|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\v<>]|onice|spell)|j(?:js|q|ava[\s\v<>]|exec|o(?:(?:bs|in)[\s\v<>]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\v<>]|all)|nife[\s\v<>])|l(?:d(?:d|config)?|[np]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:(?:la)?tex)?|z(?:c(?:at|mp)|diff|[e-f]?grep|less|m(?:a|ore))?|a(?:st(?:[\s\v<>]|comm|log(?:in)?)|tex[\s\v<>])|ess(?:[\s\v<>]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[\s\v<>]|o(?:(?:ca(?:l|te)|ok)[\s\v<>]|g(?:inctl|(?:nam|sav)e))|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:n|il(?:q|x[\s\v<>])?|ke[\s\v<>]|wk)|tr|v|(?:kdir|utt)[\s\v<>]|locate|o(?:(?:re|unt)[\s\v<>]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:\.(?:openbsd|traditional)|at)?|e(?:t(?:(?:c|st)at|kit-ftp)?|ofetch)|l|m(?:ap)?|p(?:m|ing)|a(?:no[\s\v<>]|sm|wk)|ice[\s\v<>]|o(?:de[\s\v<>]|hup)|roff|s(?:enter|lookup|tat))|o(?:d|ctave[\s\v<>]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:x|s(?:swd|te[\s\v<>])|tch[\s\v<>])|d(?:b|f(?:la)?tex)|f(?:tp)?|g(?:rep)?|hp|i(?:c(?:o[\s\v<>])?|p|dstat|gz|ng[\s\v<>])|k(?:g(?:_?info)?|exec|ill)|r(?:y|int(?:env|f[\s\v<>]))?|s(?:ftp|ql)?|t(?:x|ar(?:diff|grep)?)|xz|er(?:f|l(?:5|sh)?|ms)|opd|ython[^\s\v]|u(?:ppet[\s\v<>]|shd))|r(?:a(?:r|k(?:e[\s\v<>]|u))|cp|e(?:d(?:carpet[\s\v<>])?|v|a(?:delf|lpath)|(?:name|p(?:eat|lace))[\s\v<>]|stic)|m(?:dir[\s\v<>]|user)?|pm(?:db|(?:quer|verif)y)?|l(?:ogin|wrap)|nano|oute[\s\v<>]|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\v<>])|e(?:d|t(?:arch|env|facl[\s\v<>]|sid)?|ndmail|rvice[\s\v<>])|g|h(?:\.distrib|ell|u(?:f|tdown[\s\v<>]))?|s(?:h(?:-key(?:ge|sca)n|pass)?)?|u(?:do)?|vn|(?:ash|
nap|plit)[\s\v<>]|diff|ftp|l(?:eep[\s\v<>]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v<>])|qlite3|t(?:art-stop-daemon|dbuf|r(?:ace|ings))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:[cr]|il[\s\v<>f]|sk(?:set)?)|bl|e(?:[ex]|lnet)|i(?:c|me(?:(?:out)?[\s\v<>]|datectl))|o(?:p|uch[\s\v<>])|c(?:l?sh|p(?:dump|ing|traceroute))|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:l(?:imit[\s\v<>])?|n(?:ame|compress|expand|iq|l(?:ink[\s\v<>]|z(?:4|ma))|(?:pig|x)z|rar|s(?:et|hare)[\s\v<>]|z(?:ip|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:diff)?|ew[\s\v<>]|gr|pw|rsh)?|algrind|olatility)|w(?:3m|c|h(?:o(?:ami|is)?|iptail)|a(?:ll|tch)[\s\v<>]|get|i(?:reshark|sh[\s\v<>]))|x(?:(?:x|pa)d|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)?|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:um|arn|elp[\s\v<>])|z(?:ip(?:details)?|s(?:h|oelim|td)|athura|c(?:at|mp)|diff|[e-f]?grep|less|more|run|ypper))\b" "id:932237, phase:2, block, capture, t:none,t:cmdLine,t:normalizePath, msg:'Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-shell', tag:'platform-unix', tag:'attack-rce', tag:'paranoia-level/3', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" # 
@@ -1394,26 +839,7 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z[ar]?
 # - https://medium.com/secjuice/waf-evasion-techniques-718026d693d8
 # - https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0
-SecRule ARGS "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" \
- "id:932190,\
- phase:2,\
- block,\
- capture,\
- t:none,t:urlDecode,t:urlDecodeUni,t:normalizePath,t:cmdLine,\
- msg:'Remote Command Execution: Wildcard bypass technique attempt',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-shell',\
- tag:'platform-unix',\
- tag:'attack-rce',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248/88',\
- tag:'PCI/6.5.2',\
- tag:'paranoia-level/3',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+SecRule ARGS "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" "id:932190, phase:2, block, capture, t:none,t:urlDecode,t:urlDecodeUni,t:normalizePath,t:cmdLine, msg:'Remote Command Execution: Wildcard bypass technique attempt', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-shell', tag:'platform-unix', tag:'attack-rce', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', tag:'paranoia-level/3', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 # -=[ SMTP commands ]=-
@@ -1430,24 +856,7 @@ SecRule ARGS "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" \
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 # crs-toolchain regex update 932301
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n(?s:.)*?\b(?:DATA|QUIT|HELP(?: .{1,255})?)" \
- "id:932301,\
- phase:2,\
- block,\
- t:none,t:escapeSeqDecode,\
- msg:'Remote Command Execution: SMTP Command Execution',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'paranoia-level/3',\
- tag:'OWASP_CRS',\
- tag:'capec/137/134',\
- tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n(?s:.)*?\b(?:DATA|QUIT|HELP(?: .{1,255})?)" "id:932301, phase:2, block, t:none,t:escapeSeqDecode, msg:'Remote Command Execution: SMTP Command Execution', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/3', tag:'OWASP_CRS', tag:'capec/137/134', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 # =[ IMAP4 Command Execution ]=
 #
@@ -1463,24 +872,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932311 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\r\n[0-9A-Z_a-z]{1,50}\b (?:C(?:(?:REATE|OPY [\*,0-:]+) [\"-#%-&\*\--9A-Z\x5c_a-z]+|APABILITY|HECK|LOSE)|DELETE [\"-#%-&\*\--\.0-9A-Z\x5c_a-z]+|EX(?:AMINE [\"-#%-&\*\--\.0-9A-Z\x5c_a-z]+|PUNGE)|FETCH [\*,0-:]+|L(?:IST [\"-#\*\--9A-Z\x5c_a-z~]+? [\"-#%-&\*\--9A-Z\x5c_a-z]+|OG(?:IN [\--\.0-9@_a-z]{1,40} .*?|OUT))|RENAME [\"-#%-&\*\--9A-Z\x5c_a-z]+? [\"-#%-&\*\--9A-Z\x5c_a-z]+|S(?:E(?:LECT [\"-#%-&\*\--9A-Z\x5c_a-z]+|ARCH(?: CHARSET [\--\.0-9A-Z_a-z]{1,40})? (?:(KEYWORD \x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[\*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}\"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [\*,0-:]+?|NKEYWORD \x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [\*,0-:]+? [\+\-]?FLAGS(?:\.SILENT)? 
(?:\(\x5c[a-z]{1,20}\))?|ARTTLS)|UBSCRIBE [\"-#%-&\*\--9A-Z\x5c_a-z]+)|UN(?:SUBSCRIBE [\"-#%-&\*\--9A-Z\x5c_a-z]+|AUTHENTICATE)|NOOP)" \ - "id:932311,\ - phase:2,\ - block,\ - t:none,t:escapeSeqDecode,\ - msg:'Remote Command Execution: IMAP Command Execution',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'paranoia-level/3',\ - tag:'OWASP_CRS',\ - tag:'capec/137/134',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\r\n[0-9A-Z_a-z]{1,50}\b (?:C(?:(?:REATE|OPY [\*,0-:]+) [\"-#%-&\*\--9A-Z\x5c_a-z]+|APABILITY|HECK|LOSE)|DELETE [\"-#%-&\*\--\.0-9A-Z\x5c_a-z]+|EX(?:AMINE [\"-#%-&\*\--\.0-9A-Z\x5c_a-z]+|PUNGE)|FETCH [\*,0-:]+|L(?:IST [\"-#\*\--9A-Z\x5c_a-z~]+? [\"-#%-&\*\--9A-Z\x5c_a-z]+|OG(?:IN [\--\.0-9@_a-z]{1,40} .*?|OUT))|RENAME [\"-#%-&\*\--9A-Z\x5c_a-z]+? [\"-#%-&\*\--9A-Z\x5c_a-z]+|S(?:E(?:LECT [\"-#%-&\*\--9A-Z\x5c_a-z]+|ARCH(?: CHARSET [\--\.0-9A-Z_a-z]{1,40})? (?:(KEYWORD \x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[\*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}\"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [\*,0-:]+?|NKEYWORD \x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [\*,0-:]+? [\+\-]?FLAGS(?:\.SILENT)? 
(?:\(\x5c[a-z]{1,20}\))?|ARTTLS)|UBSCRIBE [\"-#%-&\*\--9A-Z\x5c_a-z]+)|UN(?:SUBSCRIBE [\"-#%-&\*\--9A-Z\x5c_a-z]+|AUTHENTICATE)|NOOP)" "id:932311, phase:2, block, t:none,t:escapeSeqDecode, msg:'Remote Command Execution: IMAP Command Execution', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/3', tag:'OWASP_CRS', tag:'capec/137/134', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" # =[ POP3 Command Execution ]= # 
@@ -1496,24 +888,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932321 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n(?s:.)*?\b(?:(?:QUI|STA|RSE)(?i:T)|NOOP|CAPA)" \ - "id:932321,\ - phase:2,\ - block,\ - t:none,t:escapeSeqDecode,\ - msg:'Remote Command Execution: POP3 Command Execution',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'paranoia-level/3',\ - tag:'OWASP_CRS',\ - tag:'capec/137/134',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n(?s:.)*?\b(?:(?:QUI|STA|RSE)(?i:T)|NOOP|CAPA)" "id:932321, phase:2, block, t:none,t:escapeSeqDecode, msg:'Remote Command Execution: POP3 Command Execution', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/3', tag:'OWASP_CRS', tag:'capec/137/134', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" # =[ Unix shell history invocation ]= 
@@ -1528,25 +903,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # The last request will invoke /usr/bin/cc, which is otherwise blocked by 932150. # # Neither !1 nor !! is necessarily valid speech, but blocking either of them is much more likely to cause false-positives than 932330. -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx !(?:\d|!)" \ - "id:932331,\ - phase:2,\ - block,\ - t:none,\ - msg:'Remote Command Execution: Unix shell history invocation',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-shell',\ - tag:'platform-unix',\ - tag:'attack-rce',\ - tag:'paranoia-level/3',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/88',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx !(?:\d|!)" "id:932331, phase:2, block, t:none, msg:'Remote Command Execution: Unix shell history invocation', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-shell', tag:'platform-unix', tag:'attack-rce', tag:'paranoia-level/3', tag:'OWASP_CRS', tag:'capec/1000/152/248/88', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932017,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" diff --git a/appsec/crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/appsec/crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf index b125102b..4061ac09 100644 --- a/appsec/crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf 
+++ b/appsec/crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf @@ -44,25 +44,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,skipAf # Therefore, that pattern is now checked by rule 933190 in paranoia levels # 3 or higher. # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:<\?(?:[^x]|x[^m]|xm[^l]|xml[^\s]|xml$|$)|<\?php|\[(?:/|\x5c)?php\])" \ - "id:933100,\ - phase:2,\ - block,\ - capture,\ - t:none,t:lowercase,\ - msg:'PHP Injection Attack: PHP Open Tag Found',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-php',\ - tag:'platform-multi',\ - tag:'attack-injection-php',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:<\?(?:[^x]|x[^m]|xm[^l]|xml[^\s]|xml$|$)|<\?php|\[(?:/|\x5c)?php\])" "id:933100, phase:2, block, capture, t:none,t:lowercase, msg:'PHP Injection Attack: PHP Open Tag Found', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-php', tag:'platform-multi', tag:'attack-injection-php', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # [ PHP Script Uploads ] 
@@ -85,77 +67,20 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # X_Filename, or X-File-Name to transmit the file name to the server; # scan these request headers as well as multipart/form-data file names. # -SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.ph(?:p\d*|tml|ar|ps|t|pt)\.*$" \ - "id:933110,\ - phase:2,\ - block,\ - capture,\ - t:none,t:lowercase,\ - msg:'PHP Injection Attack: PHP Script File Upload Found',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-php',\ - tag:'platform-multi',\ - tag:'attack-injection-php',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.ph(?:p\d*|tml|ar|ps|t|pt)\.*$" "id:933110, phase:2, block, capture, t:none,t:lowercase, msg:'PHP Injection Attack: PHP Script File Upload Found', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-php', tag:'platform-multi', tag:'attack-injection-php', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # [ PHP Configuration Directives ] # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-config-directives.data" \ - "id:933120,\ - phase:2,\ - block,\ - capture,\ - t:none,t:normalisePath,\ - msg:'PHP Injection Attack: 
Configuration Directive Found',\ - logdata:'Matched Data: %{TX.933120_TX_0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-php',\ - tag:'platform-multi',\ - tag:'attack-injection-php',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.933120_tx_0=%{tx.0}',\ - chain" - SecRule MATCHED_VARS "@pm =" \ - "capture,\ - setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-config-directives.data" "id:933120, phase:2, block, capture, t:none,t:normalisePath, msg:'PHP Injection Attack: Configuration Directive Found', logdata:'Matched Data: %{TX.933120_TX_0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-php', tag:'platform-multi', tag:'attack-injection-php', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.933120_tx_0=%{tx.0}', chain" + SecRule MATCHED_VARS "@pm =" "capture, setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # [ PHP Variables ] # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-variables.data" \ - "id:933130,\ - phase:2,\ - block,\ - capture,\ - t:none,t:normalisePath,t:urlDecodeUni,\ - msg:'PHP Injection Attack: Variables Found',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-php',\ - tag:'platform-multi',\ - tag:'attack-injection-php',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - 
setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-variables.data" "id:933130, phase:2, block, capture, t:none,t:normalisePath,t:urlDecodeUni, msg:'PHP Injection Attack: Variables Found', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-php', tag:'platform-multi', tag:'attack-injection-php', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # 
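Review bot: In the collapsed 933120 rule `chain` remains the last action and the chained `SecRule MATCHED_VARS "@pm ="` follows on its own indented line; once the parent rule is one long line, that leading whitespace is the only visual cue that the second line belongs to the first, so a comment above the pair would help, e.g. `# chained: score only when a matched directive value also contains '='`. The same applies to the 933151 chain (`@pm (`) at the end of the later hunk in this file. The two-rule structure and the scoring `setvar` values are unchanged from the removed lines.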
@@ -173,25 +98,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # # http://php.net/manual/en/wrappers.php.php # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" \ - "id:933140,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'PHP Injection Attack: I/O Stream Found',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-php',\ - tag:'platform-multi',\ - tag:'attack-injection-php',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" "id:933140, phase:2, block, capture, t:none, msg:'PHP Injection Attack: I/O Stream Found', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-php', tag:'platform-multi', tag:'attack-injection-php', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # 
@@ -210,24 +117,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 933200 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://" \ - "id:933200,\ - phase:2,\ - block,\ - t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\ - msg:'PHP Injection Attack: Wrapper scheme detected',\ - logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ - tag:'application-multi',\ - tag:'language-php',\ - tag:'platform-multi',\ - tag:'attack-injection-php',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://" "id:933200, phase:2, block, t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine, msg:'PHP Injection Attack: Wrapper scheme detected', logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-php', tag:'platform-multi', tag:'attack-injection-php', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # 
@@ -276,25 +166,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # We block these function names outright, without using a complex regexp or chain. # This could make the detection a bit more robust against possible bypasses. # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-function-names-933150.data" \ - "id:933150,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'PHP Injection Attack: High-Risk PHP Function Name Found',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-php',\ - tag:'platform-multi',\ - tag:'attack-injection-php',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-function-names-933150.data" "id:933150, phase:2, block, capture, t:none, msg:'PHP Injection Attack: High-Risk PHP Function Name Found', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-php', tag:'platform-multi', tag:'attack-injection-php', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # 
@@ -328,25 +200,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 933160 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b\(?[\"']*(?:a(?:rray_(?:(?:diff|intersect)_u(?:assoc|key)|filter|map|reduce|u(?:diff|intersect)(?:_u?assoc)?)|ssert(?:_options)?)|b(?:(?:ase64_en|son_(?:de|en))code|zopen)|c(?:hr|onvert_uuencode|reate_function|url_(?:exec|file_create|init))|(?:debug_backtrac|json_(?:de|en)cod|tmpfil)e|e(?:rror_reporting|scapeshell(?:arg|cmd)|val|x(?:ec|if_(?:imagetype|read_data|t(?:agname|humbnail))))|f(?:i(?:le(?:(?:_exist|perm)s|(?:[acm]tim|inod)e|group)?|nfo_open)|open|(?:pu|unction_exis)ts|tp_(?:connec|ge|nb_(?:ge|pu)|pu)t|write)|g(?:et(?:_(?:c(?:fg_va|urrent_use)r|meta_tags)|(?:cw|lastmo)d|env|imagesize|my(?:[gpu]id|inode))|lob|z(?:compress|(?:(?:defla|wri)t|encod|fil)e|open|read))|h(?:(?:ash_(?:(?:hmac|update)_)?|ighlight_)file|e(?:ader_register_callback|x2bin)|tml(?:_entity_decode|entities|specialchars(?:_decode)?))|i(?:mage(?:2?wbmp|createfrom(?:gif|(?:jpe|pn)g|wbmp|x[bp]m)|g(?:d2?|if)|(?:jpe|pn)g|xbm)|ni_(?:get(?:_all)?|set)|ptcembed|s_(?:dir|(?:(?:execut|read|write?)ab|fi)le)|terator_apply)|m(?:b_(?:ereg(?:_(?:match|replace(?:_callback)?)|i(?:_replace)?)?|parse_str)|(?:d5|ove_uploaded)_file|ethod_exists|kdir|ysql_query)|o(?:b_(?:clean|end_(?:clean|flush)|flush|get_(?:c(?:lean|ontents)|flush)|start)|dbc_(?:connect|exec(?:ute)?|result(?:_all)?)|pendir)|p(?:a(?:rse_(?:ini_file|str)|ssthru)|g_(?:connect|(?:execut|prepar)e|query)|hp(?:_(?:strip_whitespac|unam)e|info|version)|o(?:pen|six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|kill|mk(?:fifo|nod)|ttyname))|r(?:eg_(?:match(?:_all)?|replace(?:_callback(?:_array)?)?|split)|int_r|oc_(?:(?:clos|nic|terminat)e|get_status|open))|utenv)|r(?:awurl(?:de|en)code|e(?:ad(?:_exif_data|dir|(?:gz)?file)|(?:gis
ter_(?:shutdown|tick)|name)_function)|unkit_(?:constant_(?:add|redefine)|(?:function|method)_(?:add|copy|re(?:defin|nam)e)))|s(?:e(?:ssion_s(?:et_save_handler|tart)|t(?:_(?:e(?:rror|xception)_handler|include_path|magic_quotes_runtime)|defaultstub))|h(?:a1_fil|ow_sourc)e|implexml_load_(?:file|string)|ocket_c(?:onnect|reate)|pl_autoload_register|qlite_(?:(?:(?:array|single|unbuffered)_)?query|create_(?:aggregate|function)|exec|p?open)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|ystem)|u(?:[ak]?sort|n(?:pack|serialize)|rl(?:de|en)code)|var_dump)(?:/(?:\*.*\*/|/.*)|#.*[\s\v]|\")*[\"']*\)?[\s\v]*\(.*\)" \ - "id:933160,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'PHP Injection Attack: High-Risk PHP Function Call Found',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-php',\ - tag:'platform-multi',\ - tag:'attack-injection-php',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx 
(?i)\b\(?[\"']*(?:a(?:rray_(?:(?:diff|intersect)_u(?:assoc|key)|filter|map|reduce|u(?:diff|intersect)(?:_u?assoc)?)|ssert(?:_options)?)|b(?:(?:ase64_en|son_(?:de|en))code|zopen)|c(?:hr|onvert_uuencode|reate_function|url_(?:exec|file_create|init))|(?:debug_backtrac|json_(?:de|en)cod|tmpfil)e|e(?:rror_reporting|scapeshell(?:arg|cmd)|val|x(?:ec|if_(?:imagetype|read_data|t(?:agname|humbnail))))|f(?:i(?:le(?:(?:_exist|perm)s|(?:[acm]tim|inod)e|group)?|nfo_open)|open|(?:pu|unction_exis)ts|tp_(?:connec|ge|nb_(?:ge|pu)|pu)t|write)|g(?:et(?:_(?:c(?:fg_va|urrent_use)r|meta_tags)|(?:cw|lastmo)d|env|imagesize|my(?:[gpu]id|inode))|lob|z(?:compress|(?:(?:defla|wri)t|encod|fil)e|open|read))|h(?:(?:ash_(?:(?:hmac|update)_)?|ighlight_)file|e(?:ader_register_callback|x2bin)|tml(?:_entity_decode|entities|specialchars(?:_decode)?))|i(?:mage(?:2?wbmp|createfrom(?:gif|(?:jpe|pn)g|wbmp|x[bp]m)|g(?:d2?|if)|(?:jpe|pn)g|xbm)|ni_(?:get(?:_all)?|set)|ptcembed|s_(?:dir|(?:(?:execut|read|write?)ab|fi)le)|terator_apply)|m(?:b_(?:ereg(?:_(?:match|replace(?:_callback)?)|i(?:_replace)?)?|parse_str)|(?:d5|ove_uploaded)_file|ethod_exists|kdir|ysql_query)|o(?:b_(?:clean|end_(?:clean|flush)|flush|get_(?:c(?:lean|ontents)|flush)|start)|dbc_(?:connect|exec(?:ute)?|result(?:_all)?)|pendir)|p(?:a(?:rse_(?:ini_file|str)|ssthru)|g_(?:connect|(?:execut|prepar)e|query)|hp(?:_(?:strip_whitespac|unam)e|info|version)|o(?:pen|six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|kill|mk(?:fifo|nod)|ttyname))|r(?:eg_(?:match(?:_all)?|replace(?:_callback(?:_array)?)?|split)|int_r|oc_(?:(?:clos|nic|terminat)e|get_status|open))|utenv)|r(?:awurl(?:de|en)code|e(?:ad(?:_exif_data|dir|(?:gz)?file)|(?:gister_(?:shutdown|tick)|name)_function)|unkit_(?:constant_(?:add|redefine)|(?:function|method)_(?:add|copy|re(?:defin|nam)e)))|s(?:e(?:ssion_s(?:et_save_handler|tart)|t(?:_(?:e(?:rror|xception)_handler|include_path|magic_quotes_runtime)|defaultstub))|h(?:a1_fil|ow_sourc)e|implexml_load_(?:file|string)|ocket_c(?:onnect|reate)|pl_autoload_re
gister|qlite_(?:(?:(?:array|single|unbuffered)_)?query|create_(?:aggregate|function)|exec|p?open)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|ystem)|u(?:[ak]?sort|n(?:pack|serialize)|rl(?:de|en)code)|var_dump)(?:/(?:\*.*\*/|/.*)|#.*[\s\v]|\")*[\"']*\)?[\s\v]*\(.*\)" "id:933160, phase:2, block, capture, t:none, msg:'PHP Injection Attack: High-Risk PHP Function Call Found', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-php', tag:'platform-multi', tag:'attack-injection-php', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # 
@@ -383,25 +237,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F # https://www.exploit-db.com/exploits/39033/ (X-Forwarded-For header) # http://karmainsecurity.com/KIS-2015-10 (Host header) # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/* "@rx [oOcC]:\d+:\".+?\":\d+:{.*}" \ - "id:933170,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'PHP Injection Attack: Serialized Object Injection',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-php',\ - tag:'platform-multi',\ - tag:'attack-injection-php',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/* "@rx [oOcC]:\d+:\".+?\":\d+:{.*}" "id:933170, phase:2, block, capture, t:none, msg:'PHP Injection Attack: Serialized Object Injection', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-php', tag:'platform-multi', tag:'attack-injection-php', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" 
@@ -438,25 +274,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H # \(.*\) # Parentheses optionally containing function parameters # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx \$+(?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*{.+})(?:\s|\[.+\]|{.+}|/\*.*\*/|//.*|#.*)*\(.*\)" \ - "id:933180,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'PHP Injection Attack: Variable Function Call Found',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-php',\ - tag:'platform-multi',\ - tag:'attack-injection-php',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx \$+(?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*{.+})(?:\s|\[.+\]|{.+}|/\*.*\*/|//.*|#.*)*\(.*\)" "id:933180, phase:2, block, capture, t:none, msg:'PHP Injection Attack: Variable Function Call Found', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-php', tag:'platform-multi', tag:'attack-injection-php', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ PHP Functions: Variable Function Prevent Bypass ] # 
@@ -485,25 +303,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 933210 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:\((?:.+\)(?:[\"'][\-0-9A-Z_a-z]+[\"'])?\(.+|[^\)]*string[^\)]*\)[\s\v\"'\--\.0-9A-\[\]_a-\{\}]+\([^\)]*)|(?:\[[0-9]+\]|\{[0-9]+\}|\$[^\(-\),\.-/;\x5c]+|[\"'][\-0-9A-Z\x5c_a-z]+[\"'])\(.+)\);" \ - "id:933210,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecode,t:replaceComments,t:removeWhitespace,\ - msg:'PHP Injection Attack: Variable Function Call Found',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-php',\ - tag:'platform-multi',\ - tag:'attack-injection-php',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:\((?:.+\)(?:[\"'][\-0-9A-Z_a-z]+[\"'])?\(.+|[^\)]*string[^\)]*\)[\s\v\"'\--\.0-9A-\[\]_a-\{\}]+\([^\)]*)|(?:\[[0-9]+\]|\{[0-9]+\}|\$[^\(-\),\.-/;\x5c]+|[\"'][\-0-9A-Z\x5c_a-z]+[\"'])\(.+)\);" "id:933210, phase:2, block, capture, t:none,t:urlDecode,t:replaceComments,t:removeWhitespace, msg:'PHP Injection Attack: Variable Function Call Found', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-php', tag:'platform-multi', tag:'attack-injection-php', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}', 
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" 
@@ -528,29 +328,8 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,skipAf # # This rule is a stricter sibling of rule 933150. # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-function-names-933151.data" \ - "id:933151,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'PHP Injection Attack: Medium-Risk PHP Function Name Found',\ - logdata:'Matched Data: %{TX.933151_TX_0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-php',\ - tag:'platform-multi',\ - tag:'attack-injection-php',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.933151_tx_0=%{tx.0}',\ - chain" - SecRule MATCHED_VARS "@pm (" \ - "capture,\ - setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-function-names-933151.data" "id:933151, phase:2, block, capture, t:none, msg:'PHP Injection Attack: Medium-Risk PHP Function Name Found', logdata:'Matched Data: %{TX.933151_TX_0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-php', tag:'platform-multi', tag:'attack-injection-php', tag:'OWASP_CRS', tag:'capec/1000/152/242', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.933151_tx_0=%{tx.0}', chain" + SecRule MATCHED_VARS "@pm (" "capture, setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" 
@@ -583,25 +362,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,skipAf
 # crs-toolchain regex update 933131
 #
 # This rule is a stricter sibling of rule 933130.
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI" \
- "id:933131,\
- phase:2,\
- block,\
- capture,\
- t:none,t:normalisePath,t:urlDecodeUni,\
- msg:'PHP Injection Attack: Variables Found',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-php',\
- tag:'platform-multi',\
- tag:'attack-injection-php',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/242',\
- tag:'paranoia-level/3',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI" "id:933131, phase:2, block, capture, t:none,t:normalisePath,t:urlDecodeUni, msg:'PHP Injection Attack: Variables Found', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-php', tag:'platform-multi', tag:'attack-injection-php', tag:'OWASP_CRS', tag:'capec/1000/152/242', tag:'paranoia-level/3', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 #
@@ -627,25 +388,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 933161 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:bs|cosh?|r(?:ray|sort)|s(?:inh?|(?:o|se)rt)|tan[2h]?)|b(?:asename|indec)|c(?:eil|h(?:dir|eckdate|mod|o(?:p|wn)|root)|lose(?:dir|log)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|(?:ryp|urren)t)|d(?:ate|e(?:coct|fined?)|i(?:(?:skfreespac)?e|r(?:name)?)|(?:oubleva)?l)|e(?:a(?:ch|ster_da(?:te|ys))|cho|mpty|nd|r(?:egi?|ror_log)|x(?:(?:i|trac)t|p(?:lode)?))|f(?:close|eof|gets|ile(?:owner|pro|(?:siz|typ)e)|l(?:o(?:atval|ck|or)|ush)|(?:mo|rea)d|stat|t(?:ell|ok)|unction)|g(?:et(?:date|t(?:ext|ype))|mdate)|h(?:ash|e(?:ader(?:s_(?:lis|sen)t)?|brev)|ypot)|i(?:conv|(?:dat|mplod)e|n(?:(?:clud|vok)e|t(?:div|val))|s(?:_(?:a(?:rray)?|bool|(?:calla|dou)ble|f(?:inite|loat)|in(?:finite|t(?:eger)?)|l(?:ink|ong)|n(?:an|u(?:ll|meric))|object|re(?:al|source)|s(?:calar|tring))|set))|join|k(?:ey|sort)|l(?:(?:cfirs|sta)t|evenshtein|i(?:nk(?:info)?|st)|o(?:caltime|g(?:1[0p])?)|trim)|m(?:a(?:i[ln]|x)|b(?:ereg|split)|etaphone|hash|i(?:crotime|n)|y?sql)|n(?:atsor|ex)t|o(?:ctdec|penlog|rd)|p(?:a(?:ck|thinfo)|close|i|o[sw]|r(?:ev|intf?))|quotemeta|r(?:an(?:d|ge)|e(?:adlin[ek]|(?:cod|nam|quir)e|set|wind)|ound|sort|trim)|s(?:(?:candi|ubst)r|(?:e(?:rializ|ttyp)|huffl)e|i(?:milar_text|nh?|zeof)|leep|o(?:rt|undex)|p(?:liti?|rintf)|qrt|rand|t(?:at|r(?:coll|(?:le|sp)n))|y(?:mlink|slog))|t(?:a(?:int|nh?)|e(?:mpnam|xtdomain)|ime|ouch|rim)|u(?:cfirst|mask|n(?:iqid|link|(?:se|tain)t)|s(?:leep|ort))|virtual|wordwrap)(?:[\s\v]|/(?:\*.*\*/|/.*)|#.*)*\(.*\)" \ - "id:933161,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'PHP Injection Attack: Low-Value PHP Function Call Found',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - 
tag:'application-multi',\ - tag:'language-php',\ - tag:'platform-multi',\ - tag:'attack-injection-php',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242',\ - tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:bs|cosh?|r(?:ray|sort)|s(?:inh?|(?:o|se)rt)|tan[2h]?)|b(?:asename|indec)|c(?:eil|h(?:dir|eckdate|mod|o(?:p|wn)|root)|lose(?:dir|log)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|(?:ryp|urren)t)|d(?:ate|e(?:coct|fined?)|i(?:(?:skfreespac)?e|r(?:name)?)|(?:oubleva)?l)|e(?:a(?:ch|ster_da(?:te|ys))|cho|mpty|nd|r(?:egi?|ror_log)|x(?:(?:i|trac)t|p(?:lode)?))|f(?:close|eof|gets|ile(?:owner|pro|(?:siz|typ)e)|l(?:o(?:atval|ck|or)|ush)|(?:mo|rea)d|stat|t(?:ell|ok)|unction)|g(?:et(?:date|t(?:ext|ype))|mdate)|h(?:ash|e(?:ader(?:s_(?:lis|sen)t)?|brev)|ypot)|i(?:conv|(?:dat|mplod)e|n(?:(?:clud|vok)e|t(?:div|val))|s(?:_(?:a(?:rray)?|bool|(?:calla|dou)ble|f(?:inite|loat)|in(?:finite|t(?:eger)?)|l(?:ink|ong)|n(?:an|u(?:ll|meric))|object|re(?:al|source)|s(?:calar|tring))|set))|join|k(?:ey|sort)|l(?:(?:cfirs|sta)t|evenshtein|i(?:nk(?:info)?|st)|o(?:caltime|g(?:1[0p])?)|trim)|m(?:a(?:i[ln]|x)|b(?:ereg|split)|etaphone|hash|i(?:crotime|n)|y?sql)|n(?:atsor|ex)t|o(?:ctdec|penlog|rd)|p(?:a(?:ck|thinfo)|close|i|o[sw]|r(?:ev|intf?))|quotemeta|r(?:an(?:d|ge)|e(?:adlin[ek]|(?:cod|nam|quir)e|set|wind)|ound|sort|trim)|s(?:(?:candi|ubst)r|(?:e(?:rializ|ttyp)|huffl)e|i(?:milar_text|nh?|zeof)|leep|o(?:rt|undex)|p(?:liti?|rintf)|qrt|rand|t(?:at|r(?:coll|(?:le|sp)n))|y(?:mlink|slog))|t(?:a(?:int|nh?)|e(?:mpnam|xtdomain)|ime|ouch|rim)|u(?:cfirst|mask|n(?:iqid|link|(?:se|tain)t)|s(?:leep|ort))|virtual|wordwrap)(?:[\s\v]|/(?:\*.*\*/|/.*)|#.*)*\(.*\)" "id:933161, phase:2, block, capture, t:none, msg:'PHP Injection Attack: 
Low-Value PHP Function Call Found', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-php', tag:'platform-multi', tag:'attack-injection-php', tag:'OWASP_CRS', tag:'capec/1000/152/242', tag:'paranoia-level/3', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 #
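Review bot: The 933161 operator is now one line of several thousand characters that this change retyped, and a character dropped or altered while flattening it would still parse cleanly while silently changing what the rule matches; the same applies to the long regexes of 933211, 934100, 934120 and 934170 in this diff. Since no hunk does more than remove the `\` continuations and join the action lines, I would have a script produce these files and add a check that, per rule id, the targets, operator and whitespace-stripped action list are byte-equal to the upstream CRS file, rather than relying on reading the diff. The `# crs-toolchain regex update 933161` marker above the rule also suggests the operator is normally regenerated by the toolchain; confirm that still works on the single-line form, otherwise future regex updates will not land here.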
@@ -669,25 +412,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 #
 # This rule is a stricter sibling of rule 933110.
 #
-SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \
- "id:933111,\
- phase:2,\
- block,\
- capture,\
- t:none,t:lowercase,\
- msg:'PHP Injection Attack: PHP Script File Upload Found',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-php',\
- tag:'platform-multi',\
- tag:'attack-injection-php',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/242',\
- tag:'paranoia-level/3',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" "id:933111, phase:2, block, capture, t:none,t:lowercase, msg:'PHP Injection Attack: PHP Script File Upload Found', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-php', tag:'platform-multi', tag:'attack-injection-php', tag:'OWASP_CRS', tag:'capec/1000/152/242', tag:'paranoia-level/3', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 # [ PHP Closing Tag Found ]
@@ -698,25 +423,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
 # checked sequence '?>' commonly causes false positives.
 # See issue #654 for discussion.
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm ?>" \
- "id:933190,\
- phase:2,\
- block,\
- capture,\
- t:none,t:urlDecodeUni,\
- msg:'PHP Injection Attack: PHP Closing Tag Found',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-php',\
- tag:'platform-multi',\
- tag:'attack-injection-php',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/242',\
- tag:'paranoia-level/3',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm ?>" "id:933190, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'PHP Injection Attack: PHP Closing Tag Found', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-php', tag:'platform-multi', tag:'attack-injection-php', tag:'OWASP_CRS', tag:'capec/1000/152/242', tag:'paranoia-level/3', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 # [ PHP Functions: Variable Function Prevent Bypass ]
@@ -733,25 +440,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 933211 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:\((?:.+\)(?:[\"'][\-0-9A-Z_a-z]+[\"'])?\(.+|[^\)]*string[^\)]*\)[\s\v\"'\--\.0-9A-\[\]_a-\{\}]+\([^\)]*)|(?:\[[0-9]+\]|\{[0-9]+\}|\$[^\(-\),\.-/;\x5c]+|[\"'][\-0-9A-Z\x5c_a-z]+[\"'])\(.+)\)(?:;|$)?" \ - "id:933211,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecode,t:replaceComments,t:removeWhitespace,\ - msg:'PHP Injection Attack: Variable Function Call Found',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-php',\ - tag:'platform-multi',\ - tag:'attack-injection-php',\ - tag:'paranoia-level/3',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:\((?:.+\)(?:[\"'][\-0-9A-Z_a-z]+[\"'])?\(.+|[^\)]*string[^\)]*\)[\s\v\"'\--\.0-9A-\[\]_a-\{\}]+\([^\)]*)|(?:\[[0-9]+\]|\{[0-9]+\}|\$[^\(-\),\.-/;\x5c]+|[\"'][\-0-9A-Z\x5c_a-z]+[\"'])\(.+)\)(?:;|$)?" 
"id:933211, phase:2, block, capture, t:none,t:urlDecode,t:replaceComments,t:removeWhitespace, msg:'PHP Injection Attack: Variable Function Call Found', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-php', tag:'platform-multi', tag:'attack-injection-php', tag:'paranoia-level/3', tag:'OWASP_CRS', tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
diff --git a/appsec/crs/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf b/appsec/crs/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
index 8e47a155..85184719 100644
--- a/appsec/crs/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
+++ b/appsec/crs/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
@@ -49,50 +49,10 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,skipAf # crs-toolchain regex update 934100 # # Stricter sibling: 934101 -SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx _(?:\$\$ND_FUNC\$\$_|_js_function)|(?:\beval|new[\s\v]+Function[\s\v]*)\(|String\.fromCharCode|function\(\)\{|this\.constructor|module\.exports=|\([\s\v]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][\s\v]*\)|process(?:\.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:\.call)?\(|binding|constructor|env|global|main(?:Module)?|process|require)|\[[\"'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)[\"'`]\])|(?:binding|constructor|env|global|main(?:Module)?|process|require)\[|console(?:\.(?:debug|error|info|trace|warn)(?:\.call)?\(|\[[\"'`](?:debug|error|info|trace|warn)[\"'`]\])|require(?:\.(?:resolve(?:\.call)?\(|main|extensions|cache)|\[[\"'`](?:(?:resolv|cach)e|main|extensions)[\"'`]\])" \ - "id:934100,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,t:jsDecode,t:removeWhitespace,t:base64Decode,\ - msg:'Node.js Injection Attack 1/2',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - 
tag:'application-multi',\ - tag:'language-javascript',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'attack-injection-generic',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - multiMatch,\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx _(?:\$\$ND_FUNC\$\$_|_js_function)|(?:\beval|new[\s\v]+Function[\s\v]*)\(|String\.fromCharCode|function\(\)\{|this\.constructor|module\.exports=|\([\s\v]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][\s\v]*\)|process(?:\.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:\.call)?\(|binding|constructor|env|global|main(?:Module)?|process|require)|\[[\"'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)[\"'`]\])|(?:binding|constructor|env|global|main(?:Module)?|process|require)\[|console(?:\.(?:debug|error|info|trace|warn)(?:\.call)?\(|\[[\"'`](?:debug|error|info|trace|warn)[\"'`]\])|require(?:\.(?:resolve(?:\.call)?\(|main|extensions|cache)|\[[\"'`](?:(?:resolv|cach)e|main|extensions)[\"'`]\])" "id:934100, 
phase:2, block, capture, t:none,t:urlDecodeUni,t:jsDecode,t:removeWhitespace,t:base64Decode, msg:'Node.js Injection Attack 1/2', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-javascript', tag:'platform-multi', tag:'attack-rce', tag:'attack-injection-generic', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', multiMatch, setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[\s\v]*\(" \
- "id:934101,\
- phase:2,\
- block,\
- capture,\
- t:none,t:urlDecodeUni,t:base64Decode,\
- msg:'Node.js Injection Attack 2/2',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-javascript',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'attack-injection-generic',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- multiMatch,\
- setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[\s\v]*\(" "id:934101, phase:2, block, capture, t:none,t:urlDecodeUni,t:base64Decode, msg:'Node.js Injection Attack 2/2', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-javascript', tag:'platform-multi', tag:'attack-rce', tag:'attack-injection-generic', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/242', 
ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', multiMatch, setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # -=[ SSRF Attacks ]=-
 #
@@ -108,25 +68,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
 #
 # Preventing: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile ssrf.data" \
- "id:934110,\
- phase:2,\
- block,\
- capture,\
- t:none,\
- msg:'Possible Server Side Request Forgery (SSRF) Attack: Cloud provider metadata URL in Parameter',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-ssrf',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/225/664',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile ssrf.data" "id:934110, phase:2, block, capture, t:none, msg:'Possible Server Side Request Forgery (SSRF) Attack: Cloud provider metadata URL in Parameter', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-ssrf', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/225/664', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # JavaScript prototype pollution injection attempts
 #
@@ -142,27 +84,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 # Note: only server-based (not DOM-based) attacks are covered here.
 # Stricter sibling: 934131
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:__proto__|constructor\s*(?:\.|\[)\s*prototype)" \
- "id:934130,\
- phase:2,\
- block,\
- capture,\
- t:none,t:urlDecodeUni,t:base64Decode,\
- msg:'JavaScript Prototype Pollution',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-javascript',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'attack-injection-generic',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1/180/77',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- multiMatch,\
- setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:__proto__|constructor\s*(?:\.|\[)\s*prototype)" "id:934130, phase:2, block, capture, t:none,t:urlDecodeUni,t:base64Decode, msg:'JavaScript Prototype Pollution', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-javascript', tag:'platform-multi', tag:'attack-rce', tag:'attack-injection-generic', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1/180/77', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', multiMatch, setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # [ Ruby generic RCE signatures ]
 #
@@ -174,26 +96,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 # crs-toolchain regex update 934150
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx Process[\s\v]*\.[\s\v]*spawn[\s\v]*\(" \
- "id:934150,\
- phase:2,\
- block,\
- capture,\
- t:none,\
- msg:'Ruby Injection Attack',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-ruby',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'attack-injection-generic',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx Process[\s\v]*\.[\s\v]*spawn[\s\v]*\(" "id:934150, phase:2, block, capture, t:none, msg:'Ruby Injection Attack', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-ruby', tag:'platform-multi', tag:'attack-rce', tag:'attack-injection-generic', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # [ NodeJS DoS signatures ]
 #
@@ -205,27 +108,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 934160 # -SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx while[\s\v]*\([\s\v\(]*(?:!+(?:false|null|undefined|NaN|[\+\-]?0|\"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[\+\-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)\b|\{.*\}|\[.*\]|\"[^\"]+\"|'[^']+'|`[^`]+`)).*\)" \ - "id:934160,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,t:base64Decode,t:replaceComments,\ - msg:'Node.js DoS attack',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-javascript',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'attack-injection-generic',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - multiMatch,\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx while[\s\v]*\([\s\v\(]*(?:!+(?:false|null|undefined|NaN|[\+\-]?0|\"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[\+\-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)\b|\{.*\}|\[.*\]|\"[^\"]+\"|'[^']+'|`[^`]+`)).*\)" "id:934160, phase:2, block, capture, t:none,t:urlDecodeUni,t:base64Decode,t:replaceComments, msg:'Node.js DoS attack', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-javascript', tag:'platform-multi', tag:'attack-rce', tag:'attack-injection-generic', tag:'paranoia-level/1', tag:'OWASP_CRS', 
tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', multiMatch, setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # [ PHP data: scheme ]
 #
@@ -236,25 +119,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 934170 # -SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^data:(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*(?:[\s\v]*,[\s\v]*(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*)*" \ - "id:934170,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'PHP data scheme attack',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-php',\ - tag:'platform-multi',\ - tag:'attack-ssrf',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
^data:(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*(?:[\s\v]*,[\s\v]*(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*)*" "id:934170, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'PHP data scheme attack', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-php', tag:'platform-multi', tag:'attack-ssrf', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" 
@@ -293,47 +158,9 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,skipAf # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 934120 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)((?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}\.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}\.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}\.(?:[0-9]{1,3}\.[0-9]{5}|[0-9]{8})|(?:\x5c\x5c[\-0-9a-z]\.?_?)+|\[[0-:a-f]+(?:[\.0-9]+|%[0-9A-Z_a-z]+)?\]|[a-z][\--\.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[\s\v]*&?@(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}|[a-z][\--\.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[\.0-9]{0,11}(?:\xe2(?:\x91[\xa0-\xbf]|\x92[\x80-\xbf]|\x93[\x80-\xa9\xab-\xbf])|\xe3\x80\x82)+))" \ - "id:934120,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'Possible Server Side Request Forgery (SSRF) Attack: URL Parameter using IP Address',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-ssrf',\ - tag:'paranoia-level/2',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/225/664',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - 
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)((?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}\.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}\.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}\.(?:[0-9]{1,3}\.[0-9]{5}|[0-9]{8})|(?:\x5c\x5c[\-0-9a-z]\.?_?)+|\[[0-:a-f]+(?:[\.0-9]+|%[0-9A-Z_a-z]+)?\]|[a-z][\--\.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[\s\v]*&?@(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}|[a-z][\--\.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[\.0-9]{0,11}(?:\xe2(?:\x91[\xa0-\xbf]|\x92[\x80-\xbf]|\x93[\x80-\xa9\xab-\xbf])|\xe3\x80\x82)+))" "id:934120, phase:2, block, capture, t:none, msg:'Possible Server Side Request Forgery (SSRF) Attack: URL Parameter using IP Address', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-ssrf', tag:'paranoia-level/2', tag:'OWASP_CRS', tag:'capec/1000/225/664', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \[\s*constructor\s*\]" \ - "id:934131,\ - phase:2,\ - 
block,\
- capture,\
- t:none,t:urlDecodeUni,t:base64Decode,\
- msg:'JavaScript Prototype Pollution',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-javascript',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'attack-injection-generic',\
- tag:'paranoia-level/2',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- multiMatch,\
- setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \[\s*constructor\s*\]" "id:934131, phase:2, block, capture, t:none,t:urlDecodeUni,t:base64Decode, msg:'JavaScript Prototype Pollution', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-javascript', tag:'platform-multi', tag:'attack-rce', tag:'attack-injection-generic', tag:'paranoia-level/2', tag:'OWASP_CRS', tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', multiMatch, setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 # [ Perl generic RCE signatures ]
@@ -346,26 +173,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 # crs-toolchain regex update 934140
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx @\{.*\}" \
- "id:934140,\
- phase:2,\
- block,\
- capture,\
- t:none,\
- msg:'Perl Injection Attack',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-perl',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'attack-injection-generic',\
- tag:'paranoia-level/2',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx @\{.*\}" "id:934140, phase:2, block, capture, t:none, msg:'Perl Injection Attack', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-perl', tag:'platform-multi', tag:'attack-rce', tag:'attack-injection-generic', tag:'paranoia-level/2', tag:'OWASP_CRS', tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
diff --git a/appsec/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/appsec/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
index feabb356..59e36f0a 100644
--- a/appsec/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
+++ b/appsec/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
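Review bot: The reflowed one-line form of 934140 sits directly under the kept comment `# crs-toolchain regex update 934140`, but that command rewrites the `@rx` operator in place and, as far as I know, locates the rule through the upstream layout (operator line ending in `\`, then `"id:934140,\` on its own line), so the documented update workflow will presumably stop finding the rule after this change. The same comment is kept above 941130, 941160 and 942140, which are reflowed the same way. If this copy is meant to be hand-maintained, replace the comment with something that says so, e.g. `# NOTE: reflowed vendored copy; re-import the regex from upstream CRS instead of running crs-toolchain here`; otherwise keep the multi-line layout for the toolchain-managed rules.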
@@ -54,13 +54,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,skipAf
 # target list and to add it on a case to case base, but the rule language does not
 # support this feature at runtime.
 #
-SecRule REQUEST_FILENAME "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122" \
- "id:941010,\
- phase:1,\
- pass,\
- t:none,\
- nolog,\
- ctl:ruleRemoveTargetById=941100-941999;REQUEST_FILENAME"
+SecRule REQUEST_FILENAME "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-122" "id:941010, phase:1, pass, t:none, nolog, ctl:ruleRemoveTargetById=941100-941999;REQUEST_FILENAME"
 #
@@ -77,24 +71,7 @@ SecRule REQUEST_FILENAME "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-12
 #
 # 941101: PL2 : REQUEST_FILENAME|REQUEST_HEADERS:Referer
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@detectXSS" \
- "id:941100,\
- phase:2,\
- block,\
- t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
- msg:'XSS Attack Detected via libinjection',\
- logdata:'Matched Data: XSS data found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-xss',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@detectXSS" "id:941100, phase:2, block, t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls, msg:'XSS Attack Detected via libinjection', logdata:'Matched Data: XSS data found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-xss', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.xss_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 #
@@ -102,25 +79,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 # http://xssplayground.net23.net/xssfilter.html
 # script tag based XSS vectors, e.g.,
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)]*>[\s\S]*?" \
- "id:941110,\
- phase:2,\
- block,\
- capture,\
- t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
- msg:'XSS Filter - Category 1: Script Tag Vector',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-xss',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)]*>[\s\S]*?" "id:941110, phase:2, block, capture, t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls, msg:'XSS Filter - Category 1: Script Tag Vector', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-xss', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.xss_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 #
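Review bot: The added 941110 line carries the operator as `"@rx (?i)]*>[\s\S]*?"`, which as written matches any `>` at all and would raise a CRITICAL XSS score on practically every request containing one at PL1. The upstream CRS operator for this rule begins with `<script[^>`, so this is most likely the opening being lost in rendering rather than in the commit (the removed line shows the same text), but a reflow that rewrote every rule line is exactly where such a truncation would go unnoticed, so the committed file should be compared byte-for-byte against upstream for this rule. Apart from the joined action list the removed and added lines are otherwise identical.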
@@ -131,25 +90,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 941130 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i).(?:\b(?:x(?:link:href|html|mlns)|data:text/html|formaction|pattern\b.*?=)|!ENTITY[\s\v]+(?:%[\s\v]+)?[^\s\v]+[\s\v]+(?:SYSTEM|PUBLIC)|@import|;base64)\b" \ - "id:941130,\ - phase:2,\ - block,\ - capture,\ - t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ - msg:'XSS Filter - Category 3: Attribute Vector',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-xss',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i).(?:\b(?:x(?:link:href|html|mlns)|data:text/html|formaction|pattern\b.*?=)|!ENTITY[\s\v]+(?:%[\s\v]+)?[^\s\v]+[\s\v]+(?:SYSTEM|PUBLIC)|@import|;base64)\b" "id:941130, phase:2, block, capture, t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls, msg:'XSS Filter - Category 3: Attribute Vector', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-xss', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.xss_score=+%{tx.critical_anomaly_score}', 
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # 
@@ -159,25 +100,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 # https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#behaviors-for-older-modes-of-ie
 # examples: https://regex101.com/r/FFEpsh/1
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url\(javascript" \
- "id:941140,\
- phase:2,\
- block,\
- capture,\
- t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,t:removeWhitespace,\
- msg:'XSS Filter - Category 4: Javascript URI Vector',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-xss',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url\(javascript" "id:941140, phase:2, block, capture, t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,t:removeWhitespace, msg:'XSS Filter - Category 4: Javascript URI Vector', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-xss', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.xss_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 #
@@ -191,49 +114,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 941160 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^\s\v\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[\s\v/]|[\"'](?:.*[\s\v/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:end|iteration|start)|tennastatechange)|ppcommand|udio(?:end|pro
cess|start))|b(?:e(?:fore(?:(?:(?:de)?activa|scriptexecu)te|c(?:opy|ut)|editfocus|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input)))|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|op(?:state|up(?:hid(?:den|ing)|show(?:ing|n)))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetra
ck|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll|e(?:ek(?:complete|ed|ing)|lect(?:start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|ouch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start)|ransition(?:cancel|end|run))|u(?:n(?:derflow|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|heel)|zoom)|ping|s(?:rc|tyle))[\x08-\n\f-\r ]*?=" \ - "id:941160,\ - phase:2,\ - block,\ - capture,\ - t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ - msg:'NoScript XSS InjectionChecker: HTML Injection',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-xss',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx 
(?i)<[^0-9<>A-Z_a-z]*(?:[^\s\v\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[\s\v/]|[\"'](?:.*[\s\v/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:end|iteration|start)|tennastatechange)|ppcommand|udio(?:end|process|start))|b(?:e(?:fore(?:(?:(?:de)?activa|scriptexecu)te|c(?:opy|ut)|editfocus|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:
extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input)))|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|op(?:state|up(?:hid(?:den|ing)|show(?:ing|n)))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll|e(?:ek(?:complete|ed|ing)|lect(?:start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|ouch(?:cancel|en(?:d|t
er)|(?:lea|mo)ve|start)|ransition(?:cancel|end|run))|u(?:n(?:derflow|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|heel)|zoom)|ping|s(?:rc|tyle))[\x08-\n\f-\r ]*?=" "id:941160, phase:2, block, capture, t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls, msg:'NoScript XSS InjectionChecker: HTML Injection', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-xss', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.xss_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # [NoScript InjectionChecker] Attributes injection # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\x5c\(\[\.<]|[\s\S]*?(?:\bname\b|\x5c[ux]\d))|data:(?:(?:[a-z]\w+/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:/\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()|[^-]*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[^:]*?:\W*?u\W*?r\W*?l[\s\S]*?\(" \ - "id:941170,\ - phase:2,\ - block,\ - capture,\ - t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ - msg:'NoScript XSS InjectionChecker: Attribute Injection',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-xss',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - 
setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\x5c\(\[\.<]|[\s\S]*?(?:\bname\b|\x5c[ux]\d))|data:(?:(?:[a-z]\w+/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:/\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()|[^-]*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[^:]*?:\W*?u\W*?r\W*?l[\s\S]*?\(" "id:941170, phase:2, block, capture, t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls, msg:'NoScript XSS InjectionChecker: Attribute Injection', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-xss', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.xss_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # 
@@ -241,25 +128,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 # https://raw.github.com/chriso/node-validator/master/validator.js
 # This rule has a stricter sibling 941181 (PL2) that covers the additional payload "-->"
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@pm document.cookie document.domain document.write .parentnode .innerhtml window.location -moz-binding " \
- "id:941181,\
- phase:2,\
- block,\
- capture,\
- t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls,\
- msg:'Node-Validator Deny List Keywords',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-xss',\
- tag:'paranoia-level/2',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/242',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@contains -->" "id:941181, phase:2, block, capture, t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls, msg:'Node-Validator Deny List Keywords', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-xss', tag:'paranoia-level/2', tag:'OWASP_CRS', tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.xss_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
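Review bot: The added 941181 line replaces the `@pm document.cookie document.domain document.write .parentnode .innerhtml window.location -moz-binding` operator with `@contains -->`, a detection change buried in what is otherwise a pure reflow commit; it matches the kept comment above ("stricter sibling 941181 ... covers the additional payload "-->""), but whether the dropped keyword list is still covered by another rule is not visible in this hunk and should be stated in the commit message or split into its own commit. The unchanged `msg:'Node-Validator Deny List Keywords'` now describes a rule that looks for a single string, so rename it, e.g. `msg:'Node-Validator Deny List Keywords: HTML comment close (-->)'`. It is also worth confirming that `@contains` populates `%{TX.0}` under `capture` in the engine this copy targets; if it does not, the `logdata` will log an empty match and only `%{MATCHED_VAR}` remains useful for triage.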
@@ -915,71 +390,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx <(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W" \ - "id:941320,\ - phase:2,\ - block,\ - capture,\ - t:none,t:jsDecode,t:lowercase,\ - msg:'Possible XSS Attack Detected - HTML Tag Handler',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-xss',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242/63',\ - tag:'PCI/6.5.1',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" - -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i:[\"'][ ]*(?:[^a-z0-9~_:' 
]|in).*?(?:(?:l|\x5cu006C)(?:o|\x5cu006F)(?:c|\x5cu0063)(?:a|\x5cu0061)(?:t|\x5cu0074)(?:i|\x5cu0069)(?:o|\x5cu006F)(?:n|\x5cu006E)|(?:n|\x5cu006E)(?:a|\x5cu0061)(?:m|\x5cu006D)(?:e|\x5cu0065)|(?:o|\x5cu006F)(?:n|\x5cu006E)(?:e|\x5cu0065)(?:r|\x5cu0072)(?:r|\x5cu0072)(?:o|\x5cu006F)(?:r|\x5cu0072)|(?:v|\x5cu0076)(?:a|\x5cu0061)(?:l|\x5cu006C)(?:u|\x5cu0075)(?:e|\x5cu0065)(?:O|\x5cu004F)(?:f|\x5cu0066)).*?=)" \ - "id:941330,\ - phase:2,\ - block,\ - capture,\ - t:none,t:htmlEntityDecode,t:compressWhitespace,\ - msg:'IE XSS Filters - Attack Detected',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-xss',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242',\ - tag:'PCI/6.5.1',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx <(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W" "id:941320, phase:2, block, capture, t:none,t:jsDecode,t:lowercase, msg:'Possible XSS Attack Detected - HTML Tag Handler', logdata:'Matched Data: %{TX.0} found within 
%{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-xss', tag:'OWASP_CRS', tag:'capec/1000/152/242/63', tag:'PCI/6.5.1', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.xss_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i:[\"'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|\x5cu006C)(?:o|\x5cu006F)(?:c|\x5cu0063)(?:a|\x5cu0061)(?:t|\x5cu0074)(?:i|\x5cu0069)(?:o|\x5cu006F)(?:n|\x5cu006E)|(?:n|\x5cu006E)(?:a|\x5cu0061)(?:m|\x5cu006D)(?:e|\x5cu0065)|(?:o|\x5cu006F)(?:n|\x5cu006E)(?:e|\x5cu0065)(?:r|\x5cu0072)(?:r|\x5cu0072)(?:o|\x5cu006F)(?:r|\x5cu0072)|(?:v|\x5cu0076)(?:a|\x5cu0061)(?:l|\x5cu006C)(?:u|\x5cu0075)(?:e|\x5cu0065)(?:O|\x5cu004F)(?:f|\x5cu0066)).*?=)" "id:941330, phase:2, block, capture, t:none,t:htmlEntityDecode,t:compressWhitespace, msg:'IE XSS Filters - Attack Detected', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-xss', tag:'OWASP_CRS', tag:'capec/1000/152/242', tag:'PCI/6.5.1', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.xss_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[\"\'][ ]*(?:[^a-z0-9~_:\' ]|in).+?[.].+?=" \ - "id:941340,\ - phase:2,\ - block,\ - capture,\ - t:none,t:htmlEntityDecode,t:compressWhitespace,\ - msg:'IE XSS 
Filters - Attack Detected',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-xss',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242',\ - tag:'PCI/6.5.1',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[\"\'][ ]*(?:[^a-z0-9~_:\' ]|in).+?[.].+?=" "id:941340, phase:2, block, capture, t:none,t:htmlEntityDecode,t:compressWhitespace, msg:'IE XSS Filters - Attack Detected', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-xss', tag:'OWASP_CRS', tag:'capec/1000/152/242', tag:'PCI/6.5.1', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.xss_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # # Defend against AngularJS client side template injection 
@@ -994,24 +412,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 # Decoded argument:
 # {{constructor.constructor('alert(1)')()}}
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx {{.*?}}" \
- "id:941380,\
- phase:2,\
- block,\
- capture,\
- t:none,\
- msg:'AngularJS client side template injection detected',\
- logdata:'Matched Data: Suspicious payload found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'attack-xss',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/242/63',\
- tag:'paranoia-level/2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx {{.*?}}" "id:941380, phase:2, block, capture, t:none, msg:'AngularJS client side template injection detected', logdata:'Matched Data: Suspicious payload found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'attack-xss', tag:'OWASP_CRS', tag:'capec/1000/152/242/63', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.xss_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
diff --git a/appsec/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/appsec/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
index abc4d8bf..83e3ba59 100644
--- a/appsec/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
+++ b/appsec/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -43,27 +43,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942012,phase:2,pass,nolog,skipAf
 #
 # Ref: https://libinjection.client9.com/
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@detectSQLi" \
- "id:942100,\
- phase:2,\
- block,\
- capture,\
- t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,\
- msg:'SQL Injection Attack Detected via libinjection',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-sqli',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248/66',\
- tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- multiMatch,\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@detectSQLi" "id:942100, phase:2, block, capture, t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls, msg:'SQL Injection Attack Detected via libinjection', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', multiMatch, setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
 #
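Review bot: The flattened action list on the `+SecRule` line mixes two separator styles, `, ` between actions but a bare `,` inside the transformation chain `t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,`, and the same mix recurs in every flattened rule in this commit (941380 above, 942140 through 942360 below). The whitespace now lives inside the quoted action string, so the new form relies on the consuming engine's action parser skipping it; ModSecurity's parser tolerates that as far as I know, but if these vendored files are loaded by a different SecLang implementation that tolerance should be confirmed and stated once in a header comment. For readability I would pick one form throughout, either `"id:942100,phase:2,block,capture,t:none,t:utf8toUnicode,...` with no spaces or a space after every comma, so a dropped action is visible by eye.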
@@ -74,26 +54,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 # crs-toolchain regex update 942140
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:d(?:atabas|b_nam)e[^0-9A-Z_a-z]*\(|(?:information_schema|m(?:aster\.\.sysdatabases|s(?:db|ys(?:ac(?:cess(?:objects|storage|xml)|es)|modules2?|(?:object|querie|relationship)s))|ysql\.db)|northwind|pg_(?:catalog|toast)|tempdb)\b|s(?:chema(?:_name\b|[^0-9A-Z_a-z]*\()|(?:qlite_(?:temp_)?master|ys(?:aux|\.database_name))\b))" \
- "id:942140,\
- phase:2,\
- block,\
- capture,\
- t:none,t:urlDecodeUni,\
- msg:'SQL Injection Attack: Common DB Names Detected',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-sqli',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248/66',\
- tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:d(?:atabas|b_nam)e[^0-9A-Z_a-z]*\(|(?:information_schema|m(?:aster\.\.sysdatabases|s(?:db|ys(?:ac(?:cess(?:objects|storage|xml)|es)|modules2?|(?:object|querie|relationship)s))|ysql\.db)|northwind|pg_(?:catalog|toast)|tempdb)\b|s(?:chema(?:_name\b|[^0-9A-Z_a-z]*\()|(?:qlite_(?:temp_)?master|ys(?:aux|\.database_name))\b))" "id:942140, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'SQL Injection Attack: Common DB Names Detected', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli',
tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 #
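Review bot: The unchanged context comment `# crs-toolchain regex update 942140` directly above the rewritten rule now gives a maintenance instruction that undoes this commit: the toolchain emits the rule in upstream's `\`-continued multi-line layout, so running it as documented reintroduces the form this change removes. The same applies to the hunks for 942151, 942170, 942190, 942230, 942240, 942280, 942290, 942320 and 942350, each of which keeps an identical comment. Rather than touching every comment, I would add one header comment at the top of this vendored file naming the script (or command) that produced the single-line layout and stating that it must be re-run after any `crs-toolchain regex update`, so the regex refresh and the reflow stay one reproducible step.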
@@ -107,26 +68,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942151 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t_(?:format|lock))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|sleep)|o(?:(?:l
yg|siti)on|w)|rocedure_analyse)|qu(?:arter|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\(" \ - "id:942151,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,t:lowercase,\ - msg:'SQL Injection Attack: SQL function name detected',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
(?i)\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t_(?:format|lock))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|sleep)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_inde
x)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\(" "id:942151, phase:2, block, capture, t:none,t:urlDecodeUni,t:lowercase, msg:'SQL Injection Attack: SQL function name detected', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/1', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # 
@@ -151,247 +93,58 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # A positive side effect is that it prevents certain DoS attacks via the directives
 # described above.
 #
-SecRule REQUEST_BASENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:sleep\(\s*?\d*?\s*?\)|benchmark\(.*?\,.*?\))" \
- "id:942160,\
- phase:2,\
- block,\
- capture,\
- t:none,t:urlDecodeUni,\
- msg:'Detects blind sqli tests using sleep() or benchmark()',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-sqli',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248/66',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_BASENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:sleep\(\s*?\d*?\s*?\)|benchmark\(.*?\,.*?\))" "id:942160, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Detects blind sqli tests using sleep() or benchmark()', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # Regular expression generated from regex-assembly/942170.ra.
# To update the regular expression run the following shell script
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 # crs-toolchain regex update 942170
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:select|;)[\s\v]+(?:benchmark|if|sleep)[\s\v]*?\([\s\v]*?\(?[\s\v]*?[0-9A-Z_a-z]+" \
- "id:942170,\
- phase:2,\
- block,\
- capture,\
- t:none,t:urlDecodeUni,\
- msg:'Detects SQL benchmark and sleep injection attempts including conditional queries',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-sqli',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248/66',\
- tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:select|;)[\s\v]+(?:benchmark|if|sleep)[\s\v]*?\([\s\v]*?\(?[\s\v]*?[0-9A-Z_a-z]+" "id:942170, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Detects SQL benchmark and sleep injection attempts including conditional queries', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # Regular expression generated from regex-assembly/942190.ra.
# To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942190 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`](?:[\s\v]*![\s\v]*[\"'0-9A-Z_-z]|;?[\s\v]*(?:having|select|union\b[\s\v]*(?:all|(?:distin|sele)ct))\b[\s\v]*[^\s\v])|\b(?:(?:(?:c(?:onnection_id|urrent_user)|database|schema|user)[\s\v]*?|select.*?[0-9A-Z_a-z]?user)\(|exec(?:ute)?[\s\v]+master\.|from[^0-9A-Z_a-z]+information_schema[^0-9A-Z_a-z]|into[\s\v\+]+(?:dump|out)file[\s\v]*?[\"'`]|union(?:[\s\v]select[\s\v]@|[\s\v\(0-9A-Z_a-z]*?select))|[\s\v]*?exec(?:ute)?.*?[^0-9A-Z_a-z]xp_cmdshell|[^0-9A-Z_a-z]iif[\s\v]*?\(" \ - "id:942190,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,t:removeCommentsChar,\ - msg:'Detects MSSQL code execution and information gathering attempts',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`](?:[\s\v]*![\s\v]*[\"'0-9A-Z_-z]|;?[\s\v]*(?:having|select|union\b[\s\v]*(?:all|(?:distin|sele)ct))\b[\s\v]*[^\s\v])|\b(?:(?:(?:c(?:onnection_id|urrent_user)|database|schema|user)[\s\v]*?|select.*?[0-9A-Z_a-z]?user)\(|exec(?:ute)?[\s\v]+master\.|from[^0-9A-Z_a-z]+information_schema[^0-9A-Z_a-z]|into[\s\v\+]+(?:dump|out)file[\s\v]*?[\"'`]|union(?:[\s\v]select[\s\v]@|[\s\v\(0-9A-Z_a-z]*?select))|[\s\v]*?exec(?:ute)?.*?[^0-9A-Z_a-z]xp_cmdshell|[^0-9A-Z_a-z]iif[\s\v]*?\(" 
"id:942190, phase:2, block, capture, t:none,t:urlDecodeUni,t:removeCommentsChar, msg:'Detects MSSQL code execution and information gathering attempts', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Magic number crash in PHP strtod from 2011: # https://www.exploringbinary.com/php-hangs-on-numeric-value-2-2250738585072011e-308/ -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$" \ - "id:942220,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Looking for integer overflow attacks, these are taken from skipfish, except 2.2.2250738585072011e-308 is the \"magic number\" crash',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^(?i:-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|2.2250738585072007e-308|2.2250738585072011e-308|1e309)$" "id:942220, phase:2, block, capture, 
t:none,t:urlDecodeUni, msg:'Looking for integer overflow attacks, these are taken from skipfish, except 2.2.2250738585072011e-308 is the \"magic number\" crash', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942230.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942230 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\v\(-\)]case[\s\v]+when.*?then|\)[\s\v]*?like[\s\v]*?\(|select.*?having[\s\v]*?[^\s\v]+[\s\v]*?[^\s\v0-9A-Z_a-z]|if[\s\v]?\([0-9A-Z_a-z]+[\s\v]*?[<->~]" \ - "id:942230,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Detects conditional SQL injection attempts',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\v\(-\)]case[\s\v]+when.*?then|\)[\s\v]*?like[\s\v]*?\(|select.*?having[\s\v]*?[^\s\v]+[\s\v]*?[^\s\v0-9A-Z_a-z]|if[\s\v]?\([0-9A-Z_a-z]+[\s\v]*?[<->~]" "id:942230, phase:2, block, 
capture, t:none,t:urlDecodeUni, msg:'Detects conditional SQL injection attempts', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942240.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942240 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)alter[\s\v]*?[0-9A-Z_a-z]+.*?char(?:acter)?[\s\v]+set[\s\v]+[0-9A-Z_a-z]+|[\"'`](?:;*?[\s\v]*?waitfor[\s\v]+(?:time|delay)[\s\v]+[\"'`]|;.*?:[\s\v]*?goto)" \ - "id:942240,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Detects MySQL charset switch and MSSQL DoS attempts',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" - -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:merge.*?using\s*?\(|execute\s*?immediate\s*?[\"'`]|match\s*?[\w(),+-]+\s*?against\s*?\()" \ - "id:942250,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections',\ - 
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" - -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)union.*?select.*?from" \ - "id:942270,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Looking for basic sql injection. Common attack string for mysql, oracle and others',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)alter[\s\v]*?[0-9A-Z_a-z]+.*?char(?:acter)?[\s\v]+set[\s\v]+[0-9A-Z_a-z]+|[\"'`](?:;*?[\s\v]*?waitfor[\s\v]+(?:time|delay)[\s\v]+[\"'`]|;.*?:[\s\v]*?goto)" "id:942240, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Detects MySQL charset switch and MSSQL DoS attempts', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', 
setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:merge.*?using\s*?\(|execute\s*?immediate\s*?[\"'`]|match\s*?[\w(),+-]+\s*?against\s*?\()" "id:942250, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Detects MATCH AGAINST, MERGE and EXECUTE IMMEDIATE injections', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)union.*?select.*?from" "id:942270, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Looking for basic sql injection. Common attack string for mysql, oracle and others', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942280.ra. 
# To update the regular expression run the following shell script
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 # crs-toolchain regex update 942280
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)select[\s\v]*?pg_sleep|waitfor[\s\v]*?delay[\s\v]?[\"'`]+[\s\v]?[0-9]|;[\s\v]*?shutdown[\s\v]*?(?:[#;\{]|/\*|--)" \
- "id:942280,\
- phase:2,\
- block,\
- capture,\
- t:none,t:urlDecodeUni,\
- msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-sqli',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248/66',\
- tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)select[\s\v]*?pg_sleep|waitfor[\s\v]*?delay[\s\v]?[\"'`]+[\s\v]?[0-9]|;[\s\v]*?shutdown[\s\v]*?(?:[#;\{]|/\*|--)" "id:942280, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # Regular expression generated from regex-assembly/942290.ra.
# To update the regular expression run the following shell script
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 # crs-toolchain regex update 942290
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\[?\$(?:n(?:e|in?|o[rt])|e(?:q|xists|lemMatch)|l(?:te?|ike)|mod|a(?:ll|nd)|(?:s(?:iz|lic)|wher)e|t(?:ype|ext)|x?or|div|between|regex|jsonSchema)\]?" \
- "id:942290,\
- phase:2,\
- block,\
- capture,\
- t:none,t:urlDecodeUni,\
- msg:'Finds basic MongoDB SQL injection attempts',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-sqli',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248/66',\
- tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\[?\$(?:n(?:e|in?|o[rt])|e(?:q|xists|lemMatch)|l(?:te?|ike)|mod|a(?:ll|nd)|(?:s(?:iz|lic)|wher)e|t(?:ype|ext)|x?or|div|between|regex|jsonSchema)\]?" "id:942290, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Finds basic MongoDB SQL injection attempts', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # This rule has a stricter sibling (942321) that checks for MySQL and PostgreSQL procedures / functions in
 # request headers referer and user-agent.
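Review bot: Nothing in this hunk lets a reviewer confirm that the generated patterns survived the reflow intact; the 942190 rule here and 942151 in the earlier hunk are thousands of characters of assembled alternations, and a single character dropped while re-typing one of them silently narrows a detection while the rule still loads cleanly. I would produce these vendored files by script from the upstream `OWASP_CRS/4.0.0-rc1` sources instead of editing them by hand, and add a CI check that joins upstream's `\`-continued lines and compares the result with the vendored file ignoring whitespace, so that every such commit is provably layout-only. This also applies to the 942320/942350 hunk below and the 942360 hunk that runs past the end of this view. Separately, the 942220 line carries upstream's typo in its message, `2.2.2250738585072011e-308`, where the pattern it describes reads `2.2250738585072011e-308`; that is better fixed upstream than here, to keep this copy a pure reflow.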
@@ -401,52 +154,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942320 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)create[\s\v]+(?:function|procedure)[\s\v]*?[0-9A-Z_a-z]+[\s\v]*?\([\s\v]*?\)[\s\v]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][\s\v]*?[0-9A-Z_a-z]+|iv[\s\v]*?\([\+\-]*[\s\v\.0-9]+,[\+\-]*[\s\v\.0-9]+\))|exec[\s\v]*?\([\s\v]*?@|(?:lo_(?:impor|ge)t|procedure[\s\v]+analyse)[\s\v]*?\(|;[\s\v]*?(?:declare|open)[\s\v]+[\-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[\s\v]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)" \ - "id:942320,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Detects MySQL and PostgreSQL stored procedure/function injections',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)create[\s\v]+(?:function|procedure)[\s\v]*?[0-9A-Z_a-z]+[\s\v]*?\([\s\v]*?\)[\s\v]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][\s\v]*?[0-9A-Z_a-z]+|iv[\s\v]*?\([\+\-]*[\s\v\.0-9]+,[\+\-]*[\s\v\.0-9]+\))|exec[\s\v]*?\([\s\v]*?@|(?:lo_(?:impor|ge)t|procedure[\s\v]+analyse)[\s\v]*?\(|;[\s\v]*?(?:declare|open)[\s\v]+[\-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[\s\v]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)" "id:942320, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Detects MySQL and PostgreSQL stored procedure/function 
injections', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942350.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942350 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)create[\s\v]+function[\s\v].+[\s\v]returns|;[\s\v]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)\b[\s\v]*?[\(\[]?[0-9A-Z_a-z]{2,}" \ - "id:942350,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)create[\s\v]+function[\s\v].+[\s\v]returns|;[\s\v]*?(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)\b[\s\v]*?[\(\[]?[0-9A-Z_a-z]{2,}" "id:942350, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Detects MySQL UDF injection and other 
data/structure manipulation attempts', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # This rule has two stricter sibling: 942361 and 942362. # The keywords 'alter' and 'union' led to false positives. 
@@ -466,26 +181,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942360 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[\s\v]+(?:char|group_concat|load_file)\b[\s\v]*\(?|end[\s\v]*?\);)|[\s\v\(]load_file[\s\v]*?\(|[\"'`][\s\v]+regexp[^0-9A-Z_a-z]|[\"'0-9A-Z_-z][\s\v]+as\b[\s\v]*[\"'0-9A-Z_-z]+[\s\v]*\bfrom|^[^A-Z_a-z]+[\s\v]*?(?:(?:(?:(?:cre|trunc)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[\s\v]+[0-9A-Z_a-z]+|u(?:pdate[\s\v]+[0-9A-Z_a-z]+|nion[\s\v]*(?:all|(?:sele|distin)ct)\b)|alter[\s\v]*(?:a(?:(?:ggregat|pplication[\s\v]*rol)e|s(?:sembl|ymmetric[\s\v]*ke)y|u(?:dit|thorization)|vailability[\s\v]*group)|b(?:roker[\s\v]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[\s\v]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[\s\v]*group|in)))|m(?:a(?:s(?:k|ter[\s\v]*key)|terialized)|e(?:ssage[\s\v]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[\s\v]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[\s\v]*schema|srobject))\b)" \ - "id:942360,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Detects concatenated basic SQL injection and SQLLFI attempts',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - 
tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[\s\v]+(?:char|group_concat|load_file)\b[\s\v]*\(?|end[\s\v]*?\);)|[\s\v\(]load_file[\s\v]*?\(|[\"'`][\s\v]+regexp[^0-9A-Z_a-z]|[\"'0-9A-Z_-z][\s\v]+as\b[\s\v]*[\"'0-9A-Z_-z]+[\s\v]*\bfrom|^[^A-Z_a-z]+[\s\v]*?(?:(?:(?:(?:cre|trunc)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[\s\v]+[0-9A-Z_a-z]+|u(?:pdate[\s\v]+[0-9A-Z_a-z]+|nion[\s\v]*(?:all|(?:sele|distin)ct)\b)|alter[\s\v]*(?:a(?:(?:ggregat|pplication[\s\v]*rol)e|s(?:sembl|ymmetric[\s\v]*ke)y|u(?:dit|thorization)|vailability[\s\v]*group)|b(?:roker[\s\v]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[\s\v]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[\s\v]*group|in)))|m(?:a(?:s(?:k|ter[\s\v]*key)|terialized)|e(?:ssage[\s\v]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[\s\v]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[\s\v]*schema|srobject))\b)" "id:942360, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Detects concatenated basic SQL injection and SQLLFI attempts', 
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # -=[ Detect MySQL in-line comments ]=- 
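Review bot: The flattened 942360 line keeps the generated regex byte-for-byte but now separates actions with `, ` inside one quoted action list instead of `,\` plus a newline, so it only loads correctly if the target rule parser skips whitespace between actions; mod_security2, libmodsecurity and Coraza do as far as I know, but the hunk does not say which engine this copy of CRS is loaded by, so please state that and run the CRS regression tests for the 942 group against the flattened file before merging. The context comment above the rule still instructs maintainers to refresh the pattern with `crs-toolchain regex update 942360`; if the toolchain rewrites the rule in upstream's multi-line layout, the next regex update will silently undo this reformatting. A note above the rule such as `# NOTE: rules in this copy are kept on one line; re-flatten after running crs-toolchain` would save the next maintainer that surprise.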
@@ -502,26 +198,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # The minimal string that triggers this regexp is: /*!*/ or /*+*/.
 # The rule 942500 is related to 942440 which catches both /*! and */ independently.
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:/\*[!+](?:[\w\s=_\-()]+)?\*/)" \
- "id:942500,\
- phase:2,\
- block,\
- capture,\
- t:none,t:urlDecodeUni,\
- msg:'MySQL in-line comment detected',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-sqli',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248/66',\
- tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:/\*[!+](?:[\w\s=_\-()]+)?\*/)" "id:942500, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'MySQL in-line comment detected', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # This rule catches an authentication bypass via SQL injection that abuses semi-colons to end the SQL query early.
@@ -538,26 +215,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 # crs-toolchain regex update 942540
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^(?:[^']*'|[^\"]*\"|[^`]*`)[\s\v]*;" \
- "id:942540,\
- phase:2,\
- block,\
- capture,\
- t:none,t:urlDecodeUni,t:replaceComments,\
- msg:'SQL Authentication bypass (split query)',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-sqli',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248/66',\
- tag:'PCI/6.5.2',\
- tag:'paranoia-level/1',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^(?:[^']*'|[^\"]*\"|[^`]*`)[\s\v]*;" "id:942540, phase:2, block, capture, t:none,t:urlDecodeUni,t:replaceComments, msg:'SQL Authentication bypass (split query)', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/1', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # This rule tries to match JSON SQL syntax that could be used as a bypass technique.
@@ -568,25 +226,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942550 # -SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\"'`][\[\{].*[\]\}][\"'`].*(::.*jsonb?)?.*(?:(?:@|->?)>|<@|\?[&\|]?|#>>?|[<>]|<-)|(?:(?:@|->?)>|<@|\?[&\|]?|#>>?|[<>]|<-)[\"'`][\[\{].*[\]\}][\"'`]|json_extract.*\(.*\)" \ - "id:942550,\ - phase:2,\ - block,\ - t:none,t:urlDecodeUni,t:lowercase,t:removeWhitespace,\ - msg:'JSON-Based SQL Injection',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\"'`][\[\{].*[\]\}][\"'`].*(::.*jsonb?)?.*(?:(?:@|->?)>|<@|\?[&\|]?|#>>?|[<>]|<-)|(?:(?:@|->?)>|<@|\?[&\|]?|#>>?|[<>]|<-)[\"'`][\[\{].*[\]\}][\"'`]|json_extract.*\(.*\)" "id:942550, phase:2, block, t:none,t:urlDecodeUni,t:lowercase,t:removeWhitespace, msg:'JSON-Based SQL Injection', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/1', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" 
"id:942013,phase:1,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI" @@ -605,26 +245,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,skipAf # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # -SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:^\s*[\"'`;]+|[\"'`]+\s*$)" \ - "id:942110,\ - phase:2,\ - block,\ - capture,\ - t:none,t:utf8toUnicode,t:urlDecodeUni,\ - msg:'SQL Injection Attack: Common Injection Testing Detected',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'WARNING',\ - setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'" +SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:^\s*[\"'`;]+|[\"'`]+\s*$)" "id:942110, phase:2, block, capture, t:none,t:utf8toUnicode,t:urlDecodeUni, msg:'SQL Injection Attack: Common Injection Testing Detected', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'WARNING', setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'" # 
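Review bot: Rule 942550 on the new side still has no `capture` action while its `logdata` interpolates `%{TX.0}`; every other flattened rule in this file pairs `capture` with that same `logdata` string, and without it TX.0 is either empty or left over from whichever earlier rule last captured in the transaction, so the "Matched Data" recorded for a JSON-based SQLi hit will be wrong or missing and mislead triage. Adding `capture,` after `block,` so the action list reads `"id:942550, phase:2, block, capture, t:none,t:urlDecodeUni,t:lowercase,t:removeWhitespace, ...` brings it in line with its siblings. The omission is already present in the removed lines, but since the commit rewrites the whole line this is the natural place to fix it rather than carry it forward.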
@@ -638,26 +259,7 @@ SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:^\s*[\"'`;]+|[\"'`]+\s*$ # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942120 # -SecRule ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)!=|&&|\|\||>[=->]|<(?:<|=>?|>(?:[\s\v]+binary)?)|\b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)\b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)\b|[0-9A-Z_a-z]*?_))|(?:likel(?:ihood|y)|unlikely)[\s\v]*\()|r(?:egexp|like)[\s\v]+binary|not[\s\v]+between[\s\v]+(?:0[\s\v]+and|(?:'[^']*'|\"[^\"]*\")[\s\v]+and[\s\v]+(?:'[^']*'|\"[^\"]*\"))|is[\s\v]+null|like[\s\v]+(?:null|[0-9A-Z_a-z]+[\s\v]+escape\b)|(?:^|[^0-9A-Z_a-z])in[\s\v\+]*\([\s\v\"0-9]+[^\(-\)]*\)|[!<->]{1,2}[\s\v]*all\b" \ - "id:942120,\ - phase:2,\ - block,\ - capture,\ - t:none,t:utf8toUnicode,t:urlDecodeUni,\ - msg:'SQL Injection Attack: SQL Operator Detected',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)!=|&&|\|\||>[=->]|<(?:<|=>?|>(?:[\s\v]+binary)?)|\b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)\b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)\b|[0-9A-Z_a-z]*?_))|(?:likel(?:ihood|y)|unlikely)[\s\v]*\()|r(?:egexp|like)[\s\v]+binary|not[\s\v]+between[\s\v]+(?:0[\s\v]+and|(?:'[^']*'|\"[^\"]*\")[\s\v]+and[\s\v]+(?:'[^']*'|\"[^\"]*\"))|is[\s\v]+null|like[\s\v]+(?:null|[0-9A-Z_a-z]+[\s\v]+escape\b)|(?:^|[^0-9A-Z_a-z])in[\s\v\+]*\([\s\v\"0-9]+[^\(-\)]*\)|[!<->]{1,2}[\s\v]*all\b" 
"id:942120, phase:2, block, capture, t:none,t:utf8toUnicode,t:urlDecodeUni, msg:'SQL Injection Attack: SQL Operator Detected', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # 
@@ -679,31 +281,8 @@ SecRule ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)!=|&&|\|\||>[=->]|<(?:< # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942130 # -SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\v\"'-\)`]*?(?:=|<=>|(?:sounds[\s\v]+)?like|glob|r(?:like|egexp))[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b" \ - "id:942130,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,t:replaceComments,\ - msg:'SQL Injection Attack: SQL Boolean-based attack detected',\ - logdata:'Matched Data: %{TX.0} found within %{TX.942130_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.942130_lhs=%{TX.1}',\ - setvar:'tx.942130_matched_var_name=%{matched_var_name}',\ - chain" - SecRule TX:942130_lhs "@streq %{TX.2}" \ - "t:none,\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\v\"'-\)`]*?(?:=|<=>|(?:sounds[\s\v]+)?like|glob|r(?:like|egexp))[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b" "id:942130, phase:2, block, capture, t:none,t:urlDecodeUni,t:replaceComments, msg:'SQL Injection Attack: SQL Boolean-based attack detected', logdata:'Matched Data: %{TX.0} found within %{TX.942130_MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.942130_lhs=%{TX.1}', setvar:'tx.942130_matched_var_name=%{matched_var_name}', chain" + SecRule TX:942130_lhs "@streq %{TX.2}" "t:none, 
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # Rule Targeting logical inequalities that return TRUE (e.g. 1 != 2) # 
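Review bot: The single-line form drops the indentation that made the 942130 pair readable as one chained rule, and nothing above it explains the two-step logic, so a reader now has to work out from `@streq %{TX.2}` that the first rule only captures the two operands around `=`/`like`/`rlike` into TX.1 and TX.2 and the chained rule adds the anomaly score solely when both operands are the same token (the `1=1` tautology shape). A comment above the `SecRule ARGS_NAMES|ARGS|XML:/*` line such as `# Chained: rule 1 captures LHS/RHS of a comparison into TX.1/TX.2; rule 2 scores only when LHS equals RHS (tautology)` would preserve what the layout used to convey. The copy of `%{matched_var_name}` into `tx.942130_matched_var_name` for use in `logdata` is presumably there because the chained rule cannot see the first rule's match target; if so, the same comment should say it.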
@@ -716,32 +295,8 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\v\ # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942131 # -SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\v\"'-\)`]*?(?:![<->]|<[=->]?|>=?|\^|is[\s\v]+not|not[\s\v]+(?:like|r(?:like|egexp)))[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b" \ - "id:942131,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,t:replaceComments,\ - msg:'SQL Injection Attack: SQL Boolean-based attack detected',\ - logdata:'Matched Data: %{TX.0} found within %{TX.942131_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - multiMatch,\ - setvar:'tx.942131_lhs=%{TX.1}',\ - setvar:'tx.942131_matched_var_name=%{matched_var_name}',\ - chain" - SecRule TX:942131_lhs "!@streq %{TX.2}" \ - "t:none,\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\v\"'-\)`]*?(?:![<->]|<[=->]?|>=?|\^|is[\s\v]+not|not[\s\v]+(?:like|r(?:like|egexp)))[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b" "id:942131, phase:2, block, capture, t:none,t:urlDecodeUni,t:replaceComments, msg:'SQL Injection Attack: SQL Boolean-based attack detected', logdata:'Matched Data: %{TX.0} found within %{TX.942131_MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', multiMatch, setvar:'tx.942131_lhs=%{TX.1}', setvar:'tx.942131_matched_var_name=%{matched_var_name}', 
chain" + SecRule TX:942131_lhs "!@streq %{TX.2}" "t:none, setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # # -=[ SQL Function Names ]=- 
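Review bot: 942131 keeps `multiMatch` on the first rule of its chain while the sibling 942130 in the previous hunk does not, and the flattened line carries no comment explaining why; as far as I understand `multiMatch`, the `@rx` is re-run after each of `t:urlDecodeUni` and `t:replaceComments`, so TX.1/TX.2 reflect the last transformation that matched and the chained `!@streq %{TX.2}` compares those captures. If the asymmetry is inherited from upstream it needs a comment rather than a change, e.g. `# multiMatch: re-run the regex after each transformation so comment-obfuscated operands (a/**/!=/**/b) are still compared` — hedged, since the reason is not visible in this hunk. It would also help to state next to the chained rule that the score is added only when the two operands differ, i.e. an inequality that evaluates true, which the `# Rule Targeting logical inequalities that return TRUE (e.g. 1 != 2)` comment preceding this hunk describes.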
@@ -754,26 +309,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\v\ # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942150 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:json(?:_[0-9A-Z_a-z]+)?|a(?:bs|(?:cos|sin)h?|tan[2h]?|vg)|c(?:eil(?:ing)?|h(?:a(?:nges|r(?:set)?)|r)|o(?:alesce|sh?|unt)|ast)|d(?:e(?:grees|fault)|a(?:te|y))|exp|f(?:loor(?:avg)?|ormat|ield)|g(?:lob|roup_concat)|h(?:ex|our)|i(?:f(?:null)?|if|n(?:str)?)|l(?:ast(?:_insert_rowid)?|ength|ike(?:l(?:ihood|y))?|n|o(?:ad_extension|g(?:10|2)?|wer(?:pi)?|cal)|trim)|m(?:ax|in(?:ute)?|o(?:d|nth))|n(?:ullif|ow)|p(?:i|ow(?:er)?|rintf|assword)|quote|r(?:a(?:dians|ndom(?:blob)?)|e(?:p(?:lace|eat)|verse)|ound|trim|ight)|s(?:i(?:gn|nh?)|oundex|q(?:lite_(?:compileoption_(?:get|used)|offset|source_id|version)|rt)|u(?:bstr(?:ing)?|m)|econd|leep)|t(?:anh?|otal(?:_changes)?|r(?:im|unc)|ypeof|ime)|u(?:n(?:icode|likely)|(?:pp|s)er)|zeroblob|bin|v(?:alues|ersion)|week|year)[^0-9A-Z_a-z]*\(" \ - "id:942150,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,t:lowercase,\ - msg:'SQL Injection Attack: SQL function name detected',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
(?i)\b(?:json(?:_[0-9A-Z_a-z]+)?|a(?:bs|(?:cos|sin)h?|tan[2h]?|vg)|c(?:eil(?:ing)?|h(?:a(?:nges|r(?:set)?)|r)|o(?:alesce|sh?|unt)|ast)|d(?:e(?:grees|fault)|a(?:te|y))|exp|f(?:loor(?:avg)?|ormat|ield)|g(?:lob|roup_concat)|h(?:ex|our)|i(?:f(?:null)?|if|n(?:str)?)|l(?:ast(?:_insert_rowid)?|ength|ike(?:l(?:ihood|y))?|n|o(?:ad_extension|g(?:10|2)?|wer(?:pi)?|cal)|trim)|m(?:ax|in(?:ute)?|o(?:d|nth))|n(?:ullif|ow)|p(?:i|ow(?:er)?|rintf|assword)|quote|r(?:a(?:dians|ndom(?:blob)?)|e(?:p(?:lace|eat)|verse)|ound|trim|ight)|s(?:i(?:gn|nh?)|oundex|q(?:lite_(?:compileoption_(?:get|used)|offset|source_id|version)|rt)|u(?:bstr(?:ing)?|m)|econd|leep)|t(?:anh?|otal(?:_changes)?|r(?:im|unc)|ypeof|ime)|u(?:n(?:icode|likely)|(?:pp|s)er)|zeroblob|bin|v(?:alues|ersion)|week|year)[^0-9A-Z_a-z]*\(" "id:942150, phase:2, block, capture, t:none,t:urlDecodeUni,t:lowercase, msg:'SQL Injection Attack: SQL function name detected', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # # -=[ SQL Authentication Bypasses ]=- 
@@ -797,26 +333,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942180 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:/\*)+[\"'`]+[\s\v]?(?:--|[#\{]|/\*)?|[\"'`](?:[\s\v]*(?:(?:x?or|and|div|like|between)[\s\v\-0-9A-Z_a-z]+[\(-\)\+-\-<->][\s\v]*[\"'0-9`]|[!=\|](?:[\s\v -!\+\-0-9=]+.*?[\"'-\(`].*?|[\s\v -!0-9=]+.*?[0-9]+)$|(?:like|print)[^0-9A-Z_a-z]+[\"'-\(0-9A-Z_-z]|;)|(?:[<>~]+|[\s\v]*[^\s\v0-9A-Z_a-z]?=[\s\v]*|[^0-9A-Z_a-z]*?[\+=]+[^0-9A-Z_a-z]*?)[\"'`])|[0-9][\"'`][\s\v]+[\"'`][\s\v]+[0-9]|^admin[\s\v]*?[\"'`]|[\s\v\"'-\(`][\s\v]*?glob[^0-9A-Z_a-z]+[\"'-\(0-9A-Z_-z]|[\s\v]is[\s\v]*?0[^0-9A-Z_a-z]|where[\s\v][\s\v,-\.0-9A-Z_a-z]+[\s\v]=" \ - "id:942180,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Detects basic SQL authentication bypass attempts 1/3',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:/\*)+[\"'`]+[\s\v]?(?:--|[#\{]|/\*)?|[\"'`](?:[\s\v]*(?:(?:x?or|and|div|like|between)[\s\v\-0-9A-Z_a-z]+[\(-\)\+-\-<->][\s\v]*[\"'0-9`]|[!=\|](?:[\s\v -!\+\-0-9=]+.*?[\"'-\(`].*?|[\s\v 
-!0-9=]+.*?[0-9]+)$|(?:like|print)[^0-9A-Z_a-z]+[\"'-\(0-9A-Z_-z]|;)|(?:[<>~]+|[\s\v]*[^\s\v0-9A-Z_a-z]?=[\s\v]*|[^0-9A-Z_a-z]*?[\+=]+[^0-9A-Z_a-z]*?)[\"'`])|[0-9][\"'`][\s\v]+[\"'`][\s\v]+[0-9]|^admin[\s\v]*?[\"'`]|[\s\v\"'-\(`][\s\v]*?glob[^0-9A-Z_a-z]+[\"'-\(0-9A-Z_-z]|[\s\v]is[\s\v]*?0[^0-9A-Z_a-z]|where[\s\v][\s\v,-\.0-9A-Z_a-z]+[\s\v]=" "id:942180, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Detects basic SQL authentication bypass attempts 1/3', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] 
@@ -826,26 +343,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942200 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i),.*?[\"'\)0-9`-f][\"'`](?:[\"'`].*?[\"'`]|(?:\r?\n)?\z|[^\"'`]+)|[^0-9A-Z_a-z]select.+[^0-9A-Z_a-z]*?from|(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[\s\v]*?\([\s\v]*?space[\s\v]*?\(" \ - "id:942200,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i),.*?[\"'\)0-9`-f][\"'`](?:[\"'`].*?[\"'`]|(?:\r?\n)?\z|[^\"'`]+)|[^0-9A-Z_a-z]select.+[^0-9A-Z_a-z]*?from|(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[\s\v]*?\([\s\v]*?space[\s\v]*?\(" "id:942200, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Detects MySQL comment-/space-obfuscated injections and backtick termination', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', 
tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # This rule is also triggered by the following exploit(s): # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] 
@@ -855,104 +353,28 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942210 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:&&|\|\||and|between|div|like|n(?:and|ot)|(?:xx?)?or)[\s\v\(]+[0-9A-Z_a-z]+[\s\v\)]*?[!\+=]+[\s\v0-9]*?[\"'-\)=`]|[0-9](?:[\s\v]*?(?:and|between|div|like|x?or)[\s\v]*?[0-9]+[\s\v]*?[\+\-]|[\s\v]+group[\s\v]+by.+\()|/[0-9A-Z_a-z]+;?[\s\v]+(?:and|between|div|having|like|x?or|select)[^0-9A-Z_a-z]|(?:[#;]|--)[\s\v]*?(?:alter|drop|(?:insert|update)[\s\v]*?[0-9A-Z_a-z]{2,})|@.+=[\s\v]*?\([\s\v]*?select|[^0-9A-Z_a-z]SET[\s\v]*?@[0-9A-Z_a-z]+" \ - "id:942210,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Detects chained SQL injection attempts 1/2',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:&&|\|\||and|between|div|like|n(?:and|ot)|(?:xx?)?or)[\s\v\(]+[0-9A-Z_a-z]+[\s\v\)]*?[!\+=]+[\s\v0-9]*?[\"'-\)=`]|[0-9](?:[\s\v]*?(?:and|between|div|like|x?or)[\s\v]*?[0-9]+[\s\v]*?[\+\-]|[\s\v]+group[\s\v]+by.+\()|/[0-9A-Z_a-z]+;?[\s\v]+(?:and|between|div|having|like|x?or|select)[^0-9A-Z_a-z]|(?:[#;]|--)[\s\v]*?(?:alter|drop|(?:insert|update)[\s\v]*?[0-9A-Z_a-z]{2,})|@.+=[\s\v]*?\([\s\v]*?select|[^0-9A-Z_a-z]SET[\s\v]*?@[0-9A-Z_a-z]+" "id:942210, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Detects 
chained SQL injection attempts 1/2', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942260.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942260 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`][\s\v]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|\|\||&&)[\s\v]+[\s\v0-9A-Z_a-z]+=[\s\v]*?[0-9A-Z_a-z]+[\s\v]*?having[\s\v]+|like[^0-9A-Z_a-z]*?[\"'0-9`])|[0-9A-Z_a-z][\s\v]+like[\s\v]+[\"'`]|like[\s\v]*?[\"'`]%|select[\s\v]+?[\s\v\"'-\),-\.0-9A-\[\]_-z]+from[\s\v]+" \ - "id:942260,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Detects basic SQL authentication bypass attempts 2/3',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
(?i)[\"'`][\s\v]*?(?:(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|\|\||&&)[\s\v]+[\s\v0-9A-Z_a-z]+=[\s\v]*?[0-9A-Z_a-z]+[\s\v]*?having[\s\v]+|like[^0-9A-Z_a-z]*?[\"'0-9`])|[0-9A-Z_a-z][\s\v]+like[\s\v]+[\"'`]|like[\s\v]*?[\"'`]%|select[\s\v]+?[\s\v\"'-\),-\.0-9A-\[\]_-z]+from[\s\v]+" "id:942260, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Detects basic SQL authentication bypass attempts 2/3', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942300.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942300 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\)[\s\v]*?when[\s\v]*?[0-9]+[\s\v]*?then|[\"'`][\s\v]*?(?:[#\{]|--)|/\*![\s\v]?[0-9]+|\b(?:b(?:inary[\s\v]*?\([\s\v]*?[0-9]|etween[\s\v]+[\s\v]*?[0-9A-Z_a-z]+\()|cha?r[\s\v]*?\([\s\v]*?[0-9]|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|r(?:egexp|like))[\s\v]+[\s\v]*?[0-9A-Z_a-z]+\()|(?:\|\||&&)[\s\v]+[\s\v]*?[0-9A-Z_a-z]+\(" \ - "id:942300,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Detects MySQL comments, conditions and ch(a)r injections',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ 
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\)[\s\v]*?when[\s\v]*?[0-9]+[\s\v]*?then|[\"'`][\s\v]*?(?:[#\{]|--)|/\*![\s\v]?[0-9]+|\b(?:b(?:inary[\s\v]*?\([\s\v]*?[0-9]|etween[\s\v]+[\s\v]*?[0-9A-Z_a-z]+\()|cha?r[\s\v]*?\([\s\v]*?[0-9]|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|r(?:egexp|like))[\s\v]+[\s\v]*?[0-9A-Z_a-z]+\()|(?:\|\||&&)[\s\v]+[\s\v]*?[0-9A-Z_a-z]+\(" "id:942300, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Detects MySQL comments, conditions and ch(a)r injections', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942310.ra. 
# To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942310 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:\([\s\v]*?select[\s\v]*?[0-9A-Z_a-z]+|coalesce|order[\s\v]+by[\s\v]+if[0-9A-Z_a-z]*?)[\s\v]*?\(|\*/from|\+[\s\v]*?[0-9]+[\s\v]*?\+[\s\v]*?@|[0-9A-Z_a-z][\"'`][\s\v]*?(?:(?:[\+\-=@\|]+[\s\v]+?)+|[\+\-=@\|]+)[\(0-9]|@@[0-9A-Z_a-z]+[\s\v]*?[^\s\v0-9A-Z_a-z]|[^0-9A-Z_a-z]!+[\"'`][0-9A-Z_a-z]|[\"'`](?:;[\s\v]*?(?:if|while|begin)|[\s\v0-9]+=[\s\v]*?[0-9])|[\s\v\(]+case[0-9]*?[^0-9A-Z_a-z].+[tw]hen[\s\v\(]" \ - "id:942310,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Detects chained SQL injection attempts 2/2',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:\([\s\v]*?select[\s\v]*?[0-9A-Z_a-z]+|coalesce|order[\s\v]+by[\s\v]+if[0-9A-Z_a-z]*?)[\s\v]*?\(|\*/from|\+[\s\v]*?[0-9]+[\s\v]*?\+[\s\v]*?@|[0-9A-Z_a-z][\"'`][\s\v]*?(?:(?:[\+\-=@\|]+[\s\v]+?)+|[\+\-=@\|]+)[\(0-9]|@@[0-9A-Z_a-z]+[\s\v]*?[^\s\v0-9A-Z_a-z]|[^0-9A-Z_a-z]!+[\"'`][0-9A-Z_a-z]|[\"'`](?:;[\s\v]*?(?:if|while|begin)|[\s\v0-9]+=[\s\v]*?[0-9])|[\s\v\(]+case[0-9]*?[^0-9A-Z_a-z].+[tw]hen[\s\v\(]" "id:942310, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Detects chained SQL injection attempts 2/2', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # # -=[ SQL Injection Probings ]=- 
@@ -967,26 +389,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942330 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`][\s\v]*?\b(?:x?or|div|like|between|and)\b[\s\v]*?[\"'`]?[0-9]|\x5cx(?:2[37]|3d)|^(?:.?[\"'`]$|[\"'\x5c`]*?(?:[\"'0-9`]+|[^\"'`]+[\"'`])[\s\v]*?\b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|\|\||&&)\b[\s\v]*?[\"'0-9A-Z_-z][!&\(-\)\+-\.@])|[^\s\v0-9A-Z_a-z][0-9A-Z_a-z]+[\s\v]*?[\-\|][\s\v]*?[\"'`][\s\v]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[\s\v]+(?:and|x?or|div|like|between)\b[\s\v]*?[\"'0-9`]+|[\-0-9A-Z_a-z]+[\s\v](?:and|x?or|div|like|between)\b[\s\v]*?[^\s\v0-9A-Z_a-z])|[^\s\v0-:A-Z_a-z][\s\v]*?[0-9][^0-9A-Z_a-z]+[^\s\v0-9A-Z_a-z][\s\v]*?[\"'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]" \ - "id:942330,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Detects classic SQL injection probings 1/3',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
(?i)[\"'`][\s\v]*?\b(?:x?or|div|like|between|and)\b[\s\v]*?[\"'`]?[0-9]|\x5cx(?:2[37]|3d)|^(?:.?[\"'`]$|[\"'\x5c`]*?(?:[\"'0-9`]+|[^\"'`]+[\"'`])[\s\v]*?\b(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|\|\||&&)\b[\s\v]*?[\"'0-9A-Z_-z][!&\(-\)\+-\.@])|[^\s\v0-9A-Z_a-z][0-9A-Z_a-z]+[\s\v]*?[\-\|][\s\v]*?[\"'`][\s\v]*?[0-9A-Z_a-z]|@(?:[0-9A-Z_a-z]+[\s\v]+(?:and|x?or|div|like|between)\b[\s\v]*?[\"'0-9`]+|[\-0-9A-Z_a-z]+[\s\v](?:and|x?or|div|like|between)\b[\s\v]*?[^\s\v0-9A-Z_a-z])|[^\s\v0-:A-Z_a-z][\s\v]*?[0-9][^0-9A-Z_a-z]+[^\s\v0-9A-Z_a-z][\s\v]*?[\"'`].|[^0-9A-Z_a-z]information_schema|table_name[^0-9A-Z_a-z]" "id:942330, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Detects classic SQL injection probings 1/3', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942340.ra. # To update the regular expression run the following shell script 
@@ -996,51 +399,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # Note that part of 942340.data is already optimized, to avoid a # Regexp::Assemble behaviour, where the regex is not optimized very nicely. # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)in[\s\v]*?\(+[\s\v]*?select|(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[\s\v]+|(?:\|\||&&)[\s\v]*)[\s\v\+0-9A-Z_a-z]+(?:regexp[\s\v]*?\(|sounds[\s\v]+like[\s\v]*?[\"'`]|[0-9=]+x)|[\"'`](?:[\s\v]*?(?:[0-9][\s\v]*?(?:--|#)|is[\s\v]*?(?:[0-9].+[\"'`]?[0-9A-Z_a-z]|[\.0-9]+[\s\v]*?[^0-9A-Z_a-z].*?[\"'`]))|[%-&<->\^]+[0-9][\s\v]*?(?:=|x?or|div|like|between|and)|(?:[^0-9A-Z_a-z]+[\+\-0-9A-Z_a-z]+[\s\v]*?=[\s\v]*?[0-9][^0-9A-Z_a-z]+|\|?[\-0-9A-Z_a-z]{3,}[^\s\v,\.0-9A-Z_a-z]+)[\"'`]|[\s\v]*(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[\s\v]+|(?:\|\||&&)[\s\v]*)(?:array[\s\v]*\[|[0-9A-Z_a-z]+(?:[\s\v]*!?~|[\s\v]+(?:not[\s\v]+)?similar[\s\v]+to[\s\v]+)|(?:tru|fals)e\b))|\bexcept[\s\v]+(?:select\b|values[\s\v]*?\()" \ - "id:942340,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Detects basic SQL authentication bypass attempts 3/3',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
(?i)in[\s\v]*?\(+[\s\v]*?select|(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[\s\v]+|(?:\|\||&&)[\s\v]*)[\s\v\+0-9A-Z_a-z]+(?:regexp[\s\v]*?\(|sounds[\s\v]+like[\s\v]*?[\"'`]|[0-9=]+x)|[\"'`](?:[\s\v]*?(?:[0-9][\s\v]*?(?:--|#)|is[\s\v]*?(?:[0-9].+[\"'`]?[0-9A-Z_a-z]|[\.0-9]+[\s\v]*?[^0-9A-Z_a-z].*?[\"'`]))|[%-&<->\^]+[0-9][\s\v]*?(?:=|x?or|div|like|between|and)|(?:[^0-9A-Z_a-z]+[\+\-0-9A-Z_a-z]+[\s\v]*?=[\s\v]*?[0-9][^0-9A-Z_a-z]+|\|?[\-0-9A-Z_a-z]{3,}[^\s\v,\.0-9A-Z_a-z]+)[\"'`]|[\s\v]*(?:(?:(?i:N)?AND|(?i:X)?(?i:X)?OR|DIV|LIKE|BETWEEN|NOT)[\s\v]+|(?:\|\||&&)[\s\v]*)(?:array[\s\v]*\[|[0-9A-Z_a-z]+(?:[\s\v]*!?~|[\s\v]+(?:not[\s\v]+)?similar[\s\v]+to[\s\v]+)|(?:tru|fals)e\b))|\bexcept[\s\v]+(?:select\b|values[\s\v]*?\()" "id:942340, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Detects basic SQL authentication bypass attempts 3/3', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # This rule is a stricter sibling of 942360. # The keywords 'alter' and 'union' led to false positives. # Therefore they have been moved to PL2 and the keywords have been extended on PL1. 
#
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:^[\W\d]+\s*?(?:alter|union)\b)" \
- "id:942361,\
- phase:2,\
- block,\
- capture,\
- t:none,t:urlDecodeUni,\
- msg:'Detects basic SQL injection based on keyword alter or union',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-sqli',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248/66',\
- tag:'PCI/6.5.2',\
- tag:'paranoia-level/2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:^[\W\d]+\s*?(?:alter|union)\b)" "id:942361, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Detects basic SQL injection based on keyword alter or union', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 # This rule is a stricter sibling of 942360.
 # The loose word boundaries and light context led to false positives.
@@ -1051,26 +416,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942362 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[\s\v]+(?:char|group_concat|load_file)[\s\v]?\(?|end[\s\v]*?\);|[\s\v\(]load_file[\s\v]*?\(|[\"'`][\s\v]+regexp[^0-9A-Z_a-z]|[^A-Z_a-z][\s\v]+as\b[\s\v]*[\"'0-9A-Z_-z]+[\s\v]*\bfrom|^[^A-Z_a-z]+[\s\v]*?(?:create[\s\v]+[0-9A-Z_a-z]+|(?:d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load|(?:renam|truncat)e|u(?:pdate|nion[\s\v]*(?:all|(?:sele|distin)ct))|alter[\s\v]*(?:a(?:(?:ggregat|pplication[\s\v]*rol)e|s(?:sembl|ymmetric[\s\v]*ke)y|u(?:dit|thorization)|vailability[\s\v]*group)|b(?:roker[\s\v]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[\s\v]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[\s\v]*group|in)))|m(?:a(?:s(?:k|ter[\s\v]*key)|terialized)|e(?:ssage[\s\v]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[\s\v]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[\s\v]*schema|srobject)))\b)" \ - "id:942362,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Detects concatenated basic SQL injection and SQLLFI attempts',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - 
tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'paranoia-level/2',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[\s\v]+(?:char|group_concat|load_file)[\s\v]?\(?|end[\s\v]*?\);|[\s\v\(]load_file[\s\v]*?\(|[\"'`][\s\v]+regexp[^0-9A-Z_a-z]|[^A-Z_a-z][\s\v]+as\b[\s\v]*[\"'0-9A-Z_-z]+[\s\v]*\bfrom|^[^A-Z_a-z]+[\s\v]*?(?:create[\s\v]+[0-9A-Z_a-z]+|(?:d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load|(?:renam|truncat)e|u(?:pdate|nion[\s\v]*(?:all|(?:sele|distin)ct))|alter[\s\v]*(?:a(?:(?:ggregat|pplication[\s\v]*rol)e|s(?:sembl|ymmetric[\s\v]*ke)y|u(?:dit|thorization)|vailability[\s\v]*group)|b(?:roker[\s\v]*priority|ufferpool)|c(?:ertificate|luster|o(?:l(?:latio|um)|nversio)n|r(?:edential|yptographic[\s\v]*provider))|d(?:atabase|efault|i(?:mension|skgroup)|omain)|e(?:(?:ndpoi|ve)nt|xte(?:nsion|rnal))|f(?:lashback|oreign|u(?:lltext|nction))|hi(?:erarchy|stogram)|group|in(?:dex(?:type)?|memory|stance)|java|l(?:a(?:ngua|r)ge|ibrary|o(?:ckdown|g(?:file[\s\v]*group|in)))|m(?:a(?:s(?:k|ter[\s\v]*key)|terialized)|e(?:ssage[\s\v]*type|thod)|odule)|(?:nicknam|queu)e|o(?:perator|utline)|p(?:a(?:ckage|rtition)|ermission|ro(?:cedur|fil)e)|r(?:e(?:mot|sourc)e|o(?:l(?:e|lback)|ute))|s(?:chema|e(?:arch|curity|rv(?:er|ice)|quence|ssion)|y(?:mmetric[\s\v]*key|nonym)|togroup)|t(?:able(?:space)?|ext|hreshold|r(?:igger|usted)|ype)|us(?:age|er)|view|w(?:ork(?:load)?|rapper)|x(?:ml[\s\v]*schema|srobject)))\b)" "id:942362, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Detects concatenated basic SQL injection and SQLLFI attempts', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: 
%{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'paranoia-level/2', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # This rule is a sibling of 942330. See that rule for a description and overview. 
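Review bot: The tag order on the rewritten 942362 line differs from every other rule in this diff: `tag:'paranoia-level/2'` sits between `tag:'attack-sqli'` and `tag:'OWASP_CRS'`, whereas the others place it after `tag:'PCI/6.5.2'`. The removed side already had this order, so it is not a regression, but since the whole line is being rewritten it is the natural moment to align it: `tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2',`. Tag order should have no effect on matching or scoring; the benefit is readability and a cleaner diff against upstream CRS when the next rule update is merged.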
@@ -1083,104 +429,28 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942370 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`](?:[\s\v]*?(?:(?:\*.+(?:x?or|div|like|between|(?:an|i)d)[^0-9A-Z_a-z]*?[\"'`]|(?:x?or|div|like|between|and)[\s\v][^0-9]+[\-0-9A-Z_a-z]+.*?)[0-9]|[^\s\v0-9\?A-Z_a-z]+[\s\v]*?[^\s\v0-9A-Z_a-z]+[\s\v]*?[\"'`]|[^\s\v0-9A-Z_a-z]+[\s\v]*?[^A-Z_a-z].*?(?:#|--))|.*?\*[\s\v]*?[0-9])|\^[\"'`]|[%\(-\+\-<>][\-0-9A-Z_a-z]+[^\s\v0-9A-Z_a-z]+[\"'`][^,]" \ - "id:942370,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Detects classic SQL injection probings 2/3',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`](?:[\s\v]*?(?:(?:\*.+(?:x?or|div|like|between|(?:an|i)d)[^0-9A-Z_a-z]*?[\"'`]|(?:x?or|div|like|between|and)[\s\v][^0-9]+[\-0-9A-Z_a-z]+.*?)[0-9]|[^\s\v0-9\?A-Z_a-z]+[\s\v]*?[^\s\v0-9A-Z_a-z]+[\s\v]*?[\"'`]|[^\s\v0-9A-Z_a-z]+[\s\v]*?[^A-Z_a-z].*?(?:#|--))|.*?\*[\s\v]*?[0-9])|\^[\"'`]|[%\(-\+\-<>][\-0-9A-Z_a-z]+[^\s\v0-9A-Z_a-z]+[\"'`][^,]" "id:942370, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Detects classic SQL injection probings 2/3', logdata:'Matched Data: %{TX.0} found within 
%{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942380.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942380 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:having\b(?:[\s\v]+(?:[0-9]{1,10}|'[^=]{1,10}')[\s\v]*?[<->]| ?(?:[0-9]{1,10} ?[<->]+|[\"'][^=]{1,10}[ \"'<-\?\[]+))|ex(?:ecute(?:\(|[\s\v]{1,5}[\$\.0-9A-Z_a-z]{1,5}[\s\v]{0,3})|ists[\s\v]*?\([\s\v]*?select\b)|(?:create[\s\v]+?table.{0,20}?|like[^0-9A-Z_a-z]*?char[^0-9A-Z_a-z]*?)\()|select.*?case|from.*?limit|order[\s\v]by|exists[\s\v](?:[\s\v]select|s(?:elect[^\s\v](?:if(?:null)?[\s\v]\(|top|concat)|ystem[\s\v]\()|\bhaving\b[\s\v]+[0-9]{1,10}|'[^=]{1,10}')" \ - "id:942380,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'SQL Injection Attack',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
(?i)\b(?:having\b(?:[\s\v]+(?:[0-9]{1,10}|'[^=]{1,10}')[\s\v]*?[<->]| ?(?:[0-9]{1,10} ?[<->]+|[\"'][^=]{1,10}[ \"'<-\?\[]+))|ex(?:ecute(?:\(|[\s\v]{1,5}[\$\.0-9A-Z_a-z]{1,5}[\s\v]{0,3})|ists[\s\v]*?\([\s\v]*?select\b)|(?:create[\s\v]+?table.{0,20}?|like[^0-9A-Z_a-z]*?char[^0-9A-Z_a-z]*?)\()|select.*?case|from.*?limit|order[\s\v]by|exists[\s\v](?:[\s\v]select|s(?:elect[^\s\v](?:if(?:null)?[\s\v]\(|top|concat)|ystem[\s\v]\()|\bhaving\b[\s\v]+[0-9]{1,10}|'[^=]{1,10}')" "id:942380, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'SQL Injection Attack', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942390.ra. 
# To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942390 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:or\b(?:[\s\v]?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"'])[\s\v]?[<->]+|[\s\v]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[\s\v]*?[<->])?)|xor\b[\s\v]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[\s\v]*?[<->])?)|'[\s\v]+x?or[\s\v]+.{1,20}[!\+\-<->]" \ - "id:942390,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'SQL Injection Attack',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:or\b(?:[\s\v]?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"'])[\s\v]?[<->]+|[\s\v]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[\s\v]*?[<->])?)|xor\b[\s\v]+(?:[0-9]{1,10}|'[^=]{1,10}')(?:[\s\v]*?[<->])?)|'[\s\v]+x?or[\s\v]+.{1,20}[!\+\-<->]" "id:942390, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'SQL Injection Attack', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" 
# Regular expression generated from regex-assembly/942400.ra.
 # To update the regular expression run the following shell script
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 # crs-toolchain regex update 942400
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\band\b(?:[\s\v]+(?:[0-9]{1,10}[\s\v]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"']) ?[<->]+)" \
- "id:942400,\
- phase:2,\
- block,\
- capture,\
- t:none,t:urlDecodeUni,\
- msg:'SQL Injection Attack',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-sqli',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248/66',\
- tag:'PCI/6.5.2',\
- tag:'paranoia-level/2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\band\b(?:[\s\v]+(?:[0-9]{1,10}[\s\v]*?[<->]|'[^=]{1,10}')| ?(?:[0-9]{1,10}|[\"'][^=]{1,10}[\"']) ?[<->]+)" "id:942400, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'SQL Injection Attack', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 # The former rule id 942410 was split into three new rules: 942410, 942470, 942480
 #
@@ -1192,26 +462,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942410 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:(?:b|co)s|dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:in|cii(?:str)?)|tan2?|vg)|b(?:enchmark|i(?:n(?:_to_num)?|t_(?:and|count|length|x?or)))|c(?:ast|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|o(?:alesce|ercibility|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|(?:un)?t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff)?)|y(?:name|of(?:month|week|year))?)|count|e(?:code|(?:faul|s_(?:de|en)cryp)t|grees)|ump)|e(?:lt|nc(?:ode|rypt)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:eld(?:_in_set)?|nd_in_set)|loor|o(?:rmat|und_rows)|rom_(?:base64|days|unixtime))|g(?:et_(?:format|lock)|r(?:eates|oup_conca)t)|h(?:ex(?:toraw)?|our)|i(?:f(?:null)?|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)?|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null)?)|l(?:ast(?:_(?:day|insert_id))?|case|e(?:(?:as|f)t|ngth)|n|o(?:ad_file|ca(?:l(?:timestamp)?|te)|g(?:10|2)?|wer)|pad|trim)|m(?:a(?:ke(?:date|_set)|ster_pos_wait|x)|d5|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:d|nth(?:name)?))|n(?:ame_const|o(?:t_in|w)|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:assword|eriod_(?:add|diff)|g_sleep|i|o(?:sition|w(?:er)?)|rocedure_analyse)|qu(?:arter|ote)|r(?:a(?:dians|nd|wto(?:hex|nhex(?:toraw)?))|e(?:lease_lock|p(?:eat|lace)|verse)|ight|o(?:und|w_count)|pad|trim)|s(?:chema|e(?:c(?:ond|_to_time)|ssion_user)|ha[1-2]?|ig?n|leep|oundex|pace|qrt|t(?:d(?:dev(?:_(?:po|sam)p)?)?|r(?:cmp|_to_date))|u(?:b(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|m)|ys(?:date|tem_user))|t(?:an|ime(?:diff|_(?:format|to_sec)|stamp(?:add|diff)?)?|o_(?:base64|n?char|(?:day|second)s)|r(?:im|u
ncate))|u(?:case|n(?:compress(?:ed_length)?|hex|ix_timestamp)|p(?:datexml|per)|ser|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|v(?:a(?:lues|r(?:iance|_(?:po|sam)p))|ersion)|we(?:ek(?:day|ofyear)?|ight_string)|xmltype|year(?:week)?)[^0-9A-Z_a-z]*?\(" \ - "id:942410,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'SQL Injection Attack',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:(?:b|co)s|dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:in|cii(?:str)?)|tan2?|vg)|b(?:enchmark|i(?:n(?:_to_num)?|t_(?:and|count|length|x?or)))|c(?:ast|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|o(?:alesce|ercibility|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|(?:un)?t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff)?)|y(?:name|of(?:month|week|year))?)|count|e(?:code|(?:faul|s_(?:de|en)cryp)t|grees)|ump)|e(?:lt|nc(?:ode|rypt)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:eld(?:_in_set)?|nd_in_set)|loor|o(?:rmat|und_rows)|rom_(?:base64|days|unixtime))|g(?:et_(?:format|lock)|r(?:eates|oup_conca)t)|h(?:ex(?:toraw)?|our)|i(?:f(?:null)?|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)?|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null)?)|l(?:ast(?:_(?:day|insert_id))?|case|e(?:(?:as|f)t|ngth)|n|o(?:ad_file|ca(?:l(?:timestamp)?|te)|g(?:10|2)?|wer)|pad|trim)|m(?:a(?:ke(?:date|_set)|ster_pos_wait|x)|d5|i(?:(?:crosecon)?d|n(?
:ute)?)|o(?:d|nth(?:name)?))|n(?:ame_const|o(?:t_in|w)|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:assword|eriod_(?:add|diff)|g_sleep|i|o(?:sition|w(?:er)?)|rocedure_analyse)|qu(?:arter|ote)|r(?:a(?:dians|nd|wto(?:hex|nhex(?:toraw)?))|e(?:lease_lock|p(?:eat|lace)|verse)|ight|o(?:und|w_count)|pad|trim)|s(?:chema|e(?:c(?:ond|_to_time)|ssion_user)|ha[1-2]?|ig?n|leep|oundex|pace|qrt|t(?:d(?:dev(?:_(?:po|sam)p)?)?|r(?:cmp|_to_date))|u(?:b(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|m)|ys(?:date|tem_user))|t(?:an|ime(?:diff|_(?:format|to_sec)|stamp(?:add|diff)?)?|o_(?:base64|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|ix_timestamp)|p(?:datexml|per)|ser|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|v(?:a(?:lues|r(?:iance|_(?:po|sam)p))|ersion)|we(?:ek(?:day|ofyear)?|ight_string)|xmltype|year(?:week)?)[^0-9A-Z_a-z]*?\(" "id:942410, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'SQL Injection Attack', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # The former rule id 942410 was split into three new rules: 942410, 942470, 942480 
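Review bot: The collapsed action string on the new `SecRule` line for 942410 mixes two separator styles: `id:942410, phase:2, block, capture,` carries a space after each comma while `t:none,t:urlDecodeUni,` in the same string does not, and every other rewritten rule in this chunk (942470, 942480, 942430, 942440/942450, 942510, 942520, 942521/942522, 942101, 942152, 942321) follows the same mixed pattern. If the target engine's action parser trims whitespace around `,` this is purely cosmetic, but if it does not, the engine would most likely reject the whole file at load time rather than degrade a single rule, so this change deserves a config load/syntax check in CI (or a run of the repo's regression tests) instead of eyeball comparison of these generated regexes. I would also settle on one style, e.g. `"id:942410,phase:2,block,capture,t:none,t:urlDecodeUni,msg:'SQL Injection Attack',..."`, so future diffs of the action list stay readable. Since the file now diverges from upstream OWASP_CRS/4.0.0-rc1 formatting, a comment near the top of the file recording that the rules were collapsed to single lines and should be regenerated rather than hand-edited would help the next upstream sync.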
@@ -1221,26 +472,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942470 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)" \ - "id:942470,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'SQL Injection Attack',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
(?i)autonomous_transaction|(?:current_use|n?varcha|tbcreato)r|db(?:a_users|ms_java)|open(?:owa_util|query|rowset)|s(?:p_(?:(?:addextendedpro|sqlexe)c|execute(?:sql)?|help|is_srvrolemember|makewebtask|oacreate|p(?:assword|repare)|replwritetovarbin)|ql_(?:longvarchar|variant))|utl_(?:file|http)|xp_(?:availablemedia|(?:cmdshel|servicecontro)l|dirtree|e(?:numdsn|xecresultset)|filelist|loginconfig|makecab|ntsec(?:_enumdomains)?|reg(?:addmultistring|delete(?:key|value)|enum(?:key|value)s|re(?:ad|movemultistring)|write)|terminate(?:_process)?)" "id:942470, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'SQL Injection Attack', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # The former rule id 942410 was split into three new rules: 942410, 942470, 942480 
@@ -1250,26 +482,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942480 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:(?:d(?:bms_[0-9A-Z_a-z]+\.|elete\b[^0-9A-Z_a-z]*?\bfrom)|(?:group\b.*?\bby\b.{1,100}?\bhav|overlay\b[^0-9A-Z_a-z]*?\(.*?\b[^0-9A-Z_a-z]*?plac)ing|in(?:ner\b[^0-9A-Z_a-z]*?\bjoin|sert\b[^0-9A-Z_a-z]*?\binto|to\b[^0-9A-Z_a-z]*?\b(?:dump|out)file)|load\b[^0-9A-Z_a-z]*?\bdata\b.*?\binfile|s(?:elect\b.{1,100}?\b(?:(?:.*?\bdump\b.*|(?:count|length)\b.{1,100}?)\bfrom|(?:data_typ|from\b.{1,100}?\bwher)e|instr|to(?:_(?:cha|numbe)r|p\b.{1,100}?\bfrom))|ys_context)|u(?:nion\b.{1,100}?\bselect|tl_inaddr))\b|print\b[^0-9A-Z_a-z]*?@@)|(?:collation[^0-9A-Z_a-z]*?\(a|@@version|;[^0-9A-Z_a-z]*?\b(?:drop|shutdown))\b|'(?:dbo|msdasql|s(?:a|qloledb))'" \ - "id:942480,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'SQL Injection Attack',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/* "@rx 
(?i)\b(?:(?:d(?:bms_[0-9A-Z_a-z]+\.|elete\b[^0-9A-Z_a-z]*?\bfrom)|(?:group\b.*?\bby\b.{1,100}?\bhav|overlay\b[^0-9A-Z_a-z]*?\(.*?\b[^0-9A-Z_a-z]*?plac)ing|in(?:ner\b[^0-9A-Z_a-z]*?\bjoin|sert\b[^0-9A-Z_a-z]*?\binto|to\b[^0-9A-Z_a-z]*?\b(?:dump|out)file)|load\b[^0-9A-Z_a-z]*?\bdata\b.*?\binfile|s(?:elect\b.{1,100}?\b(?:(?:.*?\bdump\b.*|(?:count|length)\b.{1,100}?)\bfrom|(?:data_typ|from\b.{1,100}?\bwher)e|instr|to(?:_(?:cha|numbe)r|p\b.{1,100}?\bfrom))|ys_context)|u(?:nion\b.{1,100}?\bselect|tl_inaddr))\b|print\b[^0-9A-Z_a-z]*?@@)|(?:collation[^0-9A-Z_a-z]*?\(a|@@version|;[^0-9A-Z_a-z]*?\b(?:drop|shutdown))\b|'(?:dbo|msdasql|s(?:a|qloledb))'" "id:942480, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'SQL Injection Attack', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # 
@@ -1291,26 +504,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU # SecRuleUpdateTargetById 942430 "!ARGS:foo" # -SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){12})" \ - "id:942430,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)',\ - logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'WARNING',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}',\ - setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" +SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){12})" "id:942430, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)', logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'WARNING', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}', setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" # 
@@ -1340,54 +534,14 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´ # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942440 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx /\*!?|\*/|[';]--|--(?:[\s\v]|[^\-]*?-)|[^&\-]#.*?[\s\v]|;?\x00" \ - "id:942440,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'SQL Comment Sequence Detected',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - chain" - SecRule MATCHED_VARS "!@rx ^ey[A-Z-a-z0-9-_]+[.]ey[A-Z-a-z0-9-_]+[.][A-Z-a-z0-9-_]+$" \ - "t:none,\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx /\*!?|\*/|[';]--|--(?:[\s\v]|[^\-]*?-)|[^&\-]#.*?[\s\v]|;?\x00" "id:942440, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'SQL Comment Sequence Detected', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', chain" + SecRule MATCHED_VARS "!@rx ^ey[A-Z-a-z0-9-_]+[.]ey[A-Z-a-z0-9-_]+[.][A-Z-a-z0-9-_]+$" "t:none, setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" # # -=[ SQL Hex Evasion Methods ]=- # -SecRule 
REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\b0x[a-f\d]{3,})" \ - "id:942450,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'SQL Hex Encoding Identified',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\b0x[a-f\d]{3,})" "id:942450, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'SQL Hex Encoding Identified', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # 
@@ -1417,26 +571,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU # ('if'). That rule runs in paranoia level 3 or higher since it is prone to # false positives in natural text. # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:`(?:(?:[\w\s=_\-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)`)" \ - "id:942510,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'SQLi bypass attempt by ticks or backticks detected',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:`(?:(?:[\w\s=_\-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)`)" "id:942510, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'SQLi bypass attempt by ticks or backticks detected', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # Regular expression generated from regex-assembly/942520.ra. 
@@ -1444,26 +579,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942520 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`][\s\v]*?(?:(?:is[\s\v]+not|not[\s\v]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[\s\v]+like)\b|[%-&\*-\+\-/<->\^\|])" \ - "id:942520,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Detects basic SQL authentication bypass attempts 4.0/4',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`][\s\v]*?(?:(?:is[\s\v]+not|not[\s\v]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[\s\v]+like)\b|[%-&\*-\+\-/<->\^\|])" "id:942520, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Detects basic SQL authentication bypass attempts 4.0/4', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # Complementary rule to PL2 942520 that block and/or-based bypasses. 
@@ -1477,54 +593,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942521 # -SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^\"]*?(?:\"[^\"]*?\"[^\"]*?)*?\"|[^`]*?(?:`[^`]*?`[^`]*?)*?`)[\s\v]*([0-9A-Z_a-z]+)\b" \ - "id:942521,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Detects basic SQL authentication bypass attempts 4.1/4',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.942521_lhs=%{TX.1}',\ - chain" - SecRule TX:942521_lhs "@rx ^(?:and|or)$" \ - "t:none,\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)^(?:[^']*?(?:'[^']*?'[^']*?)*?'|[^\"]*?(?:\"[^\"]*?\"[^\"]*?)*?\"|[^`]*?(?:`[^`]*?`[^`]*?)*?`)[\s\v]*([0-9A-Z_a-z]+)\b" "id:942521, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Detects basic SQL authentication bypass attempts 4.1/4', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.942521_lhs=%{TX.1}', chain" + SecRule TX:942521_lhs "@rx ^(?:and|or)$" "t:none, setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', 
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # Complementary rule to PL2 942521 that block escaped quotes followed by (and|or) # -SecRule ARGS_NAMES|ARGS|XML:/* "@rx ^.*?\x5c['\"`](?:.*?['\"`])?\s*(?:and|or)\b" \ - "id:942522,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Detects basic SQL authentication bypass attempts 4.1/4',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule ARGS_NAMES|ARGS|XML:/* "@rx ^.*?\x5c['\"`](?:.*?['\"`])?\s*(?:and|or)\b" "id:942522, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Detects basic SQL authentication bypass attempts 4.1/4', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # 
@@ -1543,26 +618,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ^.*?\x5c['\"`](?:.*?['\"`])?\s*(?:and|or)\b" # previous slashes do not affect libinjection result, making it able to detect # some SQLi inside the path. # -SecRule REQUEST_BASENAME|REQUEST_FILENAME "@detectSQLi" \ - "id:942101,\ - phase:1,\ - block,\ - capture,\ - t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,\ - msg:'SQL Injection Attack Detected via libinjection',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_BASENAME|REQUEST_FILENAME "@detectSQLi" "id:942101, phase:1, block, capture, t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls, msg:'SQL Injection Attack Detected via libinjection', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # # -=[ SQL Function Names ]=- 
@@ -1575,26 +631,7 @@ SecRule REQUEST_BASENAME|REQUEST_FILENAME "@detectSQLi" \ # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942152 # -SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t_(?:format|lock))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|sleep)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ote)|r(?:a(?:
dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\(" \ - "id:942152,\ - phase:1,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,t:lowercase,\ - msg:'SQL Injection Attack: SQL function name detected',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx 
(?i)\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t_(?:format|lock))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|sleep)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_inde
x)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\(" "id:942152, phase:1, block, capture, t:none,t:urlDecodeUni,t:lowercase, msg:'SQL Injection Attack: SQL function name detected', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" # # This rule is a stricter sibling of 942320. 
@@ -1605,26 +642,7 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)\b(?:a(?:dd( # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942321 # -SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)create[\s\v]+(?:function|procedure)[\s\v]*?[0-9A-Z_a-z]+[\s\v]*?\([\s\v]*?\)[\s\v]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][\s\v]*?[0-9A-Z_a-z]+|iv[\s\v]*?\([\+\-]*[\s\v\.0-9]+,[\+\-]*[\s\v\.0-9]+\))|exec[\s\v]*?\([\s\v]*?@|(?:lo_(?:impor|ge)t|procedure[\s\v]+analyse)[\s\v]*?\(|;[\s\v]*?(?:declare|open)[\s\v]+[\-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[\s\v]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)" \ - "id:942321,\ - phase:1,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Detects MySQL and PostgreSQL stored procedure/function injections',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'paranoia-level/2',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)create[\s\v]+(?:function|procedure)[\s\v]*?[0-9A-Z_a-z]+[\s\v]*?\([\s\v]*?\)[\s\v]*?-|d(?:eclare[^0-9A-Z_a-z]+[#@][\s\v]*?[0-9A-Z_a-z]+|iv[\s\v]*?\([\+\-]*[\s\v\.0-9]+,[\+\-]*[\s\v\.0-9]+\))|exec[\s\v]*?\([\s\v]*?@|(?:lo_(?:impor|ge)t|procedure[\s\v]+analyse)[\s\v]*?\(|;[\s\v]*?(?:declare|open)[\s\v]+[\-0-9A-Z_a-z]+|::(?:b(?:igint|ool)|double[\s\v]+precision|int(?:eger)?|numeric|oid|real|(?:tex|smallin)t)" "id:942321, phase:1, block, capture, t:none,t:urlDecodeUni, msg:'Detects MySQL and PostgreSQL stored procedure/function injections', logdata:'Matched Data: %{TX.0} found within 
%{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'paranoia-level/2', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" 
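Review bot: The single-line form of 942321 no longer matches the layout that the comment directly above it still refers to (`# crs-toolchain regex update 942321`), so the toolchain's regex updater and any future upstream CRS sync will presumably either not recognise the rule or rewrite it back into the multi-line form as a large diff; the same applies to every other hunk in this chunk (942251/942490, 942420, 942431, 942460, 942511, 942530, 942421, 942432 and the 943/944 rules). If a consuming engine requires one directive per physical line, stating that once at the top of each file would keep the intent from being lost, e.g. `# NOTE: rules are kept on a single line (no backslash continuations) for the engine that loads this bundle; do not reformat on upstream sync`. The separator style on the new line is also mixed: actions are joined with `, ` while the transformation list stays `t:none,t:urlDecodeUni`; picking one form makes the rules easier to diff against upstream.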
@@ -1645,50 +663,12 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942016,phase:2,pass,nolog,skipAf # # This is a stricter sibling of rule 942250. # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\W+\d*?\s*?\bhaving\b\s*?[^\s\-]" \ - "id:942251,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Detects HAVING injections',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\W+\d*?\s*?\bhaving\b\s*?[^\s\-]" "id:942251, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Detects HAVING injections', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/3', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" # This rule is a stricter sibling of 942330. See that rule for a # description and overview. 
# -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\"'`][\s\d]*?[^\w\s]\W*?\d\W*?.*?[\"'`\d]" \ - "id:942490,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Detects classic SQL injection probings 3/3',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\"'`][\s\d]*?[^\w\s]\W*?\d\W*?.*?[\"'`\d]" "id:942490, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Detects classic SQL injection probings 3/3', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/3', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" # # [ SQL Injection Character Anomaly Usage ] 
@@ -1709,26 +689,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # SecRuleUpdateTargetById 942420 "!REQUEST_COOKIES:foo_id" # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){8})" \ - "id:942420,\ - phase:1,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)',\ - logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'WARNING',\ - setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\ - setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){8})" "id:942420, phase:1, block, capture, t:none,t:urlDecodeUni, msg:'Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (8)', logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/3', ver:'OWASP_CRS/4.0.0-rc1', severity:'WARNING', setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}', setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" # 
@@ -1738,26 +699,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # -SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){6})" \ - "id:942431,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)',\ - logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'WARNING',\ - setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\ - setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" +SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){6})" "id:942431, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (6)', logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/3', ver:'OWASP_CRS/4.0.0-rc1', severity:'WARNING', setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}', setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" # 
@@ -1768,26 +710,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
 #
 # The pattern may occur in some normal texts, e.g. "foo...." will match.
 #
-SecRule ARGS "@rx \W{4}" \
- "id:942460,\
- phase:2,\
- block,\
- capture,\
- t:none,t:urlDecodeUni,\
- msg:'Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-sqli',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248/66',\
- tag:'PCI/6.5.2',\
- tag:'paranoia-level/3',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'WARNING',\
- setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}'"
+SecRule ARGS "@rx \W{4}" "id:942460, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/3', ver:'OWASP_CRS/4.0.0-rc1', severity:'WARNING', setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}'"
 #
@@ -1818,26 +741,7 @@ SecRule ARGS "@rx \W{4}" \ # false positives in natural text is still present but lower than this # rule. # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:'(?:(?:[\w\s=_\-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)')" \ - "id:942511,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'SQLi bypass attempt by ticks detected',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:'(?:(?:[\w\s=_\-+{}()<@]){2,29}|(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)')" "id:942511, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'SQLi bypass attempt by ticks detected', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/3', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" # Detects '; # ' Single quote. Used to delineate a query with an unmatched quote. 
@@ -1847,26 +751,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 #
 # Bug Bounty example: email=admin@juice-sh.op';&password=foo
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ';" \
- "id:942530,\
- phase:2,\
- block,\
- capture,\
- t:none,t:urlDecodeUni,\
- msg:'SQLi query termination detected',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-sqli',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248/66',\
- tag:'PCI/6.5.2',\
- tag:'paranoia-level/3',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ';" "id:942530, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'SQLi query termination detected', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/3', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942017,phase:1,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
@@ -1881,26 +766,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942018,phase:2,pass,nolog,skipAf # This is a stricter sibling of rule 942420. # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){3})" \ - "id:942421,\ - phase:1,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)',\ - logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/4',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'WARNING',\ - setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\ - setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){3})" "id:942421, phase:1, block, capture, t:none,t:urlDecodeUni, msg:'Restricted SQL Character Anomaly Detection (cookies): # of special characters exceeded (3)', logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/4', ver:'OWASP_CRS/4.0.0-rc1', severity:'WARNING', setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}', setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" # 
@@ -1910,26 +776,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] # -SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){2})" \ - "id:942432,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)',\ - logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/4',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'WARNING',\ - setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\ - setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" +SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>][^~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´’‘`<>]*?){2})" "id:942432, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)', logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS', tag:'capec/1000/152/248/66', tag:'PCI/6.5.2', tag:'paranoia-level/4', ver:'OWASP_CRS/4.0.0-rc1', severity:'WARNING', setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}', setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" # diff --git a/appsec/crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf b/appsec/crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf index 639c6951..5fc85ae4 100644 --- a/appsec/crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf 
+++ b/appsec/crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf 
@@ -28,74 +28,16 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943012,phase:2,pass,nolog,skipAf # http://projects.webappsec.org/w/page/13246960/Session%20Fixation # http://capec.mitre.org/data/definitions/61.html # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \ - "id:943100,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,\ - msg:'Possible Session Fixation Attack: Setting Cookie Values in HTML',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-fixation',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/225/21/593/61',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" - - -SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \ - "id:943110,\ - phase:2,\ - block,\ - capture,\ - t:none,t:lowercase,\ - msg:'Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-fixation',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/225/21/593/61',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - chain" - SecRule REQUEST_HEADERS:Referer "@rx ^(?:ht|f)tps?://(.*?)/" \ - "capture,\ - chain" - SecRule TX:1 "!@endsWith %{request_headers.host}" \ - "setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" - - -SecRule ARGS_NAMES 
"@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \ - "id:943120,\ - phase:2,\ - block,\ - capture,\ - t:none,t:lowercase,\ - msg:'Possible Session Fixation Attack: SessionID Parameter Name with No Referer',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-fixation',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/225/21/593/61',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - chain" - SecRule &REQUEST_HEADERS:Referer "@eq 0" \ - "setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" "id:943100, phase:2, block, capture, t:none,t:urlDecodeUni, msg:'Possible Session Fixation Attack: Setting Cookie Values in HTML', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-fixation', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/225/21/593/61', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" "id:943110, phase:2, block, capture, t:none,t:lowercase, msg:'Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', 
tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-fixation', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/225/21/593/61', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', chain" + SecRule REQUEST_HEADERS:Referer "@rx ^(?:ht|f)tps?://(.*?)/" "capture, chain" + SecRule TX:1 "!@endsWith %{request_headers.host}" "setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" "id:943120, phase:2, block, capture, t:none,t:lowercase, msg:'Possible Session Fixation Attack: SessionID Parameter Name with No Referer', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-fixation', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/225/21/593/61', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', chain" + SecRule &REQUEST_HEADERS:Referer "@eq 0" "setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" diff --git a/appsec/crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf b/appsec/crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf index 1ad60259..74c463e3 100644 --- a/appsec/crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf +++ b/appsec/crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf 
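Review bot: In the 943110 chain the final link `SecRule TX:1 "!@endsWith %{request_headers.host}"` decides "off-domain" by a plain suffix comparison of the captured Referer authority against the Host header, so a Referer authority that merely ends with the Host value is treated as on-domain and the rule stays silent, while the reverse case (Host carrying a port that the Referer authority lacks) fails the suffix test and raises the score for a same-site request. The capture `(.*?)/` also keeps any userinfo and port from the Referer, and nothing in the chain normalises either side before the comparison. If subdomains of the Host are the intended allowance, comparing against a dot-prefixed value, or using an exact `@streq %{request_headers.host}` when they are not, would make that intent explicit; whether upstream CRS accepts the looser match deliberately is not visible here. The reformatting itself leaves this logic unchanged, and both chains are complete within this hunk.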
@@ -30,26 +30,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,skipAf # This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit: # [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ] # -SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ - "@rx java\.lang\.(?:runtime|processbuilder)" \ - "id:944100,\ - phase:2,\ - block,\ - t:none,t:lowercase,\ - msg:'Remote Command Execution: Suspicious Java class detected',\ - logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ - tag:'application-multi',\ - tag:'language-java',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/137/6',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx java\.lang\.(?:runtime|processbuilder)" "id:944100, phase:2, block, t:none,t:lowercase, msg:'Remote Command Execution: Suspicious Java class detected', logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-java', tag:'platform-multi', tag:'attack-rce', tag:'OWASP_CRS', tag:'capec/1000/152/137/6', tag:'PCI/6.5.2', tag:'paranoia-level/1', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # This rule is also triggered by the following exploit(s): # [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ] 
@@ -63,53 +44,13 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES # java. unmarshaller or base64data to trigger a potential payload execution # tested with https://www.exploit-db.com/exploits/42627/ and https://www.exploit-db.com/exploits/43458/ -SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ - "@rx (?:runtime|processbuilder)" \ - "id:944110,\ - phase:2,\ - block,\ - t:none,t:lowercase,\ - msg:'Remote Command Execution: Java process spawn (CVE-2017-9805)',\ - logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ - tag:'application-multi',\ - tag:'language-java',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - chain" - SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \ - "setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:runtime|processbuilder)" "id:944110, phase:2, block, t:none,t:lowercase, msg:'Remote Command Execution: Java process spawn (CVE-2017-9805)', logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-java', tag:'platform-multi', tag:'attack-rce', tag:'OWASP_CRS', tag:'capec/1000/152/248', tag:'PCI/6.5.2', tag:'paranoia-level/1', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', chain" + SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" 
"setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Magic bytes detected and payload included possibly RCE vulnerable classes detected and process execution methods detected # anomaly score set to critical as all conditions indicate the request try to perform RCE. -SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ - "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \ - "id:944120,\ - phase:2,\ - block,\ - t:none,t:lowercase,\ - msg:'Remote Command Execution: Java serialization (CVE-2015-4852)',\ - logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ - tag:'application-multi',\ - tag:'language-java',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - chain" - SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \ - "setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" "id:944120, phase:2, block, t:none,t:lowercase, msg:'Remote Command Execution: Java serialization (CVE-2015-4852)', logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-java', tag:'platform-multi', tag:'attack-rce', tag:'OWASP_CRS', tag:'capec/1000/152/248', tag:'PCI/6.5.2', 
tag:'paranoia-level/1', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', chain" + SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" "setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # This rule is also triggered by the following exploit(s): # [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/mazen160/struts-pwn ] 
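Review bot: The second link of 944110 (`SecRule ARGS|ARGS_NAMES|…|XML://@* "@rx (?:unmarshaller|base64data|java\.)"`) re-scans the full target list rather than `MATCHED_VARS`, whereas 944120 in the same hunk narrows its second link to `SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)"`; the two 944110 patterns can therefore be satisfied by different request variables, and the comment above the rule ("java. unmarshaller or base64data to trigger") does not say so. This mirrors the pre-reformat rule, so it is presumably intentional, but a one-line note would stop a later "consistency fix" to `MATCHED_VARS` from silently narrowing coverage: `# Second link deliberately rescans all targets (not MATCHED_VARS): the class token and the process-spawn token may sit in different variables`. Both chains are complete within this hunk.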
@@ -120,26 +61,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES # [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45262 ] # [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45260 ] # -SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_FILENAME|REQUEST_HEADERS|XML:/*|XML://@* \ - "@pmFromFile java-classes.data" \ - "id:944130,\ - phase:2,\ - block,\ - t:none,\ - msg:'Suspicious Java class detected',\ - logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\ - tag:'application-multi',\ - tag:'language-java',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_FILENAME|REQUEST_HEADERS|XML:/*|XML://@* "@pmFromFile java-classes.data" "id:944130, phase:2, block, t:none, msg:'Suspicious Java class detected', logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-java', tag:'platform-multi', tag:'attack-rce', tag:'OWASP_CRS', tag:'capec/1000/152/248', tag:'PCI/6.5.2', tag:'paranoia-level/1', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # 
@@ -159,25 +81,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES # X_Filename, or X-File-Name to transmit the file name to the server; # scan these request headers as well as multipart/form-data file names. # -SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:jsp|jspx)\.*$" \ - "id:944140,\ - phase:2,\ - block,\ - capture,\ - t:none,t:lowercase,\ - msg:'Java Injection Attack: Java Script File Upload Found',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-java',\ - tag:'platform-multi',\ - tag:'attack-injection-java',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:jsp|jspx)\.*$" "id:944140, phase:2, block, capture, t:none,t:lowercase, msg:'Java Injection Attack: Java Script File Upload Found', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', tag:'application-multi', tag:'language-java', tag:'platform-multi', tag:'attack-injection-java', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/152/242', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Log4J / Log4Shell Defense 
@@ -207,25 +111,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 # crs-toolchain regex update 944150
 #
-SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?i)(?:\$|$?)(?:\{|&l(?:brace|cub);?)(?:[^\}]{0,15}(?:\$|$?)(?:\{|&l(?:brace|cub);?)|jndi|ctx)" \
- "id:944150,\
- phase:2,\
- block,\
- t:none,t:urlDecodeUni,t:jsDecode,t:htmlEntityDecode,\
- log,\
- msg:'Potential Remote Command Execution: Log4j / Log4shell',\
- tag:'application-multi',\
- tag:'language-java',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/137/6',\
- tag:'PCI/6.5.2',\
- tag:'paranoia-level/1',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?i)(?:\$|$?)(?:\{|&l(?:brace|cub);?)(?:[^\}]{0,15}(?:\$|$?)(?:\{|&l(?:brace|cub);?)|jndi|ctx)" "id:944150, phase:2, block, t:none,t:urlDecodeUni,t:jsDecode,t:htmlEntityDecode, log, msg:'Potential Remote Command Execution: Log4j / Log4shell', tag:'application-multi', tag:'language-java', tag:'platform-multi', tag:'attack-rce', tag:'OWASP_CRS', tag:'capec/1000/152/137/6', tag:'PCI/6.5.2', tag:'paranoia-level/1', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
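Review bot: The context line `# crs-toolchain regex update 944150` directly above this rule tells maintainers the regex is generated from a `.ra` assembly file, and after the collapse the `@rx` operand, id and all actions now sit on one line; confirm that `crs-toolchain regex update 944150` still locates and replaces the operand in this layout, otherwise the comment is misleading and the pattern will drift from its source. Separately, the operand reads `(?:\$|$?)` on both the old and the new line; an optional `$` end anchor is a no-op alternative, and upstream carries the HTML-entity form `&dollar;?` at that spot, so check whether the entity was lost in this rendering or in the file itself. The same two points apply to 944151 and 944152 further down.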
@@ -245,25 +131,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,skipAf
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 # crs-toolchain regex update 944151
 #
-SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?i)(?:\$|$?)(?:\{|&l(?:brace|cub);?)(?:[^\}]*(?:\$|$?)(?:\{|&l(?:brace|cub);?)|jndi|ctx)" \
- "id:944151,\
- phase:2,\
- block,\
- t:none,t:urlDecodeUni,t:jsDecode,t:htmlEntityDecode,\
- log,\
- msg:'Potential Remote Command Execution: Log4j / Log4shell',\
- tag:'application-multi',\
- tag:'language-java',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/137/6',\
- tag:'PCI/6.5.2',\
- tag:'paranoia-level/2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?i)(?:\$|$?)(?:\{|&l(?:brace|cub);?)(?:[^\}]*(?:\$|$?)(?:\{|&l(?:brace|cub);?)|jndi|ctx)" "id:944151, phase:2, block, t:none,t:urlDecodeUni,t:jsDecode,t:htmlEntityDecode, log, msg:'Potential Remote Command Execution: Log4j / Log4shell', tag:'application-multi', tag:'language-java', tag:'platform-multi', tag:'attack-rce', tag:'OWASP_CRS', tag:'capec/1000/152/137/6', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 # [ Java deserialization vulnerability/Apache Commons (CVE-2015-4852) ]
 #
@@ -277,117 +145,24 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
 # https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
 #
 # Potential false positives with random fields, the anomaly level is set low to avoid blocking request
-SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
- "@rx \xac\xed\x00\x05" \
- "id:944200,\
- phase:2,\
- block,\
- msg:'Magic bytes Detected, probable java serialization in use',\
- logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-java',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248',\
- tag:'PCI/6.5.2',\
- tag:'paranoia-level/2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx \xac\xed\x00\x05" "id:944200, phase:2, block, msg:'Magic bytes Detected, probable java serialization in use', logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-java', tag:'platform-multi', tag:'attack-rce', tag:'OWASP_CRS', tag:'capec/1000/152/248', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 # Detecting possible base64 text to match encoded magic bytes \xac\xed\x00\x05 with padding encoded in base64 strings are rO0ABQ KztAAU Cs7QAF
-SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
- "@rx (?:rO0ABQ|KztAAU|Cs7QAF)" \
- "id:944210,\
- phase:2,\
- block,\
- msg:'Magic bytes Detected Base64 Encoded, probable java serialization in use',\
- logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-java',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248',\
- tag:'PCI/6.5.2',\
- tag:'paranoia-level/2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:rO0ABQ|KztAAU|Cs7QAF)" "id:944210, phase:2, block, msg:'Magic bytes Detected Base64 Encoded, probable java serialization in use', logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-java', tag:'platform-multi', tag:'attack-rce', tag:'OWASP_CRS', tag:'capec/1000/152/248', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
-SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
- "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \
- "id:944240,\
- phase:2,\
- block,\
- t:none,t:lowercase,\
- msg:'Remote Command Execution: Java serialization (CVE-2015-4852)',\
- logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-java',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248',\
- tag:'PCI/6.5.2',\
- tag:'paranoia-level/2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" "id:944240, phase:2, block, t:none,t:lowercase, msg:'Remote Command Execution: Java serialization (CVE-2015-4852)', logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-java', tag:'platform-multi', tag:'attack-rce', tag:'OWASP_CRS', tag:'capec/1000/152/248', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 # This rule is also triggered by the following exploit(s):
 # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
 #
-SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
- "@rx java\b.+(?:runtime|processbuilder)" \
- "id:944250,\
- phase:2,\
- block,\
- t:lowercase,\
- msg:'Remote Command Execution: Suspicious Java method detected',\
- logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-java',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248',\
- tag:'PCI/6.5.2',\
- tag:'paranoia-level/2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx java\b.+(?:runtime|processbuilder)" "id:944250, phase:2, block, t:lowercase, msg:'Remote Command Execution: Suspicious Java method detected', logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-java', tag:'platform-multi', tag:'attack-rce', tag:'OWASP_CRS', tag:'capec/1000/152/248', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 # This rule is also triggered by the following exploit(s):
 # - https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/
 # - https://www.ironcastle.net/possible-new-java-spring-framework-vulnerability-wed-mar-30th/
 #
-SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
- "@rx (?:class\.module\.classLoader\.resources\.context\.parent\.pipeline|springframework\.context\.support\.FileSystemXmlApplicationContext)" \
- "id:944260,\
- phase:2,\
- block,\
- t:urlDecodeUni,\
- msg:'Remote Command Execution: Malicious class-loading payload',\
- logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-java',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248',\
- tag:'PCI/6.5.2',\
- tag:'paranoia-level/2',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:class\.module\.classLoader\.resources\.context\.parent\.pipeline|springframework\.context\.support\.FileSystemXmlApplicationContext)" "id:944260, phase:2, block, t:urlDecodeUni, msg:'Remote Command Execution: Malicious class-loading payload', logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-java', tag:'platform-multi', tag:'attack-rce', tag:'OWASP_CRS', tag:'capec/1000/152/248', tag:'PCI/6.5.2', tag:'paranoia-level/2', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
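Review bot: Transformation lists are inconsistent across the five rules rewritten in this hunk: 944240 uses `t:none,t:lowercase`, but 944250 has only `t:lowercase`, 944260 only `t:urlDecodeUni`, and 944200/944210 declare none at all. With upstream's SecDefaultAction (no transformations) this is behaviorally harmless, but any local SecDefaultAction that adds a transformation would silently change what these four rules match against, so a leading `t:none` makes the pipeline explicit. Since the lines are being rewritten anyway, suggest `"id:944250, phase:2, block, t:none,t:lowercase, ...` and `"id:944260, phase:2, block, t:none,t:urlDecodeUni, ...`. This is pre-existing upstream behavior, not something the collapse introduced.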
@@ -402,26 +177,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,skipAf
 # for padding in xrange(3):
 # print base64.b64encode(''.join([pad*padding,item])).replace('=','')[padding:],
 #cnVudGltZQ HJ1bnRpbWU BydW50aW1l cHJvY2Vzc2J1aWxkZXI HByb2Nlc3NidWlsZGVy Bwcm9jZXNzYnVpbGRlcg Y2xvbmV0cmFuc2Zvcm1lcg GNsb25ldHJhbnNmb3JtZXI BjbG9uZXRyYW5zZm9ybWVy Zm9yY2xvc3VyZQ GZvcmNsb3N1cmU Bmb3JjbG9zdXJl aW5zdGFudGlhdGVmYWN0b3J5 Gluc3RhbnRpYXRlZmFjdG9yeQ BpbnN0YW50aWF0ZWZhY3Rvcnk aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg Gluc3RhbnRpYXRldHJhbnNmb3JtZXI BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy aW52b2tlcnRyYW5zZm9ybWVy Gludm9rZXJ0cmFuc2Zvcm1lcg BpbnZva2VydHJhbnNmb3JtZXI cHJvdG90eXBlY2xvbmVmYWN0b3J5 HByb3RvdHlwZWNsb25lZmFjdG9yeQ Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5 Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ d2hpbGVjbG9zdXJl HdoaWxlY2xvc3VyZQ B3aGlsZWNsb3N1cmU
-SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
- "@rx (?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)" \
- "id:944300,\
- phase:2,\
- block,\
- t:none,\
- msg:'Base64 encoded string matched suspicious keyword',\
- logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-java',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/248',\
- tag:'PCI/6.5.2',\
- tag:'paranoia-level/3',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)" "id:944300, phase:2, block, t:none, msg:'Base64 encoded string matched suspicious keyword', logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-java', tag:'platform-multi', tag:'attack-rce', tag:'OWASP_CRS', tag:'capec/1000/152/248', tag:'PCI/6.5.2', tag:'paranoia-level/3', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
@@ -439,25 +195,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,skipAf
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 # crs-toolchain regex update 944152
 #
-SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?i)(?:\$|$?)(?:\{|&l(?:brace|cub);?)" \
- "id:944152,\
- phase:2,\
- block,\
- t:none,t:urlDecodeUni,t:jsDecode,t:htmlEntityDecode,\
- log,\
- msg:'Potential Remote Command Execution: Log4j / Log4shell',\
- tag:'application-multi',\
- tag:'language-java',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152/137/6',\
- tag:'PCI/6.5.2',\
- tag:'paranoia-level/4',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
+SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?i)(?:\$|$?)(?:\{|&l(?:brace|cub);?)" "id:944152, phase:2, block, t:none,t:urlDecodeUni,t:jsDecode,t:htmlEntityDecode, log, msg:'Potential Remote Command Execution: Log4j / Log4shell', tag:'application-multi', tag:'language-java', tag:'platform-multi', tag:'attack-rce', tag:'OWASP_CRS', tag:'capec/1000/152/137/6', tag:'PCI/6.5.2', tag:'paranoia-level/4', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.rce_score=+%{tx.critical_anomaly_score}', setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
 #
 # -= Paranoia Levels Finished =-
diff --git a/appsec/crs/REQUEST-949-BLOCKING-EVALUATION.conf b/appsec/crs/REQUEST-949-BLOCKING-EVALUATION.conf
index 81f3361e..bc03d1d7 100644
--- a/appsec/crs/REQUEST-949-BLOCKING-EVALUATION.conf
+++ b/appsec/crs/REQUEST-949-BLOCKING-EVALUATION.conf
@@ -17,144 +17,36 @@
 # this prevents bugs in phase 5 if Apache skips phases because of error handling
 # See: https://github.com/coreruleset/coreruleset/issues/2319#issuecomment-1047503932
-SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
- "id:949052,\
- phase:1,\
- pass,\
- t:none,\
- nolog,\
- setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
- "id:949152,\
- phase:1,\
- pass,\
- t:none,\
- nolog,\
- setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
-
-SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
- "id:949053,\
- phase:1,\
- pass,\
- t:none,\
- nolog,\
- setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
- "id:949153,\
- phase:1,\
- pass,\
- t:none,\
- nolog,\
- setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
-
-SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
- "id:949054,\
- phase:1,\
- pass,\
- t:none,\
- nolog,\
- setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
- "id:949154,\
- phase:1,\
- pass,\
- t:none,\
- nolog,\
- setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
-
-SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
- "id:949055,\
- phase:1,\
- pass,\
- t:none,\
- nolog,\
- setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
- "id:949155,\
- phase:1,\
- pass,\
- t:none,\
- nolog,\
- setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
+SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" "id:949052, phase:1, pass, t:none, nolog, setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" "id:949152, phase:1, pass, t:none, nolog, setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
+
+SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" "id:949053, phase:1, pass, t:none, nolog, setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" "id:949153, phase:1, pass, t:none, nolog, setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
+
+SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" "id:949054, phase:1, pass, t:none, nolog, setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" "id:949154, phase:1, pass, t:none, nolog, setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
+
+SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" "id:949055, phase:1, pass, t:none, nolog, setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" "id:949155, phase:1, pass, t:none, nolog, setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
 # at start of phase 2, we reset the aggregate scores to 0 to prevent duplicate counting of per-PL scores
 # this is necessary because the per-PL scores are counted across phases
-SecAction \
- "id:949059,\
- phase:2,\
- pass,\
- t:none,\
- nolog,\
- setvar:'tx.blocking_inbound_anomaly_score=0'"
-SecAction \
- "id:949159,\
- phase:2,\
- pass,\
- t:none,\
- nolog,\
- setvar:'tx.detection_inbound_anomaly_score=0'"
+SecAction "id:949059,phase:2,pass,t:none,nolog,setvar:'tx.blocking_inbound_anomaly_score=0'"
+SecAction "id:949159,phase:2,pass,t:none,nolog,setvar:'tx.detection_inbound_anomaly_score=0'"
 # Summing up the blocking and detection anomaly scores in phase 2
-SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
- "id:949060,\
- phase:2,\
- pass,\
- t:none,\
- nolog,\
- setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
- "id:949160,\
- phase:2,\
- pass,\
- t:none,\
- nolog,\
- setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
-
-SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
- "id:949061,\
- phase:2,\
- pass,\
- t:none,\
- nolog,\
- setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
- "id:949161,\
- phase:2,\
- pass,\
- t:none,\
- nolog,\
- setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
-
-SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
- "id:949062,\
- phase:2,\
- pass,\
- t:none,\
- nolog,\
- setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
- "id:949162,\
- phase:2,\
- pass,\
- t:none,\
- nolog,\
- setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
-
-SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
- "id:949063,\
- phase:2,\
- pass,\
- t:none,\
- nolog,\
- setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
- "id:949163,\
- phase:2,\
- pass,\
- t:none,\
- nolog,\
- setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
+SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" "id:949060, phase:2, pass, t:none, nolog, setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" "id:949160, phase:2, pass, t:none, nolog, setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
+
+SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" "id:949061, phase:2, pass, t:none, nolog, setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" "id:949161, phase:2, pass, t:none, nolog, setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
+
+SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" "id:949062, phase:2, pass, t:none, nolog, setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" "id:949162, phase:2, pass, t:none, nolog, setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
+
+SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" "id:949063, phase:2, pass, t:none, nolog, setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" "id:949163, phase:2, pass, t:none, nolog, setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
 SecMarker "BEGIN-REQUEST-BLOCKING-EVAL"
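Review bot: The two SecAction lines 949059 and 949159 are written as `id:949059,phase:2,pass,t:none,nolog,...` with no space after the commas, while every other rule rewritten in this commit (including the sixteen 9490xx/9491xx summation rules around them) uses `, ` separators; pick one form so greps and any rule reformatter treat all files the same. E.g. `SecAction "id:949059, phase:2, pass, t:none, nolog, setvar:'tx.blocking_inbound_anomaly_score=0'"` and the same for 949159. No behavioral difference either way; this is purely about consistency within the change.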
@@ -164,26 +56,11 @@ SecMarker "BEGIN-REQUEST-BLOCKING-EVAL"
 #
 # if early blocking is active, check threshold in phase 1
-SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
- "id:949111,\
- phase:1,\
- deny,\
- t:none,\
- msg:'Inbound Anomaly Score Exceeded in phase 1 (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
- tag:'anomaly-evaluation',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- chain"
+SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:949111, phase:1, deny, t:none, msg:'Inbound Anomaly Score Exceeded in phase 1 (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})', tag:'anomaly-evaluation', ver:'OWASP_CRS/4.0.0-rc1', chain"
 SecRule TX:EARLY_BLOCKING "@eq 1"
 # always check threshold in phase 2
-SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
- "id:949110,\
- phase:2,\
- deny,\
- t:none,\
- msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
- tag:'anomaly-evaluation',\
- ver:'OWASP_CRS/4.0.0-rc1'"
+SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:949110, phase:2, deny, t:none, msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})', tag:'anomaly-evaluation', ver:'OWASP_CRS/4.0.0-rc1'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
diff --git a/appsec/crs/RESPONSE-950-DATA-LEAKAGES.conf b/appsec/crs/RESPONSE-950-DATA-LEAKAGES.conf
index 27bedc0f..69200eda 100644
--- a/appsec/crs/RESPONSE-950-DATA-LEAKAGES.conf
+++ b/appsec/crs/RESPONSE-950-DATA-LEAKAGES.conf
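Review bot: 949111 ends with `chain`, so its second rule `SecRule TX:EARLY_BLOCKING "@eq 1"` must remain on its own line immediately after the collapsed 949111 line; in this view the two run together, and if the rewrite actually joined them the directive will not parse and the whole file fails to load, taking early blocking with it. The diff shows the second SecRule as untouched context, which suggests it is still separate, but please confirm on the file itself since it is the one place in this commit where a line-join is a hard error rather than a style choice. Both 949111 and 949110 use `deny` with no `status`, so the response code comes from SecDefaultAction or the engine default; pre-existing, but worth remembering when correlating phase-1 and phase-2 blocks in logs.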
@@ -28,25 +28,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950021,phase:4,pass,nolog,skipAf
 #
 # -=[ Directory Listing ]=-
 #
-SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?Index of.*?Index of|>\[To Parent Directory\]
)" \
- "id:950130,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'Directory Listing',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-disclosure',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116/54/127',\
- tag:'PCI/6.5.6',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'ERROR',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
+SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?Index of.*?Index of|>\[To Parent Directory\]
)" "id:950130, phase:4, block, capture, t:none, msg:'Directory Listing', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/116/54/127', tag:'PCI/6.5.6', ver:'OWASP_CRS/4.0.0-rc1', severity:'ERROR', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 #
 # -=[ CGI Source Code Leakage ]=-
@@ -60,25 +42,7 @@ SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?Index of.*?Inde
 #
 # If the CGI script processors or MIME type handlers are misconfigured,
 # the script's source code could be erroneously returned to the client.
-SecRule RESPONSE_BODY "@rx ^#\!\s?/" \
- "id:950140,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'CGI source code leakage',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-disclosure',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116',\
- tag:'PCI/6.5.6',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'ERROR',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
+SecRule RESPONSE_BODY "@rx ^#\!\s?/" "id:950140, phase:4, block, capture, t:none, msg:'CGI source code leakage', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/116', tag:'PCI/6.5.6', ver:'OWASP_CRS/4.0.0-rc1', severity:'ERROR', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
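Review bot: The operand of 950130 appears to break inside the quoted string right after `>\[To Parent Directory\]`, before the closing `)"`, on both the old and the new line; upstream's pattern carries a literal `<br>` HTML tag at that spot, so this is most likely the tag being stripped by rendering, but if the file itself contains a newline there the directive will not parse. Worth confirming the file still reads `>\[To Parent Directory\]<br>)` after the rewrite, since a single-line rule has no continuation to hide a stray break. As a deployment caveat for both rules in this section, they are phase-4 RESPONSE_BODY checks and only fire when the engine is configured to buffer response bodies for the relevant MIME types; collapsing the rules does not change that, but it is the first thing to check when they appear silent.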
@@ -90,25 +54,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,skipAf
 #
 # -=[ The application is not available - 5xx level status code ]=-
 #
-SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
- "id:950100,\
- phase:3,\
- block,\
- capture,\
- t:none,\
- msg:'The Application Returned a 500-Level Status Code',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-disclosure',\
- tag:'PCI/6.5.6',\
- tag:'paranoia-level/2',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/152',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'ERROR',\
- setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"
+SecRule RESPONSE_STATUS "@rx ^5\d{2}$" "id:950100, phase:3, block, capture, t:none, msg:'The Application Returned a 500-Level Status Code', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-disclosure', tag:'PCI/6.5.6', tag:'paranoia-level/2', tag:'OWASP_CRS', tag:'capec/1000/152', ver:'OWASP_CRS/4.0.0-rc1', severity:'ERROR', setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"
diff --git a/appsec/crs/RESPONSE-951-DATA-LEAKAGES-SQL.conf b/appsec/crs/RESPONSE-951-DATA-LEAKAGES-SQL.conf
index 6afb37b9..820d4c63 100644
--- a/appsec/crs/RESPONSE-951-DATA-LEAKAGES-SQL.conf
+++ b/appsec/crs/RESPONSE-951-DATA-LEAKAGES-SQL.conf
@@ -26,350 +26,49 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,skipAf
 # Ref: https://raw.github.com/sqlmapproject/sqlmap/master/xml/errors.xml
 # Ref: https://github.com/Arachni/arachni/tree/master/components/checks/active/sql_injection/regexps
 #
-SecRule RESPONSE_BODY "!@pmFromFile sql-errors.data" \
- "id:951100,\
- phase:4,\
- pass,\
- t:none,\
- nolog,\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-multi',\
- tag:'attack-disclosure',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- skipAfter:END-SQL-ERROR-MATCH-PL1"
-
-SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
- "id:951110,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'Microsoft Access SQL Information Leakage',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-msaccess',\
- tag:'attack-disclosure',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
-
-SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" \
- "id:951120,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'Oracle SQL Information Leakage',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-oracle',\
- tag:'attack-disclosure',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
-
-SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.*DB2|DB2 SQL error|db2_\w+\()" \
- "id:951130,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'DB2 SQL Information Leakage',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-db2',\
- tag:'attack-disclosure',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
-
-SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinity of:)" \
- "id:951140,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'EMC SQL Information Leakage',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-emc',\
- tag:'attack-disclosure',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
-
-SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
- "id:951150,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'firebird SQL Information Leakage',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-firebird',\
- tag:'attack-disclosure',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
-
-SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollback\." 
\
- "id:951160,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'Frontbase SQL Information Leakage',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-frontbase',\
- tag:'attack-disclosure',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
-
-SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
- "id:951170,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'hsqldb SQL Information Leakage',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-hsqldb',\
- tag:'attack-disclosure',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
-
-SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.*Informix)" \
- "id:951180,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'informix SQL Information Leakage',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-informix',\
- tag:'attack-disclosure',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
-
-SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)" \
- "id:951190,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- 
msg:'ingres SQL Information Leakage',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-ingres',\
- tag:'attack-disclosure',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
-
-SecRule RESPONSE_BODY "@rx (?i:Warning: ibase_|Unexpected end of command in statement)" \
- "id:951200,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'interbase SQL Information Leakage',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-interbase',\
- tag:'attack-disclosure',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
-
-SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
- "id:951210,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'maxDB SQL Information Leakage',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-maxdb',\
- tag:'attack-disclosure',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
-
-SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the 
character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.)" \
- "id:951220,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'mssql SQL Information Leakage',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-mssql',\
- tag:'attack-disclosure',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+SecRule RESPONSE_BODY "!@pmFromFile sql-errors.data" "id:951100, phase:4, pass, t:none, nolog, tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-disclosure', tag:'OWASP_CRS', tag:'capec/1000/118/116/54', ver:'OWASP_CRS/4.0.0-rc1', skipAfter:END-SQL-ERROR-MATCH-PL1"
+
+SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" "id:951110, phase:4, block, capture, t:none, msg:'Microsoft Access SQL Information Leakage', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-multi', tag:'platform-msaccess', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/116/54', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', 
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" "id:951120, phase:4, block, capture, t:none, msg:'Oracle SQL Information Leakage', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-multi', tag:'platform-oracle', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/116/54', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.*DB2|DB2 SQL error|db2_\w+\()" "id:951130, phase:4, block, capture, t:none, msg:'DB2 SQL Information Leakage', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-multi', tag:'platform-db2', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/116/54', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinity of:)" "id:951140, phase:4, block, capture, t:none, msg:'EMC SQL Information Leakage', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-multi', tag:'platform-emc', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/116/54', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecRule RESPONSE_BODY "@rx 
(?i)Dynamic SQL Error" "id:951150, phase:4, block, capture, t:none, msg:'firebird SQL Information Leakage', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-multi', tag:'platform-firebird', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/116/54', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollback\." "id:951160, phase:4, block, capture, t:none, msg:'Frontbase SQL Information Leakage', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-multi', tag:'platform-frontbase', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/116/54', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" "id:951170, phase:4, block, capture, t:none, msg:'hsqldb SQL Information Leakage', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-multi', tag:'platform-hsqldb', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/116/54', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.*Informix)" "id:951180, phase:4, block, capture, t:none, msg:'informix SQL Information Leakage', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-multi', 
tag:'platform-informix', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/116/54', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)" "id:951190, phase:4, block, capture, t:none, msg:'ingres SQL Information Leakage', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-multi', tag:'platform-ingres', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/116/54', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecRule RESPONSE_BODY "@rx (?i:Warning: ibase_|Unexpected end of command in statement)" "id:951200, phase:4, block, capture, t:none, msg:'interbase SQL Information Leakage', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-multi', tag:'platform-interbase', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/116/54', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" "id:951210, phase:4, block, capture, t:none, msg:'maxDB SQL Information Leakage', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-multi', tag:'platform-maxdb', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/116/54', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}', 
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.)" "id:951220, phase:4, block, capture, t:none, msg:'mssql SQL Information Leakage', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-multi', tag:'platform-mssql', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/116/54', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
 # Regular expression generated from regex-assembly/951230.ra.
# To update the regular expression run the following shell script
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 # crs-toolchain regex update 951230
 #
-SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient\.)|\[MySQL\]\[ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[\(-\)_a-z]{1,26})?|ERROR [0-9]{4} \([0-9a-z]{5}\):" \
- "id:951230,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'mysql SQL Information Leakage',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-mysql',\
- tag:'attack-disclosure',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient\.)|\[MySQL\]\[ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[\(-\)_a-z]{1,26})?|ERROR [0-9]{4} \([0-9a-z]{5}\):" "id:951230, phase:4, block, capture, t:none, msg:'mysql SQL Information Leakage', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-multi', tag:'platform-mysql', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/116/54', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', 
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
 # Regular expression generated from regex-assembly/951240.ra.
 # To update the regular expression run the following shell script
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 # crs-toolchain regex update 951240
 #
-SecRule RESPONSE_BODY "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|pg_(?:query|exec)\(\) \[:|Warning.{1,20}\bpg_.*|valid PostgreSQL result|Npgsql\.|Supplied argument is not a valid PostgreSQL .*? resource|Unable to connect to PostgreSQL server" \
- "id:951240,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'postgres SQL Information Leakage',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-pgsql',\
- tag:'attack-disclosure',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
-
-SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\.Exception|System\.Data\.SQLite\.SQLiteException)" \
- "id:951250,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'sqlite SQL Information Leakage',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-sqlite',\
- tag:'attack-disclosure',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
-
-SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server 
message.*)" \
- "id:951260,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'Sybase SQL Information Leakage',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-sybase',\
- tag:'attack-disclosure',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116/54',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
- setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+SecRule RESPONSE_BODY "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|pg_(?:query|exec)\(\) \[:|Warning.{1,20}\bpg_.*|valid PostgreSQL result|Npgsql\.|Supplied argument is not a valid PostgreSQL .*? resource|Unable to connect to PostgreSQL server" "id:951240, phase:4, block, capture, t:none, msg:'postgres SQL Information Leakage', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-multi', tag:'platform-pgsql', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/116/54', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\.Exception|System\.Data\.SQLite\.SQLiteException)" "id:951250, phase:4, block, capture, t:none, msg:'sqlite SQL Information Leakage', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-multi', tag:'platform-sqlite', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/116/54', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecRule RESPONSE_BODY 
"@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message.*)" "id:951260, phase:4, block, capture, t:none, msg:'Sybase SQL Information Leakage', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-multi', tag:'platform-sybase', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/116/54', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}', setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
 SecMarker "END-SQL-ERROR-MATCH-PL1"
diff --git a/appsec/crs/RESPONSE-952-DATA-LEAKAGES-JAVA.conf b/appsec/crs/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
index e9320953..37a0404a 100644
--- a/appsec/crs/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
+++ b/appsec/crs/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
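Review bot: The comments kept above 951230 and 951240 still tell the reader to refresh the pattern with `crs-toolchain regex update 951230`, but the rewrite now puts the `@rx` operator and the `id:` action on the same line, which is not the layout those upstream comments were written for, and I have not verified that the tool still locates and replaces the regex in this form. Either confirm the command against the flattened file, or reword the comment so it stops promising a workflow that may no longer apply, e.g. `# Regular expression generated upstream from regex-assembly/951230.ra; update it there and re-flatten rather than editing the pattern here.` A smaller point: 951100 still gates this whole block with `!@pmFromFile sql-errors.data` plus `skipAfter:END-SQL-ERROR-MATCH-PL1`, so the data file has to travel with these flattened files or the PL1 rules are never reached — unchanged by this commit, but easy to lose when the rule set is copied into another tree.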
@@ -23,50 +23,14 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952012,phase:4,pass,nolog,skipAf
 #
 # -=[ Java Source Code Leakages ]=-
 #
-SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
- "id:952100,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'Java Source Code Leakage',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-java',\
- tag:'platform-multi',\
- tag:'attack-disclosure',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116',\
- tag:'PCI/6.5.6',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'ERROR',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
+SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" "id:952100, phase:4, block, capture, t:none, msg:'Java Source Code Leakage', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-java', tag:'platform-multi', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/116', tag:'PCI/6.5.6', ver:'OWASP_CRS/4.0.0-rc1', severity:'ERROR', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 #
 # -=[ Java Errors ]=-
 #
 # Ref: https://github.com/andresriancho/w3af/blob/master/w3af/plugins/grep/error_pages.py
 #
-SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
- "id:952110,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'Java Errors',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-java',\
- tag:'platform-multi',\
- tag:'attack-disclosure',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116',\
- tag:'PCI/6.5.6',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'ERROR',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
+SecRule RESPONSE_BODY "@pmFromFile java-errors.data" "id:952110, phase:4, block, capture, t:none, msg:'Java Errors', logdata:'Matched Data: %{TX.0} found within 
%{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-java', tag:'platform-multi', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/116', tag:'PCI/6.5.6', ver:'OWASP_CRS/4.0.0-rc1', severity:'ERROR', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
diff --git a/appsec/crs/RESPONSE-953-DATA-LEAKAGES-PHP.conf b/appsec/crs/RESPONSE-953-DATA-LEAKAGES-PHP.conf
index 5bb3c41d..510861a9 100644
--- a/appsec/crs/RESPONSE-953-DATA-LEAKAGES-PHP.conf
+++ b/appsec/crs/RESPONSE-953-DATA-LEAKAGES-PHP.conf
@@ -23,50 +23,14 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,skipAf
 #
 # -=[ PHP Error Message Leakage ]=-
 #
-SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \
- "id:953100,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'PHP Information Leakage',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-php',\
- tag:'platform-multi',\
- tag:'attack-disclosure',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116',\
- tag:'PCI/6.5.6',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'ERROR',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
+SecRule RESPONSE_BODY "@pmFromFile php-errors.data" "id:953100, phase:4, block, capture, t:none, msg:'PHP Information Leakage', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-php', tag:'platform-multi', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/116', tag:'PCI/6.5.6', ver:'OWASP_CRS/4.0.0-rc1', severity:'ERROR', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 #
 # -=[ PHP source code leakage ]=-
 #
 # Detect some common PHP keywords in output.
#
-SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" \
- "id:953110,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'PHP source code leakage',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-php',\
- tag:'platform-multi',\
- tag:'attack-disclosure',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116',\
- tag:'PCI/6.5.6',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'ERROR',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
+SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" "id:953110, phase:4, block, capture, t:none, msg:'PHP source code leakage', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-php', tag:'platform-multi', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/116', tag:'PCI/6.5.6', ver:'OWASP_CRS/4.0.0-rc1', severity:'ERROR', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 # Detect the presence of the PHP open tag ".{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)
Timeout expired
)|

internal server error

.*?

part of the server has crashed or it has a configuration error\.

|cannot connect to the server: timed out)" \
- "id:954110,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'Application Availability Error',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-iis',\
- tag:'platform-windows',\
- tag:'attack-disclosure',\
- tag:'paranoia-level/1',\
- tag:'PCI/6.5.6',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'ERROR',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
+SecRule RESPONSE_BODY "@rx [a-z]:\x5cinetpub\b" "id:954100, phase:4, block, capture, t:none,t:lowercase, msg:'Disclosure of IIS install location', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-multi', tag:'platform-iis', tag:'platform-windows', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/116', ver:'OWASP_CRS/4.0.0-rc1', severity:'ERROR', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
+
+SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| \(0x80040e31\)
Timeout expired
)|

internal server error

.*?

part of the server has crashed or it has a configuration error\.

|cannot connect to the server: timed out)" "id:954110, phase:4, block, capture, t:none, msg:'Application Availability Error', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-multi', tag:'platform-iis', tag:'platform-windows', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'PCI/6.5.6', tag:'OWASP_CRS', tag:'capec/1000/118/116', ver:'OWASP_CRS/4.0.0-rc1', severity:'ERROR', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 #
 # IIS Errors leakage
 #
-SecRule RESPONSE_BODY "@pmFromFile iis-errors.data" \
- "id:954120,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'IIS Information Leakage',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-iis',\
- tag:'platform-windows',\
- tag:'attack-disclosure',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116',\
- tag:'PCI/6.5.6',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'ERROR',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
-
-
-SecRule RESPONSE_STATUS "!@rx ^404$" \
- "id:954130,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'IIS Information Leakage',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'application-multi',\
- tag:'language-multi',\
- tag:'platform-iis',\
- tag:'platform-windows',\
- tag:'attack-disclosure',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/118/116',\
- tag:'PCI/6.5.6',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'ERROR',\
- chain"
- SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \
- "capture,\
- t:none,\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
+SecRule RESPONSE_BODY "@pmFromFile iis-errors.data" "id:954120, phase:4, block, capture, t:none, msg:'IIS Information Leakage', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-multi', 
tag:'platform-iis', tag:'platform-windows', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/116', tag:'PCI/6.5.6', ver:'OWASP_CRS/4.0.0-rc1', severity:'ERROR', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
+
+
+SecRule RESPONSE_STATUS "!@rx ^404$" "id:954130, phase:4, block, capture, t:none, msg:'IIS Information Leakage', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'application-multi', tag:'language-multi', tag:'platform-iis', tag:'platform-windows', tag:'attack-disclosure', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/118/116', tag:'PCI/6.5.6', ver:'OWASP_CRS/4.0.0-rc1', severity:'ERROR', chain"
+ SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" "capture, t:none, setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
diff --git a/appsec/crs/RESPONSE-955-WEB-SHELLS.conf b/appsec/crs/RESPONSE-955-WEB-SHELLS.conf
index 8b58b26e..a4262f3b 100644
--- a/appsec/crs/RESPONSE-955-WEB-SHELLS.conf
+++ b/appsec/crs/RESPONSE-955-WEB-SHELLS.conf
@@ -22,481 +22,81 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955012,phase:4,pass,nolog,skipAf
 # For performance reasons, most of the shells are matched using this rule.
 # This rule is intended for PHP web shells.
-SecRule RESPONSE_BODY "@pmFromFile web-shells-php.data" \
- "id:955100,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'Web shell detected',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'language-php',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/225/122/17/650',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule RESPONSE_BODY "@pmFromFile web-shells-php.data" "id:955100, phase:4, block, capture, t:none, msg:'Web shell detected', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'language-php', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/225/122/17/650', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # r57 web shell
-SecRule RESPONSE_BODY "@rx (r57 Shell Version [0-9.]+|r57 shell)" \
- "id:955110,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'r57 web shell',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'language-php',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/225/122/17/650',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule RESPONSE_BODY "@rx (r57 Shell Version [0-9.]+|r57 shell)" "id:955110, phase:4, block, capture, t:none, msg:'r57 web shell', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'language-php', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/225/122/17/650', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # WSO web shell
-SecRule RESPONSE_BODY "@rx ^.*? - WSO [0-9.]+" \
- "id:955120,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'WSO web shell',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'language-php',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/225/122/17/650',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule RESPONSE_BODY "@rx ^.*? - WSO [0-9.]+" "id:955120, phase:4, block, capture, t:none, msg:'WSO web shell', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'language-php', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/225/122/17/650', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # b4tm4n web shell (https://github.com/k4mpr3t/b4tm4n)
-SecRule RESPONSE_BODY "@rx B4TM4N SH3LL.*" \
- "id:955130,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'b4tm4n web shell',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'language-php',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/225/122/17/650',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule RESPONSE_BODY "@rx B4TM4N SH3LL.*" "id:955130, phase:4, block, capture, t:none, msg:'b4tm4n web shell', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'language-php', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/225/122/17/650', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', 
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # Mini Shell web shell
-SecRule RESPONSE_BODY "@rx Mini Shell.*Developed By LameHacker" \
- "id:955140,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'Mini Shell web shell',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'language-php',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/225/122/17/650',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule RESPONSE_BODY "@rx Mini Shell.*Developed By LameHacker" "id:955140, phase:4, block, capture, t:none, msg:'Mini Shell web shell', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'language-php', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/225/122/17/650', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # Ashiyane web shell
-SecRule RESPONSE_BODY "@rx \.:: .* ~ Ashiyane V [0-9.]+ ::\." \
- "id:955150,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'Ashiyane web shell',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'language-php',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/225/122/17/650',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule RESPONSE_BODY "@rx \.:: .* ~ Ashiyane V [0-9.]+ ::\." "id:955150, phase:4, block, capture, t:none, msg:'Ashiyane web shell', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'language-php', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/225/122/17/650', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # Symlink_Sa web shell
-SecRule RESPONSE_BODY "@rx Symlink_Sa [0-9.]+" \
- "id:955160,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'Symlink_Sa web shell',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'language-php',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/225/122/17/650',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule RESPONSE_BODY "@rx Symlink_Sa [0-9.]+" "id:955160, phase:4, block, capture, t:none, msg:'Symlink_Sa web shell', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'language-php', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/225/122/17/650', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # CasuS web shell
-SecRule RESPONSE_BODY "@rx CasuS [0-9.]+ by MafiABoY" \
- "id:955170,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'CasuS web shell',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'language-php',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/225/122/17/650',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule RESPONSE_BODY "@rx CasuS [0-9.]+ by MafiABoY" "id:955170, phase:4, block, capture, t:none, msg:'CasuS web shell', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'language-php', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/225/122/17/650', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # GRP WebShell
-SecRule RESPONSE_BODY "@rx ^\r\n\r\nGRP WebShell [0-9.]+ " \
- "id:955180,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'GRP WebShell',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'language-php',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/225/122/17/650',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<title>GRP WebShell [0-9.]+ " "id:955180, phase:4, block, capture, t:none, msg:'GRP WebShell', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'language-php', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/225/122/17/650', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 # NGHshell web shell
-SecRule RESPONSE_BODY "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>\n$" \
- "id:955190,\
- phase:4,\
- block,\
- capture,\
- t:none,\
- msg:'NGHshell web shell',\
- logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
- tag:'language-php',\
- tag:'platform-multi',\
- tag:'attack-rce',\
- tag:'paranoia-level/1',\
- tag:'OWASP_CRS',\
- tag:'capec/1000/225/122/17/650',\
- ver:'OWASP_CRS/4.0.0-rc1',\
- severity:'CRITICAL',\
- setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+SecRule RESPONSE_BODY "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>\n$" "id:955190, phase:4, block, capture, t:none, msg:'NGHshell web shell', logdata:'Matched Data: %{TX.0} found within 
%{MATCHED_VAR_NAME}', tag:'language-php', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/225/122/17/650', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # SimAttacker web shell -SecRule RESPONSE_BODY "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ - " \ - "id:955200,\ - phase:4,\ - block,\ - capture,\ - t:none,\ - msg:'SimAttacker web shell',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ - tag:'language-php',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule RESPONSE_BODY "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ - " "id:955200, phase:4, block, capture, t:none, msg:'SimAttacker web shell', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'language-php', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/225/122/17/650', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Unknown web shell -SecRule RESPONSE_BODY "@rx ^<!DOCTYPE html>\n<html>\n<!-- By Artyum .*<title>Web Shell" \ - "id:955210,\ - phase:4,\ - block,\ - capture,\ - t:none,\ - msg:'Unknown web shell',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ - tag:'language-php',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule RESPONSE_BODY "@rx ^\n\n" \ - "id:955240,\ - phase:4,\ - block,\ - capture,\ - t:none,\ - msg:'Unknown web shell',\ - logdata:'Matched Data: %{TX.0} 
found within %{MATCHED_VAR_NAME}',\ - tag:'language-php',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule RESPONSE_BODY "@rx ^PHP Web Shell\r\n\r\n\r\n " "id:955240, phase:4, block, capture, t:none, msg:'Unknown web shell', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'language-php', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/225/122/17/650', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Unknown web shell -SecRule RESPONSE_BODY "@rx ^\n\n
Input command :
\n
" \ - "id:955250,\ - phase:4,\ - block,\ - capture,\ - t:none,\ - msg:'Unknown web shell',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ - tag:'language-php',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule RESPONSE_BODY "@rx ^\n\n
Input command :
\n" "id:955250, phase:4, block, capture, t:none, msg:'Unknown web shell', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'language-php', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/225/122/17/650', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Ru24PostWebShell web shell -SecRule RESPONSE_BODY "@rx ^\n\nRu24PostWebShell - " \ - "id:955260,\ - phase:4,\ - block,\ - capture,\ - t:none,\ - msg:'Ru24PostWebShell web shell',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ - tag:'language-php',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<title>Ru24PostWebShell - " "id:955260, phase:4, block, capture, t:none, msg:'Ru24PostWebShell web shell', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'language-php', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/225/122/17/650', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # s72 Shell web shell -SecRule RESPONSE_BODY "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King" \ - "id:955270,\ - phase:4,\ - block,\ - capture,\ - t:none,\ - msg:'s72 Shell web shell',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ - tag:'language-php',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule RESPONSE_BODY "@rx s72 Shell v[0-9.]+ Codinf by Cr@zy_King" 
"id:955270, phase:4, block, capture, t:none, msg:'s72 Shell web shell', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'language-php', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/225/122/17/650', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # PhpSpy web shell -SecRule RESPONSE_BODY "@rx ^\r\n\r\n\r\nPhpSpy Ver [0-9]+" \ - "id:955280,\ - phase:4,\ - block,\ - capture,\ - t:none,\ - msg:'PhpSpy web shell',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ - tag:'language-php',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule RESPONSE_BODY "@rx ^\r\n\r\n\r\nPhpSpy Ver [0-9]+" "id:955280, phase:4, block, capture, t:none, msg:'PhpSpy web shell', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'language-php', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/225/122/17/650', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # g00nshell web shell -SecRule RESPONSE_BODY "@rx ^ \n\n\n\ng00nshell v[0-9.]+ " \ - "id:955290,\ - phase:4,\ - block,\ - capture,\ - t:none,\ - msg:'g00nshell web shell',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ - tag:'language-php',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule RESPONSE_BODY "@rx ^ <html>\n\n<head>\n\n<title>g00nshell v[0-9.]+ " "id:955290, phase:4, block, capture, t:none, 
msg:'g00nshell web shell', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'language-php', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/225/122/17/650', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # PuNkHoLic shell web shell # Various versions has this text written little differently so we need to do # t:removeWhitespace and t:lowercase. -SecRule RESPONSE_BODY "@contains <title>punkholicshell" \ - "id:955300,\ - phase:4,\ - block,\ - capture,\ - t:none,t:removeWhitespace,t:lowercase,\ - msg:'PuNkHoLic shell web shell',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ - tag:'language-php',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule RESPONSE_BODY "@contains punkholicshell" "id:955300, phase:4, block, capture, t:none,t:removeWhitespace,t:lowercase, msg:'PuNkHoLic shell web shell', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'language-php', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/225/122/17/650', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # azrail web shell -SecRule RESPONSE_BODY "@rx ^\n \n azrail [0-9.]+ by C-W-M" \ - "id:955310,\ - phase:4,\ - block,\ - capture,\ - t:none,\ - msg:'azrail web shell',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\ - tag:'language-php',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - 
setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +SecRule RESPONSE_BODY "@rx ^\n \n azrail [0-9.]+ by C-W-M" "id:955310, phase:4, block, capture, t:none, msg:'azrail web shell', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}', tag:'language-php', tag:'platform-multi', tag:'attack-rce', tag:'paranoia-level/1', tag:'OWASP_CRS', tag:'capec/1000/225/122/17/650', ver:'OWASP_CRS/4.0.0-rc1', severity:'CRITICAL', setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # SmEvK_PaThAn Shell web shell -SecRule RESPONSE_BODY "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by SmEvK_PaThAn Shell v[0-9]+ coded by \n.*? ~ Shell I\n\n