322 lines
16 KiB
Plaintext
322 lines
16 KiB
Plaintext
# ------------------------------------------------------------------------
|
|
# OWASP ModSecurity Core Rule Set ver.3.2.0
|
|
# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
|
|
#
|
|
# The OWASP ModSecurity Core Rule Set is distributed under
|
|
# Apache Software License (ASL) version 2
|
|
# Please see the enclosed LICENSE file for full details.
|
|
# ------------------------------------------------------------------------
|
|
|
|
#
|
|
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
|
|
#
|
|
# Many rules check request bodies, use "SecRequestBodyAccess On" to enable it on main modsecurity configuration file.
|
|
|
|
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
|
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
|
#
|
|
# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
|
|
#
|
|
# This rule is also triggered by an Apache Struts exploit:
|
|
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ]
|
|
#
|
|
# This rule is also triggered by an Apache Struts Remote Code Execution exploit:
|
|
# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
|
|
#
|
|
# This rule is also triggered by an Apache Struts Remote Code Execution exploit:
|
|
# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
|
|
#
|
|
# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
|
|
# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
|
|
#
|
|
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
|
|
"@rx java\.lang\.(?:runtime|processbuilder)" \
|
|
"id:944100,\
|
|
phase:2,\
|
|
block,\
|
|
t:none,t:lowercase,\
|
|
log,\
|
|
msg:'Remote Command Execution: Suspicious Java class detected',\
|
|
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
|
|
tag:'application-multi',\
|
|
tag:'language-java',\
|
|
tag:'platform-multi',\
|
|
tag:'attack-rce',\
|
|
tag:'OWASP_CRS',\
|
|
tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
|
|
tag:'WASCTC/WASC-31',\
|
|
tag:'OWASP_TOP_10/A1',\
|
|
tag:'PCI/6.5.2',\
|
|
tag:'paranoia-level/1',\
|
|
ver:'OWASP_CRS/3.2.0',\
|
|
severity:'CRITICAL',\
|
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
|
|
# This rule is also triggered by the following exploit(s):
|
|
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ]
|
|
# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
|
|
# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
|
|
# [ Java deserialization vulnerability/Apache Struts (CVE-2017-9805) ]
|
|
# [ Java deserialization vulnerability/Oracle Weblogic (CVE-2017-10271) ]
|
|
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
|
|
#
|
|
# Generic rule to detect processbuilder or runtime calls, if any of thos is found and the same target contains
|
|
# java. unmarshaller or base64data to trigger a potential payload execution
|
|
# tested with https://www.exploit-db.com/exploits/42627/ and https://www.exploit-db.com/exploits/43458/
|
|
|
|
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
|
|
"@rx (?:runtime|processbuilder)" \
|
|
"id:944110,\
|
|
phase:2,\
|
|
block,\
|
|
t:none,t:lowercase,\
|
|
log,\
|
|
msg:'Remote Command Execution: Java process spawn (CVE-2017-9805)',\
|
|
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
|
|
tag:'application-multi',\
|
|
tag:'language-java',\
|
|
tag:'platform-multi',\
|
|
tag:'attack-rce',\
|
|
tag:'OWASP_CRS',\
|
|
tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
|
|
tag:'WASCTC/WASC-31',\
|
|
tag:'OWASP_TOP_10/A1',\
|
|
tag:'PCI/6.5.2',\
|
|
tag:'paranoia-level/1',\
|
|
ver:'OWASP_CRS/3.2.0',\
|
|
severity:'CRITICAL',\
|
|
chain"
|
|
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \
|
|
"setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
|
|
# Magic bytes detected and payload included possibly RCE vulnerable classess detected and process execution methods detected
|
|
# anomaly score set to critical as all conditions indicate the request try to perform RCE.
|
|
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
|
|
"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \
|
|
"id:944120,\
|
|
phase:2,\
|
|
block,\
|
|
t:none,t:lowercase,\
|
|
log,\
|
|
msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',\
|
|
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
|
|
tag:'application-multi',\
|
|
tag:'language-java',\
|
|
tag:'platform-multi',\
|
|
tag:'attack-rce',\
|
|
tag:'OWASP_CRS',\
|
|
tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
|
|
tag:'WASCTC/WASC-31',\
|
|
tag:'OWASP_TOP_10/A1',\
|
|
tag:'PCI/6.5.2',\
|
|
tag:'paranoia-level/1',\
|
|
ver:'OWASP_CRS/3.2.0',\
|
|
severity:'CRITICAL',\
|
|
chain"
|
|
SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
|
|
"t:none,t:lowercase,\
|
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
|
|
# This rule is also triggered by the following exploit(s):
|
|
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/mazen160/struts-pwn ]
|
|
# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ]
|
|
# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
|
|
# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
|
|
# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
|
|
# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45262 ]
|
|
# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45260 ]
|
|
#
|
|
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_FILENAME|REQUEST_HEADERS|XML:/*|XML://@* \
|
|
"@pmFromFile java-classes.data" \
|
|
"id:944130,\
|
|
phase:2,\
|
|
block,\
|
|
t:none,t:lowercase,\
|
|
log,\
|
|
msg:'Suspicious Java class detected',\
|
|
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
|
|
tag:'application-multi',\
|
|
tag:'language-java',\
|
|
tag:'platform-multi',\
|
|
tag:'attack-rce',\
|
|
tag:'OWASP_CRS',\
|
|
tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
|
|
tag:'WASCTC/WASC-31',\
|
|
tag:'OWASP_TOP_10/A1',\
|
|
tag:'PCI/6.5.2',\
|
|
tag:'paranoia-level/1',\
|
|
ver:'OWASP_CRS/3.2.0',\
|
|
severity:'CRITICAL',\
|
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
|
|
|
|
|
|
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
|
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
|
#
|
|
# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
|
|
#
|
|
# [ Java deserialization vulnerability/Apache Commons (CVE-2015-4852) ]
|
|
#
|
|
# Detect exploitation of "Java deserialization" Apache Commons.
|
|
#
|
|
# Based on rules by @spartantri.
|
|
# https://spartantri.com/ModSecurity/?p=44
|
|
#
|
|
# Interesting references about the vulnerability
|
|
# https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
|
|
# https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
|
|
#
|
|
# Potential false positives with random fields, the anomaly level is set low to avoid blocking request
|
|
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
|
|
"@rx \xac\xed\x00\x05" \
|
|
"id:944200,\
|
|
phase:2,\
|
|
block,\
|
|
log,\
|
|
msg:'Magic bytes Detected, probable java serialization in use',\
|
|
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
|
|
tag:'application-multi',\
|
|
tag:'language-java',\
|
|
tag:'platform-multi',\
|
|
tag:'attack-rce',\
|
|
tag:'OWASP_CRS',\
|
|
tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
|
|
tag:'WASCTC/WASC-31',\
|
|
tag:'OWASP_TOP_10/A1',\
|
|
tag:'PCI/6.5.2',\
|
|
tag:'paranoia-level/2',\
|
|
ver:'OWASP_CRS/3.2.0',\
|
|
severity:'CRITICAL',\
|
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
|
|
# Detecting possibe base64 text to match encoded magic bytes \xac\xed\x00\x05 with padding encoded in base64 strings are rO0ABQ KztAAU Cs7QAF
|
|
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
|
|
"@rx (?:rO0ABQ|KztAAU|Cs7QAF)" \
|
|
"id:944210,\
|
|
phase:2,\
|
|
block,\
|
|
log,\
|
|
msg:'Magic bytes Detected Base64 Encoded, probable java serialization in use',\
|
|
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
|
|
tag:'application-multi',\
|
|
tag:'language-java',\
|
|
tag:'platform-multi',\
|
|
tag:'attack-rce',\
|
|
tag:'OWASP_CRS',\
|
|
tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
|
|
tag:'WASCTC/WASC-31',\
|
|
tag:'OWASP_TOP_10/A1',\
|
|
tag:'PCI/6.5.2',\
|
|
tag:'paranoia-level/2',\
|
|
ver:'OWASP_CRS/3.2.0',\
|
|
severity:'CRITICAL',\
|
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
|
|
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
|
|
"@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \
|
|
"id:944240,\
|
|
phase:2,\
|
|
block,\
|
|
t:none,t:lowercase,\
|
|
log,\
|
|
msg:'Remote Command Execution: Java serialization (CVE-2015-5842)',\
|
|
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
|
|
tag:'application-multi',\
|
|
tag:'language-java',\
|
|
tag:'platform-multi',\
|
|
tag:'attack-rce',\
|
|
tag:'OWASP_CRS',\
|
|
tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
|
|
tag:'WASCTC/WASC-31',\
|
|
tag:'OWASP_TOP_10/A1',\
|
|
tag:'PCI/6.5.2',\
|
|
tag:'paranoia-level/2',\
|
|
ver:'OWASP_CRS/3.2.0',\
|
|
severity:'CRITICAL',\
|
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
|
|
# This rule is also triggered by the following exploit(s):
|
|
# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
|
|
#
|
|
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
|
|
"@rx java\b.+(?:runtime|processbuilder)" \
|
|
"id:944250,\
|
|
phase:2,\
|
|
block,\
|
|
t:lowercase,\
|
|
log,\
|
|
msg:'Remote Command Execution: Suspicious Java method detected',\
|
|
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
|
|
tag:'application-multi',\
|
|
tag:'language-java',\
|
|
tag:'platform-multi',\
|
|
tag:'attack-rce',\
|
|
tag:'OWASP_CRS',\
|
|
tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
|
|
tag:'WASCTC/WASC-31',\
|
|
tag:'OWASP_TOP_10/A1',\
|
|
tag:'PCI/6.5.2',\
|
|
tag:'paranoia-level/2',\
|
|
ver:'OWASP_CRS/3.2.0',\
|
|
severity:'CRITICAL',\
|
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
|
|
|
|
|
|
|
|
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
|
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
|
#
|
|
# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
|
|
#
|
|
# Interesting keywords for possibly RCE on vulnerable classess and methods base64 encoded
|
|
# Keywords = ['runtime', 'processbuilder', 'clonetransformer', 'forclosure', 'instantiatefactory', 'instantiatetransformer', 'invokertransformer', 'prototypeclonefactory', 'prototypeserializationfactory', 'whileclosure']
|
|
#for item in keywords:
|
|
# pad='\x00'
|
|
# for padding in xrange(3):
|
|
# print base64.b64encode(''.join([pad*padding,item])).replace('=','')[padding:],
|
|
#cnVudGltZQ HJ1bnRpbWU BydW50aW1l cHJvY2Vzc2J1aWxkZXI HByb2Nlc3NidWlsZGVy Bwcm9jZXNzYnVpbGRlcg Y2xvbmV0cmFuc2Zvcm1lcg GNsb25ldHJhbnNmb3JtZXI BjbG9uZXRyYW5zZm9ybWVy Zm9yY2xvc3VyZQ GZvcmNsb3N1cmU Bmb3JjbG9zdXJl aW5zdGFudGlhdGVmYWN0b3J5 Gluc3RhbnRpYXRlZmFjdG9yeQ BpbnN0YW50aWF0ZWZhY3Rvcnk aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg Gluc3RhbnRpYXRldHJhbnNmb3JtZXI BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy aW52b2tlcnRyYW5zZm9ybWVy Gludm9rZXJ0cmFuc2Zvcm1lcg BpbnZva2VydHJhbnNmb3JtZXI cHJvdG90eXBlY2xvbmVmYWN0b3J5 HByb3RvdHlwZWNsb25lZmFjdG9yeQ Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5 Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ d2hpbGVjbG9zdXJl HdoaWxlY2xvc3VyZQ B3aGlsZWNsb3N1cmU
|
|
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
|
|
"@rx (?:cnVudGltZQ|HJ1bnRpbWU|BydW50aW1l|cHJvY2Vzc2J1aWxkZXI|HByb2Nlc3NidWlsZGVy|Bwcm9jZXNzYnVpbGRlcg|Y2xvbmV0cmFuc2Zvcm1lcg|GNsb25ldHJhbnNmb3JtZXI|BjbG9uZXRyYW5zZm9ybWVy|Zm9yY2xvc3VyZQ|GZvcmNsb3N1cmU|Bmb3JjbG9zdXJl|aW5zdGFudGlhdGVmYWN0b3J5|Gluc3RhbnRpYXRlZmFjdG9yeQ|BpbnN0YW50aWF0ZWZhY3Rvcnk|aW5zdGFudGlhdGV0cmFuc2Zvcm1lcg|Gluc3RhbnRpYXRldHJhbnNmb3JtZXI|BpbnN0YW50aWF0ZXRyYW5zZm9ybWVy|aW52b2tlcnRyYW5zZm9ybWVy|Gludm9rZXJ0cmFuc2Zvcm1lcg|BpbnZva2VydHJhbnNmb3JtZXI|cHJvdG90eXBlY2xvbmVmYWN0b3J5|HByb3RvdHlwZWNsb25lZmFjdG9yeQ|Bwcm90b3R5cGVjbG9uZWZhY3Rvcnk|cHJvdG90eXBlc2VyaWFsaXphdGlvbmZhY3Rvcnk|HByb3RvdHlwZXNlcmlhbGl6YXRpb25mYWN0b3J5|Bwcm90b3R5cGVzZXJpYWxpemF0aW9uZmFjdG9yeQ|d2hpbGVjbG9zdXJl|HdoaWxlY2xvc3VyZQ|B3aGlsZWNsb3N1cmU)" \
|
|
"id:944300,\
|
|
phase:2,\
|
|
block,\
|
|
t:none,\
|
|
log,\
|
|
msg:'Base64 encoded string matched suspicious keyword',\
|
|
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
|
|
tag:'application-multi',\
|
|
tag:'language-java',\
|
|
tag:'platform-multi',\
|
|
tag:'attack-rce',\
|
|
tag:'OWASP_CRS',\
|
|
tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
|
|
tag:'WASCTC/WASC-31',\
|
|
tag:'OWASP_TOP_10/A1',\
|
|
tag:'PCI/6.5.2',\
|
|
tag:'paranoia-level/3',\
|
|
ver:'OWASP_CRS/3.2.0',\
|
|
severity:'CRITICAL',\
|
|
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
|
|
setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
|
|
|
|
|
|
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
|
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|
|
#
|
|
# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
|
|
#
|
|
|
|
|
|
#
|
|
# -= Paranoia Levels Finished =-
|
|
#
|
|
SecMarker "END-REQUEST-944-APPLICATION-ATTACK-JAVA"
|