From e90060ce6854f9ae2c56c56fe3cfeca864021a17 Mon Sep 17 00:00:00 2001 From: bunkerity Date: Tue, 20 Aug 2019 21:25:16 +0000 Subject: [PATCH] initial work --- Dockerfile | 22 + compile.sh | 37 + confs/auto-lets-encrypt.conf | 8 + confs/block-user-agent.conf | 3 + confs/cache.conf | 4 + confs/disable-default-server.conf | 4 + confs/error.conf | 7 + confs/feature-policy.conf | 1 + confs/geoip.conf | 7 + confs/gzip.conf | 9 + confs/map-user-agent.conf | 4 + confs/modsecurity-rules.conf | 59 + confs/modsecurity.conf | 2 + confs/nginx.conf | 85 + confs/owasp-crs.conf | 845 +++++++ ...00-EXCLUSION-RULES-BEFORE-CRS.conf.example | 165 ++ .../owasp-crs/REQUEST-901-INITIALIZATION.conf | 424 ++++ ...QUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf | 382 ++++ ...ST-903.9002-WORDPRESS-EXCLUSION-RULES.conf | 639 ++++++ ...ST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf | 355 +++ ...EST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf | 261 +++ ...QUEST-903.9005-CPANEL-EXCLUSION-RULES.conf | 60 + .../REQUEST-905-COMMON-EXCEPTIONS.conf | 52 + .../owasp-crs/REQUEST-910-IP-REPUTATION.conf | 311 +++ .../REQUEST-911-METHOD-ENFORCEMENT.conf | 78 + .../owasp-crs/REQUEST-912-DOS-PROTECTION.conf | 297 +++ .../REQUEST-913-SCANNER-DETECTION.conf | 210 ++ .../REQUEST-920-PROTOCOL-ENFORCEMENT.conf | 1549 +++++++++++++ .../REQUEST-921-PROTOCOL-ATTACK.conf | 297 +++ .../REQUEST-930-APPLICATION-ATTACK-LFI.conf | 159 ++ .../REQUEST-931-APPLICATION-ATTACK-RFI.conf | 153 ++ .../REQUEST-932-APPLICATION-ATTACK-RCE.conf | 703 ++++++ .../REQUEST-933-APPLICATION-ATTACK-PHP.conf | 671 ++++++ .../REQUEST-941-APPLICATION-ATTACK-XSS.conf | 900 ++++++++ .../REQUEST-942-APPLICATION-ATTACK-SQLI.conf | 1571 +++++++++++++ ...3-APPLICATION-ATTACK-SESSION-FIXATION.conf | 138 ++ .../REQUEST-944-APPLICATION-ATTACK-JAVA.conf | 301 +++ .../REQUEST-949-BLOCKING-EVALUATION.conf | 132 ++ .../owasp-crs/RESPONSE-950-DATA-LEAKAGES.conf | 110 + .../RESPONSE-951-DATA-LEAKAGES-SQL.conf | 489 +++++ .../RESPONSE-952-DATA-LEAKAGES-JAVA.conf | 107 + .../RESPONSE-953-DATA-LEAKAGES-PHP.conf | 141 ++ .../RESPONSE-954-DATA-LEAKAGES-IIS.conf | 154 ++ .../RESPONSE-959-BLOCKING-EVALUATION.conf | 108 + confs/owasp-crs/RESPONSE-980-CORRELATION.conf | 161 ++ ...999-EXCLUSION-RULES-AFTER-CRS.conf.example | 75 + confs/owasp-crs/crawlers-user-agents.data | 34 + confs/owasp-crs/iis-errors.data | 13 + confs/owasp-crs/java-classes.data | 38 + confs/owasp-crs/java-code-leakages.data | 17 + confs/owasp-crs/java-errors.data | 10 + confs/owasp-crs/lfi-os-files.data | 1115 ++++++++++ confs/owasp-crs/php-config-directives.data | 276 +++ confs/owasp-crs/php-errors.data | 220 ++ .../owasp-crs/php-function-names-933150.data | 39 + .../owasp-crs/php-function-names-933151.data | 1269 +++++++++++ confs/owasp-crs/php-variables.data | 19 + confs/owasp-crs/restricted-files.data | 116 + confs/owasp-crs/restricted-upload.data | 23 + confs/owasp-crs/scanners-headers.data | 8 + confs/owasp-crs/scanners-urls.data | 17 + confs/owasp-crs/scanners-user-agents.data | 195 ++ confs/owasp-crs/scripting-user-agents.data | 28 + confs/owasp-crs/sql-errors.data | 80 + confs/owasp-crs/sql-function-names.data | 236 ++ confs/owasp-crs/unix-shell.data | 78 + .../windows-powershell-commands.data | 253 +++ confs/php.conf | 5 + confs/php.ini | 1950 +++++++++++++++++ confs/referrer-policy.conf | 1 + confs/server.conf | 26 + confs/x-content-type-options.conf | 1 + confs/x-frame-options.conf | 1 + confs/x-xss-protection.conf | 1 + entrypoint.sh | 229 ++ scripts/certbot-renew.sh | 7 + scripts/exit-nodes.sh | 11 + scripts/geolite.sh | 7 + scripts/user-agents.sh | 22 + www/403.html | 1 + www/404.html | 1 + www/index.php | 5 + 82 files changed, 18602 insertions(+) create mode 100644 Dockerfile create mode 100644 compile.sh create mode 100644 confs/auto-lets-encrypt.conf create mode 100644 confs/block-user-agent.conf create mode 100644 confs/cache.conf create mode 100644 confs/disable-default-server.conf create mode 100644 confs/error.conf create mode 100644 confs/feature-policy.conf create mode 100644 confs/geoip.conf create mode 100644 confs/gzip.conf create mode 100644 confs/map-user-agent.conf create mode 100644 confs/modsecurity-rules.conf create mode 100644 confs/modsecurity.conf create mode 100644 confs/nginx.conf create mode 100644 confs/owasp-crs.conf create mode 100644 confs/owasp-crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example create mode 100644 confs/owasp-crs/REQUEST-901-INITIALIZATION.conf create mode 100644 confs/owasp-crs/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf create mode 100644 confs/owasp-crs/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf create mode 100644 confs/owasp-crs/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf create mode 100644 confs/owasp-crs/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf create mode 100644 confs/owasp-crs/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf create mode 100644 confs/owasp-crs/REQUEST-905-COMMON-EXCEPTIONS.conf create mode 100644 confs/owasp-crs/REQUEST-910-IP-REPUTATION.conf create mode 100644 confs/owasp-crs/REQUEST-911-METHOD-ENFORCEMENT.conf create mode 100644 confs/owasp-crs/REQUEST-912-DOS-PROTECTION.conf create mode 100644 confs/owasp-crs/REQUEST-913-SCANNER-DETECTION.conf create mode 100644 confs/owasp-crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf create mode 100644 confs/owasp-crs/REQUEST-921-PROTOCOL-ATTACK.conf create mode 100644 confs/owasp-crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf create mode 100644 confs/owasp-crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf create mode 100644 confs/owasp-crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf create mode 100644 confs/owasp-crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf create mode 100644 confs/owasp-crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf create mode 100644 confs/owasp-crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf create mode 100644 confs/owasp-crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf create mode 100644 confs/owasp-crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf create mode 100644 confs/owasp-crs/REQUEST-949-BLOCKING-EVALUATION.conf create mode 100644 confs/owasp-crs/RESPONSE-950-DATA-LEAKAGES.conf create mode 100644 confs/owasp-crs/RESPONSE-951-DATA-LEAKAGES-SQL.conf create mode 100644 confs/owasp-crs/RESPONSE-952-DATA-LEAKAGES-JAVA.conf create mode 100644 confs/owasp-crs/RESPONSE-953-DATA-LEAKAGES-PHP.conf create mode 100644 confs/owasp-crs/RESPONSE-954-DATA-LEAKAGES-IIS.conf create mode 100644 confs/owasp-crs/RESPONSE-959-BLOCKING-EVALUATION.conf create mode 100644 confs/owasp-crs/RESPONSE-980-CORRELATION.conf create mode 100644 confs/owasp-crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example create mode 100644 confs/owasp-crs/crawlers-user-agents.data create mode 100644 confs/owasp-crs/iis-errors.data create mode 100644 confs/owasp-crs/java-classes.data create mode 100644 confs/owasp-crs/java-code-leakages.data create mode 100644 confs/owasp-crs/java-errors.data create mode 100644 confs/owasp-crs/lfi-os-files.data create mode 100644 confs/owasp-crs/php-config-directives.data create mode 100644 confs/owasp-crs/php-errors.data create mode 100644 confs/owasp-crs/php-function-names-933150.data create mode 100644 confs/owasp-crs/php-function-names-933151.data create mode 100644 confs/owasp-crs/php-variables.data create mode 100644 confs/owasp-crs/restricted-files.data create mode 100644 confs/owasp-crs/restricted-upload.data create mode 100644 confs/owasp-crs/scanners-headers.data create mode 100644 confs/owasp-crs/scanners-urls.data create mode 100644 confs/owasp-crs/scanners-user-agents.data create mode 100644 confs/owasp-crs/scripting-user-agents.data create mode 100644 confs/owasp-crs/sql-errors.data create mode 100644 confs/owasp-crs/sql-function-names.data create mode 100644 confs/owasp-crs/unix-shell.data create mode 100644 confs/owasp-crs/windows-powershell-commands.data create mode 100644 confs/php.conf create mode 100644 confs/php.ini create mode 100644 confs/referrer-policy.conf create mode 100644 confs/server.conf create mode 100644 confs/x-content-type-options.conf create mode 100644 confs/x-frame-options.conf create mode 100644 confs/x-xss-protection.conf create mode 100644 entrypoint.sh create mode 100644 scripts/certbot-renew.sh create mode 100644 scripts/exit-nodes.sh create mode 100644 scripts/geolite.sh create mode 100755 scripts/user-agents.sh create mode 100644 www/403.html create mode 100644 www/404.html create mode 100644 www/index.php diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..c9611e3 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,22 @@ +FROM alpine + +COPY compile.sh /tmp/compile.sh +RUN chmod +x /tmp/compile.sh && \ + /tmp/compile.sh && \ + rm -rf /tmp/* + +COPY entrypoint.sh /opt/entrypoint.sh +COPY confs/ /opt/confs +COPY scripts/ /opt/scripts + +RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl && \ + chmod +x /opt/entrypoint.sh /opt/scripts/* && \ + mkdir /www && \ + adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx + +VOLUME /www + +EXPOSE 80 +EXPOSE 443 + +ENTRYPOINT ["/opt/entrypoint.sh"] diff --git a/compile.sh b/compile.sh new file mode 100644 index 0000000..1a34b9b --- /dev/null +++ b/compile.sh @@ -0,0 +1,37 @@ +#/bin/sh + +NTASK=$(($(nproc)*2)) + +# install build dependencies +apk add --no-cache --virtual build autoconf libtool automake git geoip-dev yajl-dev g++ curl-dev libxml2-dev pcre-dev make linux-headers libmaxminddb-dev + +# compile and install ModSecurity library +cd /tmp +git clone https://github.com/SpiderLabs/ModSecurity.git +cd ModSecurity +./build.sh +git submodule init +git submodule update +./configure --enable-static=no --disable-doxygen-doc --disable-dependency-tracking +make -j $NTASK +make install-strip + +# get nginx modules +cd /tmp +# ModSecurity connector for nginx +git clone https://github.com/SpiderLabs/ModSecurity-nginx.git +# headers more +git clone https://github.com/openresty/headers-more-nginx-module.git +# geoip +git clone https://github.com/leev/ngx_http_geoip2_module.git + +# compile and install nginx +cd /tmp +git clone https://github.com/nginx/nginx.git +cd nginx +./auto/configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx/nginx.pid --modules-path=/usr/lib/nginx/modules --with-file-aio --with-http_ssl_module --with-http_v2_module --add-module=/tmp/ModSecurity-nginx --add-module=/tmp/headers-more-nginx-module --add-module=/tmp/ngx_http_geoip2_module +make -j $NTASK +make install + +# remove build dependencies +apk del build diff --git a/confs/auto-lets-encrypt.conf b/confs/auto-lets-encrypt.conf new file mode 100644 index 0000000..7911e76 --- /dev/null +++ b/confs/auto-lets-encrypt.conf @@ -0,0 +1,8 @@ +listen 0.0.0.0:443 ssl %HTTP2%; +server_name %SERVER_NAME%; +ssl_certificate /etc/letsencrypt/live/%SERVER_NAME%/fullchain.pem; +ssl_certificate_key /etc/letsencrypt/live/%SERVER_NAME%/privkey.pem; +ssl_protocols TLSv1.3; +ssl_prefer_server_ciphers off; +ssl_session_tickets off; +%STRICT_TRANSPORT_SECURITY% diff --git a/confs/block-user-agent.conf b/confs/block-user-agent.conf new file mode 100644 index 0000000..712b4b3 --- /dev/null +++ b/confs/block-user-agent.conf @@ -0,0 +1,3 @@ +if ($bad_user_agent = yes) { + return 444; +} diff --git a/confs/cache.conf b/confs/cache.conf new file mode 100644 index 0000000..2b12cfd --- /dev/null +++ b/confs/cache.conf @@ -0,0 +1,4 @@ +open_file_cache %CACHE%; +open_file_cache_errors %CACHE_ERRORS%; +open_file_cache_min_uses %CACHE_USES%; +open_file_cache_valid %CACHE_VALID%; diff --git a/confs/disable-default-server.conf b/confs/disable-default-server.conf new file mode 100644 index 0000000..ede9fa8 --- /dev/null +++ b/confs/disable-default-server.conf @@ -0,0 +1,4 @@ +server { + listen 0.0.0.0:80 default_server; + return 444; +} diff --git a/confs/error.conf b/confs/error.conf new file mode 100644 index 0000000..534ec3a --- /dev/null +++ b/confs/error.conf @@ -0,0 +1,7 @@ +error_page %CODE% %PAGE%; + +location = %PAGE% { + root /www; + modsecurity off; + internal; +} diff --git a/confs/feature-policy.conf b/confs/feature-policy.conf new file mode 100644 index 0000000..64c6e8e --- /dev/null +++ b/confs/feature-policy.conf @@ -0,0 +1 @@ +more_set_headers "Feature-Policy: %FEATURE_POLICY%"; diff --git a/confs/geoip.conf b/confs/geoip.conf new file mode 100644 index 0000000..52d75b5 --- /dev/null +++ b/confs/geoip.conf @@ -0,0 +1,7 @@ +map $geoip2_data_country_code $allowed_country { + default yes; + %BLOCK_COUNTRY% +} +if ($allowed_country = no) { + return 403; +} diff --git a/confs/gzip.conf b/confs/gzip.conf new file mode 100644 index 0000000..e858fc1 --- /dev/null +++ b/confs/gzip.conf @@ -0,0 +1,9 @@ +# /etc/nginx/gzip.conf + +# enable/disable gzip compression +gzip %USE_GZIP%; +gzip_comp_level %GZIP_COMP_LEVEL%; +gzip_disable msie6; +gzip_min_length %GZIP_MIN_LENGTH%; +gzip_proxied any; +gzip_types %GZIP_TYPES%; diff --git a/confs/map-user-agent.conf b/confs/map-user-agent.conf new file mode 100644 index 0000000..468c37c --- /dev/null +++ b/confs/map-user-agent.conf @@ -0,0 +1,4 @@ +map $http_user_agent $bad_user_agent { + default no; + %BLOCK_USER_AGENT% +} diff --git a/confs/modsecurity-rules.conf b/confs/modsecurity-rules.conf new file mode 100644 index 0000000..bf74b09 --- /dev/null +++ b/confs/modsecurity-rules.conf @@ -0,0 +1,59 @@ +# process rules with disruptive actions +SecRuleEngine On + +# allow body checks +SecRequestBodyAccess On + +# enable XML parsing +SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \ + "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" + +# enable JSON parsing +SecRule REQUEST_HEADERS:Content-Type "application/json" \ + "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON" + +# maximum data size +SecRequestBodyLimit 13107200 +SecRequestBodyNoFilesLimit 131072 + +# reject requests if bigger than max data size +SecRequestBodyLimitAction Reject + +# reject if we can't process the body +SecRule REQBODY_ERROR "!@eq 0" \ +"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2" + +# be strict with multipart/form-data body +SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ +"id:'200003',phase:2,t:none,log,deny,status:400, \ +msg:'Multipart request body failed strict validation: \ +PE %{REQBODY_PROCESSOR_ERROR}, \ +BQ %{MULTIPART_BOUNDARY_QUOTED}, \ +BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ +DB %{MULTIPART_DATA_BEFORE}, \ +DA %{MULTIPART_DATA_AFTER}, \ +HF %{MULTIPART_HEADER_FOLDING}, \ +LF %{MULTIPART_LF_LINE}, \ +SM %{MULTIPART_MISSING_SEMICOLON}, \ +IQ %{MULTIPART_INVALID_QUOTING}, \ +IP %{MULTIPART_INVALID_PART}, \ +IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ +FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'" +SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \ + "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'" + +# enable response body checks +SecResponseBodyAccess On +SecResponseBodyMimeType text/plain text/html text/xml application/json +SecResponseBodyLimit 524288 +SecResponseBodyLimitAction ProcessPartial + +# log usefull stuff +SecAuditEngine RelevantOnly +SecAuditLogRelevantStatus "^(?:5|4(?!04))" +SecAuditLogType Serial +SecAuditLog /var/log/modsec_audit.log + +# include OWASP CRS rules +include /etc/nginx/owasp-crs.conf +include /etc/nginx/owasp-crs/*.conf diff --git a/confs/modsecurity.conf b/confs/modsecurity.conf new file mode 100644 index 0000000..4eee500 --- /dev/null +++ b/confs/modsecurity.conf @@ -0,0 +1,2 @@ +modsecurity on; +modsecurity_rules_file /etc/nginx/modsecurity-rules.conf; diff --git a/confs/nginx.conf b/confs/nginx.conf new file mode 100644 index 0000000..d504a60 --- /dev/null +++ b/confs/nginx.conf @@ -0,0 +1,85 @@ +# /etc/nginx/nginx.conf + +# do not run as daemon +daemon off; + +# do NOT run as root +user nginx; + +# worker number = CPU core(s) +worker_processes auto; + +# faster regexp +pcre_jit on; + +# display warnings and errors on stderr +error_log stderr warn; + +# config files for dynamic modules +include /etc/nginx/modules/*.conf; + +events { + # max connections per worker + worker_connections 1024; + + # epoll seems to be the best on Linux + use epoll; +} + +http { + # zero copy within the kernel + sendfile on; + + # send packets only if filled + tcp_nopush on; + + # remove 200ms delay + tcp_nodelay on; + + # load mime types and set default one + include /etc/nginx/mime.types; + default_type application/octet-stream; + + # load gzip custom config + include /etc/nginx/gzip.conf; + + # maximum request body size + client_max_body_size %MAX_CLIENT_SIZE%; + + # load caching custom config + include /etc/nginx/cache.conf; + + # close connections in FIN_WAIT1 state + reset_timedout_connection on; + + # timeouts + client_body_timeout 12; + client_header_timeout 12; + keepalive_timeout 15; + send_timeout 10; + + # enable/disable sending nginx version + server_tokens %SERVER_TOKENS%; + + # display standard logs on stdout + access_log /dev/stdout; + + # server config + include /etc/nginx/server.conf; + + # disable default server + %DISABLE_DEFAULT_SERVER% + + # geoip2 config + geoip2 /etc/nginx/geoip.mmdb { + auto_reload 5m; + $geoip2_metadata_country_build metadata build_epoch; + $geoip2_data_country_code country iso_code; + } + + # check if user agent is blocked + %BLOCK_USER_AGENT% + + # enable ModSecurity + %USE_MODSECURITY% +} diff --git a/confs/owasp-crs.conf b/confs/owasp-crs.conf new file mode 100644 index 0000000..bfc2395 --- /dev/null +++ b/confs/owasp-crs.conf @@ -0,0 +1,845 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + + +# +# -- [[ Introduction ]] -------------------------------------------------------- +# +# The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack +# detection rules that provide a base level of protection for any web +# application. They are written for the open source, cross-platform +# ModSecurity Web Application Firewall. +# +# See also: +# https://coreruleset.org/ +# https://github.com/SpiderLabs/owasp-modsecurity-crs +# https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project +# + + +# +# -- [[ System Requirements ]] ------------------------------------------------- +# +# CRS requires ModSecurity version 2.8.0 or above. +# We recommend to always use the newest ModSecurity version. +# +# The configuration directives/settings in this file are used to control +# the OWASP ModSecurity CRS. These settings do **NOT** configure the main +# ModSecurity settings (modsecurity.conf) such as SecRuleEngine, +# SecRequestBodyAccess, SecAuditEngine, SecDebugLog, and XML processing. +# +# The CRS assumes that modsecurity.conf has been loaded. It is bundled with +# ModSecurity. If you don't have it, you can get it from: +# 2.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v2/master/modsecurity.conf-recommended +# 3.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended +# +# The order of file inclusion in your webserver configuration should always be: +# 1. modsecurity.conf +# 2. crs-setup.conf (this file) +# 3. rules/*.conf (the CRS rule files) +# +# Please refer to the INSTALL file for detailed installation instructions. +# + + +# +# -- [[ Mode of Operation: Anomaly Scoring vs. Self-Contained ]] --------------- +# +# The CRS can run in two modes: +# +# -- [[ Anomaly Scoring Mode (default) ]] -- +# In CRS3, anomaly mode is the default and recommended mode, since it gives the +# most accurate log information and offers the most flexibility in setting your +# blocking policies. It is also called "collaborative detection mode". +# In this mode, each matching rule increases an 'anomaly score'. +# At the conclusion of the inbound rules, and again at the conclusion of the +# outbound rules, the anomaly score is checked, and the blocking evaluation +# rules apply a disruptive action, by default returning an error 403. +# +# -- [[ Self-Contained Mode ]] -- +# In this mode, rules apply an action instantly. This was the CRS2 default. +# It can lower resource usage, at the cost of less flexibility in blocking policy +# and less informative audit logs (only the first detected threat is logged). +# Rules inherit the disruptive action that you specify (i.e. deny, drop, etc). +# The first rule that matches will execute this action. In most cases this will +# cause evaluation to stop after the first rule has matched, similar to how many +# IDSs function. +# +# -- [[ Alert Logging Control ]] -- +# In the mode configuration, you must also adjust the desired logging options. +# There are three common options for dealing with logging. By default CRS enables +# logging to the webserver error log (or Event viewer) plus detailed logging to +# the ModSecurity audit log (configured under SecAuditLog in modsecurity.conf). +# +# - To log to both error log and ModSecurity audit log file, use: "log,auditlog" +# - To log *only* to the ModSecurity audit log file, use: "nolog,auditlog" +# - To log *only* to the error log file, use: "log,noauditlog" +# +# Examples for the various modes follow. +# You must leave one of the following options enabled. +# Note that you must specify the same line for phase:1 and phase:2. +# + +# Default: Anomaly Scoring mode, log to error log, log to ModSecurity audit log +# - By default, offending requests are blocked with an error 403 response. +# - To change the disruptive action, see RESPONSE-999-EXCEPTIONS.conf.example +# and review section 'Changing the Disruptive Action for Anomaly Mode'. +# - In Apache, you can use ErrorDocument to show a friendly error page or +# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html +# +SecDefaultAction "phase:1,log,auditlog,pass" +SecDefaultAction "phase:2,log,auditlog,pass" + +# Example: Anomaly Scoring mode, log only to ModSecurity audit log +# - By default, offending requests are blocked with an error 403 response. +# - To change the disruptive action, see RESPONSE-999-EXCEPTIONS.conf.example +# and review section 'Changing the Disruptive Action for Anomaly Mode'. +# - In Apache, you can use ErrorDocument to show a friendly error page or +# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html +# +# SecDefaultAction "phase:1,nolog,auditlog,pass" +# SecDefaultAction "phase:2,nolog,auditlog,pass" + +# Example: Self-contained mode, return error 403 on blocking +# - In this configuration the default disruptive action becomes 'deny'. After a +# rule triggers, it will stop processing the request and return an error 403. +# - You can also use a different error status, such as 404, 406, et cetera. +# - In Apache, you can use ErrorDocument to show a friendly error page or +# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html +# +# SecDefaultAction "phase:1,log,auditlog,deny,status:403" +# SecDefaultAction "phase:2,log,auditlog,deny,status:403" + +# Example: Self-contained mode, redirect back to homepage on blocking +# - In this configuration the 'tag' action includes the Host header data in the +# log. This helps to identify which virtual host triggered the rule (if any). +# - Note that this might cause redirect loops in some situations; for example +# if a Cookie or User-Agent header is blocked, it will also be blocked when +# the client subsequently tries to access the homepage. You can also redirect +# to another custom URL. +# SecDefaultAction "phase:1,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'" +# SecDefaultAction "phase:2,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'" + + +# +# -- [[ Paranoia Level Initialization ]] --------------------------------------- +# +# The Paranoia Level (PL) setting allows you to choose the desired level +# of rule checks that will add to your anomaly scores. +# +# With each paranoia level increase, the CRS enables additional rules +# giving you a higher level of security. However, higher paranoia levels +# also increase the possibility of blocking some legitimate traffic due to +# false alarms (also named false positives or FPs). If you use higher +# paranoia levels, it is likely that you will need to add some exclusion +# rules for certain requests and applications receiving complex input. +# +# - A paranoia level of 1 is default. In this level, most core rules +# are enabled. PL1 is advised for beginners, installations +# covering many different sites and applications, and for setups +# with standard security requirements. +# At PL1 you should face FPs rarely. If you encounter FPs, please +# open an issue on the CRS GitHub site and don't forget to attach your +# complete Audit Log record for the request with the issue. +# - Paranoia level 2 includes many extra rules, for instance enabling +# many regexp-based SQL and XSS injection protections, and adding +# extra keywords checked for code injections. PL2 is advised +# for moderate to experienced users desiring more complete coverage +# and for installations with elevated security requirements. +# PL2 comes with some FPs which you need to handle. +# - Paranoia level 3 enables more rules and keyword lists, and tweaks +# limits on special characters used. PL3 is aimed at users experienced +# at the handling of FPs and at installations with a high security +# requirement. +# - Paranoia level 4 further restricts special characters. +# The highest level is advised for experienced users protecting +# installations with very high security requirements. Running PL4 will +# likely produce a very high number of FPs which have to be +# treated before the site can go productive. +# +# Rules in paranoia level 2 or higher will log their PL to the audit log; +# example: [tag "paranoia-level/2"]. This allows you to deduct from the +# audit log how the WAF behavior is affected by paranoia level. +# +# It is important to also look into the variable +# tx.enforce_bodyproc_urlencoded (Enforce Body Processor URLENCODED) +# defined below. Enabling it closes a possible bypass of CRS. +# +# Uncomment this rule to change the default: +# +#SecAction \ +# "id:900000,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.paranoia_level=1" + + +# It is possible to execute rules from a higher paranoia level but not include +# them in the anomaly scoring. This allows you to take a well-tuned system on +# paranoia level 1 and add rules from paranoia level 2 without having to fear +# the new rules would lead to false positives that raise your score above the +# threshold. +# This optional feature is enabled by uncommenting the following rule and +# setting the tx.executing_paranoia_level. +# Technically, rules up to the level defined in tx.executing_paranoia_level +# will be executed, but only the rules up to tx.paranoia_level affect the +# anomaly scores. +# By default, tx.executing_paranoia_level is set to tx.paranoia_level. +# tx.executing_paranoia_level must not be lower than tx.paranoia_level. +# +# Please notice that setting tx.executing_paranoia_level to a higher paranoia +# level results in a performance impact that is equally high as setting +# tx.paranoia_level to said level. +# +#SecAction \ +# "id:900001,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.executing_paranoia_level=1" + + +# +# -- [[ Enforce Body Processor URLENCODED ]] ----------------------------------- +# +# ModSecurity selects the body processor based on the Content-Type request +# header. But clients are not always setting the Content-Type header for their +# request body payloads. This will leave ModSecurity with limited vision into +# the payload. The variable tx.enforce_bodyproc_urlencoded lets you force the +# URLENCODED body processor in these situations. This is off by default, as it +# implies a change of the behaviour of ModSecurity beyond CRS (the body +# processor applies to all rules, not only CRS) and because it may lead to +# false positives already on paranoia level 1. However, enabling this variable +# closes a possible bypass of CRS so it should be considered. +# +# Uncomment this rule to change the default: +# +#SecAction \ +# "id:900010,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.enforce_bodyproc_urlencoded=1" + + +# +# -- [[ Anomaly Mode Severity Levels ]] ---------------------------------------- +# +# Each rule in the CRS has an associated severity level. +# These are the default scoring points for each severity level. +# These settings will be used to increment the anomaly score if a rule matches. +# You may adjust these points to your liking, but this is usually not needed. +# +# - CRITICAL severity: Anomaly Score of 5. +# Mostly generated by the application attack rules (93x and 94x files). +# - ERROR severity: Anomaly Score of 4. +# Generated mostly from outbound leakage rules (95x files). +# - WARNING severity: Anomaly Score of 3. +# Generated mostly by malicious client rules (91x files). +# - NOTICE severity: Anomaly Score of 2. +# Generated mostly by the protocol rules (92x files). +# +# In anomaly mode, these scores are cumulative. +# So it's possible for a request to hit multiple rules. +# +# (Note: In this file, we use 'phase:1' to set CRS configuration variables. +# In general, 'phase:request' is used. However, we want to make absolutely sure +# that all configuration variables are set before the CRS rules are processed.) +# +#SecAction \ +# "id:900100,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.critical_anomaly_score=5,\ +# setvar:tx.error_anomaly_score=4,\ +# setvar:tx.warning_anomaly_score=3,\ +# setvar:tx.notice_anomaly_score=2" + + +# +# -- [[ Anomaly Mode Blocking Threshold Levels ]] ------------------------------ +# +# Here, you can specify at which cumulative anomaly score an inbound request, +# or outbound response, gets blocked. +# +# Most detected inbound threats will give a critical score of 5. +# Smaller violations, like violations of protocol/standards, carry lower scores. +# +# [ At default value ] +# If you keep the blocking thresholds at the defaults, the CRS will work +# similarly to previous CRS versions: a single critical rule match will cause +# the request to be blocked and logged. +# +# [ Using higher values ] +# If you want to make the CRS less sensitive, you can increase the blocking +# thresholds, for instance to 7 (which would require multiple rule matches +# before blocking) or 10 (which would require at least two critical alerts - or +# a combination of many lesser alerts), or even higher. However, increasing the +# thresholds might cause some attacks to bypass the CRS rules or your policies. +# +# [ New deployment strategy: Starting high and decreasing ] +# It is a common practice to start a fresh CRS installation with elevated +# anomaly scoring thresholds (>100) and then lower the limits as your +# confidence in the setup grows. You may also look into the Sampling +# Percentage section below for a different strategy to ease into a new +# CRS installation. +# +# [ Anomaly Threshold / Paranoia Level Quadrant ] +# +# High Anomaly Limit | High Anomaly Limit +# Low Paranoia Level | High Paranoia Level +# -> Fresh Site | -> Experimental Site +# ------------------------------------------------------ +# Low Anomaly Limit | Low Anomaly Limit +# Low Paranoia Level | High Paranoia Level +# -> Standard Site | -> High Security Site +# +# Uncomment this rule to change the defaults: +# +#SecAction \ +# "id:900110,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.inbound_anomaly_score_threshold=5,\ +# setvar:tx.outbound_anomaly_score_threshold=4" + +# +# -- [[ Application Specific Rule Exclusions ]] ---------------------------------------- +# +# Some well-known applications may undertake actions that appear to be +# malicious. This includes actions such as allowing HTML or Javascript within +# parameters. In such cases the CRS aims to prevent false positives by allowing +# administrators to enable prebuilt, application specific exclusions on an +# application by application basis. +# These application specific exclusions are distinct from the rules that would +# be placed in the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS configuration file as +# they are prebuilt for specific applications. The 'REQUEST-900' file is +# designed for users to add their own custom exclusions. Note, using these +# application specific exclusions may loosen restrictions of the CRS, +# especially if used with an application they weren't designed for. As a result +# they should be applied with care. +# To use this functionality you must specify a supported application. To do so +# uncomment rule 900130. In addition to uncommenting the rule you will need to +# specify which application(s) you'd like to enable exclusions for. Only a +# (very) limited set of applications are currently supported, please use the +# filenames prefixed with 'REQUEST-903' to guide you in your selection. +# Such filenames use the following convention: +# REQUEST-903.9XXX-{APPNAME}-EXCLUSIONS-RULES.conf +# +# It is recommended if you run multiple web applications on your site to limit +# the effects of the exclusion to only the path where the excluded webapp +# resides using a rule similar to the following example: +# SecRule REQUEST_URI "@beginsWith /wordpress/" setvar:tx.crs_exclusions_wordpress=1 + +# +# Modify and uncomment this rule to select which application: +# +#SecAction \ +# "id:900130,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.crs_exclusions_drupal=1,\ +# setvar:tx.crs_exclusions_wordpress=1,\ +# setvar:tx.crs_exclusions_nextcloud=1,\ +# setvar:tx.crs_exclusions_dokuwiki=1,\ +# setvar:tx.crs_exclusions_cpanel=1" + +# +# -- [[ HTTP Policy Settings ]] ------------------------------------------------ +# +# This section defines your policies for the HTTP protocol, such as: +# - allowed HTTP versions, HTTP methods, allowed request Content-Types +# - forbidden file extensions (e.g. .bak, .sql) and request headers (e.g. Proxy) +# +# These variables are used in the following rule files: +# - REQUEST-911-METHOD-ENFORCEMENT.conf +# - REQUEST-912-DOS-PROTECTION.conf +# - REQUEST-920-PROTOCOL-ENFORCEMENT.conf + +# HTTP methods that a client is allowed to use. +# Default: GET HEAD POST OPTIONS +# Example: for RESTful APIs, add the following methods: PUT PATCH DELETE +# Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK +# MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK +# Uncomment this rule to change the default. +#SecAction \ +# "id:900200,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'" + +# Content-Types that a client is allowed to send in a request. +# Default: application/x-www-form-urlencoded|multipart/form-data|text/xml|\ +# application/xml|application/soap+xml|application/x-amf|application/json|\ +# application/octet-stream|text/plain +# Uncomment this rule to change the default. +#SecAction \ +# "id:900220,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text/plain'" + +# Content-Types charsets that a client is allowed to send in a request. +# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252 +# Uncomment this rule to change the default. +# Use "|" to separate multiple charsets like in the rule defining +# tx.allowed_request_content_type. +#SecAction \ +# "id:900270,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'" + +# Allowed HTTP versions. +# Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 +# Example for legacy clients: HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 +# Note that some web server versions use 'HTTP/2', some 'HTTP/2.0', so +# we include both version strings by default. +# Uncomment this rule to change the default. +#SecAction \ +# "id:900230,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'" + +# Forbidden file extensions. +# Guards against unintended exposure of development/configuration files. +# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/ +# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .sql/ +# Uncomment this rule to change the default. +#SecAction \ +# "id:900240,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'" + +# Forbidden request headers. +# Header names should be lowercase, enclosed by /slashes/ as delimiters. +# Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org +# Default: /proxy/ /lock-token/ /content-range/ /translate/ /if/ +# Uncomment this rule to change the default. +#SecAction \ +# "id:900250,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /translate/ /if/'" + +# File extensions considered static files. +# Extensions include the dot, lowercase, enclosed by /slashes/ as delimiters. +# Used in DoS protection rule. See section "Anti-Automation / DoS Protection". +# Default: /.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/ +# Uncomment this rule to change the default. +#SecAction \ +# "id:900260,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'" + + +# +# -- [[ HTTP Argument/Upload Limits ]] ----------------------------------------- +# +# Here you can define optional limits on HTTP get/post parameters and uploads. +# This can help to prevent application specific DoS attacks. +# +# These values are checked in REQUEST-920-PROTOCOL-ENFORCEMENT.conf. +# Beware of blocking legitimate traffic when enabling these limits. +# + +# Block request if number of arguments is too high +# Default: unlimited +# Example: 255 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900300,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.max_num_args=255" + +# Block request if the length of any argument name is too high +# Default: unlimited +# Example: 100 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900310,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.arg_name_length=100" + +# Block request if the length of any argument value is too high +# Default: unlimited +# Example: 400 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900320,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.arg_length=400" + +# Block request if the total length of all combined arguments is too high +# Default: unlimited +# Example: 64000 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900330,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.total_arg_length=64000" + +# Block request if the file size of any individual uploaded file is too high +# Default: unlimited +# Example: 1048576 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900340,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.max_file_size=1048576" + +# Block request if the total size of all combined uploaded files is too high +# Default: unlimited +# Example: 1048576 +# Uncomment this rule to set a limit. +#SecAction \ +# "id:900350,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.combined_file_sizes=1048576" + + +# +# -- [[ Easing In / Sampling Percentage ]] ------------------------------------- +# +# Adding the Core Rule Set to an existing productive site can lead to false +# positives, unexpected performance issues and other undesired side effects. +# +# It can be beneficial to test the water first by enabling the CRS for a +# limited number of requests only and then, when you have solved the issues (if +# any) and you have confidence in the setup, to raise the ratio of requests +# being sent into the ruleset. +# +# Adjust the percentage of requests that are funnelled into the Core Rules by +# setting TX.sampling_percentage below. The default is 100, meaning that every +# request gets checked by the CRS. The selection of requests, which are going +# to be checked, is based on a pseudo random number generated by ModSecurity. +# +# If a request is allowed to pass without being checked by the CRS, there is no +# entry in the audit log (for performance reasons), but an error log entry is +# written. If you want to disable the error log entry, then issue the +# following directive somewhere after the inclusion of the CRS +# (E.g., RESPONSE-999-EXCEPTIONS.conf). +# +# SecRuleUpdateActionById 901150 "nolog" +# +# ATTENTION: If this TX.sampling_percentage is below 100, then some of the +# requests will bypass the Core Rules completely and you lose the ability to +# protect your service with ModSecurity. +# +# Uncomment this rule to enable this feature: +# +#SecAction "id:900400,\ +# phase:1,\ +# pass,\ +# nolog,\ +# setvar:tx.sampling_percentage=100" + + +# +# -- [[ Project Honey Pot HTTP Blacklist ]] ------------------------------------ +# +# Optionally, you can check the client IP address against the Project Honey Pot +# HTTPBL (dnsbl.httpbl.org). In order to use this, you need to register to get a +# free API key. Set it here with SecHttpBlKey. +# +# Project Honeypot returns multiple different malicious IP types. +# You may specify which you want to block by enabling or disabling them below. +# +# Ref: https://www.projecthoneypot.org/httpbl.php +# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey +# +# Uncomment these rules to use this feature: +# +#SecHttpBlKey XXXXXXXXXXXXXXXXX +#SecAction "id:900500,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.block_search_ip=1,\ +# setvar:tx.block_suspicious_ip=1,\ +# setvar:tx.block_harvester_ip=1,\ +# setvar:tx.block_spammer_ip=1" + + +# +# -- [[ GeoIP Database ]] ------------------------------------------------------ +# +# There are some rulesets that inspect geolocation data of the client IP address +# (geoLookup). The CRS uses geoLookup to implement optional country blocking. +# +# To use geolocation, we make use of the MaxMind GeoIP database. +# This database is not included with the CRS and must be downloaded. +# You should also update the database regularly, for instance every month. +# The CRS contains a tool to download it to util/geo-location/GeoIP.dat: +# util/upgrade.py --geoip +# +# This product includes GeoLite data created by MaxMind, available from: +# http://www.maxmind.com. +# +# Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html +# Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html +# +# Uncomment this rule to use this feature: +# +#SecGeoLookupDB util/geo-location/GeoIP.dat + + +# +# -=[ Block Countries ]=- +# +# Rules in the IP Reputation file can check the client against a list of high +# risk country codes. These countries have to be defined in the variable +# tx.high_risk_country_codes via their ISO 3166 two-letter country code: +# https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements +# +# If you are sure that you are not getting any legitimate requests from a given +# country, then you can disable all access from that country via this variable. +# The rule performing the test has the rule id 910100. +# +# This rule requires SecGeoLookupDB to be enabled and the GeoIP database to be +# downloaded (see the section "GeoIP Database" above.) +# +# By default, the list is empty. A list used by some sites was the following: +# setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN'" +# +# Uncomment this rule to use this feature: +# +#SecAction \ +# "id:900600,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.high_risk_country_codes='" + + +# +# -- [[ Anti-Automation / DoS Protection ]] ------------------------------------ +# +# Optional DoS protection against clients making requests too quickly. +# +# When a client is making more than 100 requests (excluding static files) within +# 60 seconds, this is considered a 'burst'. After two bursts, the client is +# blocked for 600 seconds. +# +# Requests to static files are not counted towards DoS; they are listed in the +# 'tx.static_extensions' setting, which you can change in this file (see +# section "HTTP Policy Settings"). +# +# For a detailed description, see rule file REQUEST-912-DOS-PROTECTION.conf. +# +# Uncomment this rule to use this feature: +# +#SecAction \ +# "id:900700,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.dos_burst_time_slice=60',\ +# setvar:'tx.dos_counter_threshold=100',\ +# setvar:'tx.dos_block_timeout=600'" + + +# +# -- [[ Check UTF-8 encoding ]] ------------------------------------------------ +# +# The CRS can optionally check request contents for invalid UTF-8 encoding. +# We only want to apply this check if UTF-8 encoding is actually used by the +# site; otherwise it will result in false positives. +# +# Uncomment this rule to use this feature: +# +#SecAction \ +# "id:900950,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.crs_validate_utf8_encoding=1" + + +# +# -- [[ Blocking Based on IP Reputation ]] ------------------------------------ +# +# Blocking based on reputation is permanent in the CRS. Unlike other rules, +# which look at the indvidual request, the blocking of IPs is based on +# a persistent record in the IP collection, which remains active for a +# certain amount of time. +# +# There are two ways an individual client can become flagged for blocking: +# - External information (RBL, GeoIP, etc.) +# - Internal information (Core Rules) +# +# The record in the IP collection carries a flag, which tags requests from +# individual clients with a flag named IP.reput_block_flag. +# But the flag alone is not enough to have a client blocked. There is also +# a global switch named tx.do_reput_block. This is off by default. If you set +# it to 1 (=On), requests from clients with the IP.reput_block_flag will +# be blocked for a certain duration. +# +# Variables +# ip.reput_block_flag Blocking flag for the IP collection record +# ip.reput_block_reason Reason (= rule message) that caused to blocking flag +# tx.do_reput_block Switch deciding if we really block based on flag +# tx.reput_block_duration Setting to define the duration of a block +# +# It may be important to know, that all the other core rules are skipped for +# requests, when it is clear that they carry the blocking flag in question. +# +# Uncomment this rule to use this feature: +# +#SecAction \ +# "id:900960,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.do_reput_block=1" +# +# Uncomment this rule to change the blocking time: +# Default: 300 (5 minutes) +# +#SecAction \ +# "id:900970,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:tx.reput_block_duration=300" + + +# +# -- [[ Collection timeout ]] -------------------------------------------------- +# +# Set the SecCollectionTimeout directive from the ModSecurity default (1 hour) +# to a lower setting which is appropriate to most sites. +# This increases performance by cleaning out stale collection (block) entries. +# +# This value should be greater than or equal to: +# tx.reput_block_duration (see section "Blocking Based on IP Reputation") and +# tx.dos_block_timeout (see section "Anti-Automation / DoS Protection"). +# +# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecCollectionTimeout + +# Please keep this directive uncommented. +# Default: 600 (10 minutes) +SecCollectionTimeout 600 + + +# +# -- [[ Debug Mode ]] ---------------------------------------------------------- +# +# To enable rule development and debugging, CRS has an optional debug mode +# that does not block a request, but instead sends detection information +# back to the HTTP client. +# +# This functionality is currently only supported with the Apache web server. +# The Apache mod_headers module is required. +# +# In debug mode, the webserver inserts "X-WAF-Events" / "X-WAF-Score" +# response headers whenever a debug client makes a request. Example: +# +# # curl -v 'http://192.168.1.100/?foo=../etc/passwd' +# X-WAF-Events: TX:930110-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-REQUEST_URI, +# TX:930120-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-ARGS:foo, +# TX:932160-OWASP_CRS/WEB_ATTACK/RCE-ARGS:foo +# X-WAF-Score: Total=15; sqli=0; xss=0; rfi=0; lfi=10; rce=5; php=0; http=0; ses=0 +# +# To enable debug mode, include the RESPONSE-981-DEBUG.conf file. +# This file resides in a separate folder, as it is not compatible with +# nginx and IIS. +# +# You must specify the source IP address/network where you will be running the +# tests from. The source IP will BYPASS all CRS blocking, and will be sent the +# response headers as specified above. Be careful to only list your private +# IP addresses/networks here. +# +# Tip: for regression testing of CRS or your own ModSecurity rules, you may +# be interested in using the OWASP CRS regression testing suite instead. +# View the file util/regression-tests/README for more information. +# +# Uncomment these rules, filling in your CRS path and the source IP address, +# to enable debug mode: +# +#Include /path/to/crs/util/debug/RESPONSE-981-DEBUG.conf +#SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \ +# "id:900980,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# ctl:ruleEngine=DetectionOnly,\ +# setvar:tx.crs_debug_mode=1" + + +# +# -- [[ End of setup ]] -------------------------------------------------------- +# +# The CRS checks the tx.crs_setup_version variable to ensure that the setup +# has been loaded. If you are not planning to use this setup template, +# you must manually set the tx.crs_setup_version variable before including +# the CRS rules/* files. +# +# The variable is a numerical representation of the CRS version number. +# E.g., v3.0.0 is represented as 300. +# +SecAction \ + "id:900990,\ + phase:1,\ + nolog,\ + pass,\ + t:none,\ + setvar:tx.crs_setup_version=311" diff --git a/confs/owasp-crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example b/confs/owasp-crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example new file mode 100644 index 0000000..bd23616 --- /dev/null +++ b/confs/owasp-crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example @@ -0,0 +1,165 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# +# The purpose of this file is to hold LOCAL exceptions for your site. The +# types of rules that would go into this file are one where you want to +# short-circuit inspection and allow certain transactions to pass through +# inspection or if you want to alter rules that are applied. +# +# This file is named REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example for a +# very specific reason. Files affixed with the .example extension are designed +# to contain user created/modified data. The '.example'. extension should be +# renamed to end in .conf. The advantage of this is that when OWASP CRS is +# updated, the updates will not overwrite a user generated configuration file. +# +# As a result of this design paradigm users are encouraged NOT to directly +# modify rules. Instead they should use this +# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and the +# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS file to modify OWASP rules using +# methods similar to the examples specified below. +# +# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and +# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS serve different purposes. ModSecurity +# effectively maintains two different context: startup, and per transaction. +# As a rule, directives are processed within the startup context. While they +# can affect the per transaction context they generally remain fixed during the +# execution of ModSecurity. +# +# As a result if one wanted to disable a rule at bootup the SecRuleRemoveById +# directive or one of its siblings would have to be placed AFTER the rule is +# listed, otherwise it will not have knowledge of the rules existence (since +# these rules are read in at the same time). This means that when using +# directives that effect SecRules, these exceptions should be placed AFTER all +# the existing rules. This is why RESPONSE-999-EXCLUSION-RULES-AFTER-CRS is +# designed such that it loads LAST. +# +# Conversely, ModSecurity supports several actions that can change the state of +# the underlying configuration during the per transaction context, this is when +# rules are being processed. Generally, these are accomplished by using the +# 'ctl' action. As these are part of a rule, they will be evaluated in the +# order rules are applied (by physical location, considering phases). As a +# result of this ordering a 'ctl' action should be placed with consideration to +# when it will be executed. This is particularly relevant for the 'ctl' options +# that involve modifying ID's (such as ruleRemoveById). In these cases it is +# important that such rules are placed BEFORE the rule ID they will affect. +# Unlike the setup context, by the time we process rules in the per-transaction +# context, we are already aware of all the rule ID's. It is by this logic that +# we include rules such as this BEFORE all the remaining rules. As a result +# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS is designed to load FIRST. +# +# As a general rule: +# ctl:ruleEngine -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS +# ctl:ruleRemoveById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS +# ctl:ruleRemoveByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS +# ctl:ruleRemoveByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS +# ctl:ruleRemoveTargetById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS +# ctl:ruleRemoveTargetByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS +# ctl:ruleRemoveTargetByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS +# +# SecRuleRemoveById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS +# SecRuleRemoveByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS +# SecRuleRemoveByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS +# SecRuleUpdateActionById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS +# SecRuleUpdateTargetById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS +# SecRuleUpdateTargetByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS +# SecRuleUpdateTargetByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS +# +# +# What follows are a group of examples that show you how to perform rule +# exclusions. +# +# +# Example Exclusion Rule: Disable inspection for an authorized client +# +# This ruleset allows you to control how ModSecurity will handle traffic +# originating from Authorized Vulnerability Scanning (AVS) sources. See +# related blog post - +# http://blog.spiderlabs.com/2010/12/advanced-topic-of-the-week-handling-authorized-scanning-traffic.html +# +# White-list ASV network block (no blocking or logging of AVS traffic) Update +# IP network block as appropriate for your AVS traffic +# +# ModSec Rule Exclusion: Disable Rule Engine for known ASV IP +# SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \ +# "id:1000,\ +# phase:1,\ +# pass,\ +# nolog,\ +# ctl:ruleEngine=Off" +# +# +# Example Exclusion Rule: Removing a specific ARGS parameter from inspection +# for an individual rule +# +# This rule shows how to conditionally exclude the "password" +# parameter for rule 942100 when the REQUEST_URI is /index.php +# ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection +# +# SecRule REQUEST_URI "@beginsWith /index.php" \ +# "id:1001,\ +# phase:1,\ +# pass,\ +# nolog,\ +# ctl:ruleRemoveTargetById=942100;ARGS:password" +# +# +# Example Exclusion Rule: Removing a specific ARGS parameter from inspection +# for only certain attacks +# +# Attack rules within the CRS are tagged, with tags such as 'attack-lfi', +# 'attack-sqli', 'attack-xss', 'attack-injection-php', et cetera. +# +# ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd +# for all rules tagged attack-sqli +# SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \ +# "id:1002,\ +# phase:2,\ +# pass,\ +# nolog,\ +# ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:pwd" +# + +# Example Exclusion Rule: Removing a specific ARGS parameter from inspection +# for all CRS rules +# +# This rule illustrates that we can use tagging very effectively to whitelist a +# common false positive across an entire ModSecurity instance. This can be done +# because every rule in OWASP_CRS is tagged with OWASP_CRS. This will NOT +# affect custom rules. +# +# ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd +# for all CRS rules +# SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \ +# "id:1003,\ +# phase:2,\ +# pass,\ +# nolog,\ +# ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd" + +# +# Example Exclusion Rule: Removing a range of rules +# +# This rule illustrates that we can remove a rule range via a ctl action. +# This uses the fact, that rules are grouped by topic in rule files covering +# a certain id range. +# +# ModSecurity Rule Exclusion: Disable all SQLi and XSS rules +# SecRule REQUEST_FILENAME "@beginsWith /admin" \ +# "id:1004,\ +# phase:2,\ +# pass,\ +# nolog,\ +# ctl:ruleRemoveById=941000-942999" +# +# +# The application specific rule exclusion files +# REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf +# REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf +# bring additional examples which can be useful then tuning a service. diff --git a/confs/owasp-crs/REQUEST-901-INITIALIZATION.conf b/confs/owasp-crs/REQUEST-901-INITIALIZATION.conf new file mode 100644 index 0000000..b893794 --- /dev/null +++ b/confs/owasp-crs/REQUEST-901-INITIALIZATION.conf @@ -0,0 +1,424 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# +# This file REQUEST-901-INITIALIZATION.conf initializes the Core Rules +# and performs preparatory actions. It also fixes errors and omissions +# of variable definitions in the file crs-setup.conf. +# The setup.conf can and should be edited by the user, this file +# is part of the CRS installation and should not be altered. +# + + +# +# -=[ Rules Version ]=- +# +# Rule version data is added to the "Producer" line of Section H of the Audit log: +# +# - Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.1.1. +# +# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature +# +SecComponentSignature "OWASP_CRS/3.1.1" + +# +# -=[ Default setup values ]=- +# +# The CRS checks the tx.crs_setup_version variable to ensure that the setup +# file is included at the correct time. This detects situations where +# necessary settings are not defined, for instance if the file +# inclusion order is incorrect, or if the user has forgotten to +# include the crs-setup.conf file. +# +# If you are upgrading from an earlier version of the CRS and you are +# getting this error, please make a new copy of the setup template +# crs-setup.conf.example to crs-setup.conf, and re-apply your policy +# changes. There have been many changes in settings syntax from CRS2 +# to CRS3, so an old setup file may cause unwanted behavior. +# +# If you are not planning to use the crs-setup.conf template, you must +# manually set the tx.crs_setup_version variable before including +# the CRS rules/* files. +# +# The variable is a numerical representation of the CRS version number. +# E.g., v3.0.0 is represented as 300. +# + +SecRule &TX:crs_setup_version "@eq 0" \ + "id:901001,\ + phase:1,\ + deny,\ + status:500,\ + log,\ + auditlog,\ + msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions.',\ + severity:'CRITICAL'" + + +# +# -=[ Default setup values ]=- +# +# Some constructs or individual rules will fail if certain parameters +# are not set in the setup.conf file. The following rules will catch +# these cases and assign sane default values. +# + +# Default Inbound Anomaly Threshold Level (rule 900110 in setup.conf) +SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \ + "id:901100,\ + phase:1,\ + pass,\ + nolog,\ + setvar:'tx.inbound_anomaly_score_threshold=5'" + +# Default Outbound Anomaly Threshold Level (rule 900110 in setup.conf) +SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \ + "id:901110,\ + phase:1,\ + pass,\ + nolog,\ + setvar:'tx.outbound_anomaly_score_threshold=4'" + +# Default Paranoia Level (rule 900000 in setup.conf) +SecRule &TX:paranoia_level "@eq 0" \ + "id:901120,\ + phase:1,\ + pass,\ + nolog,\ + setvar:'tx.paranoia_level=1'" + +# Default Executing Paranoia Level (rule 900000 in setup.conf) +SecRule &TX:executing_paranoia_level "@eq 0" \ + "id:901125,\ + phase:1,\ + pass,\ + nolog,\ + setvar:'tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}'" + +# Default Sampling Percentage (rule 900400 in setup.conf) +SecRule &TX:sampling_percentage "@eq 0" \ + "id:901130,\ + phase:1,\ + pass,\ + nolog,\ + setvar:'tx.sampling_percentage=100'" + +# Default Anomaly Scores (rule 900100 in setup.conf) +SecRule &TX:critical_anomaly_score "@eq 0" \ + "id:901140,\ + phase:1,\ + pass,\ + nolog,\ + setvar:'tx.critical_anomaly_score=5'" + +SecRule &TX:error_anomaly_score "@eq 0" \ + "id:901141,\ + phase:1,\ + pass,\ + nolog,\ + setvar:'tx.error_anomaly_score=4'" + +SecRule &TX:warning_anomaly_score "@eq 0" \ + "id:901142,\ + phase:1,\ + pass,\ + nolog,\ + setvar:'tx.warning_anomaly_score=3'" + +SecRule &TX:notice_anomaly_score "@eq 0" \ + "id:901143,\ + phase:1,\ + pass,\ + nolog,\ + setvar:'tx.notice_anomaly_score=2'" + +# Default do_reput_block +SecRule &TX:do_reput_block "@eq 0" \ + "id:901150,\ + phase:1,\ + pass,\ + nolog,\ + setvar:'tx.do_reput_block=0'" + +# Default block duration +SecRule &TX:reput_block_duration "@eq 0" \ + "id:901152,\ + phase:1,\ + pass,\ + nolog,\ + setvar:'tx.reput_block_duration=300'" + +# Default HTTP policy: allowed_methods (rule 900200) +SecRule &TX:allowed_methods "@eq 0" \ + "id:901160,\ + phase:1,\ + pass,\ + nolog,\ + setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'" + +# Default HTTP policy: allowed_request_content_type (rule 900220) +SecRule &TX:allowed_request_content_type "@eq 0" \ + "id:901162,\ + phase:1,\ + pass,\ + nolog,\ + setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text/plain'" + +# Default HTTP policy: allowed_request_content_type_charset (rule 900270) +SecRule &TX:allowed_request_content_type_charset "@eq 0" \ + "id:901168,\ + phase:1,\ + pass,\ + nolog,\ + setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'" + +# Default HTTP policy: allowed_http_versions (rule 900230) +SecRule &TX:allowed_http_versions "@eq 0" \ + "id:901163,\ + phase:1,\ + pass,\ + nolog,\ + setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'" + +# Default HTTP policy: restricted_extensions (rule 900240) +SecRule &TX:restricted_extensions "@eq 0" \ + "id:901164,\ + phase:1,\ + pass,\ + nolog,\ + setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'" + +# Default HTTP policy: restricted_headers (rule 900250) +SecRule &TX:restricted_headers "@eq 0" \ + "id:901165,\ + phase:1,\ + pass,\ + nolog,\ + setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /translate/ /if/'" + +# Default HTTP policy: static_extensions (rule 900260) +SecRule &TX:static_extensions "@eq 0" \ + "id:901166,\ + phase:1,\ + pass,\ + nolog,\ + setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'" + +# Default enforcing of body processor URLENCODED +SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \ + "id:901167,\ + phase:1,\ + pass,\ + nolog,\ + setvar:'tx.enforce_bodyproc_urlencoded=0'" + + +# +# -=[ Initialize internal variables ]=- +# + +# Initialize anomaly scoring variables. +# All _score variables start at 0, and are incremented by the various rules +# upon detection of a possible attack. +# sql_error_match is used for shortcutting rules for performance reasons. + +SecAction \ + "id:901200,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + setvar:'tx.anomaly_score=0',\ + setvar:'tx.anomaly_score_pl1=0',\ + setvar:'tx.anomaly_score_pl2=0',\ + setvar:'tx.anomaly_score_pl3=0',\ + setvar:'tx.anomaly_score_pl4=0',\ + setvar:'tx.sql_injection_score=0',\ + setvar:'tx.xss_score=0',\ + setvar:'tx.rfi_score=0',\ + setvar:'tx.lfi_score=0',\ + setvar:'tx.rce_score=0',\ + setvar:'tx.php_injection_score=0',\ + setvar:'tx.http_violation_score=0',\ + setvar:'tx.session_fixation_score=0',\ + setvar:'tx.inbound_anomaly_score=0',\ + setvar:'tx.outbound_anomaly_score=0',\ + setvar:'tx.outbound_anomaly_score_pl1=0',\ + setvar:'tx.outbound_anomaly_score_pl2=0',\ + setvar:'tx.outbound_anomaly_score_pl3=0',\ + setvar:'tx.outbound_anomaly_score_pl4=0',\ + setvar:'tx.sql_error_match=0'" + + +# +# -=[ Initialize collections ]=- +# +# Create both Global and IP collections for rules to use. +# There are some CRS rules that assume that these two collections +# have already been initiated. +# + +SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \ + "id:901318,\ + phase:1,\ + pass,\ + t:none,t:sha1,t:hexEncode,\ + nolog,\ + setvar:'tx.ua_hash=%{MATCHED_VAR}'" + +SecAction \ + "id:901321,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + initcol:global=global,\ + initcol:ip=%{remote_addr}_%{tx.ua_hash},\ + setvar:'tx.real_ip=%{remote_addr}'" + +# +# -=[ Initialize Correct Body Processing ]=- +# +# Force request body variable and optionally request body processor +# + +# Force body variable +SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \ + "id:901340,\ + phase:1,\ + pass,\ + nolog,\ + noauditlog,\ + msg:'Enabling body inspection',\ + tag:'paranoia-level/1',\ + ctl:forceRequestBodyVariable=On,\ + ver:'OWASP_CRS/3.1.1'" + +# Force body processor URLENCODED +SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \ + "id:901350,\ + phase:1,\ + pass,\ + t:none,t:urlDecodeUni,\ + nolog,\ + noauditlog,\ + msg:'Enabling forced body inspection for ASCII content',\ + ver:'OWASP_CRS/3.1.1',\ + chain" + SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \ + "ctl:requestBodyProcessor=URLENCODED" + + +# +# -=[ Easing In / Sampling Percentage ]=- +# +# This is used to send only a limited percentage of requests into the Core +# Rule Set. The selection is based on TX.sampling_percentage and a pseudo +# random number calculated below. +# +# Use this to ease into a new Core Rules installation with an existing +# productive service. +# +# See +# https://www.netnea.com/cms/2016/04/26/easing-in-conditional-modsecurity-rule-execution-based-on-pseudo-random-numbers/ +# + +# +# Generate the pseudo random number +# +# ATTENTION: This is no cryptographically secure random number. It's just +# a cheap way to get some random number suitable for sampling. +# +# We take the entropy contained in the UNIQUE_ID. We hash that variable and +# take the first integer numbers out of it. Theoretically, it is possible +# there are no integers in a sha1 hash. We make sure we get two +# integer numbers by taking the last two digits from the DURATION counter +# (in microseconds). +# Finally, leading zeros are removed from the two-digit random number. +# + +SecRule TX:sampling_percentage "@eq 100" \ + "id:901400,\ + phase:1,\ + pass,\ + nolog,\ + skipAfter:END-SAMPLING" + +SecRule UNIQUE_ID "@rx ^." \ + "id:901410,\ + phase:1,\ + pass,\ + t:sha1,t:hexEncode,\ + nolog,\ + setvar:'TX.sampling_rnd100=%{MATCHED_VAR}'" + +SecRule DURATION "@rx (..)$" \ + "id:901420,\ + phase:1,\ + pass,\ + capture,\ + nolog,\ + setvar:'TX.sampling_rnd100=%{TX.sampling_rnd100}%{TX.1}'" + +SecRule TX:sampling_rnd100 "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \ + "id:901430,\ + phase:1,\ + pass,\ + capture,\ + nolog,\ + setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'" + +SecRule TX:sampling_rnd100 "@rx ^0([0-9])" \ + "id:901440,\ + phase:1,\ + pass,\ + capture,\ + nolog,\ + setvar:'TX.sampling_rnd100=%{TX.1}'" + + +# +# Sampling decision +# +# If a request is allowed to pass without being checked by the CRS, there is no +# entry in the audit log (for performance reasons), but an error log entry is +# being written. If you want to disable the error log entry, then issue the +# following directive somewhere after the inclusion of the CRS +# (E.g., RESPONSE-999-EXCEPTIONS.conf). +# +# SecRuleUpdateActionById 901450 "nolog" +# + + +SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \ + "id:901450,\ + phase:1,\ + pass,\ + log,\ + noauditlog,\ + msg:'Sampling: Disable the rule engine based on sampling_percentage \ +%{TX.sampling_percentage} and random number %{TX.sampling_rnd100}.',\ + ctl:ruleEngine=Off" + +SecMarker "END-SAMPLING" + + +# +# Configuration Plausibility Checks +# + +# Make sure executing paranoia level is not lower than paranoia level +SecRule TX:executing_paranoia_level "@lt %{tx.paranoia_level}" \ + "id:901500,\ + phase:1,\ + deny,\ + status:500,\ + t:none,\ + log,\ + msg:'Executing paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting.'" diff --git a/confs/owasp-crs/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf b/confs/owasp-crs/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf new file mode 100644 index 0000000..1f511c3 --- /dev/null +++ b/confs/owasp-crs/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf @@ -0,0 +1,382 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# These exclusions remedy false positives in a default Drupal install. +# The exclusions are only active if crs_exclusions_drupal=1 is set. +# See rule 900130 in crs-setup.conf.example for instructions. + +# +# [ POLICY ] +# +# Drupal is a complex application that is hard to secure with the CRS. This set +# of exclusion rules aims to sanitise the CRS in a way that allows a default +# Drupal setup to be installed and configured without much hassle as far as +# ModSecurity and the CRS are concerned. +# +# The exclusion rules are fairly straight forward in the sense that they +# disable CRS on a set of well-known parameter fields that are often the source +# of false positives / false alarms of the CRS. This includes namely the +# session cookie, the password fields and article/node bodies. +# +# This is based on two assumptions: - You have a basic trust in your +# authenticated users who are allowed to edit nodes. - Drupal allows html +# content in nodes and it protects your users from attacks via these fields. +# +# If you think these assumptions are wrong or if you would prefer a more +# careful/secure approach, you can disable the exclusion rules handling of said +# node body false positives. Do this by placing the following directive in +# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf. +# +# SecRuleRemoveById 9001200-9001299 +# +# This will mean the CRS remain intact for the editing of node bodies. +# +# The exclusion rules in this file work without the need to define a Drupal +# installation path prefix. Instead they look at the URI from the end - or +# they use regular expressions when targeting dynamic URL. This is all not +# totally foolproof. In some cases, an advanced attacker might be able to +# doctor a request in a way that one of these exclusion rules is triggered +# and the request will bypass all further inspection despite not being a +# Drupal request at all. These exclusion rules could thus be leveraged to +# disable the CRS completely. This is why these rules are off by default. +# +# The CRS rules covered by this ruleset are the rules with Paranoia Level 1 and +# 2. If you chose to run Paranoia Level 3 or 4, you will be facing additional +# false positives which you need to handle yourself. +# +# This set of exclusion rules does not cover any additional Drupal modules +# outside of core. +# +# The exclusion rules are based on Drupal 8.1.10. +# +# And finally: This set of exclusion rules is in an experimental state. If you +# encounter false positives with the basic Drupal functionality and they are +# not covered by this rule file, then please report them. The aim is to be able +# to install and run Drupal core in a seamless manner protected by +# ModSecurity / CRS up to the paranoia level 2. + + +SecRule &TX:crs_exclusions_drupal|TX:crs_exclusions_drupal "@eq 0" \ + "id:9001000,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + skipAfter:END-DRUPAL-RULE-EXCLUSIONS" + + +# [ Table of Contents ] +# +# 9001100 Session Cookie +# 9001110 Password +# 9001120 FREE for use +# 9001130 FREE for use +# 9001140 Content and Descriptions +# 9001150 FREE for use +# 9001160 Form Token +# 9001170 Text Formats and Editors +# 9001180 WYSIWYG/CKEditor Assets and Upload +# 9001190 FREE for use +# 9001200 Content and Descriptions +# +# The rule id range from 9001200 to 9001999 is reserved for future +# use (Drupal plugins / modules). + + +# [ Session Cookie ] +# +# Giving the session cookie a dynamic name is most unfortunate +# from a ModSecurity perspective. The rule language does not allow +# us to disable rules in a granular way for individual cookies with +# dynamic names. So we need to disable rule causing false positives +# for all cookies and their names. +# +# Rule Exclusion Session Cookie: 942450 SQL Hex Encoding Identified +# +SecAction "id:9001100,\ + phase:2,\ + pass,\ + nolog,\ + ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES_NAMES,\ + ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES" + + +# +# [ Password ] +# +# Disable the CRS completely for all occurrences of passwords. +# +SecRule REQUEST_FILENAME "@endsWith /core/install.php" \ + "id:9001110,\ + phase:2,\ + pass,\ + nolog,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:account[pass][pass1],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:account[pass][pass2]" + +SecRule REQUEST_FILENAME "@endsWith /user/login" \ + "id:9001112,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pass" + +SecRule REQUEST_FILENAME "@endsWith /admin/people/create" \ + "id:9001114,\ + phase:2,\ + pass,\ + nolog,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass1],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass2]" + +SecRule REQUEST_FILENAME "@rx /user/[0-9]+/edit$" \ + "id:9001116,\ + phase:2,\ + pass,\ + nolog,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:current_pass,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass1],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass2]" + + +# +# [ Admin Settings (general) ] +# +# Disable known false positives for various fields used on admin pages. +# +# Rule Exclusion: 920271 Invalid character in request on multiple fields/paths +# Rule Exclusion: 942430 Restricted SQL Character Anomaly Detection (args) +# Disabled completely for admin/config pages +# For the people/accounts page, we disable the CRS completely for a number of +# freeform text fields. +# +SecRule REQUEST_FILENAME "@contains /admin/config/" \ + "id:9001122,\ + phase:2,\ + pass,\ + nolog,\ + ctl:ruleRemoveById=942430" + +SecRule REQUEST_FILENAME "@endsWith /admin/config/people/accounts" \ + "id:9001124,\ + phase:2,\ + pass,\ + nolog,\ + ctl:ruleRemoveById=920271,\ + ctl:ruleRemoveById=942440,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_cancel_confirm_body,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_password_reset_body,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_register_admin_created_body,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_register_no_approval_required_body,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_register_pending_approval_body,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_status_activated_body,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_status_blocked_body,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_status_canceled_body" + +SecRule REQUEST_FILENAME "@endsWith /admin/config/development/configuration/single/import" \ + "id:9001126,\ + phase:2,\ + pass,\ + nolog,\ + ctl:ruleRemoveById=920271,\ + ctl:ruleRemoveById=942440" + +SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \ + "id:9001128,\ + phase:2,\ + pass,\ + nolog,\ + ctl:ruleRemoveById=942440" + + +# +# +# [ Content and Descriptions ] +# +# Disable known false positives for field "ids[]". +# +# Rule Exclusion: 942130 SQL Injection Attack: SQL Tautology Detected +# +SecRule REQUEST_FILENAME "@endsWith /contextual/render" \ + "id:9001140,\ + phase:2,\ + pass,\ + nolog,\ + ctl:ruleRemoveTargetById=942130;ARGS:ids[]" + + +# +# [ Form Token / Build ID ] +# +# Rule Exclusion for form_build_id: 942440 SQL Comment Sequence Detected on ... +# Rule Exclusion for form_token: 942450 SQL Hex Encoding +# Rule Exclusion for form_build_id: 942450 SQL Hex Encoding +# +# This is applied site-wide. +# +SecAction "id:9001160,\ + phase:2,\ + pass,\ + nolog,\ + ctl:ruleRemoveTargetById=942440;ARGS:form_build_id,\ + ctl:ruleRemoveTargetById=942450;ARGS:form_token,\ + ctl:ruleRemoveTargetById=942450;ARGS:form_build_id" + + +# +# [ Text Formats and Editors ] +# +# Disable the CRS completely for two fields triggering many, many rules +# +# Rule Exclusion for two fields: 942440 SQL Comment Sequence Detected +# +SecRule REQUEST_FILENAME "@endsWith /admin/config/content/formats/manage/full_html" \ + "id:9001170,\ + phase:2,\ + pass,\ + nolog,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:editor[settings][toolbar][button_groups],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:filters[filter_html][settings][allowed_html]" + + +# +# [ WYSIWYG/CKEditor Assets and Upload ] +# +# Disable the unnecessary requestBodyAccess and for binary uploads +# bigger than an arbitrary limit of 31486341 bytes. +# +# Extensive checks make sure these uploads are really legitimate. +# +SecRule REQUEST_METHOD "@streq POST" \ + "id:9001180,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + noauditlog,\ + chain" + SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \ + "chain" + SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ + "ctl:requestBodyAccess=Off" + +SecRule REQUEST_METHOD "@streq POST" \ + "id:9001182,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + noauditlog,\ + chain" + SecRule REQUEST_FILENAME "@rx /admin/content/assets/manage/[0-9]+$" \ + "chain" + SecRule ARGS:destination "@streq admin/content/assets" \ + "chain" + SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \ + "chain" + SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ + "ctl:requestBodyAccess=Off" + +SecRule REQUEST_METHOD "@streq POST" \ + "id:9001184,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + noauditlog,\ + chain" + SecRule REQUEST_FILENAME "@rx /file/ajax/field_asset_[a-z0-9_]+/[ua]nd/0/form-[a-z0-9A-Z_-]+$" \ + "chain" + SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \ + "chain" + SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \ + "chain" + SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ + "ctl:requestBodyAccess=Off" + + +# +# [ Content and Descriptions ] +# +# Disable the CRS completely for node bodies and other free text fields. +# Other rules are disabled individually. +# +# Rule Exclusion for ARGS:uid[0][target_id]: 942410 SQL Injection Attack +# Rule Exclusion for ARGS:destination: 932110 RCE: Windows Command Inj. +# +SecRule REQUEST_FILENAME "@endsWith /node/add/article" \ + "id:9001200,\ + phase:2,\ + pass,\ + nolog,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value],\ + ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id]" + +SecRule REQUEST_FILENAME "@endsWith /node/add/page" \ + "id:9001202,\ + phase:2,\ + pass,\ + nolog,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value],\ + ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id]" + +SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \ + "id:9001204,\ + phase:2,\ + pass,\ + nolog,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value],\ + ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\ + ctl:ruleRemoveTargetById=932110;ARGS:destination" + +SecRule REQUEST_FILENAME "@endsWith /block/add" \ + "id:9001206,\ + phase:2,\ + pass,\ + nolog,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value]" + +SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/basic" \ + "id:9001208,\ + phase:2,\ + pass,\ + nolog,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:description" + +SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(?:full|basic)_html$" \ + "id:9001210,\ + phase:2,\ + pass,\ + nolog,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:value" + +SecRule REQUEST_FILENAME "@rx /user/[0-9]+/contact$" \ + "id:9001212,\ + phase:2,\ + pass,\ + nolog,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:message[0][value]" + +SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \ + "id:9001214,\ + phase:2,\ + pass,\ + nolog,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:maintenance_mode_message" + +SecRule REQUEST_FILENAME "@endsWith /admin/config/services/rss-publishing" \ + "id:9001216,\ + phase:2,\ + pass,\ + nolog,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:feed_description" + + +SecMarker "END-DRUPAL-RULE-EXCLUSIONS" diff --git a/confs/owasp-crs/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf b/confs/owasp-crs/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf new file mode 100644 index 0000000..7d8fff7 --- /dev/null +++ b/confs/owasp-crs/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf @@ -0,0 +1,639 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# These exclusions remedy false positives in a default WordPress install. +# The exclusions are only active if crs_exclusions_wordpress=1 is set. +# See rule 900130 in crs-setup.conf.example for instructions. +# +# Note that the WordPress comment field itself is currently NOT excluded +# from checking. The reason is that malicious content is regularly being +# posted to WordPress comment forms, and there have been various cases +# of XSS and even RCE vulnerabilities exploited by WordPress comments. + +SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \ + "id:9002000,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + skipAfter:END-WORDPRESS" + +SecRule &TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress "@eq 0" \ + "id:9002001,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + skipAfter:END-WORDPRESS" + + +# +# -=[ WordPress Front-End ]=- +# + + +# +# [ Login form ] +# + +# User login password +SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \ + "id:9002100,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd" + +# Reset password +SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \ + "id:9002120,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain" + SecRule ARGS:action "@streq resetpass" \ + "t:none,\ + chain" + SecRule &ARGS:action "@eq 1" \ + "t:none,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2" + + +# +# [ Comments ] +# + +# Post comment +SecRule REQUEST_FILENAME "@endsWith /wp-comments-post.php" \ + "id:9002130,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetById=931130;ARGS:url" + + +# +# [ Live preview ] +# Used when an administrator customizes the site and previews the result +# as a normal user. +# + +# Theme select +# Example: wp_customize=on&theme=twentyfifteen&customized= +# {"old_sidebars_widgets_data":{"wp_inactive_widgets":[], +# "sidebar-1":["search-2","recent-posts-2","recent-comments-2", +# "archives-2","categories-2","meta-2"]}}&nonce=XXX& +# customize_messenger_channel=preview-0 +SecRule ARGS:wp_customize "@streq on" \ + "id:9002150,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain" + SecRule &ARGS:action "@eq 0" \ + "t:none,\ + ctl:ruleRemoveTargetById=942200;ARGS:customized,\ + ctl:ruleRemoveTargetById=942260;ARGS:customized,\ + ctl:ruleRemoveTargetById=942300;ARGS:customized,\ + ctl:ruleRemoveTargetById=942330;ARGS:customized,\ + ctl:ruleRemoveTargetById=942340;ARGS:customized,\ + ctl:ruleRemoveTargetById=942370;ARGS:customized,\ + ctl:ruleRemoveTargetById=942430;ARGS:customized,\ + ctl:ruleRemoveTargetById=942431;ARGS:customized,\ + ctl:ruleRemoveTargetById=942460;ARGS:customized" + +# Appearance -> Widgets -> Live Preview +SecRule ARGS:wp_customize "@streq on" \ + "id:9002160,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain" + SecRule ARGS:action "@rx ^(?:|customize_save|update-widget)$" \ + "t:none,\ + chain" + SecRule &ARGS:action "@eq 1" \ + "t:none,\ + ctl:ruleRemoveTargetById=942200;ARGS:customized,\ + ctl:ruleRemoveTargetById=942260;ARGS:customized,\ + ctl:ruleRemoveTargetById=942300;ARGS:customized,\ + ctl:ruleRemoveTargetById=942330;ARGS:customized,\ + ctl:ruleRemoveTargetById=942340;ARGS:customized,\ + ctl:ruleRemoveTargetById=942370;ARGS:customized,\ + ctl:ruleRemoveTargetById=942430;ARGS:customized,\ + ctl:ruleRemoveTargetById=942431;ARGS:customized,\ + ctl:ruleRemoveTargetById=942460;ARGS:customized,\ + ctl:ruleRemoveTargetById=920230;ARGS:partials,\ + ctl:ruleRemoveTargetById=941320;ARGS:partials,\ + ctl:ruleRemoveTargetById=942180;ARGS:partials,\ + ctl:ruleRemoveTargetById=942200;ARGS:partials,\ + ctl:ruleRemoveTargetById=942260;ARGS:partials,\ + ctl:ruleRemoveTargetById=942330;ARGS:partials,\ + ctl:ruleRemoveTargetById=942340;ARGS:partials,\ + ctl:ruleRemoveTargetById=942370;ARGS:partials,\ + ctl:ruleRemoveTargetById=942430;ARGS:partials,\ + ctl:ruleRemoveTargetById=942431;ARGS:partials,\ + ctl:ruleRemoveTargetById=942460;ARGS:partials" + + + +# Self calls to wp-cron.php?doing_wp_cron=[timestamp] +# These requests may be missing Accept, Content-Length headers. +# This rule must run in phase:1. +SecRule REQUEST_FILENAME "@endsWith /wp-cron.php" \ + "id:9002200,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveById=920180,\ + ctl:ruleRemoveById=920300" + + +# +# [ Cookies ] + +# WP Session Manager +# Cookie: _wp_session=[hex]||[timestamp]||[timestamp] +# detected SQLi using libinjection with fingerprint 'n&1' +SecRule REQUEST_COOKIES:_wp_session "@rx ^[0-9a-f]+\|\|\d+\|\|\d+$" \ + "id:9002300,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + chain" + SecRule &REQUEST_COOKIES:_wp_session "@eq 1" \ + "t:none,\ + ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:_wp_session" + + +# +# -=[ WordPress Administration Back-End (wp-admin) ]=- +# + +# Skip this section for performance unless /wp-admin/ is in filename + +SecRule REQUEST_FILENAME "!@contains /wp-admin/" \ + "id:9002400,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + skipAfter:END-WORDPRESS-ADMIN" + +SecRule REQUEST_FILENAME "!@contains /wp-admin/" \ + "id:9002401,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + skipAfter:END-WORDPRESS-ADMIN" + + +# +# [ Installation ] +# + +# WordPress installation: exclude database password +SecRule REQUEST_FILENAME "@endsWith /wp-admin/setup-config.php" \ + "id:9002410,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain" + SecRule ARGS:step "@streq 2" \ + "t:none,\ + chain" + SecRule &ARGS:step "@eq 1" \ + "t:none,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd" + +# WordPress installation: exclude admin password +SecRule REQUEST_FILENAME "@endsWith /wp-admin/install.php" \ + "id:9002420,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain" + SecRule ARGS:step "@streq 2" \ + "t:none,\ + chain" + SecRule &ARGS:step "@eq 1" \ + "t:none,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:admin_password,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:admin_password2,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text" + + +# +# [ User management ] +# + +# Edit logged-in user +SecRule REQUEST_FILENAME "@endsWith /wp-admin/profile.php" \ + "id:9002520,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain" + SecRule ARGS:action "@streq update" \ + "t:none,\ + chain" + SecRule &ARGS:action "@eq 1" \ + "t:none,\ + ctl:ruleRemoveTargetById=931130;ARGS:url,\ + ctl:ruleRemoveTargetById=931130;ARGS:facebook,\ + ctl:ruleRemoveTargetById=931130;ARGS:googleplus,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2" + +# Edit user +SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-edit.php" \ + "id:9002530,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain" + SecRule ARGS:action "@streq update" \ + "t:none,\ + chain" + SecRule &ARGS:action "@eq 1" \ + "t:none,\ + ctl:ruleRemoveTargetById=931130;ARGS:url,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2" + +# Create user +SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-new.php" \ + "id:9002540,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain" + SecRule ARGS:action "@streq createuser" \ + "t:none,\ + chain" + SecRule &ARGS:action "@eq 1" \ + "t:none,\ + ctl:ruleRemoveTargetById=931130;ARGS:url,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2" + + +# +# [ General exclusions ] +# + +# _wp_http_referer and wp_http_referer are passed on a lot of wp-admin pages +SecAction \ + "id:9002600,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetById=920230;ARGS:_wp_http_referer,\ + ctl:ruleRemoveTargetById=931130;ARGS:_wp_http_referer,\ + ctl:ruleRemoveTargetById=932150;ARGS:_wp_http_referer,\ + ctl:ruleRemoveTargetById=941100;ARGS:_wp_http_referer,\ + ctl:ruleRemoveTargetById=942130;ARGS:_wp_http_referer,\ + ctl:ruleRemoveTargetById=942200;ARGS:_wp_http_referer,\ + ctl:ruleRemoveTargetById=942260;ARGS:_wp_http_referer,\ + ctl:ruleRemoveTargetById=942431;ARGS:_wp_http_referer,\ + ctl:ruleRemoveTargetById=920230;ARGS:wp_http_referer,\ + ctl:ruleRemoveTargetById=931130;ARGS:wp_http_referer,\ + ctl:ruleRemoveTargetById=932150;ARGS:wp_http_referer,\ + ctl:ruleRemoveTargetById=941100;ARGS:wp_http_referer,\ + ctl:ruleRemoveTargetById=942130;ARGS:wp_http_referer,\ + ctl:ruleRemoveTargetById=942200;ARGS:wp_http_referer,\ + ctl:ruleRemoveTargetById=942260;ARGS:wp_http_referer,\ + ctl:ruleRemoveTargetById=942431;ARGS:wp_http_referer" + +# +# [ Content editing ] +# + +# Edit posts and pages +# /wp-admin/post.php, /wp-admin/post.php?t=[timestamp] +# - Themes do not properly escape post_title in HTML, so beware of XSS +# and be conservative in excluding this parameter. +# - Parameter _wp_http_referer can appear multiple times. +SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" \ + "id:9002700,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain" + SecRule ARGS:action "@rx ^(?:edit|editpost)$" \ + "t:none,\ + chain" + SecRule &ARGS:action "@eq 1" \ + "t:none,\ + ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:post_title,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:content,\ + ctl:ruleRemoveById=920272,\ + ctl:ruleRemoveById=921180" + +# Autosave posts and pages +# ARGS_NAMES:data[wp-check-locked-posts][] can appear multiple times +SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \ + "id:9002710,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain" + SecRule ARGS:action "@streq heartbeat" \ + "t:none,\ + chain" + SecRule &ARGS:action "@eq 1" \ + "t:none,\ + ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:data[wp_autosave][post_title],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:data[wp_autosave][content],\ + ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-refresh-post-lock][post_id],\ + ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-refresh-post-lock][lock],\ + ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-check-locked-posts][],\ + ctl:ruleRemoveById=921180,\ + ctl:ruleRemoveById=920272" + +# Edit menus +SecRule REQUEST_FILENAME "@endsWith /wp-admin/nav-menus.php" \ + "id:9002720,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain" + SecRule ARGS:action "@streq update" \ + "t:none,\ + chain" + SecRule &ARGS:action "@eq 1" \ + "t:none,\ + ctl:ruleRemoveTargetById=942460;ARGS:menu-name,\ + ctl:ruleRemoveTargetById=941330;ARGS:nav-menu-data,\ + ctl:ruleRemoveTargetById=941340;ARGS:nav-menu-data,\ + ctl:ruleRemoveTargetById=942200;ARGS:nav-menu-data,\ + ctl:ruleRemoveTargetById=942260;ARGS:nav-menu-data,\ + ctl:ruleRemoveTargetById=942330;ARGS:nav-menu-data,\ + ctl:ruleRemoveTargetById=942340;ARGS:nav-menu-data,\ + ctl:ruleRemoveTargetById=942430;ARGS:nav-menu-data,\ + ctl:ruleRemoveTargetById=942431;ARGS:nav-menu-data,\ + ctl:ruleRemoveTargetById=942460;ARGS:nav-menu-data" + +# Edit text widgets (can contain custom HTML) +SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \ + "id:9002730,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain" + SecRule ARGS:action "@rx ^(?:save-widget|update-widget)$" \ + "t:none,\ + chain" + SecRule &ARGS:action "@eq 1" \ + "t:none,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[0][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[1][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[2][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[3][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[4][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[5][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[6][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[7][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[8][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[9][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[10][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[11][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[12][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[13][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[14][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[15][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[16][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[17][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[18][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[19][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[20][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[21][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[22][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[23][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[24][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[25][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[26][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[27][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[28][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[29][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[30][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[31][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[32][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[33][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[34][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[35][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[36][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[37][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[38][text],\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[39][text]" + +# Reorder widgets +SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \ + "id:9002740,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain" + SecRule ARGS:action "@streq widgets-order" \ + "t:none,\ + chain" + SecRule &ARGS:action "@eq 1" \ + "t:none,\ + ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-1],\ + ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-1],\ + ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-2],\ + ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-2],\ + ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-3],\ + ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-3],\ + ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-4],\ + ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-4],\ + ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-5],\ + ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-5],\ + ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-6],\ + ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-6],\ + ctl:ruleRemoveTargetById=942430;ARGS:sidebars[sidebar-7],\ + ctl:ruleRemoveTargetById=942431;ARGS:sidebars[sidebar-7]" + +# Create permalink sample for new post +SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \ + "id:9002750,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain" + SecRule ARGS:action "@streq sample-permalink" \ + "t:none,\ + chain" + SecRule &ARGS:action "@eq 1" \ + "t:none,\ + ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:new_title" + +# Add external link to menu +SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \ + "id:9002760,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain" + SecRule ARGS:action "@streq add-menu-item" \ + "t:none,\ + chain" + SecRule &ARGS:action "@eq 1" \ + "t:none,\ + ctl:ruleRemoveTargetById=931130;ARGS:menu-item[-1][menu-item-url]" + +# Editor: Add Media, Insert Media, Insert into page +SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \ + "id:9002770,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain" + SecRule ARGS:action "@streq send-attachment-to-editor" \ + "t:none,\ + chain" + SecRule &ARGS:action "@eq 1" \ + "t:none,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:html" + + +# +# [ Options and Settings ] +# + +# Change site URL +SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \ + "id:9002800,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain" + SecRule ARGS:option_page "@streq general" \ + "t:none,\ + chain" + SecRule &ARGS:option_page "@eq 1" \ + "t:none,\ + chain" + SecRule ARGS:action "@streq update" \ + "t:none,\ + chain" + SecRule &ARGS:action "@eq 1" \ + "t:none,\ + ctl:ruleRemoveTargetById=931130;ARGS:home,\ + ctl:ruleRemoveTargetById=931130;ARGS:siteurl" + +# Permalink settings +# permalink_structure=/index.php/%year%/%monthnum%/%day%/%postname%/ +SecRule REQUEST_FILENAME "@endsWith /wp-admin/options-permalink.php" \ + "id:9002810,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetById=920230;ARGS:selection,\ + ctl:ruleRemoveTargetById=920272;ARGS:selection,\ + ctl:ruleRemoveTargetById=942431;ARGS:selection,\ + ctl:ruleRemoveTargetById=920230;ARGS:permalink_structure,\ + ctl:ruleRemoveTargetById=920272;ARGS:permalink_structure,\ + ctl:ruleRemoveTargetById=942431;ARGS:permalink_structure,\ + ctl:ruleRemoveTargetById=920272;REQUEST_BODY" + +# Comments blacklist and moderation list +SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \ + "id:9002820,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain" + SecRule ARGS:option_page "@streq discussion" \ + "t:none,\ + chain" + SecRule &ARGS:option_page "@eq 1" \ + "t:none,\ + chain" + SecRule ARGS:action "@streq update" \ + "t:none,\ + chain" + SecRule &ARGS:action "@eq 1" \ + "t:none,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:blacklist_keys,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:moderation_keys" + + +# +# [ Helpers ] +# + +# /wp-admin/load-scripts.php?c=0&load%5B%5D=hoverIntent,common, +# admin-bar,wp-ajax-response,jquery-color,wp-lists,quicktags, +# jquery-query,admin-comments,svg-painter,heartbeat,&load%5B%5D= +# wp-auth-check,wp-a11y,wplink,jquery-ui-core,jquery-ui-widget, +# jquery-ui-position,jquery-ui-menu,jquery-ui-autocomplete&ver=4.6.1 +# +# /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons, +# admin-bar,buttons,media-views,common,forms,admin-menu,dashboard, +# list-tables,edit,revisions,media,themes,about,nav-menu&load%5B%5D= +# s,widgets,site-icon,l10n,wp-auth-check&ver=4.6.1 +# +# /wp-admin/load-scripts.php?c=0&load%5B%5D=hoverIntent,common, +# admin-bar,jquery-ui-widget,jquery-ui-position,wp-pointer, +# wp-ajax-response,jquery-color,wp-lists,quicktags, +# jqu&load%5B%5D=ery-query,admin-comments,jquery-ui-core, +# jquery-ui-mouse,jquery-ui-sortable,postbox,dashboard,underscore, +# customize-base,customize&load%5B%5D=-loader,thickbox,plugin-install, +# wp-util,wp-a11y,updates,shortcode,media-upload,svg-painter, +# jquery-ui-accordion&ver=3f9999390861a0133beda3ee8acf152e +SecRule REQUEST_FILENAME "@rx /wp-admin/load-(?:scripts|styles)\.php$" \ + "id:9002900,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveById=921180,\ + ctl:ruleRemoveTargetById=920273;ARGS_NAMES:load[],\ + ctl:ruleRemoveTargetById=942432;ARGS_NAMES:load[],\ + ctl:ruleRemoveTargetById=942360;ARGS:load[],\ + ctl:ruleRemoveTargetById=942430;ARGS:load[],\ + ctl:ruleRemoveTargetById=942431;ARGS:load[],\ + ctl:ruleRemoveTargetById=942432;ARGS:load[]" + + +SecMarker "END-WORDPRESS-ADMIN" + + +SecMarker "END-WORDPRESS" diff --git a/confs/owasp-crs/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf b/confs/owasp-crs/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf new file mode 100644 index 0000000..f667c5f --- /dev/null +++ b/confs/owasp-crs/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf @@ -0,0 +1,355 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# +# ------------------------------------------------------------------------ + +# These exclusions remedy false positives in a default NextCloud install. +# They will likely work with OwnCloud too, but you may have to modify them. +# The exclusions are only active if crs_exclusions_nextcloud=1 is set. +# See rule 900130 in crs-setup.conf.example for instructions. +# +# To relax upload restrictions for only the php files that need it, +# you put something like this in crs-setup.conf: +# +# SecRule REQUEST_FILENAME "@rx /(?:remote.php|index.php)/" \ +# "id:9003330,\ +# phase:1,\ +# t:none,\ +# nolog,\ +# pass,\ +# tx.restricted_extensions='.bak/ .config/ .conf/'" +# +# Large uploads can be modified with SecRequestBodyLimit. Or they +# can be more controlled by using the following: +# +# SecRule REQUEST_URI "@endsWith /index.php/apps/files/ajax/upload.php" \ +# "id:9003610,\ +# phase:1,\ +# t:none,\ +# nolog,\ +# ctl:requestBodyLimit=1073741824" +# +# --------------------- + + +SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \ + "id:9003000,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + skipAfter:END-NEXTCLOUD" + +SecRule &TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud "@eq 0" \ + "id:9003001,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + skipAfter:END-NEXTCLOUD" + + +# +# [ File Manager ] +# +# +# The web interface uploads files, and interacts with the user. + +SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \ + "id:9003100,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveByTag=attack-injection-php,\ + ctl:ruleRemoveById=941000-942999,\ + ctl:ruleRemoveById=951000-951999,\ + ctl:ruleRemoveById=953100-953130,\ + ctl:ruleRemoveById=920420,\ + ctl:ruleRemoveById=920440" + +# Skip PUT parsing for invalid encoding / protocol violations in binary files. + +SecRule REQUEST_METHOD "@streq PUT" \ + "id:9003105,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain" + SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \ + "t:none,\ + ctl:ruleRemoveById=920000-920999,\ + ctl:ruleRemoveById=932000-932999,\ + ctl:ruleRemoveById=921150,\ + ctl:ruleRemoveById=930110,\ + ctl:ruleRemoveById=930120" + +# Allow the data type 'text/vcard' + +SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \ + "id:9003110,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|text/vcard'" + +# Allow the data type 'application/octet-stream' + +SecRule REQUEST_METHOD "@rx ^(?:PUT|MOVE)$" \ + "id:9003115,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain" + SecRule REQUEST_FILENAME "@rx /remote\.php/dav/(?:files|uploads)/" \ + "setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|application/octet-stream'" + +# Allow data types like video/mp4 + +SecRule REQUEST_METHOD "@streq PUT" \ + "id:9003116,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain" + SecRule REQUEST_FILENAME "@rx (?:/public\.php/webdav/|/remote\.php/dav/uploads/)" \ + "ctl:ruleRemoveById=920340,\ + ctl:ruleRemoveById=920420" + + +# Allow characters like /../ in files. +# Allow all kind of filetypes. +# Allow source code. + +SecRule REQUEST_FILENAME "@contains /remote.php/dav/files/" \ + "id:9003120,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveById=930100-930110,\ + ctl:ruleRemoveById=951000-951999,\ + ctl:ruleRemoveById=953100-953130,\ + ctl:ruleRemoveById=920440" + + +# [ Searchengine ] +# +# NexCloud uses a search field for filename or content queries. + +SecRule REQUEST_FILENAME "@contains /index.php/core/search" \ + "id:9003125,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetByTag=attack-injection-php;ARGS:query,\ + ctl:ruleRemoveTargetById=941000-942999;ARGS:query,\ + ctl:ruleRemoveTargetById=932000-932999;ARGS:query" + + +# [ DAV ] +# +# NextCloud uses DAV methods with index.php and remote.php to do many things +# The default ones in ModSecurity are: GET HEAD POST OPTIONS +# +# Looking through the code, and via testing, I found these: +# +# File manager: PUT DELETE MOVE PROPFIND PROPPATCH +# Calendars: REPORT +# Others in the code or js files: PATCH MKCOL MOVE TRACE +# Others that I added just in case, and they seem related: +# CHECKOUT COPY LOCK MERGE MKACTIVITY UNLOCK. + +SecRule REQUEST_FILENAME "@rx /(?:remote|index|public)\.php/" \ + "id:9003130,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT PATCH CHECKOUT COPY DELETE LOCK MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH UNLOCK REPORT TRACE jsonp'" + + +# We need to allow DAV methods for sharing files, and removing shares +# DELETE - when the share is removed +# PUT - when setting a password / expiration time + +SecRule REQUEST_FILENAME "@rx /ocs/v[0-9]+\.php/apps/files_sharing/" \ + "id:9003140,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE'" + + +# [ Preview and Thumbnails ] + +SecRule REQUEST_FILENAME "@contains /index.php/core/preview.png" \ + "id:9003150,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetById=932150;ARGS:file" + +# Filepreview for trashbin + +SecRule REQUEST_FILENAME "@contains /index.php/apps/files_trashbin/ajax/preview.php" \ + "id:9003155,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetById=932150;ARGS:file,\ + ctl:ruleRemoveTargetById=942190;ARGS:file" + +SecRule REQUEST_FILENAME "@rx /index\.php/(?:apps/gallery/thumbnails|logout$)" \ + "id:9003160,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetById=941120;ARGS:requesttoken" + + +# [ Ownnote ] + +SecRule REQUEST_FILENAME "@contains /index.php/apps/ownnote/" \ + "id:9003300,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveById=941150" + + +# [ Text Editor ] +# +# This file can save anything, and it's name could be lots of things. + +SecRule REQUEST_FILENAME "@contains /index.php/apps/files_texteditor/" \ + "id:9003310,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:filecontents,\ + ctl:ruleRemoveTargetById=921110-921160;ARGS:filecontents,\ + ctl:ruleRemoveTargetById=932150;ARGS:filename,\ + ctl:ruleRemoveTargetById=920370-920390;ARGS:filecontents,\ + ctl:ruleRemoveTargetById=920370-920390;ARGS_COMBINED_SIZE" + + +# [ Address Book ] +# +# Allow the data type 'text/vcard' + +SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \ + "id:9003320,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|text/vcard'" + + +# [ Calendar ] +# +# Allow the data type 'text/calendar' + +SecRule REQUEST_FILENAME "@contains /remote.php/dav/calendars/" \ + "id:9003330,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|text/calendar'" + + +# [ Notes ] +# +# We want to allow a lot of things as the user is +# allowed to note on anything. + +SecRule REQUEST_FILENAME "@contains /index.php/apps/notes/" \ + "id:9003340,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveByTag=attack-injection-php" + + +# [ Bookmarks ] +# +# Allow urls in data. + +SecRule REQUEST_FILENAME "@contains /index.php/apps/bookmarks/" \ + "id:9003350,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveById=931130" + + +# +# [ Login forms ] +# + +# This removes checks on the 'password' and related fields: + +# User login password. + +SecRule REQUEST_FILENAME "@contains /index.php/login" \ + "id:9003400,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetById=941100;ARGS:requesttoken,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:password" + +# Reset password. + +SecRule REQUEST_FILENAME "@endsWith /index.php/login" \ + "id:9003410,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain" + SecRule ARGS:action "@streq resetpass" \ + "t:none,\ + chain" + SecRule &ARGS:action "@eq 1" \ + "t:none,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2" + +# Change Password and Setting up a new user/password + +SecRule REQUEST_FILENAME "@endsWith /index.php/settings/users" \ + "id:9003500,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:newuserpassword,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:password" + + +SecMarker "END-NEXTCLOUD-ADMIN" + +SecMarker "END-NEXTCLOUD" diff --git a/confs/owasp-crs/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf b/confs/owasp-crs/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf new file mode 100644 index 0000000..dfb180f --- /dev/null +++ b/confs/owasp-crs/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf @@ -0,0 +1,261 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# +# ------------------------------------------------------------------------ + +# These exclusions remedy false positives in a default Dokuwiki install. +# The exclusions are only active if crs_exclusions_dokuwiki=1 is set. +# See rule 900130 in crs-setup.conf.example for instructions. +# +# Note, if you want to relax the upload restrictions, +# see rule 900240. For Dokuwiki you can limit the exception +# to the ajax.php file: +# +# SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php" ... +# + + +SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \ + "id:9004000,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + skipAfter:END-DOKUWIKI" + +SecRule &TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki "@eq 0" \ + "id:9004001,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + skipAfter:END-DOKUWIKI" + + +# +# -=[ Dokuwiki Front-End ]=- +# +# Note on files specified: +# /doku.php: shows pages, saves, edits, admin +# /lib/exe/ajax.php: autosave, uploads +# +# Allow pages to be edited, and ajax to save drafts. +# +# ARGS 'wikitext', 'suffix', and 'prefix' must allow the same things, +# as the page (in part or whole) is passed via 'suffix/prefix' at times. +# attack-protocol (921110-921160/920230): Allows odd characters on the page. +# CRS: (still need attack-protocol specified.) +# attack-injection-php (930000-933999): Allows code on page. +# attack-sqli (940000-942999): Allows SQL expressions on page. +# +# Others: +# 930100-930110;REQUEST_BODY: if there's a /../ in the text. +# +# ARGS:summary (the text in the 'summary' box on page edits.): +# Allowing 930120-930130 lets user save summaries with +# system file names. This should not be needed in normal +# use. But leaving a note here of how to allow in rule below: +# ctl:ruleRemoveTargetById=930120;ARGS:summary +# ctl:ruleRemoveTargetById=930130;ARGS:summary +# +# Also, can't specify: +# SecRule ARGS:do "@streq edit" \ +# SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php"\ +# because at times the do=edit can get dropped, so if we use +# above the edit will get blocked when the page is saved. + +# Hint: those using .htaccess rewrites can remove/replace +# this first 'SecRule...' line with 'SecAction \' (unsupported). + +SecRule REQUEST_FILENAME "@rx (?:/doku.php|/lib/exe/ajax.php)$" \ + "id:9004100,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain" + SecRule REQUEST_METHOD "@streq POST" \ + "t:none,\ + chain" + SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \ + "t:none,\ + ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:wikitext,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:wikitext,\ + ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:suffix,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:suffix,\ + ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:prefix,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:prefix,\ + ctl:ruleRemoveTargetById=930100-930110;REQUEST_BODY" + + +# Allow it to upload files. But check for cookies just to make sure. + +SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php"\ + "id:9004110,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + noauditlog,\ + chain" + SecRule REQUEST_METHOD "@streq POST" \ + "t:none,\ + chain" + SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \ + "t:none,\ + setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|application/octet-stream'" + + +# Show the index, even if things like "postgresql" or other things show up. + +SecRule REQUEST_FILENAME "@endsWith /doku.php"\ + "id:9004130,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + noauditlog,\ + chain" + SecRule ARGS:do "@streq index" \ + "t:none,\ + chain" + SecRule &ARGS:do "@eq 1" \ + "t:none,\ + ctl:ruleRemoveById=951240,\ + ctl:ruleRemoveById=953110" + + +# +# [ Login form ] +# + +# Turn off checks for password. + +SecRule REQUEST_FILENAME "@endsWith /doku.php" \ + "id:9004200,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + noauditlog,\ + chain" + SecRule ARGS:do "@streq login" \ + "t:none,\ + chain" + SecRule &ARGS:do "@eq 1" \ + "t:none,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:p" + + +# +# [ Admin Area ] +# +# Skip this section for performance unless do=admin is in request + +SecRule ARGS:do "!@streq admin" \ + "id:9004300,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + skipAfter:END-DOKUWIKI-ADMIN" + +SecRule ARGS:do "!@streq admin" \ + "id:9004310,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + skipAfter:END-DOKUWIKI-ADMIN" + + +# [ Reset password ] +# +# Turn off checks for pass1, pass1-text, pass2 + +SecRule REQUEST_FILENAME "@endsWith /doku.php" \ + "id:9004320,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + noauditlog,\ + chain" + SecRule ARGS:do "@streq login" \ + "t:none,\ + chain" + SecRule &ARGS:do "@eq 1" \ + "t:none,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2" + + +# [ Save config ] +# +# Allow the config to be saved: +# 942200: If the user adds "..." to tagline: ARGS:config[tagline] +# 942430: if ARGS:config[hidepages] has pages looking like sql statements +# 942430,942440: "--- //[[@MAIL@|@NAME@]] @DATE@//"]" in ARGS:config[signature] + +SecRule REQUEST_FILENAME "@endsWith /doku.php" \ + "id:9004370,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + noauditlog,\ + chain" + SecRule ARGS:page "@streq config" \ + "t:none,\ + chain" + SecRule &ARGS:page "@eq 1" \ + "t:none,\ + chain" + SecRule REQUEST_METHOD "@streq POST" \ + "t:none,\ + chain" + SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \ + "t:none,\ + ctl:ruleRemoveTargetById=920230;ARGS:config[dformat],\ + ctl:ruleRemoveTargetById=942200;ARGS:config[tagline],\ + ctl:ruleRemoveTargetById=942430;ARGS:config[hidepages],\ + ctl:ruleRemoveTargetById=942430-942440;ARGS:config[signature]" + + +# When the config loads after a save, it gets blocked because +# it has 'readdir' and lines that look like sql +# 942430,942440: "--- //[[@MAIL@|@NAME@]] @DATE@//"]" in ARGS:config[signature] +# 951240,953110: When the page reloads, it triggers +# postgress and php code disclosure rules. + +SecRule REQUEST_FILENAME "@endsWith /doku.php" \ + "id:9004380,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + noauditlog,\ + chain" + SecRule ARGS:page "@streq config" \ + "t:none,\ + chain" + SecRule &ARGS:page "@eq 1" \ + "t:none,\ + chain" + SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \ + "t:none,\ + ctl:ruleRemoveById=951240,\ + ctl:ruleRemoveById=953110" + + +# End [ Admin Area ] + +SecMarker "END-DOKUWIKI-ADMIN" + +SecMarker "END-DOKUWIKI" diff --git a/confs/owasp-crs/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf b/confs/owasp-crs/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf new file mode 100644 index 0000000..1553364 --- /dev/null +++ b/confs/owasp-crs/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf @@ -0,0 +1,60 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# These exclusions remedy false positives in a default cPanel environment. +# The exclusions are only active if crs_exclusions_cpanel=1 is set. +# See rule 900130 in crs-setup.conf.example for instructions. + + +SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \ + "id:9005000,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + skipAfter:END-CPANEL" + +SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" \ + "id:9005001,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + skipAfter:END-CPANEL" + + +# +# [ cPanel whm-server-status ] +# +# Cpanel's WHM auto generates requests to /whm-server-status from +# 127.0.0.1 (triggers rule 920280, non-blocking, log only) Once every 5 minutes. +# These false positives have a low impact (logged, non-blocking) to a large number of users (all cPanel admins). +# + +# +# Rule to allow cPanel whm-server-status requests from localhost without log entry. +# +SecRule REQUEST_LINE "@rx ^GET /whm-server-status(?:/|/\?auto)? HTTP/[12]\.[01]$" \ + "id:9005100,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-apache',\ + tag:'attack-generic',\ + chain" + SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \ + "t:none,\ + ctl:ruleRemoveById=920280,\ + ctl:ruleRemoveById=920350" + + +SecMarker "END-CPANEL" diff --git a/confs/owasp-crs/REQUEST-905-COMMON-EXCEPTIONS.conf b/confs/owasp-crs/REQUEST-905-COMMON-EXCEPTIONS.conf new file mode 100644 index 0000000..3761725 --- /dev/null +++ b/confs/owasp-crs/REQUEST-905-COMMON-EXCEPTIONS.conf @@ -0,0 +1,52 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + + +# This file is used as an exception mechanism to remove common false positives +# that may be encountered. +# +# Exception for Apache SSL pinger +# +SecRule REQUEST_LINE "@streq GET /" \ + "id:905100,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-apache',\ + tag:'attack-generic',\ + chain" + SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \ + "t:none,\ + ctl:ruleEngine=Off,\ + ctl:auditEngine=Off" + +# +# Exception for Apache internal dummy connection +# +SecRule REQUEST_LINE "@rx ^(?:GET /|OPTIONS \*) HTTP/[12]\.[01]$" \ + "id:905110,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-apache',\ + tag:'attack-generic',\ + chain" + SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \ + "t:none,\ + chain" + SecRule REQUEST_HEADERS:User-Agent "@rx ^.*\(internal dummy connection\)$" \ + "t:none,\ + ctl:ruleEngine=Off,\ + ctl:auditEngine=Off" diff --git a/confs/owasp-crs/REQUEST-910-IP-REPUTATION.conf b/confs/owasp-crs/REQUEST-910-IP-REPUTATION.conf new file mode 100644 index 0000000..eadbb24 --- /dev/null +++ b/confs/owasp-crs/REQUEST-910-IP-REPUTATION.conf @@ -0,0 +1,311 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# +# -= Paranoia Level 0 (empty) =- (apply unconditionally) +# + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:910011,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:910012,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" +# +# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# + +# +# -=[ IP Reputation Block Flag Check ]=- +# +# The first check we do is to see if the client IP address has already +# been blacklisted by rules from previous requests. +# +# If the rule matches, it will do a skipAfter and pick up processing +# at the end of the request phase for actual blocking. +# +SecRule TX:DO_REPUT_BLOCK "@eq 1" \ + "id:910000,\ + phase:2,\ + block,\ + t:none,\ + msg:'Request from Known Malicious Client (Based on previous traffic violations).',\ + logdata:'Previous Block Reason: %{ip.reput_block_reason}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-reputation-ip',\ + tag:'IP_REPUTATION/MALICIOUS_CLIENT',\ + setvar:'tx.msg=%{rule.msg}',\ + severity:'CRITICAL',\ + chain,\ + skipAfter:BEGIN-REQUEST-BLOCKING-EVAL" + SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \ + "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" + + +# +# -=[ GeoIP Checks ]=- +# +# This rule requires activating the SecGeoLookupDB directive +# in the crs-setup.conf file and specifying +# the list of blocked countries (tx.high_risk_country_codes). +# +# This rule does a GeoIP resolution on the client IP address. +# +SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \ + "id:910100,\ + phase:2,\ + block,\ + t:none,\ + msg:'Client IP is from a HIGH Risk Country Location.',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-reputation-ip',\ + severity:'CRITICAL',\ + chain" + SecRule TX:REAL_IP "@geoLookup" \ + "chain" + SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" \ + "setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + setvar:'ip.reput_block_flag=1',\ + setvar:'ip.reput_block_reason=%{rule.msg}',\ + expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'" + + +# +# -=[ IP Reputation Checks ]=- +# +# ModSecurity Rules from Trustwave SpiderLabs: IP Blacklist Alert +# Ref: http://www.modsecurity.org/projects/commercial/rules/ +# +# This rule checks the client IP address against a list of recent IPs captured +# from the SpiderLabs web honeypot systems (last 48 hours). +# +#SecRule TX:REAL_IP "@ipMatchFromFile ip_blacklist.data" \ +# "id:910110,\ +# phase:2,\ +# block,\ +# t:none,\ +# msg:'Client IP in Trustwave SpiderLabs IP Reputation Blacklist.',\ +# tag:'application-multi',\ +# tag:'language-multi',\ +# tag:'platform-multi',\ +# tag:'attack-reputation-ip',\ +# severity:'CRITICAL',\ +# setvar:'tx.msg=%{rule.msg}',\ +# setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ +# setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ +# setvar:'ip.reput_block_flag=1',\ +# setvar:'ip.reput_block_reason=%{rule.msg}',\ +# expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'" + + +# +# First check if we have already run an @rbl check for this IP by checking in IP collection. +# If we have, then skip doing another check. +# +SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \ + "id:910120,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-reputation-ip',\ + skipAfter:END-RBL-LOOKUP" + +# +# Check Client IP against ProjectHoneypot's HTTP Blacklist +# Ref: http://www.projecthoneypot.org/httpbl_api.php +# +# To use the blacklist, you must register for an HttpBL API Key +# and choose the traffic types to block. See section +# "Project Honey Pot HTTP Blacklist" in crs-setup.conf. +# +# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey +# + +# Skip HttpBL checks if user has not defined one of the TX:block_* variables. +# This prevents error "Operator error: RBL httpBl called but no key defined: set SecHttpBlKey" +SecRule &TX:block_suspicious_ip "@eq 0" \ + "id:910130,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + chain,\ + skipAfter:END-RBL-CHECK" + SecRule &TX:block_harvester_ip "@eq 0" \ + "chain" + SecRule &TX:block_spammer_ip "@eq 0" \ + "chain" + SecRule &TX:block_search_ip "@eq 0" + +SecRule TX:REAL_IP "@rbl dnsbl.httpbl.org" \ + "id:910140,\ + phase:2,\ + pass,\ + capture,\ + t:none,\ + nolog,\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-reputation-ip',\ + setvar:'tx.httpbl_msg=%{tx.0}',\ + chain" + SecRule TX:httpbl_msg "@rx RBL lookup of .*?.dnsbl.httpbl.org succeeded at TX:checkip. (.*?): .*" \ + "capture,\ + t:none,\ + setvar:'tx.httpbl_msg=%{tx.1}'" + +# The following regexs are generated based off re_operators.c +SecRule TX:block_search_ip "@eq 1" \ + "id:910150,\ + phase:2,\ + block,\ + t:none,\ + msg:'HTTP Blacklist match for search engine IP',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-reputation-ip',\ + severity:'CRITICAL',\ + chain,\ + skipAfter:END-RBL-CHECK" + SecRule TX:httpbl_msg "@rx Search Engine" \ + "setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + setvar:'ip.reput_block_flag=1',\ + setvar:'ip.reput_block_reason=%{rule.msg}',\ + setvar:'ip.previous_rbl_check=1',\ + expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\ + expirevar:'ip.previous_rbl_check=86400'" + +SecRule TX:block_spammer_ip "@eq 1" \ + "id:910160,\ + phase:2,\ + block,\ + t:none,\ + msg:'HTTP Blacklist match for spammer IP',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-reputation-ip',\ + severity:'CRITICAL',\ + chain,\ + skipAfter:END-RBL-CHECK" + SecRule TX:httpbl_msg "@rx (?i)^.*? spammer .*?$" \ + "setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + setvar:'ip.reput_block_flag=1',\ + setvar:'ip.reput_block_reason=%{rule.msg}',\ + setvar:'ip.previous_rbl_check=1',\ + expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\ + expirevar:'ip.previous_rbl_check=86400'" + +SecRule TX:block_suspicious_ip "@eq 1" \ + "id:910170,\ + phase:2,\ + block,\ + t:none,\ + msg:'HTTP Blacklist match for suspicious IP',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-reputation-ip',\ + severity:'CRITICAL',\ + chain,\ + skipAfter:END-RBL-CHECK" + SecRule TX:httpbl_msg "@rx (?i)^.*? suspicious .*?$" \ + "setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + setvar:'ip.reput_block_flag=1',\ + setvar:'ip.reput_block_reason=%{rule.msg}',\ + setvar:'ip.previous_rbl_check=1',\ + expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\ + expirevar:'ip.previous_rbl_check=86400'" + +SecRule TX:block_harvester_ip "@eq 1" \ + "id:910180,\ + phase:2,\ + block,\ + t:none,\ + msg:'HTTP Blacklist match for harvester IP',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-reputation-ip',\ + severity:'CRITICAL',\ + chain,\ + skipAfter:END-RBL-CHECK" + SecRule TX:httpbl_msg "@rx (?i)^.*? harvester .*?$" \ + "setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + setvar:'ip.reput_block_flag=1',\ + setvar:'ip.reput_block_reason=%{rule.msg}',\ + setvar:'ip.previous_rbl_check=1',\ + expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\ + expirevar:'ip.previous_rbl_check=86400'" + +SecAction \ + "id:910190,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-reputation-ip',\ + setvar:'ip.previous_rbl_check=1',\ + expirevar:'ip.previous_rbl_check=86400'" + +SecMarker "END-RBL-LOOKUP" + +SecMarker "END-RBL-CHECK" + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:910013,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:910014,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" +# +# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:910015,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:910016,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" +# +# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) +# + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:910017,phase:1,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:910018,phase:2,pass,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION" +# +# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# + + + +# +# -= Paranoia Levels Finished =- +# +SecMarker "END-REQUEST-910-IP-REPUTATION" diff --git a/confs/owasp-crs/REQUEST-911-METHOD-ENFORCEMENT.conf b/confs/owasp-crs/REQUEST-911-METHOD-ENFORCEMENT.conf new file mode 100644 index 0000000..0196990 --- /dev/null +++ b/confs/owasp-crs/REQUEST-911-METHOD-ENFORCEMENT.conf @@ -0,0 +1,78 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# +# -= Paranoia Level 0 (empty) =- (apply unconditionally) +# + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" +# +# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# + +# +# -=[ Allowed Request Methods ]=- +# +# tx.allowed_methods is defined in the crs-setup.conf file +# +SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \ + "id:911100,\ + phase:2,\ + block,\ + msg:'Method is not allowed by policy',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-generic',\ + tag:'OWASP_CRS/POLICY/METHOD_NOT_ALLOWED',\ + tag:'WASCTC/WASC-15',\ + tag:'OWASP_TOP_10/A6',\ + tag:'OWASP_AppSensor/RE1',\ + tag:'PCI/12.1',\ + severity:'CRITICAL',\ + ver:'OWASP_CRS/3.1.1',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" + + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" +# +# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" +# +# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) +# + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT" +# +# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# + + + +# +# -= Paranoia Levels Finished =- +# +SecMarker "END-REQUEST-911-METHOD-ENFORCEMENT" diff --git a/confs/owasp-crs/REQUEST-912-DOS-PROTECTION.conf b/confs/owasp-crs/REQUEST-912-DOS-PROTECTION.conf new file mode 100644 index 0000000..4de94de --- /dev/null +++ b/confs/owasp-crs/REQUEST-912-DOS-PROTECTION.conf @@ -0,0 +1,297 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# +# Anti-Automation rules to detect Denial of Service attacks. +# +# Description of mechanics: +# When a request hits a non-static resource (TX:STATIC_EXTENSIONS), then a counter for the IP +# address is being raised (IP:DOS_COUNTER). If the counter (IP:DOS_COUNTER) hits a limit +# (TX:DOS_COUNTER_THRESHOLD), then a burst is identified (IP:DOS_BURST_COUNTER) and the +# counter (IP:DOS_COUNTER) is reset. The burst counter expires within a timeout period +# (TX:DOS_BURST_TIME_SLICE). +# If the burst counter (IP:DOS_BURST_COUNTER) is greater equal 2, then the blocking flag +# is being set (IP:DOS_BLOCK). The blocking flag (IP:DOS_BLOCK) expires within a timeout +# period (TX:DOS_BLOCK_TIMEOUT). All this counting happens in phase 5. +# There is a stricter sibling to this rule (912170) in paranoia level 2, where the +# burst counter check (IP:DOS_BURST_COUNTER) hits at greater equal 1. +# +# The blocking is done in phase 1: When the blocking flag is encountered (IP:DOS_BLOCK), +# then the request is dropped without sending a response. If this happens, then a +# counter is # raised (IP:DOS_BLOCK_COUNTER). +# When an IP address is blocked for the first time, then the blocking is reported in a +# message and a flag (IP:DOS_BLOCK_FLAG) is set. This flag expires in 60 seconds. +# When an IP address is blocked and the flag (IP:DOS_BLOCK_FLAG) is set, then the +# blocking is not being reported (to prevent a flood of alerts). When the flag +# (IP:DOS_BLOCK_FLAG) has expired and a new request is being blocked, then the +# counter (IP:DOS_BLOCK_COUNTER) is being reset to 0 and the block is being treated +# as the first block (-> alert). +# In order to be able to display the counter (IP:DOS_BLOCK_COUNTER) and resetting +# it at the same time, we copy the counter (IP:DOS_BLOCK_COUNTER) into a different +# variable (TX:DOS_BLOCK_COUNTER), which is then displayed in turn. +# +# Variables: +# IP:DOS_BLOCK Flag if an IP address should be blocked +# IP:DOS_BLOCK_COUNTER Counter of blocked requests +# IP:DOS_BLOCK_FLAG Flag keeping track of alert. Flag expires after 60 seconds. +# IP:DOS_BURST_COUNTER Burst counter +# IP:DOS_COUNTER Request counter (static resources are ignored) +# TX:DOS_BLOCK_COUNTER Copy of IP:DOS_BLOCK_COUNTER (needed for display reasons) +# TX:DOS_BLOCK_TIMEOUT Period in seconds a blocked IP will be blocked +# TX:DOS_COUNTER_THRESHOLD Limit of requests, where a burst is identified +# TX:DOS_BURST_TIME_SLICE Period in seconds when we will forget a burst +# TX:STATIC_EXTENSIONS Paths which can be ignored with regards to DoS +# +# As a precondition for these rules, please set the following three variables: +# - TX:DOS_BLOCK_TIMEOUT +# - TX:DOS_COUNTER_THRESHOLD +# - TX:DOS_BURST_TIME_SLICE +# +# And make sure that TX:STATIC_EXTENSIONS is also set. +# + +# +# -= Paranoia Level 0 (empty) =- (apply unconditionally) +# + +# +# Skip if variables defining DoS protection are not set +# +SecRule &TX:dos_burst_time_slice "@eq 0" \ + "id:912100,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + chain,\ + skipAfter:END-DOS-PROTECTION-CHECKS" + SecRule &TX:dos_counter_threshold "@eq 0" \ + "chain" + SecRule &TX:dos_block_timeout "@eq 0" + +SecRule &TX:dos_burst_time_slice "@eq 0" \ + "id:912110,\ + phase:5,\ + pass,\ + t:none,\ + nolog,\ + chain,\ + skipAfter:END-DOS-PROTECTION-CHECKS" + SecRule &TX:dos_counter_threshold "@eq 0" \ + "chain" + SecRule &TX:dos_block_timeout "@eq 0" + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:912011,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:912012,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION" +# +# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# + +# +# -=[ Anti-Automation / DoS Protection : Block ]=- +# + +# +# Block and track # of requests and log +# +SecRule IP:DOS_BLOCK "@eq 1" \ + "id:912120,\ + phase:1,\ + drop,\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-dos',\ + msg:'Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)',\ + chain" + SecRule &IP:DOS_BLOCK_FLAG "@eq 0" \ + "setvar:'ip.dos_block_counter=+1',\ + setvar:'ip.dos_block_flag=1',\ + setvar:'tx.dos_block_counter=%{ip.dos_block_counter}',\ + setvar:'ip.dos_block_counter=0',\ + expirevar:'ip.dos_block_flag=60'" + + +# +# Block and track # of requests but don't log +# +SecRule IP:DOS_BLOCK "@eq 1" \ + "id:912130,\ + phase:1,\ + drop,\ + t:none,\ + nolog,\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-dos',\ + setvar:'ip.dos_block_counter=+1'" + + +# +# -=[ Anti-Automation / DoS Protection: Count requests ]=- +# + +# +# Skip if we have blocked the request +# +SecRule IP:DOS_BLOCK "@eq 1" \ + "id:912140,\ + phase:5,\ + pass,\ + t:none,\ + nolog,\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-dos',\ + skipAfter:END-DOS-PROTECTION-CHECKS" + + +# +# DOS Counter: Count the number of requests to non-static resources +# +SecRule REQUEST_BASENAME "@rx .*?(\.[a-z0-9]{1,10})?$" \ + "id:912150,\ + phase:5,\ + pass,\ + capture,\ + t:none,t:lowercase,\ + nolog,\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-dos',\ + setvar:'tx.extension=/%{TX.1}/',\ + chain" + SecRule TX:EXTENSION "!@within %{tx.static_extensions}" \ + "setvar:'ip.dos_counter=+1'" + + +# +# Check DOS Counter +# If the request count is greater than or equal to user settings, +# we raise the burst counter. This happens via two separate rules: +# - 912160: raise from 0 to 1 +# - 912161: raise from 1 to 2 +# +# This approach with two rules avoids raising the burst counter +# from 0 to 2 via two concurrent requests. We do not raise the +# burst counter beyond 2. +# +# +SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \ + "id:912160,\ + phase:5,\ + pass,\ + t:none,\ + nolog,\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-dos',\ + chain" + SecRule &IP:DOS_BURST_COUNTER "@eq 0" \ + "setvar:'ip.dos_burst_counter=1',\ + setvar:'!ip.dos_counter',\ + expirevar:'ip.dos_burst_counter=%{tx.dos_burst_time_slice}'" + + +SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" \ + "id:912161,\ + phase:5,\ + pass,\ + t:none,\ + nolog,\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-dos',\ + chain" + SecRule &IP:DOS_BURST_COUNTER "@ge 1" \ + "setvar:'ip.dos_burst_counter=2',\ + setvar:'!ip.dos_counter',\ + expirevar:'ip.dos_burst_counter=%{tx.dos_burst_time_slice}'" + + +# +# Check DOS Burst Counter and set Block +# Check the burst counter - if greater than or equal to 2, then we set the IP +# block variable for a given expiry and issue an alert. +# +SecRule IP:DOS_BURST_COUNTER "@ge 2" \ + "id:912170,\ + phase:5,\ + pass,\ + t:none,\ + log,\ + msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-dos',\ + setvar:'ip.dos_block=1',\ + expirevar:'ip.dos_block=%{tx.dos_block_timeout}'" + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:912013,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:912014,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:912019,phase:5,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION" +# +# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# + +# +# Check DOS Burst Counter and set Block +# Check the burst counter - if greater than or equal to 1, then we set the IP +# block variable for a given expiry and issue an alert. +# +# This is a stricter sibling of rule 912170. +# +SecRule IP:DOS_BURST_COUNTER "@ge 1" \ + "id:912171,\ + phase:5,\ + pass,\ + t:none,\ + log,\ + msg:'Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-dos',\ + tag:'paranoia-level/2',\ + setvar:'ip.dos_block=1',\ + expirevar:'ip.dos_block=%{tx.dos_block_timeout}'" + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:912015,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:912016,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION" +# +# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) +# + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:912017,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:912018,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION" +# +# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# + + + +# +# -= Paranoia Levels Finished =- +# +SecMarker "END-REQUEST-912-DOS-PROTECTION" + +SecMarker "END-DOS-PROTECTION-CHECKS" diff --git a/confs/owasp-crs/REQUEST-913-SCANNER-DETECTION.conf b/confs/owasp-crs/REQUEST-913-SCANNER-DETECTION.conf new file mode 100644 index 0000000..d9868f0 --- /dev/null +++ b/confs/owasp-crs/REQUEST-913-SCANNER-DETECTION.conf @@ -0,0 +1,210 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# +# -= Paranoia Level 0 (empty) =- (apply unconditionally) +# + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" +# +# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# + +# +# -=[ Vulnerability Scanner Checks ]=- +# +# These rules inspect the default User-Agent and Header values sent by +# various commercial and open source vuln scanners. +# +# The following rules contain User-Agent lists: +# 913100 - security scanners (data file scanners-user-agents.data) +# 913101 - scripting/generic HTTP clients (data file scripting-user-agents.data) +# 913102 - web crawlers/bots (data file crawlers-user-agents.data) +# +SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \ + "id:913100,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'Found User-Agent associated with security scanner',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-reputation-scanner',\ + tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\ + tag:'WASCTC/WASC-21',\ + tag:'OWASP_TOP_10/A7',\ + tag:'PCI/6.5.10',\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + setvar:'ip.reput_block_flag=1',\ + setvar:'ip.reput_block_reason=%{rule.msg}',\ + expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'" + +SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmf scanners-headers.data" \ + "id:913110,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'Found request header associated with security scanner',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-reputation-scanner',\ + tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\ + tag:'WASCTC/WASC-21',\ + tag:'OWASP_TOP_10/A7',\ + tag:'PCI/6.5.10',\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + setvar:'ip.reput_block_flag=1',\ + setvar:'ip.reput_block_reason=%{rule.msg}',\ + expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'" + + + +SecRule REQUEST_FILENAME|ARGS "@pmf scanners-urls.data" \ + "id:913120,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'Found request filename/argument associated with security scanner',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-reputation-scanner',\ + tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\ + tag:'WASCTC/WASC-21',\ + tag:'OWASP_TOP_10/A7',\ + tag:'PCI/6.5.10',\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + setvar:'ip.reput_block_flag=1',\ + setvar:'ip.reput_block_reason=%{rule.msg}',\ + expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'" + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" +# +# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# + + +# +# -=[ Scripting/Generic User-Agents ]=- +# +# This rule detects user-agents associated with various HTTP client libraries +# and scripting languages. Detection suggests attempted access by some +# automated tool. +# +# This rule is a sibling of rule 913100. +# +SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \ + "id:913101,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'Found User-Agent associated with scripting/generic HTTP client',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-reputation-scripting',\ + tag:'OWASP_CRS/AUTOMATION/SCRIPTING',\ + tag:'WASCTC/WASC-21',\ + tag:'OWASP_TOP_10/A7',\ + tag:'PCI/6.5.10',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SCRIPTING-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + setvar:'ip.reput_block_flag=1',\ + setvar:'ip.reput_block_reason=%{rule.msg}',\ + expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'" + + + +# +# -=[ Crawler User-Agents ]=- +# +# This rule detects user-agents associated with various crawlers, SEO tools, +# and bots, which have been reported to potentially misbehave. +# These crawlers can have legitimate uses when used with authorization. +# +# This rule is a sibling of rule 913100. +# +SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \ + "id:913102,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'Found User-Agent associated with web crawler/bot',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-reputation-crawler',\ + tag:'OWASP_CRS/AUTOMATION/CRAWLER',\ + tag:'WASCTC/WASC-21',\ + tag:'OWASP_TOP_10/A7',\ + tag:'PCI/6.5.10',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/CRAWLER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + setvar:'ip.reput_block_flag=1',\ + setvar:'ip.reput_block_reason=%{rule.msg}',\ + expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'" + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" +# +# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) +# + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" +# +# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# + + + +# +# -= Paranoia Levels Finished =- +# +SecMarker "END-REQUEST-913-SCANNER-DETECTION" diff --git a/confs/owasp-crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/confs/owasp-crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf new file mode 100644 index 0000000..8cf817c --- /dev/null +++ b/confs/owasp-crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf @@ -0,0 +1,1549 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# +# Some protocol violations are common in application layer attacks. +# Validating HTTP requests eliminates a large number of application layer attacks. +# +# The purpose of this rules file is to enforce HTTP RFC requirements that state how +# the client is supposed to interact with the server. +# https://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html + + + +# +# -= Paranoia Level 0 (empty) =- (apply unconditionally) +# + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +# +# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# + +# +# Validate request line against the format specified in the HTTP RFC +# +# -=[ Rule Logic ]=- +# +# Uses rule negation against the regex for positive security. The regex specifies the proper +# construction of URI request lines such as: +# +# "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]] +# +# It also outlines proper construction for CONNECT, OPTIONS and GET requests. +# +# -=[ References ]=- +# https://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1 +# http://capec.mitre.org/data/definitions/272.html +# +SecRule REQUEST_LINE "!@rx ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \ + "id:920100,\ + phase:2,\ + block,\ + t:none,\ + msg:'Invalid HTTP Request Line',\ + logdata:'%{request_line}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\ + tag:'CAPEC-272',\ + ver:'OWASP_CRS/3.1.1',\ + severity:'WARNING',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.notice_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" + + +# +# Identify multipart/form-data name evasion attempts +# +# There are possible impedance mismatches between how +# ModSecurity interprets multipart file names and how +# a destination app server such as PHP might parse the +# Content-Disposition data: +# +# filename-parm := "filename" "=" value +# +# -=[ Rule Logic ]=- +# These rules check for the existence of the ' " ; = meta-characters in +# either the file or file name variables. +# HTML entities may lead to false positives, why they are allowed on PL1. +# Negative look behind assertions allow frequently used entities &_; +# +# -=[ Targets, characters and html entities ]=- +# +# 920120: PL1 : FILES_NAMES, FILES +# ['\";=] but allowed: +# &[aAoOuUyY]uml); &[aAeEiIoOuU]circ; &[eEiIoOuUyY]acute; +# &[aAeEiIoOuU]grave; &[cC]cedil; &[aAnNoO]tilde; & ' +# +# 920121: PL2 : FILES_NAMES, FILES +# ['\";=] : ' " ; = meta-characters +# +# -=[ References ]=- +# https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960000 +# http://www.ietf.org/rfc/rfc2183.txt +# +SecRule FILES_NAMES|FILES "@rx (? /range/) is not matching the restricted header +# /content-range/ for example. +# +# This is a chained rule, where the first rule fills a set of variables of the +# form TX.header_name_. The second rule is then executed for all +# variables of the form TX.header_name_. +# +# As a consequence of the construction of the rule, the alert message and the +# alert data will not display the original header name Content-Range, but +# /content-range/ instead. +# +# +# -=[ References ]=- +# https://access.redhat.com/security/vulnerabilities/httpoxy (Header Proxy) +# +SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \ + "id:920450,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',\ + logdata:' Restricted header detected: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS/POLICY/HEADER_RESTRICTED',\ + tag:'WASCTC/WASC-21',\ + tag:'OWASP_TOP_10/A7',\ + tag:'PCI/12.1',\ + tag:'WASCTC/WASC-15',\ + tag:'OWASP_TOP_10/A7',\ + tag:'PCI/12.1',\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.header_name_%{tx.0}=/%{tx.0}/',\ + chain" + SecRule TX:/^HEADER_NAME_/ "@within %{tx.restricted_headers}" \ + "setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/POLICY/HEADERS_RESTRICTED-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +# +# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# + +# +# -=[ Rule Logic ]=- +# +# Check the number of range fields in the Range request header. +# +# An excessive number of Range request headers can be used to DoS a server. +# The original CVE proposed an arbitrary upper limit of 5 range fields. +# +# Several clients are known to request PDF fields with up to 62 range +# fields. Therefore the standard rule does not cover PDF files. This is +# performed in two separate (stricter) siblings of this rule. +# +# 920200: PL2: Limit of 5 range header fields for all filenames outside of PDFs +# 920201: PL2: Limit of 62 range header fields for PDFs +# 920202: PL4: Limit of 5 range header fields for PDFs +# +# -=[ References ]=- +# https://httpd.apache.org/security/CVE-2011-3192.txt + + +SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?\-(?:\d+)?\s*,?\s*){6}" \ + "id:920200,\ + phase:2,\ + block,\ + t:none,\ + msg:'Range: Too many fields (6 or more)',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/3.1.1',\ + severity:'WARNING',\ + chain" + SecRule REQUEST_BASENAME "!@endsWith .pdf" \ + "setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" + +# +# This is a sibling of rule 920200 +# + +SecRule REQUEST_BASENAME "@endsWith .pdf" \ + "id:920201,\ + phase:2,\ + block,\ + t:none,\ + msg:'Range: Too many fields for pdf request (63 or more)',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/3.1.1',\ + severity:'WARNING',\ + chain" + SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?\-(?:\d+)?\s*,?\s*){63}" \ + "setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" + + +SecRule ARGS "@rx \%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \ + "id:920230,\ + phase:2,\ + block,\ + t:none,\ + msg:'Multiple URL Encoding Detected',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/3.1.1',\ + severity:'WARNING',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" + + +# +# Missing Accept Header +# +# -=[ Rule Logic ]=- +# This rule generates a notice if the Accept header is missing. +# +SecRule &REQUEST_HEADERS:Accept "@eq 0" \ + "id:920300,\ + phase:2,\ + pass,\ + t:none,\ + msg:'Request Missing an Accept Header',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT',\ + tag:'WASCTC/WASC-21',\ + tag:'OWASP_TOP_10/A7',\ + tag:'PCI/6.5.10',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/3.1.1',\ + severity:'NOTICE',\ + chain" + SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \ + "chain" + SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android" \ + "t:none,\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.notice_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" + +# +# PL2: This is a stricter sibling of 920270. +# +SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,32-126,128-255" \ + "id:920271,\ + phase:2,\ + block,\ + t:none,t:urlDecodeUni,\ + msg:'Invalid character in request (non printable characters)',\ + logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" + + + +# +# Missing User-Agent Header +# +# -=[ Rule Logic ]=- +# This rules will check to see if there is a User-Agent header or not. +# + +SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \ + "id:920320,\ + phase:2,\ + pass,\ + t:none,\ + msg:'Missing User Agent Header',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA',\ + tag:'WASCTC/WASC-21',\ + tag:'OWASP_TOP_10/A7',\ + tag:'PCI/6.5.10',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/3.1.1',\ + severity:'NOTICE',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.notice_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" + + +# +# PL2: This is a stricter sibling of 920120. +# +SecRule FILES_NAMES|FILES "@rx ['\";=]" \ + "id:920121,\ + phase:2,\ + block,\ + t:none,t:urlDecodeUni,\ + msg:'Attempted multipart/form-data bypass',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\ + tag:'CAPEC-272',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" + + +# +# PL2: Block on Missing Content-Type Header with Request Body +# This is a stricter sibling of rule 920340. +# +# -=[ References ]=- +# http://httpwg.org/specs/rfc7231.html#header.content-type + +SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \ + "id:920341,\ + phase:2,\ + block,\ + t:none,\ + msg:'Request Containing Content Requires Content-Type header',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/2',\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + chain" + SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \ + "t:none,\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +# +# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) +# + +# +# PL 3: This is a stricter sibling of 920270. Ascii range: Printable characters in the low range +# +SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 32-36,38-126" \ + "id:920272,\ + phase:2,\ + block,\ + t:none,t:urlDecodeUni,\ + msg:'Invalid character in request (outside of printable chars below ascii 127)',\ + logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\ + tag:'paranoia-level/3',\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" +# +# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# + +# +# This is a stricter sibling of rule 920200 +# + +SecRule REQUEST_BASENAME "@endsWith .pdf" \ + "id:920202,\ + phase:2,\ + block,\ + t:none,\ + msg:'Range: Too many fields for pdf request (6 or more)',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\ + tag:'paranoia-level/4',\ + ver:'OWASP_CRS/3.1.1',\ + severity:'WARNING',\ + chain" + SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?\-(?:\d+)?\s*,?\s*){6}" \ + "setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" + + +# +# This is a stricter sibling of 920270. +# +SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90,95,97-122" \ + "id:920273,\ + phase:2,\ + block,\ + t:none,t:urlDecodeUni,\ + msg:'Invalid character in request (outside of very strict set)',\ + logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\ + tag:'paranoia-level/4',\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" + +# +# This is a stricter sibling of 920270. +# +SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122" \ + "id:920274,\ + phase:2,\ + block,\ + t:none,t:urlDecodeUni,\ + msg:'Invalid character in request headers (outside of very strict set)',\ + logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\ + tag:'paranoia-level/4',\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" + + +# -=[ Abnormal Character Escapes ]=- +# +# [ Rule Logic ] +# Consider the following payload: arg=cat+/e\tc/pa\ssw\d +# Here, \s and \d were only used to obfuscate the string passwd and a lot of +# parsers will silently ignore the non-necessary escapes. The case with \t is +# a bit different though, as \t is a natural escape for the TAB character, +# so we will avoid this (and \n, \r, etc.). +# +# This rule aims to detect non-necessary, abnormal escapes. You could say it is +# a nice way to forbid the backslash character where it is not needed. +# +# This is a new rule at paranoia level 4. We expect quite a few false positives +# for this rule and we will later evaluate if the rule makes any sense at all. +# The rule is redundant with 920273 and 920274 in PL4. But if the rule proofs +# to be useful and false positives remain at a reasonable level, then it might +# be shifted to PL3 in a future release, where it would be the only rule +# covering the backslash escape. +# +# The rule construct is overly complex due to the fact that matching the +# backslash character with \b did not work. \Q\\\E does match the backslash +# character though. This is thus the base of the rule. We forbid the backslash +# when followed by a list of basic ascii characters - unless the backslash +# is preceded by another backslash character, which is being checked via a +# negative look-behind construct. If that is the case, the backslash character +# is allowed. +# +SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (? 1. +# +# One HPP attack vector is to try evade signature filters by distributing the +# attack payload across multiple parameters with the same name. +# This works as many security devices only apply signatures to individual +# parameter payloads, however the back-end web application may (in the case +# of ASP.NET) consolidate all of the payloads into one thus making the +# attack payload active. +# +# [ References ] +# http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html +# https://capec.mitre.org/data/definitions/460.html +# +SecRule ARGS_NAMES "@rx ." \ + "id:921170,\ + phase:2,\ + pass,\ + nolog,\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/3',\ + tag:'CAPEC-460',\ + ver:'OWASP_CRS/3.1.1',\ + setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'" + +SecRule TX:/paramcounter_.*/ "@gt 1" \ + "id:921180,\ + phase:2,\ + pass,\ + msg:'HTTP Parameter Pollution (%{TX.1})',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/3',\ + tag:'CAPEC-460',\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + chain" + SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \ + "capture,\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HTTP_PARAMETER_POLLUTION-%{MATCHED_VAR_NAME}=%{tx.0}'" + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK" +# +# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# + + + +# +# -= Paranoia Levels Finished =- +# +SecMarker "END-REQUEST-921-PROTOCOL-ATTACK" diff --git a/confs/owasp-crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf b/confs/owasp-crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf new file mode 100644 index 0000000..f88ec8f --- /dev/null +++ b/confs/owasp-crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf @@ -0,0 +1,159 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# +# -= Paranoia Level 0 (empty) =- (apply unconditionally) +# + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" +# +# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# + +# +# -=[ Directory Traversal Attacks ]=- +# +# Ref: https://github.com/wireghoul/dotdotpwn +# +# [ Encoded /../ Payloads ] +# +SecRule REQUEST_URI_RAW|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@rx (?i)(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))(?:%(?:(?:f(?:(?:c%80|8)%8)?0%8|e)0%80%ae|2(?:(?:5(?:c0%25a|2))?e|%45)|u(?:(?:002|ff0)e|2024)|%32(?:%(?:%6|4)5|E)|c0(?:%[256aef]e|\.))|\.(?:%0[01]|\?)?|\?\.?|0x2e){2}(?:\x5c|(?:%(?:c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|2(?:5(?:c(?:0%25af|1%259c)|2f|5c)|%46|f)|(?:(?:f(?:8%8)?0%8|e)0%80%a|bg%q)f|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|u(?:221[56]|002f|EFC8|F025)|1u|5c)|0x(?:2f|5c)|\/))" \ + "id:930100,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Path Traversal Attack (/../)',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-lfi',\ + tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" + +# +# [ Decoded /../ Payloads ] +# +SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@pm ..\ ../" \ + "id:930110,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\ + msg:'Path Traversal Attack (/../)',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-lfi',\ + tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + multiMatch,\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" + +# +# -=[ OS File Access ]=- +# +# Ref: https://github.com/lightos/Panoptic/blob/master/cases.xml +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf lfi-os-files.data" \ + "id:930120,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\ + msg:'OS File Access Attempt',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-lfi',\ + tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\ + tag:'WASCTC/WASC-33',\ + tag:'OWASP_TOP_10/A4',\ + tag:'PCI/6.5.4',\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'" + +# +# -=[ Restricted File Access ]=- +# +# Detects attempts to retrieve application source code, metadata, +# credentials and version control history possibly reachable in a web root. +# +SecRule REQUEST_FILENAME "@pmf restricted-files.data" \ + "id:930130,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + msg:'Restricted File Access Attempt',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-lfi',\ + tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\ + tag:'WASCTC/WASC-33',\ + tag:'OWASP_TOP_10/A4',\ + tag:'PCI/6.5.4',\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'" + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" +# +# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" +# +# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) +# + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI" +# +# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# + + + +# +# -= Paranoia Levels Finished =- +# +SecMarker "END-REQUEST-930-APPLICATION-ATTACK-LFI" diff --git a/confs/owasp-crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf b/confs/owasp-crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf new file mode 100644 index 0000000..4c898ef --- /dev/null +++ b/confs/owasp-crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf @@ -0,0 +1,153 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ +# +# RFI Attacks +# + +# +# -= Paranoia Level 0 (empty) =- (apply unconditionally) +# + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +# +# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# + +# -=[ Rule Logic ]=- +# These rules look for common types of Remote File Inclusion (RFI) attack methods. +# - URL Contains an IP Address +# - The PHP "include()" Function +# - RFI Data Ends with Question Mark(s) (?) +# - RFI Host Doesn't Match Local Host +# +# -=[ References ]=- +# http://projects.webappsec.org/Remote-File-Inclusion +# http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html +# +SecRule ARGS "@rx ^(?i:file|ftps?|https?):\/\/(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \ + "id:931100,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rfi',\ + tag:'OWASP_CRS/WEB_ATTACK/RFI',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{MATCHED_VAR_NAME}=%{tx.0}'" + +SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(?:file|ftps?|https?):\/\/" \ + "id:931110,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,\ + msg:'Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rfi',\ + tag:'OWASP_CRS/WEB_ATTACK/RFI',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{MATCHED_VAR_NAME}=%{tx.0}'" + +SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \ + "id:931120,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rfi',\ + tag:'OWASP_CRS/WEB_ATTACK/RFI',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{MATCHED_VAR_NAME}=%{tx.0}'" + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +# +# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# + +SecRule ARGS "@rx ^(?i:file|ftps?|https?)://(.*)$" \ + "id:931130,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rfi',\ + tag:'OWASP_CRS/WEB_ATTACK/RFI',\ + tag:'paranoia-level/2',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=%{tx.1}',\ + chain" + SecRule TX:/rfi_parameter_.*/ "!@beginsWith %{request_headers.host}" \ + "setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{MATCHED_VAR_NAME}=%{tx.1}'" + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +# +# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) +# + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +# +# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# + + + +# +# -= Paranoia Levels Finished =- +# +SecMarker "END-REQUEST-931-APPLICATION-ATTACK-RFI" diff --git a/confs/owasp-crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/confs/owasp-crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf new file mode 100644 index 0000000..e4a7e70 --- /dev/null +++ b/confs/owasp-crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf @@ -0,0 +1,703 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# +# -= Paranoia Level 0 (empty) =- (apply unconditionally) +# + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:932011,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +# +# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# + + +# [ Unix command injection ] +# +# This rule detects Unix command injections. +# A command injection takes a form such as: +# +# foo.jpg;uname -a +# foo.jpg||uname -a +# +# The vulnerability exists when an application executes a shell command +# without proper input escaping/validation. +# +# To prevent false positives, we look for a 'starting sequence' that +# precedes a command in shell syntax, such as: ; | & $( ` <( >( +# Anatomy of the regexp with examples of patterns caught: +# +# 1. Starting tokens +# +# ; ;ifconfig +# \{ {ifconfig} +# \| |ifconfig +# \|\| ||ifconfig +# & &ifconfig +# && &&ifconfig +# \n ;\nifconfig +# \r ;\rifconfig +# \$\( $(ifconfig) +# $\(\( $((ifconfig)) +# ` `ifconfig` +# \${ ${ifconfig} +# <\( <( ifconfig ) +# >\( >( ifconfig ) +# \(\s*\) a() ( ifconfig; ); a +# +# 2. Command prefixes +# +# { { ifconfig } +# \s*\(\s* ( ifconfig ) +# \w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+ VARNAME=xyz ifconfig +# !\s* ! ifconfig +# \$ $ifconfig +# +# 3. Quoting +# +# ' 'ifconfig' +# \" "ifconfig" +# +# 4. Paths +# +# [\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/ /sbin/ifconfig, /s?in/./ifconfig, /s[a-b]in/ifconfig etc. +# +# This rule is case-sensitive to prevent FP ("Cat" vs. "cat"). +# +# An effort was made to combat evasions by shell quoting (e.g. 'ls', +# 'l'"s", \l\s are all valid). ModSecurity has a t:cmdLine +# transformation built-in to deal with this, but unfortunately, it +# replaces ';' characters and lowercases the payload, which is less +# useful for this case. However, emulating the transformation makes +# the regexp more complex. +# +# To rebuild the word list regexp: +# cd util/regexp-assemble +# cat regexp-932100.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl +# +# Then insert the assembled regexp into this template: +# +# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]* +# [regexp assembled from util/regexp-assemble/regexp-932100.txt] +# \b" \ +# +# This is the base Rule to prevent Unix Command Injection +# Please refer other rules 932105,932106 to know more. +# +# .932100 +# ├── 932105 +# ├── 932106 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:l[\\\\'\"]*(?:w[\\\\'\"]*p[\\\\'\"]*-[\\\\'\"]*(?:d[\\\\'\"]*(?:o[\\\\'\"]*w[\\\\'\"]*n[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*a[\\\\'\"]*d|u[\\\\'\"]*m[\\\\'\"]*p)|r[\\\\'\"]*e[\\\\'\"]*q[\\\\'\"]*u[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*t|m[\\\\'\"]*i[\\\\'\"]*r[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*r)|s(?:[\\\\'\"]*(?:b[\\\\'\"]*_[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*l[\\\\'\"]*e[\\\\'\"]*a[\\\\'\"]*s[\\\\'\"]*e|c[\\\\'\"]*p[\\\\'\"]*u|m[\\\\'\"]*o[\\\\'\"]*d|p[\\\\'\"]*c[\\\\'\"]*i|u[\\\\'\"]*s[\\\\'\"]*b|-[\\\\'\"]*F|h[\\\\'\"]*w|o[\\\\'\"]*f))?|z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|m[\\\\'\"]*(?:o[\\\\'\"]*r[\\\\'\"]*e|a)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s)|e[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*(?:(?:f[\\\\'\"]*i[\\\\'\"]*l|p[\\\\'\"]*i[\\\\'\"]*p)[\\\\'\"]*e|e[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*o|(?:\s|<|>).*)|a[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*(?:l[\\\\'\"]*o[\\\\'\"]*g(?:[\\\\'\"]*i[\\\\'\"]*n)?|c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*m|(?:\s|<|>).*)|o[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*(?:t[\\\\'\"]*e|l)[\\\\'\"]*(?:\s|<|>).*|g[\\\\'\"]*n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e)|d[\\\\'\"]*(?:c[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*f[\\\\'\"]*i[\\\\'\"]*g|d[\\\\'\"]*(?:\s|<|>).*)|f[\\\\'\"]*t[\\\\'\"]*p(?:[\\\\'\"]*g[\\\\'\"]*e[\\\\'\"]*t)?|(?:[np]|y[\\\\'\"]*n[\\\\'\"]*x)[\\\\'\"]*(?:\s|<|>).*)|b[\\\\'\"]*(?:z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*p[\\\\'\"]*2)|s[\\\\'\"]*d[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*f[\\\\'\"]*f|t[\\\\'\"]*a[\\\\'\"]*r)|a[\\\\'\"]*(?:t[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|s[\\\\'\"]*h)|r[\\\\'\"]*e[\\\\'\"]*a[\\\\'\"]*k[\\\\'\"]*s[\\\\'\"]*w|u[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*n)|c[\\\\'\"]*(?:o[\\\\'\"]*(?:m[\\\\'\"]*(?:p[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*d)[\\\\'\"]*(?:\s|<|>).*|p[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*c)|h[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*r[\\\\'\"]*(?:\s|<|>).*|f[\\\\'\"]*l[\\\\'\"]*a[\\\\'\"]*g[\\\\'\"]*s|a[\\\\'\"]*t[\\\\'\"]*t[\\\\'\"]*r|m[\\\\'\"]*o[\\\\'\"]*d)|r[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*b|(?:[cp]|a[\\\\'\"]*t)[\\\\'\"]*(?:\s|<|>).*|u[\\\\'\"]*r[\\\\'\"]*l|s[\\\\'\"]*h)|f[\\\\'\"]*(?:i(?:[\\\\'\"]*(?:l[\\\\'\"]*e[\\\\'\"]*(?:t[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*t|(?:\s|<|>).*)|n[\\\\'\"]*d[\\\\'\"]*(?:\s|<|>).*))?|t[\\\\'\"]*p[\\\\'\"]*(?:s[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*s|w[\\\\'\"]*h[\\\\'\"]*o|(?:\s|<|>).*)|u[\\\\'\"]*n[\\\\'\"]*c[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*o[\\\\'\"]*n|(?:e[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*h|c)[\\\\'\"]*(?:\s|<|>).*|o[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*h|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p)|e[\\\\'\"]*(?:n[\\\\'\"]*(?:v(?:[\\\\'\"]*-[\\\\'\"]*u[\\\\'\"]*p[\\\\'\"]*d[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*e)?|d[\\\\'\"]*(?:i[\\\\'\"]*f|s[\\\\'\"]*w))|x[\\\\'\"]*(?:p[\\\\'\"]*(?:a[\\\\'\"]*n[\\\\'\"]*d|o[\\\\'\"]*r[\\\\'\"]*t|r)|e[\\\\'\"]*c[\\\\'\"]*(?:\s|<|>).*)|c[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*(?:\s|<|>).*|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|s[\\\\'\"]*a[\\\\'\"]*c|v[\\\\'\"]*a[\\\\'\"]*l)|h[\\\\'\"]*(?:t[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*g[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*t|p[\\\\'\"]*a[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*w[\\\\'\"]*d)|o[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*(?:n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e|i[\\\\'\"]*d)|(?:e[\\\\'\"]*a[\\\\'\"]*d|u[\\\\'\"]*p)[\\\\'\"]*(?:\s|<|>).*|i[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*y)|i[\\\\'\"]*(?:p[\\\\'\"]*(?:(?:6[\\\\'\"]*)?t[\\\\'\"]*a[\\\\'\"]*b[\\\\'\"]*l[\\\\'\"]*e[\\\\'\"]*s|c[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*f[\\\\'\"]*i[\\\\'\"]*g)|r[\\\\'\"]*b(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|f[\\\\'\"]*c[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*f[\\\\'\"]*i[\\\\'\"]*g|d[\\\\'\"]*(?:\s|<|>).*)|g[\\\\'\"]*(?:(?:e[\\\\'\"]*t[\\\\'\"]*f[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*l|r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*c|i[\\\\'\"]*t)[\\\\'\"]*(?:\s|<|>).*|z[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*p)|u[\\\\'\"]*n[\\\\'\"]*z[\\\\'\"]*i[\\\\'\"]*p|d[\\\\'\"]*b)|a[\\\\'\"]*(?:(?:l[\\\\'\"]*i[\\\\'\"]*a[\\\\'\"]*s|w[\\\\'\"]*k)[\\\\'\"]*(?:\s|<|>).*|d[\\\\'\"]*d[\\\\'\"]*u[\\\\'\"]*s[\\\\'\"]*e[\\\\'\"]*r|p[\\\\'\"]*t[\\\\'\"]*-[\\\\'\"]*g[\\\\'\"]*e[\\\\'\"]*t|r[\\\\'\"]*(?:c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|p))|d[\\\\'\"]*(?:h[\\\\'\"]*c[\\\\'\"]*l[\\\\'\"]*i[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*t|(?:i[\\\\'\"]*f[\\\\'\"]*f|u)[\\\\'\"]*(?:\s|<|>).*|(?:m[\\\\'\"]*e[\\\\'\"]*s|p[\\\\'\"]*k)[\\\\'\"]*g|o[\\\\'\"]*(?:a[\\\\'\"]*s|n[\\\\'\"]*e)|a[\\\\'\"]*s[\\\\'\"]*h)|m[\\\\'\"]*(?:(?:k[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*r|o[\\\\'\"]*r[\\\\'\"]*e)[\\\\'\"]*(?:\s|<|>).*|a[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*(?:x[\\\\'\"]*(?:\s|<|>).*|q)|l[\\\\'\"]*o[\\\\'\"]*c[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*e)|j[\\\\'\"]*(?:(?:a[\\\\'\"]*v[\\\\'\"]*a|o[\\\\'\"]*b[\\\\'\"]*s)[\\\\'\"]*(?:\s|<|>).*|e[\\\\'\"]*x[\\\\'\"]*e[\\\\'\"]*c)|k[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*l[\\\\'\"]*(?:a[\\\\'\"]*l[\\\\'\"]*l|(?:\s|<|>).*)|(?:G[\\\\'\"]*E[\\\\'\"]*T[\\\\'\"]*(?:\s|<|>)|\.\s).*|7[\\\\'\"]*z(?:[\\\\'\"]*[ar])?)\b" \ + "id:932100,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix Command Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ + tag:'WASCTC/WASC-31',\ + tag:'OWASP_TOP_10/A1',\ + tag:'PCI/6.5.2',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'" + +# Apache 2.2 requires configuration file lines to be under 8kB. +# Therefore, some remaining commands have been split off to a separate rule. +# For explanation of this rule, see rule 932100. +# +# To rebuild the word list regexp: +# cd util/regexp-assemble +# cat regexp-932105.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl +# +# Then insert the assembled regexp into this template: +# +# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]* +# [regexp assembled from util/regexp-assemble/regexp-932105.txt] +# \b" \ +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:s[\\\\'\"]*(?:e[\\\\'\"]*(?:t[\\\\'\"]*(?:(?:f[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*l[\\\\'\"]*)?(?:\s|<|>).*|e[\\\\'\"]*n[\\\\'\"]*v|s[\\\\'\"]*i[\\\\'\"]*d)|n[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*i[\\\\'\"]*l|d[\\\\'\"]*(?:\s|<|>).*)|h[\\\\'\"]*(?:\.[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*b|u[\\\\'\"]*t[\\\\'\"]*d[\\\\'\"]*o[\\\\'\"]*w[\\\\'\"]*n|(?:\s|<|>).*)|o[\\\\'\"]*(?:(?:u[\\\\'\"]*r[\\\\'\"]*c[\\\\'\"]*e|r[\\\\'\"]*t)[\\\\'\"]*(?:\s|<|>).*|c[\\\\'\"]*a[\\\\'\"]*t)|c[\\\\'\"]*(?:h[\\\\'\"]*e[\\\\'\"]*d|p[\\\\'\"]*(?:\s|<|>).*)|t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g[\\\\'\"]*s|(?:l[\\\\'\"]*e[\\\\'\"]*e|f[\\\\'\"]*t)[\\\\'\"]*p|y[\\\\'\"]*s[\\\\'\"]*c[\\\\'\"]*t[\\\\'\"]*l|u[\\\\'\"]*(?:(?:\s|<|>).*|d[\\\\'\"]*o)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|s[\\\\'\"]*h|v[\\\\'\"]*n)|p[\\\\'\"]*(?:k[\\\\'\"]*(?:g(?:(?:[\\\\'\"]*_)?[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*f[\\\\'\"]*o)?|e[\\\\'\"]*x[\\\\'\"]*e[\\\\'\"]*c|i[\\\\'\"]*l[\\\\'\"]*l)|t[\\\\'\"]*a[\\\\'\"]*r(?:[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p))?|a[\\\\'\"]*(?:t[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|s[\\\\'\"]*s[\\\\'\"]*w[\\\\'\"]*d)|r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*(?:e[\\\\'\"]*n[\\\\'\"]*v|f[\\\\'\"]*(?:\s|<|>).*)|y[\\\\'\"]*t[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*n(?:[\\\\'\"]*(?:3(?:[\\\\'\"]*m)?|2))?|e[\\\\'\"]*r[\\\\'\"]*(?:l(?:[\\\\'\"]*(?:s[\\\\'\"]*h|5))?|m[\\\\'\"]*s)|(?:g[\\\\'\"]*r[\\\\'\"]*e|f[\\\\'\"]*t)[\\\\'\"]*p|(?:u[\\\\'\"]*s[\\\\'\"]*h|o[\\\\'\"]*p)[\\\\'\"]*d|h[\\\\'\"]*p(?:[\\\\'\"]*[57])?|i[\\\\'\"]*n[\\\\'\"]*g|s[\\\\'\"]*(?:\s|<|>).*)|n[\\\\'\"]*(?:c[\\\\'\"]*(?:\.[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*a[\\\\'\"]*l|o[\\\\'\"]*p[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*b[\\\\'\"]*s[\\\\'\"]*d)|(?:\s|<|>).*|a[\\\\'\"]*t)|e[\\\\'\"]*t[\\\\'\"]*(?:k[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*-[\\\\'\"]*f[\\\\'\"]*t[\\\\'\"]*p|(?:s[\\\\'\"]*t|c)[\\\\'\"]*a[\\\\'\"]*t|(?:\s|<|>).*)|s[\\\\'\"]*(?:l[\\\\'\"]*o[\\\\'\"]*o[\\\\'\"]*k[\\\\'\"]*u[\\\\'\"]*p|t[\\\\'\"]*a[\\\\'\"]*t)|(?:a[\\\\'\"]*n[\\\\'\"]*o|i[\\\\'\"]*c[\\\\'\"]*e)[\\\\'\"]*(?:\s|<|>).*|(?:o[\\\\'\"]*h[\\\\'\"]*u|m[\\\\'\"]*a)[\\\\'\"]*p|p[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g)|r[\\\\'\"]*(?:e[\\\\'\"]*(?:(?:p[\\\\'\"]*(?:l[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e|e[\\\\'\"]*a[\\\\'\"]*t)|n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e)[\\\\'\"]*(?:\s|<|>).*|a[\\\\'\"]*l[\\\\'\"]*p[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*h)|m[\\\\'\"]*(?:(?:d[\\\\'\"]*i[\\\\'\"]*r[\\\\'\"]*)?(?:\s|<|>).*|u[\\\\'\"]*s[\\\\'\"]*e[\\\\'\"]*r)|u[\\\\'\"]*b[\\\\'\"]*y(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|(?:a[\\\\'\"]*r|c[\\\\'\"]*p|p[\\\\'\"]*m)[\\\\'\"]*(?:\s|<|>).*|n[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*o|o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e|s[\\\\'\"]*y[\\\\'\"]*n[\\\\'\"]*c)|t[\\\\'\"]*(?:c[\\\\'\"]*(?:p[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e|i[\\\\'\"]*n[\\\\'\"]*g)|s[\\\\'\"]*h)|r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e(?:[\\\\'\"]*6)?|e[\\\\'\"]*(?:l[\\\\'\"]*n[\\\\'\"]*e[\\\\'\"]*t|e[\\\\'\"]*(?:\s|<|>).*)|i[\\\\'\"]*m[\\\\'\"]*e[\\\\'\"]*(?:o[\\\\'\"]*u[\\\\'\"]*t|(?:\s|<|>).*)|a[\\\\'\"]*(?:i[\\\\'\"]*l(?:[\\\\'\"]*f)?|r[\\\\'\"]*(?:\s|<|>).*)|o[\\\\'\"]*(?:u[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*(?:\s|<|>).*|p))|u[\\\\'\"]*(?:n[\\\\'\"]*(?:l[\\\\'\"]*(?:i[\\\\'\"]*n[\\\\'\"]*k[\\\\'\"]*(?:\s|<|>).*|z[\\\\'\"]*m[\\\\'\"]*a)|c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*p[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|a[\\\\'\"]*m[\\\\'\"]*e|r[\\\\'\"]*a[\\\\'\"]*r|s[\\\\'\"]*e[\\\\'\"]*t|z[\\\\'\"]*i[\\\\'\"]*p|x[\\\\'\"]*z)|s[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*(?:(?:a[\\\\'\"]*d|m[\\\\'\"]*o)[\\\\'\"]*d|d[\\\\'\"]*e[\\\\'\"]*l)|l[\\\\'\"]*i[\\\\'\"]*m[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*(?:\s|<|>).*)|m[\\\\'\"]*(?:y[\\\\'\"]*s[\\\\'\"]*q[\\\\'\"]*l(?:[\\\\'\"]*(?:d[\\\\'\"]*u[\\\\'\"]*m[\\\\'\"]*p(?:[\\\\'\"]*s[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*w)?|h[\\\\'\"]*o[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*o[\\\\'\"]*p[\\\\'\"]*y|a[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*i[\\\\'\"]*n|s[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*w))?|(?:(?:o[\\\\'\"]*u[\\\\'\"]*n|u[\\\\'\"]*t)[\\\\'\"]*t|v)[\\\\'\"]*(?:\s|<|>).*)|x[\\\\'\"]*(?:z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*(?:i[\\\\'\"]*f[\\\\'\"]*f|e[\\\\'\"]*c)|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|(?:\s|<|>).*)|a[\\\\'\"]*r[\\\\'\"]*g[\\\\'\"]*s|t[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*m|x[\\\\'\"]*d[\\\\'\"]*(?:\s|<|>).*)|z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|i[\\\\'\"]*p[\\\\'\"]*(?:\s|<|>).*|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|r[\\\\'\"]*u[\\\\'\"]*n|s[\\\\'\"]*h)|o[\\\\'\"]*(?:p[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*l|n[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*r)|w[\\\\'\"]*(?:h[\\\\'\"]*o[\\\\'\"]*(?:a[\\\\'\"]*m[\\\\'\"]*i|(?:\s|<|>).*)|g[\\\\'\"]*e[\\\\'\"]*t|3[\\\\'\"]*m)|v[\\\\'\"]*i[\\\\'\"]*(?:m[\\\\'\"]*(?:\s|<|>).*|g[\\\\'\"]*r|p[\\\\'\"]*w)|y[\\\\'\"]*u[\\\\'\"]*m)\b" \ + "id:932105,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix Command Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ + tag:'WASCTC/WASC-31',\ + tag:'OWASP_TOP_10/A1',\ + tag:'PCI/6.5.2',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# [ Windows command injection ] +# +# This rule detects Windows shell command injections. +# If you are not running Windows, it is safe to disable this rule. +# +# A command injection takes a form such as: +# +# foo.jpg&ver /r +# foo.jpg|ver /r +# +# The vulnerability exists when an application executes a shell command +# without proper input escaping/validation. +# +# To prevent false positives, we look for a 'starting sequence' that +# precedes a command in CMD syntax, such as: ; | & ` +# +# Anatomy of the regexp: +# +# 1. Starting tokens +# +# ; ;cmd +# \{ {cmd +# \| |cmd +# \|\| ||cmd +# & &cmd +# && &&cmd +# \n \ncmd +# \r \rcmd +# ` `cmd +# +# 2. Command prefixes +# +# ( (cmd) +# , ,cmd +# @ @cmd +# ' 'cmd' +# " "cmd" +# \s spacing+cmd +# +# 3. Paths +# +# [\w'\"\./]+/ /path/cmd +# [\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\ C:\Program Files\cmd +# [\^\.\w '\"/\\\\]*\\\\)?[\"\^]* \\net\share\dir\cmd +# +# 4. Quoting +# +# \" "cmd" +# \^ ^cmd +# +# 5. Extension/switches +# +# \.[\"\^]*\w+ cmd.com, cmd.exe, etc. +# /b cmd/h +# +# An effort is made to combat evasions by CMD syntax; for example, +# the following strings are valid: c^md, @cmd, "c"md. ModSecurity +# has a t:cmdLine transformation built-in to deal with some of these, +# but unfortunately, that transformation replaces ';' characters (so +# we cannot match on the start of a command) and '\' characters (so we +# have trouble matching paths). This makes the regexp more complex. +# +# This rule is case-insensitive. +# +# To rebuild the word list regexp: +# cd util/regexp-assemble +# cat regexp-932110.txt | ./regexp-cmdline.py windows | ./regexp-assemble.pl +# +# Then insert the assembled regexp into this template: +# +# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]* +# [regexp assembled from util/regexp-assemble/regexp-932110.txt] +# (?:\.[\"\^]*\w+)?\b" \ +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]*(?:m[\"\^]*(?:y[\"\^]*s[\"\^]*q[\"\^]*l(?:[\"\^]*(?:d[\"\^]*u[\"\^]*m[\"\^]*p(?:[\"\^]*s[\"\^]*l[\"\^]*o[\"\^]*w)?|h[\"\^]*o[\"\^]*t[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y|a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|s[\"\^]*h[\"\^]*o[\"\^]*w))?|s[\"\^]*(?:i[\"\^]*(?:n[\"\^]*f[\"\^]*o[\"\^]*3[\"\^]*2|e[\"\^]*x[\"\^]*e[\"\^]*c)|c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|g[\"\^]*(?:[\s,;]|\.|/|<|>).*|t[\"\^]*s[\"\^]*c)|o[\"\^]*(?:u[\"\^]*n[\"\^]*t[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|v[\"\^]*o[\"\^]*l)|v[\"\^]*e[\"\^]*u[\"\^]*s[\"\^]*e[\"\^]*r|[dr][\"\^]*e[\"\^]*(?:[\s,;]|\.|/|<|>).*)|k[\"\^]*(?:d[\"\^]*i[\"\^]*r[\"\^]*(?:[\s,;]|\.|/|<|>).*|l[\"\^]*i[\"\^]*n[\"\^]*k)|d[\"\^]*(?:s[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*d|(?:[\s,;]|\.|/|<|>).*)|a[\"\^]*p[\"\^]*i[\"\^]*s[\"\^]*e[\"\^]*n[\"\^]*d|b[\"\^]*s[\"\^]*a[\"\^]*c[\"\^]*l[\"\^]*i|e[\"\^]*a[\"\^]*s[\"\^]*u[\"\^]*r[\"\^]*e|m[\"\^]*s[\"\^]*y[\"\^]*s)|d[\"\^]*(?:i[\"\^]*(?:s[\"\^]*k[\"\^]*(?:(?:m[\"\^]*g[\"\^]*m|p[\"\^]*a[\"\^]*r)[\"\^]*t|s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|r[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|u[\"\^]*s[\"\^]*e)|f[\"\^]*f[\"\^]*(?:[\s,;]|\.|/|<|>).*)|e[\"\^]*(?:l[\"\^]*(?:p[\"\^]*r[\"\^]*o[\"\^]*f|t[\"\^]*r[\"\^]*e[\"\^]*e|(?:[\s,;]|\.|/|<|>).*)|v[\"\^]*(?:m[\"\^]*g[\"\^]*m[\"\^]*t|c[\"\^]*o[\"\^]*n)|(?:f[\"\^]*r[\"\^]*a|b[\"\^]*u)[\"\^]*g)|s[\"\^]*(?:a[\"\^]*(?:c[\"\^]*l[\"\^]*s|d[\"\^]*d)|q[\"\^]*u[\"\^]*e[\"\^]*r[\"\^]*y|m[\"\^]*o[\"\^]*(?:v[\"\^]*e|d)|g[\"\^]*e[\"\^]*t|r[\"\^]*m)|(?:r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*r|o[\"\^]*s[\"\^]*k[\"\^]*e)[\"\^]*y|(?:c[\"\^]*o[\"\^]*m[\"\^]*c[\"\^]*n[\"\^]*f|x[\"\^]*d[\"\^]*i[\"\^]*a)[\"\^]*g|a[\"\^]*t[\"\^]*e[\"\^]*(?:[\s,;]|\.|/|<|>).*|n[\"\^]*s[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t)|c[\"\^]*(?:o[\"\^]*(?:m[\"\^]*(?:p[\"\^]*(?:(?:a[\"\^]*c[\"\^]*t[\"\^]*)?(?:[\s,;]|\.|/|<|>).*|m[\"\^]*g[\"\^]*m[\"\^]*t)|e[\"\^]*x[\"\^]*p)|n[\"\^]*(?:2[\"\^]*p|v[\"\^]*e)[\"\^]*r[\"\^]*t|p[\"\^]*y)|l[\"\^]*(?:e[\"\^]*a[\"\^]*(?:n[\"\^]*m[\"\^]*g[\"\^]*r|r[\"\^]*m[\"\^]*e[\"\^]*m)|u[\"\^]*s[\"\^]*t[\"\^]*e[\"\^]*r)|h[\"\^]*(?:k[\"\^]*(?:n[\"\^]*t[\"\^]*f[\"\^]*s|d[\"\^]*s[\"\^]*k)|d[\"\^]*i[\"\^]*r[\"\^]*(?:[\s,;]|\.|/|<|>).*)|s[\"\^]*(?:c[\"\^]*(?:r[\"\^]*i[\"\^]*p[\"\^]*t|c[\"\^]*m[\"\^]*d)|v[\"\^]*d[\"\^]*e)|e[\"\^]*r[\"\^]*t[\"\^]*(?:u[\"\^]*t[\"\^]*i[\"\^]*l|r[\"\^]*e[\"\^]*q)|a[\"\^]*(?:l[\"\^]*l[\"\^]*(?:[\s,;]|\.|/|<|>).*|c[\"\^]*l[\"\^]*s)|m[\"\^]*d(?:[\"\^]*k[\"\^]*e[\"\^]*y)?|i[\"\^]*p[\"\^]*h[\"\^]*e[\"\^]*r|u[\"\^]*r[\"\^]*l)|f[\"\^]*(?:o[\"\^]*r[\"\^]*(?:m[\"\^]*a[\"\^]*t[\"\^]*(?:[\s,;]|\.|/|<|>).*|f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s|e[\"\^]*a[\"\^]*c[\"\^]*h)|i[\"\^]*n[\"\^]*d[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|s[\"\^]*t[\"\^]*r)|s[\"\^]*(?:m[\"\^]*g[\"\^]*m[\"\^]*t|u[\"\^]*t[\"\^]*i[\"\^]*l)|t[\"\^]*(?:p[\"\^]*(?:[\s,;]|\.|/|<|>).*|y[\"\^]*p[\"\^]*e)|r[\"\^]*e[\"\^]*e[\"\^]*d[\"\^]*i[\"\^]*s[\"\^]*k|c[\"\^]*(?:[\s,;]|\.|/|<|>).*|g[\"\^]*r[\"\^]*e[\"\^]*p)|n[\"\^]*(?:e[\"\^]*t[\"\^]*(?:s[\"\^]*(?:t[\"\^]*a[\"\^]*t|v[\"\^]*c|h)|(?:[\s,;]|\.|/|<|>).*|c[\"\^]*a[\"\^]*t|d[\"\^]*o[\"\^]*m)|t[\"\^]*(?:b[\"\^]*a[\"\^]*c[\"\^]*k[\"\^]*u[\"\^]*p|r[\"\^]*i[\"\^]*g[\"\^]*h[\"\^]*t[\"\^]*s)|(?:s[\"\^]*l[\"\^]*o[\"\^]*o[\"\^]*k[\"\^]*u|m[\"\^]*a)[\"\^]*p|c[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|a[\"\^]*t)|b[\"\^]*t[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t)|e[\"\^]*(?:x[\"\^]*p[\"\^]*(?:a[\"\^]*n[\"\^]*d[\"\^]*(?:[\s,;]|\.|/|<|>).*|l[\"\^]*o[\"\^]*r[\"\^]*e[\"\^]*r)|v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*(?:c[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e|v[\"\^]*w[\"\^]*r)|n[\"\^]*d[\"\^]*l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l|g[\"\^]*r[\"\^]*e[\"\^]*p|r[\"\^]*a[\"\^]*s[\"\^]*e|c[\"\^]*h[\"\^]*o)|g[\"\^]*(?:a[\"\^]*t[\"\^]*h[\"\^]*e[\"\^]*r[\"\^]*n[\"\^]*e[\"\^]*t[\"\^]*w[\"\^]*o[\"\^]*r[\"\^]*k[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o|p[\"\^]*(?:(?:r[\"\^]*e[\"\^]*s[\"\^]*u[\"\^]*l|e[\"\^]*d[\"\^]*i)[\"\^]*t|u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e)|i[\"\^]*t[\"\^]*(?:[\s,;]|\.|/|<|>).*|e[\"\^]*t[\"\^]*m[\"\^]*a[\"\^]*c)|i[\"\^]*(?:r[\"\^]*b(?:[\"\^]*(?:1(?:[\"\^]*[89])?|2[\"\^]*[012]))?|f[\"\^]*m[\"\^]*e[\"\^]*m[\"\^]*b[\"\^]*e[\"\^]*r|p[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|n[\"\^]*e[\"\^]*t[\"\^]*c[\"\^]*p[\"\^]*l|c[\"\^]*a[\"\^]*c[\"\^]*l[\"\^]*s)|a[\"\^]*(?:d[\"\^]*(?:d[\"\^]*u[\"\^]*s[\"\^]*e[\"\^]*r[\"\^]*s|m[\"\^]*o[\"\^]*d[\"\^]*c[\"\^]*m[\"\^]*d)|r[\"\^]*p[\"\^]*(?:[\s,;]|\.|/|<|>).*|t[\"\^]*t[\"\^]*r[\"\^]*i[\"\^]*b|s[\"\^]*s[\"\^]*o[\"\^]*c|z[\"\^]*m[\"\^]*a[\"\^]*n)|l[\"\^]*(?:o[\"\^]*g[\"\^]*(?:e[\"\^]*v[\"\^]*e[\"\^]*n[\"\^]*t|t[\"\^]*i[\"\^]*m[\"\^]*e|m[\"\^]*a[\"\^]*n|o[\"\^]*f[\"\^]*f)|a[\"\^]*b[\"\^]*e[\"\^]*l[\"\^]*(?:[\s,;]|\.|/|<|>).*|u[\"\^]*s[\"\^]*r[\"\^]*m[\"\^]*g[\"\^]*r)|b[\"\^]*(?:(?:c[\"\^]*d[\"\^]*(?:b[\"\^]*o[\"\^]*o|e[\"\^]*d[\"\^]*i)|r[\"\^]*o[\"\^]*w[\"\^]*s[\"\^]*t[\"\^]*a)[\"\^]*t|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|o[\"\^]*o[\"\^]*t[\"\^]*c[\"\^]*f[\"\^]*g)|h[\"\^]*(?:o[\"\^]*s[\"\^]*t[\"\^]*n[\"\^]*a[\"\^]*m[\"\^]*e|d[\"\^]*w[\"\^]*w[\"\^]*i[\"\^]*z)|j[\"\^]*a[\"\^]*v[\"\^]*a[\"\^]*(?:[\s,;]|\.|/|<|>).*|7[\"\^]*z(?:[\"\^]*[ar])?)(?:\.[\"\^]*\w+)?\b" \ + "id:932110,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Windows Command Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-windows',\ + tag:'attack-rce',\ + tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ + tag:'WASCTC/WASC-31',\ + tag:'OWASP_TOP_10/A1',\ + tag:'PCI/6.5.2',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'" + +# Apache 2.2 requires configuration file lines to be under 8kB. +# Therefore, some remaining commands have been split off to a separate rule. +# For explanation of this rule, see rule 932110. +# +# To rebuild the word list regexp: +# cd util/regexp-assemble +# cat regexp-932115.txt | ./regexp-cmdline.py windows | ./regexp-assemble.pl +# +# Then insert the assembled regexp into this template: +# +# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]* +# [regexp assembled from util/regexp-assemble/regexp-932110.txt] +# (?:\.[\"\^]*\w+)?\b" \ +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:;|\{|\||\|\||&|&&|\n|\r|`)\s*[\(,@\'\"\s]*(?:[\w'\"\./]+/|[\\\\'\"\^]*\w[\\\\'\"\^]*:.*\\\\|[\^\.\w '\"/\\\\]*\\\\)?[\"\^]*(?:s[\"\^]*(?:y[\"\^]*s[\"\^]*(?:t[\"\^]*e[\"\^]*m[\"\^]*(?:p[\"\^]*r[\"\^]*o[\"\^]*p[\"\^]*e[\"\^]*r[\"\^]*t[\"\^]*i[\"\^]*e[\"\^]*s[\"\^]*(?:d[\"\^]*a[\"\^]*t[\"\^]*a[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*p[\"\^]*r[\"\^]*e[\"\^]*v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n|(?:p[\"\^]*e[\"\^]*r[\"\^]*f[\"\^]*o[\"\^]*r[\"\^]*m[\"\^]*a[\"\^]*n[\"\^]*c|h[\"\^]*a[\"\^]*r[\"\^]*d[\"\^]*w[\"\^]*a[\"\^]*r)[\"\^]*e|a[\"\^]*d[\"\^]*v[\"\^]*a[\"\^]*n[\"\^]*c[\"\^]*e[\"\^]*d)|i[\"\^]*n[\"\^]*f[\"\^]*o)|k[\"\^]*e[\"\^]*y|d[\"\^]*m)|h[\"\^]*(?:o[\"\^]*(?:w[\"\^]*(?:g[\"\^]*r[\"\^]*p|m[\"\^]*b[\"\^]*r)[\"\^]*s|r[\"\^]*t[\"\^]*c[\"\^]*u[\"\^]*t)|e[\"\^]*l[\"\^]*l[\"\^]*r[\"\^]*u[\"\^]*n[\"\^]*a[\"\^]*s|u[\"\^]*t[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n|r[\"\^]*p[\"\^]*u[\"\^]*b[\"\^]*w|a[\"\^]*r[\"\^]*e|i[\"\^]*f[\"\^]*t)|e[\"\^]*(?:t[\"\^]*(?:(?:x[\"\^]*)?(?:[\s,;]|\.|/|<|>).*|l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l)|c[\"\^]*p[\"\^]*o[\"\^]*l|l[\"\^]*e[\"\^]*c[\"\^]*t)|c[\"\^]*(?:h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|l[\"\^]*i[\"\^]*s[\"\^]*t)|u[\"\^]*b[\"\^]*(?:i[\"\^]*n[\"\^]*a[\"\^]*c[\"\^]*l|s[\"\^]*t)|t[\"\^]*a[\"\^]*r[\"\^]*t[\"\^]*(?:[\s,;]|\.|/|<|>).*|i[\"\^]*g[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f|l[\"\^]*(?:e[\"\^]*e[\"\^]*p|m[\"\^]*g[\"\^]*r)|o[\"\^]*r[\"\^]*t|f[\"\^]*c|v[\"\^]*n)|p[\"\^]*(?:s[\"\^]*(?:s[\"\^]*(?:h[\"\^]*u[\"\^]*t[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n|e[\"\^]*r[\"\^]*v[\"\^]*i[\"\^]*c[\"\^]*e|u[\"\^]*s[\"\^]*p[\"\^]*e[\"\^]*n[\"\^]*d)|l[\"\^]*(?:o[\"\^]*g[\"\^]*(?:g[\"\^]*e[\"\^]*d[\"\^]*o[\"\^]*n|l[\"\^]*i[\"\^]*s[\"\^]*t)|i[\"\^]*s[\"\^]*t)|p[\"\^]*(?:a[\"\^]*s[\"\^]*s[\"\^]*w[\"\^]*d|i[\"\^]*n[\"\^]*g)|g[\"\^]*e[\"\^]*t[\"\^]*s[\"\^]*i[\"\^]*d|e[\"\^]*x[\"\^]*e[\"\^]*c|f[\"\^]*i[\"\^]*l[\"\^]*e|i[\"\^]*n[\"\^]*f[\"\^]*o|k[\"\^]*i[\"\^]*l[\"\^]*l)|o[\"\^]*(?:w[\"\^]*e[\"\^]*r[\"\^]*(?:s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l(?:[\"\^]*_[\"\^]*i[\"\^]*s[\"\^]*e)?|c[\"\^]*f[\"\^]*g)|r[\"\^]*t[\"\^]*q[\"\^]*r[\"\^]*y|p[\"\^]*d)|r[\"\^]*(?:i[\"\^]*n[\"\^]*t[\"\^]*(?:(?:[\s,;]|\.|/|<|>).*|b[\"\^]*r[\"\^]*m)|n[\"\^]*(?:c[\"\^]*n[\"\^]*f[\"\^]*g|m[\"\^]*n[\"\^]*g[\"\^]*r)|o[\"\^]*m[\"\^]*p[\"\^]*t)|a[\"\^]*t[\"\^]*h[\"\^]*(?:p[\"\^]*i[\"\^]*n[\"\^]*g|(?:[\s,;]|\.|/|<|>).*)|e[\"\^]*r[\"\^]*(?:l(?:[\"\^]*(?:s[\"\^]*h|5))?|f[\"\^]*m[\"\^]*o[\"\^]*n)|y[\"\^]*t[\"\^]*h[\"\^]*o[\"\^]*n(?:[\"\^]*(?:3(?:[\"\^]*m)?|2))?|k[\"\^]*g[\"\^]*m[\"\^]*g[\"\^]*r|h[\"\^]*p(?:[\"\^]*[57])?|u[\"\^]*s[\"\^]*h[\"\^]*d|i[\"\^]*n[\"\^]*g)|r[\"\^]*(?:e[\"\^]*(?:(?:p[\"\^]*l[\"\^]*a[\"\^]*c[\"\^]*e|n(?:[\"\^]*a[\"\^]*m[\"\^]*e)?|s[\"\^]*e[\"\^]*t)[\"\^]*(?:[\s,;]|\.|/|<|>).*|g[\"\^]*(?:s[\"\^]*v[\"\^]*r[\"\^]*3[\"\^]*2|e[\"\^]*d[\"\^]*i[\"\^]*t|(?:[\s,;]|\.|/|<|>).*|i[\"\^]*n[\"\^]*i)|c[\"\^]*(?:d[\"\^]*i[\"\^]*s[\"\^]*c|o[\"\^]*v[\"\^]*e[\"\^]*r)|k[\"\^]*e[\"\^]*y[\"\^]*w[\"\^]*i[\"\^]*z)|u[\"\^]*(?:n[\"\^]*(?:d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|a[\"\^]*s)|b[\"\^]*y[\"\^]*(?:1(?:[\"\^]*[89])?|2[\"\^]*[012]))|a[\"\^]*(?:s[\"\^]*(?:p[\"\^]*h[\"\^]*o[\"\^]*n[\"\^]*e|d[\"\^]*i[\"\^]*a[\"\^]*l)|r[\"\^]*(?:[\s,;]|\.|/|<|>).*)|m[\"\^]*(?:(?:d[\"\^]*i[\"\^]*r[\"\^]*)?(?:[\s,;]|\.|/|<|>).*|t[\"\^]*s[\"\^]*h[\"\^]*a[\"\^]*r[\"\^]*e)|o[\"\^]*(?:u[\"\^]*t[\"\^]*e[\"\^]*(?:[\s,;]|\.|/|<|>).*|b[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y)|s[\"\^]*(?:t[\"\^]*r[\"\^]*u[\"\^]*i|y[\"\^]*n[\"\^]*c)|d[\"\^]*(?:[\s,;]|\.|/|<|>).*)|t[\"\^]*(?:a[\"\^]*(?:s[\"\^]*k[\"\^]*(?:k[\"\^]*i[\"\^]*l[\"\^]*l|l[\"\^]*i[\"\^]*s[\"\^]*t|s[\"\^]*c[\"\^]*h[\"\^]*d|m[\"\^]*g[\"\^]*r)|k[\"\^]*e[\"\^]*o[\"\^]*w[\"\^]*n)|(?:i[\"\^]*m[\"\^]*e[\"\^]*o[\"\^]*u|p[\"\^]*m[\"\^]*i[\"\^]*n[\"\^]*i|e[\"\^]*l[\"\^]*n[\"\^]*e|l[\"\^]*i[\"\^]*s)[\"\^]*t|s[\"\^]*(?:d[\"\^]*i[\"\^]*s[\"\^]*c[\"\^]*o|s[\"\^]*h[\"\^]*u[\"\^]*t[\"\^]*d)[\"\^]*n|y[\"\^]*p[\"\^]*e[\"\^]*(?:p[\"\^]*e[\"\^]*r[\"\^]*f|(?:[\s,;]|\.|/|<|>).*)|r[\"\^]*(?:a[\"\^]*c[\"\^]*e[\"\^]*r[\"\^]*t|e[\"\^]*e))|w[\"\^]*(?:i[\"\^]*n[\"\^]*(?:d[\"\^]*i[\"\^]*f[\"\^]*f|m[\"\^]*s[\"\^]*d[\"\^]*p|v[\"\^]*a[\"\^]*r|r[\"\^]*[ms])|u[\"\^]*(?:a[\"\^]*(?:u[\"\^]*c[\"\^]*l[\"\^]*t|p[\"\^]*p)|s[\"\^]*a)|s[\"\^]*c[\"\^]*(?:r[\"\^]*i[\"\^]*p[\"\^]*t|u[\"\^]*i)|e[\"\^]*v[\"\^]*t[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|m[\"\^]*i[\"\^]*(?:m[\"\^]*g[\"\^]*m[\"\^]*t|c)|a[\"\^]*i[\"\^]*t[\"\^]*f[\"\^]*o[\"\^]*r|h[\"\^]*o[\"\^]*a[\"\^]*m[\"\^]*i|g[\"\^]*e[\"\^]*t)|u[\"\^]*(?:s[\"\^]*(?:e[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*c[\"\^]*o[\"\^]*u[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*t[\"\^]*r[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*t[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s|r[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t)|n[\"\^]*(?:r[\"\^]*a[\"\^]*r|z[\"\^]*i[\"\^]*p))|q[\"\^]*(?:u[\"\^]*e[\"\^]*r[\"\^]*y[\"\^]*(?:[\s,;]|\.|/|<|>).*|p[\"\^]*r[\"\^]*o[\"\^]*c[\"\^]*e[\"\^]*s[\"\^]*s|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a|g[\"\^]*r[\"\^]*e[\"\^]*p)|o[\"\^]*(?:d[\"\^]*b[\"\^]*c[\"\^]*(?:a[\"\^]*d[\"\^]*3[\"\^]*2|c[\"\^]*o[\"\^]*n[\"\^]*f)|p[\"\^]*e[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)|v[\"\^]*(?:o[\"\^]*l[\"\^]*(?:[\s,;]|\.|/|<|>).*|e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*y)|x[\"\^]*c[\"\^]*(?:a[\"\^]*c[\"\^]*l[\"\^]*s|o[\"\^]*p[\"\^]*y)|z[\"\^]*i[\"\^]*p[\"\^]*(?:[\s,;]|\.|/|<|>).*)(?:\.[\"\^]*\w+)?\b" \ + "id:932115,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Windows Command Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-windows',\ + tag:'attack-rce',\ + tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ + tag:'WASCTC/WASC-31',\ + tag:'OWASP_TOP_10/A1',\ + tag:'PCI/6.5.2',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# [ Windows PowerShell, cmdlets and options ] +# +# Detect some common PowerShell commands, cmdlets and options. +# These commands should be relatively uncommon in normal text, but +# potentially useful for code injection. +# +# If you are not running Windows, it is safe to disable this rule. +# +# https://technet.microsoft.com/en-us/magazine/ff714569.aspx +# https://msdn.microsoft.com/en-us/powershell/scripting/core-powershell/console/powershell.exe-command-line-help +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf windows-powershell-commands.data" \ + "id:932120,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:cmdLine,t:lowercase,\ + msg:'Remote Command Execution: Windows PowerShell Command Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'language-powershell',\ + tag:'platform-windows',\ + tag:'attack-rce',\ + tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ + tag:'WASCTC/WASC-31',\ + tag:'OWASP_TOP_10/A1',\ + tag:'PCI/6.5.2',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# [ Unix shell expressions ] +# +# Detects the following patterns which are common in Unix shell scripts +# and oneliners: +# +# $(foo) Command substitution +# ${foo} Parameter expansion +# <(foo) Process substitution +# >(foo) Process substitution +# $((foo)) Arithmetic expansion +# +# Regexp generated from util/regexp-assemble/regexp-932130.data using Regexp::Assemble. +# See http://blog.modsecurity.org/2007/06/optimizing-regu.html for usage. +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\$(?:\((?:\(.*\)|.*)\)|\{.*\})|[<>]\(.*\))" \ + "id:932130,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:cmdLine,\ + msg:'Remote Command Execution: Unix Shell Expression Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ + tag:'WASCTC/WASC-31',\ + tag:'OWASP_TOP_10/A1',\ + tag:'PCI/6.5.2',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# [ Windows FOR, IF commands ] +# +# This rule detects Windows command shell FOR and IF commands. +# If you are not running Windows, it is safe to disable this rule. +# +# Examples: +# +# FOR %a IN (set) DO +# FOR /D %a IN (dirs) DO +# FOR /F "options" %a IN (text|"text") DO +# FOR /L %a IN (start,step,end) DO +# FOR /R C:\dir %A IN (set) DO +# +# IF [/I] [NOT] EXIST filename | DEFINED define | ERRORLEVEL n | CMDEXTVERSION n +# IF [/I] [NOT] item1 [==|EQU|NEQ|LSS|LEQ|GTR|GEQ] item2 +# IF [/I] [NOT] (item1) [==|EQU|NEQ|LSS|LEQ|GTR|GEQ] (item2) +# +# http://ss64.com/nt/if.html +# http://ss64.com/nt/for.html +# +# Regexp generated from util/regexp-assemble/regexp-932140.data using Regexp::Assemble. +# See http://blog.modsecurity.org/2007/06/optimizing-regu.html for usage. +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \b(?:if(?:/i)?(?: not)?(?: exist\b| defined\b| errorlevel\b| cmdextversion\b|(?: |\().*(?:\bgeq\b|\bequ\b|\bneq\b|\bleq\b|\bgtr\b|\blss\b|==))|for(/[dflr].*)* %+[^ ]+ in\(.*\)\s?do)" \ + "id:932140,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:cmdLine,\ + msg:'Remote Command Execution: Windows FOR/IF Command Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-windows',\ + tag:'attack-rce',\ + tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ + tag:'WASCTC/WASC-31',\ + tag:'OWASP_TOP_10/A1',\ + tag:'PCI/6.5.2',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# [ Unix direct remote command execution ] +# +# Detects Unix commands at the start of a parameter (direct RCE). +# Example: foo=wget%20www.example.com +# +# This case is different from command injection (rule 932100), where a +# command string is appended (injected) to a regular parameter, and then +# passed to a shell unescaped. +# +# Due to a higher risk of false positives, the following changes have been +# made relative to rule 932100: +# 1) the set of commands is smaller +# 2) we require a trailing space (denoting command parameters) or command +# separator character after the command +# +# To rebuild the word list regexp: +# cd util/regexp-assemble +# cat regexp-932150.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl +# +# Then insert the assembled regexp into this template: +# +# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:^|=)\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]* +# [regexp assembled from util/regexp-assemble/regexp-932150.txt] +# [\\\\'\"]*(?:\s|;|\||&|<|>)" \ +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:^|=)\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:l[\\\\'\"]*(?:s(?:[\\\\'\"]*(?:b[\\\\'\"]*_[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*l[\\\\'\"]*e[\\\\'\"]*a[\\\\'\"]*s[\\\\'\"]*e|c[\\\\'\"]*p[\\\\'\"]*u|m[\\\\'\"]*o[\\\\'\"]*d|p[\\\\'\"]*c[\\\\'\"]*i|u[\\\\'\"]*s[\\\\'\"]*b|-[\\\\'\"]*F|o[\\\\'\"]*f))?|z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|m[\\\\'\"]*(?:o[\\\\'\"]*r[\\\\'\"]*e|a)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s)|e[\\\\'\"]*s[\\\\'\"]*s[\\\\'\"]*(?:(?:f[\\\\'\"]*i[\\\\'\"]*l|p[\\\\'\"]*i[\\\\'\"]*p)[\\\\'\"]*e|e[\\\\'\"]*c[\\\\'\"]*h[\\\\'\"]*o)|a[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*(?:l[\\\\'\"]*o[\\\\'\"]*g(?:[\\\\'\"]*i[\\\\'\"]*n)?|c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*m)|w[\\\\'\"]*p(?:[\\\\'\"]*-[\\\\'\"]*d[\\\\'\"]*o[\\\\'\"]*w[\\\\'\"]*n[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*a[\\\\'\"]*d)?|f[\\\\'\"]*t[\\\\'\"]*p(?:[\\\\'\"]*g[\\\\'\"]*e[\\\\'\"]*t)?|y[\\\\'\"]*n[\\\\'\"]*x)|s[\\\\'\"]*(?:e[\\\\'\"]*(?:t[\\\\'\"]*(?:e[\\\\'\"]*n[\\\\'\"]*v|s[\\\\'\"]*i[\\\\'\"]*d)|n[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*i[\\\\'\"]*l|d)|h(?:[\\\\'\"]*\.[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*s[\\\\'\"]*t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*b)?|o[\\\\'\"]*(?:u[\\\\'\"]*r[\\\\'\"]*c[\\\\'\"]*e|c[\\\\'\"]*a[\\\\'\"]*t)|t[\\\\'\"]*r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g[\\\\'\"]*s|y[\\\\'\"]*s[\\\\'\"]*c[\\\\'\"]*t[\\\\'\"]*l|c[\\\\'\"]*(?:h[\\\\'\"]*e[\\\\'\"]*d|p)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|f[\\\\'\"]*t[\\\\'\"]*p|u[\\\\'\"]*d[\\\\'\"]*o|s[\\\\'\"]*h|v[\\\\'\"]*n)|p[\\\\'\"]*(?:t[\\\\'\"]*a[\\\\'\"]*r(?:[\\\\'\"]*(?:d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p))?|y[\\\\'\"]*t[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*n(?:[\\\\'\"]*(?:3(?:[\\\\'\"]*m)?|2))?|k[\\\\'\"]*(?:e[\\\\'\"]*x[\\\\'\"]*e[\\\\'\"]*c|i[\\\\'\"]*l[\\\\'\"]*l)|r[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*v|(?:g[\\\\'\"]*r[\\\\'\"]*e|f[\\\\'\"]*t)[\\\\'\"]*p|e[\\\\'\"]*r[\\\\'\"]*l(?:[\\\\'\"]*5)?|h[\\\\'\"]*p(?:[\\\\'\"]*[57])?|i[\\\\'\"]*n[\\\\'\"]*g|o[\\\\'\"]*p[\\\\'\"]*d)|n[\\\\'\"]*(?:c(?:[\\\\'\"]*(?:\.[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*d[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*o[\\\\'\"]*n[\\\\'\"]*a[\\\\'\"]*l|o[\\\\'\"]*p[\\\\'\"]*e[\\\\'\"]*n[\\\\'\"]*b[\\\\'\"]*s[\\\\'\"]*d)|a[\\\\'\"]*t))?|e[\\\\'\"]*t[\\\\'\"]*(?:k[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*-[\\\\'\"]*f[\\\\'\"]*t[\\\\'\"]*p|(?:s[\\\\'\"]*t|c)[\\\\'\"]*a[\\\\'\"]*t)|o[\\\\'\"]*h[\\\\'\"]*u[\\\\'\"]*p|p[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*g|s[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*t)|t[\\\\'\"]*(?:c[\\\\'\"]*(?:p[\\\\'\"]*(?:t[\\\\'\"]*r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e|i[\\\\'\"]*n[\\\\'\"]*g)|s[\\\\'\"]*h)|r[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t[\\\\'\"]*e(?:[\\\\'\"]*6)?|i[\\\\'\"]*m[\\\\'\"]*e(?:[\\\\'\"]*o[\\\\'\"]*u[\\\\'\"]*t)?|a[\\\\'\"]*(?:i[\\\\'\"]*l(?:[\\\\'\"]*f)?|r)|e[\\\\'\"]*l[\\\\'\"]*n[\\\\'\"]*e[\\\\'\"]*t)|r[\\\\'\"]*(?:e[\\\\'\"]*(?:p[\\\\'\"]*(?:l[\\\\'\"]*a[\\\\'\"]*c[\\\\'\"]*e|e[\\\\'\"]*a[\\\\'\"]*t)|a[\\\\'\"]*l[\\\\'\"]*p[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*h|n[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*e)|u[\\\\'\"]*b[\\\\'\"]*y(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|m[\\\\'\"]*(?:u[\\\\'\"]*s[\\\\'\"]*e|d[\\\\'\"]*i)[\\\\'\"]*r|n[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*o|s[\\\\'\"]*y[\\\\'\"]*n[\\\\'\"]*c|c[\\\\'\"]*p)|b[\\\\'\"]*(?:z[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|c[\\\\'\"]*a[\\\\'\"]*t)|s[\\\\'\"]*d[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*f[\\\\'\"]*f|t[\\\\'\"]*a[\\\\'\"]*r)|u[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*n|a[\\\\'\"]*s[\\\\'\"]*h)|m[\\\\'\"]*(?:y[\\\\'\"]*s[\\\\'\"]*q[\\\\'\"]*l[\\\\'\"]*(?:d[\\\\'\"]*u[\\\\'\"]*m[\\\\'\"]*p(?:[\\\\'\"]*s[\\\\'\"]*l[\\\\'\"]*o[\\\\'\"]*w)?|h[\\\\'\"]*o[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*o[\\\\'\"]*p[\\\\'\"]*y|a[\\\\'\"]*d[\\\\'\"]*m[\\\\'\"]*i[\\\\'\"]*n|s[\\\\'\"]*h[\\\\'\"]*o[\\\\'\"]*w)|l[\\\\'\"]*o[\\\\'\"]*c[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*e|a[\\\\'\"]*i[\\\\'\"]*l[\\\\'\"]*q)|u[\\\\'\"]*(?:n[\\\\'\"]*(?:c[\\\\'\"]*o[\\\\'\"]*m[\\\\'\"]*p[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|l[\\\\'\"]*z[\\\\'\"]*m[\\\\'\"]*a|a[\\\\'\"]*m[\\\\'\"]*e|r[\\\\'\"]*a[\\\\'\"]*r|s[\\\\'\"]*e[\\\\'\"]*t|z[\\\\'\"]*i[\\\\'\"]*p|x[\\\\'\"]*z)|s[\\\\'\"]*e[\\\\'\"]*r[\\\\'\"]*(?:(?:a[\\\\'\"]*d|m[\\\\'\"]*o)[\\\\'\"]*d|d[\\\\'\"]*e[\\\\'\"]*l))|x[\\\\'\"]*(?:z(?:[\\\\'\"]*(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|d[\\\\'\"]*(?:i[\\\\'\"]*f[\\\\'\"]*f|e[\\\\'\"]*c)|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e))?|a[\\\\'\"]*r[\\\\'\"]*g[\\\\'\"]*s)|z[\\\\'\"]*(?:(?:(?:[ef][\\\\'\"]*)?g[\\\\'\"]*r[\\\\'\"]*e|i)[\\\\'\"]*p|c[\\\\'\"]*(?:a[\\\\'\"]*t|m[\\\\'\"]*p)|d[\\\\'\"]*i[\\\\'\"]*f[\\\\'\"]*f|l[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*s|m[\\\\'\"]*o[\\\\'\"]*r[\\\\'\"]*e|r[\\\\'\"]*u[\\\\'\"]*n|s[\\\\'\"]*h)|f[\\\\'\"]*(?:t[\\\\'\"]*p[\\\\'\"]*(?:s[\\\\'\"]*t[\\\\'\"]*a[\\\\'\"]*t[\\\\'\"]*s|w[\\\\'\"]*h[\\\\'\"]*o)|i[\\\\'\"]*l[\\\\'\"]*e[\\\\'\"]*t[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*t|e[\\\\'\"]*t[\\\\'\"]*c[\\\\'\"]*h|g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p)|c[\\\\'\"]*(?:o[\\\\'\"]*(?:m[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*d|p[\\\\'\"]*r[\\\\'\"]*o[\\\\'\"]*c)|u[\\\\'\"]*r[\\\\'\"]*l|s[\\\\'\"]*h|c)|e[\\\\'\"]*(?:g[\\\\'\"]*r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*h[\\\\'\"]*o|v[\\\\'\"]*a[\\\\'\"]*l|x[\\\\'\"]*e[\\\\'\"]*c|n[\\\\'\"]*v)|d[\\\\'\"]*(?:m[\\\\'\"]*e[\\\\'\"]*s[\\\\'\"]*g|a[\\\\'\"]*s[\\\\'\"]*h|i[\\\\'\"]*f[\\\\'\"]*f|o[\\\\'\"]*a[\\\\'\"]*s)|g[\\\\'\"]*(?:z[\\\\'\"]*(?:c[\\\\'\"]*a[\\\\'\"]*t|i[\\\\'\"]*p)|r[\\\\'\"]*e[\\\\'\"]*p|c[\\\\'\"]*c)|j[\\\\'\"]*(?:o[\\\\'\"]*b[\\\\'\"]*s[\\\\'\"]*\s+[\\\\'\"]*-[\\\\'\"]*x|a[\\\\'\"]*v[\\\\'\"]*a)|w[\\\\'\"]*(?:h[\\\\'\"]*o[\\\\'\"]*a[\\\\'\"]*m[\\\\'\"]*i|g[\\\\'\"]*e[\\\\'\"]*t|3[\\\\'\"]*m)|i[\\\\'\"]*r[\\\\'\"]*b(?:[\\\\'\"]*(?:1(?:[\\\\'\"]*[89])?|2[\\\\'\"]*[012]))?|o[\\\\'\"]*n[\\\\'\"]*i[\\\\'\"]*n[\\\\'\"]*t[\\\\'\"]*r|h[\\\\'\"]*(?:e[\\\\'\"]*a[\\\\'\"]*d|u[\\\\'\"]*p)|v[\\\\'\"]*i[\\\\'\"]*(?:g[\\\\'\"]*r|p[\\\\'\"]*w)|G[\\\\'\"]*E[\\\\'\"]*T)[\\\\'\"]*(?:\s|;|\||&|<|>)" \ + "id:932150,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Direct Unix Command Execution',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ + tag:'WASCTC/WASC-31',\ + tag:'OWASP_TOP_10/A1',\ + tag:'PCI/6.5.2',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# [ Unix shell snippets ] +# +# Detect some common sequences found in shell commands and scripts. +# +# Some commands which were restricted in earlier rules due to FP, +# have been added here with their full path, in order to catch some +# cases where the full path is sent. +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf unix-shell.data" \ + "id:932160,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase,\ + msg:'Remote Command Execution: Unix Shell Code Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ + tag:'WASCTC/WASC-31',\ + tag:'OWASP_TOP_10/A1',\ + tag:'PCI/6.5.2',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# [ Shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169) ] +# +# Detect exploitation of "Shellshock" GNU Bash RCE vulnerability. +# +# Based on ModSecurity rules created by Red Hat. +# Permission for use was granted by Martin Prpic +# +# https://access.redhat.com/articles/1212303 +# +SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \ + "id:932170,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecode,\ + msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ + tag:'WASCTC/WASC-31',\ + tag:'OWASP_TOP_10/A1',\ + tag:'PCI/6.5.2',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'" + +SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \ + "id:932171,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecode,t:urlDecodeUni,\ + msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ + tag:'WASCTC/WASC-31',\ + tag:'OWASP_TOP_10/A1',\ + tag:'PCI/6.5.2',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# +# -=[ Restricted File Upload ]=- +# +# Detects attempts to upload a file with a forbidden filename. +# +# Many application contain Unrestricted File Upload vulnerabilities. +# https://www.owasp.org/index.php/Unrestricted_File_Upload +# +# These might be abused to upload configuration files or other files +# that affect the behavior of the web server, possibly causing remote +# code execution. +# +SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name \ + "@pmf restricted-upload.data" \ + "id:932180,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + msg:'Restricted File Upload Attempt',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ + tag:'WASCTC/WASC-31',\ + tag:'OWASP_TOP_10/A1',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +# +# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:932015,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +# +# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) +# + +# Missing Unix commands have been added to a new word list i.e. +# util/regexp-assemble/regexp-932106.txt +# These commands may have a higher risk of false positives. +# Therefore, they have been split off to a separate rule in PL3. +# For explanation of this rule, see rule 932100. +# +# To rebuild the word list regexp: +# cd util/regexp-assemble +# cat regexp-932106.txt | ./regexp-cmdline.py unix | ./regexp-assemble.pl +# +# Then insert the assembled regexp into this template: +# +# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]* +# [regexp assembled from util/regexp-assemble/regexp-932106.txt] +# \b" \ +# +# This rule is a stricter sibling of rule 932100. + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:;|\{|\||\|\||&|&&|\n|\r|\$\(|\$\(\(|`|\${|<\(|>\(|\(\s*\))\s*(?:{|\s*\(\s*|\w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+|!\s*|\$)*\s*(?:'|\")*(?:[\?\*\[\]\(\)\-\|+\w'\"\./\\\\]+/)?[\\\\'\"]*(?:(?:(?:a[\\\\'\"]*p[\\\\'\"]*t[\\\\'\"]*i[\\\\'\"]*t[\\\\'\"]*u[\\\\'\"]*d|u[\\\\'\"]*p[\\\\'\"]*2[\\\\'\"]*d[\\\\'\"]*a[\\\\'\"]*t)[\\\\'\"]*e|d[\\\\'\"]*n[\\\\'\"]*f|v[\\\\'\"]*i)[\\\\'\"]*(?:\s|<|>).*|p[\\\\'\"]*(?:a[\\\\'\"]*c[\\\\'\"]*m[\\\\'\"]*a[\\\\'\"]*n[\\\\'\"]*(?:\s|<|>).*|w[\\\\'\"]*d|s)|w[\\\\'\"]*(?:(?:\s|<|>).*|h[\\\\'\"]*o))\b" \ + "id:932106,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix Command Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ + tag:'WASCTC/WASC-31',\ + tag:'OWASP_TOP_10/A1',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/3',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'" + +# +# -=[ Bypass Rule 930120 (wildcard) ]=- +# +# When Paranoia Level is set to 1 and 2, a Remote Command Execution +# could be exploited bypassing rule 930120 (OS File Access Attempt) +# by using wildcard characters. +# +# In some other cases, it could be bypassed even if the Paranoia Level is set to 3. +# Please, keep in mind that this rule could lead to many false positives. +# +SecRule ARGS "@rx (?:/|\\\\)(?:[\?\*]+[a-z/\\\\]+|[a-z/\\\\]+[\?\*]+)" \ + "id:932190,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecode,t:urlDecodeUni,t:normalizePath,t:cmdLine,\ + msg:'Remote Command Execution: Wildcard bypass technique attempt',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ + tag:'WASCTC/WASC-31',\ + tag:'OWASP_TOP_10/A1',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/3',\ + ctl:auditLogParts=+E,\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'" + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:932017,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:932018,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +# +# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# + + + +# +# -= Paranoia Levels Finished =- +# +SecMarker "END-REQUEST-932-APPLICATION-ATTACK-RCE" diff --git a/confs/owasp-crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/confs/owasp-crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf new file mode 100644 index 0000000..63d3a32 --- /dev/null +++ b/confs/owasp-crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf @@ -0,0 +1,671 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# +# -= Paranoia Level 0 (empty) =- (apply unconditionally) +# + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +# +# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# + +# +# -=[ PHP Injection Attacks ]=- +# +# [ References ] +# http://rips-scanner.sourceforge.net/ +# https://www.owasp.org/index.php/PHP_Top_5#P1:_Remote_Code_Executionh +# + +# +# [ PHP Open Tag Found ] +# +# Detects PHP open tags "', but +# this resulted in false positives which were difficult to prevent. +# Therefore, that pattern is now checked by rule 933190 in paranoia levels +# 3 or higher. +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:<\?(?!xml\s)|<\?php|\[(?:/|\\\\)?php\])" \ + "id:933100,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:lowercase,\ + msg:'PHP Injection Attack: PHP Open Tag Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\ + tag:'OWASP_TOP_10/A1',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'" + +# +# [ PHP Script Uploads ] +# +# Block file uploads with filenames ending in PHP related extensions +# (.php, .phps, .phtml, .php5 etc). +# +# Many application contain Unrestricted File Upload vulnerabilities. +# https://www.owasp.org/index.php/Unrestricted_File_Upload +# +# Attackers may use such a vulnerability to achieve remote code execution +# by uploading a .php file. If the upload storage location is predictable +# and not adequately protected, the attacker may then request the uploaded +# .php file and have the code within it executed on the server. +# +# Also block files with just dot (.) characters after the extension: +# https://community.rapid7.com/community/metasploit/blog/2013/08/15/time-to-patch-joomla +# +# Some AJAX uploaders use the nonstandard request headers X-Filename, +# X_Filename, or X-File-Name to transmit the file name to the server; +# scan these request headers as well as multipart/form-data file names. +# +SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\.*$" \ + "id:933110,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'PHP Injection Attack: PHP Script File Upload Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\ + tag:'OWASP_TOP_10/A1',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# +# [ PHP Configuration Directives ] +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-config-directives.data" \ + "id:933120,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,\ + msg:'PHP Injection Attack: Configuration Directive Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\ + tag:'OWASP_TOP_10/A1',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + chain" + SecRule MATCHED_VARS "@pm =" \ + "capture,\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# +# [ PHP Variables ] +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-variables.data" \ + "id:933130,\ + phase:2,\ + block,\ + capture,\ + t:none,t:normalisePath,t:urlDecodeUni,t:lowercase,\ + msg:'PHP Injection Attack: Variables Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\ + tag:'OWASP_TOP_10/A1',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# +# [ PHP I/O Streams ] +# +# The "php://" syntax can be used to refer to various objects, such as local files (for LFI), +# remote urls (for RFI), or standard input/request body. Its occurrence indicates a possible attempt +# to either inject PHP code or exploit a file inclusion vulnerability in a PHP web app. +# +# Examples: +# php://filter/resource=./../../../wp-config.php +# php://filter/resource=http://www.example.com +# php://stdin +# php://input +# +# http://php.net/manual/en/wrappers.php.php +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" \ + "id:933140,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'PHP Injection Attack: I/O Stream Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\ + tag:'OWASP_TOP_10/A1',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# +# [ PHP Functions ] +# +# Detecting PHP function names is useful to block PHP code injection attacks. +# There are many PHP functions. We have to strike a balance between robust detection +# of PHP code in content, and the risk of false positives. +# +# The list of PHP functions is divided into four groups of varying attack/false positive risk. +# Four separate rules are used to detect these groups of functions: +# +# - Rule 933150: ~40 words highly common to PHP injection payloads and extremely rare in +# natural language or other contexts. +# Examples: 'base64_decode', 'file_get_contents'. +# These words are detected as a match directly using @pmf. +# Function names are defined in php-function-names-933150.data +# +# - Rule 933160: ~220 words which are common in PHP code, but have a higher chance to cause +# false positives in natural language or other contexts. +# Examples: 'chr', 'eval'. +# To mitigate false positives, a regexp looks for PHP function syntax, e.g. 'eval()'. +# Regexp is generated from function names in util/regexp-assemble/regexp-933160.data +# +# - Rule 933151: ~1300 words of lesser importance. This includes most PHP functions and keywords. +# Examples: 'addslashes', 'array_diff'. +# For performance reasons, the @pmf operator is used, and many functions from lesser +# used PHP extensions are removed. +# To mitigate false positives, we only match when the '(' character is also found. +# This rule only runs in paranoia level 2 or higher. +# Function names are defined in php-function-names-933151.data +# +# - Rule 933161: ~200 words with short or trivial names, possibly leading to false positives. +# Examples: 'abs', 'cos'. +# To mitigate false positives, a regexp matches on function syntax, e.g. 'abs()'. +# This rule only runs in paranoia level 3 or higher. +# Regexp is generated from function names in util/regexp-assemble/regexp-933161.data +# + + +# +# [ PHP Functions: High-Risk PHP Function Names ] +# +# Rule 933150 contains a small list of function names which are highly indicative of a PHP +# injection attack, for example 'base64_decode'. +# We block these function names outright, without using a complex regexp or chain. +# This could make the detection a bit more robust against possible bypasses. +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmf php-function-names-933150.data" \ + "id:933150,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'PHP Injection Attack: High-Risk PHP Function Name Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\ + tag:'OWASP_TOP_10/A1',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# +# [ PHP Functions: High-Risk PHP Function Calls ] +# +# Some PHP function names have a certain risk of false positives, due to short +# names, full or partial overlap with common natural language terms, uses in +# other contexts, et cetera. Some examples are 'eval', 'exec', 'system'. +# +# For these function names, we apply a regexp to look for PHP function syntax. +# The regexp looks for a word boundary and adjoining parentheses. +# For instance, we want to block 'eval()', but we want to allow 'medieval()'. +# +# We have to be careful of possible bypasses using comment syntax. Examples: +# +# system(...) +# system (...) +# system\t(...) +# system /*comment*/ (...) +# system /*multiline \n comment*/ (...) +# system //comment \n (...) +# system #comment \n (...) +# +# Regexp generated from util/regexp-assemble/regexp-933160.data using Regexp::Assemble. +# See http://blog.modsecurity.org/2007/06/optimizing-regu.html for usage. +# Note that after assemble, PHP function syntax pre/postfix is added to the Regexp::Assemble +# output. Example: "@rx (?i)\bASSEMBLE_OUTPUT_HERE(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|b(?:(?:son_(?:de|en)|ase64_en)code|zopen)|var_dump)(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" \ + "id:933160,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'PHP Injection Attack: High-Risk PHP Function Call Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\ + tag:'OWASP_TOP_10/A1',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# +# [ PHP Object Injection ] +# +# PHP Object Injection is an application level vulnerability that could allow +# an attacker to perform different kinds of malicious attacks, such as +# Code Injection, SQL Injection, Path Traversal and Application Denial of Service, +# depending on the context. +# +# The vulnerability occurs when user-supplied input is not properly sanitized +# before being passed to the unserialize() PHP function. Since PHP allows object +# serialization, attackers could pass ad-hoc serialized strings to a vulnerable +# unserialize() call, resulting in an arbitrary PHP object(s) injection into the +# application scope. +# +# https://www.owasp.org/index.php/PHP_Object_Injection +# +# In serialized form, PHP objects have the following format: +# +# O:8:"stdClass":1:{s:1:"a";i:2;} +# O:3:"Foo":0:{} +# +# Also detected are PHP objects with a custom unserializer: +# http://www.phpinternalsbook.com/classes_objects/serialization.html +# These have the following format: +# +# C:11:"ArrayObject":37:{x:i:0;a:1:{s:1:"a";s:1:"b";};m:a:0:{}} +# C:3:"Foo":23:{s:15:"My private data";} +# +# HTTP headers are inspected, since PHP object injection vulnerabilities have been +# found in applications parsing them: +# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8562 (User-Agent header) +# https://www.exploit-db.com/exploits/39033/ (X-Forwarded-For header) +# http://karmainsecurity.com/KIS-2015-10 (Host header) +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/* "@rx [oOcC]:\d+:\".+?\":\d+:{.*}" \ + "id:933170,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'PHP Injection Attack: Serialized Object Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\ + tag:'OWASP_TOP_10/A1',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'" + + + +# +# [ PHP Functions: Variable Function Calls ] +# +# PHP 'variable functions' provide an alternate syntax for calling PHP functions. +# http://php.net/manual/en/functions.variable-functions.php +# +# An attacker may use variable function syntax to evade detection of function +# names during exploitation of a remote code execution vulnerability. +# An example to use the 'file_get_contents' function while evading rule 933150: +# +# $fn = 'file_' . 'get_' . 'contents'; +# echo $fn('wp-co' . 'nfig.php'); +# +# Some examples from obfuscated malware: +# +# $OOO0000O0(...) +# @$b374k(...) +# $_[@-_]($_[@!+_] ) +# +# A breakdown of the regular expression: +# +# \$+ +# The variable's '$' char, or multiple '$' for 'variable variables': +# http://php.net/manual/en/language.variables.variable.php +# (?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*{.+}) +# One of the following: +# - A variable name; regexp from http://php.net/language.variables.basics +# - A nonempty expression for variable variables: ${'fn'} or $ {'fn'} +# (?:\s|\[.+\]|{.+}|/\*.*\*/|//.*|#.*)* +# Optional whitespace, array access, or comments +# \(.*\) +# Parentheses optionally containing function parameters +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx \$+(?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*{.+})(?:\s|\[.+\]|{.+}|/\*.*\*/|//.*|#.*)*\(.*\)" \ + "id:933180,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'PHP Injection Attack: Variable Function Call Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\ + tag:'OWASP_TOP_10/A1',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +# +# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# + +# +# [ PHP Functions: Medium-Risk PHP Function Names ] +# +# In paranoia level 2, we add additional checks for most PHP functions. +# +# The size of the PHP function list is considerable. +# Even after excluding the more obscure PHP extensions, 1300+ functions remain. +# For performance and maintenance reasons, this rule does not use a regexp, +# but uses a phrase file (@pmf), and additionally looks for an '(' character +# in the matched variable. +# +# This approach carries some risk for false positives. Therefore, the function list +# has been curated to remove words closely matching natural language and terms often +# used in other contexts. +# +# This rule is a stricter sibling of rule 933150. +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmf php-function-names-933151.data" \ + "id:933151,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'PHP Injection Attack: Medium-Risk PHP Function Name Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\ + tag:'OWASP_TOP_10/A1',\ + tag:'paranoia-level/2',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + chain" + SecRule MATCHED_VARS "@pm (" \ + "capture,\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'" + + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +# +# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher) +# + +# +# [ PHP Variables: Common Variable Indexes ] +# +# In paranoia level 3, we add additional checks for parameters to many PHP variables. +# +# +# One of the more common variables used within attacks on PHP is $_SERVER. Because +# of how many different ways PHP has for executing variables (variable variables, +# etc) often just looking for $_SERVER will be less effective than looking for the +# various indexes within $_SERVER. This rule checks for these indexes. +# This rule is located in PL 3 because often developers will use these names as +# parameter names or values and this will lead to false positives. +# Because this list is not expected to change and it is limited in size we use a +# regex in this case to look for these values whereas in its sibling rule we use +# @pmf for flexibility and performance. +# +# To rebuild the regexp: +# cd util/regexp-assemble +# ./regexp-assemble.pl < regexp-933131.data +# +# This rule is a stricter sibling of rule 933130. +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:HTTP_(?:ACCEPT(?:_(?:ENCODING|LANGUAGE|CHARSET))?|(?:X_FORWARDED_FO|REFERE)R|(?:USER_AGEN|HOS)T|CONNECTION|KEEP_ALIVE)|PATH_(?:TRANSLATED|INFO)|ORIG_PATH_INFO|QUERY_STRING|REQUEST_URI|AUTH_TYPE)" \ + "id:933131,\ + phase:2,\ + block,\ + capture,\ + t:none,t:normalisePath,t:urlDecodeUni,\ + msg:'PHP Injection Attack: Variables Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\ + tag:'OWASP_TOP_10/A1',\ + tag:'paranoia-level/3',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# +# [ PHP Functions: Low-Value PHP Function Calls ] +# +# In paranoia level 3, we add additional checks for the remaining PHP functions. +# +# Most of these function names are likely to cause false positives in natural text +# or common parameter values, such as 'abs', 'copy', 'date', 'key', 'max', 'min'. +# Therefore, these function names are not scanned in lower paranoia levels. +# +# To mitigate the risk of false positives somewhat, a regexp is used to look for +# PHP function syntax. (See rule 933160 for a description.) +# +# This rule is a stricter sibling of rule 933160. +# +# Regexp generated from util/regexp-assemble/regexp-933161.data using Regexp::Assemble. +# See http://blog.modsecurity.org/2007/06/optimizing-regu.html for usage. +# Note that after assemble, PHP function syntax pre/postfix is added to the Regexp::Assemble +# output. Example: "@rx (?i)\bASSEMBLE_OUTPUT_HERE(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:i(?:s(?:_(?:in(?:t(?:eger)?|finite)|n(?:u(?:meric|ll)|an)|(?:calla|dou)ble|s(?:calar|tring)|f(?:inite|loat)|re(?:source|al)|l(?:ink|ong)|a(?:rray)?|object|bool)|set)|n(?:(?:clud|vok)e|t(?:div|val))|(?:mplod|dat)e|conv)|s(?:t(?:r(?:(?:le|sp)n|coll)|at)|(?:e(?:rializ|ttyp)|huffl)e|i(?:milar_text|zeof|nh?)|p(?:liti?|rintf)|(?:candi|ubst)r|y(?:mlink|slog)|o(?:undex|rt)|leep|rand|qrt)|f(?:ile(?:(?:siz|typ)e|owner|pro)|l(?:o(?:atval|ck|or)|ush)|(?:rea|mo)d|t(?:ell|ok)|unction|close|gets|stat|eof)|c(?:h(?:o(?:wn|p)|eckdate|root|dir|mod)|o(?:(?:(?:nsta|u)n|mpac)t|sh?|py)|lose(?:dir|log)|(?:urren|ryp)t|eil)|e(?:x(?:(?:trac|i)t|p(?:lode)?)|a(?:ster_da(?:te|ys)|ch)|r(?:ror_log|egi?)|mpty|cho|nd)|l(?:o(?:g(?:1[0p])?|caltime)|i(?:nk(?:info)?|st)|(?:cfirs|sta)t|evenshtein|trim)|d(?:i(?:(?:skfreespac)?e|r(?:name)?)|e(?:fined?|coct)|(?:oubleva)?l|ate)|r(?:e(?:(?:quir|cod|nam)e|adlin[ek]|wind|set)|an(?:ge|d)|ound|sort|trim)|m(?:b(?:split|ereg)|i(?:crotime|n)|a(?:i[ln]|x)|etaphone|y?sql|hash)|u(?:n(?:(?:tain|se)t|iqid|link)|s(?:leep|ort)|cfirst|mask)|a(?:s(?:(?:se|o)rt|inh?)|r(?:sort|ray)|tan[2h]?|cosh?|bs)|t(?:e(?:xtdomain|mpnam)|a(?:int|nh?)|ouch|ime|rim)|h(?:e(?:ader(?:s_(?:lis|sen)t)?|brev)|ypot|ash)|p(?:a(?:thinfo|ck)|r(?:intf?|ev)|close|o[sw]|i)|g(?:et(?:t(?:ext|ype)|date)|mdate)|o(?:penlog|ctdec|rd)|b(?:asename|indec)|n(?:atsor|ex)t|k(?:sort|ey)|quotemeta|wordwrap|virtual|join)(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)" \ + "id:933161,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'PHP Injection Attack: Low-Value PHP Function Call Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\ + tag:'OWASP_TOP_10/A1',\ + tag:'paranoia-level/3',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# +# [ PHP Script Uploads: Superfluous extension ] +# +# Block file uploads with PHP related extensions (.php, .phps, .phtml, +# .php5 etc) anywhere in the name, followed by a dot. +# +# Example: index.php.tmp +# +# Uploading of such files can lead to remote code execution if +# Apache is configured with AddType and MultiViews, as Apache will +# automatically do a filename match when the extension is unknown. +# This configuration is fortunately not common in modern installs. +# +# Blocking these file names might lead to more false positives. +# +# Some AJAX uploaders use the nonstandard request headers X-Filename, +# X_Filename, or X-File-Name to transmit the file name to the server; +# scan these request headers as well as multipart/form-data file names. +# +# This rule is a stricter sibling of rule 933110. +# +SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \ + "id:933111,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'PHP Injection Attack: PHP Script File Upload Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\ + tag:'OWASP_TOP_10/A1',\ + tag:'paranoia-level/3',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# [ PHP Closing Tag Found ] +# +# http://www.php.net/manual/en/language.basic-syntax.phptags.php +# +# This check was extracted from 933100 (paranoia level 1), since the +# checked sequence '?>' commonly causes false positives. +# See issue #654 for discussion. +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm ?>" \ + "msg:'PHP Injection Attack: PHP Closing Tag Found',\ + phase:2,\ + ver:'OWASP_CRS/3.1.1',\ + t:none,t:urlDecodeUni,\ + ctl:auditLogParts=+E,\ + block,\ + capture,\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + id:933190,\ + severity:'CRITICAL',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\ + tag:'OWASP_TOP_10/A1',\ + tag:'paranoia-level/3',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +# +# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher) +# + + + +# +# -= Paranoia Levels Finished =- +# +SecMarker "END-REQUEST-933-APPLICATION-ATTACK-PHP" diff --git a/confs/owasp-crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/confs/owasp-crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf new file mode 100644 index 0000000..c09a258 --- /dev/null +++ b/confs/owasp-crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf @@ -0,0 +1,900 @@ +# ------------------------------------------------------------------------ +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. +# +# The OWASP ModSecurity Core Rule Set is distributed under +# Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# +# -= Paranoia Level 0 (empty) =- (apply unconditionally) +# + + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" +# +# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher) +# + + +# +# -=[ Libinjection - XSS Detection ]=- +# +# Ref: https://github.com/client9/libinjection +# Ref: https://speakerdeck.com/ngalbreath/libinjection-from-sqli-to-xss +# +# -=[ Targets ]=- +# +# 941100: PL1 : REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/| +# REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent| +# ARGS_NAMES|ARGS|XML:/* +# +# 941101: PL2 : REQUEST_HEADERS:Referer +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@detectXSS" \ + "id:941100,\ + phase:2,\ + block,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'XSS Attack Detected via libinjection',\ + logdata:'Matched Data: XSS data found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'OWASP_CRS/WEB_ATTACK/XSS',\ + tag:'WASCTC/WASC-8',\ + tag:'WASCTC/WASC-22',\ + tag:'OWASP_TOP_10/A3',\ + tag:'OWASP_AppSensor/IE1',\ + tag:'CAPEC-242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# +# -=[ XSS Filters - Category 1 ]=- +# http://xssplayground.net23.net/xssfilter.html +# script tag based XSS vectors, e.g., +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[<<]script[^>>]*[>>][\s\S]*?" \ + "id:941110,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'XSS Filter - Category 1: Script Tag Vector',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'OWASP_CRS/WEB_ATTACK/XSS',\ + tag:'WASCTC/WASC-8',\ + tag:'WASCTC/WASC-22',\ + tag:'OWASP_TOP_10/A3',\ + tag:'OWASP_AppSensor/IE1',\ + tag:'CAPEC-242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# +# -=[ XSS Filters - Category 2 ]=- +# XSS vectors making use of event handlers like onerror, onload etc, e.g., +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\"'`;\/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]+on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=" \ + "id:941120,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'XSS Filter - Category 2: Event Handler Vector',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'OWASP_CRS/WEB_ATTACK/XSS',\ + tag:'WASCTC/WASC-8',\ + tag:'WASCTC/WASC-22',\ + tag:'OWASP_TOP_10/A3',\ + tag:'OWASP_AppSensor/IE1',\ + tag:'CAPEC-242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# +# -=[ XSS Filters - Category 3 ]=- +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\S](?:x(?:link:href|html|mlns)|!ENTITY.*?SYSTEM|data:text\/html|pattern(?=.*?=)|formaction|\@import|base64)\b" \ + "id:941130,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'XSS Filter - Category 3: Attribute Vector',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'OWASP_CRS/WEB_ATTACK/XSS',\ + tag:'WASCTC/WASC-8',\ + tag:'WASCTC/WASC-22',\ + tag:'OWASP_TOP_10/A3',\ + tag:'OWASP_AppSensor/IE1',\ + tag:'CAPEC-242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# +# -=[ XSS Filters - Category 4 ]=- +# XSS vectors making use of javascript uri and tags, e.g.,

+# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:<(?:(?:apple|objec)t|isindex|embed|style|form|meta)\b[^>]*?>[\s\S]*?|(?:=|U\s*?R\s*?L\s*?\()\s*?[^>]*?\s*?S\s*?C\s*?R\s*?I\s*?P\s*?T\s*?:)" \ + "id:941140,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'XSS Filter - Category 4: Javascript URI Vector',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'OWASP_CRS/WEB_ATTACK/XSS',\ + tag:'WASCTC/WASC-8',\ + tag:'WASCTC/WASC-22',\ + tag:'OWASP_TOP_10/A3',\ + tag:'OWASP_AppSensor/IE1',\ + tag:'CAPEC-242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# +# -=[ NoScript XSS Filters ]=- +# Ref: http://noscript.net/ +# +# [NoScript InjectionChecker] HTML injection +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*(?:\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t|\W*?f\W*?o\W*?r\W*?m|\W*?s\W*?t\W*?y\W*?l\W*?e|\W*?s\W*?v\W*?g|\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e|(?:\W*?l\W*?i\W*?n\W*?k|\W*?o\W*?b\W*?j\W*?e\W*?c\W*?t|\W*?e\W*?m\W*?b\W*?e\W*?d|\W*?a\W*?p\W*?p\W*?l\W*?e\W*?t|\W*?p\W*?a\W*?r\W*?a\W*?m|\W*?i?\W*?f\W*?r\W*?a\W*?m\W*?e|\W*?b\W*?a\W*?s\W*?e|\W*?b\W*?o\W*?d\W*?y|\W*?m\W*?e\W*?t\W*?a|\W*?i\W*?m\W*?a?\W*?g\W*?e?|\W*?v\W*?i\W*?d\W*?e\W*?o|\W*?a\W*?u\W*?d\W*?i\W*?o|\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s|\W*?s\W*?e\W*?t|\W*?a\W*?n\W*?i\W*?m\W*?a\W*?t\W*?e)[^>\w])|(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:formaction|style|background|src|lowsrc|ping|on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)?|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|m(?:o(?:z(?:pointerlock(?:change|error)|(?:orientation|time)change|fullscreen(?:change|error)|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|u(?:ccess|spend|bmit)|peech(?:start|end)|ound(?:start|end)|croll|how)|b(?:e(?:for(?:e(?:(?:scriptexecu|activa)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|deactivate)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ime(?:update|out)|ransitionend|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom))[\s\x08]*?=" \ + "id:941160,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'NoScript XSS InjectionChecker: HTML Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'OWASP_CRS/WEB_ATTACK/XSS',\ + tag:'WASCTC/WASC-8',\ + tag:'WASCTC/WASC-22',\ + tag:'OWASP_TOP_10/A3',\ + tag:'OWASP_AppSensor/IE1',\ + tag:'CAPEC-242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# +# [NoScript InjectionChecker] Attributes injection +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\\\(\[\.<]|[\s\S]*?(?:\bname\b|\\[ux]\d))|data:(?:(?:[a-z]\w+\/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:\/\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()|\W*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[\s\S]*?:[\s\S]*?\W*?u\W*?r\W*?l[\s\S]*?\(" \ + "id:941170,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'NoScript XSS InjectionChecker: Attribute Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'OWASP_CRS/WEB_ATTACK/XSS',\ + tag:'WASCTC/WASC-8',\ + tag:'WASCTC/WASC-22',\ + tag:'OWASP_TOP_10/A3',\ + tag:'OWASP_AppSensor/IE1',\ + tag:'CAPEC-242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# +# [Blacklist Keywords from Node-Validator] +# https://raw.github.com/chriso/node-validator/master/validator.js +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm document.cookie document.write document[ self[ .parentnode .innerhtml window.location -moz-binding .*?((@[i\\\\])|(([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))))" \ + "id:941190,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'IE XSS Filters - Attack Detected.',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'OWASP_CRS/WEB_ATTACK/XSS',\ + tag:'WASCTC/WASC-8',\ + tag:'WASCTC/WASC-22',\ + tag:'OWASP_TOP_10/A3',\ + tag:'OWASP_AppSensor/IE1',\ + tag:'CAPEC-242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<.*[:]?vmlframe.*?[\s/+]*?src[\s/+]*=)" \ + "id:941200,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'IE XSS Filters - Attack Detected.',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'OWASP_CRS/WEB_ATTACK/XSS',\ + tag:'WASCTC/WASC-8',\ + tag:'WASCTC/WASC-22',\ + tag:'OWASP_TOP_10/A3',\ + tag:'OWASP_AppSensor/IE1',\ + tag:'CAPEC-242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(j|(&#x?0*((74)|(4A)|(106)|(6A));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" \ + "id:941210,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'IE XSS Filters - Attack Detected.',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'OWASP_CRS/WEB_ATTACK/XSS',\ + tag:'WASCTC/WASC-8',\ + tag:'WASCTC/WASC-22',\ + tag:'OWASP_TOP_10/A3',\ + tag:'OWASP_AppSensor/IE1',\ + tag:'CAPEC-242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(b|(&#x?0*((66)|(42)|(98)|(62));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" \ + "id:941220,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'IE XSS Filters - Attack Detected.',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'OWASP_CRS/WEB_ATTACK/XSS',\ + tag:'WASCTC/WASC-8',\ + tag:'WASCTC/WASC-22',\ + tag:'OWASP_TOP_10/A3',\ + tag:'OWASP_AppSensor/IE1',\ + tag:'CAPEC-242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)]" \ + "id:941290,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'IE XSS Filters - Attack Detected.',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'OWASP_CRS/WEB_ATTACK/XSS',\ + tag:'WASCTC/WASC-8',\ + tag:'WASCTC/WASC-22',\ + tag:'OWASP_TOP_10/A3',\ + tag:'OWASP_AppSensor/IE1',\ + tag:'CAPEC-242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i))|(?:¾|¼|<).*(?:¾|¼)" \ + "id:941310,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\ + msg:'US-ASCII Malformed Encoding XSS Filter - Attack Detected.',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-tomcat',\ + tag:'attack-xss',\ + tag:'OWASP_CRS/WEB_ATTACK/XSS',\ + tag:'WASCTC/WASC-8',\ + tag:'WASCTC/WASC-22',\ + tag:'OWASP_TOP_10/A3',\ + tag:'OWASP_AppSensor/IE1',\ + tag:'CAPEC-242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'" + +# +# UTF-7 encoding XSS filter evasion for IE. +# Reported by Vladimir Ivanov +# + +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\+ADw\-|\+AD4\-).*(?:\+ADw\-|\+AD4\-|>)|(?:\+ADw\-|\+AD4\-|<).*(?:\+ADw\-|\+AD4\-)" \ + "id:941350,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\ + msg:'UTF-7 Encoding IE XSS - Attack Detected.',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-internet-explorer',\ + tag:'attack-xss',\ + tag:'OWASP_CRS/WEB_ATTACK/XSS',\ + tag:'WASCTC/WASC-8',\ + tag:'WASCTC/WASC-22',\ + tag:'OWASP_TOP_10/A3',\ + tag:'OWASP_AppSensor/IE1',\ + tag:'CAPEC-242',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" +SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS" +# +# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher) +# + +# +# This is a stricter sibling of rule 941100. +# +SecRule REQUEST_HEADERS:Referer "@detectXSS" \ + "id:941101,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'XSS Attack Detected via libinjection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'OWASP_CRS/WEB_ATTACK/XSS',\ + tag:'WASCTC/WASC-8',\ + tag:'WASCTC/WASC-22',\ + tag:'OWASP_TOP_10/A3',\ + tag:'OWASP_AppSensor/IE1',\ + tag:'CAPEC-242',\ + tag:'paranoia-level/2',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# +# -=[ XSS Filters - Category 5 ]=- +# HTML attribues - src, style and href +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=" \ + "id:941150,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'XSS Filter - Category 5: Disallowed HTML Attributes',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'OWASP_CRS/WEB_ATTACK/XSS',\ + tag:'WASCTC/WASC-8',\ + tag:'WASCTC/WASC-22',\ + tag:'OWASP_TOP_10/A3',\ + tag:'OWASP_AppSensor/IE1',\ + tag:'CAPEC-242',\ + tag:'paranoia-level/2',\ + ctl:auditLogParts=+E,\ + ver:'OWASP_CRS/3.1.1',\ + severity:'CRITICAL',\ + setvar:'tx.msg=%{rule.msg}',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ + setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'" + + +# Detect tags that are the most common direct HTML injection points. +# +# +# +# +#