diff --git a/README.md b/README.md index df3cf4d..0f7c7b6 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ # Cyber Notes This is our master repository, hosting our technical knowledge gathered over the years. -# Competition Repo +# Competition Repos https://github.com/ufsit/blue.git \ No newline at end of file diff --git a/blue/Tools/README.md b/blue/Tools/README.md index 3449aa1..f20f3e9 100644 --- a/blue/Tools/README.md +++ b/blue/Tools/README.md @@ -2,18 +2,9 @@ Competition Tools for UF CCDC. ## Subdirectories - * `archive` - Older scripts, used for inspiration - * `chomp` - Our EDR. - * `http` - Miscellaneous web-related scripts. - * `injects` - Templates for inject tasks - * `ipcatalog` - IP cataloging tool. Licensed under GPLv2 only (see `ipcatalog/README.md` for more details) - * `logging` - Our scripts to set up the ELK stack + * `archive` - Older or deprecated scripts, kept for inspiration and historical purposes. * `osdestroyer4000` - Licensed under GPLv3 only (see `osdestroyer4000/README.md` for more details) - * `portinventory` - The PortInventory tool. Licensed under AGPLv3 only (see `portinventory/README.md` for more details) - * `unixfiletransfer` - Scripts to assist in file transfers. Licensed under GPLv2 only (see `unixfiletransfer/README.md` for details) - * `webandaid` - The Webandaid tool. Licensed under Apache 2.0 (see `webandaid/README.md` for more details) - * `windows_hardening` - Windows scripts to run at the start to harden the machine faster - * `zoo` - One-stop shop for all blueteam actions (_contains the animals_). + * `zoo` - One-stop shop for all Blue Team actions. * `README.md` - This file. Documents the files in this repository ## Competition Transfer diff --git a/blue/Tools/http/web_triage.sh b/blue/Tools/archive/http/web_triage.sh similarity index 100% rename from blue/Tools/http/web_triage.sh rename to blue/Tools/archive/http/web_triage.sh 
diff --git a/blue/Tools/ipcatalog/LICENSE b/blue/Tools/archive/ipcatalog/LICENSE
similarity index 100%
rename from blue/Tools/ipcatalog/LICENSE
rename to blue/Tools/archive/ipcatalog/LICENSE
diff --git a/blue/Tools/ipcatalog/README.md b/blue/Tools/archive/ipcatalog/README.md
similarity index 100%
rename from blue/Tools/ipcatalog/README.md
rename to blue/Tools/archive/ipcatalog/README.md
diff --git a/blue/Tools/ipcatalog/ipcatalog.py b/blue/Tools/archive/ipcatalog/ipcatalog.py
similarity index 100%
rename from blue/Tools/ipcatalog/ipcatalog.py
rename to blue/Tools/archive/ipcatalog/ipcatalog.py
diff --git a/blue/Tools/portinventory/LICENSE b/blue/Tools/archive/portinventory/LICENSE
similarity index 100%
rename from blue/Tools/portinventory/LICENSE
rename to blue/Tools/archive/portinventory/LICENSE
diff --git a/blue/Tools/portinventory/README.md b/blue/Tools/archive/portinventory/README.md
similarity index 100%
rename from blue/Tools/portinventory/README.md
rename to blue/Tools/archive/portinventory/README.md
diff --git a/blue/Tools/portinventory/kuma/01-uksetup.sh b/blue/Tools/archive/portinventory/kuma/01-uksetup.sh
similarity index 100%
rename from blue/Tools/portinventory/kuma/01-uksetup.sh
rename to blue/Tools/archive/portinventory/kuma/01-uksetup.sh
diff --git a/blue/Tools/portinventory/kuma/README.md b/blue/Tools/archive/portinventory/kuma/README.md
similarity index 100%
rename from blue/Tools/portinventory/kuma/README.md
rename to blue/Tools/archive/portinventory/kuma/README.md
diff --git a/blue/Tools/portinventory/nmapxmlingest.py b/blue/Tools/archive/portinventory/nmapxmlingest.py
similarity index 100%
rename from blue/Tools/portinventory/nmapxmlingest.py
rename to blue/Tools/archive/portinventory/nmapxmlingest.py
diff --git a/blue/Tools/portinventory/planka/01-root.sh b/blue/Tools/archive/portinventory/planka/01-root.sh
similarity index 100%
rename from blue/Tools/portinventory/planka/01-root.sh
rename to blue/Tools/archive/portinventory/planka/01-root.sh
diff --git a/blue/Tools/portinventory/planka/02-postgres.sh b/blue/Tools/archive/portinventory/planka/02-postgres.sh
similarity index 100%
rename from blue/Tools/portinventory/planka/02-postgres.sh
rename to blue/Tools/archive/portinventory/planka/02-postgres.sh
diff --git a/blue/Tools/portinventory/planka/03-planka.sh b/blue/Tools/archive/portinventory/planka/03-planka.sh
similarity index 100%
rename from blue/Tools/portinventory/planka/03-planka.sh
rename to blue/Tools/archive/portinventory/planka/03-planka.sh
diff --git a/blue/Tools/portinventory/planka/README.md b/blue/Tools/archive/portinventory/planka/README.md
similarity index 100%
rename from blue/Tools/portinventory/planka/README.md
rename to blue/Tools/archive/portinventory/planka/README.md
diff --git a/blue/Tools/portinventory/plankaconfig.ini b/blue/Tools/archive/portinventory/plankaconfig.ini
similarity index 100%
rename from blue/Tools/portinventory/plankaconfig.ini
rename to blue/Tools/archive/portinventory/plankaconfig.ini
diff --git a/blue/Tools/portinventory/plankainit.py b/blue/Tools/archive/portinventory/plankainit.py
similarity index 100%
rename from blue/Tools/portinventory/plankainit.py
rename to blue/Tools/archive/portinventory/plankainit.py
diff --git a/blue/Tools/portinventory/plankaupload.py b/blue/Tools/archive/portinventory/plankaupload.py
similarity index 100%
rename from blue/Tools/portinventory/plankaupload.py
rename to blue/Tools/archive/portinventory/plankaupload.py
diff --git a/blue/Tools/portinventory/plankausers.txt b/blue/Tools/archive/portinventory/plankausers.txt
similarity index 100%
rename from blue/Tools/portinventory/plankausers.txt
rename to blue/Tools/archive/portinventory/plankausers.txt
diff --git a/blue/Tools/portinventory/ukpatch.py b/blue/Tools/archive/portinventory/ukpatch.py
similarity index 100%
rename from blue/Tools/portinventory/ukpatch.py
rename to blue/Tools/archive/portinventory/ukpatch.py
diff --git a/blue/Tools/unixfiletransfer/LICENSE b/blue/Tools/archive/unixfiletransfer/LICENSE
similarity index 100%
rename from blue/Tools/unixfiletransfer/LICENSE
rename to blue/Tools/archive/unixfiletransfer/LICENSE
diff --git a/blue/Tools/unixfiletransfer/README.md b/blue/Tools/archive/unixfiletransfer/README.md
similarity index 100%
rename from blue/Tools/unixfiletransfer/README.md
rename to blue/Tools/archive/unixfiletransfer/README.md
diff --git a/blue/Tools/unixfiletransfer/debian/README.md b/blue/Tools/archive/unixfiletransfer/debian/README.md
similarity index 100%
rename from blue/Tools/unixfiletransfer/debian/README.md
rename to blue/Tools/archive/unixfiletransfer/debian/README.md
diff --git a/blue/Tools/unixfiletransfer/debian/ftp.sh b/blue/Tools/archive/unixfiletransfer/debian/ftp.sh
similarity index 100%
rename from blue/Tools/unixfiletransfer/debian/ftp.sh
rename to blue/Tools/archive/unixfiletransfer/debian/ftp.sh
diff --git a/blue/Tools/unixfiletransfer/debian/smb.sh b/blue/Tools/archive/unixfiletransfer/debian/smb.sh
similarity index 100%
rename from blue/Tools/unixfiletransfer/debian/smb.sh
rename to blue/Tools/archive/unixfiletransfer/debian/smb.sh
diff --git a/blue/Tools/unixfiletransfer/external/README.md b/blue/Tools/archive/unixfiletransfer/external/README.md
similarity index 100%
rename from blue/Tools/unixfiletransfer/external/README.md
rename to blue/Tools/archive/unixfiletransfer/external/README.md
diff --git a/blue/Tools/unixfiletransfer/external/busybox/README.md b/blue/Tools/archive/unixfiletransfer/external/busybox/README.md
similarity index 100%
rename from blue/Tools/unixfiletransfer/external/busybox/README.md
rename to blue/Tools/archive/unixfiletransfer/external/busybox/README.md
diff --git a/blue/Tools/unixfiletransfer/external/busybox/busybox b/blue/Tools/archive/unixfiletransfer/external/busybox/busybox
similarity index 100%
rename from blue/Tools/unixfiletransfer/external/busybox/busybox
rename to blue/Tools/archive/unixfiletransfer/external/busybox/busybox
diff --git a/blue/Tools/unixfiletransfer/redhat/README.md b/blue/Tools/archive/unixfiletransfer/redhat/README.md
similarity index 100%
rename from blue/Tools/unixfiletransfer/redhat/README.md
rename to blue/Tools/archive/unixfiletransfer/redhat/README.md
diff --git a/blue/Tools/unixfiletransfer/redhat/smb.sh b/blue/Tools/archive/unixfiletransfer/redhat/smb.sh
similarity index 100%
rename from blue/Tools/unixfiletransfer/redhat/smb.sh
rename to blue/Tools/archive/unixfiletransfer/redhat/smb.sh
diff --git a/blue/Tools/webandaid/LICENSE b/blue/Tools/archive/webandaid/LICENSE
similarity index 100%
rename from blue/Tools/webandaid/LICENSE
rename to blue/Tools/archive/webandaid/LICENSE
diff --git a/blue/Tools/webandaid/README.md b/blue/Tools/archive/webandaid/README.md
similarity index 100%
rename from blue/Tools/webandaid/README.md
rename to blue/Tools/archive/webandaid/README.md
diff --git a/blue/Tools/webandaid/caddy-freebsd b/blue/Tools/archive/webandaid/caddy-freebsd
similarity index 100%
rename from blue/Tools/webandaid/caddy-freebsd
rename to blue/Tools/archive/webandaid/caddy-freebsd
diff --git a/blue/Tools/webandaid/caddy-linux b/blue/Tools/archive/webandaid/caddy-linux
similarity index 100%
rename from blue/Tools/webandaid/caddy-linux
rename to blue/Tools/archive/webandaid/caddy-linux
diff --git a/blue/Tools/webandaid/caddy-win.exe b/blue/Tools/archive/webandaid/caddy-win.exe
similarity index 100%
rename from blue/Tools/webandaid/caddy-win.exe
rename to blue/Tools/archive/webandaid/caddy-win.exe
diff --git a/blue/Tools/webandaid/configgen-server.tpl b/blue/Tools/archive/webandaid/configgen-server.tpl
similarity index 100%
rename from blue/Tools/webandaid/configgen-server.tpl
rename to blue/Tools/archive/webandaid/configgen-server.tpl
diff --git a/blue/Tools/webandaid/configgen.py b/blue/Tools/archive/webandaid/configgen.py
similarity index 100%
rename from blue/Tools/webandaid/configgen.py
rename to blue/Tools/archive/webandaid/configgen.py
diff --git a/blue/Tools/webandaid/coreruleset/LICENSE b/blue/Tools/archive/webandaid/coreruleset/LICENSE
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/LICENSE
rename to blue/Tools/archive/webandaid/coreruleset/LICENSE
diff --git a/blue/Tools/webandaid/coreruleset/crs-setup.conf b/blue/Tools/archive/webandaid/coreruleset/crs-setup.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/crs-setup.conf
rename to blue/Tools/archive/webandaid/coreruleset/crs-setup.conf
diff --git a/blue/Tools/webandaid/coreruleset/docs/CHANGES.md b/blue/Tools/archive/webandaid/coreruleset/docs/CHANGES.md
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/docs/CHANGES.md
rename to blue/Tools/archive/webandaid/coreruleset/docs/CHANGES.md
diff --git a/blue/Tools/webandaid/coreruleset/docs/CONTRIBUTING.md b/blue/Tools/archive/webandaid/coreruleset/docs/CONTRIBUTING.md
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/docs/CONTRIBUTING.md
rename to blue/Tools/archive/webandaid/coreruleset/docs/CONTRIBUTING.md
diff --git a/blue/Tools/webandaid/coreruleset/docs/CONTRIBUTORS.md b/blue/Tools/archive/webandaid/coreruleset/docs/CONTRIBUTORS.md
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/docs/CONTRIBUTORS.md
rename to blue/Tools/archive/webandaid/coreruleset/docs/CONTRIBUTORS.md
diff --git a/blue/Tools/webandaid/coreruleset/docs/INSTALL.md b/blue/Tools/archive/webandaid/coreruleset/docs/INSTALL.md
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/docs/INSTALL.md
rename to blue/Tools/archive/webandaid/coreruleset/docs/INSTALL.md
diff --git a/blue/Tools/webandaid/coreruleset/docs/KNOWN_BUGS.md b/blue/Tools/archive/webandaid/coreruleset/docs/KNOWN_BUGS.md
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/docs/KNOWN_BUGS.md
rename to blue/Tools/archive/webandaid/coreruleset/docs/KNOWN_BUGS.md
diff --git a/blue/Tools/webandaid/coreruleset/docs/README.md b/blue/Tools/archive/webandaid/coreruleset/docs/README.md
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/docs/README.md
rename to blue/Tools/archive/webandaid/coreruleset/docs/README.md
diff --git a/blue/Tools/webandaid/coreruleset/docs/SECURITY.md b/blue/Tools/archive/webandaid/coreruleset/docs/SECURITY.md
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/docs/SECURITY.md
rename to blue/Tools/archive/webandaid/coreruleset/docs/SECURITY.md
diff --git a/blue/Tools/webandaid/coreruleset/docs/SPONSORS.md b/blue/Tools/archive/webandaid/coreruleset/docs/SPONSORS.md
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/docs/SPONSORS.md
rename to blue/Tools/archive/webandaid/coreruleset/docs/SPONSORS.md
diff --git a/blue/Tools/webandaid/coreruleset/plugins/README.md b/blue/Tools/archive/webandaid/coreruleset/plugins/README.md
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/plugins/README.md
rename to blue/Tools/archive/webandaid/coreruleset/plugins/README.md
diff --git a/blue/Tools/webandaid/coreruleset/plugins/empty-after.conf b/blue/Tools/archive/webandaid/coreruleset/plugins/empty-after.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/plugins/empty-after.conf
rename to blue/Tools/archive/webandaid/coreruleset/plugins/empty-after.conf
diff --git a/blue/Tools/webandaid/coreruleset/plugins/empty-before.conf b/blue/Tools/archive/webandaid/coreruleset/plugins/empty-before.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/plugins/empty-before.conf
rename to blue/Tools/archive/webandaid/coreruleset/plugins/empty-before.conf
diff --git a/blue/Tools/webandaid/coreruleset/plugins/empty-config.conf b/blue/Tools/archive/webandaid/coreruleset/plugins/empty-config.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/plugins/empty-config.conf
rename to blue/Tools/archive/webandaid/coreruleset/plugins/empty-config.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example b/blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
rename to blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
diff --git a/blue/Tools/webandaid/coreruleset/rules/REQUEST-901-INITIALIZATION.conf b/blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-901-INITIALIZATION.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/REQUEST-901-INITIALIZATION.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-901-INITIALIZATION.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/REQUEST-905-COMMON-EXCEPTIONS.conf b/blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/REQUEST-911-METHOD-ENFORCEMENT.conf b/blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/REQUEST-913-SCANNER-DETECTION.conf b/blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-913-SCANNER-DETECTION.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/REQUEST-913-SCANNER-DETECTION.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-913-SCANNER-DETECTION.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf b/blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/REQUEST-922-MULTIPART-ATTACK.conf b/blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-922-MULTIPART-ATTACK.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/REQUEST-922-MULTIPART-ATTACK.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-922-MULTIPART-ATTACK.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf b/blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf b/blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf b/blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf b/blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf b/blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf b/blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/RESPONSE-950-DATA-LEAKAGES.conf b/blue/Tools/archive/webandaid/coreruleset/rules/RESPONSE-950-DATA-LEAKAGES.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/RESPONSE-950-DATA-LEAKAGES.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/RESPONSE-950-DATA-LEAKAGES.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf b/blue/Tools/archive/webandaid/coreruleset/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf b/blue/Tools/archive/webandaid/coreruleset/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf b/blue/Tools/archive/webandaid/coreruleset/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf b/blue/Tools/archive/webandaid/coreruleset/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/RESPONSE-955-WEB-SHELLS.conf b/blue/Tools/archive/webandaid/coreruleset/rules/RESPONSE-955-WEB-SHELLS.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/RESPONSE-955-WEB-SHELLS.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/RESPONSE-955-WEB-SHELLS.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/RESPONSE-956-DATA-LEAKAGES-RUBY.conf b/blue/Tools/archive/webandaid/coreruleset/rules/RESPONSE-956-DATA-LEAKAGES-RUBY.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/RESPONSE-956-DATA-LEAKAGES-RUBY.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/RESPONSE-956-DATA-LEAKAGES-RUBY.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/RESPONSE-959-BLOCKING-EVALUATION.conf b/blue/Tools/archive/webandaid/coreruleset/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/RESPONSE-980-CORRELATION.conf b/blue/Tools/archive/webandaid/coreruleset/rules/RESPONSE-980-CORRELATION.conf
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/RESPONSE-980-CORRELATION.conf
rename to blue/Tools/archive/webandaid/coreruleset/rules/RESPONSE-980-CORRELATION.conf
diff --git a/blue/Tools/webandaid/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example b/blue/Tools/archive/webandaid/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
rename to blue/Tools/archive/webandaid/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
diff --git a/blue/Tools/webandaid/coreruleset/rules/asp-dotnet-errors.data b/blue/Tools/archive/webandaid/coreruleset/rules/asp-dotnet-errors.data
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/asp-dotnet-errors.data
rename to blue/Tools/archive/webandaid/coreruleset/rules/asp-dotnet-errors.data
diff --git a/blue/Tools/webandaid/coreruleset/rules/iis-errors.data b/blue/Tools/archive/webandaid/coreruleset/rules/iis-errors.data
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/iis-errors.data
rename to blue/Tools/archive/webandaid/coreruleset/rules/iis-errors.data
diff --git a/blue/Tools/webandaid/coreruleset/rules/java-classes.data b/blue/Tools/archive/webandaid/coreruleset/rules/java-classes.data
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/java-classes.data
rename to blue/Tools/archive/webandaid/coreruleset/rules/java-classes.data
diff --git a/blue/Tools/webandaid/coreruleset/rules/lfi-os-files.data b/blue/Tools/archive/webandaid/coreruleset/rules/lfi-os-files.data
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/lfi-os-files.data
rename to blue/Tools/archive/webandaid/coreruleset/rules/lfi-os-files.data
diff --git a/blue/Tools/webandaid/coreruleset/rules/php-errors.data b/blue/Tools/archive/webandaid/coreruleset/rules/php-errors.data
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/php-errors.data
rename to blue/Tools/archive/webandaid/coreruleset/rules/php-errors.data
diff --git a/blue/Tools/webandaid/coreruleset/rules/php-function-names-933150.data b/blue/Tools/archive/webandaid/coreruleset/rules/php-function-names-933150.data
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/php-function-names-933150.data
rename to blue/Tools/archive/webandaid/coreruleset/rules/php-function-names-933150.data
diff --git a/blue/Tools/webandaid/coreruleset/rules/php-variables.data b/blue/Tools/archive/webandaid/coreruleset/rules/php-variables.data
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/php-variables.data
rename to blue/Tools/archive/webandaid/coreruleset/rules/php-variables.data
diff --git a/blue/Tools/webandaid/coreruleset/rules/restricted-files.data b/blue/Tools/archive/webandaid/coreruleset/rules/restricted-files.data
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/restricted-files.data
rename to blue/Tools/archive/webandaid/coreruleset/rules/restricted-files.data
diff --git a/blue/Tools/webandaid/coreruleset/rules/restricted-upload.data b/blue/Tools/archive/webandaid/coreruleset/rules/restricted-upload.data
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/restricted-upload.data
rename to blue/Tools/archive/webandaid/coreruleset/rules/restricted-upload.data
diff --git a/blue/Tools/webandaid/coreruleset/rules/ruby-errors.data b/blue/Tools/archive/webandaid/coreruleset/rules/ruby-errors.data
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/ruby-errors.data
rename to blue/Tools/archive/webandaid/coreruleset/rules/ruby-errors.data
diff --git a/blue/Tools/webandaid/coreruleset/rules/scanners-user-agents.data b/blue/Tools/archive/webandaid/coreruleset/rules/scanners-user-agents.data
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/scanners-user-agents.data
rename to blue/Tools/archive/webandaid/coreruleset/rules/scanners-user-agents.data
diff --git a/blue/Tools/webandaid/coreruleset/rules/sql-errors.data b/blue/Tools/archive/webandaid/coreruleset/rules/sql-errors.data
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/sql-errors.data
rename to blue/Tools/archive/webandaid/coreruleset/rules/sql-errors.data
diff --git a/blue/Tools/webandaid/coreruleset/rules/ssrf.data b/blue/Tools/archive/webandaid/coreruleset/rules/ssrf.data
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/ssrf.data
rename to blue/Tools/archive/webandaid/coreruleset/rules/ssrf.data
diff --git a/blue/Tools/webandaid/coreruleset/rules/unix-shell-builtins.data b/blue/Tools/archive/webandaid/coreruleset/rules/unix-shell-builtins.data
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/unix-shell-builtins.data
rename to blue/Tools/archive/webandaid/coreruleset/rules/unix-shell-builtins.data
diff --git a/blue/Tools/webandaid/coreruleset/rules/unix-shell.data b/blue/Tools/archive/webandaid/coreruleset/rules/unix-shell.data
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/unix-shell.data
rename to blue/Tools/archive/webandaid/coreruleset/rules/unix-shell.data
diff --git a/blue/Tools/webandaid/coreruleset/rules/web-shells-asp.data b/blue/Tools/archive/webandaid/coreruleset/rules/web-shells-asp.data
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/web-shells-asp.data
rename to blue/Tools/archive/webandaid/coreruleset/rules/web-shells-asp.data
diff --git a/blue/Tools/webandaid/coreruleset/rules/web-shells-php.data b/blue/Tools/archive/webandaid/coreruleset/rules/web-shells-php.data
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/web-shells-php.data
rename to blue/Tools/archive/webandaid/coreruleset/rules/web-shells-php.data
diff --git a/blue/Tools/webandaid/coreruleset/rules/windows-powershell-commands.data b/blue/Tools/archive/webandaid/coreruleset/rules/windows-powershell-commands.data
similarity index 100%
rename from blue/Tools/webandaid/coreruleset/rules/windows-powershell-commands.data
rename to blue/Tools/archive/webandaid/coreruleset/rules/windows-powershell-commands.data
diff --git a/blue/Tools/webandaid/html/blocked.html b/blue/Tools/archive/webandaid/html/blocked.html
similarity index 100%
rename from blue/Tools/webandaid/html/blocked.html
rename to blue/Tools/archive/webandaid/html/blocked.html
diff --git a/blue/Tools/webandaid/logparse.py b/blue/Tools/archive/webandaid/logparse.py
similarity index 100%
rename from blue/Tools/webandaid/logparse.py
rename to blue/Tools/archive/webandaid/logparse.py
diff --git a/blue/Tools/webandaid/tags.md b/blue/Tools/archive/webandaid/tags.md
similarity index 100%
rename from blue/Tools/webandaid/tags.md
rename to blue/Tools/archive/webandaid/tags.md
diff --git a/blue/Tools/portinventory/planka/.env b/blue/Tools/portinventory/planka/.env
deleted file mode 100644
index ddfdfd8..0000000
--- a/blue/Tools/portinventory/planka/.env
+++ /dev/null
@@ -1,85 +0,0 @@
-## Required
-
-BASE_URL=http://:1337
-DATABASE_URL=postgresql://planka:ChangeMe123!@localhost/planka
-SECRET_KEY=4af08d5e6897bca6a877a9ebb2f34469fd16ef6fe140a42c9f121adc44864c47601e08d65c59d075c9f02e1dbd4391f84f247a8216d5b06e2e1f33fd4a4bf902
-
-## Optional
-
-# LOG_LEVEL=warn
-# LOG_FILE=
-
-# TRUST_PROXY=true
-# TOKEN_EXPIRES_IN=365 # In days
-
-# related: https://github.com/knex/knex/issues/2354
-# As knex does not pass query parameters from the connection string,
-# we have to use environment variables in order to pass the desired values, e.g.
-# PGSSLMODE=
-
-# Configure knex to accept SSL certificates
-# KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false
-
-# Used for per-board notifications
-# DEFAULT_LANGUAGE=en-US
-
-# Do not comment out DEFAULT_ADMIN_EMAIL if you want to prevent this user from being edited/deleted
-DEFAULT_ADMIN_EMAIL=admin@test.test
-DEFAULT_ADMIN_PASSWORD=ChangeMe123!
-DEFAULT_ADMIN_NAME=admin
-DEFAULT_ADMIN_USERNAME=admin
-
-# ACTIVE_USERS_LIMIT=
-
-# Set to true to show more detailed authentication error messages.
-# It should not be enabled without a rate limiter for security reasons.
-# SHOW_DETAILED_AUTH_ERRORS=false
-
-# S3_ENDPOINT=
-# S3_REGION=
-# S3_ACCESS_KEY_ID=
-# S3_SECRET_ACCESS_KEY=
-# S3_BUCKET=
-# S3_FORCE_PATH_STYLE=true
-
-# OIDC_ISSUER=
-# OIDC_CLIENT_ID=
-# OIDC_CLIENT_SECRET=
-# OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG=
-# OIDC_USERINFO_SIGNED_RESPONSE_ALG=
-# OIDC_SCOPES=openid email profile
-# OIDC_RESPONSE_MODE=fragment
-# OIDC_USE_DEFAULT_RESPONSE_MODE=true
-# OIDC_ADMIN_ROLES=admin
-# OIDC_PROJECT_OWNER_ROLES=project_owner
-# OIDC_BOARD_USER_ROLES=board_user
-# OIDC_CLAIMS_SOURCE=userinfo
-# OIDC_EMAIL_ATTRIBUTE=email
-# OIDC_NAME_ATTRIBUTE=name
-# OIDC_USERNAME_ATTRIBUTE=preferred_username
-# OIDC_ROLES_ATTRIBUTE=groups
-# OIDC_IGNORE_USERNAME=true
-# OIDC_IGNORE_ROLES=true
-# OIDC_ENFORCED=true
-
-# Email Notifications (https://nodemailer.com/smtp/)
-# SMTP_HOST=
-# SMTP_PORT=587
-# SMTP_NAME=
-# SMTP_SECURE=true
-# SMTP_USER=
-# SMTP_PASSWORD=
-# SMTP_FROM="Demo Demo"
-# SMTP_TLS_REJECT_UNAUTHORIZED=false
-
-# Optional fields: accessToken, events, excludedEvents
-# WEBHOOKS='[{
-# "url": "http://localhost:3001",
-# "accessToken": "notaccesstoken",
-# "events": ["cardCreate", "cardUpdate", "cardDelete"],
-# "excludedEvents": ["notificationCreate", "notificationUpdate"]
-# }]'
-
-## Do not edit this
-
-TZ=UTC
diff --git a/blue/Tools/unixfiletransfer/external/busybox/.config b/blue/Tools/unixfiletransfer/external/busybox/.config
deleted file mode 100644
index aba94ad..0000000
--- a/blue/Tools/unixfiletransfer/external/busybox/.config
+++ /dev/null
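Review bot: The deleted `planka/.env` in this hunk carried a concrete 128-hex `SECRET_KEY`, a database password embedded in `DATABASE_URL` (`planka:ChangeMe123!`) and `DEFAULT_ADMIN_PASSWORD=ChangeMe123!`; removing the file from the tree does not remove those values from git history, and nothing in the commit indicates they were rotated. Every value in the hunk should be treated as exposed: regenerate `SECRET_KEY` (presumably the signing key for Planka sessions — confirm), change the `planka` database role's password and the admin account's password on any instance that was ever deployed from this file, and if the repository is or becomes public, purge the blob from history as well. The `.gitignore` is outside this diff, but the same mistake is cheap to prevent by adding `.env` to it and committing only a `.env.example` whose secret fields are blank, e.g. `SECRET_KEY=` and `DATABASE_URL=postgresql://planka:CHANGE_ME@localhost/planka`. Note also that the neighbouring `portinventory` files were moved to `archive/` while this one was deleted outright, so anyone restoring the archived tool will need a fresh, non-committed `.env`.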
@@ -1,1231 +0,0 @@ -# -# Automatically generated make config: don't edit -# Busybox version: 1.36.1 -# Tue Feb 10 16:53:51 2026 -# -CONFIG_HAVE_DOT_CONFIG=y - -# -# Settings -# -CONFIG_DESKTOP=y -# CONFIG_EXTRA_COMPAT is not set -CONFIG_FEDORA_COMPAT=y -CONFIG_INCLUDE_SUSv2=y -CONFIG_LONG_OPTS=y -CONFIG_SHOW_USAGE=y -CONFIG_FEATURE_VERBOSE_USAGE=y -CONFIG_FEATURE_COMPRESS_USAGE=y -CONFIG_LFS=y -# CONFIG_PAM is not set -CONFIG_FEATURE_DEVPTS=y -CONFIG_FEATURE_UTMP=y -CONFIG_FEATURE_WTMP=y -CONFIG_FEATURE_PIDFILE=y -CONFIG_PID_FILE_PATH="/var/run" -CONFIG_BUSYBOX=y -CONFIG_FEATURE_SHOW_SCRIPT=y -CONFIG_FEATURE_INSTALLER=y -# CONFIG_INSTALL_NO_USR is not set -CONFIG_FEATURE_SUID=y -CONFIG_FEATURE_SUID_CONFIG=y -CONFIG_FEATURE_SUID_CONFIG_QUIET=y -# CONFIG_FEATURE_PREFER_APPLETS is not set -CONFIG_BUSYBOX_EXEC_PATH="/proc/self/exe" -# CONFIG_SELINUX is not set -# CONFIG_FEATURE_CLEAN_UP is not set -CONFIG_FEATURE_SYSLOG_INFO=y -CONFIG_FEATURE_SYSLOG=y - -# -# Build Options -# -CONFIG_STATIC=y -# CONFIG_PIE is not set -# CONFIG_NOMMU is not set -# CONFIG_BUILD_LIBBUSYBOX is not set -# CONFIG_FEATURE_LIBBUSYBOX_STATIC is not set -# CONFIG_FEATURE_INDIVIDUAL is not set -# CONFIG_FEATURE_SHARED_BUSYBOX is not set -CONFIG_CROSS_COMPILER_PREFIX="" -CONFIG_SYSROOT="" -CONFIG_EXTRA_CFLAGS="" -CONFIG_EXTRA_LDFLAGS="" -CONFIG_EXTRA_LDLIBS="" -# CONFIG_USE_PORTABLE_CODE is not set -CONFIG_STACK_OPTIMIZATION_386=y -CONFIG_STATIC_LIBGCC=y - -# -# Installation Options ("make install" behavior) -# -CONFIG_INSTALL_APPLET_SYMLINKS=y -# CONFIG_INSTALL_APPLET_HARDLINKS is not set -# CONFIG_INSTALL_APPLET_SCRIPT_WRAPPERS is not set -# CONFIG_INSTALL_APPLET_DONT is not set -# CONFIG_INSTALL_SH_APPLET_SYMLINK is not set -# CONFIG_INSTALL_SH_APPLET_HARDLINK is not set -# CONFIG_INSTALL_SH_APPLET_SCRIPT_WRAPPER is not set -CONFIG_PREFIX="./_install" - -# -# Debugging Options -# -# CONFIG_DEBUG is not set -# CONFIG_DEBUG_PESSIMIZE is not set -# CONFIG_DEBUG_SANITIZE is not set -# 
CONFIG_UNIT_TEST is not set -# CONFIG_WERROR is not set -# CONFIG_WARN_SIMPLE_MSG is not set -CONFIG_NO_DEBUG_LIB=y -# CONFIG_DMALLOC is not set -# CONFIG_EFENCE is not set - -# -# Library Tuning -# -# CONFIG_FEATURE_USE_BSS_TAIL is not set -CONFIG_FLOAT_DURATION=y -CONFIG_FEATURE_RTMINMAX=y -CONFIG_FEATURE_RTMINMAX_USE_LIBC_DEFINITIONS=y -CONFIG_FEATURE_BUFFERS_USE_MALLOC=y -# CONFIG_FEATURE_BUFFERS_GO_ON_STACK is not set -# CONFIG_FEATURE_BUFFERS_GO_IN_BSS is not set -CONFIG_PASSWORD_MINLEN=6 -CONFIG_MD5_SMALL=1 -CONFIG_SHA1_SMALL=3 -CONFIG_SHA1_HWACCEL=y -CONFIG_SHA256_HWACCEL=y -CONFIG_SHA3_SMALL=1 -CONFIG_FEATURE_NON_POSIX_CP=y -# CONFIG_FEATURE_VERBOSE_CP_MESSAGE is not set -CONFIG_FEATURE_USE_SENDFILE=y -CONFIG_FEATURE_COPYBUF_KB=4 -CONFIG_MONOTONIC_SYSCALL=y -CONFIG_IOCTL_HEX2STR_ERROR=y -CONFIG_FEATURE_EDITING=y -CONFIG_FEATURE_EDITING_MAX_LEN=1024 -# CONFIG_FEATURE_EDITING_VI is not set -CONFIG_FEATURE_EDITING_HISTORY=255 -CONFIG_FEATURE_EDITING_SAVEHISTORY=y -# CONFIG_FEATURE_EDITING_SAVE_ON_EXIT is not set -CONFIG_FEATURE_REVERSE_SEARCH=y -CONFIG_FEATURE_TAB_COMPLETION=y -CONFIG_FEATURE_USERNAME_COMPLETION=y -CONFIG_FEATURE_EDITING_FANCY_PROMPT=y -CONFIG_FEATURE_EDITING_WINCH=y -# CONFIG_FEATURE_EDITING_ASK_TERMINAL is not set -# CONFIG_LOCALE_SUPPORT is not set -CONFIG_UNICODE_SUPPORT=y -# CONFIG_UNICODE_USING_LOCALE is not set -# CONFIG_FEATURE_CHECK_UNICODE_IN_ENV is not set -CONFIG_SUBST_WCHAR=63 -CONFIG_LAST_SUPPORTED_WCHAR=767 -# CONFIG_UNICODE_COMBINING_WCHARS is not set -# CONFIG_UNICODE_WIDE_WCHARS is not set -# CONFIG_UNICODE_BIDI_SUPPORT is not set -# CONFIG_UNICODE_NEUTRAL_TABLE is not set -# CONFIG_UNICODE_PRESERVE_BROKEN is not set -# CONFIG_LOOP_CONFIGURE is not set -# CONFIG_NO_LOOP_CONFIGURE is not set -CONFIG_TRY_LOOP_CONFIGURE=y - -# -# Applets -# - -# -# Archival Utilities -# -CONFIG_FEATURE_SEAMLESS_XZ=y -CONFIG_FEATURE_SEAMLESS_LZMA=y -CONFIG_FEATURE_SEAMLESS_BZ2=y -CONFIG_FEATURE_SEAMLESS_GZ=y -# CONFIG_FEATURE_SEAMLESS_Z is not 
set -# CONFIG_AR is not set -# CONFIG_FEATURE_AR_LONG_FILENAMES is not set -# CONFIG_FEATURE_AR_CREATE is not set -# CONFIG_UNCOMPRESS is not set -CONFIG_GUNZIP=y -CONFIG_ZCAT=y -CONFIG_FEATURE_GUNZIP_LONG_OPTIONS=y -CONFIG_BUNZIP2=y -CONFIG_BZCAT=y -CONFIG_UNLZMA=y -CONFIG_LZCAT=y -CONFIG_LZMA=y -CONFIG_UNXZ=y -CONFIG_XZCAT=y -CONFIG_XZ=y -CONFIG_BZIP2=y -CONFIG_BZIP2_SMALL=8 -CONFIG_FEATURE_BZIP2_DECOMPRESS=y -CONFIG_CPIO=y -CONFIG_FEATURE_CPIO_O=y -CONFIG_FEATURE_CPIO_P=y -CONFIG_FEATURE_CPIO_IGNORE_DEVNO=y -CONFIG_FEATURE_CPIO_RENUMBER_INODES=y -CONFIG_DPKG=y -CONFIG_DPKG_DEB=y -CONFIG_GZIP=y -CONFIG_FEATURE_GZIP_LONG_OPTIONS=y -CONFIG_GZIP_FAST=0 -# CONFIG_FEATURE_GZIP_LEVELS is not set -CONFIG_FEATURE_GZIP_DECOMPRESS=y -CONFIG_LZOP=y -# CONFIG_UNLZOP is not set -# CONFIG_LZOPCAT is not set -# CONFIG_LZOP_COMPR_HIGH is not set -CONFIG_RPM=y -CONFIG_RPM2CPIO=y -CONFIG_TAR=y -CONFIG_FEATURE_TAR_LONG_OPTIONS=y -CONFIG_FEATURE_TAR_CREATE=y -CONFIG_FEATURE_TAR_AUTODETECT=y -CONFIG_FEATURE_TAR_FROM=y -CONFIG_FEATURE_TAR_OLDGNU_COMPATIBILITY=y -CONFIG_FEATURE_TAR_OLDSUN_COMPATIBILITY=y -CONFIG_FEATURE_TAR_GNU_EXTENSIONS=y -CONFIG_FEATURE_TAR_TO_COMMAND=y -CONFIG_FEATURE_TAR_UNAME_GNAME=y -CONFIG_FEATURE_TAR_NOPRESERVE_TIME=y -# CONFIG_FEATURE_TAR_SELINUX is not set -CONFIG_UNZIP=y -CONFIG_FEATURE_UNZIP_CDF=y -CONFIG_FEATURE_UNZIP_BZIP2=y -CONFIG_FEATURE_UNZIP_LZMA=y -CONFIG_FEATURE_UNZIP_XZ=y -# CONFIG_FEATURE_LZMA_FAST is not set - -# -# Coreutils -# -CONFIG_FEATURE_VERBOSE=y - -# -# Common options for date and touch -# -CONFIG_FEATURE_TIMEZONE=y - -# -# Common options for cp and mv -# -CONFIG_FEATURE_PRESERVE_HARDLINKS=y - -# -# Common options for df, du, ls -# -CONFIG_FEATURE_HUMAN_READABLE=y -CONFIG_BASENAME=y -CONFIG_CAT=y -CONFIG_FEATURE_CATN=y -CONFIG_FEATURE_CATV=y -CONFIG_CHGRP=y -CONFIG_CHMOD=y -CONFIG_CHOWN=y -CONFIG_FEATURE_CHOWN_LONG_OPTIONS=y -CONFIG_CHROOT=y -CONFIG_CKSUM=y -CONFIG_CRC32=y -CONFIG_COMM=y -CONFIG_CP=y -CONFIG_FEATURE_CP_LONG_OPTIONS=y 
-CONFIG_FEATURE_CP_REFLINK=y -CONFIG_CUT=y -CONFIG_FEATURE_CUT_REGEX=y -CONFIG_DATE=y -CONFIG_FEATURE_DATE_ISOFMT=y -# CONFIG_FEATURE_DATE_NANO is not set -CONFIG_FEATURE_DATE_COMPAT=y -CONFIG_DD=y -CONFIG_FEATURE_DD_SIGNAL_HANDLING=y -CONFIG_FEATURE_DD_THIRD_STATUS_LINE=y -CONFIG_FEATURE_DD_IBS_OBS=y -CONFIG_FEATURE_DD_STATUS=y -CONFIG_DF=y -CONFIG_FEATURE_DF_FANCY=y -CONFIG_FEATURE_SKIP_ROOTFS=y -CONFIG_DIRNAME=y -CONFIG_DOS2UNIX=y -CONFIG_UNIX2DOS=y -CONFIG_DU=y -CONFIG_FEATURE_DU_DEFAULT_BLOCKSIZE_1K=y -CONFIG_ECHO=y -CONFIG_FEATURE_FANCY_ECHO=y -CONFIG_ENV=y -CONFIG_EXPAND=y -CONFIG_UNEXPAND=y -CONFIG_EXPR=y -CONFIG_EXPR_MATH_SUPPORT_64=y -CONFIG_FACTOR=y -CONFIG_FALSE=y -CONFIG_FOLD=y -CONFIG_HEAD=y -CONFIG_FEATURE_FANCY_HEAD=y -CONFIG_HOSTID=y -CONFIG_ID=y -CONFIG_GROUPS=y -CONFIG_INSTALL=y -CONFIG_FEATURE_INSTALL_LONG_OPTIONS=y -CONFIG_LINK=y -CONFIG_LN=y -CONFIG_LOGNAME=y -CONFIG_LS=y -CONFIG_FEATURE_LS_FILETYPES=y -CONFIG_FEATURE_LS_FOLLOWLINKS=y -CONFIG_FEATURE_LS_RECURSIVE=y -CONFIG_FEATURE_LS_WIDTH=y -CONFIG_FEATURE_LS_SORTFILES=y -CONFIG_FEATURE_LS_TIMESTAMPS=y -CONFIG_FEATURE_LS_USERNAME=y -CONFIG_FEATURE_LS_COLOR=y -CONFIG_FEATURE_LS_COLOR_IS_DEFAULT=y -CONFIG_MD5SUM=y -CONFIG_SHA1SUM=y -CONFIG_SHA256SUM=y -CONFIG_SHA512SUM=y -CONFIG_SHA3SUM=y - -# -# Common options for md5sum, sha1sum, sha256sum, sha512sum, sha3sum -# -CONFIG_FEATURE_MD5_SHA1_SUM_CHECK=y -CONFIG_MKDIR=y -CONFIG_MKFIFO=y -CONFIG_MKNOD=y -CONFIG_MKTEMP=y -CONFIG_MV=y -CONFIG_NICE=y -CONFIG_NL=y -CONFIG_NOHUP=y -CONFIG_NPROC=y -CONFIG_OD=y -CONFIG_PASTE=y -CONFIG_PRINTENV=y -CONFIG_PRINTF=y -CONFIG_PWD=y -CONFIG_READLINK=y -CONFIG_FEATURE_READLINK_FOLLOW=y -CONFIG_REALPATH=y -CONFIG_RM=y -CONFIG_RMDIR=y -CONFIG_SEQ=y -CONFIG_SHRED=y -CONFIG_SHUF=y -CONFIG_SLEEP=y -CONFIG_FEATURE_FANCY_SLEEP=y -CONFIG_SORT=y -CONFIG_FEATURE_SORT_BIG=y -# CONFIG_FEATURE_SORT_OPTIMIZE_MEMORY is not set -CONFIG_SPLIT=y -CONFIG_FEATURE_SPLIT_FANCY=y -CONFIG_STAT=y -CONFIG_FEATURE_STAT_FORMAT=y 
-CONFIG_FEATURE_STAT_FILESYSTEM=y -CONFIG_STTY=y -CONFIG_SUM=y -CONFIG_SYNC=y -CONFIG_FEATURE_SYNC_FANCY=y -CONFIG_FSYNC=y -CONFIG_TAC=y -CONFIG_TAIL=y -CONFIG_FEATURE_FANCY_TAIL=y -CONFIG_TEE=y -CONFIG_FEATURE_TEE_USE_BLOCK_IO=y -CONFIG_TEST=y -CONFIG_TEST1=y -CONFIG_TEST2=y -CONFIG_FEATURE_TEST_64=y -CONFIG_TIMEOUT=y -CONFIG_TOUCH=y -CONFIG_FEATURE_TOUCH_SUSV3=y -CONFIG_TR=y -CONFIG_FEATURE_TR_CLASSES=y -CONFIG_FEATURE_TR_EQUIV=y -CONFIG_TRUE=y -CONFIG_TRUNCATE=y -CONFIG_TSORT=y -CONFIG_TTY=y -CONFIG_UNAME=y -CONFIG_UNAME_OSNAME="GNU/Linux" -CONFIG_BB_ARCH=y -CONFIG_UNIQ=y -CONFIG_UNLINK=y -CONFIG_USLEEP=y -CONFIG_UUDECODE=y -CONFIG_BASE32=y -CONFIG_BASE64=y -CONFIG_UUENCODE=y -CONFIG_WC=y -CONFIG_FEATURE_WC_LARGE=y -CONFIG_WHO=y -CONFIG_W=y -CONFIG_USERS=y -CONFIG_WHOAMI=y -CONFIG_YES=y - -# -# Console Utilities -# -CONFIG_CHVT=y -CONFIG_CLEAR=y -CONFIG_DEALLOCVT=y -CONFIG_DUMPKMAP=y -CONFIG_FGCONSOLE=y -CONFIG_KBD_MODE=y -CONFIG_LOADFONT=y -CONFIG_SETFONT=y -CONFIG_FEATURE_SETFONT_TEXTUAL_MAP=y -CONFIG_DEFAULT_SETFONT_DIR="" - -# -# Common options for loadfont and setfont -# -CONFIG_FEATURE_LOADFONT_PSF2=y -CONFIG_FEATURE_LOADFONT_RAW=y -CONFIG_LOADKMAP=y -CONFIG_OPENVT=y -CONFIG_RESET=y -CONFIG_RESIZE=y -CONFIG_FEATURE_RESIZE_PRINT=y -CONFIG_SETCONSOLE=y -CONFIG_FEATURE_SETCONSOLE_LONG_OPTIONS=y -CONFIG_SETKEYCODES=y -CONFIG_SETLOGCONS=y -CONFIG_SHOWKEY=y - -# -# Debian Utilities -# -CONFIG_PIPE_PROGRESS=y -CONFIG_RUN_PARTS=y -CONFIG_FEATURE_RUN_PARTS_LONG_OPTIONS=y -CONFIG_FEATURE_RUN_PARTS_FANCY=y -CONFIG_START_STOP_DAEMON=y -CONFIG_FEATURE_START_STOP_DAEMON_LONG_OPTIONS=y -CONFIG_FEATURE_START_STOP_DAEMON_FANCY=y -CONFIG_WHICH=y - -# -# klibc-utils -# -# CONFIG_MINIPS is not set -# CONFIG_NUKE is not set -CONFIG_RESUME=y -CONFIG_RUN_INIT=y - -# -# Editors -# -CONFIG_AWK=y -CONFIG_FEATURE_AWK_LIBM=y -CONFIG_FEATURE_AWK_GNU_EXTENSIONS=y -CONFIG_CMP=y -CONFIG_DIFF=y -CONFIG_FEATURE_DIFF_LONG_OPTIONS=y -CONFIG_FEATURE_DIFF_DIR=y -CONFIG_ED=y -CONFIG_PATCH=y 
-CONFIG_SED=y -CONFIG_VI=y -CONFIG_FEATURE_VI_MAX_LEN=4096 -# CONFIG_FEATURE_VI_8BIT is not set -CONFIG_FEATURE_VI_COLON=y -CONFIG_FEATURE_VI_COLON_EXPAND=y -CONFIG_FEATURE_VI_YANKMARK=y -CONFIG_FEATURE_VI_SEARCH=y -# CONFIG_FEATURE_VI_REGEX_SEARCH is not set -CONFIG_FEATURE_VI_USE_SIGNALS=y -CONFIG_FEATURE_VI_DOT_CMD=y -CONFIG_FEATURE_VI_READONLY=y -CONFIG_FEATURE_VI_SETOPTS=y -CONFIG_FEATURE_VI_SET=y -CONFIG_FEATURE_VI_WIN_RESIZE=y -CONFIG_FEATURE_VI_ASK_TERMINAL=y -CONFIG_FEATURE_VI_UNDO=y -CONFIG_FEATURE_VI_UNDO_QUEUE=y -CONFIG_FEATURE_VI_UNDO_QUEUE_MAX=256 -CONFIG_FEATURE_VI_VERBOSE_STATUS=y -CONFIG_FEATURE_ALLOW_EXEC=y - -# -# Finding Utilities -# -CONFIG_FIND=y -CONFIG_FEATURE_FIND_PRINT0=y -CONFIG_FEATURE_FIND_MTIME=y -CONFIG_FEATURE_FIND_ATIME=y -CONFIG_FEATURE_FIND_CTIME=y -CONFIG_FEATURE_FIND_MMIN=y -CONFIG_FEATURE_FIND_AMIN=y -CONFIG_FEATURE_FIND_CMIN=y -CONFIG_FEATURE_FIND_PERM=y -CONFIG_FEATURE_FIND_TYPE=y -CONFIG_FEATURE_FIND_EXECUTABLE=y -CONFIG_FEATURE_FIND_XDEV=y -CONFIG_FEATURE_FIND_MAXDEPTH=y -CONFIG_FEATURE_FIND_NEWER=y -CONFIG_FEATURE_FIND_INUM=y -CONFIG_FEATURE_FIND_SAMEFILE=y -CONFIG_FEATURE_FIND_EXEC=y -CONFIG_FEATURE_FIND_EXEC_PLUS=y -CONFIG_FEATURE_FIND_USER=y -CONFIG_FEATURE_FIND_GROUP=y -CONFIG_FEATURE_FIND_NOT=y -CONFIG_FEATURE_FIND_DEPTH=y -CONFIG_FEATURE_FIND_PAREN=y -CONFIG_FEATURE_FIND_SIZE=y -CONFIG_FEATURE_FIND_PRUNE=y -CONFIG_FEATURE_FIND_QUIT=y -CONFIG_FEATURE_FIND_DELETE=y -CONFIG_FEATURE_FIND_EMPTY=y -CONFIG_FEATURE_FIND_PATH=y -CONFIG_FEATURE_FIND_REGEX=y -# CONFIG_FEATURE_FIND_CONTEXT is not set -CONFIG_FEATURE_FIND_LINKS=y -CONFIG_GREP=y -CONFIG_EGREP=y -CONFIG_FGREP=y -CONFIG_FEATURE_GREP_CONTEXT=y -CONFIG_XARGS=y -CONFIG_FEATURE_XARGS_SUPPORT_CONFIRMATION=y -CONFIG_FEATURE_XARGS_SUPPORT_QUOTES=y -CONFIG_FEATURE_XARGS_SUPPORT_TERMOPT=y -CONFIG_FEATURE_XARGS_SUPPORT_ZERO_TERM=y -CONFIG_FEATURE_XARGS_SUPPORT_REPL_STR=y -CONFIG_FEATURE_XARGS_SUPPORT_PARALLEL=y -CONFIG_FEATURE_XARGS_SUPPORT_ARGS_FILE=y - -# -# Init Utilities 
-# -CONFIG_BOOTCHARTD=y -CONFIG_FEATURE_BOOTCHARTD_BLOATED_HEADER=y -CONFIG_FEATURE_BOOTCHARTD_CONFIG_FILE=y -CONFIG_HALT=y -CONFIG_POWEROFF=y -CONFIG_REBOOT=y -CONFIG_FEATURE_WAIT_FOR_INIT=y -# CONFIG_FEATURE_CALL_TELINIT is not set -CONFIG_TELINIT_PATH="" -CONFIG_INIT=y -CONFIG_LINUXRC=y -CONFIG_FEATURE_USE_INITTAB=y -# CONFIG_FEATURE_KILL_REMOVED is not set -CONFIG_FEATURE_KILL_DELAY=0 -CONFIG_FEATURE_INIT_SCTTY=y -CONFIG_FEATURE_INIT_SYSLOG=y -CONFIG_FEATURE_INIT_QUIET=y -# CONFIG_FEATURE_INIT_COREDUMPS is not set -CONFIG_INIT_TERMINAL_TYPE="linux" -CONFIG_FEATURE_INIT_MODIFY_CMDLINE=y - -# -# Login/Password Management Utilities -# -CONFIG_FEATURE_SHADOWPASSWDS=y -CONFIG_USE_BB_PWD_GRP=y -CONFIG_USE_BB_SHADOW=y -CONFIG_USE_BB_CRYPT=y -CONFIG_USE_BB_CRYPT_SHA=y -CONFIG_ADD_SHELL=y -CONFIG_REMOVE_SHELL=y -CONFIG_ADDGROUP=y -CONFIG_FEATURE_ADDUSER_TO_GROUP=y -CONFIG_ADDUSER=y -# CONFIG_FEATURE_CHECK_NAMES is not set -CONFIG_LAST_ID=60000 -CONFIG_FIRST_SYSTEM_ID=100 -CONFIG_LAST_SYSTEM_ID=999 -CONFIG_CHPASSWD=y -CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="des" -CONFIG_CRYPTPW=y -CONFIG_MKPASSWD=y -CONFIG_DELUSER=y -CONFIG_DELGROUP=y -CONFIG_FEATURE_DEL_USER_FROM_GROUP=y -CONFIG_GETTY=y -CONFIG_LOGIN=y -# CONFIG_LOGIN_SESSION_AS_CHILD is not set -CONFIG_LOGIN_SCRIPTS=y -CONFIG_FEATURE_NOLOGIN=y -CONFIG_FEATURE_SECURETTY=y -CONFIG_PASSWD=y -CONFIG_FEATURE_PASSWD_WEAK_CHECK=y -CONFIG_SU=y -CONFIG_FEATURE_SU_SYSLOG=y -CONFIG_FEATURE_SU_CHECKS_SHELLS=y -# CONFIG_FEATURE_SU_BLANK_PW_NEEDS_SECURE_TTY is not set -CONFIG_SULOGIN=y -CONFIG_VLOCK=y - -# -# Linux Ext2 FS Progs -# -CONFIG_CHATTR=y -CONFIG_FSCK=y -CONFIG_LSATTR=y -# CONFIG_TUNE2FS is not set - -# -# Linux Module Utilities -# -CONFIG_MODPROBE_SMALL=y -CONFIG_DEPMOD=y -CONFIG_INSMOD=y -CONFIG_LSMOD=y -# CONFIG_FEATURE_LSMOD_PRETTY_2_6_OUTPUT is not set -CONFIG_MODINFO=y -CONFIG_MODPROBE=y -# CONFIG_FEATURE_MODPROBE_BLACKLIST is not set -CONFIG_RMMOD=y - -# -# Options common to multiple modutils -# 
-CONFIG_FEATURE_CMDLINE_MODULE_OPTIONS=y -CONFIG_FEATURE_MODPROBE_SMALL_CHECK_ALREADY_LOADED=y -# CONFIG_FEATURE_2_4_MODULES is not set -# CONFIG_FEATURE_INSMOD_VERSION_CHECKING is not set -# CONFIG_FEATURE_INSMOD_KSYMOOPS_SYMBOLS is not set -# CONFIG_FEATURE_INSMOD_LOADINKMEM is not set -# CONFIG_FEATURE_INSMOD_LOAD_MAP is not set -# CONFIG_FEATURE_INSMOD_LOAD_MAP_FULL is not set -# CONFIG_FEATURE_CHECK_TAINTED_MODULE is not set -# CONFIG_FEATURE_INSMOD_TRY_MMAP is not set -# CONFIG_FEATURE_MODUTILS_ALIAS is not set -# CONFIG_FEATURE_MODUTILS_SYMBOLS is not set -CONFIG_DEFAULT_MODULES_DIR="/lib/modules" -CONFIG_DEFAULT_DEPMOD_FILE="modules.dep" - -# -# Linux System Utilities -# -CONFIG_ACPID=y -CONFIG_FEATURE_ACPID_COMPAT=y -CONFIG_BLKDISCARD=y -CONFIG_BLKID=y -CONFIG_FEATURE_BLKID_TYPE=y -CONFIG_BLOCKDEV=y -CONFIG_CAL=y -CONFIG_CHRT=y -CONFIG_DMESG=y -CONFIG_FEATURE_DMESG_PRETTY=y -CONFIG_EJECT=y -CONFIG_FEATURE_EJECT_SCSI=y -CONFIG_FALLOCATE=y -CONFIG_FATATTR=y -CONFIG_FBSET=y -CONFIG_FEATURE_FBSET_FANCY=y -CONFIG_FEATURE_FBSET_READMODE=y -CONFIG_FDFORMAT=y -CONFIG_FDISK=y -# CONFIG_FDISK_SUPPORT_LARGE_DISKS is not set -CONFIG_FEATURE_FDISK_WRITABLE=y -# CONFIG_FEATURE_AIX_LABEL is not set -# CONFIG_FEATURE_SGI_LABEL is not set -# CONFIG_FEATURE_SUN_LABEL is not set -# CONFIG_FEATURE_OSF_LABEL is not set -# CONFIG_FEATURE_GPT_LABEL is not set -CONFIG_FEATURE_FDISK_ADVANCED=y -CONFIG_FINDFS=y -CONFIG_FLOCK=y -CONFIG_FDFLUSH=y -CONFIG_FREERAMDISK=y -CONFIG_FSCK_MINIX=y -CONFIG_FSFREEZE=y -CONFIG_FSTRIM=y -CONFIG_GETOPT=y -CONFIG_FEATURE_GETOPT_LONG=y -CONFIG_HEXDUMP=y -CONFIG_HD=y -CONFIG_XXD=y -CONFIG_HWCLOCK=y -# CONFIG_FEATURE_HWCLOCK_ADJTIME_FHS is not set -CONFIG_IONICE=y -CONFIG_IPCRM=y -CONFIG_IPCS=y -CONFIG_LAST=y -CONFIG_FEATURE_LAST_FANCY=y -CONFIG_LOSETUP=y -CONFIG_LSPCI=y -CONFIG_LSUSB=y -CONFIG_MDEV=y -CONFIG_FEATURE_MDEV_CONF=y -CONFIG_FEATURE_MDEV_RENAME=y -CONFIG_FEATURE_MDEV_RENAME_REGEXP=y -CONFIG_FEATURE_MDEV_EXEC=y 
-CONFIG_FEATURE_MDEV_LOAD_FIRMWARE=y -CONFIG_FEATURE_MDEV_DAEMON=y -CONFIG_MESG=y -CONFIG_FEATURE_MESG_ENABLE_ONLY_GROUP=y -CONFIG_MKE2FS=y -CONFIG_MKFS_EXT2=y -CONFIG_MKFS_MINIX=y -CONFIG_FEATURE_MINIX2=y -# CONFIG_MKFS_REISER is not set -CONFIG_MKDOSFS=y -CONFIG_MKFS_VFAT=y -CONFIG_MKSWAP=y -CONFIG_FEATURE_MKSWAP_UUID=y -CONFIG_MORE=y -CONFIG_MOUNT=y -CONFIG_FEATURE_MOUNT_FAKE=y -CONFIG_FEATURE_MOUNT_VERBOSE=y -# CONFIG_FEATURE_MOUNT_HELPERS is not set -CONFIG_FEATURE_MOUNT_LABEL=y -# CONFIG_FEATURE_MOUNT_NFS is not set -CONFIG_FEATURE_MOUNT_CIFS=y -CONFIG_FEATURE_MOUNT_FLAGS=y -CONFIG_FEATURE_MOUNT_FSTAB=y -CONFIG_FEATURE_MOUNT_OTHERTAB=y -CONFIG_MOUNTPOINT=y -CONFIG_NOLOGIN=y -# CONFIG_NOLOGIN_DEPENDENCIES is not set -CONFIG_NSENTER=y -CONFIG_PIVOT_ROOT=y -CONFIG_RDATE=y -CONFIG_RDEV=y -CONFIG_READPROFILE=y -CONFIG_RENICE=y -CONFIG_REV=y -CONFIG_RTCWAKE=y -CONFIG_SCRIPT=y -CONFIG_SCRIPTREPLAY=y -CONFIG_SETARCH=y -CONFIG_LINUX32=y -CONFIG_LINUX64=y -CONFIG_SETPRIV=y -CONFIG_FEATURE_SETPRIV_DUMP=y -CONFIG_FEATURE_SETPRIV_CAPABILITIES=y -CONFIG_FEATURE_SETPRIV_CAPABILITY_NAMES=y -CONFIG_SETSID=y -CONFIG_SWAPON=y -CONFIG_FEATURE_SWAPON_DISCARD=y -CONFIG_FEATURE_SWAPON_PRI=y -CONFIG_SWAPOFF=y -CONFIG_FEATURE_SWAPONOFF_LABEL=y -CONFIG_SWITCH_ROOT=y -CONFIG_TASKSET=y -CONFIG_FEATURE_TASKSET_FANCY=y -CONFIG_FEATURE_TASKSET_CPULIST=y -CONFIG_UEVENT=y -CONFIG_UMOUNT=y -CONFIG_FEATURE_UMOUNT_ALL=y -CONFIG_UNSHARE=y -CONFIG_WALL=y - -# -# Common options for mount/umount -# -CONFIG_FEATURE_MOUNT_LOOP=y -CONFIG_FEATURE_MOUNT_LOOP_CREATE=y -# CONFIG_FEATURE_MTAB_SUPPORT is not set -CONFIG_VOLUMEID=y - -# -# Filesystem/Volume identification -# -CONFIG_FEATURE_VOLUMEID_BCACHE=y -CONFIG_FEATURE_VOLUMEID_BTRFS=y -CONFIG_FEATURE_VOLUMEID_CRAMFS=y -CONFIG_FEATURE_VOLUMEID_EROFS=y -CONFIG_FEATURE_VOLUMEID_EXFAT=y -CONFIG_FEATURE_VOLUMEID_EXT=y -CONFIG_FEATURE_VOLUMEID_F2FS=y -CONFIG_FEATURE_VOLUMEID_FAT=y -CONFIG_FEATURE_VOLUMEID_HFS=y -CONFIG_FEATURE_VOLUMEID_ISO9660=y 
-CONFIG_FEATURE_VOLUMEID_JFS=y -CONFIG_FEATURE_VOLUMEID_LFS=y -CONFIG_FEATURE_VOLUMEID_LINUXRAID=y -CONFIG_FEATURE_VOLUMEID_LINUXSWAP=y -CONFIG_FEATURE_VOLUMEID_LUKS=y -CONFIG_FEATURE_VOLUMEID_MINIX=y -CONFIG_FEATURE_VOLUMEID_NILFS=y -CONFIG_FEATURE_VOLUMEID_NTFS=y -CONFIG_FEATURE_VOLUMEID_OCFS2=y -CONFIG_FEATURE_VOLUMEID_REISERFS=y -CONFIG_FEATURE_VOLUMEID_ROMFS=y -CONFIG_FEATURE_VOLUMEID_SQUASHFS=y -CONFIG_FEATURE_VOLUMEID_SYSV=y -CONFIG_FEATURE_VOLUMEID_UBIFS=y -CONFIG_FEATURE_VOLUMEID_UDF=y -CONFIG_FEATURE_VOLUMEID_XFS=y - -# -# Miscellaneous Utilities -# -CONFIG_ADJTIMEX=y -CONFIG_ASCII=y -# CONFIG_BBCONFIG is not set -# CONFIG_FEATURE_COMPRESS_BBCONFIG is not set -CONFIG_BC=y -CONFIG_DC=y -CONFIG_FEATURE_DC_BIG=y -# CONFIG_FEATURE_DC_LIBM is not set -CONFIG_FEATURE_BC_INTERACTIVE=y -CONFIG_FEATURE_BC_LONG_OPTIONS=y -CONFIG_BEEP=y -CONFIG_FEATURE_BEEP_FREQ=4000 -CONFIG_FEATURE_BEEP_LENGTH_MS=30 -CONFIG_CHAT=y -CONFIG_FEATURE_CHAT_NOFAIL=y -# CONFIG_FEATURE_CHAT_TTY_HIFI is not set -CONFIG_FEATURE_CHAT_IMPLICIT_CR=y -CONFIG_FEATURE_CHAT_SWALLOW_OPTS=y -CONFIG_FEATURE_CHAT_SEND_ESCAPES=y -CONFIG_FEATURE_CHAT_VAR_ABORT_LEN=y -CONFIG_FEATURE_CHAT_CLR_ABORT=y -CONFIG_CONSPY=y -CONFIG_CROND=y -CONFIG_FEATURE_CROND_D=y -CONFIG_FEATURE_CROND_CALL_SENDMAIL=y -CONFIG_FEATURE_CROND_SPECIAL_TIMES=y -CONFIG_FEATURE_CROND_DIR="/var/spool/cron" -CONFIG_CRONTAB=y -# CONFIG_DEVFSD is not set -# CONFIG_DEVFSD_MODLOAD is not set -# CONFIG_DEVFSD_FG_NP is not set -# CONFIG_DEVFSD_VERBOSE is not set -# CONFIG_FEATURE_DEVFS is not set -CONFIG_DEVMEM=y -CONFIG_FBSPLASH=y -# CONFIG_FLASH_ERASEALL is not set -# CONFIG_FLASH_LOCK is not set -# CONFIG_FLASH_UNLOCK is not set -# CONFIG_FLASHCP is not set -CONFIG_HDPARM=y -CONFIG_FEATURE_HDPARM_GET_IDENTITY=y -CONFIG_FEATURE_HDPARM_HDIO_SCAN_HWIF=y -CONFIG_FEATURE_HDPARM_HDIO_UNREGISTER_HWIF=y -CONFIG_FEATURE_HDPARM_HDIO_DRIVE_RESET=y -CONFIG_FEATURE_HDPARM_HDIO_TRISTATE_HWIF=y -CONFIG_FEATURE_HDPARM_HDIO_GETSET_DMA=y -CONFIG_HEXEDIT=y 
-CONFIG_I2CGET=y -CONFIG_I2CSET=y -CONFIG_I2CDUMP=y -CONFIG_I2CDETECT=y -CONFIG_I2CTRANSFER=y -# CONFIG_INOTIFYD is not set -CONFIG_LESS=y -CONFIG_FEATURE_LESS_MAXLINES=9999999 -CONFIG_FEATURE_LESS_BRACKETS=y -CONFIG_FEATURE_LESS_FLAGS=y -CONFIG_FEATURE_LESS_TRUNCATE=y -CONFIG_FEATURE_LESS_MARKS=y -CONFIG_FEATURE_LESS_REGEXP=y -CONFIG_FEATURE_LESS_WINCH=y -CONFIG_FEATURE_LESS_ASK_TERMINAL=y -CONFIG_FEATURE_LESS_DASHCMD=y -CONFIG_FEATURE_LESS_LINENUMS=y -CONFIG_FEATURE_LESS_RAW=y -CONFIG_FEATURE_LESS_ENV=y -CONFIG_LSSCSI=y -CONFIG_MAKEDEVS=y -# CONFIG_FEATURE_MAKEDEVS_LEAF is not set -CONFIG_FEATURE_MAKEDEVS_TABLE=y -CONFIG_MAN=y -CONFIG_MICROCOM=y -CONFIG_MIM=y -CONFIG_MT=y -CONFIG_NANDWRITE=y -CONFIG_NANDDUMP=y -CONFIG_PARTPROBE=y -CONFIG_RAIDAUTORUN=y -CONFIG_READAHEAD=y -# CONFIG_RFKILL is not set -CONFIG_RUNLEVEL=y -CONFIG_RX=y -CONFIG_SEEDRNG=y -CONFIG_SETFATTR=y -CONFIG_SETSERIAL=y -CONFIG_STRINGS=y -CONFIG_TIME=y -CONFIG_TREE=y -CONFIG_TS=y -CONFIG_TTYSIZE=y -CONFIG_UBIATTACH=y -CONFIG_UBIDETACH=y -CONFIG_UBIMKVOL=y -CONFIG_UBIRMVOL=y -CONFIG_UBIRSVOL=y -CONFIG_UBIUPDATEVOL=y -CONFIG_UBIRENAME=y -CONFIG_VOLNAME=y -CONFIG_WATCHDOG=y -# CONFIG_FEATURE_WATCHDOG_OPEN_TWICE is not set - -# -# Networking Utilities -# -CONFIG_FEATURE_IPV6=y -# CONFIG_FEATURE_UNIX_LOCAL is not set -CONFIG_FEATURE_PREFER_IPV4_ADDRESS=y -# CONFIG_VERBOSE_RESOLUTION_ERRORS is not set -# CONFIG_FEATURE_ETC_NETWORKS is not set -# CONFIG_FEATURE_ETC_SERVICES is not set -CONFIG_FEATURE_HWIB=y -# CONFIG_FEATURE_TLS_SHA1 is not set -CONFIG_ARP=y -CONFIG_ARPING=y -CONFIG_BRCTL=y -CONFIG_FEATURE_BRCTL_FANCY=y -CONFIG_FEATURE_BRCTL_SHOW=y -CONFIG_DNSD=y -CONFIG_ETHER_WAKE=y -CONFIG_FTPD=y -CONFIG_FEATURE_FTPD_WRITE=y -CONFIG_FEATURE_FTPD_ACCEPT_BROKEN_LIST=y -CONFIG_FEATURE_FTPD_AUTHENTICATION=y -CONFIG_FTPGET=y -CONFIG_FTPPUT=y -CONFIG_FEATURE_FTPGETPUT_LONG_OPTIONS=y -CONFIG_HOSTNAME=y -CONFIG_DNSDOMAINNAME=y -CONFIG_HTTPD=y -CONFIG_FEATURE_HTTPD_PORT_DEFAULT=80 -CONFIG_FEATURE_HTTPD_RANGES=y 
-CONFIG_FEATURE_HTTPD_SETUID=y -CONFIG_FEATURE_HTTPD_BASIC_AUTH=y -CONFIG_FEATURE_HTTPD_AUTH_MD5=y -CONFIG_FEATURE_HTTPD_CGI=y -CONFIG_FEATURE_HTTPD_CONFIG_WITH_SCRIPT_INTERPR=y -CONFIG_FEATURE_HTTPD_SET_REMOTE_PORT_TO_ENV=y -CONFIG_FEATURE_HTTPD_ENCODE_URL_STR=y -CONFIG_FEATURE_HTTPD_ERROR_PAGES=y -CONFIG_FEATURE_HTTPD_PROXY=y -CONFIG_FEATURE_HTTPD_GZIP=y -CONFIG_FEATURE_HTTPD_ETAG=y -CONFIG_FEATURE_HTTPD_LAST_MODIFIED=y -CONFIG_FEATURE_HTTPD_DATE=y -CONFIG_FEATURE_HTTPD_ACL_IP=y -CONFIG_IFCONFIG=y -CONFIG_FEATURE_IFCONFIG_STATUS=y -CONFIG_FEATURE_IFCONFIG_SLIP=y -CONFIG_FEATURE_IFCONFIG_MEMSTART_IOADDR_IRQ=y -CONFIG_FEATURE_IFCONFIG_HW=y -CONFIG_FEATURE_IFCONFIG_BROADCAST_PLUS=y -CONFIG_IFENSLAVE=y -CONFIG_IFPLUGD=y -CONFIG_IFUP=y -CONFIG_IFDOWN=y -CONFIG_IFUPDOWN_IFSTATE_PATH="/var/run/ifstate" -CONFIG_FEATURE_IFUPDOWN_IP=y -CONFIG_FEATURE_IFUPDOWN_IPV4=y -CONFIG_FEATURE_IFUPDOWN_IPV6=y -CONFIG_FEATURE_IFUPDOWN_MAPPING=y -# CONFIG_FEATURE_IFUPDOWN_EXTERNAL_DHCP is not set -CONFIG_INETD=y -CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_ECHO=y -CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_DISCARD=y -CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_TIME=y -CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_DAYTIME=y -CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_CHARGEN=y -# CONFIG_FEATURE_INETD_RPC is not set -CONFIG_IP=y -CONFIG_IPADDR=y -CONFIG_IPLINK=y -CONFIG_IPROUTE=y -CONFIG_IPTUNNEL=y -CONFIG_IPRULE=y -CONFIG_IPNEIGH=y -CONFIG_FEATURE_IP_ADDRESS=y -CONFIG_FEATURE_IP_LINK=y -CONFIG_FEATURE_IP_ROUTE=y -CONFIG_FEATURE_IP_ROUTE_DIR="/etc/iproute2" -CONFIG_FEATURE_IP_TUNNEL=y -CONFIG_FEATURE_IP_RULE=y -CONFIG_FEATURE_IP_NEIGH=y -# CONFIG_FEATURE_IP_RARE_PROTOCOLS is not set -CONFIG_IPCALC=y -CONFIG_FEATURE_IPCALC_LONG_OPTIONS=y -CONFIG_FEATURE_IPCALC_FANCY=y -CONFIG_FAKEIDENTD=y -CONFIG_NAMEIF=y -CONFIG_FEATURE_NAMEIF_EXTENDED=y -CONFIG_NBDCLIENT=y -CONFIG_NC=y -# CONFIG_NETCAT is not set -CONFIG_NC_SERVER=y -CONFIG_NC_EXTRA=y -CONFIG_NC_110_COMPAT=y -CONFIG_NETSTAT=y -CONFIG_FEATURE_NETSTAT_WIDE=y 
-CONFIG_FEATURE_NETSTAT_PRG=y -CONFIG_NSLOOKUP=y -CONFIG_FEATURE_NSLOOKUP_BIG=y -CONFIG_FEATURE_NSLOOKUP_LONG_OPTIONS=y -CONFIG_NTPD=y -CONFIG_FEATURE_NTPD_SERVER=y -CONFIG_FEATURE_NTPD_CONF=y -CONFIG_FEATURE_NTP_AUTH=y -CONFIG_PING=y -CONFIG_PING6=y -CONFIG_FEATURE_FANCY_PING=y -CONFIG_PSCAN=y -CONFIG_ROUTE=y -CONFIG_SLATTACH=y -CONFIG_SSL_CLIENT=y -CONFIG_TC=y -CONFIG_FEATURE_TC_INGRESS=y -CONFIG_TCPSVD=y -CONFIG_UDPSVD=y -CONFIG_TELNET=y -CONFIG_FEATURE_TELNET_TTYPE=y -CONFIG_FEATURE_TELNET_AUTOLOGIN=y -CONFIG_FEATURE_TELNET_WIDTH=y -CONFIG_TELNETD=y -CONFIG_FEATURE_TELNETD_STANDALONE=y -CONFIG_FEATURE_TELNETD_PORT_DEFAULT=23 -CONFIG_FEATURE_TELNETD_INETD_WAIT=y -CONFIG_TFTP=y -CONFIG_FEATURE_TFTP_PROGRESS_BAR=y -CONFIG_FEATURE_TFTP_HPA_COMPAT=y -CONFIG_TFTPD=y -CONFIG_FEATURE_TFTP_GET=y -CONFIG_FEATURE_TFTP_PUT=y -CONFIG_FEATURE_TFTP_BLOCKSIZE=y -# CONFIG_TFTP_DEBUG is not set -CONFIG_TLS=y -CONFIG_TRACEROUTE=y -CONFIG_TRACEROUTE6=y -CONFIG_FEATURE_TRACEROUTE_VERBOSE=y -CONFIG_FEATURE_TRACEROUTE_USE_ICMP=y -CONFIG_TUNCTL=y -CONFIG_FEATURE_TUNCTL_UG=y -CONFIG_VCONFIG=y -CONFIG_WGET=y -CONFIG_FEATURE_WGET_LONG_OPTIONS=y -CONFIG_FEATURE_WGET_STATUSBAR=y -CONFIG_FEATURE_WGET_FTP=y -CONFIG_FEATURE_WGET_AUTHENTICATION=y -CONFIG_FEATURE_WGET_TIMEOUT=y -CONFIG_FEATURE_WGET_HTTPS=y -CONFIG_FEATURE_WGET_OPENSSL=y -CONFIG_WHOIS=y -CONFIG_ZCIP=y -CONFIG_UDHCPD=y -# CONFIG_FEATURE_UDHCPD_BASE_IP_ON_MAC is not set -CONFIG_FEATURE_UDHCPD_WRITE_LEASES_EARLY=y -CONFIG_DHCPD_LEASES_FILE="/var/lib/misc/udhcpd.leases" -CONFIG_DUMPLEASES=y -CONFIG_DHCPRELAY=y -CONFIG_UDHCPC=y -CONFIG_FEATURE_UDHCPC_ARPING=y -CONFIG_FEATURE_UDHCPC_SANITIZEOPT=y -CONFIG_UDHCPC_DEFAULT_SCRIPT="/usr/share/udhcpc/default.script" -CONFIG_UDHCPC6_DEFAULT_SCRIPT="/usr/share/udhcpc/default6.script" -CONFIG_UDHCPC6=y -CONFIG_FEATURE_UDHCPC6_RFC3646=y -CONFIG_FEATURE_UDHCPC6_RFC4704=y -CONFIG_FEATURE_UDHCPC6_RFC4833=y -CONFIG_FEATURE_UDHCPC6_RFC5970=y - -# -# Common options for DHCP applets -# 
-CONFIG_UDHCPC_DEFAULT_INTERFACE="eth0" -# CONFIG_FEATURE_UDHCP_PORT is not set -CONFIG_UDHCP_DEBUG=2 -CONFIG_UDHCPC_SLACK_FOR_BUGGY_SERVERS=80 -CONFIG_FEATURE_UDHCP_RFC3397=y -CONFIG_FEATURE_UDHCP_8021Q=y -CONFIG_IFUPDOWN_UDHCPC_CMD_OPTIONS="-R -n" - -# -# Print Utilities -# -CONFIG_LPD=y -CONFIG_LPR=y -CONFIG_LPQ=y - -# -# Mail Utilities -# -CONFIG_FEATURE_MIME_CHARSET="us-ascii" -CONFIG_MAKEMIME=y -CONFIG_POPMAILDIR=y -CONFIG_FEATURE_POPMAILDIR_DELIVERY=y -CONFIG_REFORMIME=y -CONFIG_FEATURE_REFORMIME_COMPAT=y -CONFIG_SENDMAIL=y - -# -# Process Utilities -# -# CONFIG_FEATURE_FAST_TOP is not set -CONFIG_FEATURE_SHOW_THREADS=y -CONFIG_FREE=y -CONFIG_FUSER=y -CONFIG_IOSTAT=y -CONFIG_KILL=y -CONFIG_KILLALL=y -CONFIG_KILLALL5=y -CONFIG_LSOF=y -CONFIG_MPSTAT=y -CONFIG_NMETER=y -CONFIG_PGREP=y -CONFIG_PKILL=y -CONFIG_PIDOF=y -CONFIG_FEATURE_PIDOF_SINGLE=y -CONFIG_FEATURE_PIDOF_OMIT=y -CONFIG_PMAP=y -CONFIG_POWERTOP=y -CONFIG_FEATURE_POWERTOP_INTERACTIVE=y -CONFIG_PS=y -# CONFIG_FEATURE_PS_WIDE is not set -# CONFIG_FEATURE_PS_LONG is not set -CONFIG_FEATURE_PS_TIME=y -# CONFIG_FEATURE_PS_UNUSUAL_SYSTEMS is not set -CONFIG_FEATURE_PS_ADDITIONAL_COLUMNS=y -CONFIG_PSTREE=y -CONFIG_PWDX=y -CONFIG_SMEMCAP=y -CONFIG_BB_SYSCTL=y -CONFIG_TOP=y -CONFIG_FEATURE_TOP_INTERACTIVE=y -CONFIG_FEATURE_TOP_CPU_USAGE_PERCENTAGE=y -CONFIG_FEATURE_TOP_CPU_GLOBAL_PERCENTS=y -CONFIG_FEATURE_TOP_SMP_CPU=y -CONFIG_FEATURE_TOP_DECIMALS=y -CONFIG_FEATURE_TOP_SMP_PROCESS=y -CONFIG_FEATURE_TOPMEM=y -CONFIG_UPTIME=y -CONFIG_FEATURE_UPTIME_UTMP_SUPPORT=y -CONFIG_WATCH=y - -# -# Runit Utilities -# -CONFIG_CHPST=y -CONFIG_SETUIDGID=y -CONFIG_ENVUIDGID=y -CONFIG_ENVDIR=y -CONFIG_SOFTLIMIT=y -CONFIG_RUNSV=y -CONFIG_RUNSVDIR=y -# CONFIG_FEATURE_RUNSVDIR_LOG is not set -CONFIG_SV=y -CONFIG_SV_DEFAULT_SERVICE_DIR="/var/service" -CONFIG_SVC=y -CONFIG_SVOK=y -CONFIG_SVLOGD=y -# CONFIG_CHCON is not set -# CONFIG_GETENFORCE is not set -# CONFIG_GETSEBOOL is not set -# CONFIG_LOAD_POLICY is not set -# 
CONFIG_MATCHPATHCON is not set -# CONFIG_RUNCON is not set -# CONFIG_SELINUXENABLED is not set -# CONFIG_SESTATUS is not set -# CONFIG_SETENFORCE is not set -# CONFIG_SETFILES is not set -# CONFIG_FEATURE_SETFILES_CHECK_OPTION is not set -# CONFIG_RESTORECON is not set -# CONFIG_SETSEBOOL is not set - -# -# Shells -# -CONFIG_SH_IS_ASH=y -# CONFIG_SH_IS_HUSH is not set -# CONFIG_SH_IS_NONE is not set -# CONFIG_BASH_IS_ASH is not set -# CONFIG_BASH_IS_HUSH is not set -CONFIG_BASH_IS_NONE=y -CONFIG_SHELL_ASH=y -CONFIG_ASH=y -CONFIG_ASH_OPTIMIZE_FOR_SIZE=y -CONFIG_ASH_INTERNAL_GLOB=y -CONFIG_ASH_BASH_COMPAT=y -# CONFIG_ASH_BASH_SOURCE_CURDIR is not set -CONFIG_ASH_BASH_NOT_FOUND_HOOK=y -CONFIG_ASH_JOB_CONTROL=y -CONFIG_ASH_ALIAS=y -CONFIG_ASH_RANDOM_SUPPORT=y -CONFIG_ASH_EXPAND_PRMT=y -CONFIG_ASH_IDLE_TIMEOUT=y -CONFIG_ASH_MAIL=y -CONFIG_ASH_ECHO=y -CONFIG_ASH_PRINTF=y -CONFIG_ASH_TEST=y -CONFIG_ASH_SLEEP=y -CONFIG_ASH_HELP=y -CONFIG_ASH_GETOPTS=y -CONFIG_ASH_CMDCMD=y -CONFIG_CTTYHACK=y -CONFIG_HUSH=y -CONFIG_SHELL_HUSH=y -CONFIG_HUSH_BASH_COMPAT=y -CONFIG_HUSH_BRACE_EXPANSION=y -# CONFIG_HUSH_BASH_SOURCE_CURDIR is not set -CONFIG_HUSH_LINENO_VAR=y -CONFIG_HUSH_INTERACTIVE=y -CONFIG_HUSH_SAVEHISTORY=y -CONFIG_HUSH_JOB=y -CONFIG_HUSH_TICK=y -CONFIG_HUSH_IF=y -CONFIG_HUSH_LOOPS=y -CONFIG_HUSH_CASE=y -CONFIG_HUSH_FUNCTIONS=y -CONFIG_HUSH_LOCAL=y -CONFIG_HUSH_RANDOM_SUPPORT=y -CONFIG_HUSH_MODE_X=y -CONFIG_HUSH_ECHO=y -CONFIG_HUSH_PRINTF=y -CONFIG_HUSH_TEST=y -CONFIG_HUSH_HELP=y -CONFIG_HUSH_EXPORT=y -CONFIG_HUSH_EXPORT_N=y -CONFIG_HUSH_READONLY=y -CONFIG_HUSH_KILL=y -CONFIG_HUSH_WAIT=y -CONFIG_HUSH_COMMAND=y -CONFIG_HUSH_TRAP=y -CONFIG_HUSH_TYPE=y -CONFIG_HUSH_TIMES=y -CONFIG_HUSH_READ=y -CONFIG_HUSH_SET=y -CONFIG_HUSH_UNSET=y -CONFIG_HUSH_ULIMIT=y -CONFIG_HUSH_UMASK=y -CONFIG_HUSH_GETOPTS=y -# CONFIG_HUSH_MEMLEAK is not set - -# -# Options common to all shells -# -CONFIG_FEATURE_SH_MATH=y -CONFIG_FEATURE_SH_MATH_64=y -CONFIG_FEATURE_SH_MATH_BASE=y 
-CONFIG_FEATURE_SH_EXTRA_QUIET=y -# CONFIG_FEATURE_SH_STANDALONE is not set -# CONFIG_FEATURE_SH_NOFORK is not set -CONFIG_FEATURE_SH_READ_FRAC=y -CONFIG_FEATURE_SH_HISTFILESIZE=y -CONFIG_FEATURE_SH_EMBEDDED_SCRIPTS=y - -# -# System Logging Utilities -# -CONFIG_KLOGD=y - -# -# klogd should not be used together with syslog to kernel printk buffer -# -CONFIG_FEATURE_KLOGD_KLOGCTL=y -CONFIG_LOGGER=y -CONFIG_LOGREAD=y -CONFIG_FEATURE_LOGREAD_REDUCED_LOCKING=y -CONFIG_SYSLOGD=y -CONFIG_FEATURE_ROTATE_LOGFILE=y -CONFIG_FEATURE_REMOTE_LOG=y -CONFIG_FEATURE_SYSLOGD_DUP=y -CONFIG_FEATURE_SYSLOGD_CFG=y -# CONFIG_FEATURE_SYSLOGD_PRECISE_TIMESTAMPS is not set -CONFIG_FEATURE_SYSLOGD_READ_BUFFER_SIZE=256 -CONFIG_FEATURE_IPC_SYSLOG=y -CONFIG_FEATURE_IPC_SYSLOG_BUFFER_SIZE=16 -CONFIG_FEATURE_KMSG_SYSLOG=y diff --git a/blue/Tools/zoo/README.md b/blue/Tools/zoo/README.md index d95edd3..9c22d22 100644 --- a/blue/Tools/zoo/README.md +++ b/blue/Tools/zoo/README.md 
@@ -44,10 +44,11 @@ Funmap supports many features including: Located in the `modules` subdirectory. These are the 'animals' of the zoo, each providing functionality to the manager. - `armadillo` - General system hardening scripts. +- `beaver` - Fixes holes in the dam (bad service files, missing binaries, etc.) and performs the appropriate action to restore the green check - `chipmunk` - Anything we need for backups, including creating, restoring, managing, and hosting backups. - `chomp` - Host-based EDR. The module is responsible for deploying, starting it, collecting its logs, and health checks. +- `elephant` - Password manager. - `elk` - Automation scripts for deploying the Elastic Search stack. -- `flamingo` - Password change and management scripts. Able to parse `/etc/passwd` and `/etc/shadow` for misconfigurations. - `hawk` - Initial scans of the network to populate the network diagram of zoo. - `lynx` - PAM debugger, analyzes bad PAM configs and backdoors. - `meerkat` - Generic service health checks (whatever `woodpecker` doesn't cover). @@ -55,14 +56,6 @@ Located in the `modules` subdirectory. These are the 'animals' of the zoo, each - `nematode` - Gain visibility into service running on hosts and maps relationships between services (i.e. a web server has its database on a different host). - `phoenix` - Automated firewall tasks. - `suricata` - Automated suricata deployment. Automated connection to ELK. +- `turtle` - Caddy WAF deployment - `woodpecker` - Continuously runs login attempts to check for default credentials. - `woof` - Interactive script that patches system and service misconfigurations, can run on a schedule. - -# To Do - -- Implement password management - - Use `modules/meow` as the connector, use `modules/chamaleon` for the password changer - - encrypting so the files aren't stored in plaintext. -- Add LOTS of modules for tool setup -- Windows support (connect via WinRM, SMB) -- Create a version of funmap that runs on Windows 
diff --git a/blue/Tools/zoo/modules/beaver/README.md b/blue/Tools/zoo/modules/beaver/README.md new file mode 100644 index 0000000..0fa4303 --- /dev/null +++ b/blue/Tools/zoo/modules/beaver/README.md @@ -0,0 +1,13 @@ +# Beaver +* Automatinc common green check restore steps + +# Common Tasks +* Restore systemd files and corresponding binaries from backup +* Restore required binaries from backup (i.e. `id`, `curl`) +* Restore common files from backups (`/etc/passwd`, `/etc/os-release`) + +# Implementation +* Interactively select files and binaries as `watching` from files in `chipmunk` + * Checks for these files in the targets, and restores a good version if behaving unexpectedly + * _(A wrapper on chipmunk essentially)_ + diff --git a/blue/Tools/zoo/modules/flamingo/README.md b/blue/Tools/zoo/modules/elephant/README.md similarity index 50% rename from blue/Tools/zoo/modules/flamingo/README.md rename to blue/Tools/zoo/modules/elephant/README.md index fea5a68..0155164 100644 --- a/blue/Tools/zoo/modules/flamingo/README.md +++ b/blue/Tools/zoo/modules/elephant/README.md @@ -1,8 +1,8 @@ -# Flamingo -> Flamingos are pink because of their heavy diet of shrimp. Like flamingos, our users change color based on their favorite meal: passwords. +# Elephant +> Elephants have an incredibly good memory, and their job in this zoo is to remember and manage our passwords. * This directory will contain the logic and management of user passwords across our hosts. * Features: * Parse `/etc/passwd` and `/etc/shadow` into secure versions for every UNIX host * Execute a password change for local Windows users. - * A password change request may involve rolling every password, or a selection of users. \ No newline at end of file + * A password change request is able to target every users' password or a selection of users. \ No newline at end of file diff --git a/blue/Tools/zoo/modules/meow/README.md b/blue/Tools/zoo/modules/meow/README.md index 0a00d96..9da28f9 100644 
--- a/blue/Tools/zoo/modules/meow/README.md +++ b/blue/Tools/zoo/modules/meow/README.md @@ -1,9 +1,8 @@ # Meow * This is the distribution engine for our scripts, commands, and tooling. * `meow.sh` is the driver. Output logs and artifacts from the scripts are delivered to their corresponding module directory - * To run custom scripts, write the script's relative path to `meow`. -* `woof.sh` will be populated with system patches as we find them in our environment -* `ips.txt` is purely for convenience purposes to store targets + * To run custom scripts, write the script's relative path to `meow.sh`. +* The module that transfers and/or executes a module on a target # To Do * Deprecate the following directories in favor of their equivalent modules: @@ -11,5 +10,8 @@ * `linux_agent_log` $\rightarrow$ `elk` * `net_enum_log` $\rightarrow$ `nematode` * `nmap_log` $\rightarrow$ `hawk` - * `passwd_roll_log` $\rightarrow$ `flamingo` - * `woof_log` $\rightarrow$ `woof` \ No newline at end of file + * `passwd_roll_log` $\rightarrow$ `elephant` + * `woof_log` $\rightarrow$ `woof` + * `cmd_log` & `script_log` $\rightarrow$ DEPRECATED +* Establish ssh-keys instead of using sshpass +* Extend functionality to connect to Windows (WinRM, PSExec, SSH) \ No newline at end of file diff --git a/blue/Tools/zoo/modules/phoenix/README.md b/blue/Tools/zoo/modules/phoenix/README.md index 0d4a609..1aff739 100644 --- a/blue/Tools/zoo/modules/phoenix/README.md +++ b/blue/Tools/zoo/modules/phoenix/README.md 
@@ -1,9 +1,10 @@ # Phoenix * Automated firewall tasks -## Implementations Ideas/Implementations +## Implementations Ideas * Whitelists * Use packet captures * Use `ss` to determine a base of allowed ports, and then fine-tune them further * Block all outbound traffic - * Automated way to execute unlock the firewall for a command and restore to block all outbound traffic \ No newline at end of file + * Automated way to execute unlock the firewall for a command and restore to block all outbound traffic +* Red team has changed the SSH port in the past, Phoenix could attempt to fix this \ No newline at end of file diff --git a/blue/Tools/zoo/modules/turtle/LICENSE b/blue/Tools/zoo/modules/turtle/LICENSE new file mode 100644 index 0000000..11cd810 --- /dev/null +++ b/blue/Tools/zoo/modules/turtle/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2025-2026 Y. Huang + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/blue/Tools/zoo/modules/turtle/README.md b/blue/Tools/zoo/modules/turtle/README.md new file mode 100644 index 0000000..a1f195f --- /dev/null +++ b/blue/Tools/zoo/modules/turtle/README.md 
@@ -0,0 +1,55 @@
+# Turtle (previously Webandaid)
+To quote the visionary singer-songwriter Taylor Swift:
+> Band-aids don't fix bullet holes
+
+Well, what if they could? This is a band-aid to slap onto the web
+applications that are often riddled with bullet holes in security
+competitions. Of course, this isn't a *fix* per se, it simply delays
+attackers (hopefully enough so that any issues can be fixed).
+
+This is meant to be "first aid" for a vulnerable server. It is
+intended to be set up in minutes, but is by no means a comprehensive
+solution.
+
+# Prerequisites
+There are a couple of prerequisites for this program to function
+properly:
+ - Ability to change the listening port of the web server
+ - Ability to change the listening IP address of the web server
+ - Ability to add and modify firewall rules
+
+This script requires Python 3.9 or newer.
+
+# Instructions
+First, run `configgen.py` and enter in the information about all
+HTTP/HTTPS servers running on the system.
+
+# License
+Unless otherwise stated, any rules and scripts in this directory and subdirectories are
+licensed under the
+[Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0).
+```
+Copyright (c) 2025-2026 Yuliang Huang
+```
+
+## OWASP Core Rule Set (CRS)
+The [OWASP CRS](https://github.com/coreruleset/coreruleset) is licensed under
+the [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0).
+```
+Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+Copyright (c) 2021-2025 CRS project. All rights reserved.
+```
+
+## Coraza WAF
+The [Coraza WAF](https://github.com/corazawaf/coraza) is licensed under
+the [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0).
+```
+Copyright 2022 Juan Pablo Tosso and the OWASP Coraza contributors
+```
+
+## Caddy Web Server
+[Caddy](https://github.com/caddyserver/caddy) is licensed under the
+the [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0).
+```
+ Copyright 2015 Matthew Holt and The Caddy Authors
+```
diff --git a/blue/Tools/zoo/modules/turtle/caddy-freebsd b/blue/Tools/zoo/modules/turtle/caddy-freebsd
new file mode 100755
index 0000000..1e67efb
Binary files /dev/null and b/blue/Tools/zoo/modules/turtle/caddy-freebsd differ
diff --git a/blue/Tools/zoo/modules/turtle/caddy-linux b/blue/Tools/zoo/modules/turtle/caddy-linux
new file mode 100755
index 0000000..b5b17a9
Binary files /dev/null and b/blue/Tools/zoo/modules/turtle/caddy-linux differ
diff --git a/blue/Tools/zoo/modules/turtle/caddy-win.exe b/blue/Tools/zoo/modules/turtle/caddy-win.exe
new file mode 100755
index 0000000..d12640d
Binary files /dev/null and b/blue/Tools/zoo/modules/turtle/caddy-win.exe differ
diff --git a/blue/Tools/zoo/modules/turtle/configgen-server.tpl b/blue/Tools/zoo/modules/turtle/configgen-server.tpl
new file mode 100644
index 0000000..775a9c1
--- /dev/null
+++ b/blue/Tools/zoo/modules/turtle/configgen-server.tpl
@@ -0,0 +1,39 @@
+${protocol}://:${externport} {
+ coraza_waf {
+ load_owasp_crs
+ directives `
+ Include @coraza.conf-recommended
+ Include coreruleset/crs-setup.conf
+ Include coreruleset/rules/*.conf
+ SecRuleEngine On
+ SecRequestBodyAccess On
+ SecResponseBodyAccess On
+ SecAuditEngine RelevantOnly
+ SecAuditLog modseclog-${externport}.json
+ SecAuditLogParts ABCFHJKZ
+ SecAuditLogFormat JSON
+ `
+ }
+
+ reverse_proxy http://127.0.0.1:${internport}
+
+ ${tlscomment}tls ${tlscertpath} ${tlskeypath}
+
+ handle_errors 403 {
+ rewrite * /blocked.html
+ root * html
+ file_server
+ #redir https://www.youtube.com/watch?v=dQw4w9WgXcQ
+ }
+ handle_errors 404 {
+ respond "404 Not Found"
+ }
+
+ log {
+ output file caddylog-${externport}.json {
+ roll_size 128MiB
+ }
+ format json
+ }
+}
+
diff --git a/blue/Tools/zoo/modules/turtle/configgen.py b/blue/Tools/zoo/modules/turtle/configgen.py
new file mode 100644
index 0000000..1bdd31d
--- /dev/null
+++ b/blue/Tools/zoo/modules/turtle/configgen.py
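Review bot: `reverse_proxy http://127.0.0.1:${internport}` only puts the origin behind the WAF if the origin is reachable solely through Caddy, but neither this template nor the closing "Don't forget" summary in `configgen.py` (same commit) says that the backend must be rebound to 127.0.0.1 or have `${internport}` blocked by the firewall; an operator who only moves the port leaves the backend reachable directly on its new port. A comment next to the directive would make the requirement explicit: `# The origin must listen on 127.0.0.1 only (or ${internport} must be firewalled); otherwise traffic can reach it without passing the WAF.` The same wording should be added to the final printout in `configgen.py`. Separately, `SecAuditLog modseclog-${externport}.json` and `output file caddylog-${externport}.json` are relative paths that resolve against whatever working directory Caddy is started from, and with `SecAuditLogParts ABCFHJKZ` part C records request bodies, so these files can hold submitted credentials; an absolute path under a directory with restrictive permissions is the safer default for both.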
@@ -0,0 +1,96 @@
+"""
+Copyright (c) 2025 Yuliang Huang
+
+Licensed under the Apache License 2.0.
+"""
+
+import os
+import pathlib
+import random
+import string
+import sys
+import typing
+
+
+HEADER_BLOCK: str = '''{
+ order coraza_waf before reverse_proxy
+}
+
+'''
+
+INTERNAL_PORT_START: int = 41054
+
+def main(argv: list[str]) -> int:
+ print("WARNING: If the file \"Caddyfile\" exists, this script *will* overwrite it!")
+ internal_port: int = random.randint(1024, 48128) # Initialize to a random port.
+
+ port_mappings: dict[int, int] = {}
+
+ while True:
+ port_number: int = -1
+ while True:
+ port_number_str: str = input("Enter the port number of the service to firewall: ").strip()
+ try:
+ port_number = int(port_number_str)
+ if 0 <= port_number < 65536:
+ break
+ print("Expected an integer between 0 and 65535, but got " + port_number_str)
+ except ValueError:
+ print("ERROR: Please enter a valid integer between 0 and 65535 inclusive, not \"" +
+ port_number_str + "\"")
+
+ tls_cert_path_str: str = input("Please enter the absolute path to the TLS certificate. " +
+ "Leave blank if no certificate. ")
+ tls_cert_path: typing.Optional[pathlib.Path] = None
+ tls_key_path: typing.Optional[pathlib.Path] = None
+ if tls_cert_path_str != "":
+ tls_cert_present = True
+ tls_cert_path = pathlib.Path(tls_cert_path_str).resolve()
+ while True:
+ tls_key_path_str: str = input("Please enter the absolute path to the TLS key. ")
+ if tls_key_path_str != "":
+ tls_key_path = pathlib.Path(tls_key_path_str).resolve()
+ break
+ print("ERROR: Please enter a valid path, not \"" + str(tls_key_path_str) + "\"")
+
+ # Use the "Caddyfile" template to create a Caddyfile.
+ server_config_template: str = ""
+ with open("configgen-server.tpl") as caddyfile_template_file:
+ server_config_template = caddyfile_template_file.read()
+
+ # Write the header line if the file doesn't already exist.
+ try:
+ with open("Caddyfile", 'x') as caddy_file:
+ caddy_file.write(HEADER_BLOCK)
+ # Since the file doesn't exist, initialize to a fixed starting port.
+ internal_port = INTERNAL_PORT_START
+ except FileExistsError:
+ pass
+
+ # Now write the rest of the file.
+ with open("Caddyfile", 'a') as caddy_file:
+ caddy_file.write(string.Template(server_config_template).substitute(
+ protocol="http" if tls_cert_path is None else "https",
+ externport=str(port_number),
+ internport=internal_port,
+ tlscomment="# " if tls_cert_path is None else "",
+ tlscertpath=os.devnull if tls_cert_path is None else str(tls_cert_path),
+ tlskeypath=os.devnull if tls_key_path is None else str(tls_key_path),
+ ))
+
+ port_mappings[port_number] = internal_port
+
+ internal_port += 1
+
+ if input("\nDo you have more servers to add? [y/N] ").strip().lower() != "y":
+ break
+
+ print("\n\nDon't forget to change the ports of the services as follows:")
+ for i, port_number in enumerate(port_mappings):
+ print(str(i) + ". Move service on port " + str(port_number) +
+ " to port " + str(port_mappings[port_number]))
+
+ return 0
+
+if __name__ == "__main__":
+ sys.exit(main(sys.argv))
diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/LICENSE b/blue/Tools/zoo/modules/turtle/coreruleset/LICENSE
new file mode 100644
index 0000000..baf1ccc
--- /dev/null
+++ b/blue/Tools/zoo/modules/turtle/coreruleset/LICENSE
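Review bot: `open("configgen-server.tpl")` resolves against the current working directory, so running the script from anywhere other than the module directory fails with FileNotFoundError, and the template is re-read on every loop iteration; resolve it next to the script once before the `while True:` loop with `template_path = pathlib.Path(__file__).resolve().parent / "configgen-server.tpl"` and `server_config_template = template_path.read_text()`. The certificate and key paths are substituted into the `tls` directive unquoted, so a path containing a space yields a Caddyfile that Caddy rejects; wrapping the substituted values in double quotes (`'"' + str(tls_cert_path) + '"'`) should avoid that, assuming Caddyfile tokens may be double-quoted as I recall. When `Caddyfile` already exists, `internal_port` keeps the `random.randint(1024, 48128)` seed and is never checked against ports assigned in earlier runs or against the entered `port_number`, so a rerun can hand out an internal port that is already in use; at minimum a comment should record this, e.g. `# NOTE: on an existing Caddyfile the internal port is random and is not checked against earlier assignments`. `tls_cert_present` is assigned but never read and can be dropped.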
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2025 OWASP CRS project + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/crs-setup.conf b/blue/Tools/zoo/modules/turtle/coreruleset/crs-setup.conf new file mode 100644 index 0000000..10a0d99 --- /dev/null +++ b/blue/Tools/zoo/modules/turtle/coreruleset/crs-setup.conf 
@@ -0,0 +1,872 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.19.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+
+#
+# -- [[ Introduction ]] --------------------------------------------------------
+#
+# The OWASP CRS is a set of generic attack
+# detection rules that provide a base level of protection for any web
+# application. They are written for the open source, cross-platform
+# ModSecurity Web Application Firewall.
+#
+# See also:
+# https://coreruleset.org/
+# https://github.com/coreruleset/coreruleset
+# https://owasp.org/www-project-modsecurity-core-rule-set/
+#
+
+
+#
+# -- [[ System Requirements ]] -------------------------------------------------
+#
+# CRS requires ModSecurity version 2.8.0 or above.
+# We recommend to always use the newest ModSecurity version.
+#
+# The configuration directives/settings in this file are used to control
+# the OWASP ModSecurity CRS. These settings do **NOT** configure the main
+# ModSecurity settings (modsecurity.conf) such as SecRuleEngine,
+# SecRequestBodyAccess, SecAuditEngine, SecDebugLog, and XML processing.
+#
+# The CRS assumes that modsecurity.conf has been loaded. It is bundled with
+# ModSecurity. If you don't have it, you can get it from:
+# 2.x: https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v2/master/modsecurity.conf-recommended
+# 3.x: https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/modsecurity.conf-recommended
+#
+# The order of file inclusion in your webserver configuration should always be:
+# 1. modsecurity.conf
+# 2. crs-setup.conf (this file)
+# 3. 
rules/*.conf (the CRS rule files)
+#
+# Please refer to the INSTALL file for detailed installation instructions.
+#
+
+
+#
+# -- [[ Mode of Operation: Anomaly Scoring vs. Self-Contained ]] ---------------
+#
+# The CRS can run in two modes:
+#
+# -- [[ Anomaly Scoring Mode (default) ]] --
+# In CRS3, anomaly mode is the default and recommended mode, since it gives the
+# most accurate log information and offers the most flexibility in setting your
+# blocking policies. It is also called "collaborative detection mode".
+# In this mode, each matching rule increases an 'anomaly score'.
+# At the conclusion of the inbound rules, and again at the conclusion of the
+# outbound rules, the anomaly score is checked, and the blocking evaluation
+# rules apply a disruptive action, by default returning an error 403.
+#
+# -- [[ Self-Contained Mode ]] --
+# In this mode, rules apply an action instantly. This was the CRS2 default.
+# It can lower resource usage, at the cost of less flexibility in blocking policy
+# and less informative audit logs (only the first detected threat is logged).
+# Rules inherit the disruptive action that you specify (i.e. deny, drop, etc).
+# The first rule that matches will execute this action. In most cases this will
+# cause evaluation to stop after the first rule has matched, similar to how many
+# IDSs function.
+#
+# -- [[ Alert Logging Control ]] --
+# In the mode configuration, you must also adjust the desired logging options.
+# There are three common options for dealing with logging. By default CRS enables
+# logging to the webserver error log (or Event viewer) plus detailed logging to
+# the ModSecurity audit log (configured under SecAuditLog in modsecurity.conf).
+#
+# - To log to both error log and ModSecurity audit log file, use: "log,auditlog"
+# - To log *only* to the ModSecurity audit log file, use: "nolog,auditlog"
+# - To log *only* to the error log file, use: "log,noauditlog"
+#
+# Examples for the various modes follow.
+# You must leave one of the following options enabled.
+# Note that you must specify the same line for phase:1 and phase:2.
+#
+
+# Default: Anomaly Scoring mode, log to error log, log to ModSecurity audit log
+# - By default, offending requests are blocked with an error 403 response.
+# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
+# and review section 'Changing the Disruptive Action for Anomaly Mode'.
+# - In Apache, you can use ErrorDocument to show a friendly error page or
+# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
+#
+SecDefaultAction "phase:1,log,auditlog,pass"
+SecDefaultAction "phase:2,log,auditlog,pass"
+
+# Example: Anomaly Scoring mode, log only to ModSecurity audit log
+# - By default, offending requests are blocked with an error 403 response.
+# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
+# and review section 'Changing the Disruptive Action for Anomaly Mode'.
+# - In Apache, you can use ErrorDocument to show a friendly error page or
+# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
+#
+# SecDefaultAction "phase:1,nolog,auditlog,pass"
+# SecDefaultAction "phase:2,nolog,auditlog,pass"
+
+# Example: Self-contained mode, return error 403 on blocking
+# - In this configuration the default disruptive action becomes 'deny'. After a
+# rule triggers, it will stop processing the request and return an error 403.
+# - You can also use a different error status, such as 404, 406, et cetera.
+# - In Apache, you can use ErrorDocument to show a friendly error page or
+# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
+#
+# SecDefaultAction "phase:1,log,auditlog,deny,status:403"
+# SecDefaultAction "phase:2,log,auditlog,deny,status:403"
+
+# Example: Self-contained mode, redirect back to homepage on blocking
+# - In this configuration the 'tag' action includes the Host header data in the
+# log. 
This helps to identify which virtual host triggered the rule (if any).
+# - Note that this might cause redirect loops in some situations; for example
+# if a Cookie or User-Agent header is blocked, it will also be blocked when
+# the client subsequently tries to access the homepage. You can also redirect
+# to another custom URL.
+# SecDefaultAction "phase:1,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
+# SecDefaultAction "phase:2,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
+
+
+#
+# -- [[ Paranoia Level Initialization ]] ---------------------------------------
+#
+# The Paranoia Level (PL) setting allows you to choose the desired level
+# of rule checks that will add to your anomaly scores.
+#
+# With each paranoia level increase, the CRS enables additional rules
+# giving you a higher level of security. However, higher paranoia levels
+# also increase the possibility of blocking some legitimate traffic due to
+# false alarms (also named false positives or FPs). If you use higher
+# paranoia levels, it is likely that you will need to add some exclusion
+# rules for certain requests and applications receiving complex input.
+#
+# - A paranoia level of 1 is default. In this level, most core rules
+# are enabled. PL1 is advised for beginners, installations
+# covering many different sites and applications, and for setups
+# with standard security requirements.
+# At PL1 you should face FPs rarely. If you encounter FPs, please
+# open an issue on the CRS GitHub site and don't forget to attach your
+# complete Audit Log record for the request with the issue.
+# - Paranoia level 2 includes many extra rules, for instance enabling
+# many regexp-based SQL and XSS injection protections, and adding
+# extra keywords checked for code injections. 
PL2 is advised
+# for moderate to experienced users desiring more complete coverage
+# and for installations with elevated security requirements.
+# PL2 comes with some FPs which you need to handle.
+# - Paranoia level 3 enables more rules and keyword lists, and tweaks
+# limits on special characters used. PL3 is aimed at users experienced
+# at the handling of FPs and at installations with a high security
+# requirement.
+# - Paranoia level 4 further restricts special characters.
+# The highest level is advised for experienced users protecting
+# installations with very high security requirements. Running PL4 will
+# likely produce a very high number of FPs which have to be
+# treated before the site can go productive.
+#
+# All rules will log their PL to the audit log;
+# example: [tag "paranoia-level/2"]. This allows you to deduct from the
+# audit log how the WAF behavior is affected by paranoia level.
+#
+# It is important to also look into the variable
+# tx.enforce_bodyproc_urlencoded (Enforce Body Processor URLENCODED)
+# defined below. Enabling it closes a possible bypass of CRS.
+#
+# Uncomment this rule to change the default:
+#
+SecAction \
+ "id:900000,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.19.0',\
+ setvar:tx.blocking_paranoia_level=2"
+
+
+# It is possible to execute rules from a higher paranoia level but not include
+# them in the anomaly scoring. This allows you to take a well-tuned system on
+# paranoia level 1 and add rules from paranoia level 2 without having to fear
+# the new rules would lead to false positives that raise your score above the
+# threshold.
+# This optional feature is enabled by uncommenting the following rule and
+# setting the tx.detection_paranoia_level.
+# Technically, rules up to the level defined in tx.detection_paranoia_level
+# will be executed, but only the rules up to tx.blocking_paranoia_level affect the
+# anomaly scores. 
+# By default, tx.detection_paranoia_level is set to tx.blocking_paranoia_level.
+# tx.detection_paranoia_level must not be lower than tx.blocking_paranoia_level.
+#
+# Please notice that setting tx.detection_paranoia_level to a higher paranoia
+# level results in a performance impact that is equally high as setting
+# tx.blocking_paranoia_level to said level.
+#
+#SecAction \
+# "id:900001,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# tag:'OWASP_CRS',\
+# ver:'OWASP_CRS/4.19.0',\
+# setvar:tx.detection_paranoia_level=3"
+
+
+#
+# -- [[ Enforce Body Processor URLENCODED ]] -----------------------------------
+#
+# ModSecurity selects the body processor based on the Content-Type request
+# header. But clients are not always setting the Content-Type header for their
+# request body payloads. This will leave ModSecurity with limited vision into
+# the payload. The variable tx.enforce_bodyproc_urlencoded lets you force the
+# URLENCODED body processor in these situations. This is off by default, as it
+# implies a change of the behaviour of ModSecurity beyond CRS (the body
+# processor applies to all rules, not only CRS) and because it may lead to
+# false positives already on paranoia level 1. However, enabling this variable
+# closes a possible bypass of CRS so it should be considered.
+#
+# Uncomment this rule to change the default:
+#
+#SecAction \
+# "id:900010,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# tag:'OWASP_CRS',\
+# ver:'OWASP_CRS/4.19.0',\
+# setvar:tx.enforce_bodyproc_urlencoded=1"
+
+
+#
+# -- [[ Anomaly Scoring Mode Severity Levels ]] --------------------------------
+#
+# Each rule in the CRS has an associated severity level.
+# These are the default scoring points for each severity level.
+# These settings will be used to increment the anomaly score if a rule matches.
+# You may adjust these points to your liking, but this is usually not needed.
+#
+# - CRITICAL severity: Anomaly Score of 5. 
+# Mostly generated by the application attack rules (93x and 94x files).
+# - ERROR severity: Anomaly Score of 4.
+# Generated mostly from outbound leakage rules (95x files).
+# - WARNING severity: Anomaly Score of 3.
+# Generated mostly by malicious client rules (91x files).
+# - NOTICE severity: Anomaly Score of 2.
+# Generated mostly by the protocol rules (92x files).
+#
+# In anomaly mode, these scores are cumulative.
+# So it's possible for a request to hit multiple rules.
+#
+# (Note: In this file, we use 'phase:1' to set CRS configuration variables.
+# In general, 'phase:request' is used. However, we want to make absolutely sure
+# that all configuration variables are set before the CRS rules are processed.)
+#
+#SecAction \
+# "id:900100,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# tag:'OWASP_CRS',\
+# ver:'OWASP_CRS/4.19.0',\
+# setvar:tx.critical_anomaly_score=5,\
+# setvar:tx.error_anomaly_score=4,\
+# setvar:tx.warning_anomaly_score=3,\
+# setvar:tx.notice_anomaly_score=2"
+
+
+#
+# -- [[ Anomaly Scoring Mode Blocking Threshold Levels ]] ----------------------
+#
+# Here, you can specify at which cumulative anomaly score an inbound request,
+# or outbound response, gets blocked.
+#
+# Most detected inbound threats will give a critical score of 5.
+# Smaller violations, like violations of protocol/standards, carry lower scores.
+#
+# [ At default value ]
+# If you keep the blocking thresholds at the defaults, the CRS will work
+# similarly to previous CRS versions: a single critical rule match will cause
+# the request to be blocked and logged.
+#
+# [ Using higher values ]
+# If you want to make the CRS less sensitive, you can increase the blocking
+# thresholds, for instance to 7 (which would require multiple rule matches
+# before blocking) or 10 (which would require at least two critical alerts - or
+# a combination of many lesser alerts), or even higher. 
However, increasing the
+# thresholds might cause some attacks to bypass the CRS rules or your policies.
+#
+# [ New deployment strategy: Starting high and decreasing ]
+# It is a common practice to start a fresh CRS installation with elevated
+# anomaly scoring thresholds (>100) and then lower the limits as your
+# confidence in the setup grows. You may also look into the Sampling
+# Percentage section below for a different strategy to ease into a new
+# CRS installation.
+#
+# [ Anomaly Threshold / Paranoia Level Quadrant ]
+#
+# High Anomaly Limit | High Anomaly Limit
+# Low Paranoia Level | High Paranoia Level
+# -> Fresh Site | -> Experimental Site
+# ------------------------------------------------------
+# Low Anomaly Limit | Low Anomaly Limit
+# Low Paranoia Level | High Paranoia Level
+# -> Standard Site | -> High Security Site
+#
+# Uncomment this rule to change the defaults:
+#
+#SecAction \
+# "id:900110,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# tag:'OWASP_CRS',\
+# ver:'OWASP_CRS/4.19.0',\
+# setvar:tx.inbound_anomaly_score_threshold=5,\
+# setvar:tx.outbound_anomaly_score_threshold=4"
+
+
+#
+# -- [[ Application Specific Rule Exclusions ]] --------------------------------
+#
+# CRS 3.x contained exclusion packages to tweak the CRS for use with common
+# web applications, lowering the number of false positives.
+#
+# In CRS 4, these are no longer part of the CRS itself, but they are available
+# as "CRS plugins". Some plugins improve support for web applications, and others
+# may bring new functionality. 
Plugins are not installed by default, but can be
+# downloaded from the plugin registry:
+# https://github.com/coreruleset/plugin-registry
+#
+# For detailed information about using and installing plugins, please see:
+# https://coreruleset.org/docs/concepts/plugins/
+
+
+#
+# -- [[ Anomaly Score Reporting Level ]] ---------------------------------------
+#
+# When a request is blocked due to the anomaly score meeting or exceeding the
+# anomaly threshold then the blocking rule will also report the anomaly score.
+# This applies to the separate inbound and outbound anomaly scores.
+#
+# In phase 5, there are additional rules that can perform additional reporting
+# of anomaly scores with a verbosity that depends on the reporting level defined
+# below.
+#
+# By setting the reporting level you control whether you want additional
+# reporting beyond the blocking rule or not and, if yes, which requests should
+# be covered. The higher the reporting level, the more verbose the reporting is.
+#
+# There are 6 reporting levels:
+#
+# 0 - Reporting disabled
+# 1 - Reporting for requests with a blocking anomaly score >= a threshold
+# 2 - Reporting for requests with a detection anomaly score >= a threshold
+# 3 - Reporting for requests with a blocking anomaly score greater than 0
+# 4 - Reporting for requests with a detection anomaly score greater than 0
+# 5 - Reporting for all requests
+#
+# Note: Reporting levels 1 and 2 make it possible to differentiate between
+# requests that are blocked and requests that are *not* blocked but would have
+# been blocked if the blocking PL was equal to detection PL. This may be useful
+# for certain FP tuning methodologies, for example moving to a higher PL.
+#
+# A value of 5 can be useful on platforms where you are interested in logging
+# non-scoring requests, yet it is not possible to report this information in
+# the request/access log. This applies to Nginx, for example. 
+#
+#SecAction \
+# "id:900115,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# tag:'OWASP_CRS',\
+# ver:'OWASP_CRS/4.19.0',\
+# setvar:tx.reporting_level=4"
+
+
+#
+# -- [[ Early Anomaly Scoring Mode Blocking ]] ------------------------------
+#
+# The anomaly scores for the request and the responses are generally summed up
+# and evaluated at the end of phase:2 and at the end of phase:4 respectively.
+# However, it is possible to enable an early evaluation of these anomaly scores
+# at the end of phase:1 and at the end of phase:3.
+#
+# If a request (or a response) hits the anomaly threshold in this early
+# evaluation, then blocking happens immediately (if blocking is enabled) and
+# the phase 2 (and phase 4 respectively) will no longer be executed.
+#
+# Enable the rule 900120 that sets the variable tx.early_blocking to 1 in order
+# to enable early blocking. The variable tx.early_blocking is set to 0 by
+# default. Early blocking is thus disabled by default.
+#
+# Please note that early blocking will hide potential alerts from you. This
+# means that a payload that would appear in an alert in phase 2 (or phase 4)
+# does not get evaluated if the request is being blocked early. So when you
+# disabled early blocking again at some point in the future, then new alerts
+# from phase 2 might pop up.
+#SecAction \
+# "id:900120,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# tag:'OWASP_CRS',\
+# ver:'OWASP_CRS/4.19.0',\
+# setvar:tx.early_blocking=1"
+
+
+#
+# -- [[ Initialize Default Collections ]] -----------------------------------
+#
+# CRS provides a centralized option to initialize and populate collections
+# meant to be used by plugins (E.g.DoS protection plugin).
+# By default, Global and IP collections (see rule 901320),
+# being not used by core rules, are not initialized. 
+#
+# Uncomment this rule to change the default:
+#
+#SecAction \
+# "id:900130,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# tag:'OWASP_CRS',\
+# ver:'OWASP_CRS/4.19.0',\
+# setvar:tx.enable_default_collections=1"
+
+
+#
+# -- [[ HTTP Policy Settings ]] ------------------------------------------------
+#
+# This section defines your policies for the HTTP protocol, such as:
+# - allowed HTTP versions, HTTP methods, allowed request Content-Types
+# - forbidden file extensions (e.g. .bak, .sql) and request headers (e.g. Proxy)
+#
+# These variables are used in the following rule files:
+# - REQUEST-911-METHOD-ENFORCEMENT.conf
+# - REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+
+# HTTP methods that a client is allowed to use.
+# Default: GET HEAD POST OPTIONS
+# Example: for RESTful APIs, add the following methods: PUT PATCH DELETE
+# Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK
+# MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK
+# Uncomment this rule to change the default.
+#
+# The HTTP PUT method is normally used to upload data that is saved on the server at a user-supplied URL.
+# If enabled, an attacker may be able to inject arbitrary, and potentially malicious, content into the application or on to the file system of the web server.
+# Depending on the server's configuration, this may lead to compromise of other users (by uploading
+# client-executable scripts), compromise of the server (by uploading server-executable code), or other attacks.
+# For this reason, the PUT method is disabled by default.
+# GET, HEAD, POST and OPTIONS are seen as the minimal set of HTTP methods
+# from a security perspective. For static sites, removing the POST is
+# recommended. Add other HTTP methods as seen fit (see above). 
+#
+#SecAction \
+# "id:900200,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# tag:'OWASP_CRS',\
+# ver:'OWASP_CRS/4.19.0',\
+# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
+
+# Content-Types that a client is allowed to send in a request.
+# Default: |application/x-www-form-urlencoded| |multipart/form-data| |text/xml|
+# |application/xml| |application/soap+xml| |application/json| |application/reports+json| |application/csp-report|
+#
+# Please note, that the rule where CRS uses this variable (920420) evaluates it with operator
+# `@within`, which is case sensitive, but uses t:lowercase. You must add your whole custom
+# Content-Type with lowercase.
+#
+# Bypass Warning: some applications may not rely on the content-type request header in order
+# to parse the request body. This could make an attacker able to send malicious URLENCODED/JSON/XML
+# payloads without being detected by the WAF. Allowing request content-type that doesn't activate any
+# body processor (for example: "text/plain", "application/x-amf", "application/octet-stream", etc..)
+# could lead to a WAF bypass. For example, a malicious JSON payload submitted with a "text/plain"
+# content type may still be interpreted as JSON by a backend application but would not trigger the
+# JSON body parser at the WAF, leading to a bypass. To avoid bypasses, you must enable the appropriate
+# body parser based on the expected data in the request bodies (For example JSON for JSON data, XML for XML data, etc).
+#
+# When additional JSON content types are legitimately used in a deployment,
+# e.g. application/cloudevents+json, it is extremely important to ensure that a
+# rule exists to enable the engine's JSON body processor for these additional
+# JSON content types. Failure to do so can lead to a request body bypass. The
+# default JSON rule in modsecurity.conf-recommended (200001) will only activate
+# the JSON body processor for the specific content type application/json. 
The
+# optional modsecurity.conf-recommended rule 200006 can be used to enable the
+# JSON body processor for a wide variety of JSON content types.
+#
+# To prevent blocking request with not allowed content-type by default, you can create an exclusion
+# rule that removes rule 920420. It's important that you enable the correct body parser when allowing
+# an additional content type to prevent bypasses. For example, this rule enables the JSON body processor
+# for the text/plain content type:
+#SecRule REQUEST_HEADERS:Content-Type "@beginsWith text/plain" \
+# "id:1234,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# tag:'OWASP_CRS',\
+# ver:'OWASP_CRS/4.19.0',\
+# chain"
+# SecRule REQUEST_URI "@rx ^/foo/bar" \
+# "t:none,\
+# ctl:ruleRemoveById=920420,\
+# ctl:requestBodyProcessor=JSON"
+#
+# See: https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#ctl
+# See: https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v3.x)#ctl
+#
+# Uncomment this rule to change the default.
+#
+#SecAction \
+# "id:900220,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# tag:'OWASP_CRS',\
+# ver:'OWASP_CRS/4.19.0',\
+# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/reports+json| |application/csp-report|'"
+
+# Allowed HTTP versions.
+# Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0
+# Example for legacy clients: HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0
+# Note that some web server versions use 'HTTP/2', some 'HTTP/2.0', so
+# we include both version strings by default.
+# Uncomment this rule to change the default.
+#SecAction \
+# "id:900230,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# tag:'OWASP_CRS',\
+# ver:'OWASP_CRS/4.19.0',\
+# setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
+
+# Forbidden file extensions. 
+# Guards against unintended exposure of development/configuration files.
+# Default: .ani/ .asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .compositefont/ .config/ .conf/ .crt/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dist/ .dll/ .dos/ .dpkg-dist/ .drv/ .gadget/ .hta/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .inf/ .ini/ .jse/ .key/ .licx/ .lnk/ .log/ .mdb/ .msc/ .ocx/ .old/ .pass/ .pdb/ .pfx/ .pif/ .pem/ .pol/ .prf/ .printer/ .pwd/ .rdb/ .rdp/ .reg/ .resources/ .resx/ .scr/ .sct/ .shs/ .sql/ .swp/ .sys/ .tlb/ .tmp/ .vb/ .vbe/ .vbs/ .vbproj/ .vsdisco/ .vxd/ .webinfo/ .ws/ .wsc/ .wsf/ .wsh/ .xsd/ .xsx/
+# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .rdb/ .sql/
+# Note that .axd was removed due to false positives (see PR 1925).
+#
+# To additionally guard against configuration/install archive files from being
+# accidentally exposed, common archive file extensions can be added to the
+# restricted extensions list. An example list of common archive file extensions
+# is presented below:
+# .7z/ .br/ .bz/ .bz2/ .cab/ .cpio/ .gz/ .img/ .iso/ .jar/ .rar/ .tar/ .tbz2/ .tgz/ .txz/ .xz/ .zip/ .zst/
+# (Source: https://en.wikipedia.org/wiki/List_of_archive_formats)
+#
+# Uncomment this rule to change the default.
+#SecAction \
+# "id:900240,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# tag:'OWASP_CRS',\
+# ver:'OWASP_CRS/4.19.0',\
+# setvar:'tx.restricted_extensions=.ani/ .asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .compositefont/ .config/ .conf/ .crt/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dist/ .dll/ .dos/ .dpkg-dist/ .drv/ .gadget/ .hta/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .inf/ .ini/ .jse/ .key/ .licx/ .lnk/ .log/ .mdb/ .msc/ .ocx/ .old/ .pass/ .pdb/ .pfx/ .pif/ .pem/ .pol/ .prf/ .printer/ .pwd/ .rdb/ .rdp/ .reg/ .resources/ .resx/ .scr/ .sct/ .shs/ .sql/ .swp/ .sys/ .tlb/ .tmp/ .vb/ .vbe/ .vbs/ .vbproj/ .vsdisco/ .vxd/ .webinfo/ .ws/ .wsc/ .wsf/ .wsh/ .xsd/ .xsx/'"
+
+# Restricted request headers. 
+# The HTTP request headers that CRS restricts are split into two categories:
+# basic (always forbidden) and extended (may be forbidden). All header names
+# should be lowercase and enclosed by /slashes/ as delimiters.
+#
+# [ Basic ]
+# Includes deprecated headers and headers with known security risks. Always
+# forbidden.
+# Default: /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/ /x-middleware-subrequest/
+#
+# /content-encoding/
+# Used to list any encodings that have been applied to the original payload.
+# Only used for compression, which isn't supported by CRS by default since CRS
+# blocks newlines and null bytes inside the request body. Most compression
+# algorithms require at least null bytes per RFC. Blocking Content-Encoding
+# shouldn't break anything and increases security since WAF engines, including
+# ModSecurity, are typically incapable of properly scanning compressed request
+# bodies.
+#
+# /proxy/
+# Blocking this prevents the 'httpoxy' vulnerability: https://httpoxy.org
+#
+# /lock-token/
+#
+# /content-range/
+#
+# /if/
+#
+# /x-http-method-override/
+# /x-http-method/
+# /x-method-override/
+# Blocking these headers prevents method override attacks, as described here:
+# https://www.sidechannel.blog/en/http-method-override-what-it-is-and-how-a-pentester-can-use-it
+#
+# /x-middleware-subrequest/
+# CVE-2025-29927 (Next.js)
+#
+# Uncomment this rule to change the default.
+#SecAction \
+# "id:900250,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# tag:'OWASP_CRS',\
+# ver:'OWASP_CRS/4.19.0',\
+# setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/ /x-middleware-subrequest/'"
+#
+# [ Extended ]
+# Includes deprecated headers that are still in use (so false positives are
+# possible) and headers with possible security risks. Forbidden at a higher
+# paranoia level. 
+# Default: /accept-charset/
+#
+# /accept-charset/
+# Deprecated header that should not be used by clients and should be ignored
+# by servers. Can be used for a response WAF bypass by asking for a charset
+# that the WAF cannot decode. Considered to be a good indicator of suspicious
+# behavior but produces too many false positives to be forbidden by default.
+# References:
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Charset
+# https://github.com/coreruleset/coreruleset/issues/3140
+#
+# Uncomment this rule to change the default.
+#SecAction \
+# "id:900255,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# tag:'OWASP_CRS',\
+# ver:'OWASP_CRS/4.19.0',\
+# setvar:'tx.restricted_headers_extended=/accept-charset/'"
+
+# Content-Types charsets that a client is allowed to send in a request.
+# The content-types are enclosed by |pipes| as delimiters to guarantee exact matches.
+#
+# You can add additional character sets if something more exotic is required. One caveat: you will also need to edit 'regex-assembly/include/allowed-charsets.ra' and rebuild all the associated regular expressions using `crs-toolchain regex update --all`. See https://coreruleset.org/docs/6-development/6-2-crs-toolchain/.
+#
+# Warning: If the WAF engine is unable to fully and correctly decode a newly added character encoding then this can lead to a full request body or response body bypass. Additional permitted character encodings should be added with caution and tested to ensure inspection is not affected.
+#
+# Default: |utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|
+# Uncomment this rule to change the default. 
+#SecAction \
+# "id:900280,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# tag:'OWASP_CRS',\
+# ver:'OWASP_CRS/4.19.0',\
+# setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
+
+#
+# -- [[ HTTP Argument/Upload Limits ]] -----------------------------------------
+#
+# Here you can define optional limits on HTTP get/post parameters and uploads.
+# This can help to prevent application specific DoS attacks.
+#
+# These values are checked in REQUEST-920-PROTOCOL-ENFORCEMENT.conf.
+# Beware of blocking legitimate traffic when enabling these limits.
+#
+
+# Block request if number of arguments is too high
+# Default: unlimited
+# Example: 255
+# Note that a hard limit by the engine may also apply here (SecArgumentsLimit).
+# This would override this soft limit.
+# Uncomment this rule to set a limit.
+#SecAction \
+# "id:900300,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# tag:'OWASP_CRS',\
+# ver:'OWASP_CRS/4.19.0',\
+# setvar:tx.max_num_args=255"
+
+# Block request if the length of any argument name is too high
+# Default: unlimited
+# Example: 100
+# Uncomment this rule to set a limit.
+#SecAction \
+# "id:900310,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# tag:'OWASP_CRS',\
+# ver:'OWASP_CRS/4.19.0',\
+# setvar:tx.arg_name_length=100"
+
+# Block request if the length of any argument value is too high
+# Default: unlimited
+# Example: 400
+# Uncomment this rule to set a limit.
+#SecAction \
+# "id:900320,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# tag:'OWASP_CRS',\
+# ver:'OWASP_CRS/4.19.0',\
+# setvar:tx.arg_length=400"
+
+# Block request if the total length of all combined arguments is too high
+# Default: unlimited
+# Example: 64000
+# Uncomment this rule to set a limit. 
+#SecAction \
+# "id:900330,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# tag:'OWASP_CRS',\
+# ver:'OWASP_CRS/4.19.0',\
+# setvar:tx.total_arg_length=64000"
+
+# Block request if the file size of any individual uploaded file is too high
+# Default: unlimited
+# Example: 1048576
+# Uncomment this rule to set a limit.
+#SecAction \
+# "id:900340,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# tag:'OWASP_CRS',\
+# ver:'OWASP_CRS/4.19.0',\
+# setvar:tx.max_file_size=1048576"
+
+# Block request if the total size of all combined uploaded files is too high
+# Default: unlimited
+# Example: 1048576
+# Uncomment this rule to set a limit.
+#SecAction \
+# "id:900350,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# tag:'OWASP_CRS',\
+# ver:'OWASP_CRS/4.19.0',\
+# setvar:tx.combined_file_sizes=1048576"
+
+
+#
+# -- [[ Easing In / Sampling Percentage ]] -------------------------------------
+#
+# Adding the CRS to an existing productive site can lead to false
+# positives, unexpected performance issues and other undesired side effects.
+#
+# It can be beneficial to test the water first by enabling the CRS for a
+# limited number of requests only and then, when you have solved the issues (if
+# any) and you have confidence in the setup, to raise the ratio of requests
+# being sent into the ruleset.
+#
+# Adjust the percentage of requests that are funnelled into the Core Rules by
+# setting TX.sampling_percentage below. The default is 100, meaning that every
+# request gets checked by the CRS. The selection of requests, which are going
+# to be checked, is based on a pseudo random number generated by ModSecurity.
+#
+# If a request is allowed to pass without being checked by the CRS, there is no
+# entry in the audit log (for performance reasons), but an error log entry is
+# written. If you want to disable the error log entry, then issue the
+# following directive somewhere after the inclusion of the CRS
+# (E.g., RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf).
+#
+#SecRuleUpdateActionById 901450 "nolog"
+#
+# ATTENTION: If this TX.sampling_percentage is below 100, then some of the
+# requests will bypass the Core Rules completely and you lose the ability to
+# protect your service with ModSecurity.
+#
+# Uncomment this rule to enable this feature:
+#
+#SecAction \
+# "id:900400,\
+# phase:1,\
+# pass,\
+# nolog,\
+# tag:'OWASP_CRS',\
+# ver:'OWASP_CRS/4.19.0',\
+# setvar:tx.sampling_percentage=100"
+
+
+
+#
+# -- [[ Check UTF-8 encoding ]] ------------------------------------------------
+#
+# The CRS can optionally check request contents for invalid UTF-8 encoding.
+# We only want to apply this check if UTF-8 encoding is actually used by the
+# site; otherwise it will result in false positives.
+#
+# Uncomment this rule to use this feature:
+#
+#SecAction \
+# "id:900950,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# tag:'OWASP_CRS',\
+# ver:'OWASP_CRS/4.19.0',\
+# setvar:tx.crs_validate_utf8_encoding=1"
+
+# -- [[ Skip Checking Responses ]] ------------------------------------------------
+#
+# CRS will perform analysis of the response contents if this is enabled and you have
+# the directive `SecResponseBodyAccess On`.
+#
+# Warning: this feature is _enabled_ by default, but depending on your applications
+# you might be targeted in a Request Filter Denial of Service (RFDoS) attack.
+#
+# References: https://blog.sicuranext.com/response-filter-denial-of-service-a-new-way-to-shutdown-a-website/
+#
+# Uncomment this rule to _skip checking responses_.
+#
+#SecAction \
+# "id:900500,\
+# phase:1,\
+# pass,\
+# t:none,\
+# nolog,\
+# tag:'OWASP_CRS',\
+# ver:'OWASP_CRS/4.19.0',\
+# setvar:tx.crs_skip_response_analysis=1"
+
+#
+# -- [[ End of setup ]] --------------------------------------------------------
+#
+# The CRS checks the tx.crs_setup_version variable to ensure that the setup
+# has been loaded. If you are not planning to use this setup template,
+# you must manually set the tx.crs_setup_version variable before including
+# the CRS rules/* files.
+#
+# The variable is a numerical representation of the CRS version number.
+# E.g., v3.0.0 is represented as 300.
+#
+SecAction \
+ "id:900990,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.19.0',\
+ setvar:tx.crs_setup_version=4190"
diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/docs/CHANGES.md b/blue/Tools/zoo/modules/turtle/coreruleset/docs/CHANGES.md
new file mode 100644
index 0000000..6986157
--- /dev/null
+++ b/blue/Tools/zoo/modules/turtle/coreruleset/docs/CHANGES.md
@@ -0,0 +1,2440 @@
+# OWASP CRS CHANGES
+
+## Report Bugs/Issues to GitHub Issues Tracker or the mailinglist
+* https://github.com/coreruleset/coreruleset/issues
+ or the CRS Google Group at
+* https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project
+
+## Version 4.22.0 - 2026-01-05
+
+## What's Changed
+### CRITICAL
+* fix for 9AJ-260102
+
+### 🧰 Other Changes
+* feat(934100): added sequence for CVE-2025-55182 POCs by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4372
+* feat(942440): reduce false positive by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4346
+* fix(942431): reduce false positive with arrays in ARGS_NAMES by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4305
+* fix: make regexen Rust's regex compatible by @fgsch in https://github.com/coreruleset/coreruleset/pull/4385
+* refactor: drop older spelling variants by @fgsch in https://github.com/coreruleset/coreruleset/pull/4386
+
+Special thanks to @daytriftnewgen for responsible reporting 9AJ-260102
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.21.0...v4.22.0
+
+## Version 4.21.0 - 2025-12-01
+
+## What's Changed
+### 🆕 New features and detections 🎉
+* feat(931100): add IPv6 support / XML scan and SSH scheme. by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4321
+* feat(920440): add new restricted file extensions by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4322
+### 🧰 Other Changes
+* fix(942160): adding unit test for double comment by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4315
+* fix(920280, 920300, 920310, 920311, 920320, 920330): should be block by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4319
+* fix(942151,942152): wrong functions names by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4333
+* feat(942460): adding help for non-English folks by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4334
+* fix(932180): reduce substring false positives by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4338
+* fix(942151,942152): wrong functions names by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4337
+* fix(920180): wrong unit test - content-type evasion bypass by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4339
+* fix(956110): move rule to pl-2 by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4344
+* docs: comment on disabling `Expect` header in .Net by @theseion in https://github.com/coreruleset/coreruleset/pull/4348
+* fix: add missing capture action to affected rules by @airween in https://github.com/coreruleset/coreruleset/pull/4361
+
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.20.0...v4.21.0
+
+## Version 4.20.0 - 2025-11-02
+
+## What's Changed
+### 🆕 New features and detections 🎉
+* feat: update restricted file extensions by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4287
+* feat(930120): adding conf file for PrestaShop 1.6 / 1.7 / 8+ & Magento 2 by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4303
+* feat: add expect header to list of restricted headers by @franbuehler in https://github.com/coreruleset/coreruleset/pull/4298
+### 🧰 Other Changes
+* fix(942560): missing capture keyword by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4285
+* fix(932281): reduce false positive matches with json payload by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4288
+* fix(932240): reduce false positive matches with json payloads by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4290
+* fix(921180, 921210, 921220): should be block not pass by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4294
+* fix(942550): partial revert - too high risk of false positive by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4284
+* fix(942160): updating regex to deal with new payloads by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4292
+
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.19.0...v4.20.0
+
+## Version 4.19.0 - 2025-10-02
+
+## What's Changed
+### ⭐ Important changes
+* refactor: 920340 - delete 920341 by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4268
+### 🆕 New features and detections 🎉
+* fix: update lfi-os-files.data by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4240
+### 🧰 Other Changes
+* fix: dont block `.url` file extension by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4259
+* fix(933135): wrong score variable by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4262
+* fix(933153): missing inbound_anomaly_score by @touchweb-vincent in https://github.com/coreruleset/coreruleset/pull/4260
+* fix(953100): remove generic SQLSTATE error codes causing false positives by @Elnadrion in https://github.com/coreruleset/coreruleset/pull/4257
+* feat: add stricter sibling 954101 to 954100 by @franbuehler in https://github.com/coreruleset/coreruleset/pull/4258
+* fix(942550): cleanup regex by @fzipi in https://github.com/coreruleset/coreruleset/pull/3767
+* fix: reduce false positives with php response rules by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4272
+* fix: don't block on all question marks (942550 PL-1) by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4264
+* feat: whitelist application/csp-report content-type header by @Elnadrion in https://github.com/coreruleset/coreruleset/pull/4274
+
+## New Contributors
+* @touchweb-vincent made their first contribution in https://github.com/coreruleset/coreruleset/pull/4262
+* @Elnadrion made their first contribution in https://github.com/coreruleset/coreruleset/pull/4257
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.18.0...v4.19.0
+
+## Version 4.18.0 - 2025-09-03
+
+## What's Changed
+### 🆕 New features and detections 🎉
+* feat: add `application/reports+json` content-type header by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4230
+* feat: update unix commands list by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4215
+* feat: added ssh commands by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4249
+* feat: detect `rmt` and `rmt-tar` by @theseion in https://github.com/coreruleset/coreruleset/pull/4242
+### 🧰 Other Changes
+* feat: Add product name tags by @TimDiam0nd in https://github.com/coreruleset/coreruleset/pull/3960
+* fix: remove dot star by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4235
+* fix(942370): remove dot star by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4234
+* fix: avoid matching non-ruby errors and source code by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4224
+* fix: don't replace cmdline suffixes for 932220 and 932250 by @theseion in https://github.com/coreruleset/coreruleset/pull/4231
+
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.17.1...v4.18.0
+
+## Version 4.17.1 - 2025-08-05
+
+## What's Changed
+### ⭐ Important changes
+* chore: removed detection for LaTeX injection by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4221
+### 🧰 Other Changes
+* fix(942340): remove dot star by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4220
+
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.17.0...v4.17.1
+## Version 4.17.0 - 2025-07-31
+
+## What's Changed
+### ⭐ Important changes
+* feat: remove PCI DSS tags (#4194) by @pha6d in https://github.com/coreruleset/coreruleset/pull/4203
+### 🆕 New features and detections 🎉
+* feat: added detection for ASP.NET errors by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4092
+* feat: added detection for RCE via Referer header by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/3993
+* feat: added detection for LaTeX injection by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4206
+* feat: added detection for ruby errors and code leakage by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4089
+### 🧰 Other Changes
+* fix(951xxx): remove dot star by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4171
+* fix: use word bondary on 952110 to avoid matching non-java errors by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4177
+* feat: Update java-classes.data by @KIC-8462852 in https://github.com/coreruleset/coreruleset/pull/4173
+* fix(931130): update file uri with single slash by @fzipi in https://github.com/coreruleset/coreruleset/pull/4193
+* fix(932281): avoid matching on json payloads by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4187
+* fix: 932280/932281 bypass by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4207
+
+## New Contributors
+* @KIC-8462852 made their first contribution in https://github.com/coreruleset/coreruleset/pull/4173
+* @pha6d made their first contribution in https://github.com/coreruleset/coreruleset/pull/4203
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.16.0...v4.17.0
+
+## Version 4.16.0 - 2025-06-29
+
+## What's Changed
+### 🆕 New features and detections 🎉
+* feat: remediation for Python SSTI by @TheRubick in https://github.com/coreruleset/coreruleset/pull/4145
+* fix: update rule 942560 by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4161
+* feat: detect generic config filenames by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4102
+* feat: update `java-errors.data` by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4113
+* feat: added rule to detect Bash Brace Expansion by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/3780
+* feat: added MongoDB operators by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4162
+### 🧰 Other Changes
+* fix(941160): remove dot star by @fzipi in https://github.com/coreruleset/coreruleset/pull/4155
+* fix(934140): remove dot star by @fzipi in https://github.com/coreruleset/coreruleset/pull/4165
+* fix(932370): remove dot star by @fzipi in https://github.com/coreruleset/coreruleset/pull/4166
+* fix(955xxx): remove dot star by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4169
+* fix(933150): moving printf to 933160 for additional php syntax check (933150 PL-1, 933160 PL-1) by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/3840
+* fix: create a stricter sibling to 932370 and move `at` to PL-2 (932370 PL-1, 932371 PL-2) by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4015
+* fix(942340): remove dot star by @fzipi in https://github.com/coreruleset/coreruleset/pull/4164
+* refactor(942340): move to regex assembly by @fzipi in https://github.com/coreruleset/coreruleset/pull/4014
+* fix(933160): remove dot star by @fzipi in https://github.com/coreruleset/coreruleset/pull/4167
+
+## New Contributors
+* @TheRubick made their first contribution in https://github.com/coreruleset/coreruleset/pull/4145
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.15.0...v4.16.0
+
+## Version 4.15.0 - 2025-06-03
+
+## What's Changed
+### 🆕 New features and detections 🎉
+* feat: add User-Agent and Referer into targets (942280 PL1) by @azurit in https://github.com/coreruleset/coreruleset/pull/4115
+* feat: update `java-classes.data` by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4080
+* feat: block database yaml files by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4130
+### 🧰 Other Changes
+* fix: false positive with `title_strip_tags` by moving `strip_tags` to 933160 by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4105
+* fix: remove `self` command by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4111
+* fix: remove rc shell to reduce FPs by @theseion in https://github.com/coreruleset/coreruleset/pull/4125
+* feat: remove unnecessary character class from 933151 by @TimDiam0nd in https://github.com/coreruleset/coreruleset/pull/4135
+* fix: false positives with session tokens/cookies 933150 by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4142
+* fix: add word ending to unix command sendmail (932235 PL1, 932236 PL2, 932239 PL2, 932260 PL1) by @franbuehler in https://github.com/coreruleset/coreruleset/pull/4141
+* feat: 933151 change from capture and double `pmf` to regex by @TimDiam0nd in https://github.com/coreruleset/coreruleset/pull/4139
+* feat: 933120 change from capture and double `pmf` to regex by @TimDiam0nd in https://github.com/coreruleset/coreruleset/pull/4138
+* feat: remove exclusion of deprecated `__utm` cookies by @theseion in https://github.com/coreruleset/coreruleset/pull/4151
+
+## Version 4.14.0 - 2025-04-29
+
+## What's Changed
+### 🆕 New features and detections 🎉
+* feat: detect ASP web shells by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4063
+* feat: detect compressed database dumps by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4082
+* feat: detect javascript methods import fetch console.log `console.dir` by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4076
+### 🧰 Other Changes
+* fix: fixing FPs related to rule 951220 by @azurit in https://github.com/coreruleset/coreruleset/pull/4079
+* fix: don't block ttf font files by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4081
+* fix: 932270 FP by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/3917
+* fix(954100): detect forward slash in path by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4094
+* fix: remove `.application` from restricted extensions by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4103
+* fix: 44J-250329 by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4107
+
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.13.0...v.4.14.0
+
+## Version 4.13.0 - 2025-03-31
+
+## What's Changed
+### ⭐ Important changes
+* fix(security): fixing double URL decode of REQUEST_URI by @azurit in https://github.com/coreruleset/coreruleset/pull/4047
+### 🆕 New features and detections 🎉
+* feat: block header related to CVE-2025-29927 (Next.js) by @azurit in https://github.com/coreruleset/coreruleset/pull/4053
+* feat: added new XSS payloads by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4055
+* feat: add potential malicious file extensions into tx.restricted_extensions by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4068
+* feat: add additional files commonly accessed by bots by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4069
+### 🪦 Rule removals
+* feat: remove rule 952100 for detecting Java Source Code Leakage by @S0obi in https://github.com/coreruleset/coreruleset/pull/4052
+### 🧰 Other Changes
+* fix(934130): extend prototype pollution payload by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4036
+* fix: rule 930110 is not supposed to match bare '..' without (back)slashes by @azurit in https://github.com/coreruleset/coreruleset/pull/4050
+* fix: use boundary to fix false positive with email `firstname.dockery@host.tld` by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4045
+* feat: refresh restricted-upload.data by @S0obi in https://github.com/coreruleset/coreruleset/pull/4046
+* fix: tag inconsistency per file by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4031
+* feat: adding .dist and .dpkg-dist into tx.restricted_extensions by @azurit in https://github.com/coreruleset/coreruleset/pull/4057
+* feat: add more default session cookie names by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/4062
+* fix: added pre-check of unset TX variable by @airween in https://github.com/coreruleset/coreruleset/pull/4066
+* fix: false positive found in quantitative testing round 2 for unix rce rules (932230 PL-1, 932235 PL-1, 932250 PL-1, 932260 PL-1, 932231 PL-2, 932220 PL-2, 932236 PL-2, 932239 PL-2, 932232 PL-3, 932238 PL-3) by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4019
+
+## New Contributors
+* @daum3ns made their first contribution in https://github.com/coreruleset/coreruleset/pull/4043
+* @S0obi made their first contribution in https://github.com/coreruleset/coreruleset/pull/4046
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.12.0...v4.13.0
+
+## Version 4.12.0 - 2025-03-01
+
+## What's Changed
+### 🆕 New features and detections 🎉
+* feat: prevent V1 cookie format use by @fzipi in https://github.com/coreruleset/coreruleset/pull/4006
+* feat: added new restricted files for openstack and docker compose by @azurit in https://github.com/coreruleset/coreruleset/pull/4021
+### 🧰 Other Changes
+* fix: multipart header tag consistency by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/3992
+* fix: prevent invalid commands matches on 5 characters or less (932220 PL-2, 932230 PL-1, 932232 PL-3, 932235 PL-1, 932236 PL-2, 932237 PL-3, 932238 PL-3, 932239 PL-2, 932250 PL-1, 932260 PL-1) by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/3735
+* docs: add warning about default charsets modification by @fzipi in https://github.com/coreruleset/coreruleset/pull/4003
+* fix: response splitting rules and tests by @theseion in https://github.com/coreruleset/coreruleset/pull/4009
+* fix(933160): use better regex by @fzipi in https://github.com/coreruleset/coreruleset/pull/4010
+* fix: move fopen to 933160 to resolve fp with `RootAndLeafOpenCamera.jpg` (933150 PL-1, 933160 PL-1) by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/4016
+* fix(941210): update log message to reflect rule javascript word detection by @fzipi in https://github.com/coreruleset/coreruleset/pull/4023
+* fix: remove .env from lfi-os-files.data by @theseion in https://github.com/coreruleset/coreruleset/pull/4024
+
+## New Contributors
+* @renovate made their first contribution in https://github.com/coreruleset/coreruleset/pull/4000
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.11.0...v4.12.0
+
+## Version 4.11.0 - 2025-01-27
+
+## What's Changed
+### 🪦 Rule removals
+* feat: Remove rules for lack of viable attack scenario (920220 PL1, 920221 PL1) by @dune73 in https://github.com/coreruleset/coreruleset/pull/3969
+### 🧰 Other Changes
+* fix: remove aliases man, mi, si and resolve positives (932125 PL1) by @franbuehler in https://github.com/coreruleset/coreruleset/pull/3971
+* fix: remove where, if, for and vol and resolve false positives (932380 PL1) by @franbuehler in https://github.com/coreruleset/coreruleset/pull/3972
+* fix: make 932300 actually case-insensitive by @theseion in https://github.com/coreruleset/coreruleset/pull/3977
+* fix: remove sql function names to resolve false positives (942151 PL1) by @franbuehler in https://github.com/coreruleset/coreruleset/pull/3973
+* fix: issue 3809 by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/3983
+
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.10.0...v4.11.0
+
+## Version 4.10.0 - 2024-12-29
+
+## What's Changed
+### 🆕 New features and detections 🎉
+* feat: block CVE-2023-5003 by @azurit in https://github.com/coreruleset/coreruleset/pull/3955
+* feat: prevent accessing PHP variables by @azurit in https://github.com/coreruleset/coreruleset/pull/3965
+### 🧰 Other Changes
+* fix: FP against `pattern` with `=` following at arbitrary position by @theseion in https://github.com/coreruleset/coreruleset/pull/3963
+
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.9.0...v4.10.0
+
+## Version 4.9.0 - 2024-11-29
+
+## What's Changed
+### ⭐ Important changes
+* feat: add variable to skip response rules by @fzipi in https://github.com/coreruleset/coreruleset/pull/3944
+### 🆕 New features and detections 🎉
+* feat: add fish shell files to restricted-files.data by @OhMyVolk in https://github.com/coreruleset/coreruleset/pull/3915
+* feat: add quantitative testing to Git workflow by @airween in https://github.com/coreruleset/coreruleset/pull/3924
+### 🧰 Other Changes
+* feat: added support for new web shells by @azurit in https://github.com/coreruleset/coreruleset/pull/3898
+* fix(security): remove double URL decode (921151 PL2, 932190 PL3, 942441 PL2, 942442 PL2, 942460 PL3) by @azurit in https://github.com/coreruleset/coreruleset/pull/3741
+* docs: extended rule documentation (900200) by @dune73 in https://github.com/coreruleset/coreruleset/pull/3934
+
+## New Contributors
+* @OhMyVolk made their first contribution in https://github.com/coreruleset/coreruleset/pull/3915
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.8.0...v4.9.0
+
+## Version 4.8.0 - 2024-10-28
+
+## What's Changed
+### ⭐ Important changes
+* fix: 9EA-241022 v4 by @RedXanadu in https://github.com/coreruleset/coreruleset/pull/3905
+### 🆕 New features and detections 🎉
+* chore: set up nginx tests by @theseion in https://github.com/coreruleset/coreruleset/pull/3856
+### 🧰 Other Changes
+* fix: remove unnecessary capture groups by @TimDiam0nd in https://github.com/coreruleset/coreruleset/pull/3849
+* fix(942120): update operators by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/3841
+* fix(933120): do not match on base64 encoded strings by @fzipi in https://github.com/coreruleset/coreruleset/pull/3863
+* fix(refactor): 942130 and 942131 regex-assembly by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/3862
+* fix(942520): SQL operators can be one or more characters by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/3845
+* chore: remove verify id-range by @fzipi in https://github.com/coreruleset/coreruleset/pull/3885
+* chore: remove find-max-datalen-in-tests by @fzipi in https://github.com/coreruleset/coreruleset/pull/3891
+* chore: remove honeypot sensor by @fzipi in https://github.com/coreruleset/coreruleset/pull/3883
+* chore: remove browser tools by @fzipi in https://github.com/coreruleset/coreruleset/pull/3887
+* chore: remove send-payload-pls by @fzipi in https://github.com/coreruleset/coreruleset/pull/3879
+* chore: remove geo-location by @fzipi in https://github.com/coreruleset/coreruleset/pull/3875
+* chore: remove crs2 renumbering by @fzipi in https://github.com/coreruleset/coreruleset/pull/3873
+* chore: remove change-version script by @fzipi in https://github.com/coreruleset/coreruleset/pull/3869
+* chore: remove join multiline rules by @fzipi in https://github.com/coreruleset/coreruleset/pull/3877
+* chore: remove av-scanning by @fzipi in https://github.com/coreruleset/coreruleset/pull/3871
+* chore: remove util virtual patching by @fzipi in https://github.com/coreruleset/coreruleset/pull/3889
+* chore: remove fp-finder by @fzipi in https://github.com/coreruleset/coreruleset/pull/3893
+
+## New Contributors
+* @evidencebp made their first contribution in https://github.com/coreruleset/coreruleset/pull/3837
+* @mtaket made their first contribution in https://github.com/coreruleset/coreruleset/pull/3855
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.7.0...v4.8.0
+
+## Version 4.7.0 - 2024-09-23
+
+### 🆕 New features and detections 🎉
+* feat: added sendgrid.env into restricted files by @azurit in https://github.com/coreruleset/coreruleset/pull/3823
+### 🧰 Other Changes
+* fix: Changed regex (920470) to match multiple whitespaces after `Content-Type` parameters to avoid false-positives by @lostmann-owl-it in https://github.com/coreruleset/coreruleset/pull/3818
+* fix: fp with user-agent containing ; pg (932239 PL2) by @franbuehler in https://github.com/coreruleset/coreruleset/pull/3727
+* fix: update xss detection with onwebkitplaybacktargetavailabilitychanged event by @fzipi in https://github.com/coreruleset/coreruleset/pull/3822
+* feat: refactoring (944110 PL1) by @azurit in https://github.com/coreruleset/coreruleset/pull/3715
+
+## New Contributors
+* @lostmann-owl-it made their first contribution in https://github.com/coreruleset/coreruleset/pull/3818
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.6.0...v4.7.0
+
+## Version 4.6.0 - 2024-08-27
+
+### ⭐ Important changes
+* fix: prevent using backslash in file names by @fzipi in https://github.com/coreruleset/coreruleset/pull/3799
+* feat: add new rule to catch invalid character in multipart headers by @airween, @theseion, @fzipi in https://github.com/coreruleset/coreruleset/pull/3796
+
+Big thanks tu @luelueking for reporting us these two ☝️ .
+
+### 🧰 Other Changes
+* feat: rule to detect bash tilde expansion by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/3765
+* fix: Update 932270's `ver` by @airween in https://github.com/coreruleset/coreruleset/pull/3786
+* perf: remove unnecessary chain rule and capture (921180 PL3) by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/3787
+* fix: add pem to restricted file extensions by @EsadCetiner in https://github.com/coreruleset/coreruleset/pull/3789
+* fix(942160): check REQUEST_FILENAME by @mat1010 in https://github.com/coreruleset/coreruleset/pull/3782
+
+## New Contributors
+* @mat1010 made their first contribution in https://github.com/coreruleset/coreruleset/pull/3782
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.5.0...v4.6.0
+
+## Version 4.5.0 - 2024-07-23
+
+### 🆕 New features and detections 🎉
+* feat: added arithmetic expansion payload by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/3756
+### 🧰 Other Changes
+* fix(security): alias false negative by @Xhoenix in https://github.com/coreruleset/coreruleset/pull/3740
+* feat: add test overrides for nginx by @theseion in https://github.com/coreruleset/coreruleset/pull/3369
+* fix: use proper capture for log output of 932300 by @theseion in https://github.com/coreruleset/coreruleset/pull/3763
+* chore: use lowercase character class for 932320 by @theseion in https://github.com/coreruleset/coreruleset/pull/3772
+* fix: remove nonnecessary variable (932260 PL1) by @dune73 in https://github.com/coreruleset/coreruleset/pull/3773
+
+## New Contributors
+* @aryehb made their first contribution in https://github.com/coreruleset/coreruleset/pull/3755
+
+**Full Changelog**: https://github.com/coreruleset/coreruleset/compare/v4.4.0...v4.5.0
+
+## Version 4.4.0 - 2024-06-23
+
+### 🆕 New features and detections 🎉
+* fix: ignore checking compressed response body by @azurit in https://github.com/coreruleset/coreruleset/pull/3712
+
+### 🧰 Other Changes
+* fix(934140): update regex by @fzipi in https://github.com/coreruleset/coreruleset/pull/3731
+* fix: replacing t:UrlDecode with t:UrlDecodeUni (921240 PL1, 932170 PL1, 932171 PL1, 932190 PL3, 932190 PL1, 933211 PL3, 941310 PL1, 941350 PL1) by @azurit in https://github.com/coreruleset/coreruleset/pull/3713
+* feat: skip response rules if data are compressed by @azurit in https://github.com/coreruleset/coreruleset/pull/3742
+
+## Version 4.3.0 - 2024-05-24
+
+### 🆕 New features and detections 🎉
+
+* feat: catch Java PostgreSQL errors (951240 PL1) by @azurit in https://github.com/coreruleset/coreruleset/pull/3686
+* feat: block The Mysterious Mozlila User Agent bot (913100 PL1) by @brentclark in https://github.com/coreruleset/coreruleset/pull/3646
+
+### 🧰 Other Changes
+* fix: Oracle SQL database data leakage FP (951120 PL1) by @azurit in https://github.com/coreruleset/coreruleset/pull/3685
+* fix: typos in 920330 and 942280 tests by @TimDiam0nd in https://github.com/coreruleset/coreruleset/pull/3688
+* test: change pl-1 to pl1 to be inline with others by @TimDiam0nd in https://github.com/coreruleset/coreruleset/pull/3690
+* feat: use renovate to update docker-compose by @theseion in https://github.com/coreruleset/coreruleset/pull/3697
+* fix: FP for `sched` (932235 PL1, 932236 PL2, 932237 PL3, 932239 PL2, … by @theseion in https://github.com/coreruleset/coreruleset/pull/3701
+* fix: collections not being initialized without User-Agent header by @azurit in https://github.com/coreruleset/coreruleset/pull/3645
+* feat: refactoring of rule 941310 (PL1 941310) by @azurit in https://github.com/coreruleset/coreruleset/pull/3700
+* fix: resolving more FPs with Oracle error messages (951120 PL1) by @azurit in https://github.com/coreruleset/coreruleset/pull/3703
+* fix: removing double t:urlDecodeUni (920221 PL1, 920440 PL1, 932200 PL2, 932205 PL2, 932206 PL2) by @azurit in https://github.com/coreruleset/coreruleset/pull/3699
+* fix: false positives from PHP config directives and functions (933120 PL1, 933151 PL2) by @ssigwart in https://github.com/coreruleset/coreruleset/pull/3638
+* feat: prevent detection of web shells rules as malware by Windows Defender (955260 PL1) by @azurit in https://github.com/coreruleset/coreruleset/pull/3687
+* fix: fp with name axel by removing it from rce rule (932260 PL1) by @franbuehler in https://github.com/coreruleset/coreruleset/pull/3705
+
+## Version 4.2.0 - 2024-04-23
+
+Changes with direct rule impact (sorted by lowest rule ID per change where available):
+
+ * fix: increase length of Accept-Encoding header from 50 to 100 (920520 PL1) (Franziska Bühler) [#3661]
+ * fix: add missing roundcube files (930120 PL1, 930121 PL2, 930130 PL1, 932180 PL1) (Esad Cetiner) [#3635]
+ * fix: add visudo and cscli to unix-shell.data (932160 PL1, 932161 PL2) (Esad Cetiner) [#3663]
+ * feat: block crowdsec cscli and visudo commands (932235 PL1, 932236 PL2, 932237 PL3, 932239 PL2, 932260 PL1) (Esad Cetiner) [#3649]
+ * fix: add detection for php evasion attempt (933100 PL1) (Franziska Bühler) [#3667]
+
+Changes without direct rule impact:
+
+ * feat: disassemble php rule (933100 PL1) (Franziska Bühler) [#3662]
+ * chore: remove references to nonexistant 942110 rule (Esad Cetiner) [#3648]
+
+## Version 4.1.0 - 2024-03-21
+
+Changes with direct rule impact (sorted by lowest rule ID per change where available):
+
+ * feat: add support for additional ansible and chef commands (932160 PL1, 932161 PL2, 932235 PL1, 932260 PL1, 932236 PL2, 932239 PL2, 932237 PL3) (Esad Cetiner) [#3601]
+ * feat: move HTTP header rules to phase 1 (932161 PL2, 932205 PL2, 932206 PL2, 932237 PL3) (Esad Cetiner) [#3570]
+ * fix: remove t:lowercase from rules that use '(?i)' modifier in their regex (942150 PL2, 942151 PL1, 942152 PL2) (Ervin Hegedus) [#3585]
+ * fix: prevent FPs against names due to "cron" (932260 PL1, 932236 PL2, 932237 PL3, 932239 PL2) (@superlgn) [#3578]
+ * fix: add missing tags and ver action (various rules) (Jozef Sudolský) [#3571]
+ * fix: adding more missing tags and ver actions (Jozef Sudolský) [#3593]
+ * fix: do not check URL fragments in referer headers as part of the existing rule to prevent FPs (932205 PL2) (Max Leske) [#3485]
+ * fix: range expressions must not start with `\v` (various rules) (Max Leske) [#3615]
+
+Changes without direct rule impact:
+
+ * feat: add check for combinations of t:lowercase and (?i) to lint (Franziska Bühler) [#3584]
+ * chore: add Esad Cetiner to list of developers (@EsadCetiner) [#3589]
+ * chore(deps): update workflow actions (Max Leske) [#3613]
+ * test: change HTTP method to uppercase for test 932260-28 (Matteo Pace) [#3580]
+
+## Version 4.0.0 - 2024-02-14
+
+Important changes:
+ * feat: introduce plugin architecture for extending CRS and minimizing attack surface. (Christian Folini, Max Leske, Jozef Sudolský, Andrew Howe) [#2038, #2448, #2404]
+ * feat: migrate application exclusions and less-used functionality to plugins (Christian Folini, Max Leske, Jozef Sudolský, Andrew Howe)
+ * feat: introduce early blocking option (Christian Folini) [#1955]
+ * feat: introduce new rule file/category to detect use of common web shells in responses (955100-955340 PL1, 955350 PL2) (Jozef Sudolský, Andrea Menin) [#1962, #2039, #2116]
+ * feat: rename 'Node.js' category to 'generic' (Felipe Zipitría) [#2340]
+ * feat: make all formerly PCRE-only regular expressions compatible with RE2/Hyperscan regular expression engines (Max Leske, Felipe Zipitría, Allan Boll, Franziska Bühler) [#1868, #2356, #2425, #2426, #2371, #2372]
+ * feat: add support for HTTP/3 (Jozef Sudolský) [#3218]
+ * feat: add granular control over reporting levels in 9801xx rules (Simon Studer, Andrew Howe, Christian Folini) [#2482, #2488]
+ * feat: add new rule to explicitly detect multiple Content-Type abuse (CVE-2023-38199) (920620 PL1) (Andrea Menin) [#3237]
+ * feat: add enable_default_collections flag to not initialize collections by default (Matteo Pace) [#3141]
+
* feat: extend definition of restricted headers to include `Content-Encoding` and `Accept-Charset` by default (920450 PL1, 920451 PL2) (Walter Hop) [#2780, #2782] + * feat: drop HTTP/0.9 support to resolve FP (Federico G. Schwindt) [#1966] + * fix: refactor and rename anomaly scoring variables and paranoia level definition (Simon Studer) [#2417] + * tests: complete goal of 100% test coverage for rules (entire team, Juan-Pablo Tosso, NiceYouKnow) + * feat: switch to using WordNet instead of spell for finding English words in spell.sh (Max Leske) [#3242] + * feat: publish nightly packages regularly (Felipe Zipitría) [#2207] + +Tool changes: + * feat: extend spell.sh script with an opt-in manual list of common and partial words. (Matteo Pace) [#3273] + * feat: rework spell.sh utility to help with detection of false positives English words (Andrea Menin) [#3029] + * feat: improve usability of spell.sh utility (Max Leske) [#3238] + * feat: extend rules-check.py script to better enforce rule format in project guidelines (Ervin Hegedus) [#3113] + * feat: extend rules-check.py script to ensure that `auditLogParts` is only used in last chained rule (Ervin Hegedus) [#2609] + * feat: extend rules-check.py script to ensure that rules use `@rx` operator explicitly (Ervin Hegedus) [#2541] + * feat: extend rules-check.py script to strip comments when parsing crs-setup.conf.example (Ervin Hegedus) [#3161] + * feat: add utility to change version numbers (Ervin Hegedus) [#2085] + * feat: add utility script to find rules without tests (Ervin Hegedus) [#2279] + * feat: add crs-rules-check tool that runs sanity checks against rules (Ervin Hegedus) [#2236] + * feat: add utility to find longest data lengths (Ervin Hegedus) [#2277] + * feat: improve rule-ctl script to modify rules (Max Leske) [#2193] + * feat: improve unique ID matching and documentation in send-payload-pls.sh (Manuel Spartan) [#2288] + * feat: unify regexp utils to automate error-prone actions and automatically update 
rules from regular expression sources (Max Leske) [#2149, #2223, #2423, #2495, #2489, #2473] + * fix: adjust log directories needed for volume mounts to Git (Max Leske) [#2103] + * fix: replace backend docker container for tests to fix JSON Unicode reflection (Max Leske) [#3464] + * feat: add new test method: check for tags on rules against allowlist (Ervin Hegedus) [#3437] + +Changes with direct rule impact (sorted by lowest rule ID per change where available): + * feat: add placeholder files for new plugin architecture (Walter Hop) [#2515] + * feat: check initialization and use for all TX variables (Ervin Hegedus) [#3043] + * feat: extend rule to detect restricted `method override` headers (Mark Zeman / KramNamez) [#3056] + * feat: extend rules to detect keyword `time` as prefix of \*nix and Windows RCE rules (rules later replaced) (Franziska Bühler) [#2819] + * feat: improve Unix shell evasion prefix (various rules) (Jitendra Patro, Max Leske) [#3518] + * feat: improve performance by removing unnecessary lowercase transformations (various rules) (Jozef Sudolský) [#2106] + * feat: add additional prefix commands to 'unix-shell-evasion-prefix' (various rules) (Jitendra Patro) [#3557 + * feat: consolidate 'unix-evasion-prefix*' files to ensure they don't diverge (various rules) (Franziska Bühler, Max Leske, Andrew Howe) [#3531] + * feat: move regexp-assemble data files to root directory (Felipe Zipitría) [#3002] + * feat: move rules to the earliest phase possible based on their inputs (various rules) (Ervin Hegedus) [#1941] + * feat: remove superfluous 'urlDecodeUni' transformations (various rules) (Federico G. 
Schwindt) [#1845] + * feat: rename 'tx.blocking_early' to 'tx.early_blocking' (various rules) (Christian Folini) [#2414] + * feat: simplify regular expressions by replacing upper-case with lower-case matches if the expression is case-insensitive (various rules) (Felipe Zipitría) [#2485] + * feat: remove SecCollectionTimeout from crs-setup.conf (Christian Folini) [#3559] + * fix: do not log 'MATCHED_VAR' when the it contains the full response body (various rules) (Jozef Sudolský) [#1985] + * fix: do not unnecessarily escape forward slashes in regular expressions (various rules) (Federico G. Schwindt) [#1842] + * fix: reformat several initialization rules to follow project guidelines (Ervin Hegedus) [#3157] + * fix: remove auditLogParts actions from all rules where present (Andrea Menin, Ervin Hegedus) [#3034, #3081] + * fix: remove uncommon Content Types from default in `crs-setup.conf.example` (Andrea Menin) [#2768] + * fix: update diverse rules to follow new naming convention with paranoia level TX variables (Christoph Hansen) [#2937] + * fix: update various rules to consolidate use of backslashes to \x5c representation for better compatibility with known WAF engines (various rules) (Andrew Howe, Max Leske) [#2335, #2345, #2375, #2376, #2399, #2400, #2402, #2410, #2420, #2441, #2442, #2454, #2426] + * fix: remove initialization rules for redundant IP reputation variables (901150, 901152) (Andrew Howe) [#2833] + * fix: initialize all variables used properly (901169) (Ervin Hegedus) [#2802] + * feat: improve sampling mode efficiency (901410, 901420, 901440) (Paul Beckett) [#2094] + * fix: replace uses of 'ctl:ruleEngine=Off' with "ctl:ruleRemoveByTag=OWASP_CRS" to accommodate more than one ruleset (901450, 905100, 905110) (Jozef Sudolský) [#2156] + * feat: remove old, commented-out IP reputation check rule (910110 PL1) (Paul Beckett) [#2148] + * feat: detect 'burpcollaborator' scanner (913100 PL1) (Amir Hosein Aliakbarian) [#2152] + * feat: detect 'httpx' scanner 
(913100 PL1) (Will Woodson) [#2045] + * feat: detect 'LeakIX' scanner (913100 PL1) (Jozef Sudolský) [#1961] + * feat: detect 'QQGameHall' malware (913100 PL1) (Walter Hop) [#2144] + * feat: detect User-Agent of Tsunami Security Scanner (913100 PL1) (@hoexter) [#3480] + * fix: avoid FP for YAM package manager (913100 PL1) (Jozef Sudolský) [#2022] + * fix: move 'ecairn' from scanners to crawlers (913100 PL1) (Felipe Zipitría) [#2408] + * feat: detect 'CensysInspect' and seoscanners.net crawlers (913102 PL2) (Andrew Howe) [#2155] + * feat: detect 'ecairn' crawler (913102 PL2) (Jozef Sudolský) [#2024] + * feat: detect 'Krzana' bot (913102 PL2) (Deepshikha Sinha) [#2432] + * fix: remove rule to detect security scanner http headers (913110 PL1) (Christian Folini) [#3241] + * feat: remove ineffective anti-scanner list scanners-urls.data and associated rule (913120 PL1) (Christian Folini) [#3235] + * fix: correct the regular expression assembly (920120 PL1) (Max Leske) [#2333] + * feat: increase rule score from warning to critial (920220 PL1) (Max Leske) [#3512] + * fix: reduce FPs by handling the last path segment separately in new rule (920220 PL1, 920221 PL1) (Max Leske) [#3512] + * fix: reduce FPs by matching on decoded variables (920220 PL1) (Max Leske) [#3512] + * feat: prevent FPs by moving rule to higher PL (920240 PL2) (Max Leske) [#3506] + * feat: valiadate 'SEC-CH-UA' and 'SEC-CH-UA-MOBILE' request headers (920274 PL4) (Chaim Sanders) [#1970] + * fix: use the right kind of validation for 'Sec-CH-UA' and 'Sec-CH-UA-Mobile' request headers (920274 PL4, 920275 PL4) (somechris) [#2028] + * fix: make validatioin of 'Sec-Fetch-User' header more strict (920275 PL4) (somechris) [#2020] + * feat: move rule from PL2 to PL3 (920300 PL3) (Franziska Bühler) [#2013] + * fix: amend rule to exclude CONNECT requests from requiring an Accept header (920300 PL3) (Andrew Howe) [#2297] + * feat: add IPv6 to the 'Host header is a numeric IP address' check (920350 PL1) (itsTheFae, 
Ervin Hegedus, Jozef Sudolský) [#1929] + * fix: avoid FP on '.axd' in restricted extensions, these are public (920440 PL1) (Jozef Sudolský) [#1925] + * feat: rework restricted headers mechanism into two separate lists (920450 PL1, 920451 PL2) (Andrew Howe) [#3152] + * fix: avoid FP in 'application/\*+json' Content-Type (920470 PL1) (Mirko Dziadzka, Walter Hop) [#2455] + * fix: avoid FP in CalDAV Content-Type (920470 PL1) (Vandan Rohatgi) [#2505] + * fix: avoid FP in 'Content-Type' header with '#' character (920470 PL1) (Jozef Sudolský) [#1856] + * fix: avoid FP on 'version' string in Content-Type header (920470 PL1) (Jozef Sudolský) [#1901] + * fix: resolve false negative when matching against allowed charsets variable (920480 PL1) (katef, Federico G. Schwindt) [#1957] + * fix: replace unnecessary capture groups in regular expressions with non-capturing groups (920510 PL3, 932200 PL2, 942510 PL2, 942511 PL3) (Federico G. Schwindt) [#1983] + * feat: improve explanatory rule comments (920520 PL1) (Max Leske) [#2391] + * feat: validate 'Accept-Encoding' header (920520 PL1, 920521 PL3) (Franziska Bühler) [#2357] + * feat: new rule detect multiple occurrences of charset keyword in content type header (920530 PL1) (Jan Gora / terjanq) [#2571] + * feat: new rule to detect Unicode character bypass check for non JSON requests (920540 PL1) (Franziska Bühler, 0SPwn) [#2512] + * feat: new rule to detect # char in URIs (920610 PL1) (Karel Knibbe) [#2919] + * fix: use correct anomaly scoring variables and paranoia level tags across several rules (921170 PL1, 921220 PL4, 932220 PL2, 932331 PL3, 933211 PL3, 934101 PL1, 942362 PL2, 951100) (Christoph Hansen) [#2931] + * feat: new rules to detect HTTP parameter pollution bypasses (921210 PL3, 921220 PL4) (Christian Folini) [#2747] + * fix: use correct anomaly scoring variables and paranoia level tags across several rules (921220 PL4, 932101 PL2, 932331 PL3, 933211 PL3, 942362 PL2) (Ervin Hegedus) [#2832] + * feat: new rule to detect 
range header that is now forbidden on PL3 and up (921230 PL3) (Christian Folini) [#2760] + * feat: new rule to detect mod_proxy attack (CVE-2021-40438) (921240 PL1) (Franziska Bühler) [#2818] + * fix: add urlDecodeUni transformation rules with REQUEST_URI / REQUEST_BASENAME in phase 1 (921240 PL1, 920440 PL1, 920201 PL2, 920202 PL4) (Christian Folini) [#3411] + * feat: new rules to detecting ModSecurity body processor confusion using the `Content-Type` HTTP header (921421 PL1, 921422 PL2) (Simon Studer, Ervin Hegedus) [#2763] + * fix: handle false positives when detecting ModSecurity body processor confusion (921422 PL2) (Ervin Hegedus) [#2784] + * feat: new rules detecting attacks on multipart headers (922100 PL1, 922110 PL1, 922120 PL1) (Felipe Zipitría) [#2769] + * fix: prevent unintended match of character set substrings in multipart/form-data requests (922100 PL1) (Jozef Sudolský) [#3470] + * feat: remove redundant t:lowercase for a little performance (922110 PL1) (Jozef Sudolský) [#3469] + * fix: remove possessive quantifiers (922110 PL1) (Felipe Zipitría) [#2989] + * fix: update comments (922110 PL1, 942440 PL2) (Jozef Sudolský) [#3468] + * fix: add missing quotes at the end of action lists (930050) (Ervin Hegedus) [#2184] + * feat: disassemble regular expression (930100 PL1) (Andrew Howe) [#2298] + * fix: detect path traversal in uploaded file names (930100 PL1, 930110 PL1) (k4n5ha0, Franziska Bühler, Felipe Zipitría) [#2451] + * fix: detect triple dot path traversal (930100 PL1, 930110 PL1) (Franziska Bühler) [#2309, #2310] + * feat: extended rule to detect Tomcat specific path traversal attack (930110 PL1) (Christoph Hansen) [#2915] + * fix: avoid FP for '..' 
without slashes (930110 PL1) (Tetrik, Walter Hop) [#2016] + * feat: block access to AWS CLI files (930120 PL1, 930121 PL2) (Jozef Sudolský) [#2439] + * feat: block access to extended list of sensitive files (930120 PL1, 930121 PL2, 930130 PL1) (Jozef Sudolský) [#1960] + * feat: detect /proc and /sys access attempts (930120 PL1, 930130 PL1) (Andrew Howe) [#2154] + * feat: extend rule to detect access attempts to /tmp/ (930120 PL1, 930121 PL2) (Max Leske) [#3131] + * feat: extend rule to detect ECDSA type SSH identity files via list of sensitive \*nix files (930120 PL1) (Pinaki Mondal / 0xInfection) [#2586] + * fix: avoid detecting Google OAuth2 callback requests as malicious (930120 PL1, 930121 PL1) (Jozef Sudolský, Christian Folini) [#1958] + * feat: extend rule to detect additional sensitive files on \*nix systems (930121 PL2, 930130 PL1) (Gwendal Le Coguic / gwen001) [#2560] + * feat: new rules to detect LFI and SQLi in user-agent and referer request headers (930121 PL2, 942152 PL2, 942321 PL2) (Franziska Bühler, Max Leske, Shivam Bathla) [#3102] + * fix: extend rule to detect more LFI (930121 PL2) (Felipe Zipitría) [#2791] + * feat: add BlockCypher.log to restricted-files.data (930130 PL1) (Jozef Sudolský) [#3501] + * feat: add 'sslvpn_websession' to restricted-files.data (930130 PL1) (Jozef Sudolský) [#2338] + * feat: add .vscode to restricted-files.data (930130 PL1) (Frederik Himpe) [#3471] + * feat: extend data file to include additional restricted file names (restricted-files.data, 930130 PL1) (Jitendra Patro) [#3219] + * feat: extend data file to include PrestaShop configuration file (restricted-files.data, 930130 PL1) (Jean-François Viguier) [#3192] + * feat: extend rule to detect `npm-shrinkwrap.json` to restricted-files (930130 PL1) (Esa Jokinen / oh2fih) [#2627] + * fix: block access to the Java-related WEB-INF directory (930130 PL1) (Jozef Sudolský) [#2092] + * fix: remove duplicate keyword (930130 PL1) (Jozef Sudolský) [#3517] + * feat: extend rules 
to detect additional protocols in RFI attacks (931130 PL2, 934120 PL2) (Karel Knibbe) [#2572] + * feat: extend rule to detect `url:file:` schema in Java RFI attacks (931130 PL2) (Andrew Howe) [#2727] + * fix: add local_file scheme from Python 2 (931130 PL2, 934120 PL2) (Felipe Zipitría) [#2809] + * fix: close userinfo-based bypass (931130 PL2) (Andrea Menin) [#2479] + * feat: new rule to detect path traversal attacks using URL encoded URL schemes in Java applications (931131 PL2) (Christoph Hansen) [#2902] + * feat: extend rule to detect additional \*nix shell commands (931160 PL1) (Gwendal Le Coguic / gwen001) [#2563] + * feat: disassemble complex regexes for 932xxx rules that were subsequently replaced by other rules (Max Leske) [#2566] + * feat: detect additional Unix RCE commands (932100 PL1, 932105 PL1) (Felipe Zipitría) [#2129] + * feat: extend rule to detect additional entries to \*nix command lists (932100 PL1, 932105 PL1) (Finn Westendorf / wfinn) [#2552] + * feat: extend rule to detect additional \*nix commands (932100 PL1) (Felipe Zipitría) [#2676] + * feat: improve and extend cmdline processor to find more evasions (932100 PL1, 932105 PL1, 932230 PL1, 932150 PL1, 932175 PL1, 932220 PL2, 932240 PL1, 932106 PL3) (Felipe Zipitría) [#2907] + * fix: avoid false positive with certain HTML character entities (932100 PL1) (Franziska Bühler) [#1954] + * feat: move \*nix command injection rule 932101, 932106 into the same range as the other \*nix command injection rules (932231 PL2, 932232 PL3) (Felipe Zipitría, Max Leske) [#3092] + * feat: extend rule to detect additional \*nix commands (932105 PL1) (Felipe Zipitría) [#2677] + * feat: extend rule to detect `mshta` in Windows shell commands (932110 PL1) (Somdev Sangwan / s0md3v) [#2588] + * feat: new Windows commands rules based on lolbas-project replacing 932110, 932115 (932370 PL1, 932380 PL1) (Felipe Zipitría, Franziska Bühler, Max Leske) [#3059, 3170] + * fix: avoid false positive on 'sort' (932115 PL1) 
(Franziska Bühler) [#2012] + * feat: detect 'Invoke-WebRequest' command (932120 PL1) (Paul Beckett) [#2271] + * feat: extend rule to detect additional PowerShell cmdlet on Windows (932120 PL1) (Pinaki Mondal / 0xInfection) [#2589] + * feat: extend rule to detect PowerShell RCEs better via new automation (932120 PL1) (Felipe Zipitría) [#2669] + * feat: new rule to detect Windows cmdlet aliases (932125 PL1) (Pinaki Mondal / 0xInfection) [#2589] + * fix: extend rule to detect character class \*nix expressions (932130 PL1) (Somdev Sangwan / s0md3v, Walter Hop) [#2594] + * feat: new rules to detect Log4j / Log4Shell attacks (932131 PL2, 944150 PL1, 944151 PL2, 944152 PL4) (Christian Folini, Max Leske) [#2349] + * fix: prevent false positives against brackets in User-Agent header (932131 PL2) (Max Leske) [#3486] + * feat: extend rule to detect `busybox`, `$SHELL`, and `${SHELL}` in \*nix RCE attacks (932150 PL1) (Walter Hop) [#2728] + * feat: extend rule to detect C99 and printf utilities (932150 PL1) (Karel Knibbe) [#2569] + * feat: extend rule to detect `ksh` in \*nix RCE attacks (932150 PL1) (Andrew Howe) [#2721] + * feat: extend rule to detect RCE attacks using compression utilities (932150 PL1) (Andrew Howe) [#2712] + * feat: extend rule to detect RCEs using Base64 evasions (932150 PL1) (Somdev Sangwan / s0md3v, Andrew Howe) [#2590] + * feat: extend rule to detect RCEs using evasions quotes with `python...` commands (932150 PL1) (Somdev Sangwan / s0md3v, Andrew Howe) [#2590] + * feat: new rule to detect generalised \*nix RCE (932150 PL2) (Karel Knibbe) [#2583] + * feat: replace \*nix command injection rules 932150 PL1, 932151 PL1 with new rules for commands of less than 4 characters and commands of more than 4 characters in length respectively (932250 PL1, 932260 PL1) (Felipe Zipitría, Max Leske) [#3092] + * fix: avoid FP on 'time' and 'ping' keywords (932150 PL1) (Walter Hop) [#2457] + * feat: extend rule to detect RCE better via automation (932160 PL1) (Felipe 
Zipitría) [#2662] + * fix: remove unnecessary prefixes from paths in `unix-shell.data` (932160 PL1) (Felipe Zipitría) [#2662] + * feat: extend rule to detect `expre` in unix-shell list (932161 PL2) (Felipe Zipitría) [#2667] + * feat: new rules to detect \*nix commands in user-agent and referer request headers (932161 PL2, 932237 PL3) (Franziska Bühler, Max Leske, Shivam Bathla) [#3132] + * feat: new rule detecting `alias` builtin (932175 PL1) (Felipe Zipitría) [#2796] + * feat: use new automation to generate `restricted-uploads.data` from `restricted-files.data` (932180 PL1) (Max Leske) [#3282] + * fix: use correct anomaly scoring variable (932180 PL1, 932200 PL2) (Jozef Sudolský) [#2324] + * feat: detect RCE attempts with uninitialized shell vars (932200 PL2) (Andrea Menin) [#2151] + * feat: extend rule to detect RCE in user-agent request header (932200 PL2) (Franziska Bühler, Shivam Bathla) [#3108] + * feat: reduce FPs by removing User-Agent from individual target list (932200 PL2) (Max Leske) [#3489] + * fix: generate correct log entries when using 'MATCHED_VAR_NAME' in conjunction with chain rules (932200 PL2, 933120 PL1, 933151 PL2) (Jozef Sudolský) [#2347] + * fix: new rules to handle referer header and fix false positive (932205 PL2, 932206 PL2) (Max Leske) [#3300] + * feat: extend rule to detect quote evasion (932210 PL2) (Max Leske) [#3120] + * feat: extend rule to detect `sh` (932210 PL2) (Franziska Bühler) [#2816] + * feat: extend rule to detect SQLi via automation of keyword list updates (932210 PL2) (Felipe Zipitría) [#2801] + * feat: new rule to detect SQLite system command injection (932210 PL2) (flo405, Andrea Menin, Christian Folini) [#2032] + * fix: add word boundaries for sh in RCE rules (932230 PL1, 932250 PL1) (Max Leske) [#3186] + * fix: avoid FPs in RCE detections against words 'environment' and 'performance' (932230 PL1, 932235 PL1, 932260 PL1, 932236 PL2, 932237 PL3, 932239 PL2) (Esad Cetiner) [#3477] + * fix: handle false positive against 
`sh` in \*nix command injection attacks (932230 PL1, 932250 PL1, 932236 PL2) (Max Leske) [#3186] + * feat: add unix commands pyversions and py3versions (932235 PL1, 932260 PL1, 932236 PL2, 932237 PL3, 932239 PL2) (Jitendra Patro) [#3465] + * feat: replace \*-with-params.ra files with suffix replacements (932235 PL1, 932236 PL2, 932239 PL2, 932237 PL3) (Max Leske) [#3331] + * fix: prevent FP on keywords 'more' and 'time' in Unix RCE (932235 PL1) (Franziska Bühler) [#3488] + * fix: reduce FPs at the start of strings by excluding 'as' and 'at' (932236 PL2) (Franziska Bühler, Max Leske, Andrew Howe) [#3531 + * fix: prevent FPs against names due to "axel" and "perl" (932235 PL1, 932260 PL1, 932236 PL2, 932239 PL2, 932237 PL3) (@superlgn) [#3492] + * fix: add whitespace after keywords `mail` and `task` to solve false positives (932236 PL2) (Franziska Bühler) [#3274] + * fix: align unix-shell-upto3* files (932236 PL2) (Max Leske) [#3128] + * fix: handle false positives with word "settings" (932236 PL2, 932237 PL3, 932239 PL2) (Esad Cetiner) [#3394] + * fix: prevent FP on keywords more and time in Unix RCE (932236 PL2) (Franziska Bühler) [#3487] + * fix: solved false positives with creation of word boundaries for commonly used words used in \*nix RCE rules (932236 PL2) (Max Leske) [#3187] + * fix: use correct anomaly scoring variable (932236 PL2) (Ervin Hegedus) [#3112] + * fix: improve rule by matching non-word-boundary of commands with options (932237 PL3) (Max Leske) [#3425] + * feat: new rule to detect \*nix commands in user-agent and referer request headers (932239 PL2) (Franziska Bühler, Shivam Bathla) [#3104, #3318] + * fix: reduce FPs in generic quote evasion detection (932240 PL2) (Max Leske) [#3494] + * fix: remove ARGS_NAME from target variables in (932240 PL2) (Andrea Menin) [#2960] + * fix: use correct anomaly scoring variables and paranoia level tags across for rule (932240 PL2) (Ervin Hegedus) [#2963] + * fix: false positives by requiring specific tokens to 
follow commands (932250 PL1) (Max Leske) [#3186] + * fix: Added missing target name to logdata (932260 PL1, 932240 PL2) (Ervin Hegedus) [#3409] + * fix: remove chained rule (932260 PL1) (Max Leske) [#3521] + * feat: new rules to detect email protocol attacks (932300 PL2, 932310 PL2, 932320 PL2) (Felipe Zipitría) [#2322] + * fix: remove additional range expression that cause parsing errors for RE2 (932311 PL3) (Felipe Zipitría) [#2484] + * feat: new rules to detect detecting \*nix shell history invocations (932330 PL1, 932331 PL3) (Karel Knibbe) [#2577] + * fix: remove 'time' prefix from Windows RCE detection (932370 PL1, 932380 PL1) (Max Leske) [#3528] + * feat: extend rule to detect additional file extensions via list of executable PHP files (933110) (Jan Gora / terjanq) [#2585] + * feat: extend data file to add missing PHP config directives (php-config-directives.data, 933120 PL1) (Max Leske) [#3028] + * feat: extend rule to detect additional sensitive PHP directives (933120 PL1) (Gwendal Le Coguic / gwen001) [#2561] + * feat: extend rule to detect PHP config directives via automation of keyword list updates (933120 PL1) (Felipe Zipitría) [#2696] + * feat: extend rule to detect sensitive PHP variables better (933130 PL1) (Felipe Zipitría) [#2668] + * tests: clean test definitions and provide proper descriptions (933150 PL1, 933160 PL1) (Andrea Menin, Matteo Pace, Max Leske) [#3462] + * feat: extend data file to include additional php function names (php-function-names-933151.data, 933151 PL2) (Jitendra Patro) [#3212] + * feat: automate generation of PHP function dictionaries, revisited detection (933160 PL1, 933161 PL3, 933150 PL1, 933151 PL2) (Juan-Pablo Tosso, Christian Folini, Matteo Pace) [#3273] + * feat: extend rule to detect `document.domain` XSS (933160 PL1, 941180 PL1) (Franziska Bühler, 0SPwn) [#2567] + * feat: extend rule to detect evasions in PHP contexts with `"` (933160 PL1) (Somdev Sangwan / s0md3v) [#2596] + * feat: rearrange keywords (933160 PL1, 
941390 PL1) (Karel Knibbe) [#2905] + * fix: handle false positive by fixing whitespace matching after PHP command (933160 PL1) (Max Leske) [#3432] + * fix: solve ReDoS issue in rule (933161 PL3) (Andrea Menin) [#2302] + * feat: extend rule to detect `bzip2` wrapper in PHP injection attacks (933200 PL1) (Andrew Howe) [#2723] + * feat: extend rule to detect `ssh2.\*` wrappers in PHP injection attacks (933200 PL1) (Andrew Howe) [#2731] + * fix: avoid false positive when cookie contains slash (933210 PL1) (Ervin Hegedus) [#1996] + * fix: close PHP whitespace bypass (933210 PL1) (Walter Hop) [#2033] + * fix: prevent excessive backtracking (933210 PL1) (Andrea Menin) [#2214] + * feat: new rule to detect PHP injection attacks without terminating semi-colon (933211 PL3) (Karel Knibbe) [#2581] + * feat: extended rule to detect Node.js injection attacks using `require` and `child_process` (934100 PL1, 932101 PL2) (Andrea Menin) [#2893] + * feat: extend rule to detect Node.js RCE better (934100 PL1) (rektor0) [#2578] + * feat: improve transformation pipeline to detect Base64-encoded evasions (934100 PL1) (Andrew Howe) [#3203] + * feat: new rule to detect Node.js RCE detection (934101 PL2) (rektor0) [#2578] + * fix: improve js rule transformation pipelines (934101 PL1, 934130 PL1, 934169 PL1, 934131 PL2) (Andrew Howe) [#3312] + * feat: extend data file to include additional indicators (ssrf.data, 934110 PL1) (Jitendra Patro) [#3213] + * feat: extend rule to detect SSRF better (934110 PL1) (Felipe Zipitría) [#2660] + * feat: new rules to detect common IP-based SSRF targets (934110 PL1, 934120 PL2) (Felipe Zipitría) [#2259] + * feat: extend rule to detect additional schema and IP evasion techniques in SSRF (934120 PL2) (Felipe Zipitría, Max Leske) [#2599] + * feat: extend rule to detect octal address of AWS metadata endpoints (934120 PL2) (Karel Knibbe) [#2555] + * feat: extend rule to detect SSRF better by inspecting targets beyond just ARGS (934120 PL2) (Karel Knibbe) [#2555] 
+ * feat: new rules to detect JavaScript prototype pollution (934130 PL1, 934131 PL2) (Walter Hop) [#2411]
+ * fix: remove base64 transformation due to limited effectiveness and to align behavior across ModSecurity v2.x and libModSecurity v3.x engines (934130 PL1) (Andrea Menin) [#3378]
+ * fix: remove overly specific rule with limited benefits and lack of cross-engine compatibility (934131 PL2) (Andrea Menin) [#3378]
+ * feat: new rules to detect detection of Perl and Ruby RCE signatures in a generic way (934140 PL2, 934150 PL1) (Karel Knibbe) [#2587]
+ * feat: new rule to detect Node DoS attack via expressions resolving to true (934160 PL1) (Karel Knibbe) [#2917]
+ * feat: new rule for PHP supporting `data:` scheme without using `//` before the content-type (934170 PL1) (Felipe Zipitría) [#3018]
+ * feat: extend rules to detect path based XSS via new target REQUEST_FILENAME in 941xxx rules (Walter Hop) [#2894]
+ * feat: run libinjection XSS detector on request filename in PL2 (941101 PL2) (Andrew Howe) [#2208]
+ * feat: move rule from PL1 to PL2 (941120 PL2) (Christian Folini) [#2306]
+ * fix: avoid false positive by adding character limit (941120 PL2) (Christian Folini) [#1872]
+ * fix: avoid FP in Base64 content (941120 PL1) (Jozef Sudolský) [#2226]
+ * fix: remove unnecessary character escape (941120 PL2) (Andrew Howe) [#2805]
+ * fix: avoid FP in XMLNLS (941130 PL1) (Walter Hop) [#2192]
+ * fix: solve ReDoS issue in rule (941140 PL1) (Andrea Menin) [#2050]
+ * feat: detect 'dialog' tag in XSS no-script payloads (941160 PL1) (Jitendra Patro) [#3473]
+ * feat: disassemble complex regex fully (941160 PL1) (Felipe Zipitría) [#2701]
+ * fix: make regular expression more restrictive (941170 PL1) (Andrea Menin) [#2292]
+ * fix: new rule at PL2 to move the detection of '-->' out of PL1 due to false positives (941181 PL2) (Paul Beckett) [#2082]
+ * feat: disassemble complex regex (941210 PL1) (Felipe Zipitría) [#3262]
+ * feat: extend rule to detect XSS evasions using carriage return (\r) and new line (\n) characters (941210 PL1) (oct0pus7) [#2576]
+ * feat: disassemble complex regex (941220 PL1) (Felipe Zipitría) [#3263]
+ * fix: correct numerical values used for HTML entity evasion detection (941220 PL1) (Jitendra Patro) [#3479]
+ * fix: avoid false positive with Russian characters (941310 PL1) (Max Leske) [#2107]
+ * feat: improve detection by adding missing javascript `prompt` and `confirm` methods (941390 PL1) (Jitendra Patro) [#3395]
+ * feat: new rule to detect JavaScript methods (941390 PL1) (Franziska Bühler) [#2702]
+ * feat: extend rule and moved rule from PL3 to PL2 (942101 PL2) (Matteo Pace) [#2922]
+ * feat: extended rule to detect common SQL injection probing in path segments (942110 PL2) (Andrea Menin) [#2914]
+ * feat: prevent FPs by removing rule (942110 PL2) (Max Leske) [#3505]
+ * feat: add target REQUEST_FILENAME to rule to detect path-based SQLi attacks (942120 PL2) (Andrew Howe) [#3057]
+ * feat: extend rule to detect use of `collate` in SQLite injection attacks (942120 PL2) (Jan Gora / terjanq) [#2584]
+ * fix: extend rule to detect more SQLi (942120 PL2) (Karel Knibbe) [#2556]
+ * fix: resolve issue with regular expression and improve SQLi detection by detecting 'not between' (942120 PL2) (NiceYouKnow, Max Leske, Franziska Bühler) [#2115]
+ * fix: update SQL reserved words (942120 PL2) (Felipe Zipitría) [#2798]
+ * feat: extend rule to detect `glob` in list of SQLi tautologies (942130 PL2) (Franziska Bühler) [#2729]
+ * fix: remove unneeded TX variables (942130 PL2, 942131 PL2, 942521 PL3) (Andrea Menin) [#3293]
+ * feat: detect more error-based SQL injections (942150 PL2, 951230 PL1) (Jozef Sudolský) [#2429]
+ * feat: extend rule to detect more SQL function names (942150 PL2) (Karel Knibbe) [#2895]
+ * feat: extend rules to detect more SQL error messages and functions (942151 PL1, 942152 PL1, 951220 PL1, 951230 PL1, 951240 PL1) (Jitendra Patros) [#3336]
+ * feat: extend rule to detect additional SQL function signatures (942151 PL1) (Karel Knibbe) [#2570]
+ * feat: extend rule to detect `endswith`, `startswith`, `unistr`, `pg_client_encoding` and various JSON SQL functions (942151 PL1) (Franziska Bühler) [#2874]
+ * feat: extend rule to detect various JSON functions (942151 PL1) (Franziska Bühler) [#3041]
+ * fix: avoid FP in SQL function names by splitting between PL1/PL2 (942151 PL1, 942150 PL2) (Jozef Sudolský) [#2480]
+ * feat: extend rule to detect `sql_compileoption_get` in SQLite injection attacks (942152 PL1) (Andrew Howe) [#2718]
+ * fix: extend blind SQLi detection (942160 PL1) (Franziska Bühler, Christian Folini) [#1956]
+ * feat: new regex-assembly file for rule (942170 PL1) (Andrea Menin) [#2939]
+ * feat: extend rule to detect SQL injection authentication bypasses (942180 PL2) (rekter0) [#2575]
+ * feat: improve SQLi detection with spaces (942190 PL1, 942390 PL2) (Manuel Spartan, Max Leske) [#2436]
+ * fix: avoid FP in SQLi by adding word boundary checks (942190 PL1) (Jozef Sudolský) [#2078]
+ * fix: avoid FP in SQLi with keyword 'union' (942190 PL1) (Franziska Bühler) [#2058]
+ * fix: prevent comment-based SQL evasion (942190 PL1) (Andrea Menin) [#1910]
+ * fix: resolve bug in regular expression and add test case (942190 PL1) (NiceYouKnow, Max Leske, Franziska Bühler) [#2112]
+ * feat: disassemble complex regex (942200 PL2) (Franziska Bühler, Max Leske) [#2932]
+ * feat: extend rule to detect SQLi in user-agent and referer request headers (942200 PL2, 942370 PL2) (Franziska Bühler, Shivam Bathla) [#3106]
+ * feat: improve regex-assembly file for rule (942210 PL2) (Andrew Howe) [#2945]
+ * fix: detect the correct magic numbers that crash old PHP versions (942220 PL1) (Kyzentun, Walter Hop) [#2010]
+ * fix: avoid false positive with 'case' (942230 PL1) (Franziska Bühler) [#2035]
+ * fix: detect SQL false negative (942230 PL1) (Max Leske) [#2348]
+ * feat: disassemble complex regex (942240 PL1) (Franziska Bühler, Max Leske) [#2938]
+ * fix: avoid FP in 'having' SQLi (942251 PL3) (Felipe Zipitría) [#2248]
+ * feat: new regex-assembly file for rule (942280 PL1) (Andrea Menin) [#2933]
+ * feat: extend rule to detect additional MongoDB operators via NoSQL commands list (942290 PL1) (rekter0) [#2579]
+ * feat: new regex-assembly file for rule (942290 PL1) (Andrea Menin) [#2942]
+ * feat: improve regex-assembly format (942300 PL2) (Felipe Zipitría) [#3296]
+ * fix: avoid false positive by adding word boundary checks (942300 PL2) (Franziska Bühler) [#2099]
+ * fix: remove unnecessary part of regular expression (942310 PL2) (NiceYouKnow) [#2189]
+ * feat: extend rule to detect `::int` and `::bool` SQL data conversions (942320 PL1) (Franziska Bühler) [#2872]
+ * feat: extend rule to detect `lo_get` and `::text` via PostgreSQL functions list (942320 PL2) (Franziska Bühler, Walter Hop, Shivam Bathla) [#2925]
+ * feat: extend rule to detect `lo_import` and `div` via PostgreSQL functions list (942320 PL2) (Franziska Bühler, Shivam Bathla) [#2916]
+ * feat: extend rule to detect more PostgreSQL data types (942320 PL2) (Franziska Bühler, Shivam Bathla) [#3019]
+ * fix: add word boundaries to keywords to solve false positives (942330 PL2) (Franziska Bühler) [#3207]
+ * feat: extend rule to detect SQL injection better (942340 PL2) (Karel Knibbe) [#2557]
+ * fix: extend rule to detect more SQLi (942340 PL2) (Jan Gora / terjanq) [#2559]
+ * feat: detect SQLi using the 'drop' keyword (942350 PL1, 942360 PL1, 942200 PL2, 942362 PL2) (Jozef Sudolský) [#2218]
+ * fix: solve ReDoS issue in rule (942350 PL1) (Andrea Menin) [#2300]
+ * feat: new regex-assembly file for rule (942370 PL2) (Christoph Hansen, Max Leske) [#2954]
+ * feat: detect SQLi with 'if exists' (942380 PL2) (NiceYouKnow) [#2121]
+ * feat: optimize regex (942400 PL2) (Jozef Sudolský) [#2323]
+ * feat: disassemble complex chained regex (942440 PL2) (Felipe Zipitría) [#3295]
+ * feat: optimize regex (942440 PL2) (Felipe Zipitría) [#2459]
+ * fix: adapt rule to work in all ModSecurity versions (942440 PL2) (Andrew Howe) [#2201]
+ * fix: avoid FP in JWT tokens (942440 PL2) (Andrea Menin) [#2460]
+ * fix: reformat rules to follow project guidelines (942440 PL2, 949959, 949159, 959059, 959159) (Ervin Hegedus) [#3206]
+ * fix: solve errors in regex pattern (942440 PL2) (Andrea Menin) [#3290]
+ * fix: prevent FPs for click identifiers in query string by placing arg specific rule exclusions in rule set (942441, 942442) (Max Leske) [#3500]
+ * feat: extend rules to detect `current_user` and `overlay` (942470 PL1, 942480 PL2) (Franziska Bühler) [#2875]
+ * feat: extended rule to detect detect SQL injection attacks using headers (942480 PL2) (Paul Beckett) [#2911]
+ * feat: extend rule to detect newlines in overlay (942480 PL2) (Franziska Bühler, Shivam Bathla) [#3040]
+ * fix: detect MySQL optimizer hints (942500 PL1) (Max Leske) [#3431]
+ * feat: new rules to detect SQL authentication bypasses (942520 PL2, 942521 PL2, 942522 PL2) (Jan Gora / terjanq) [#2603]
+ * feat: extend rule to detect SQLi in user-agent and referer request headers (942521 PL2) (Franziska Bühler, Shivam Bathla) [#3107]
+ * fix: replace 'MATCHED_VAR' in 'logdata' argument with stable variable (942521 PL2, 943110 PL1, 943120 PL1) (Ervin Hegedus) [#3543]
+ * feat: new rule to detect `';` in SQLi (942530 PL3) (Franziska Bühler) [#2808]
+ * feat: new rule to detect authentication bypass via SQL injection that abuses semi-colons to end the SQL query (942540 PL1) (Karel Knibbe) [#2904]
+ * fix: update scoring variable (942540 PL2) (Walter Hop) [#2970]
+ * feat: new rule to detect MySQL scientific notation attacks (942560 PL1) (Jitendra Patro) [#3316]
+ * fix: remove unnessecary 'lowercase' transformation from chain rule (944120 PL1) (Federico G. Schwindt) [#1852]
+ * feat: extend rule to detect JAVA exploits better via java-classes.data file (944130 PL1) (Dennis Brown) [#3048]
+ * feat: new rule to deny uploading .jsp and .jspx files (944140 PL1) (Walter Hop) [#2456]
+ * feat: new rule to detect Spring4Shell (944260 PL2) (Christian Folini, Andrea Menin) [#2464]
+ * fix: update administrative rule ids for consistent operation (950011, 950012, 950018) (Ervin Hegedus) [#3339]
+ * feat: improve rule file 951xxx via the use of `skipAfter` instead of variable `TX:sql_error_match` (Jozef Sudolský) [#2754]
+ * feat: extend data file to include additional SQL error messages (sql-errors.data, 951100 PL1) (Jitendra Patro) [#3214]
+ * fix: avoid FP in MySQL data leakage rule (951230 PL1) (Jozef Sudolský) [#2490]
+ * fix: avoid FP in PostgreSQL error messages (951240 PL1) (Jozef Sudolský, Franziska Bühler) [#1870, #2313]
+ * fix: handle false positive in SQL error leakage detection (951240 PL1) (Jozef Sudolský) [#3169]
+ * fix: avoid FP in Sybase error message (951260 PL1) (Jozef Sudolský) [#2307]
+ * feat: extend rule to detect PHP errors better via new automation (953100 PL1) (Felipe Zipitría) [#2663]
+ * feat: new rules to detect PHP error leakages with high false positive rates at paranoia level 2 instead of 1 (953100 PL1, 953101 PL2) (Andrea Menin) [#3119]
+ * fix: solve false positive by shifting "Field cannot be empty" to PL2 (953100 PL1, 953101 PL2) (Esad Cetiner) [#3407]
+ * fix: ignore case of `PHP` tag in response text (953210 PL1) (Felipe Zipitría) [#2664]
+ * feat: extend rule to detect IIS errors via automation of pattern updates (954120 PL1) (Felipe Zipitría) [#2810]
+ * fix: log response body to audit log only when full rule chain matches (954130 PL1) (Franziska Bühler) [#2202]
+ * feat: added new webshells and tests (955100 PL1) (Jozef Sudolský) [#3405]
+ * feat: extend data file to include additional web shells (web-shells-php.data, 955100 PL1) (Jitendra Patro) [#3215]
+ * feat: extend data file to include additional web shells (web-shells-php.data, 955100 PL1) (Jozef Sudolský) [#2687]
+ * fix: make regular expression more strict to reduce noise in logs (955120 PL1) (Jozef Sudolský) [#2315]
+ * fix: use correct variable in chained condition for correlation rules (980120 PL0, 980150 PL0) (Simon Studer) [#1898]
+
+Changes without direct rule impact:
+ * chore: improve changelog-pr workflow (Max Leske) [#3416]
+ * chore: generate changelog entries with leading space (Max Leske) [#3550]
+ * chore: move regexp-assembly to separate directory (Felipe Zipitría) [#2327]
+ * chore: parse changelog PR author names from contributors (Max Leske) [#3408]
+ * docs: add a note to a commented rule about unsupported action in v3 (Ervin Hegedus) [#2098]
+ * docs: add documentation on blocking of archive file extensions that are not blocked by default (Andrew Howe) [#2758]
+ * docs: add example exclusion rule for monitoring agents (Andrea Menin) [#2037]
+ * docs: add file sponsors.md (Christian Folini) [#2174]
+ * docs: add link to run tests (Ervin Hegedus) [#3438]
+ * docs: add link to slack invitation to README (Christian Folini) [#2122]
+ * docs: add missing PL tags to all rules (Ervin Hegedus) [#1882]
+ * docs: add note of lack of rule range support in ModSecv3 (Andrew Howe) [#3303]
+ * docs: add to CONTRIBUTING.MD chain rule commenting guidance (Ervin Hegedus) [#3196]
+ * docs: align actions in right order (Ervin Hegedus) [#2237]
+ * docs: bring CONTRIBUTING.MD in line with documentation (Andrew Howe) [#2558]
+ * docs: change documentation git module link to https (İlteriş Eroğlu) [#2461]
+ * docs: change-version: fix typo (Deepshikha Sinha) [#2430]
+ * docs: contributing.md: add more information for new developers (Andrew Howe) [#2487]
+ * docs: crs-setup.conf: add note to allowed_request_content_type settings (Ervin Hegedus) [#2164]
+ * docs: enhance installation process for Nginx / IIS (Jozef Sudolský) [#1988]
+ * docs: explained to leave audit log settings alone in CONTRIBUTING.md (Christian Folini) [#3090]
+ * docs: fix capec id for crawlers (Jozef Sudolský) [#2258]
+ * docs: fix changed Trustwave URLs (Elia Pinto, henkworks, Felipe Zipitría) [#2213, #2364, #2204]
+ * docs: fix docs for Apache (Jozef Sudolský) [#2238]
+ * docs: fix donate URL (Felipe Zipitría) [#2132]
+ * docs: fixed minor typo in comment in file rules/restricted-files.data (Homesteady) [#3305]
+ * docs: fix NextCloud example comments (Joost de Keijzer) [#2282]
+ * docs: fix ruleid typos in comments (Paul Beckett) [#2263]
+ * docs: fix stricter sibling comment for SQL Injection () (Stephen Sigwart) [#1913]
+ * docs: fix typo in initialization(Elia Pinto) [#2366]
+ * docs: fix typo in sampling mode description (Christian Folini) [#2090]
+ * docs: fix typos across the entire project as reported by codespell (Ervin Hegedus) [#2519]
+ * docs: fix typos in README (Priyam Patel) [#2494]
+ * docs: improve changelog organization (Christian Folini) [#3536]
+ * docs: missing space after comment mark (Ervin Hegedus) [#2097]
+ * docs: update OWASP Slack URL (Jozef Sudolský) [#2056]
+ * docs: remove 'log' from rules and let SecDefaultAction decide what to do (Federico G. Schwindt) [#1876]
+ * docs: replace terms Blacklist and Whitelist with Deny list and Allow list (Paul Beckett) [#2137]
+ * docs: reword comment (900300 config) (Christian Folini) [#3417]
+ * docs: reword contributing.md (Christian Folini) [#2077]
+ * docs: sync CONTRIBUTING.MD with HTML version (Andrew Howe) [#3301]
+ * docs: transferred CHANGES to CHANGES.md (Felipe Zipitría) [#2606]
+ * docs: update and tidy CHANGES.md file for v4.0 release (Andrew Howe, Max Leske) [#3540]
+ * docs: update CONTRIBUTORS.md for new release (Ervin Hegedus) [#3340]
+ * docs: update description of rule 920350 (Christian Folini) [#1952]
+ * docs: update documentation hyperlinks on rules (Dexter Chang) [#3232]
+ * docs: update links and format of known bugs (Felipe Zipitría) [#2186]
+ * docs: update OWASP vulnerability URLs (Walter Hop) [#2467]
+ * docs: update policy to include signed releases (Felipe Zipitría) [#2465]
+ * docs: update README for Nginx (vijayasija99) [#2158]
+ * docs: update SPONSORS.md for new release (Christian Folini) [#3341]
+ * docs: remove sponsor F5 / VMWare (Christian Folini) [#3555]
+ * feat: add consistent rule references to initialization rule comments (Andrew Howe) [#2813]
+ * feat: add editorconfig file to keep spacing in good shape (Felipe Zipitría) [#2407]
+ * feat: add timezone variable to docker-compose (Felipe Zipitría) [#1995]
+ * fix: indentations (Ervin Hegedus) [#1851]
+ * fix: link for docs/OWASP-CRS-Documentation submodule (Ervin Hegedus) [#1885]
+ * fix: multiple fixes when generating changelog PR (Max Leske) [#3418], [#3420], [#3422], [#3424], [#3429]
+ * fix: nginx logging in docker-compose (Felipe Zipitría) [#2036]
+ * fix: remove all whitespace at EOL (Felipe Zipitría) [#2405, #2406]
+ * fix: remove full stop from end of log message (920181 PL1) (Federico G. Schwindt) [#2011]
+ * fix: yamllint (Felipe Zipitría) [#2387]
+ * tests: add a Chrome and Firefox version 100 UA (Mike Taylor) [#2325]
+ * tests: add common and uniform http headers to tests (Felipe Zipitría) [#2362]
+ * tests: additional tests for use in PHP wrappers in PHP injection attacks (rule 933200 PL1) (Andrew Howe) [#2723]
+ * tests: add positive test 920100-16 for rule 920100 PL1 (Andrew Howe) [#2952]
+ * tests: add positive test 920190-3 for rule 920190 PL1 (Andrew Howe) [#2956]
+ * tests: add positive test 920250-4 for rule 920250 PL1 (Andrew Howe) [#2971]
+ * tests: add positive test 920340-3 for rule 920340 PL1 (Andrew Howe) [#2972]
+ * tests: add positive test 920470-18 for rule 920470 PL1 (Andrew Howe) [#3058]
+ * tests: add positive test 921120-4 for rule 921120 PL1 (Andrew Howe) [#3083]
+ * tests: add positive test 921150-2 for rule 921150 PL1 (Andrew Howe) [#3158]
+ * tests: add positive test 932160-8 for rule 932160 PL1 (Christian Folini) [#2997]
+ * tests: add test against FP when using urlDecode for 932140 (Max Leske) [#2191]
+ * tests: add test for rule 941130 PL1 (Paul Beckett) [#2923]
+ * tests: add test for rule 941140 PL1 (Franziska Bühler) [#2995]
+ * tests: add test for rule 941170 PL1 (Franziska Bühler) [#2994]
+ * tests: add test for rule 941200 PL1 (Franziska Bühler) [#2993]
+ * tests: add test for rule 941240 PL1 (Franziska Bühler) [#2975]
+ * tests: add test for rule 941310 PL1 (Franziska Bühler) [#2974]
+ * tests: add test for rule 941400 PL1 (Franziska Bühler) [#2969]
+ * tests: add test for rule 942170 PL1 (Franziska Bühler) [#2968]
+ * tests: add test for rule 942270 PL1 (Franziska Bühler) [#2967]
+ * tests: add test for rule 942350 PL1 (Franziska Bühler) [#2965]
+ * tests: add test for rule 942500 PL1 (Franziska Bühler) [#2964]
+ * tests: add test for rule 942520 PL2 (Franziska Bühler) [#2706]
+ * tests: add test for rule 943100 PL1 (Franziska Bühler) [#2962]
+ * tests: add test for `sql_compileoption_used` detection (rule 942151 PL1) (Andrew Howe) [#2714]
+ * tests: add tests for 920120 (Max Leske) [#2369]
+ * tests: add tests for 920121, 932150, 932160, 932120, 932130, 921151 (Paul Beckett) [#2264, #2275, #2276, #2272, #2273, #2270]
+ * tests: add tests for 920275, 913101, 913102, 920410, 920171, 932190, 932110, 932105 (Ervin Hegedus) [#2021, #2253, #2257, #2294, #2295, #2285, #2286, #2287]
+ * tests: add tests for 920341 (Juan-Pablo Tosso) [#2266]
+ * tests: add tests for 921180 (Juan-Pablo Tosso, Christian Folini) [#2308]
+ * tests: add tests for 932170, 932171, 932106, 932180, 942170, 942251, 942460 (Franziska Bühler) [#2252, #2254, #2255, #2280, #2283, #2284, #2269, #2268]
+ * tests: add tests for 933111, 933190, 933200 (NiceYouKnow) [#2281]
+ * tests: add tests for FP 921110 request smuggling (Franziska Bühler) [#2102]
+ * tests: add tests for rules 942521 and 942522 PL2 (Franziska Bühler) [#2708]
+ * tests: add test to prove we cover complex shell variables usage in rule 932230 (Felipe Zipitría) [#2966]
+ * tests: clean up quoting (Max Leske) [#2370]
+ * tests: deprecate ftw in favor of go-ftw (Felipe Zipitría) [#3076]
+ * tests: detection of \*nix RCE using multiple variable assignments (932200 PL2) (Christian Folini) [#2899]
+ * tests: enable UTF8 encoding validation (Felipe Zipitría) [#2992]
+ * tests: extend coverage for rule 932120 (Felipe Zipitría) [#2996]
+ * tests: extend coverage for rule 932200 (Felipe Zipitría) [#2950]
+ * tests: extend coverage for rule 932220 (Felipe Zipitría) [#3063]
+ * tests: fix 933160-21 and 942500-1 due to invalid URI (Takaya Saeki) [#2168]
+ * tests: fix duplicated tests for rule 934130 PL1 (Walter Hop) [#2918]
+ * tests: fixed end boundary in 932180-2 (Ervin Hegedus) [#2377]
+ * tests: fixed URLs tests for rule 932130 PL1 (Matteo Pace) [#2880]
+ * tests: fixed URLs tests for rules 934130 PL1 and 934131 PL2 (Matteo Pace) [#3133]
+ * tests: fix logging problem for Nginx (vijayasija99) [#2157]
+ * tests: fix Python version for tests (Max Leske) [#2247]
+ * tests: fix requirements version (nobletrout) [#2004]
+ * tests: fix tests lacking charset (Felipe Zipitría) [#1932]
+ * tests: fix tests on rule 932200 to detect FPs (Max Leske) [#3309]
+ * tests: fix test titles (bxlxx.wu, Ervin Hegedus) [#2504, #2497]
+ * tests: fix test using old syntax and add go-ftw check (Felipe Zipitría) [#2715]
+ * tests: improve test setup, rewrite of log checker (Max Leske) [#2363]
+ * tests: increase tests (920280-3, 920430-3, 920430-9) compatibility with other proxies (Matteo Pace) [#3134]
+ * tests: normalized keys in test files (Ervin Hegedus) [#2493]
+ * tests: rearranged tests for rule 920340 (Christian Folini) [#3089]
+ * tests: rearranged tests for rule 920400 PL1 (Matteo Pace) [#2877]
+ * tests: remove Accept-Charset from test files (Felipe Zipitría) [#2781]
+ * tests: remove broken test 932100-3 (Felipe Zipitría) [#2165]
+ * tests: use only valid YAML (Felipe Zipitría) [#2080]
+ * tests: use same user-agent (Felipe Zipitría) [#2393]
+
+Functionality that has been moved to plugins for this release:
+ * feat: add Google OAuth 2 exclusion plugin (Jozef Sudolský) [#2388]
+ * feat: add phpBB exclusion rules (now a plugin) (Jozef Sudolský) [#1893]
+ * feat: add phpMyAdmin exclusion rules (now a plugin) (Jozef Sudolský) [#1951]
+ * feat: move IP reputation rules to plugins (Simon Studer) [#2482]
+ * feat: move exclusion profiles and DOS rules to plugins (Andrew Howe) [#2469]
+ * feat: ownCloud: Fix rule 9003001 to match both DAV and WebDAV (now a plugin) (Abu Dawud) [#2130]
+ * fix: nextcloud: fix FPs (now a plugin) (kam821, Jozef Sudolský, ntimo, Felipe Zipitría, pyllyukko) [#1840, #1843, #1847, #1946]
+ * fix: phpBB: Fix FPs (now a plugin) (Jozef Sudolský) [#2057, #2180, #2299, #2343]
+ * fix: phpMyAdmin: Fix FPs (now a plugin) (Jozef Sudolský) [#2172, #2249, #2321, #2351]
+ * fix: replace ARGS by ARGS_GET in rules in phase:1 (various rule exclusion rules) (Ervin Hegedus) [#2063]
+ * fix: wordPress: fix FPs (now a plugin) (Jozef Sudolský) [#1899, #1971, #2320]
+ * fix: wordPress: fix FPs and improve performance (now a plugin) (Walter Hop) [#1997, #2311]
+ * fix: wordPress: fix FPs in Site Health page (now a plugin) (Robert de Boer, Fregf, Walter Hop) [#1895, #1920]
+ * fix: xenForo: fix FPs (now a plugin) (Walter Hop, ThanhPT) [#1844, #1865, #1894, #1998, #2421]
+
+## Version 3.3.7 - 2024-10-28
+
+### ⭐ Important changes
+* fix: 9EA-241022 v3 by @RedXanadu in https://github.com/coreruleset/coreruleset/pull/3906
+
+## Version 3.3.6 - 2024-08-27
+
+Important changes:
+
+* Backport fix for 3MU-240701-1 - catch invalid character in multipart headers via new rule 922130 (Ervin Hegedus, Felipe Zipitría)
+* Backport fix for 3MU-240701-2 - prevent using backslash in file names from v4 - updated rule 920120 - pl1, 920121 - pl2 (Felipe Zipitria)
+
+## Version 3.3.5 - 2023-07-18
+
+Important changes:
+
+* Backport fix for CVE-2023-38199 from CRS v4 via new rule 920620 (Andrea Menin, Felipe Zipitría)
+
+Fixes:
+
+* Fix paranoia level-related scoring issue in rule 921422 (Walter Hop)
+* Move auditLogParts actions to the end of chained rules where used (Ervin Hegedus)
+
+Chore:
+
+* Clean up redundant paranoia level tags (Ervin Hegedus)
+* Clean up YAML test files to support go-ftw testing framework (Felipe Zipitría)
+* Move testing framework from ftw to go-ftw (Felipe Zipitría)
+
+## Version 3.3.4 - 2022-09-20
+
+Fixes and improvements:
+
+* Fix a regression in our former release, with the impact that some Paranoia Level 2 rules would activate even when running in Paranoia Level 1. (Simon Studer, Walter Hop)
+
+## Version 3.3.3 - 2022-09-19
+
+Important changes:
+
+* This update requires ModSecurity version 2.9.6 or 3.0.8 (or an updated version with backports of the security fixes in these versions) or a compatible engine supporting these changes. If you do not upgrade ModSecurity, the file REQUEST-922-MULTIPART-ATTACK.conf will cause ModSecurity to fail to start. In that case, you can temporarily delete that file. However, you will be missing protection from these rules. Therefore, we recommend upgrading your ModSecurity or other engine instead.
+* By default, the request headers "Accept-Charset" and "Content-Encoding" are now blocked to prevent a WAF bypass. Especially the "Accept-Charset" header may be in use by clients. If you need to serve clients that send this header, uncomment and edit rule 900250 in crs-setup.conf.
+
+Fixes and improvements:
+
+* Fix CVE-2022-39955 Multiple charsets defined in Content-Type header (Jan Gora)
+* Fix CVE-2022-39956 Content-Type or Content-Transfer-Encoding MIME header fields abuse (Jan Gora, Felipe Zipitria)
+* Fix CVE-2022-39957 Charset accept header field resulting in response rule set bypass (Karel Knibbe, Max Leske)
+* Fix CVE-2022-39958 Small range header leading to response rule set bypass (Hussein Daher, Christian Folini)
+* Fix MIME header abuse via _charset_ field (Jan Gora, Felipe Zipitria)
+* Fix bypass using deflated request body (Karel Knibbe)
+* Fix request body partial rule set bypass via Content-Type "text/plain" (Pinaki Mondal, Andrea Menin)
+* Fix XML Body Parser abuse for non-XML request bodies (Jan Gora)
+* Fix body processor bypass by content-type outside the mime type declaration (Jan Gora, Simon Studer, Ervin Hegedus)
+
+## Version 3.3.2 - 2021-06-30
+
+Fixes and improvements:
+ * Fix CVE-2021-35368 WAF bypass using pathinfo (Christian Folini)
+
+## Version 3.3.0 - 2020-07-01
+
+Important changes:
+ * The format of crs-setup.conf variable "tx.allowed_request_content_type" has been changed to be more in line with the other variables. If you have overridden this variable, please see the example in crs-setup.conf for the new separator to use.
+
+New functionality:
+ * Block backup files ending with ~ in filename (Andrea Menin)
+ * Detect ffuf vuln scanner (Will Woodson)
+ * Detect Nuclei vuln scanner (azurit)
+ * Detect SemrushBot crawler (Christian Folini)
+ * Detect WFuzz vuln scanner (azurit)
+ * New LDAP injection rule (Christian Folini)
+ * New HTTP Splitting rule (Andrea Menin)
+ * Add .swp to restricted extensions (Andrea Menin)
+ * Allow CloudEvents content types (Bobby Earl)
+ * Add CAPEC tags for attack classification (Fernando Outeda, Christian Folini)
+ * Detect Unix RCE bypass techniques via uninitialized variables, string concatenations and globbing patterns (Andrea Menin)
+
+Removed functionality:
+ * Removed outdated rule tags WASCTC, OWASP_TOP_10, OWASP_AppSensor/RE1, and OWASP_CRS/FOO/BAR; note that tags 'OWASP_CRS' and 'attack-type' are kept. (Christian Folini)
+
+Improved compatibility:
+ * Changed variable to lowercase (modsec3 behavior fix) (Ervin Hegedus)
+
+Fixes and improvements:
+ * WordPress: Add support for upload image/media in Gutenberg Editor (agusmu)
+ * Prevent bypass of rule 921110 (Amit Klein, Franziska Bühler)
+ * Prevent bypass of rule 921130 (Amit Klein, Franziska Bühler)
+ * fix CVE msg in rules 944120 944240 (Fernando Outeda)
+ * Remove broken or no longer used files (Federico G. Schwindt)
+ * Make content-type case insensitive (Franziska Bühler)
+ * Move /util/docker folder from v3.3/dev branch to dedicated repo (Peter Bittner)
+ * feat(lint): split actions in linting and regression (Felipe Zipitria)
+ * Fix FP in 921120 (Franziska Bühler)
+ * Add missing OWASP_CRS tags (Christian Folini)
+ * Fix GHA badges (Federico G. Schwindt)
+ * feat(badge): add apache license badge
+ * fix typos found by fossies codespell (Tim Herren)
+ * Decrease processing time of rules (Ervin Hegedus)
+ * handle multiple directives in 920510 (Andrea Menin)
+ * handle multiple directives in 920510 (Andrea Menin)
+ * fix(ci): use log_contains instead (Felipe Zipitria)
+ * Move test where it belongs (Federico G. Schwindt)
+ * fix(ci): use docker in DetectionOnly (Felipe Zipitria)
+ * fix(rule): remove dangling whitespace (Felipe Zipitria)
+ * fix(ci): run actions on .github change (Felipe Zipitria)
+ * fix(docs): update badges and links in readme (Felipe Zipitria)
+ * README: update repo link (Walter Hop)
+ * Update README: Copyright 2019 -> 2020 (Christian Folini)
+ * fix(ci): run tests also on PRs (Felipe Zipitria)
+ * fix(ci): change test name and fix default params (Felipe Zipitria)
+ * Restore Travis Status (was in the wrong repo) (Christian Folini)
+ * Remove outdated Travis status after migration (Christian Folini)
+ * feat(ci): adds github actions testing (Felipe Zipitria)
+ * fix(migration): post migration tasks (Felipe Zipitria)
+ * feat(templates): add text to github templates about migration. To be reverted after migration is done. (Felipe Zipitria)
+ * Added more explanations to comment of 920300 (Christian Folini)
+ * Added 'ver' action with current version to all necessary rules (Ervin Hegedus)
+ * Update nextcloud excl rules and shorten var (Franziska Bühler)
+ * Change to preferred lowercase var (Franziska Bühler)
+ * Set var to lowercase and change comment (Franziska Bühler)
+ * Resolve issue with allowed_request_content_types (Franziska Bühler)
+ * Allow REPORT requests without Content-Type header in Nextcloud (pyllyukko)
+ * Suppress rule 200002 when editing contacts in Nextcloud (pyllyukko)
+ * XenForo: update exclusions (Walter Hop)
+ * WordPress: exclude additional URL fields in profile editor (Walter Hop)
+ * add www to link (NullIsNot0)
+ * Fix link for 941310 Old link does not work anymore. Change it to new one. (NullIsNot0)
+ * Add Content-Type: multipart/related as allowed default (jeremyjpj0916)
+ * Resolve issue 1722 and fix content-type whitelisting (Franziska Bühler)
+ * make severities and scores consistent (Walter Hop)
+ * add QQGameHall UA (#1731) (Andrea Menin)
+ * another test (Allan Boll)
+ * Add word boundaries around values in SQL tautologies (942130) (Allan Boll)
+ * Move tests to their own file, while here also correct permissions for 920180. (Federico G. Schwindt)
+ * Rule to check if both C-L and T-E are present (#1310) (Federico G. Schwindt)
+ * Fixes for 2 tests in 921200 (Christian Folini)
+ * XenForo: add exclusions, remove unnecessary chains (#1673) (Walter Hop)
+ * Fix FPs for 942350 (#1706) (Franziska Bühler)
+ * Fix typos found by codespell / Fossies project (#1702) (Simon Studer)
+ * Ignore check of CT header in POST request if protocol is HTTP/2 (Ervin Hegedus)
+ * Narrowing down the subpattern .\*? in 941130 (Christian Folini)
+ * Restricting a wide regex a bit (Christian Folini)
+ * Drop escapes (Christian Folini)
+ * Fix FP in 941130 and rearrange regex with new regex-assemble file (Christian Folini)
+ * Ignore check of CT header in POST request if protocol is HTTP/2 (Ervin Hegedus)
+ * Remove trailing dot in several msg actions (#1678) (Tim Herren)
+ * Replace REQUEST_BODY with ARGS on 930100 and 930110 (#1659) (Andrea Menin)
+ * Temporary travis workaround to buy time and fix it for good (#1684) (Andrea Menin)
+ * Add regression tests (Franziska Bühler)
+ * Fix FP with create with 942360 (Franziska Bühler)
+ * Avoid embedded anchors in CRS rule 942330 (Allan Boll)
+ * Update 942450 for less false positives, more tests (#1662) (Will Woodson)
+ * Ensure single ranges are also checked (#1661) (Federico G. Schwindt)
+ * WordPress: also exclude posts/pages endpoint in subdirectories (Walter Hop)
+ * For bugs, also ask for the environment (#1657) (Federico G. Schwindt)
+ * XenForo: fix incorrect escape (Walter Hop)
+ * XenForo: additional exclusions (Walter Hop)
+ * Pattern cleanup across several rules (#1643). Drop unneeded non-capture groups; No need to escape "-" outside character classes And only if it is not at the end. (Federico G. Schwindt)
+ * Improve rule 941350: Previously, this rule will also match on the equivalent to "<..<". Rewrite it so it is only triggered by the equivalent to "<..>", simplifying the pattern quite a bit as a bonus. While here add a link describing the bypass for future reference.
+ * Fix test Was using the equivalent to "<...<" instead of "<...>". (Federico G. Schwindt)
+ * Move the help and support link to contacts (#1647) While here rename to ensure they are presented in the right order and minor cosmetics. (Federico G. Schwindt)
+ * Move remaining regression test data file to new folder, cleanup README (#1646) (Peter Bittner)
+ * Also ask for the paranoia level (Federico G. Schwindt)
+ * Make it a tiny bit more colorful (Federico G. Schwindt)
+ * Spacing (Federico G. Schwindt)
+ * Fix emoji (Federico G. Schwindt)
+ * Switch to multiple templates for github issues (#1644) (Federico G. Schwindt)
+ * Fix paranoia-level log description (Andrea Menin)
+ * change IRC to Slack (Walter Hop)
+ * fix spacing (Walter Hop)
+ * Moving tests and documentation folders (#1627) (Soufiane Benali)
+ * add triggered rule (#1636) (Andrea Menin)
+ * Drop the translate header from the restricted list Fixes #1410. (Federico G. Schwindt)
+ * Mark stale issues (Federico G. Schwindt)
+ * Added support for >). Use negated classes for better performance. (Federico G. Schwindt)
+ * Add test for issue #1580 (#1612) (Federico G. Schwindt)
+ * removes t:lowercase (Andrea Menin)
+ * Move integration tests to their own job (#1608) Also cleanup branches' list. (Federico G. Schwindt)
+ * Add PL1 tag. (Anna Winkler)
+ * Change version number for full version name (Felipe Zipitria)
+ * Better document legacy conversion procedure Add text with instructions for a simple conversion utility. (Felipe Zipitria)
+ * Correct example text regarding GeoIP. Add maxmind tool for downloading files (Felipe Zipitria)
+ * Ignore configuration files generated by the JetBrains editors (Anna Winkler)
+ * Update name of branch to use for feature branches. Minor syntax updates. (Anna Winkler)
+ * Minor optimisation (Emile-Hugo SPIR)
+ * Also fix the `as herefrom` pattern (Emile-Hugo SPIR)
+ * More conservative fix (Emile-Hugo SPIR)
+ * Update the source file (Emile-Hugo SPIR)
+ * Fix a FP (`, aside from`) (Emile-Hugo SPIR)
+ * regression fix for #1581 (emphazer)
+ * Change order to check ip first in both rules (Felipe Zipitria)
+ * Change chain order (Felipe Zipitria)
+ * Fix spacing in text (Felipe Zipitria)
+ * Add link to mailing list archives (Felipe Zipitria)
+ * Adding new test for 941150 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Adding new test for 941340 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Adding new test for 941280 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Adding new test for 941170 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Adding new test for 941250 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Adding new test for 941220 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Adding new test for 941330 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Adding new test for 941300 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Adding new test for 941230 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Adding new test for 941260 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Adding new test for 941290 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Adding new test for 941270 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Adding new test for 942180 based on XSS cheatsheet by portswigger (Christian Folini)
+ * Update mailing list links to google group (Felipe Zipitria)
+ * Fix typo and add 2 new entries to 941160 (Franziska Bühler)
+ * Switch to dates in YYYY-MM-DD format IOW iso 8601. While here add newlines and drop empty categories. (Federico G. Schwindt)
+ * Update badges, add v3.3 and remove v3.0 (#1557) (Federico G. Schwindt)
+ * Rearrange characters and add positive and negative test cases. Moved the dash to the end of the character set to avoid escaping it. Added test with all the new characters and a test for multiple whitespaces. Allowed a previously blocked charset. (Tim Herren)
+ * 920470: include chars from rfc 2046 RFC 2046 allows additional chars for the boundary. \d removed as it is covered by \w in the regex. Removed unnecessary escapes. (Tim Herren)
+ * Fix bypass in 931130 Don't rely on beginsWith as it might allow attackers to create subdomains matching the prefix. Add tests to cover this and other cases. The latter fixes #1404. (Federico G. Schwindt)
+ * fix rule regex due to remove t:removeComments (Andrea Menin)
+ * 920470: include chars from rfc 2046 RFC 2046 allows additional chars for the boundary. \d removed as it is covered by \w in the regex. Removed unnecessary escapes. (Tim Herren)
+ * update Dockerfiles and Travis to use v3.3/dev (Walter Hop)
+
+## Version 3.2.0 - 2019-09-24
+
+New functionality:
+ * Add AngularJS client side template injection 941380 PL2 (Franziska Bühler)
+ * Add docker-compose.yaml and example rule exclusion files for docker-compose (Franziska Bühler)
+ * Add extended access.log format to Docker (Franziska Bühler)
+ * Add libinjection check on last path segment (Max Leske, Christian Folini)
+ * Add PUBLIC identifier for XML entities (#1490) (Rufus125)
+ * Add .rdb to default restricted_extensions (Walter Hop)
+ * Add .swp to default restricted_extensions (Andrea Menin)
+ * Add rule 933200 PHP Wrappers (Andrea Menin)
+ * Add send-payload-pls.sh script to test payload against multiple paranoia levels (Christian Folini, Manuel Spartan)
+ * Add support for shell evasions with $IFS (Walter Hop, Chaim Sanders)
+ * Add unix-shell commands (Christoph Hansen, Chaim Sanders)
+ * Also inspect the path for the script tag (Federico G. Schwindt)
+ * Detect 80legs, sysscan, Gobuster scanners (Brent Clark)
+ * Detect CGI source code leakages (Christoph Hansen, Walter Hop)
+ * Detect 'crawler' user-agent (Federico G. Schwindt)
+ * Detect Jorgee, Zgrab scanners (Walter Hop)
+ * Detect MySQL in-line comments (Franziska Bühler)
+ * Detect Wappalyzer scanner (Christian Folini, Chaim Sanders)
+ * Java RCE: Add struts namespaces (Walter Hop)
+ * Java RCE: Detect more java classes (Manuel Leos)
+ * Javascript: Add 941370 preventing a bypass for 941180 (Andrea Menin)
+ * Make CRS variables configurable in Docker image (Franziska Bühler)
+ * New PL3 rule 920490 to protect against content-type charset bypassing (Christian Folini)
+ * Node.js unserialization + javascript RCE snippets (Walter Hop)
+ * Request smuggling: Also cover pre http/1.0 requests (Federico G. Schwindt)
+ * Restricted files: Added many dotfiles (Dan Ehrlich)
+ * SQLi bypass detection: ticks and backticks (Franziska Bühler)
+ * XenForo rule exclusion profile (Walter Hop)
+
+Removed functionality:
+ * Remove unused protected_uploads setting from setup (Walter Hop)
+ * Remove deprecated tx.msg and tx.%{rule.id}-... (Federico G. Schwindt)
+ * Remove deprecated upgrade script (Walter Hop)
+
+Improved compatibility:
+ * Add OWASP_CRS tags for ModSec 3 changes and replace ruleRemoveTargetByTag arguments (Ervin Hegedus)
+ * Replace @contain % with @rx 25; ModSec 3 fails to parse % by itself (or escaped). (Federico G. Schwindt)
+ * RE2 compatibility for 941130, 920220, 920240, 920230, 920460, 942200, 942370 (Allan Boll)
+ * Hyperscan compatibility and simplification for 942450 (Allan Boll)
+
+Fixes and improvements:
+ * 932140: fix ReDoS in FOR expression (Walter Hop)
+ * 933200: Simplify pattern (Federico G. 
Schwindt, Andrea Menin) + * 941380: fix anomaly score variable (Franziska Bühler) + * 942510, 942511: fix anomaly score variable (Walter Hop) + * Add content-type application/csp-report (Andrea Menin) + * Add content-type application/xss-auditor-report (Andrea Menin) + * Add CRS 3.2 Badge build support. (Chaim Sanders) + * Add CVE numbers for Apache Struts vulnerabilities to comments in rules (Franziska Bühler) + * Add CVE-2018-11776 to comments of 933160 and 933161 (Franziska Bühler) + * Add CVE-2018-2380 to comments of rules (Franziska Bühler) + * Add default env vars for anomaly scores in Docker (Franziska Bühler) + * Add missing OWASP_CRS tags to 921xxx rules (Walter Hop) + * Add REQUEST_FILENAME to rule id 944130 and add exploits to comment (Franziska Bühler) + * Add spaces in front of closing square brackets (Franziska Bühler) + * Add travis changes (#1316) (Chaim Sanders) + * Allow dot characters in Content-Type multipart boundary (Walter Hop) + * Also handle dot variant of X_Filename. PHP will transform dots to underscore in variable names since dot is invalid. (Federico G. Schwindt) + * As per the ref manual, it is compressWhitespace (Federico G. Schwindt) + * Avoid php leak false positive with WOFF files (Manuel Spartan) + * Bring back CRS 2.x renumbering utility (Walter Hop) + * Clean up travis and reorg (Federico G. Schwindt) + * Code cosmetics: reorder the actions of rules (Ervin Hegedus) + * Content-Type is case insensitive (Federico G. Schwindt) + * Disassembled 941160 (Franziska Bühler) + * Drop separate regexp files. They are not really needed and save us from updating multiple places. (Federico G. Schwindt) + * Drop t:lowercase from 941350 (Federico G. Schwindt) + * Drop unneeded capture groups and tidy up (Federico G. Schwindt) + * Drop unneeded capture groups and tidy up regexps (Federico G. Schwindt) + * Drop unneeded unicode from 941110. Add tests to cover a few more variants as well as a negative test (Federico G. 
Schwindt) + * Fix 920440 "URL file extension is restricted by policy" regex (Andrea Menin) + * Fix 920460 test (Federico G. Schwindt) + * Fix 942101 and 942460 by adding to sqli_score variable (Christian Folini) + * Fix checking the existence of 'HTTP' trailing request verb and request path in the payload for HTTP request smuggling; decreases false-positives on free-form text. (Yu Yagihashi) + * Fix commit default for non 2.9 branch (Chaim Sanders) + * Fix CRS2->CRS3 mapping table (973344 -> 941100) (Chaim Sanders) + * Fix date (Chaim Sanders) + * Fix Docker image SSL support (Franziska Bühler) + * Fix duplicate .env (jschleus, Chaim Sanders) + * Fix executing paranoia level counters (Christian Folini) + * Fix indentation and python version in crs2-renumbering script (Chaim Sanders) + * Fix input / headers misordering (Christian Folini) + * Fix path traversal attack pattern at id:930110 (Ervin Hegedus) + * Fix regexp in Docker image (Franziska Bühler) + * Fix regexp with incorrect dot '.' escape in rule 943120 (XeroChen) + * Fix request header Sec-Fetch-User false positive (na1ex) + * Fix runaway regexp in 942260. Add variant regexp assemble script to handle possessive qualifiers. Use possessive qualifiers to tight this up and solve ReDoS problem. (Federico G. Schwindt) + * Fix small typo in variable (Felipe Zipitria) + * Fix spelling error in variable name (supplient) + * Fix transform name pointed out by secrules_parsing (Federico G. Schwindt) + * Fix Travis Merge not being able to find HEAD (Chaim Sanders) + * Fix vulnerable regexp in rule 942490 (CVE-2019-11387) (Christoph Hansen) + * Fix wrong regex, assembly result, in 942370 (Franziska Bühler) + * INSTALL: advise to use release zips, remove upgrade.py, update Nginx (Walter Hop) + * Java: change tag from COMMAND_INJECTION to JAVA_INJECTION (Manuel Spartan) + * Jwall auditconsole outbound anomaly scoring requirements (Christoph Hansen) + * Mark patterns not supported by RE2 (Federico G. 
Schwindt) + * Move duplicated 900270 to 900280 Fixes #1236. (Federico G. Schwindt) + * Move PROXYLOCATION var (Franziska Bühler) + * PHP: move get_defined_functions() and friends into PL1 (Walter Hop) + * Pin the ftw version to 1.1.7 for now (Federico G. Schwindt) + * Prevent bypass 933180 PHP Variable Function (Andrea Menin) + * Reduce comments, introduction of triggered exploits (Franziska Bühler) + * Remove all trailing spaces from ftw yaml test files (Ervin Hegedus) + * Remove auditlog No other rules specify it. Add missing quotes and drop rev (Federico G. Schwindt) + * Remove capture, remove tx.0, add transformation functions, fix regex, add presentation link (Andrea Menin) + * Remove old and unwanted setvar constructs (Federico G. Schwindt) + * Remove superfluous comments (Walter Hop) + * Remove superfluous pmf (Federico G. Schwindt) + * Remove t:lowercase from 920490 (Christian Folini) + * Remove WARNING from php-errors.data (Andrea Menin) + * Reorder actions (Federico G. Schwindt) + * Replacing all @pmf with @pmFromFile (Christian Treutler) + * Restricted-files.data: add AWS config (Walter Hop) + * SQLI: removed unnecessary + (Christoph Hansen) + * Switch Docker image to owasp/modsecurity:2.9-apache-ubuntu (Federico G. Schwindt) + * unix-shell.data: fix typo in 'more' (Walter Hop) + * Update .travis.yml Update to support v3.1 (Chaim Sanders) + * Update dockerfile to always use 3.2/dev (Federico G. 
Schwindt) + * Update OWASP CRS Docker image to support the new upstream and 2.9.3 (Peter Bittner, Chaim Sanders) + * Update RESPONSE-950-DATA-LEAKAGES.conf (Christoph Hansen) + * Update RESPONSE-959-BLOCKING-EVALUATION.conf (Christoph Hansen) + * Wordpress: add support for Gutenberg editor (siric_, Walter Hop) + * Wordpress: allow searching for any term in admin posts/pages overview (Walter Hop) + * WordPress: exclude Gutenberg via rest_route (Walter Hop) + * WordPress: exclude some more profile.php fields from RFI rule (Walter Hop) + * WordPress: exclude SQL comment rule from _wp_http_referer (Walter Hop) + * XML Soap Encoding fix 920240 (Christoph Hansen) + +Unit tests: + * 932140: add regression tests (Walter Hop) + * 933180: fix tests which were doing nothing (Walter Hop) + * 941370: add some more tests, fix whitespace (Walter Hop) + * Add more tests for 941130 (Christian Folini) + * Add regression test for 941101 (Avery Wong) + * Add regression tests for 942150, 942100, 942260 (Christian Folini) + * Add regression tests to 941160 (Franziska Bühler) + * Add some regression tests (Ervin Hegedus) + * Add testing support for libmodsecurity running on Apache and Nginx (Chaim Sanders) + * Add tests for 941360 that fights JSFuck and Hieroglyphy (Christian Folini) + * Add tests for rule 921110 (Yu Yagihashi) + * Added regression tests for rules 942320, 942360, 942361, 942210, 942380, 942410, 942470, 942120, 942240, 942160, 942190, 942140, 942490, 942120 (Christoph Hansen) + * Drop tests for removed rules (Federico G. Schwindt) + * Fix failing regression tests (Ervin Hegedus) + * Fix failing tests (Manuel Spartan, Chaim Sanders) + * Fix readme typos in example rule (Walter Hop) + * Fix test 941110-2 (Federico G. Schwindt) + * Fix YAML 1.2 compliance with "true" (Federico G. Schwindt) + * RCE: Add tests for the for command (Federico G. 
Schwindt) + * Update regression tests for rules 931110, 931120, 931130 (Simon Studer) + +Documentation: + * Add details to README for Dockerhub (Franziska Bühler) + * Add intro/comment to CVE comments (Franziska Bühler) + * CONTRIBUTING: add note about separate PRs (Walter Hop) + * Erased gitter chat. Added CII badge (Felipe Zipitria) + * Replaced descriptions (Christian Folini) + * Summarized authors on single line in tests for 941160 (Christian Folini) + * Update broken link in regexp-assemble blog URLs (Walter Hop) + * Update CONTRIBUTING.md To base changes on v3.2/dev. (Felipe Zipitría) + * Update CONTRIBUTORS order (Andrea Menin) + * Update README.md (Rufus125) + * Updating crs site location (Chaim Sanders) + +## Version 3.1.1 - 2019-06-26 + + * Fix CVE-2019-11387 ReDoS against CRS on ModSecurity 3 at PL 2 (Christoph Hansen, Federico G. Schwindt) + * Content-Type made case insensitive in 920240, 920400 (Federico G. Schwindt) + * Allow % encoding in 920240 (Christoph Hansen) + * Fix bug in 920440 (Andrea Menin) + * Fix bug in 920470 (Walter Hop) + * Reduce false positives in 921110 (Yu Yagihashi, Federico G. Schwindt) + * Fix bug in 943120 (XeroChen) + +## Version 3.1.0 - 2018-08-07 + + * Add Detectify scanner (Andrea Menin) + * Renaming matched_var/s (Victor Hora) + * Remove lines with bare '#' comment char (Walter Hop) + * Drop the XML variable from rule 932190 (Federico G. Schwindt) + * Update outdated URLs (Walter Hop) + * remove unused rule 901180 (Walter Hop) + * Drop exit from unix and windows RCE (Federico G. Schwindt) + * Fix anomaly_score counters (Federico G. 
Schwindt) + * Remove mostly redundant 944220 in favor of 944240 (Christian Folini) + * Add self[ and document[ to rule 941180 (Andrea Menin) + * Provide proxy support within CRS docker image (Scott O'Neil) + * Prevent bypass in rule 930120 PL3 (Andrea Menin) + * Fix small typo in variable (Felipe Zipitría) + * Fix bug #1166 in Docker image (Franziska Bühler) + * Remove revision status from rules (Federico G. Schwindt) + * Add template for issues (Federico G. Schwindt) + * Correct failing travis tests in merge situations (Federico G. Schwindt) + * Remove unused global variable in IIS rules (Chaim Sanders) + * Refactor to use phase number instead of name (Federico G. Schwindt) + * Add uploaded file name check; refresh LFI / filename checks (Walter Hop) + * Introduce critical sibling of 920340 in PL2 (Walter Hop) + * Fix bypass caused by multiple spaces in RCE rules (Walter Hop) + * Remove unneeded regex capture groups (Federico G. Schwindt) + * Add built-in exceptions for CPanel (Christoph Hansen) + * Add additional file restrictions for ws_ftp, DS_Store... 
(Jose Nazario) + * Fix missing strings in 942410 (Franziska Bühler) + * Add 2 missing PDO errors (Christoph Hansen) + * Fix issues with FPs in regression tests (Chaim Sanders) + * Add Nextcloud client exclusion support (Christoph Hansen) + * Fix spelling mistakes in REQUEST-942- (Padraig Doran, Chaim Sanders) + * Explicitly ignore the user defined rules (Aaron Haaf, Chaim Sanders) + * Add regression tests for 942490 (Christoph Hansen, Chaim Sanders) + * Add Owncloud client exclusion support (Christoph Hansen, Christian Folini) + * Adding 'F-Secure Radar' vulnerability scanner UA (Christian Folini, Chaim Sanders) + * Update DockerFile to use Ubuntu as base (Chaim Sanders) + * False positives 942360: move alter and union (Franziska Bühler, Chaim Sanders) + * Add support for Java style attacks (Manuel Spartan, Walter Hop) + * Fix various regression tests issues caused by webserver handling (azhao155, Chaim Sanders) + * Update TravisCI to build on a per PR basis (Chaim Sanders) + * Optimized rule 921160 and regex (Allan Boll, Chaim Sanders) + * Update the consistency across various files (Federico G. Schwindt) + * Add missing transform, 944120 sibling 944240 (Manuel Spartan) + * Fix false positive for 'like' in 942120 (Walter Hop) + * Add regression tests for Java Rules (Manuel Spartan) + * Fixup and small reorg of dokuwiki rule exclusion package (Christian Folini) + * Make TravisCI tests fail if Apache can't load rules (Felipe Zipitría) + * Add exclusion rules for Dokuwiki (Matt Bagley, Christian Folini) + * Initial exclusions for NextCloud installs (Matt Bagley, Christian Folini) + * Added struts-pwn UA to list (Manuel Spartan) + * Uses MULTIPART_MISSING_SEMICOLON instead of MULTIPART_SEMICOLON_MISSING (Felipe Zimmerle) + * Add file upload checks (Manuel Spartan) + * Check if Transfer-Encoding is missing (Federico G. Schwindt, Christian Folini) + * Remove duplicated variables (Federico G. 
Schwindt) + * Reduce FP by splitting classic SQL injection rule 942370 (Christoph Hansen) + * Fix typo in REQUEST-920-PROTOCOL-ENFORCEMENT (ihacku, Franziska Bühler) + * Add configurable timestamp format to FTW integration (Christian Folini) + * Add badges to README (Felipe Zipitría) + * Add clarifying comments to 910110 (Christian Folini) + * Making rule 933131 case-insensitive (Manuel Spartan) + * Merge and reorder rules as part of cleanup (Federico G. Schwindt) + * Update copyright date and syntax (Jose Nazario, Felipe Zipitría) + * Updated SecMarker and SkipAfter names to use meet guidelines (Felipe Zipitría) + * Tidy up single quotes and other guidelines updates (Felipe Zipitría) + * Syntax fix for setvar crs_exclusions_wordpress (Manuel Spartan) + * Updated various contributors to developers (Christian Folini) + * Revise SQL rules by disassembling them into their core protections (Franziska Bühler) + * Add an example payload to 920220 (coolt) + * Add a missing regex to rule 942310 (Franziska Bühler) + * Detect GET or HEAD with Transfer-Encoding header (Federico G. Schwindt) + * Fix broken links in references (Pásztor Gábor) + * Add contributing guidelines (Felipe Zipitría) + * Fix processing bypasses in rule 931130 (Felipe Zipitría, Christian Folini) + * Correct small omissions in unix-shell.data (Walter Hop) + * Add IIS specific detection to LFI-os-files.data (Manuel Spartan) + * Update examples to match the current cleanup (Federico G. Schwindt) + * Corrected the ordering of actions to meet guidelines (Felipe Zipitría) + * Remove unused capture groups (Federico G. Schwindt) + * Use explicit rx operator (Federico G. Schwindt) + * Update the RCE regular expressions(Walter Hop, Federico G. 
Schwindt) + * Removing maturity & accuracy from rules (Felipe Zipitría) + * Increasing range header (Christoph Hansen) + * Fixed upgrade.py script argument options (Glyn Mooney) + * Updating to reflect OWASP flagship status (Chaim Sanders) + * Adding Docker support for CRS (Chaim Sanders) + * Initial Travis deployment (Zack Allen, Walter Hop) + * Initial commit of regression tests (Chaim Sanders, Walter Hop) + * Remove test for 921170 because it won't ever fire (Chaim Sanders, Walter Hop) + * Update minor incorrectness in asp.net regex (Chaim Sanders, Walter Hop) + * Add notification for builds against #modsecurity on freenode (Zack Allen, Walter Hop) + * Add all past code contributors and convert to markdown (Walter Hop) + * Block uploads of files with .phps extension (Walter Hop) + * Improve message for script upload with superfluous extension (Walter Hop) + * Remove trailing whitespace in various regexs (Walter Hop) + * Add command popd to direct unix rce list in rule 932150 (Franziska Bühler) + * Remove unnecessary END_XSS_CHECKS marker (Christian Folini) + * Ignore Whitespaces in Rule 942110 (Christoph Hansen) + * Update missing RCE Commands (Umar Farook) + * Update lfi-os-files.data (Umar Farook) + * Removed deprecated t:removeComments from 942100 (Christian Folini) + * Add word boundary to rule 942410 (Franziska Bühler) + +## Version 3.0.2 - 2017-05-12 + + * Remove debug rule that popped up in 3.0.1 (Christian Folini) + + +## Version 3.0.1 - 2017-05-09 + + * SECURITY: Removed insecure handling of X-Forwarded-For header; + reported by Christoph Hansen (Walter Hop) + * Fixed documentation errors in RESPONSE-999-... 
(Chaim Sanders) + * Reduced FPs on 942190 by adding a word boundary to regex (Franziska Bühler) + * Reduced FPs on 932150 by removing keyword reset (Franziska Bühler) + * Tidied exceptions in 930100 (Roberto Paprocki) + * Reduced FPs for 920120 by splitting into stricter sibling (Franziska Bühler) + * Simplified some Drupal rule exclusions (Damien McKenna, Christian Folini) + * Extended KNOWN_BUGS with remarks on JSON support on Debian (Franziska Bühler) + * Updated README to add gitter support (Chaim Sanders) + * Clarified DoS documentation for static extensions (Roberto Paprocki) + * Added application/octet-stream to allowed content types (Christian Folini) + * Typo in 942220 alert message (Chaim Sanders, @bossloper) + * Moved referrer check of 941100 into new PL2 rule (Franziska Bühler) + * Closed multiple @pmf evasions via lowercase transformation (Roberto Paprocki) + * Clarified libinjection bundling in INSTALL file (@cjdp) + * Reduced FPs via Wordpress Rule Exclusions (Walter Hop) + * Support for RFC 3902 (Content Type application/soap+xml; Christoph Hansen) + Make sure you update ModSecurity recommended rule 200000 as well. 
+ * Bugfix in 942410 regex (Christian Folini) + * Reduced FPs for 942360 (Walter Hop) + * Reduced FPs for 941120 by restricting event handler names (Franziska Bühler) + * Extended 931000 with scheme "file" to fix false negative (Federico Schwindt) + * Extended 905100 and 905110 for HTTP/2.0 (includes bugfix, Christoph Hansen) + * Moved 941150 from PL1 to PL2; includes Bugfix for rule (Christian Folini) + * Updated documentation for 920260 (Chaim Sanders) + * Bugfix in upgrade.py (Victor Hora) + * Fixed FP in RCE rule 932140 (Walter Hop) + * Fixed comment for arg limit check rule 920370 (Christian Folini) + * Created CONTRIBUTORS file + * Added Christoph Hansen (emphazer) to CONTRIBUTORS file + * Added Franziska Bühler (Franziska Bühler) to CONTRIBUTORS file + * Fixed bug with DoS rule 912160 (@loudly-soft, Christian Folini) + + +## Version 3.0.0 - 2016-11-10 + +Huge changeset running in separate branch from September 2013 to September 2016. +This is a cursory summary of the most important changes: + + * Huge reduction of false positives (Ryan Barnett, Felipe Zimmerle, Chaim + Sanders, Walter Hop, Christian Folini) + * Anomaly scoring is the new default, renamed thresholds from + tx.(in|out)bound_anomaly_score_level to + tx.(in|out)bound_anomaly_score_threshold + * Introduction of libinjection for SQLi detection + * Introduction of libinjection for XSS detection + * Big improvement on detection of Remote Command Execution (Walter Hop) + * Big improvement on PHP function name detection (Walter Hop) + * Paranoia Mode (Christian Folini, Noël Zindel, Franziska Bühler, + Manuel Leos, Walter Hop) + * Shifted dozens of rules into higher paranoia levels + * Introduced a lot of stricter sibling rules in higher levels + * Generic mechanism to support application specific rule exclusions + (Chaim Sanders) + * Initial Wordpress rule exclusions (Walter Hop) + * Initial Drupal rule exclusions (Christian Folini, @emphazer) + * Renumbering of rules. 
See folder id_renumbering for a + csv map (Chaim Sanders) + * Consolidation of rules, namely XSS and SQLi (Spider Labs/Trustwave team) + * Sampling mode / Easing in (Christian Folini) + * Cleanup of reputation checks / persistent blocking + (Christian Folini / Walter Hop) + * Tags much more systematic (Walter Hop) + * IP reputation checks / persistent blocking of certain clients + (Spider Labs/Trustwave team) + * Phase actions use request/response/logging now instead of + numerical phases (Spider Labs/Trustwave team) + * Added NoScript XSS Filters (Spider Labs/Trustwave team) + * Updated "severity" action to use words (CRITICAL, WARNING, etc...) + vs. numbers (5, 4, etc..) + * Various regex fixes after research by Vladimir Ivanov (Chaim Sanders) + * Overhaul of the regression mode into debug mode (Walter Hop, Ryan Barnett) + * Introduction of util/upgrade.py (Walter Hop) + * Removal of GeoIP database. Download via util/upgrade.py now. + * Introduction of Initialization rules with + default values (Walter Hop, Christian Folini) + * Sorting out terminology with + whitelisting and rule exclusions (Christian Folini) + * Overhaul of testing (Chaim Sanders) + * Protection from HTTP Parameter Pollution (Franziska Bühler) + * Simplification of setup config file, renamed file to crs-setup.conf.example + * Improved session fixation detection logic (Christian Peron, credits to + Eric Hodel for the discovery) + * Updated list of malicious webscanners + * Splitting scanner user agents data files (github user @ygrek) + * Countless bugfixes in severities, anomaly scores, tags, etc. 
+ across the board + * Cleanup of formerly experimental DDoS rules, + fix documentation (Ryan Barnett, Christian Folini) + * Improves http blacklist checks (Walter Hop) + * Extended XSS detection (as suggested by Mazin Ahmed) + * Added support for Travis CI + * Added support for HTTP/2 in recent Apache 2.4 (Walter Hop) + * Added many, many bots and scanners (among others suggested by + github user @toby78, @jamuse, Matt Koch) + * Fixed mime types suitable for XML processor (Chaim Sanders) + * Include script in util/join-multiline-rules to work around + Apache 2.4 < 2.4.11 bug with long lines (Walter Hop) + * New detection for request smuggling attacks (Achim Hofmann, + Christian Folini) + * Fixes with project honeypot setup (Ryan Barnett) + * Separated DB / SQL messages by DB software (Ryan Barnett) + * CPanel integration (Chaim Sanders) + * Introduction of var for static resources (Chaim Sanders) + * Many improvements to rules in 2014/5 (Ryan Barnett) + + +## Version 2.2.9 - 2013-09-30 + +Improvements: +* Updated the /util directory structure + + +Bug Fixes: +* fix 950901 - word boundary added +* modsecurity_35_bad_robots.data - gecko/25 blocks Firefox Android + https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/157 + + +## Version 2.2.8 - 2013-06-30 + +Improvements: +* Updated the /util directory structure +* Added scripts to check Rule ID duplicates +* Added script to remove v2.7 actions so older ModSecurity rules will work + - https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/43 +* Added new PHP rule (958977) to detect PHP exploits (Plesk 0-day from king cope) + - http://seclists.org/fulldisclosure/2013/Jun/21 + - http://blog.spiderlabs.com/2013/06/honeypot-alert-active-exploits-attempts-for-plesk-vulnerability-.html + + +Bug Fixes: +* fix 950901 - word boundary added + - https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/48 +* fix regex error + - https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/44 +* Updated the Regex in 981244 to 
include word boundaries + - https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/36 +* Problem with Regression Test (Invalid use of backslash) - Rule 960911 - Test2 + - https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/34 +* ModSecurity: No action id present within the rule - ignore_static.conf + - https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/17 +* "Bad robots" rule blocks all Java applets on Windows XP machines + - https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/16 +* duplicated rules id 981173 + - https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/18 + + +## Version 2.2.7 - 2012-12-19 + +Improvements: +* Added JS Overrides file to identify successful XSS probes +* Added new XSS Detection Rules from Ashar Javed (http://twitter.com/soaj1664ashar) + - http://jsfiddle.net/U9RmU/4/ +* Updated the SQLi Filters to add in Oracle specific functions + - https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/7 + +Bug Fixes: +* Fixed Session Hijacking rules + - https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/8 +* Fixed bug in XSS rules checking TX:PM_XSS_SCORE variable + + +## Version 2.2.6 - 2012-09-14 + +Improvements: +* Started rule formatting update for better readability +* Added maturity and accuracy action data to each rule +* Updated rule revision (rev) action +* Added rule version (ver) action +* Added more regression tests (util/regression_tests/) +* Modified Rule ID 960342 to block large file attachments in phase:1 +* Removed all PARANOID rule checks +* Added new Session Fixation rules + +Bug Fixes: +* Fixed missing ending double-quotes in XSS rules file +* Moved SecDefaultAction setting from phase:2 to phase:1 +* Fixed Session Hijacking SessionID Regex + https://www.modsecurity.org/tracker/browse/CORERULES-79 +* Changed the variable listing for many generic attack rules to exclude REQUEST_FILENAME + https://www.modsecurity.org/tracker/browse/CORERULES-78 + + +## Version 2.2.5 - 2012-06-14 + +Security 
Fixes: +* Updated the anomaly scoring value for rule ID 960000 to critical + (Identified by Qualys Vulnerability & Malware Research Labs (VMRL)) + (https://community.qualys.com/blogs/securitylabs/2012/06/15/modsecurity-and-modsecurity-core-rule-set-multipart-bypasses) +* Updated Content-Type check to fix possible evasion with @within + (Identified by Qualys Vulnerability & Malware Research Labs (VMRL)) + (https://community.qualys.com/blogs/securitylabs/2012/06/15/modsecurity-and-modsecurity-core-rule-set-multipart-bypasses) + +Improvements: +* Renamed main config file to modsecurity_crs_10_setup.conf +* Updated the rule IDs to start from CRS reserved range: 900000 +* Updated rule formatting for readability +* Updated the CSRF rules to use UNIQUE_ID as the token source +* Added the zap2modsec.pl script to the /util directory which converts + OWASP ZAP Scanner XML data into ModSecurity Virtual Patches +* Updated the Directory Traversal Signatures to include more obfuscated data +* Added Arachni Scanner Integration Lua script/rules files + +Bug Fixes: +* Added forceRequestBodyVariable action to rule ID 960904 + + +## Version 2.2.4 - 2012-03-14 + +Improvements: +* Added Location and Set-Cookie checks to Response Splitting rule ID 950910 +* Added a README file to the activated_rules directory +* Consolidate a number of SQL Injection rules into optimized regexs +* Removed multiMatch and replaceComments from SQL Injection rules +* Updated the SQLi regexs for greediness +* Updated the SQLi setvar anomaly score values to use macro expansion +* Removed PARANOID mode rules + +Bug Fixes: +* Fixed missing comma before severity action in rules 958291, 958230 and 958231 +* Fixed duplicate rule IDs + + +## Version 2.2.3 - 2011-12-19 + +Improvements: +* Added Watcher Cookie Checks to optional_rules/modsecurity_crs_55_appication_defects.conf file + http://websecuritytool.codeplex.com/wikipage?title=Checks#cookies +* Added Watcher Charset Checks to 
optional_rules/modsecurity_crs_55_application_defects.conf file + http://websecuritytool.codeplex.com/wikipage?title=Checks#charset +* Added Watcher Header Checks to optional_rules/modsecurity_crs_55_application_defects.conf file + http://websecuritytool.codeplex.com/wikipage?title=Checks#header + +Bug Fixes: +* Fixed Content-Type evasion issue by adding ctl:forceRequestBodyVariable action to + rule ID 960010. (Identified by Andrew Wilson of Trustwave SpiderLabs). +* Updated the regex and added tags for RFI rules. + + +## Version 2.2.2 - 2011-09-28 + + +Improvements: +* Updated the AppSensor Profiling (to use Lua scripts) for Request Exceptions Detection Points +* Added new Range header detection checks to prevent Apache DoS +* Added new Security Scanner User-Agent strings +* Added example script to the /util directory to convert Arachni DAST scanner + XML data into ModSecurity virtual patching rules. +* Updated the SQLi Character Anomaly Detection Rules +* Added Host header info to the RESOURCE collection key for AppSensor profiling rules + +Bug Fixes: +* Fixed action list for XSS rules (replaced pass,nolog,auditlog with block) +* Fixed Request Limit rules by removing & from variables +* Fixed Session Hijacking IP/UA hash captures +* Updated the SQLi regex for rule ID 981242 + + +## Version 2.2.1 - 2011-07-20 + + +Improvements: +* Extensive SQL Injection signature updates as a result of the SQLi Challenge + http://www.modsecurity.org/demo/challenge.html +* Updated the SQL Error message detection in response bodies +* Updated SQL Injection signatures to include more DB functions +* Updated the WEAK SQL Injection signatures +* Added tag AppSensor/RE8 to rule ID 960018 + +Bug Fixes: +* Fixed Bad Robot logic for rule ID 990012 to further qualify User-Agent matches + https://www.modsecurity.org/tracker/browse/CORERULES-70 +* Fixed Session Hijacking rules to properly capture IP address network hashes. 
+* Added the multiMatch action to the SQLi rules +* Fixed a false negative logic flaw within the advanced_filter_converter.lua script +* Fixed missing : in id action in DoS ruleset. +* Updated rule ID 971150 signature to remove ; + + +## Version 2.2.0 - 2011-05-26 + + +Improvements: +* Changed Licensing from GPLv2 to Apache Software License v2 (ASLv2) + http://www.apache.org/licenses/LICENSE-2.0.txt +* Created new INSTALL file outlining quick config setup +* Added a new rule regression testing framework to the /util directory +* Added new activated_rules directory which will allow users to place symlinks pointing + to files they want to run. This allows for easier Apache Include wild-carding +* Adding in new RULE_MATURITY and RULE_ACCURACY tags +* Adding in a check for X-Forwarded-For source IP when creating IP collection +* Added new Application Defect checks (55 app defect file) from Watcher tool (Check Charset) + http://websecuritytool.codeplex.com/wikipage?title=Checks#charset +* Added new AppSensor rules to experimental_dir + https://owasp.org/www-project-appsensor/ +* Added new Generic Malicious JS checks in outbound content +* Added experimental IP Forensic rules to gather Client hostname/whois info + http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html +* Added support for Mozilla's Content Security Policy (CSP) to the experimental_rules + http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-content-security-policy-csp.html +* Global collection in the 10 file now uses the Host Request Header as the collection key. + This allows for per-site global collections. +* Added new SpiderLabs Research (SLR) rules directory (slr_rules) for known vulnerabilities. + This includes both converted web rules from Emerging Threats (ET) and from SLR Team. 
+* Added new SLR rule packs for known application vulns for WordPress, Joomla and phpBB
+* Added experimental rules for detecting Open Proxy Abuse
+ http://blog.spiderlabs.com/2011/03/detecting-malice-with-modsecurity-open-proxy-abuse.html
+* Added experimental Passive Vulnerability Scanning ruleset using OSVDB and Lua API
+ http://blog.spiderlabs.com/2011/02/modsecurity-advanced-topic-of-the-week-passive-vulnerability-scanning-part-1-osvdb-checks.html
+* Added additional URI Request Validation rule to the 20 protocol violations file (Rule ID - 981227)
+* Added new SQLi detection rules (959070, 959071 and 959072)
+* Added "Toata dragostea mea pentru diavola" to the malicious User-Agent data
+ https://www.modsecurity.org/tracker/browse/CORERULES-64
+
+Bug Fixes:
+* Assigned IDs to all active SecRules/SecActions
+* Removed rule inversion (!) from rule ID 960902
+* Fixed false negative issue in Response Splitting Rule
+* Fixed false negative issue with @validateByteRange check
+* Updated the TARGETS listing for rule ID 950908
+* Updated TX data for REQBODY processing
+* Changed the pass action to block in the RFI rules in the 40 generic file
+* Updated RFI regex to catch IP address usage in hostname
+ https://www.modsecurity.org/tracker/browse/CORERULES-68
+* Changed REQUEST_URI_RAW variable to REQUEST_LINE in SLR rules to allow matches on request methods.
+* Updated the RFI rules in the 40 generic attacks conf file to remove explicit logging actions.
+ They will now inherit the settings from the SecDefaultAction
+
+
+## Version 2.1.2 - 2011-02-17
+
+
+Improvements:
+* Added experimental real-time application profiling ruleset.
+* Added experimental Lua script for profiling the # of page scripts, iframes, etc..
+ which will help to identify successful XSS attacks and planting of malware links.
+* Added new CSRF detection rule which will trigger if a subsequent request comes too
+ quickly (need to use the Ignore Static Content rules).
+
+Bug Fixes:
+* Added missing " in the skipAfter SecAction in the CC Detection rule set
+
+
+## Version 2.1.1 - 2010-12-30
+
+
+Bug Fixes:
+* Updated the 10 config conf file to add in pass action to User-Agent rule
+* Updated the CSRF ruleset to conditionally do content injection - if the
+ csrf token was created by the session hijacking conf file
+* Updated the session hijacking conf file to only enforce rules if a SessionID
+ Cookie was submitted
+* Fixed macro expansion setvar bug in the restricted file extension rule
+* Moved the comment spam data file into the optional_rules directory
+
+
+## Version 2.1.0 - 2010-12-29
+
+
+Improvements:
+* Added Experimental Lua Converter script to normalize payloads. Based on
+ PHPIDS Converter code and it used with the advanced filters conf file.
+* Changed the name of PHPIDS converted rules to Advanced Filters
+* Added Ignore Static Content (Performance enhancement) rule set
+* Added XML Enabler (Web Services) rule set which will parse XML data
+* Added Authorized Vulnerability Scanning (AVS) Whitelist rule set
+* Added Denial of Service (DoS) Protection rule set
+* Added Slow HTTP DoS (Connection Consumption) Protection rule set
+* Added Brute Force Attack Protection rule set
+* Added Session Hijacking Detection rule set
+* Added Username Tracking rule set
+* Added Authentication Tracking rule set
+* Added Anti-Virus Scanning of File Attachments rule set
+* Added AV Scanning program to /util directory
+* Added Credit Card Usage Tracking/Leakage Prevention rule set
+* Added experimental CC Track/PAN Leakage Prevention rule set
+* Added an experimental_rules directory to hold new BETA rules
+* Moved the local exceptions conf file back into base_rules directory however
+ it has a ".example" extension to prevent overwriting customized versions
+ when upgrading
+* Separated out HTTP Parameter Pollution and Restricted Character Anomaly Detection rules to
+ the experimental_rules directory
+* Adding the
REQUEST_HEADERS:User-Agent macro data to the initcol in 10 config file, which will
+ help to make collections a bit more unique
+
+
+
+## Version 2.0.10 - 2010-11-29
+
+
+Improvements:
+* Commented out the Anomaly Scoring Blocking Mode TX variable since, by default, the CRS
+ is running in traditional mode.
+
+Bug Fixes:
+* Moved all skipAfter actions in chained rules to chain starter SecRules
+ https://www.modsecurity.org/tracker/browse/MODSEC-159
+* Changed phases on several rules in the 20 protocol anomaly rules file to phase:1 to avoid FNs
+
+
+
+## Version 2.0.9 - 2010-11-17
+
+
+Improvements:
+* Changed the name of the main config file to modsecurity_crs_10_config.conf.example so that
+ it will not overwrite existing config settings. Users should rename this file to activate
+ it.
+* Traditional detection mode is now the current default
+* Users can now more easily toggle between traditional/standard mode vs. anomaly scoring mode
+ by editing the modsecurity_crs_10_config.conf file
+* Updated the disruptive actions in most rules to use "block" action instead of "pass". This
+ is to allow for the toggling between traditional vs. anomaly scoring modes.
+* Removed logging actions from most rules so that it can be controlled from the SecDefaultAction
+ setting in the modsecurity_crs_10_config.conf file
+* Updated the anomaly scores in the modsecurity_crs_10_config.conf file to more closely match
+ what is used in the PHPIDS rules. These still have the same factor of severity even though
+ the numbers themselves are smaller.
+* Updated the 49 and 59 blocking rules to include the matched logdata
+* Updated the TAG data to further classify attack/vuln categories.
+* Updated the SQL Injection filters to detect more boolean logic attacks
+* Moved some files to optional_rules directory (phpids, Emerging Threats rules)
+
+Bug Fixes:
+* Fixed Rule ID 960023 in optional_rules/modsecurity_crs_40_experimental.conf is missing 1 single quote
+ https://www.modsecurity.org/tracker/browse/CORERULES-63
+* Moved all skipAfter actions in chained rules to the rule starter line (must have ModSec v2.5.13 or higher)
+ https://www.modsecurity.org/tracker/browse/MODSEC-159
+* Fixed restricted file extension bug with macro expansion
+ https://www.modsecurity.org/tracker/browse/CORERULES-60
+* Updated the SQLI TX variable macro expansion data in the 49 and 60 files so that
+ it matches what is being set in the sql injection conf file
+* Fixed typo in SQL Injection regexs - missing backslash for word boundary (b)
+ https://www.modsecurity.org/tracker/browse/CORERULES-62
+
+
+## Version 2.0.8 - 2010-08-27
+
+
+Improvements:
+* Updated the PHPIDS filters
+* Updated the SQL Injection filters to detect boolean attacks (1<2, foo == bar, etc..)
+* Updated the SQL Injection filters to account for different quotes
+* Added UTF-8 encoding validation support to the modsecurity_crs_10_config.conf file
+* Added Rule ID 950109 to detect multiple URL encodings
+* Added two experimental rules to detect anomalous use of special characters
+
+Bug Fixes:
+* Fixed Encoding Detection RegEx (950107 and 950108)
+* Fixed rules-updater.pl script to better handle whitespace
+ https://www.modsecurity.org/tracker/browse/MODSEC-167
+* Fixed missing pass action bug in modsecurity_crs_21_protocol_anomalies.conf
+ https://www.modsecurity.org/tracker/browse/CORERULES-55
+* Fixed the anomaly scoring in the modsecurity_crs_41_phpids_filters.conf file
+ https://www.modsecurity.org/tracker/browse/CORERULES-54
+* Updated XSS rule id 958001 to improve the .cookie regex to reduce false positives
+ https://www.modsecurity.org/tracker/browse/CORERULES-29
+
+
+## Version 2.0.7 - 2010-06-04
+
+
+Improvements:
+* Added CSRF Protection Ruleset which will use Content Injection to add javascript to
+ specific outbound data and then validate the csrf token on subsequent requests.
+* Added new Application Defect Ruleset which will identify/fix missing HTTPOnly cookie
+ flags
+* Added Experimental XSS/Missing Output Escaping Ruleset which looks for user supplied
+ data being echoed back to user unchanged.
+* Added rules-updater.pl script and configuration file to allow users to automatically
+ download CRS rules from the CRS rules repository.
+* Added new SQLi keyword for ciel() and reverse() functions.
+* Updated the PHPIDS filters
+
+
+Bug Fixes:
+* Fixed false positives for Request Header Name matching in the 30 file by
+ adding boundary characters.
+* Added missing pass actions to @pmFromFile prequalifier rules
+* Added backslash to SQLi regex
+ https://www.modsecurity.org/tracker/browse/CORERULES-41
+* Fixed hard coded anomaly score in PHPIDS filter file
+ https://www.modsecurity.org/tracker/browse/CORERULES-45
+* Fixed restricted_extension false positive by adding boundary characters
+
+
+## Version 2.0.6 - 2010-02-26
+
+
+Bug Fixes:
+* Added missing transformation functions to SQLi rules.
+ https://www.modsecurity.org/tracker/browse/CORERULES-32
+* Fixed duplicate rule IDs.
+ https://www.modsecurity.org/tracker/browse/CORERULES-33
+* Fixed typo in @pmFromFile in the Comment SPAM rules
+ https://www.modsecurity.org/tracker/browse/CORERULES-34
+* Added macro expansion to Restricted Headers rule
+ https://www.modsecurity.org/tracker/browse/CORERULES-35
+* Fixed misspelled SecMarker
+ https://www.modsecurity.org/tracker/browse/CORERULES-36
+* Fixed missing chain action in Content-Type header check
+ https://www.modsecurity.org/tracker/browse/CORERULES-37
+* Update phpids filters to use pass action instead of block
+
+
+## Version 2.0.5 - 2010-02-01
+
+
+Improvements:
+* Removed previous 10 config files as they may conflict with local customized Mod configs.
+* Added a new 10 config file that allows the user to globally set TX variables to turn on/off
+ PARANOID_MODE inspection, set anomaly score levels and http policies.
+ Must have ModSecurity 2.5.12 to use the macro expansion in numeric operators.
+* Added Rule Logic and Reference links to rules descriptions.
+* Added Rule IDs to all rules.
+* Added tag data mapping to new OWASP Top 10 and AppSensor Projects, WASC Threat Classification
+* Removed Apache limit directives from the 23 file
+* Added macro expansion to 23 file checks.
+* Added @pmFromFile check to 35 bad robots file
+* Added malicious UA strings to 35 bad robots check
+* Created an experimental rules file
+* Updated HTTP Parameter Pollution (HPP) rule logic to concat data into a TX variable for inspection
+* Removed TX inspections for generic attacks and reverted to standard ARGS inspection
+ https://www.modsecurity.org/tracker/browse/MODSEC-120
+* Updated the variable list for standard inspections (ARGS|ARGS_NAMES|XML:/\*) and moved the other
+ variables to the PARANOID list (REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|TX:HPP_DATA)
+* Moved converted ET Snort rules to the /optional_rules directory
+* Created a new Header Tagging ruleset (optional_rules) that will add matched rule data to the
+ request headers.
+* Updated Inbound blocking conf file to use macro expansion from the 10 config file settings
+* Added separate anomaly scores for inbound, outbound and total to be evaluated for blocking.
+* Updated the regex logic in the (1=1) rule to factor in quotes and other logical operators.
+* Updated the SPAMMER RBL check rules logic to only check once per IP/Day.
+* Added new outbound malware link detection rules.
+* Added PHP "call_user_func" to blacklist
+ Identified by SOGETI ESEC R&D
+
+Bug Fixes:
+* Removed Non-numeric Rule IDs
+ https://www.modsecurity.org/tracker/browse/CORERULES-28
+* Updated the variable list on SQLi rules.
+* Fixed outbound @pmFromFile action from allow to skipAfter to allow for outbound anomaly scoring
+ and blocking
+
+
+## Version 2.0.4 - 2009-11-30
+
+
+Improvements:
+* Updated converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml)
+* Updated PHPIDS rules logic to first search for payloads in ARGS and then if there is no match found
+ then search more generically in request_body|request_uri_raw
+* Updated PHPIDS rules logic to only set TX variables and to not log.
This allows for more clean
+ exceptions in the 48 file which can then expire/delete false positive TX matches and adjust the
+ anomaly scores. These rules will then inspect for any TX variables in phase:5 and create appropriate
+ alerts for any variable matches that exist.
+
+Bug Fixes:
+* Added Anomaly Score check to the 60 correlation file to recheck the anomaly score at the end of
+ phase:4 which would allow for blocking based on information leakage issues.
+
+
+## Version 2.0.3 - 2009-11-05
+
+
+Improvements:
+* Updated converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml)
+* Create a new PHPIDS Converter rules file (https://svn.php-ids.org/svn/trunk/lib/IDS/Converter.php)
+* Added new rules to identify multipart/form-data bypass attempts
+* Increased anomaly scoring (+100) for REQBODY_PROCESSOR_ERROR alerts
+
+Bug Fixes:
+* Added t:urlDecodeUni transformation function to phpids rules to fix both false positives/negatives
+ https://www.modsecurity.org/tracker/browse/CORERULES-17
+* Added new variable locations to the phpids filters
+ https://www.modsecurity.org/tracker/browse/CORERULES-19
+* Use of transformation functions can cause false negatives - added multiMatch action to phpids rules
+ https://www.modsecurity.org/tracker/browse/CORERULES-20
+* Fixed multipart parsing evasion issues by adding strict parsing rules
+ https://www.modsecurity.org/tracker/browse/CORERULES-21
+* Fixed typo in xss rules (missing |)
+ https://www.modsecurity.org/tracker/browse/CORERULES-22
+* Fixed regex text in IE8 XSS filters (changed to lowercase)
+ https://www.modsecurity.org/tracker/browse/CORERULES-23
+
+
+## Version 2.0.2 - 2009-09-11
+
+
+Improvements:
+* Added converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml)
+ https://www.modsecurity.org/tracker/browse/CORERULES-13
+
+Bug Fixes:
+* Rule 958297 - Fixed Comment SPAM UA false positive that triggered only on mozilla.
+ https://www.modsecurity.org/tracker/browse/CORERULES-15
+
+
+## Version 2.0.1 - 2009-08-07
+
+
+Improvements:
+* Updated the transformation functions used in the XSS/SQLi rules to improve performance
+ https://www.modsecurity.org/tracker/browse/CORERULES-10
+
+* Updated the variable/target list in the XSS rules
+ https://www.modsecurity.org/tracker/browse/CORERULES-11
+
+* Added XSS Filters from IE8
+ https://www.modsecurity.org/tracker/browse/CORERULES-12
+
+Bug Fixes:
+* Rule 958297 - Fixed unescaped double-quote issue in Comment SPAM UA rule.
+ https://www.modsecurity.org/tracker/browse/CORERULES-9
+
+
+## Version 2.0.0 - 2009-07-29
+
+
+New Rules & Features:
+* Fine Grained Policy
+ The rules have been split to having one signature per rule instead of having
+ all signatures combined into one optimized regular expression.
+ This should allow you to modify/disable events based on specific patterns
+ instead of having to deal with the whole rule.
+* Converted Snort Rules
+ Emerging Threat web attack rules have been converted.
+ http://www.emergingthreats.net/
+* Anomaly Scoring Mode Option
+ The rules have been updated to include anomaly scoring variables which allow
+ you to evaluate the score at the end of phase:2 and phase:5 and decide on what
+ logging and disruptive actions to take based on the score.
+* Correlated Events
+ There are rules in phase:5 that will provide some correlation between inbound
+ events and outbound events and will provide a result of successful attack or
+ attempted attack.
+* Updated Severity Ratings
+ The severity ratings in the rules have been updated to the following:
+ - 0: Emergency - is generated from correlation where there is an inbound attack and
+ an outbound leakage.
+ - 1: Alert - is generated from correlation where there is an inbound attack and an
+ outbound application level error.
+ - 2: Critical - is the highest severity level possible without correlation.
It is
+ normally generated by the web attack rules (40 level files).
+ - 3: Error - is generated mostly from outbound leakabe rules (50 level files).
+ - 4: Warning - is generated by malicious client rules (35 level files).
+ - 5: Notice - is generated by the Protocol policy and anomaly files.
+ - 6: Info - is generated by the search engine clients (55 marketing file).
+* Updated Comment SPAM Protections
+ Updated rules to include RBL lookups and client fingerprinting concepts from
+ Bad Behavior (www.bad-behavior.ioerror.us)
+* Creation of Global Collection
+ Automatically create a Global collection in the *10* config file. Other rules
+ can then access it.
+* Use of Block Action
+ Updated the rules to use the "block" action. This allows the Admin to globally
+ set the desired block action once with SecDefaultAction in the *10* config file
+ rather than having to edit the disruptive actions in all of the rules or for
+ the need to have multiple versions of the rules (blocking vs. non-blocking).
+* "Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name."
+ http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html
+* Added new generic RFI detection rules.
+ http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
+* "Possibly malicious iframe tag in output" (Rules 981001,981002)
+ Planting invisible iframes in a site can be used by attackers to point users
+ from the victim site to their malicious site. This is actually as if the
+ user was visiting the attacker's site himself, causing the user's browser to
+ process the content in the attacker's site.
+
+New Events:
+* Rule 960019 - Expect Header Not Allowed.
+* Rule 960020 - Pragma Header Requires Cache-Control Header
+* Rule 958290 - Invalid Character in Request - Browsers should not send the (#) character
+ as it is reserved for use as a fragment identifier within the html page.
+* Rule 958291 - Range: field exists and begins with 0.
+* Rule 958292 - Invalid Request Header Found.
+* Rule 958293 - Lowercase Via Request Header Found.
+* Rule 958294 - Common SPAM Proxies found in Via Request Header.
+* Rule 958295 - Multiple/Conflicting Connection Header Data Found.
+* Rule 958296 - Request Indicates a SPAM client accessed the Site.
+* Rule 958297 - Common SPAM/Email Harvester crawler.
+* Rule 958298 - Common SPAM/Email Harvester crawler
+
+Bug Fixes:
+* Rule 950107 - Split the rule into 2 separate rules to factor in the
+ Content-Type when inspecting the REQUEST_BODY variable.
+* Rule 960017 - Bug fix for when having port in the host header.
+* Rule 960014 - Bug fix to correlate the SERVER_NAME variable.
+* Rule 950801 - Increased the logic so that the rule will only run if the web site
+ uses UTF-8 Encoding.
+* Rules 999210,999211 - Bug fix to move ctl actions to last rule, add OPTIONS and
+ allow the IPv6 loopback address
+* Rule 950117 - Updated the RFI logic to factor in both a trailing "?" in the ARG
+ and to identify offsite hosts by comparing the ARG URI to the Host
+ header. Due to this rule now being stronger, moved it from optional
+ tight security rule to *40* generic attacks file.
+
+Other Fixes:
+* Added more HTTP Protocol violations to *20* file.
+* Set the SecDefaultAction in the *10* config file to log/pass (This was the
+ default setting, however this sets it explicitly.
+* Added SecResponseBodyLimitAction ProcessPartial to the *10* config file. This
+ was added so that when running the SecRuleEngine in DetectionOnly mode, it will
+ not deny response bodies that go over the size restrictions.
+* Changed SecServerSignature to "Apache/1.3.28"
+* Fixed the use of SkipAfter and SecMarkers to make it consistent. Now have
+ BEGIN and END SecMarkers for rule groups to more accurately allow moving to
+ proper locations.
+* Fixed the @pm/@pmFromFile pre-qualifier logic to allow for operator inversion.
+ This removes the need for some SecAction/SkipAfter rules.
+* Updated rule formatting to easily show rule containers (SecMarkers, pre-qualifier
+ rules and chained rules).
+
+
+## Version 1.6.1 - 2008-04-22
+
+
+* Fixed a bug where phases and transformations where not specified explicitly
+ in rules. The issue affected a significant number of rules, and we strongly
+ recommend to upgrade.
+
+
+## Version 1.6.0 - 2008-02-19
+
+
+New Rulesets & Features:
+* 42 - Tight Security
+ This ruleset contains currently 2 rules which are considered highly prone
+ to FPs. They take care of Path Traversal attacks, and RFI attacks. This
+ ruleset is included in the optional_rulesets dir
+* 42 - Comment Spam
+ Comment Spam is used by the spammers to increase their rating in search
+ engines by posting links to their site in other sites that allow posting
+ of comments and messages. The rules in this ruleset will work against that.
+ (Requires ModSecurity 2.5)
+* Tags
+ A single type of attack is often detected by multiple rules. The new alert
+ classification tags solve this issue by providing an alternative alert type
+ indication and can serve for filtering and analysis of audit logs.
+ The classification tags are hierarchical with slashes separating levels.
+ Usually there are two levels with the top level describing the alert group
+ and the lower level denoting the alert type itself, for example:
+ WEB_ATTACK/SQL_INJECTION.
+
+False Positives Fixes:
+* Rule 960903 - Moved to phase 4 instead of 5 to avoid FPs
+* Rule 950107 - Will look for invalid url decoding in variables that are not
+ automatically url decoded
+
+Additional rules logic:
+* Using the new "logdata" action for logging the matched signature in rules
+* When logging an event once, init the collection only if the alert needs to log
+* Using the new operator @pm as a qualifier before large rules to enhance
+ performance (Requires ModSecurity 2.5)
+* SQL injection - A smarter regexp is used to detect 1=1,2=2,etc.. and not
+ only 1=1.
(Thanks to Marc Stern for the idea)
+* New XSS signatures - iframe & flash XSS
+
+
+
+## Version 1.5.1 - 2007-12-06
+
+
+False Positives Fixes:
+* Protocol Anomalies (file 21) - exception for Apache SSL pinger (Request: GET /)
+
+New Events:
+* 960019 - Detect HTTP/0.9 Requests
+ HTTP/0.9 request are not common these days. This rule will log by default,
+ and block in the blocking version of file 21
+
+Other Fixes:
+* File 40, Rules 950004,950005 - Repaired the correction for the double
+ url decoding problem
+* File 55 contained empty regular expressions. Fixed.
+
+
+## Version 1.5 - 2007-11-23
+
+
+New Rulesets:
+* 23 - Request Limits
+ "Judging by appearances". This rulesets contains rules blocking based on
+ the size of the request, for example, a request with too many arguments
+ will be denied.
+
+Default policy changes:
+* XML protection off by default
+* BLOCKING dir renamed to optional_rules
+* Ruleset 55 (marketing) is now optional (added to the optional_rules dir)
+* Ruleset 21 - The exception for apache internal monitor will not log anymore
+
+New Events:
+* 960912 - Invalid request body
+ Malformed content will not be parsed by modsecurity, but still there might
+ be applications that will parse it, ignoring the errors.
+* 960913 - Invalid Request
+ Will trigger a security event when request was rejected by apache with
+ code 400, without going through ModSecurity rules.
+
+Additional rules logic:
+* 950001 - New signature: delete from
+* 950007 - New signature: waitfor delay
+
+False Positives Fixes:
+* 950006 - Will not be looking for /cc pattern in User-Agent header
+* 950002 - "Internet Explorer" signature removed
+* Double decoding bug used to cause FPs. Some of the parameters are already
+ url-decoded by apache. This caused FPs when the rule performed another
+ url-decoding transformation. The rules have been split so that parameters
+ already decoded by apache will not be decoded by the rules anymore.
+* 960911 - Expression is much more permissive now
+* 950801 - Commented out entirely. NOTE: If your system uses UTF8 encoding,
+ then you should uncomment this rule (in file 20)
+
+
+version 1.4.3 - 2007-07-21
+
+
+New Events:
+* 950012 - HTTP Request Smuggling
+ For more info on this attack:
+ http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
+* 960912 - Invalid request body
+ Malformed content will not be parsed by modsecurity, but still there might
+ be applications that will parse it, ignoring the errors.
+* 960913 - Invalid Request
+ Will trigger a security event when request was rejected by apache with
+ code 400, without going through ModSecurity rules.
+
+False Positives Fixes:
+* 950107 - Will allow a % sign in the middle of a string as well
+* 960911 - A more accurate expression based on the rfc:
+ http://www.ietf.org/rfc/rfc2396.txt
+* 950015 - Will not look for http/ pattern in the request headers
+
+Additional rules logic:
+* Since Apache applies scope directives only after ModSecurity phase 1
+ this directives cannot be used to exclude phase 1 rules. Therefore
+ we moved all inspection rules to phase 2.
+
+
+
+version 1.4 build 2 - 2007-05-17
+
+
+New Feature:
+* Search for signatures in XML content
+ XML Content will be parsed and inspected for signatures
+
+New Events:
+* 950116 - Unicode Full/Half Width Abuse Attack Attempt
+ Full-width unicode can by used to bypass content inspection. Such encoding will be forbidden
+ http://www.kb.cert.org/vuls/id/739224
+* 960911 - Invalid HTTP request line
+ Enforce request line to be valid, i.e.:
+* 960904 - Request Missing Content-Type (when there is content)
+ When a request contains content, the content-type must be specified.
If not, the content will not be inspected
+* 970018 - IIS installed in default location (any drive)
+ Log once if IIS in installed in the /Inetpub directory (on any drive, not only C)
+* 950019 - Email Injection
+ Web forms used for sending mail (such as "tell a friend") are often manipulated by spammers for sending anonymous emails
+
+Regular expressions fixes:
+* Further optimization of some regular expressions (using the non-greediness operator)
+ The non-greediness operator, , prevents excessive backtracking
+
+FP fixes:
+* Rule 950107 - Will allow a parameter to end in a % sign from now on
+
+
+version 1.4 - 2007-05-02
+
+
+New Events:
+* 970021 - WebLogic information disclosure
+ Matching of "JSP compile error" in the response body, will trigger this rule, with severity 4 (Warning)
+* 950015,950910,950911 - HTTP Response Splitting
+ Looking for HTTP Response Splitting patterns as described in Amit Klein's excellent white paper:
+ http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
+ModSecurity does not support compressed content at the moment. Thus, the following rules have been added:
+* 960902 - Content-Encoding in request not supported
+ Any incoming compressed request will be denied
+* 960903 - Content-Encoding in response not supported
+ An outgoing compressed response will be logged to alert, but ONLY ONCE.
+
+False Positives Fixes:
+* Removed <.exe>,<.shtml> from restricted extensions
+* Will not be looking for SQL Injection signatures , in the Via request header
+* Excluded Referer header from SQL injection, XSS and command injection rules
+* Excluded X-OS-Prefs header from command injection rule
+* Will be looking for command injection signatures in
+ REQUEST_COOKIES|REQUEST_COOKIES_NAMES instead of REQUEST_HEADERS:Cookie.
+* Allowing charset specification in the Content-Type + +Additional rules logic: +* Corrected match of OPTIONS method in event 960015 +* Changed location for event 960014 (proxy access) to REQUEST_URI_RAW +* Moved all rules apart from method inspection from phase 1 to phase 2 - + This will enable viewing content if such a rule triggers as well as setting + exceptions using Apache scope tags. +* Added match for double quote in addition to single quote for signature (SQL Injection) +* Added 1=1 signature (SQL Injection) + + +version 1.3.2 build 4 2007-01-17 + + +Fixed apache 2.4 dummy requests exclusion +Added persistent PDF UXSS detection rule + + +## Version 1.3.2 build 3 2007-01-10 + + +Fixed regular expression in rule 960010 (file #30) to allow multipart form data +content + + +## Version 1.3.2 - 2006-12-27 + + +New events: +* 960037 Directory is restricted by policy +* 960038 HTTP header is restricted by policy + +Regular expressions fixes: +* Regular expressions with @ at end of beginning (for example "@import) +* Regular expressions with un-escaped "." +* Command Injections now always require certain characters both before and after the command. Important since many are common English words (finger, mail) +* The command injection wget is not searched in the UA header as it has different meaning there. +* LDAP Fixed to reduce FPs: + + More accurate regular expressions + + high bit characters not accepted between signature tokens. +* Do not detect The CRS project values third party contributions. To make the contribution process as easy as possible, a helpful set of contribution guidelines are in place which all contributors and developers are asked to adhere to. + +## Getting Started with a New Contribution + +1. Sign in to [GitHub](https://github.com/join). +2. Open a [new issue](https://github.com/coreruleset/coreruleset/issues) for the contribution, *assuming a similar issue doesn't already exist*. 
+ * **Clearly describe the issue**, including steps to reproduce if reporting a bug.
+ * **Specify the CRS version in question** if reporting a bug.
+ * Bonus points for submitting tests along with the issue.
+3. Fork the repository on GitHub and begin making changes there.
+4. Signed commits are preferred. (For more information and help with this, refer to the [GitHub documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits)).
+
+## Making Changes
+
+* Base any changes on branch `main`.
+* Create a topic branch for each new contribution.
+* Fix only one problem at a time. This helps to quickly test and merge submitted changes. If intending to fix *multiple unrelated problems* then use a separate branch for each problem.
+* Make commits of logical units.
+* Make sure commits adhere to the contribution guidelines presented in this document.
+* Make sure commit messages follow the [standard Git format](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
+* Make sure changes are submitted as a pull request (PR) on [GitHub](https://github.com/coreruleset/coreruleset/pulls).
+ * PR titles should follow the [Conventional Commits format](https://www.conventionalcommits.org/en/v1.0.0/), for example: `fix(rce): Fix a FP in rule 912345 with keyword 'time'`.
+ * If a PR only affects a single rule then the rule ID should be included in the title.
+ * If a PR title does not follow the correct format then a CRS developer will fix it.
+
+## General Formatting Guidelines for Rules Contributions
+
+* American English should be used throughout.
+* 4 spaces should be used for indentation (no tabs).
+* Files must end with a single newline character.
+* No trailing whitespace at EOL.
+* No trailing blank lines at EOF (only the required single EOF newline character is allowed).
+* Adhere to an 80 character line length limit where possible.
+* Add comments where possible and clearly explain any new rules.
+* Comments must not appear between chained rules and should instead be placed before the start of a rule chain.
+* All [chained rules](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#chain) should be indented like so, for readability:
+```
+SecRule .. .. \
+ "..."
+ SecRule .. .. \
+ "..."
+ SecRule .. .. \
+ "..."
+```
+- Action lists in rules must always be enclosed in double quotes for readability, even if there is only one action (e.g., use `"chain"` instead of `chain`, and `"ctl:requestBodyAccess=Off"` instead of `ctl:requestBodyAccess=Off`).
+- Always use numbers for phases instead of names.
+- Format all use of `SecMarker` using double quotes, using UPPERCASE, and separating words with hyphens. For example:
+```
+SecMarker "END-RESPONSE-959-BLOCKING-EVALUATION"
+SecMarker "END-REQUEST-910-IP-REPUTATION"
+```
+- Rule actions should appear in the following order, for consistency:
+```
+id
+phase
+allow | block | deny | drop | pass | proxy | redirect
+status
+capture
+t:xxx
+log
+nolog
+auditlog
+noauditlog
+msg
+logdata
+tag
+sanitiseArg
+sanitiseRequestHeader
+sanitiseMatched
+sanitiseMatchedBytes
+ctl
+ver
+severity
+multiMatch
+initcol
+setenv
+setvar
+expirevar
+chain
+skip
+skipAfter
+```
+- Rule operators must always be explicitly specified. Although ModSecurity defaults to using the `@rx` operator, for clarity `@rx` should always be explicitly specified when used. For example, write:
+```
+SecRule ARGS "@rx foo" "id:1,phase:1,pass,t:none"
+```
+instead of
+```
+SecRule ARGS "foo" "id:1,phase:1,pass,t:none"
+```
+ * Only the tags listed in the [util/APPROVED_TAGS](util/APPROVED_TAGS) file can be added to a rule. If you want to add a new tag, you **must** add it to this file.
+
+## Variable Naming Conventions
+
+* Variable names should be lowercase and should use the characters a-z, 0-9, and underscores only.
+* To reflect the different syntax between *defining* a variable (using `setvar`) and *using* a variable, the following visual distinction should be applied:
+ * **Variable definition:** Lowercase letters for collection name, dot as the separator, variable name. E.g.: `setvar:tx.foo_bar_variable`
+ * **Variable use:** Capital letters for collection name, colon as the separator, variable name. E.g.: `SecRule TX:foo_bar_variable`
+
+## Writing Regular Expressions
+
+* Use the following character class, in the stated order, to cover alphanumeric characters plus underscores and hyphens: `[a-zA-Z0-9_-]`
+
+### Portable Backslash Representation
+
+CRS uses `\x5c` to represent the backslash `\` character in regular expressions. Some of the reasons for this are:
+
+* It's portable across web servers and WAF engines: it works with Apache, Nginx, and Coraza.
+* It works with the [crs-toolchain](https://coreruleset.org/docs/development/crs_toolchain/) for building optimized regular expressions.
+
+The older style of representing a backslash using the character class `[\\\\]` must _not_ be used. This was previously used in CRS to get consistent results between Apache and Nginx, owing to a quirk with how Apache would "double un-escape" character escapes. For future reference, the decision was made to stop using this older method because:
+
+* It can be confusing and difficult to understand how it works.
+* It doesn't work with [crs-toolchain](https://coreruleset.org/docs/development/crs_toolchain/).
+* It doesn't work with Coraza.
+* It isn't obvious how to use it in a character class, e.g., `[a-zA-Z]`.
+
+### Forward Slash Representation
+
+CRS uses literal, *unescaped* forward slash `/` characters in regular expressions.
+
+Regular expression engines and libraries based on PCRE use the forward slash `/` character as the default delimiter. As such, forward slashes are often escaped in regular expression patterns. In the interests of readability, CRS does *not* escape forward slashes in regular expression patterns, which may seem unusual at first to new contributors.
+
+If testing a CRS regular expression using a third party tool, it may be useful to change the delimiter to something other than `/` if a testing tool raises errors because a CRS pattern features unescaped forward slashes.
+
+### When and Why to Anchor Regular Expressions
+
+Engines running the OWASP CRS will use regular expressions to _search_ the input string, i.e., the regular expression engine is asked to find the first match in the input string. If an expression needs to match the entire input then the expression must be anchored appropriately.
+
+#### Beginning of String Anchor (^)
+
+It is often necessary to match something at the start of the input to prevent false positives that match the same string in the middle of another argument, for example. Consider a scenario where the goal is to match the value of `REQUEST_HEADERS:Content-Type` to `multipart/form-data`. The following regular expression could be used:
+
+```python
+"@rx multipart/form-data"
+```
+
+HTTP headers can contain multiple values, and it may be necessary to guarantee that the value being searched for is the _first_ value of the header. There are different ways to do this but the simplest one is to use the `^` caret anchor to match the beginning of the string:
+
+```python
+"@rx ^multipart/form-data"
+```
+
+It will also be useful to ignore case sensitivity in this scenario:
+
+```python
+"@rx (?i)^multipart/form-data"
+```
+
+#### End of String Anchor ($)
+
+Consider, for example, needing to find the string `/admin/content/assets/add/evil` in the `REQUEST_FILENAME`. This could be achieved with the following regular expression:
+
+```python
+"@rx /admin/content/assets/add/evil"
+```
+
+If the input is changed, it can be seen that this expression can easily produce a false positive: `/admin/content/assets/add/evilbutactuallynot/nonevilfile`. If it is known that the file being searched for can't be in a subdirectory of `add` then the `$` anchor can be used to match the end of the input:
+
+```python
+"@rx /admin/content/assets/add/evil$"
+```
+
+This could be made a bit more general:
+
+```python
+"@rx /admin/content/assets/add/[a-z]+$"
+```
+
+#### Matching the Entire Input String
+
+It is sometimes necessary to match the entire input string to ensure that it _exactly_ matches what is expected. It might be necessary to find the "edit" action transmitted by WordPress, for example. To avoid false positives on variations (e.g., "myedit", "the edit", "editable", etc.), the `^` caret and `$` dollar anchors can be used to indicate that an exact string is expected. For example, to only match the _exact_ strings `edit` or `editpost`:
+
+```python
+"@rx ^(?:edit|editpost)$"
+```
+
+#### Other Anchors
+
+Other anchors apart from `^` caret and `$` dollar exist, such as `\A`, `\G`, and `\Z` in PCRE. CRS **strongly discourages** the use of other anchors for the following reasons:
+
+- Not all regular expression engines support all anchors and the OWASP CRS should be compatible with as many regular expression engines as possible.
+- Their function is sometimes not trivial.
+- They aren't well known and would require additional documentation.
+- In most cases that would justify their use the regular expression can be transformed into a form that doesn't require them, or the rule can be transformed (e.g., with an additional chain rule).
+
+### Use Capture Groups Sparingly
+
+Capture groups, i.e., parts of the regular expression surrounded by parentheses (`(` and `)`), are used to store the matched information from a string in memory for later use. Capturing input uses both additional CPU cycles and additional memory. In many cases, parentheses are *mistakenly* used for grouping and ensuring precedence.
+
+To group parts of a regular expression, or to ensure that the expression uses the precedence required, surround the concerning parts with `(?:` and `)`. Such a group is referred to as being "non-capturing". The following will create a capture group:
+
+```python
+"@rx a|(b|c)d"
+```
+
+On the other hand, this will create a _non-capturing_ group, guaranteeing the precedence of the alternative _without_ capturing the input:
+
+```python
+"@rx a|(?:b|c)d"
+```
+
+### Lazy Matching
+
+The question mark `?` can be used to turn "greedy" quantifiers into "lazy" quantifiers, i.e., `.+` and `.*` are greedy while `.+?` and `.*?` are lazy. Using lazy quantifiers can help with writing certain expressions that wouldn't otherwise be possible. However, in backtracking regular expression engines, like PCRE, lazy quantifiers can also be a source of performance issues. The following is an example of an expression that uses a lazy quantifier:
+
+```python
+"@rx (?i)\.cookie\b.*?;\W*?(?:expires|domain)\W*?="
+```
+
+This expression matches cookie values in HTML to detect session fixation attacks. The input string could be `document.cookie = "name=evil; domain=https://example.com";`.
+
+The lazy quantifiers in this expression are used to reduce the amount of backtracking that engines such as PCRE have to perform (others, such as RE2, are not affected by this). Since the asterisk `*` is greedy, `.*` would match every character in the input up to the end, at which point the regular expression engine would realize that the next character, `;`, can't be matched and it will backtrack to the previous position (`;`). A few iterations later, the engine will realize that the character `d` from `domain` can't be matched and it will backtrack again. This will happen again and again, until the `;` at `evil;` is found. Only then can the engine proceed with the next part of the expression.
+
+Using lazy quantifiers, the regular expression engine will instead match _as few characters as possible_. The engine will match ` ` (a space), then look for `;` and will not find it. The match will then be expanded to ` =` and, again, a match of `;` is attempted. This continues until the match is ` = "name=evil` and the engine finds `;`. While lazy matching still includes some work, in this case, backtracking would require many more steps.
+
+Lazy matching can have the inverse effect, though. Consider the following expression:
+
+```python
+"@rx (?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?="
+```
+
+It matches some HTML attributes and then expects to see `=`. Using a somewhat contrived input, the lazy quantifier will require more steps to match then the greedy version would: `style                     =`. With the lazy quantifier, the regular expression engine will expand the match by one character for each of the space characters in the input, which means 21 steps in this case. With the greedy quantifier, the engine would match up to the end in a single step, backtrack one character and then match `=` (note that `=` is included in `[\s\S]`), which makes 3 steps.
+
+To summarize: **be very mindful about when and why you use lazy quantifiers in your regular expressions**.
+
+### Possessive Quantifiers and Atomic Groups
+
+Lazy and greedy matching change the order in which a regular expression engine processes a regular expression. However, the order of execution does not influence the backtracking behavior of backtracking engines.
+
+Possessive quantifiers (e.g., `x++`) and atomic groups (e.g., `(?>x)`) are tools that can be used to prevent a backtracking engine from backtracking. They _can_ be used for performance optimization but are only supported by backtracking engines and, therefore, are not permitted in CRS rules.
+
+### Curly braces
+
+Curly braces are used for repetition quantifiers (`{m}`, `{m,}`, `{m,n}`). When a brace is intended as a literal character, especially an opening brace, it must be escaped (`\{`) so it is not parsed as the start of a quantifier. Some regex engines treat an unescaped `{` that does not form a valid quantifier as a syntax error rather than a literal.
+
+Inside character classes (`[...]`), braces are literal characters and must not be escaped, as escaping is unnecessary and may reduce readability or portability.
+
+### Writing Regular Expressions for Non-Backtracking Compatibility
+
+Traditional regular expression engines use backtracking to solve some additional problems, such as finding a string that is preceded or followed by another string. While this functionality can certainly come in handy and has its place in certain applications, it can also lead to performance issues and, in uncontrolled environments, open up possibilities for attacks (the term "[ReDoS](https://en.wikipedia.org/wiki/ReDoS)" is often used to describe an attack that exhausts process or system resources due to excessive backtracking).
+
+The OWASP CRS tries to be compatible with non-backtracking regular expression engines, such as RE2, because:
+
+- Non-backtracking engines are less vulnerable to ReDoS attacks.
+- Non-backtracking engines can often outperform backtracking engines.
+- CRS aims to leave the choice of the engine to the user/system.
+
+To ensure compatibility with non-backtracking regular expression engines, the following operations are **not** permitted in regular expressions:
+
+- positive lookahead (e.g., `(?=regex)`)
+- negative lookahead (e.g., `(?!regex)`)
+- positive lookbehind (e.g., `(?<=regex)`)
+- negative lookbehind (e.g., `(?regex)`)
+- backreferences (e.g., `\1`)
+- named backreferences (e.g., `(?P=name)`)
+- conditionals (e.g., `(?(regex)then|else)`)
+- recursive calls to capture groups (e.g., `(?1)`)
+- possessive quantifiers (e.g., `(?:regex)++`)
+- atomic (or possessive) groups (e.g., `(?>regex`))
+
+This list is not exhaustive but covers the most important points. The [RE2 documentation](https://github.com/google/re2/wiki/Syntax) includes a complete list of supported and unsupported features that various engines offer.
+
+### When and How to Optimize Regular Expressions
+
+Optimizing regular expressions is hard. Often, a change intended to improve the performance of a regular expression will change the original semantics by accident. In addition, optimizations usually make expressions harder to read. Consider the following example of URL schemes:
+
+```python
+mailto|mms|mumble|maven
+```
+
+An optimized version (produced by the [crs-toolchain](https://github.com/coreruleset/crs-toolchain)) could look like this:
+
+```python
+m(?:a(?:ilto|ven)|umble|ms)
+```
+
+The above expression is an optimization because it reduces the number of backtracking steps when a branch fails. The regular expressions in the CRS are often comprised of lists of tens or even hundreds of words. Reading such an expression in an optimized form is difficult: even the _simple_ optimized example above is difficult to read.
+
+In general, contributors should not try to optimize contributed regular expressions and should instead strive for clarity. New regular expressions will usually be required to be submitted as a `.ra` file for the [crs-toolchain](https://github.com/coreruleset/crs-toolchain) to process. In such a file, the regular expression is decomposed into individual parts, making manual optimizations much harder or even impossible (and unnecessary with the `crs-toolchain`). The `crs-toolchain` performs some common optimizations automatically, such as the one shown above.
+
+Whether optimizations make sense in a contribution is assessed for each case individually.
+
+## Rules Compliance with Paranoia Levels
+
+The rules in CRS are organized into **paranoia levels** (PLs) which makes it possible to define how aggressive CRS is. See the documentation on [paranoia levels](https://coreruleset.org/docs/concepts/paranoia_levels/) for an introduction and more detailed explanation.
+
+Each rule that is placed into a paranoia level must contain the tag `paranoia-level/N`, where *N* is the PL value, however this tag can only be added if the rule does **not** use the nolog action.
+
+The types of rules that are allowed at each paranoia level are as follows:
+
+**PL 0:**
+
+* ModSecurity / WAF engine installed, but almost no rules
+
+**PL 1:**
+
+* Default level: keep in mind that most installations will normally use this level
+* Any complex, memory consuming evaluation rules will surely belong to a higher level, not this one
+* CRS will normally use atomic checks in single rules at this level
+* Confirmed matches only; all scores are allowed
+* No false positives / low false positives: try to avoid adding rules with potential false positives!
+* False negatives could happen
+
+**PL 2:**
+
+* [Chain](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#chain) usage is allowed
+* Confirmed matches use score critical
+* Matches that cause false positives are limited to using scores notice or warning
+* Low false positive rates
+* False negatives are not desirable
+
+**PL 3:**
+
+* Chain usage with complex regular expression look arounds and macro expansions are allowed
+* Confirmed matches use scores warning or critical
+* Matches that cause false positives are limited to using score notice
+* False positive rates are higher but limited to multiple matches (not single strings)
+* False negatives should be a very unlikely accident
+
+**PL 4:**
+
+* Every item is inspected
+* Variable creations are allowed to avoid engine limitations
+* Confirmed matches use scores notice, warning, or critical
+* Matches that cause false positives are limited to using scores notice or warning
+* False positive rates are higher (even on single strings)
+* False negatives should not happen at this level
+* Check everything against RFCs and allow listed values for the most popular elements
+
+## ID Numbering Scheme
+
+The CRS project uses the numerical ID rule namespace from 900,000 to 999,999 for CRS rules, as well as 9,000,000 to 9,999,999 for default CRS rule exclusion packages and plugins.
+
+- Rules applying to the **incoming request** use the ID range 900,000 to 949,999.
+- Rules applying to the **outgoing response** use the ID range 950,000 to 999,999.
+
+The rules are grouped by the vulnerability class they address (SQLi, RCE, etc.) or the functionality they provide (e.g., initialization). These groups occupy blocks of thousands (e.g., SQLi: 942,000 - 942,999). These grouped rules are defined in files dedicated to a single group or functionality. The filename takes up the first three digits of the rule IDs defined within the file (e.g., SQLi: `REQUEST-942-APPLICATION-ATTACK-SQLI.conf`).
+
+The individual rules within each file for a vulnerability class are organized by the paranoia level of the rules. PL 1 is first, then PL 2, etc.
+
+The ID block 9xx000 - 9xx099 is reserved for use by CRS helper functionality. There are no blocking or filtering rules in this block.
+
+Among the rules providing CRS helper functionality are rules that skip other rules depending on the paranoia level. These rules always use the following reserved rule IDs: 9xx011 - 9xx018, with very few exceptions.
+
+The blocking and filter rules start at 9xx100 with a step width of 10, e.g., 9xx100, 9xx110, 9xx120, etc.
+
+The ID of a rule does not correspond directly with its paranoia level. Given the size of rule groups and how they're organized by paranoia level (starting with the lower PL rules first), PL 2 and above tend to be composed of rules with higher ID numbers.
+
+### Stricter Siblings
+
+Within a rule file / block, there are sometimes smaller groups of rules that belong together. They're closely linked and very often represent copies of the original rules with a stricter limit (alternatively, they can represent the same rule addressing a different *target* in a second rule, where this is necessary). These are **stricter siblings** of the base rule. Stricter siblings usually share the first five digits of the rule ID and raise the rule ID by one, e.g., a base rule at 9xx160 and a stricter sibling at 9xx161.
+
+Stricter siblings often have different paranoia levels. This means that the base rule and the stricter siblings don't usually reside next to each another in the rule file. Instead, they're ordered by paranoia level and are linked by the first digits of their rule IDs. It's good practice to introduce all stricter siblings together as part of the definition of the base rule: this can be done in the comments of the base rule. It's also good practice to refer back to the base rule with the keywords "stricter sibling" in the comments of the stricter siblings themselves. For example: "...This is performed in two separate stricter siblings of this rule: 9xxxx1 and 9xxxx2", and "This is a stricter sibling of rule 9xxxx0."
+
+## Writing Tests
+
+Each rule should be accompanied by tests. Rule tests are an invaluable way to check that a rule behaves as expected:
+
+- Does the rule correctly match against the payloads and behaviors that the rule is designed to detect? (**Positive tests**)
+- Does the rule correctly **not** match against legitimate requests, i.e., the rule doesn't cause obvious false positives? (**Negative tests**)
+
+Rule tests also provide an excellent way to test WAF engines and implementations to ensure they behave and execute CRS rules as expected.
+
+The rule tests are located under `tests/regression/tests`. Each CRS rule *file* has a corresponding *directory* and each individual *rule* has a corresponding *YAML file* containing all the tests for that rule. For example, the tests for rule 911100 *(Method is not allowed by policy)* are in the file `REQUEST-911-METHOD-ENFORCEMENT/911100.yaml`.
+
+Full documentation of the required formatting and available options of the YAML tests can be found in the SPECs at https://github.com/coreruleset/ftw-tests-schema/tree/main/spec. Be aware that the spec is evolving and the latest versions will be supported by the latest versions of the test engine.
+
+Documentation on how to run the CRS test suite can be found in the [online documentation](https://coreruleset.org/docs/development/testing/).
+
+### Positive Tests
+
+Example of a simple *positive test*:
+
+```yaml
+- test_id: 26
+ desc: "Unix command injection"
+ stages:
+ - input:
+ dest_addr: 127.0.0.1
+ headers:
+ Host: localhost
+ User-Agent: "OWASP CRS test agent"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ method: POST
+ port: 80
+ uri: "/post"
+ data: "var=` /bin/cat /etc/passwd`"
+ version: HTTP/1.1
+ output:
+ log:
+ expect_ids: [932230]
+```
+
+This test will succeed if the log output contains `id "932230"`, which would indicate that the rule in question matched and generated an alert.
+
+It's important that tests consistently include the HTTP header fields `Host`, `User-Agent`, and `Accept`. CRS includes rules that detect if these headers are missing or empty, so these headers should be included in each test to avoid unnecessarily causing those rules to match. Ideally, *each positive test should cause* **only** *the rule in question to match*.
+
+The rule's description field, `desc`, is important. It should describe what is being tested: what *should* match, what should *not* match, etc.
+
+### Negative Tests
+
+Example of a simple *negative test*:
+
+```yaml
+- test_id: 4
+ stages:
+ - input:
+ dest_addr: "127.0.0.1"
+ method: "POST"
+ port: 80
+ headers:
+ User-Agent: "OWASP CRS test agent"
+ Host: "localhost"
+ Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+ data: 'foo=ping pong tables'
+ uri: '/post'
+ output:
+ log:
+ no_expect_ids: [932260]
+```
+
+This test will succeed if the log output does **not** contain `id "932260"`, which would indicate that the rule in question did **not** match and so did **not** generate an alert.
+
+### Encoded and Raw Requests
+
+It is possible to *encode* an entire test request. This encapsulates the request and means that the request headers and payload don't need to be explicitly declared. This is useful when a test request needs to use unusual bytes which might break YAML parsers, or when a test request must be intentionally malformed in a way that is impossible to describe otherwise. An encoded request is sent exactly as intended.
+
+The `encoded_request` field works like so:
+
+```yaml
+encoded_request:
+```
+
+For example:
+```yaml
+encoded_request: "R0VUIFwgSFRUUA0KDQoK"
+```
+
+where `R0VUIFwgSFRUUA0KDQoK` is the base64-encoded equivalent of `GET \ HTTP\r\n\r\n`.
+
+The older method of using `raw_request` is deprecated as it's difficult to maintain and less portable than `encoded_request`.
+
+### Using The Correct HTTP Endpoint
+
+The CRS project uses [albedo](https://github.com/coreruleset/albedo) as the backend server for tests. Albedo is a simple HTTP server used as a reverse-proxy backend in testing web application firewalls (WAFs).
+
+- improve test throughput (prevent HTML from being returned by the backend)
+- add automatic HTTP method verification (the backend will respond with status code `405` (method not allowed) to requests whose method does not match the endpoint)
+
+These are the supported endpoints by albedo: https://github.com/coreruleset/albedo/?tab=readme-ov-file#endpoints
+
+Test URIs should be structured as follows, where `` must be replaced by the name of the HTTP method the test uses:
+
+```yaml
+#...
+ method:
+ uri: /
+#...
+```
+
+If you are writing a test for a response rule, take a look at the `/reflect` endpoint on how to use it.
+
+## Further Guidance on Rule Writing
+
+### Leaving Audit Log Configuration Unchanged
+
+Former versions of CRS dynamically included the HTTP response body in the audit log via special `ctl` statements on certain individual response rules. This was never applied in a systematic way and, regardless, CRS should not change the format of the audit log by itself, namely because this can lead to information leakages. Therefore, the use of `ctl:auditLogParts=+E` or any other form of `ctl:auditLogParts` is not allowed in CRS rules.
+
+## Non-Rules General Guidelines
+
+* Remove trailing spaces from files (if they're not needed). This will make linters happy.
+* EOF should have an EOL.
+
+The `pre-commit` framework can be used to check for and fix these issues automatically. First, go to the [pre-commit](https://pre-commit.com/) website and download the framework. Then, after installing, use the command `pre-commit install` so that the tools are installed and run each time a commit is made. CRS provides a config file that will keep the repository clean. We are also running `pre-commit` in our pipeline, so it will catch common errors.
diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/docs/CONTRIBUTORS.md b/blue/Tools/zoo/modules/turtle/coreruleset/docs/CONTRIBUTORS.md
new file mode 100644
index 0000000..8bbedaa
--- /dev/null
+++ b/blue/Tools/zoo/modules/turtle/coreruleset/docs/CONTRIBUTORS.md
@@ -0,0 +1,162 @@
+# Contributors
+
+## Project Co-Leads:
+
+- [Felipe Zipitría](https://github.com/fzipi)
+- [Max Leske](https://github.com/theseion)
+
+## Developers:
+
+- [Franziska Bühler](https://github.com/franbuehler)
+- [Esad Cetiner](https://github.com/esadcetiner)
+- [Christian Folini](https://github.com/dune73)
+- [Ervin Hegedus](https://github.com/airween)
+- [Andrew Howe](https://github.com/RedXanadu)
+- [Matteo Pace](https://github.com/M4tteoP)
+- [Jitendra Patro](https://github.com/Xhoenix)
+- [Jozef Sudolský](https://github.com/azurit)
+
+## Former and Inactive Developers:
+
+- [Paul Beckett](https://github.com/53cur3M3)
+- [Christoph Hansen](https://github.com/emphazer)
+- [Walter Hop](https://github.com/lifeforms) †
+- [Manuel Leos Rivas](https://github.com/spartantri)
+- [Andrea Menin](https://github.com/theMiddleBlue)
+- [Chaim Sanders](https://github.com/csanders-git)
+- [Federico G. Schwindt](https://github.com/fgsch)
+- [Simon Studer](https://github.com/studersi)
+- [Karel Knibbe](https://github.com/karelorigin)
+
+## Contributors:
+
+- [touchweb-vincent](https://github.com/touchweb-vincent)
+- [Elnadrion](https://github.com/Elnadrion)
+- [pha6d](https://github.com/pha6d)
+- [KIC-8462852](https://github.com/KIC-8462852)
+- [Muhammad Ayman](https://github.com/TheRubick)
+- [Thibault Soubiran](https://github.com/S0obi)
+- [OhMyVolk](https://github.com/OhMyVolk)
+- [evidencebp](https://github.com/evidencebp)
+- [mtaket](https://github.com/mtaket)
+- [luelueking](https://github.com/luelueking)
+- [agusmu](https://github.com/agusmu)
+- [Amir Hosein Aliakbarian](https://github.com/AmirHoseinAliakbarian)
+- [Zack Allen](https://github.com/zmallen)
+- [azhao155](https://github.com/azhao155)
+- [Matt Bagley](https://github.com/bagley)
+- [Ryan Barnett](https://github.com/rcbarnett)
+- [Soufiane Benali](https://github.com/soufianebenali)
+- [Peter Bittner](https://github.com/bittner)
+- [Allan Boll](https://github.com/allanbomsft)
+- [Jeremy Brown](https://github.com/jwbrown77)
+- [Brent Clark](https://github.com/brentclark)
+- [Jonathan Claudius](https://github.com/claudijd)
+- [coolt](https://github.com/coolt)
+- [Hussein Daher](https://github.com/hussein98d)
+- [Abu Dawud](https://github.com/abudawud)
+- [Ashish Dixit](https://github.com/tundal45)
+- [Mirko Dziadzka](https://github.com/mirkodziadzka-avi)
+- [Padraig Doran](https://github.com/padraigdoran)
+- [Dan Ehrlich](https://github.com/danehrlich1)
+- [İlteriş Eroğlu](https://github.com/linuxgemini)
+- [Umar Farook](https://github.com/umarfarook882)
+- [flo405](https://github.com/flo405)
+- [Fregf](https://github.com/Fregf)
+- [FrozenSolid](https://github.com/frozenSolid)
+- [Pásztor Gábor](https://github.com/gpasztor87)
+- [Jan Gora](https://github.com/terjanq)
+- [Aaron Haaf](https://github.com/Everspace)
+- [Michael Haas](https://github.com/MichaelHaas)
+- [henkworks](https://github.com/henkworks)
+- [Tim Herren](https://github.com/nerrehmit)
+- [Victor Hora](https://github.com/victorhora)
+- [itsTheFae](https://github.com/itsTheFae)
+- [jamuse](https://github.com/jamuse)
+- [jeremyjpj0916](https://github.com/jeremyjpj0916)
+- [jschleus](https://github.com/jschleus)
+- [k4n5ha0](https://github.com/k4n5ha0)
+- [kam821](https://github.com/kam821)
+- [Katherine](https://github.com/katef)
+- [kyzentun](https://github.com/kyzentun)
+- [Joost de Keijzer](https://github.com/joostdekeijzer)
+- [Krzysztof Kotowicz](https://github.com/koto)
+- [Evgeny Marmalstein](https://github.com/shimshon70)
+- [meetug](https://github.com/meetug)
+- [Christian Mehlmauer](https://github.com/FireFart)
+- [Pinaki Mondal](https://github.com/0xinfection)
+- [Glyn Mooney](https://github.com/skidoosh)
+- [na1ex](https://github.com/na1ex)
+- [Jose Nazario](https://github.com/paralax)
+- [Scott O'Neil](https://github.com/cPanelScott)
+- [Lucas Ostmann](https://github.com/lostmann-owl-it)
+- [NiceYouKnow](https://github.com/NiceYouKnow)
+- [nobletrout](https://github.com/nobletrout)
+- [Fernando Outeda](https://github.com/fog94)
+- [NullIsNot0](https://github.com/NullIsNot0)
+- [Robert Paprocki](https://github.com/p0pr0ck5)
+- [Christian Peron](https://github.com/csjperon)
+- [Elia Pinto](https://github.com/yersinia)
+- [pyllyukko](https://github.com/pyllyukko)
+- [Brian Rectanus](https://github.com/b1v1r)
+- [Vandan Rohatgi](https://github.com/vandanrohatgi)
+- [Rufus125](https://github.com/Rufus125)
+- Ofer Shezaf
+- [Takaya Saeki](https://github.com/nullpo-head)
+- Breno Silva
+- [Deepshikha Sinha](https://github.com/deepshikha-s)
+- siric\_
+- Emile-Hugo Spir
+- [somechris](https://github.com/somechris)
+- [Marc Stern](https://github.com/marcstern)
+- [supplient](https://github.com/supplient)
+- [Mike Taylor](https://github.com/miketaylr)
+- [ThanhPT](https://github.com/nevol1708)
+- [Timo](https://github.com/ntimo)
+- [Juan-Pablo Tosso](https://github.com/jptosso)
+- [vijayasija99](https://github.com/vijayasija99)
+- [Dany Volk](https://github.com/OhMyVolk)
+- [Ben Williams](https://github.com/benwilliams)
+- [Anna Winkler](https://github.com/annawinkler)
+- [Avery Wong](https://github.com/4v3r9)
+- [Will Woodson](https://github.com/wjwoodson)
+- [Greg Wroblewski](https://github.com/gwroblew)
+- [XeroChen](https://github.com/XeroChen)
+- [ygrek](https://github.com/ygrek)
+- [Yu Yagihashi](https://github.com/yagihash)
+- [Felipe "Zimmerle" Costa](https://github.com/zimmerle)
+- [Zino](https://github.com/zinoe)
+- Josh Zlatin
+- [Zou Guangxian](https://github.com/zouguangxian)
+- [4ft35t](https://github.com/4ft35t)
+- [Andy Clapson](https://github.com/Homesteady)
+- [Anuraag Agrawal](https://github.com/anuraaga)
+- [Christian Aistleitner](https://github.com/somechris)
+- [Dennis Brown](https://github.com/MutableLoss)
+- [Dexter Chang](https://github.com/dextermallo)
+- [Esa Jokinen](https://github.com/oh2fih)
+- [Finn Westendorf](https://github.com/wfinn)
+- [Gwendal Le Coguic](https://github.com/gwen001)
+- [Jean-François Viguier](https://github.com/jf-viguier)
+- [Juan Pablo Tosso](https://github.com/jptosso)
+- [Karel](https://github.com/karelorigin)
+- [Khiem Doan](https://github.com/khiemdoan)
+- [Mark Zeman](https://github.com/KramNamez)
+- [Priyam Patel](https://github.com/priyam001)
+- [Robert DeBoer](https://github.com/robertdeboer)
+- [Somdev Sangwan](https://github.com/s0md3v)
+- [Stephen Sigwart](https://github.com/ssigwart)
+- [Zerorigin](https://github.com/Zerorigin)
+- [Syin Wu](https://github.com/bxlxx)
+- [henkdswiss](https://github.com/henkworks)
+- [ignatiev](https://github.com/ignatiev)
+- [oct0pus7](https://github.com/oct0pus7)
+- [Timo](https://github.com/ntimo)
+- [rekter0](https://github.com/rekter0)
+- [ThanhPT](https://github.com/thanhpt1708)
+- [Vandan Rohatgi](https://github.com/vandanrohatgi)
+- [NiceYouKnow](https://github.com/NiceYouKnow)
+- [floyd](https://github.com/floyd)
+- [superlgn](https://github.com/superlgn)
+- [TimDiam0nd](https://github.com/TimDiam0nd)
+- [brentclark](https://github.com/brentclark)
diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/docs/INSTALL.md b/blue/Tools/zoo/modules/turtle/coreruleset/docs/INSTALL.md
new file mode 100644
index 0000000..9f40768
--- /dev/null
+++ b/blue/Tools/zoo/modules/turtle/coreruleset/docs/INSTALL.md
@@ -0,0 +1,183 @@
+# Installing CRS
+
+This guide aims to get a CRS installation up and running. This guide assumes that a compatible ModSecurity engine is already present and working. If unsure then refer to the [extended install](https://coreruleset.org/docs/deployment/extended_install/) page for full details.
+
+## Downloading the Rule Set
+
+The first step is to download the CRS itself. The CRS project strongly recommends using a [supported version](https://github.com/coreruleset/coreruleset/security/policy).
+
+Official CRS releases can be found at the following URL: https://github.com/coreruleset/coreruleset/releases.
+
+### Verifying Releases
+
+{{% notice note %}}
+Releases are signed using the CRS project's [GPG key](https://coreruleset.org/security.asc) (fingerprint: 3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72). Releases can be verified using GPG/PGP compatible tooling.
+
+To retrieve the CRS project's public key from public key servers using `gpg`, execute: `gpg --keyserver pgp.mit.edu --recv 0x38EEACA1AB8A6E72` (this ID should be equal to the last sixteen hex characters in the fingerprint).
+
+It is also possible to use `gpg --fetch-key https://coreruleset.org/security.asc` to retrieve the key directly.
+{{% /notice %}}
+
+The following steps assume that a \*nix operating system is being used. Installation is similar on Windows but likely involves using a zip file from the CRS [releases page](https://github.com/coreruleset/coreruleset/releases).
+
+To download the release file and the corresponding signature:
+
+```bash
+wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0.tar.gz
+wget https://github.com/coreruleset/coreruleset/releases/download/v4.0.0/coreruleset-4.0.0.tar.gz.asc
+```
+
+To verify the integrity of the release:
+
+```bash
+gpg --verify coreruleset-4.0.0.tar.gz.asc v4.0.0.tar.gz
+gpg: Signature made Wed Jun 30 10:05:48 2021 -03
+gpg: using RSA key 36006F0E0BA167832158821138EEACA1AB8A6E72
+gpg: Good signature from "OWASP Core Rule Set " [unknown]
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg: There is no indication that the signature belongs to the owner.
+Primary key fingerprint: 3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72
+```
+
+If the signature was good then the verification succeeds. If a warning is displayed, like the above, it means the CRS project's public key is *known* but is not *trusted*.
+
+To trust the CRS project's public key:
+
+```bash
+gpg --edit-key 36006F0E0BA167832158821138EEACA1AB8A6E72
+gpg> trust
+Your decision: 5 (ultimate trust)
+Are you sure: Yes
+gpg> quit
+```
+
+The result when verifying a release will then look like so:
+
+```bash
+gpg --verify coreruleset-4.0.0.tar.gz.asc v4.0.0.tar.gz
+gpg: Signature made Wed Jun 30 15:05:48 2021 CEST
+gpg: using RSA key 36006F0E0BA167832158821138EEACA1AB8A6E72
+gpg: Good signature from "OWASP Core Rule Set " [ultimate]
+```
+
+## Installing the Rule Set
+
+### Extracting the Files
+
+Once the rule set has been downloaded and verified, extract the rule set files to a well known location on the server. This will typically be somewhere in the web server directory.
+
+The examples presented below demonstrate using Apache. For information on configuring Nginx or IIS see the [extended install](https://coreruleset.org/docs/deployment/extended_install/) page.
+
+Note that while it's common practice to make a new `modsecurity.d` folder, as outlined below, this isn't strictly necessary. The path scheme outlined is common on RHEL-based operating systems; the Apache path used may need to be adjusted to match the server's installation.
+
+```bash
+mkdir /etc/crs4
+tar -xzvf v4.0.0.tar.gz --strip-components 1 -C /etc/crs4
+```
+
+Now all the CRS files will be located below the `/etc/crs4` directory.
+
+### Setting Up the Main Configuration File
+
+After extracting the rule set files, the next step is to set up the main OWASP CRS configuration file. An example configuration file is provided as part of the release package, located in the main directory: `crs-setup.conf.example`.
+
+{{% notice note %}}
+Other aspects of ModSecurity, particularly engine-specific parameters, are controlled by the ModSecurity "recommended" configuration rules, `modsecurity.conf-recommended`. This file comes packaged with ModSecurity itself.
+{{% /notice %}}
+
+In many scenarios, the default example CRS configuration will be a good enough starting point. It is, however, a good idea to take the time to look through the example configuration file *before* deploying it to make sure it's right for a given environment.
+
+Once any settings have been changed within the example configuration file, as needed, it should be renamed to remove the .example portion, like so:
+
+```bash
+cd /etc/crs4
+mv crs-setup.conf.example crs-setup.conf
+```
+
+### Include-ing the Rule Files
+
+The last step is to tell the web server where the rules are. This is achieved by `include`-ing the rule configuration files in the `httpd.conf` file. Again, this example demonstrates using Apache, but the process is similar on other systems (see the [extended install](https://coreruleset.org/docs/deployment/extended_install/) page for details).
+
+```bash
+echo 'IncludeOptional /etc/crs4/crs-setup.conf' >> /etc/httpd/conf/httpd.conf
+echo 'IncludeOptional /etc/crs4/plugins/*-config.conf' >> /etc/httpd/conf/httpd.conf
+echo 'IncludeOptional /etc/crs4/plugins/*-before.conf' >> /etc/httpd/conf/httpd.conf
+echo 'IncludeOptional /etc/crs4/rules/*.conf' >> /etc/httpd/conf/httpd.conf
+echo 'IncludeOptional /etc/crs4/plugins/*-after.conf' >> /etc/httpd/conf/httpd.conf
+```
+
+Now that everything has been configured, it should be possible to restart and begin using the OWASP CRS. The CRS rules typically require a bit of tuning with rule exclusions, depending on the site and web applications in question. For more information on tuning, see [false positives and tuning](https://coreruleset.org/docs/concepts/false_positives_tuning/).
+
+```bash
+systemctl restart httpd.service
+```
+
+## Alternative: Using Containers
+
+Another quick option is to use the official CRS [pre-packaged containers](https://coreruleset.org/docs/development/useful_tools/#official-crs-maintained-docker-images). Docker, Podman, or any compatible container engine can be used. The official CRS images are published in the Docker Hub. The image most often deployed is `owasp/modsecurity-crs`: it already has everything needed to get up and running quickly.
+
+The CRS project pre-packages both Apache and Nginx web servers along with the appropriate corresponding ModSecurity engine. More engines, like [Coraza](https://coraza.io/), will be added at a later date.
+
+To protect a running web server, all that's required is to get the appropriate image and set its configuration variables to make the WAF receives requests and proxies them to your backend server.
+
+Below is an example `docker-compose` file that can be used to pull the container images. All that needs to be changed is the `BACKEND` variable so that the WAF points to the backend server in question:
+
+```docker-compose
+services:
+ modsec2-apache:
+ container_name: modsec2-apache
+ image: owasp/modsecurity-crs:apache
+ environment:
+ SERVERNAME: modsec2-apache
+ BACKEND: http://
+ PORT: "80"
+ MODSEC_RULE_ENGINE: DetectionOnly
+ BLOCKING_PARANOIA: 2
+ TZ: "${TZ}"
+ ERRORLOG: "/var/log/error.log"
+ ACCESSLOG: "/var/log/access.log"
+ MODSEC_AUDIT_LOG_FORMAT: Native
+ MODSEC_AUDIT_LOG_TYPE: Serial
+ MODSEC_AUDIT_LOG: "/var/log/modsec_audit.log"
+ MODSEC_TMP_DIR: "/tmp"
+ MODSEC_RESP_BODY_ACCESS: "On"
+ MODSEC_RESP_BODY_MIMETYPE: "text/plain text/html text/xml application/json"
+ COMBINED_FILE_SIZES: "65535"
+ volumes:
+ ports:
+ - "80:80"
+```
+
+That's all that needs to be done. Simply starting the container described above will instantly provide the protection of the latest stable CRS release in front of a given backend server or service. There are [lots of additional variables](https://github.com/coreruleset/modsecurity-crs-docker) that can be used to configure the container image and its behavior, so be sure to read the full documentation.
+
+## Verifying that the CRS is active
+
+Always verify that CRS is installed correctly by sending a 'malicious' request to your site or application, for instance:
+
+```bash
+curl 'https://www.example.com/?foo=/etc/passwd&bar=/bin/sh'
+```
+
+Depending on your configured thresholds, this should be detected as a malicious request. If you use blocking mode, you should receive an Error 403. The request should also be logged to the audit log, which is usually in `/var/log/modsec_audit.log`.
+
+## Upgrading
+
+### Upgrading from CRS 3.x to CRS 4
+
+The most impactful change is the removal of application exclusion packages in favor of a plugin system. If you had activated the exclusion packages in CRS 3, you should download the plugins for them and place them in the plugins subdirectory. We maintain the list of plugins in our [Plugin Registry](https://github.com/coreruleset/plugin-registry). You can find detailed information on working with plugins in our [plugins documentation](https://coreruleset.org/docs/concepts/plugins/).
+
+In terms of changes to the detection rules, the amount of changes is smaller than in the CRS 2—3 changeover. Most rules have only evolved slightly, so it is recommended that you keep any existing custom exclusions that you have made under CRS 3.
+
+We recommend to start over by copying our `crs-setup.conf.example` to `crs-setup.conf` with a copy of your old file at hand, and re-do the customizations that you had under CRS 3.
+
+Please note that we added a large number of new detections, and any new detection brings a certain risk of false alarms. Therefore, we recommend to test first before going live.
+
+### Upgrading from CRS 2.x to CRS 3
+
+In general, you can update by unzipping our new release over your older one, and updating the `crs-setup.conf` file with any new settings. However, CRS 3.0 is a major rewrite, incompatible with CRS 2.x. Key setup variables have changed their name, and new features have been introduced. Your former modsecurity_crs_10_setup.conf file is thus no longer usable. We recommend you to start with a fresh crs-setup.conf file from scratch.
+
+Most rule IDs have been changed to reorganize them into logical sections. This means that if you have written custom configuration with exclusion rules (e.g. `SecRuleRemoveById`, `SecRuleRemoveTargetById`, `ctl:ruleRemoveById` or `ctl:ruleRemoveTargetById`) you must renumber the rule numbers in that configuration. You can do this using the supplied utility util/id_renumbering/update.py or find the changes in util/id_renumbering/IdNumbering.csv.
+
+However, a key feature of the CRS 3 is the reduction of false positives in the default installation, and many of your old exclusion rules may no longer be necessary. Therefore, it is a good option to start fresh without your old exclusion rules.
+
+If you are experienced in writing exclusion rules for CRS 2.x, it may be worthwhile to try running CRS 3 in Paranoia Level 2 (PL2). This is a stricter mode, which blocks additional attack patterns, but brings a higher number of false positives — in many situations the false positives will be comparable with CRS 2.x. This paranoia level however will bring you a higher protection level than CRS 2.x or a CRS 3 default install, so it can be worth the investment.
diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/docs/KNOWN_BUGS.md b/blue/Tools/zoo/modules/turtle/coreruleset/docs/KNOWN_BUGS.md
new file mode 100644
index 0000000..221d0f2
--- /dev/null
+++ b/blue/Tools/zoo/modules/turtle/coreruleset/docs/KNOWN_BUGS.md
@@ -0,0 +1,49 @@
+# CRS KNOWN BUGS
+
+## Report Bugs/Issues to GitHub Issues Tracker or the mailinglist
+
+* https://github.com/coreruleset/coreruleset/issues
+or the CRS Google Group at
+* https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project
+
+* There are still false positives for standard web applications in
+ the default install (paranoia level 1). Please report these when
+ you encounter them.
+ False Positives from paranoia level 2 rules are less interesting,
+ as we expect users to write exclusion rules for their alerts in
+ the higher paranoia levels.
+* Permanent blocking of clients is based on a previous user agent / IP
+ combination. Changing the user agent will thus allow to bypass
+ this new filter. The plan is to allow for a purely IP based
+ filter in the future.
+* Apache 2.4 prior to 2.4.11 is affected by a bug in parsing multi-line
+ configuration directives, which causes Apache to fail during startup
+ with an error such as:
+ Error parsing actions: Unknown action: \\
+ Action 'configtest' failed.
+ This bug is known to plague RHEL/Centos 7 below v7.4 or
+ httpd v2.4.6 release 67 and Ubuntu 14.04 LTS users.
+ https://bz.apache.org/bugzilla/show_bug.cgi?id=55910
+ We advise to upgrade your Apache version. If upgrading is not possible,
+ we have provided a script in the util/join-multiline-rules directory
+ which converts the rules into a format that works around the bug.
+ You have to re-run this script whenever you modify or update
+ the CRS rules.
+* Debian up to and including Jessie lacks YAJL/JSON support in ModSecurity,
+ which causes the following error in the Apache ErrorLog or SecAuditLog:
+ 'ModSecurity: JSON support was not enabled.'
+ JSON support was enabled in Debian's package version 2.8.0-4 (Nov 2014).
+ You can either use backports.debian.org to install the latest ModSecurity
+ release or disable rule id 200001.
+* As of CRS version 3.0.1, support has been added for the application/soap+xml MIME
+ type by default, as specified in RFC 3902. OF IMPORTANCE, application/soap+xml is
+ indicative that XML will be provided. In accordance with this, ModSecurity's XML
+ Request Body Processor should also be configured to support this MIME type. Within
+ the ModSecurity project, [commit 5e4e2af](https://github.com/owasp-modsecurity/ModSecurity/commit/5e4e2af7a6f07854fee6ed36ef4a381d4e03960e)
+ has been merged to support this endeavour. However, if you are running a modified or
+ preexisting version of the modsecurity.conf provided by this repository, you may
+ wish to upgrade rule '200000' accordingly. The rule now appears as follows:
+ ```
+ SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
+ "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+ ```
diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/docs/README.md b/blue/Tools/zoo/modules/turtle/coreruleset/docs/README.md
new file mode 100644
index 0000000..baa6db8
--- /dev/null
+++ b/blue/Tools/zoo/modules/turtle/coreruleset/docs/README.md
@@ -0,0 +1,36 @@
+[![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-38a047.svg)](https://owasp.org/projects/)
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1390/badge)](https://bestpractices.coreinfrastructure.org/projects/1390)
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
+
+| Branch | Status |
+|-------------|-------|
+| main | ![GHA build main](https://github.com/coreruleset/coreruleset/actions/workflows/test.yml/badge.svg?branch=main) |
+| v3.3/master | ![GHA build v3.3/master](https://github.com/coreruleset/coreruleset/workflows/Regression%20Tests/badge.svg?branch=v3.3%2Fmaster) |
+
+
+# OWASP CRS
+
+The OWASP CRS is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
+
+## CRS Resources, Related Projects and Tools
+
+Please see the [OWASP CRS page](https://coreruleset.org/) to get introduced to CRS and view resources on installation, configuration, and working with CRS. There you can also find a [list of projects related to CRS](https://coreruleset.org/) and a [list of tools](https://coreruleset.org/docs/6-development/6-6-useful_tools/) for both developers and users.
+
+## Contributing to CRS
+
+We strive to make the OWASP CRS accessible to a wide audience of beginner and experienced users. We are interested in hearing any bug reports, false-positive alert reports, evasions, usability issues, and suggestions for new detections.
+
+[Create an issue on GitHub](https://github.com/coreruleset/coreruleset/issues) to report a false positive or false negative (evasion). Please include your installed version and the relevant portions of your audit log. We will try and address your issue and potentially ask for additional information to reproduce your problem. Please also note that stale issues will be flagged and closed after 120 days. You can search for stale issues with the following [search query](https://github.com/coreruleset/coreruleset/issues?q=label%3A%22Stale+issue%22).
+
+[Sign up for our Google Group](https://groups.google.com/a/owasp.org/g/modsecurity-core-rule-set-project) to ask general usage questions and participate in discussions on the CRS. Also [here](https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/index) you can find the archives for the previous mailing list.
+
+[Join the #coreruleset channel on OWASP Slack](https://owasp.slack.com/) to chat about the CRS. ([Click here](https://owasp.org/slack/invite) to get an invitation if you are not yet registered on the OWASP slack. It's open to non-members too.)
+
+Read also our documentation on [how to contribute](./CONTRIBUTING.md).
+
+## License
+
+Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+Copyright (c) 2021-2025 CRS project. All rights reserved.
+
+The OWASP CRS is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details.
diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/docs/SECURITY.md b/blue/Tools/zoo/modules/turtle/coreruleset/docs/SECURITY.md
new file mode 100644
index 0000000..10c0813
--- /dev/null
+++ b/blue/Tools/zoo/modules/turtle/coreruleset/docs/SECURITY.md
@@ -0,0 +1,93 @@
+# Security Policy
+
+## Supported Versions
+
+OWASP CRS has two types of releases, Major releases (3.0.0, 3.1.0, 3.2.0 etc.) and point releases (3.0.1, 3.0.2 etc.).
+For more information see our [wiki](https://github.com/coreruleset/coreruleset/wiki/Release-Policy).
+
+The OWASP CRS officially supports the two latest point releases with severe security patches.
+We are happy to receive and merge PR's that address security issues in older versions of the project, but the team itself may choose not to fix these.
+Along those lines, OWASP CRS team may not issue security notifications for unsupported software.
+
+| Version | Supported |
+| --------- | ------------------ |
+| 4.22.z | :white_check_mark: |
+| 4.21.z | :white_check_mark: |
+| 4.y.z | :x: |
+| 3.3.x | :white_check_mark: |
+| 3.2.x | :x: |
+| 3.1.x | :x: |
+| 3.0.x | :x: |
+| 2.x | :x: |
+
+## GPG Signed Releases
+
+Releases are signed using [our GPG key](https://coreruleset.org/security.asc), (fingerprint: 3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72). You can verify the release using GPG/PGP compatible tooling.
+
+### Importing the GPG Key
+
+To get our key using gpg: `gpg --keyserver pgp.mit.edu --recv 0x38EEACA1AB8A6E72` (this id should be equal to the last sixteen hex characters in our fingerprint).
+You can also use `gpg --fetch-key https://coreruleset.org/security.asc` directly.
+
+### Verifying the CRS Release
+
+Download the release file and the corresponding signature. The following example shows how to do it for `v4.0.0` release:
+
+```bash
+$ wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0.tar.gz
+$ wget https://github.com/coreruleset/coreruleset/releases/download/v4.0.0/coreruleset-4.0.0.tar.gz.asc
+```
+
+**Verification**:
+
+```bash
+❯ gpg --verify coreruleset-4.0.0.tar.gz.asc v4.0.0.tar.gz
+gpg: Signature made Wed Jun 30 10:05:48 2021 -03
+gpg: using RSA key 36006F0E0BA167832158821138EEACA1AB8A6E72
+gpg: Good signature from "OWASP Core Rule Set " [unknown]
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg: There is no indication that the signature belongs to the owner.
+Primary key fingerprint: 3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72
+```
+
+If the signature was good, the verification succeeded. If you see a warning like the above, it means you know our public key, but you are not trusting it. You can trust it by using the following method:
+
+```bash
+gpg --edit-key 36006F0E0BA167832158821138EEACA1AB8A6E72
+gpg> trust
+Your decision: 5 (ultimate trust)
+Are you sure: Yes
+gpg> quit
+```
+
+Then you will see this result when verifying:
+```bash
+gpg --verify coreruleset-4.0.0.tar.gz.asc v4.0.0.tar.gz
+gpg: Signature made Wed Jun 30 15:05:48 2021 CEST
+gpg: using RSA key 36006F0E0BA167832158821138EEACA1AB8A6E72
+gpg: Good signature from "OWASP Core Rule Set " [ultimate]
+```
+
+## Reporting a Vulnerability
+
+We strive to make the OWASP CRS accessible to a wide audience of beginner and experienced users.
+We welcome bug reports, false positive alert reports, evasions, usability issues, and suggestions for new detections.
+Submit these types of non-vulnerability related issues via Github.
+Please include your installed version and the relevant portions of your audit log.
+False negative or common bypasses should [create an issue](https://github.com/coreruleset/coreruleset/issues/new) so they can be addressed.
+
+Do this before submitting a vulnerability using our email:
+1) Verify that you have the latest version of OWASP CRS.
+2) Validate which Paranoia Level this bypass applies to. If it works in PL4, please send us an email.
+3) If you detected anything that causes unexpected behavior of the engine via manipulation of existing CRS provided rules, please send it by email.
+4) Check whether the exploit/vulnerability is covered at a higher paranoia level by testing it against the [CRS Sandbox](https://coreruleset.org/docs/6-development/6-4-using-the-crs-sandbox/) at a higher paranoia level.
+
+We also provide you with the [Sandbox project](https://coreruleset.org/docs/development/sandbox/), where you can test your bypass and report back to us. If testing using the sandbox, please include the `X-Unique-ID` from the response in your email.
+
+Our email is [security@coreruleset.org](mailto:security@coreruleset.org). You can send us encrypted email using the same GPG key we use to sign releases, fingerprint: `3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72`.
+
+We are happy to work with the community to provide CVE identifiers for any discovered security issues if requested.
+
+If in doubt, feel free to reach out to us!
+
+The OWASP CRS Team.
diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/docs/SPONSORS.md b/blue/Tools/zoo/modules/turtle/coreruleset/docs/SPONSORS.md
new file mode 100644
index 0000000..7e4a32e
--- /dev/null
+++ b/blue/Tools/zoo/modules/turtle/coreruleset/docs/SPONSORS.md
@@ -0,0 +1,8 @@
+## GOLD SPONSORS
+
+* Google
+* United Security Providers
+
+## SILVER SPONSORS
+
+* Swiss Post
diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/plugins/README.md b/blue/Tools/zoo/modules/turtle/coreruleset/plugins/README.md
new file mode 100644
index 0000000..4c2cc9d
--- /dev/null
+++ b/blue/Tools/zoo/modules/turtle/coreruleset/plugins/README.md
@@ -0,0 +1,7 @@
+This is the folder where you install CRS plugins.
+
+See https://github.com/coreruleset/plugin-registry
+for a list of registered official and 3rd party plugins.
+
+Plugins are documented in the CRS INSTALL file and
+in also with said plugin registry.
diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/plugins/empty-after.conf b/blue/Tools/zoo/modules/turtle/coreruleset/plugins/empty-after.conf
new file mode 100644
index 0000000..e69de29
diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/plugins/empty-before.conf b/blue/Tools/zoo/modules/turtle/coreruleset/plugins/empty-before.conf
new file mode 100644
index 0000000..e69de29
diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/plugins/empty-config.conf b/blue/Tools/zoo/modules/turtle/coreruleset/plugins/empty-config.conf
new file mode 100644
index 0000000..e69de29
diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
new file mode 100644
index 0000000..ceadfa2
--- /dev/null
+++ b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
@@ -0,0 +1,200 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.22.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2026 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# The purpose of this file is to hold LOCAL exceptions for your site. The
+# types of rules that would go into this file are one where you want to
+# short-circuit inspection and allow certain transactions to pass through
+# inspection or if you want to alter rules that are applied.
+#
+# This file is named REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example for a
+# very specific reason. Files affixed with the .example extension are designed
+# to contain user created/modified data. The '.example'. extension should be
+# renamed to end in .conf. The advantage of this is that when OWASP CRS is
+# updated, the updates will not overwrite a user generated configuration file.
+#
+# As a result of this design paradigm users are encouraged NOT to directly
+# modify rules. Instead they should use this
+# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and the
+# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS file to modify OWASP rules using
+# methods similar to the examples specified below.
+#
+# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and
+# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS serve different purposes. ModSecurity
+# effectively maintains two different context: startup, and per transaction.
+# As a rule, directives are processed within the startup context. While they
+# can affect the per transaction context they generally remain fixed during the
+# execution of ModSecurity.
+#
+# As a result if one wanted to disable a rule at bootup the SecRuleRemoveById
+# directive or one of its siblings would have to be placed AFTER the rule is
+# listed, otherwise it will not have knowledge of the rules existence (since
+# these rules are read in at the same time). This means that when using
+# directives that effect SecRules, these exceptions should be placed AFTER all
+# the existing rules. This is why RESPONSE-999-EXCLUSION-RULES-AFTER-CRS is
+# designed such that it loads LAST.
+#
+# Conversely, ModSecurity supports several actions that can change the state of
+# the underlying configuration during the per transaction context, this is when
+# rules are being processed. Generally, these are accomplished by using the
+# 'ctl' action. As these are part of a rule, they will be evaluated in the
+# order rules are applied (by physical location, considering phases). As a
+# result of this ordering a 'ctl' action should be placed with consideration to
+# when it will be executed. This is particularly relevant for the 'ctl' options
+# that involve modifying ID's (such as ruleRemoveById). In these cases it is
+# important that such rules are placed BEFORE the rule ID they will affect.
+# Unlike the setup context, by the time we process rules in the per-transaction
+# context, we are already aware of all the rule ID's. It is by this logic that
+# we include rules such as this BEFORE all the remaining rules. As a result
+# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS is designed to load FIRST.
+#
+# As a general rule:
+# ctl:ruleEngine -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+# ctl:ruleRemoveById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+# ctl:ruleRemoveByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+# ctl:ruleRemoveByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+# ctl:ruleRemoveTargetById -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+# ctl:ruleRemoveTargetByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+# ctl:ruleRemoveTargetByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+#
+# SecRuleRemoveById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+# SecRuleRemoveByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+# SecRuleRemoveByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+# SecRuleUpdateActionById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+# SecRuleUpdateTargetById -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+# SecRuleUpdateTargetByMsg -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+# SecRuleUpdateTargetByTag -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+#
+#
+# What follows are a group of examples that show you how to perform rule
+# exclusions.
+#
+#
+# Example Exclusion Rule: Disable inspection for an authorized client
+#
+# This ruleset allows you to control how ModSecurity will handle traffic
+# originating from Authorized Vulnerability Scanning (AVS) sources. See
+# related blog post -
+# https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/updated-advanced-topic-of-the-week-handling-authorized-scanning-traffic/
+#
+# Allow List ASV network block (no blocking or logging of AVS traffic) Update
+# IP network block as appropriate for your AVS traffic
+#
+# ModSec Rule Exclusion: Disable Rule Engine for known ASV IP
+# SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
+# "id:1000,\
+# phase:1,\
+# pass,\
+# nolog,\
+# ctl:ruleEngine=Off"
+#
+#
+# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
+# for an individual rule
+#
+# This rule shows how to conditionally exclude the "password"
+# parameter for rule 942100 when the REQUEST_URI is /index.php
+# ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection
+#
+# SecRule REQUEST_URI "@beginsWith /index.php" \
+# "id:1001,\
+# phase:1,\
+# pass,\
+# nolog,\
+# ctl:ruleRemoveTargetById=942100;ARGS:password"
+#
+#
+# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
+# for only certain attacks
+#
+# Attack rules within the CRS are tagged, with tags such as 'attack-lfi',
+# 'attack-sqli', 'attack-xss', 'attack-injection-php', et cetera.
+#
+# ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
+# for all rules tagged attack-sqli
+# SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
+# "id:1002,\
+# phase:2,\
+# pass,\
+# nolog,\
+# ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:pwd"
+#
+
+# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
+# for all CRS rules
+#
+# This rule illustrates that we can use tagging very effectively to allow list a
+# common false positive across an entire ModSecurity instance. This can be done
+# because every rule in OWASP_CRS is tagged with OWASP_CRS. This will NOT
+# affect custom rules.
+#
+# ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
+# for all CRS rules
+# SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
+# "id:1003,\
+# phase:2,\
+# pass,\
+# nolog,\
+# ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd"
+
+#
+# Example Exclusion Rule: Removing a range of rules
+#
+# This rule illustrates that we can remove a rule range via a ctl action.
+# This uses the fact, that rules are grouped by topic in rule files covering
+# a certain id range.
+# IMPORTANT: ModSecurity v3, aka libModSecurity, does not currently support the
+# use of rule ranges in a ruleRemoveById ctl action (this feature has been
+# planned for v3.1). Consider using ruleRemoveByTag as a workaround, if
+# appropriate.
+#
+# ModSecurity Rule Exclusion: Disable all SQLi and XSS rules
+# SecRule REQUEST_FILENAME "@beginsWith /admin" \
+# "id:1004,\
+# phase:2,\
+# pass,\
+# nolog,\
+# ctl:ruleRemoveById=941000-942999"
+#
+#
+# The application-specific rule exclusion plugins
+# (see: https://github.com/coreruleset/plugin-registry)
+# provide additional examples which can be useful then tuning a service.
+
+
+#
+# Example Rule: Allow monitoring tools and scripts
+#
+# Uncomment this rule to allow all requests from trusted IPs and User-Agent.
+# This can be useful for monitoring tools like Monit, Nagios, or other agents.
+# For example, if you're using AWS Load Balancer, you may need to trust all
+# requests from "10.0.0.0/8" subnet that come with the user-agent
+# "ELB-HealthChecker/2.0". By doing this, all requests that match these
+# conditions will not be matched against the following rules:
+#
+# - id: 911100 (allowed methods)
+# - id: 913100 (scan detection)
+# - id: 920280 (missing/empty host header)
+# - id: 920350 (IP address in host header)
+# - tag: attack-disclosure (all RESPONSE-*-DATA-LEAKAGES rules)
+#
+# SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/8" \
+# "id:1005,\
+# phase:1,\
+# pass,\
+# nolog,\
+# chain"
+# SecRule REQUEST_METHOD "@pm GET HEAD" "chain"
+# SecRule REQUEST_HEADERS:User-Agent "@pm ELB-HealthChecker" \
+# "ctl:ruleRemoveById=911100,\
+# ctl:ruleRemoveById=913100,\
+# ctl:ruleRemoveById=920280,\
+# ctl:ruleRemoveById=920350,\
+# ctl:ruleRemoveByTag=attack-disclosure"
diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-901-INITIALIZATION.conf b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-901-INITIALIZATION.conf
new file mode 100644
index 0000000..4b0e2eb
--- /dev/null
+++ b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-901-INITIALIZATION.conf
@@ -0,0 +1,472 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.22.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2026 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# This file REQUEST-901-INITIALIZATION.conf initializes the Core Rules
+# and performs preparatory actions. It also fixes errors and omissions
+# of variable definitions in the file crs-setup.conf.
+# The crs-setup.conf can and should be edited by the user, this file
+# is part of the CRS installation and should not be altered.
+#
+
+
+#
+# -=[ Rules Version ]=-
+#
+# Rule version data is added to the "Producer" line of Section H of the Audit log:
+#
+# - Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.1.0.
+#
+# Ref: https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#seccomponentsignature
+#
+SecComponentSignature "OWASP_CRS/4.22.0"
+
+#
+# -=[ Default setup values ]=-
+#
+# The CRS checks the tx.crs_setup_version variable to ensure that the setup
+# file is included at the correct time. This detects situations where
+# necessary settings are not defined, for instance if the file
+# inclusion order is incorrect, or if the user has forgotten to
+# include the crs-setup.conf file.
+#
+# If you are upgrading from an earlier version of the CRS and you are
+# getting this error, please make a new copy of the setup template
+# crs-setup.conf.example to crs-setup.conf, and re-apply your policy
+# changes. There have been many changes in settings syntax from CRS2
+# to CRS3, so an old setup file may cause unwanted behavior.
+#
+# If you are not planning to use the crs-setup.conf template, you must
+# manually set the tx.crs_setup_version variable before including
+# the CRS rules/* files.
+#
+# The variable is a numerical representation of the CRS version number.
+# E.g., v3.0.0 is represented as 300.
+#
+
+SecRule &TX:crs_setup_version "@eq 0" \
+ "id:901001,\
+ phase:1,\
+ deny,\
+ status:500,\
+ log,\
+ auditlog,\
+ msg:'CRS is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL'"
+
+
+#
+# -=[ Default setup values ]=-
+#
+# Some constructs or individual rules will fail if certain parameters
+# are not set in the crs-setup.conf file. The following rules will catch
+# these cases and assign sane default values.
+#
+
+# Default Inbound Anomaly Threshold Level (rule 900110 in crs-setup.conf)
+SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
+ "id:901100,\
+ phase:1,\
+ pass,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'tx.inbound_anomaly_score_threshold=5'"
+
+# Default Outbound Anomaly Threshold Level (rule 900110 in crs-setup.conf)
+SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
+ "id:901110,\
+ phase:1,\
+ pass,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'tx.outbound_anomaly_score_threshold=4'"
+
+# Default Reporting Level (rule 900115 in crs-setup.conf)
+SecRule &TX:reporting_level "@eq 0" \
+ "id:901111,\
+ phase:1,\
+ pass,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'tx.reporting_level=4'"
+
+# Default Early Blocking (rule 900120 in crs-setup.conf)
+SecRule &TX:early_blocking "@eq 0" \
+ "id:901115,\
+ phase:1,\
+ pass,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'tx.early_blocking=0'"
+
+# Default Blocking Paranoia Level (rule 900000 in crs-setup.conf)
+SecRule &TX:blocking_paranoia_level "@eq 0" \
+ "id:901120,\
+ phase:1,\
+ pass,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'tx.blocking_paranoia_level=1'"
+
+# Default Detection Paranoia Level (rule 900001 in crs-setup.conf)
+SecRule &TX:detection_paranoia_level "@eq 0" \
+ "id:901125,\
+ phase:1,\
+ pass,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'tx.detection_paranoia_level=%{TX.blocking_paranoia_level}'"
+
+# Default Sampling Percentage (rule 900400 in crs-setup.conf)
+SecRule &TX:sampling_percentage "@eq 0" \
+ "id:901130,\
+ phase:1,\
+ pass,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'tx.sampling_percentage=100'"
+
+# Default Anomaly Scores (rule 900100 in crs-setup.conf)
+SecRule &TX:critical_anomaly_score "@eq 0" \
+ "id:901140,\
+ phase:1,\
+ pass,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'tx.critical_anomaly_score=5'"
+
+SecRule &TX:error_anomaly_score "@eq 0" \
+ "id:901141,\
+ phase:1,\
+ pass,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'tx.error_anomaly_score=4'"
+
+SecRule &TX:warning_anomaly_score "@eq 0" \
+ "id:901142,\
+ phase:1,\
+ pass,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'tx.warning_anomaly_score=3'"
+
+SecRule &TX:notice_anomaly_score "@eq 0" \
+ "id:901143,\
+ phase:1,\
+ pass,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'tx.notice_anomaly_score=2'"
+
+# Default HTTP policy: allowed_methods (rule 900200 in crs-setup.conf)
+SecRule &TX:allowed_methods "@eq 0" \
+ "id:901160,\
+ phase:1,\
+ pass,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
+
+# Default HTTP policy: allowed_request_content_type (rule 900220 in crs-setup.conf)
+SecRule &TX:allowed_request_content_type "@eq 0" \
+ "id:901162,\
+ phase:1,\
+ pass,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/reports+json| |application/csp-report|'"
+
+# Default HTTP policy: allowed_request_content_type_charset (rule 900280 in crs-setup.conf)
+SecRule &TX:allowed_request_content_type_charset "@eq 0" \
+ "id:901168,\
+ phase:1,\
+ pass,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
+
+# Default HTTP policy: allowed_http_versions (rule 900230 in crs-setup.conf)
+SecRule &TX:allowed_http_versions "@eq 0" \
+ "id:901163,\
+ phase:1,\
+ pass,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
+
+# Default HTTP policy: restricted_extensions (rule 900240 in crs-setup.conf)
+SecRule &TX:restricted_extensions "@eq 0" \
+ "id:901164,\
+ phase:1,\
+ pass,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'tx.restricted_extensions=.ani/ .asa/ .asax/ .ascx/ .back/ .backup/ .bak/ .bck/ .bk/ .bkp/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .cnf/ .com/ .compositefont/ .config/ .conf/ .copy/ .crt/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dist/ .dll/ .dos/ .dpkg-dist/ .drv/ .gadget/ .hta/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .inf/ .ini/ .jse/ .key/ .licx/ .lnk/ .log/ .mdb/ .msc/ .ocx/ .old/ .pass/ .pdb/ .pfx/ .pif/ .pem/ .pol/ .prf/ .printer/ .pwd/ .rdb/ .rdp/ .reg/ .resources/ .resx/ .sav/ .save/ .scr/ .sct/ .sh/ .shs/ .sql/ .sqlite/ .sqlite3/ .swp/ .sys/ .temp/ .tlb/ .tmp/ .vb/ .vbe/ .vbs/ .vbproj/ .vsdisco/ .vxd/ .webinfo/ .ws/ .wsc/ .wsf/ .wsh/ .xsd/ .xsx/'"
+
+# Default HTTP policy: restricted_headers_basic (rule 900250 in crs-setup.conf)
+SecRule &TX:restricted_headers_basic "@eq 0" \
+ "id:901165,\
+ phase:1,\
+ pass,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/ /x-middleware-subrequest/ /expect/'"
+
+# Default HTTP policy: restricted_headers_extended (rule 900255 in crs-setup.conf)
+SecRule &TX:restricted_headers_extended "@eq 0" \
+ "id:901171,\
+ phase:1,\
+ pass,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'tx.restricted_headers_extended=/accept-charset/'"
+
+# Default enforcing of body processor URLENCODED (rule 900010 in crs-setup.conf)
+SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
+ "id:901167,\
+ phase:1,\
+ pass,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'tx.enforce_bodyproc_urlencoded=0'"
+
+# Default check for UTF8 encoding validation (rule 900950 in crs-setup.conf)
+SecRule &TX:crs_validate_utf8_encoding "@eq 0" \
+ "id:901169,\
+ phase:1,\
+ pass,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'tx.crs_validate_utf8_encoding=0'"
+
+# Default check for skipping response analysis (rule 900500 in crs-setup.conf)
+SecRule &TX:crs_skip_response_analysis "@eq 0" \
+ "id:901170,\
+ phase:1,\
+ pass,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'tx.crs_skip_response_analysis=0'"
+
+#
+# -=[ Initialize internal variables ]=-
+#
+
+# Initialize anomaly scoring variables.
+# All _score variables start at 0, and are incremented by the various rules
+# upon detection of a possible attack.
+
+SecAction \
+ "id:901200,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'tx.blocking_inbound_anomaly_score=0',\
+ setvar:'tx.detection_inbound_anomaly_score=0',\
+ setvar:'tx.inbound_anomaly_score_pl1=0',\
+ setvar:'tx.inbound_anomaly_score_pl2=0',\
+ setvar:'tx.inbound_anomaly_score_pl3=0',\
+ setvar:'tx.inbound_anomaly_score_pl4=0',\
+ setvar:'tx.sql_injection_score=0',\
+ setvar:'tx.xss_score=0',\
+ setvar:'tx.rfi_score=0',\
+ setvar:'tx.lfi_score=0',\
+ setvar:'tx.rce_score=0',\
+ setvar:'tx.php_injection_score=0',\
+ setvar:'tx.http_violation_score=0',\
+ setvar:'tx.session_fixation_score=0',\
+ setvar:'tx.blocking_outbound_anomaly_score=0',\
+ setvar:'tx.detection_outbound_anomaly_score=0',\
+ setvar:'tx.outbound_anomaly_score_pl1=0',\
+ setvar:'tx.outbound_anomaly_score_pl2=0',\
+ setvar:'tx.outbound_anomaly_score_pl3=0',\
+ setvar:'tx.outbound_anomaly_score_pl4=0',\
+ setvar:'tx.anomaly_score=0'"
+
+
+#
+# -=[ Initialize collections ]=-
+#
+# Create both Global and IP collections for rules to use.
+# Some plugins assume that these two collections have already
+# been initialized.
+# IP collection is initialized with the IP address concatened with the hashed user agent.
+
+# Disable collection initialization by default (see rule 900130 in crs-setup.conf)
+# The creation of the IP and the GLOBAL collection is not being tested as
+# of this writing due to limits in ftw and our testing setup.
+# Proper testing would involve the checking of a variable in the said collections.
+SecRule &TX:ENABLE_DEFAULT_COLLECTIONS "@eq 1" \
+ "id:901320,\
+ phase:1,\
+ pass,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'tx.ua_hash=%{REQUEST_HEADERS.User-Agent}',\
+ chain"
+ SecRule TX:ENABLE_DEFAULT_COLLECTIONS "@eq 1" \
+ "chain"
+ SecRule TX:ua_hash "@unconditionalMatch" \
+ "t:none,t:sha1,t:hexEncode,\
+ initcol:global=global,\
+ initcol:ip=%{remote_addr}_%{MATCHED_VAR}"
+
+#
+# -=[ Initialize Correct Body Processing ]=-
+#
+# Force request body variable and optionally request body processor
+#
+
+# Force body variable
+SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
+ "id:901340,\
+ phase:1,\
+ pass,\
+ nolog,\
+ noauditlog,\
+ msg:'Enabling body inspection',\
+ tag:'OWASP_CRS',\
+ ctl:forceRequestBodyVariable=On,\
+ ver:'OWASP_CRS/4.22.0'"
+
+# Force body processor URLENCODED
+SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
+ "id:901350,\
+ phase:1,\
+ pass,\
+ t:none,t:urlDecodeUni,\
+ nolog,\
+ noauditlog,\
+ msg:'Enabling forced body inspection for ASCII content',\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ chain"
+ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
+ "ctl:requestBodyProcessor=URLENCODED"
+
+
+#
+# -=[ Easing In / Sampling Percentage ]=-
+#
+# This is used to send only a limited percentage of requests into the Core
+# Rule Set. The selection is based on TX.sampling_percentage and a pseudo
+# random number calculated below.
+#
+# Use this to ease into a new Core Rules installation with an existing
+# productive service.
+#
+# See
+# https://www.netnea.com/cms/2016/04/26/easing-in-conditional-modsecurity-rule-execution-based-on-pseudo-random-numbers/
+#
+
+#
+# Generate the pseudo random number
+#
+# ATTENTION: This is no cryptographically secure random number. It's just
+# a cheap way to get some random number suitable for sampling.
+#
+# We take the entropy contained in the UNIQUE_ID. We hash that variable and
+# take the first integer numbers out of it. Theoretically, it is possible
+# but highly improbable that there are no integers in a hexEncoded sha1 hash.
+# In the very rare event that two integers are not matched (due to only being
+# a-f in all, or all but one positions) 901450 will not be triggered.
+# Leading zeros are not removed from the two-digit random number, and are
+# handled gracefullly by 901450
+
+SecRule TX:sampling_percentage "@eq 100" \
+ "id:901400,\
+ phase:1,\
+ pass,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ skipAfter:END-SAMPLING"
+
+SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
+ "id:901410,\
+ phase:1,\
+ pass,\
+ capture,\
+ t:sha1,t:hexEncode,\
+ nolog,\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'"
+
+#
+# Sampling decision
+#
+# If a request is allowed to pass without being checked by the CRS, there is no
+# entry in the audit log (for performance reasons), but an error log entry is
+# being written. If you want to disable the error log entry, then issue the
+# following directive somewhere after the inclusion of the CRS
+# (E.g., RESPONSE-999-EXCEPTIONS.conf).
+#
+# SecRuleUpdateActionById 901450 "nolog"
+#
+
+
+SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
+ "id:901450,\
+ phase:1,\
+ pass,\
+ log,\
+ noauditlog,\
+ msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\
+ tag:'OWASP_CRS',\
+ ctl:ruleRemoveByTag=OWASP_CRS,\
+ ver:'OWASP_CRS/4.22.0'"
+
+SecMarker "END-SAMPLING"
+
+
+#
+# Configuration Plausibility Checks
+#
+
+# Make sure detection paranoia level is not lower than paranoia level
+SecRule TX:detection_paranoia_level "@lt %{tx.blocking_paranoia_level}" \
+ "id:901500,\
+ phase:1,\
+ deny,\
+ status:500,\
+ t:none,\
+ log,\
+ msg:'Detection paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0'"
diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-905-COMMON-EXCEPTIONS.conf b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
new file mode 100644
index 0000000..42a5d9c
--- /dev/null
+++ b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
@@ -0,0 +1,57 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.22.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2026 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+
+# This file is used as an exception mechanism to remove common false positives
+# that may be encountered.
+#
+# Exception for Apache SSL pinger
+#
+SecRule REQUEST_LINE "@streq GET /" \
+ "id:905100,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-apache',\
+ tag:'attack-generic',\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ chain"
+ SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
+ "t:none,\
+ ctl:ruleRemoveByTag=OWASP_CRS,\
+ ctl:auditEngine=Off"
+
+#
+# Exception for Apache internal dummy connection
+#
+SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
+ "id:905110,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-apache',\
+ tag:'attack-generic',\
+ tag:'OWASP_CRS',\
+ ver:'OWASP_CRS/4.22.0',\
+ chain"
+ SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \
+ "t:none,\
+ chain"
+ SecRule REQUEST_LINE "@rx ^(?:GET /|OPTIONS \*) HTTP/[12]\.[01]$" \
+ "t:none,\
+ ctl:ruleRemoveByTag=OWASP_CRS,\
+ ctl:auditEngine=Off"
diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-911-METHOD-ENFORCEMENT.conf b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
new file mode 100644
index 0000000..9c5d377
--- /dev/null
+++ b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
@@ -0,0 +1,76 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.22.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2026 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+
+#
+# -=[ Allowed Request Methods ]=-
+#
+# tx.allowed_methods is defined in the crs-setup.conf file
+#
+SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
+ "id:911100,\
+ phase:1,\
+ block,\
+ msg:'Method is not allowed by policy',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-generic',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/METHOD-ENFORCEMENT',\
+ tag:'capec/1000/210/272/220/274',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+#
+# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+#
+# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+#
+# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-911-METHOD-ENFORCEMENT"
diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-913-SCANNER-DETECTION.conf b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-913-SCANNER-DETECTION.conf
new file mode 100644
index 0000000..2409892
--- /dev/null
+++ b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-913-SCANNER-DETECTION.conf
@@ -0,0 +1,86 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.22.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2026 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+
+#
+# -=[ Security Scanner Checks ]=-
+#
+# This rule inspects the default User-Agent and Header values sent by
+# various commercial and open source scanners, mostly
+# security / vulnerability scanners.
+#
+# It is based on a curated list of known malicious scanners in widespread use.
+# This list is maintained in scanners-user-agents.data.
+#
+# With CRSv4, the project has given up on keeping track of different categories
+# of scanners and scripting agents, mostly because it's very hard to draw
+# a line between benign, mostly benign and malicious. And because dedicated
+# attackers will change the user agent anyways.
+
+SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
+ "id:913100,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Found User-Agent associated with security scanner',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-reputation-scanner',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/SCANNER-DETECTION',\
+ tag:'capec/1000/118/224/541/310',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+#
+# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+#
+# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+#
+# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-913-SCANNER-DETECTION"
diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
new file mode 100644
index 0000000..f116f66
--- /dev/null
+++ b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -0,0 +1,1852 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.22.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2026 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# Some protocol violations are common in application layer attacks.
+# Validating HTTP requests eliminates a large number of application layer attacks.
+#
+# The purpose of this rules file is to enforce HTTP RFC requirements that state how
+# the client is supposed to interact with the server.
+# https://www.rfc-editor.org/rfc/rfc9110.html
+
+
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+
+#
+# Validate request line against the format specified in the HTTP RFC
+#
+# -=[ Rule Logic ]=-
+#
+# Uses rule negation against the regex for positive security. The regex specifies the proper
+# construction of URI request lines such as:
+#
+# "http" "://" authority path-abempty [ "?" query ]
+#
+# It also outlines proper construction for CONNECT, OPTIONS and GET requests.
+#
+# Regular expression generated from regex-assembly/920100.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 920100
+#
+# -=[ References ]=-
+# https://www.rfc-editor.org/rfc/rfc9110.html#section-4.2.1
+# http://capec.mitre.org/data/definitions/272.html
+#
+SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\x0b#]*)?(?:#[^\s\x0b]*)?|(?:connect (?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}\.?(?::[0-9]+)?|[\--9A-Z_a-z]+:[0-9]+)|options \*|[a-z]{3,10}[\s\x0b]+(?:[0-9A-Z_a-z]{3,7}?://[\--9A-Z_a-z]*(?::[0-9]+)?)?/[^#\?]*(?:\?[^\s\x0b#]*)?(?:#[^\s\x0b]*)?)[\s\x0b]+[\.-9A-Z_a-z]+)$" \
+ "id:920100,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'Invalid HTTP Request Line',\
+ logdata:'%{request_line}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'WARNING',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
+
+
+#
+# Identify multipart/form-data name evasion attempts
+#
+# There are possible impedance mismatches between how
+# ModSecurity interprets multipart file names and how
+# a destination app server such as PHP might parse the
+# Content-Disposition data:
+#
+# filename-parm := "filename" "=" value
+#
+# -=[ Rule Logic ]=-
+# These rules check for the existence of the ' " ; = meta-characters in
+# either the "name" (FILES) and "filename" (FILES_NAMES) variables.
+# HTML entities may lead to false positives, which is why
+# frequently used ones, such as "ä", are allowed at PL1.
+#
+# -=[ Targets, characters and html entities ]=-
+#
+# 920120: PL1 : FILES_NAMES, FILES
+# Disallow ['\";=\\], except for frequently used HTML entities (see 920120.ra).
+#
+# 920121: PL2 : FILES_NAMES, FILES
+# Disallow ['\";=\\]
+#
+# -=[ References ]=-
+# http://www.ietf.org/rfc/rfc2183.txt
+#
+# This rule used to use negative look-behind.
+# See https://github.com/coreruleset/coreruleset/wiki/Technical-Decisions-and-Best-Practices#avoiding-negative-look-behind-in-regular-expressions
+# for an explanation of why it now uses `!@rx` instead to avoid look-around.
+#
+# Regular expression generated from regex-assembly/920120.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 920120
+#
+SecRule FILES|FILES_NAMES "!@rx (?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[aino]tild)e|[c-elnr-tz]caron|(?:[cgklnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^\"';=\x5c])*$" \
+ "id:920120,\
+ phase:2,\
+ block,\
+ t:none,t:urlDecodeUni,\
+ msg:'Attempted multipart/form-data bypass',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# Accept only digits in content length
+#
+# -=[ Rule Logic ]=-
+# This rule uses ModSecurity's rule negation against the regex meaning if the Content-Length header
+# is NOT all digits, then it will match.
+#
+# -=[ References ]=-
+# https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6
+#
+SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
+ "id:920160,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'Content-Length HTTP header is not numeric',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# Do not accept GET or HEAD requests with bodies
+# In RCF-9110, "A client SHOULD NOT generate content in a HEAD/GET request
+# unless it is made directly to an origin server that has previously indicated"
+#
+# -=[ Rule Logic ]=-
+# The chained rule matches when:
+# 1) If the request method is GET or HEAD
+# AND
+# 2) Header: Content-Length exists and non-zero
+#
+# -=[ References ]=-
+# https://www.rfc-editor.org/rfc/rfc9110.html#section-9.3.1
+# https://www.rfc-editor.org/rfc/rfc9110.html#section-9.3.2
+#
+SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
+ "id:920170,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'GET or HEAD Request with Body Content',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \
+ "t:none,\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# This is a sibling of rule 920170
+#
+SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
+ "id:920171,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'GET or HEAD Request with Transfer-Encoding',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
+ "t:none,\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# Require Content-Length or Transfer-Encoding to be provided with
+# every POST request if the protocol version is not HTTP/2 or HTTP/3.
+#
+# In case of HTTP/2, see the RFC7540 8.1 p52:
+# HTTP/2 does not use the Transfer-Encoding: chunked anymore, because
+# the underlying transport protocol is already using data frames with
+# known length.
+#
+# In case of HTTP/3, see the RFC9114 4.1:
+# Transfer codings (see Section 7 of [HTTP/1.1]) are not defined for
+# HTTP/3; the Transfer-Encoding header field MUST NOT be used.
+#
+# -=[ Rule Logic ]=-
+# This chained rule checks if the protocol is not HTTP/2 or HTTP/3,
+# then checks request method is POST, if so, it checks that a
+# Content-Length or Transfer-Encoding headers are also present.
+# +SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0" \ + "id:920180,\ + phase:1,\ + block,\ + t:none,\ + msg:'POST without Content-Length and Transfer-Encoding headers',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'WARNING',\ + chain" + SecRule REQUEST_METHOD "@streq POST" \ + "chain" + SecRule &REQUEST_HEADERS:Content-Length "@eq 0" \ + "chain" + SecRule &REQUEST_HEADERS:Transfer-Encoding "@eq 0" \ + "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" + +# +# As per RFC7230 3.3.2: A sender MUST NOT send a Content-Length +# header field in any message that contains a Transfer-Encoding header +# field. +# +# Related to 920170, 920171 and 920180. +# +SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \ + "id:920181,\ + phase:1,\ + block,\ + t:none,\ + msg:'Content-Length and Transfer-Encoding headers present',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'WARNING',\ + chain" + SecRule &REQUEST_HEADERS:Content-Length "!@eq 0" \ + "t:none,\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" + + +# +# Range Header Check +# +# RFC7233 2.1 p6: +# "A byte-range-spec is invalid if the last-byte-pos value is present +# and less than the first-byte-pos." +# +# -=[ Rule Logic ]=- +# This rule compares the first and second byte ranges and flags +# when the first value is greater than the second. 
+# +# -=[ References ]=- +# https://datatracker.ietf.org/doc/html/rfc7233 +# https://seclists.org/fulldisclosure/2011/Aug/175 +# +SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \ + "id:920190,\ + phase:1,\ + block,\ + capture,\ + t:none,\ + msg:'Range: Invalid Last Byte Value',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'WARNING',\ + chain" + SecRule TX:2 "@lt %{tx.1}" \ + "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" + + +# +# Broken/Malicious clients often have duplicate or conflicting headers +# Automated programs and bots often do not obey the HTTP RFC +# +# -=[ Rule Logic ]=- +# This rule inspects the Connection header and looks for duplicates of the +# keep-alive and close options. +# +# -=[ References ]=- +# https://datatracker.ietf.org/doc/html/rfc7233 +# +SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|close)\b" \ + "id:920210,\ + phase:1,\ + block,\ + t:none,\ + msg:'Multiple/Conflicting Connection Header Data Found',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'WARNING',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" + + +# +# Check UTF encoding +# We only want to apply this check if UTF-8 encoding is actually used by the site, otherwise +# it will result in false positives. +# +# -=[ Rule Logic ]=- +# This chained rule first checks to see if the admin has set the TX:CRS_VALIDATE_UTF8_ENCODING +# variable in the crs-setup.conf file. 
+# +SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \ + "id:920250,\ + phase:2,\ + block,\ + t:none,\ + msg:'UTF8 Encoding Abuse Attack Attempt',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/255/153/267',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'WARNING',\ + chain" + SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \ + "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" + + +# +# Disallow use of full-width unicode as decoding evasions may be possible. +# +# -=[ Rule Logic ]=- +# This rule looks for full-width encoding by looking for %u followed by 2 'f' +# characters and then 2 hex characters. It is a vulnerability that affected +# IIS circa 2007. +# The rule will trigger on %uXXXX formatted chars that are full or half +# width, as explained above. This %uXXXX format is passed as a raw parameter +# and is (seemingly only) accepted by IIS (5.0, 6.0, 7.0, and 8.0). Other +# webservers will only process unicode chars presented as hex UTF-8 bytes. +# +# -=[ References ]=- +# http://www.kb.cert.org/vuls/id/739224 +# https://www.checkpoint.com/defense/advisories/public/2007/cpai-2007-201.html +# https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/719 +# +# Regular expression generated from regex-assembly/920260.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 920260 +# +SecRule REQUEST_URI|REQUEST_BODY "@rx (?i)%uff[0-9a-f]{2}" \ + "id:920260,\ + phase:2,\ + block,\ + t:none,\ + msg:'Unicode Full/Half Width Abuse Attack Attempt',\ + logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-iis',\ + tag:'platform-windows',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/255/153/267/72',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'WARNING',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" + + +# +# Restrict type of characters sent +# +# This is a rule with multiple stricter siblings that grows more +# restrictive in higher paranoia levels. +# +# -=[ Rule Logic ]=- +# This rule uses the @validateByteRange operator to restrict the request +# payloads. +# +# -=[ Targets and ASCII Ranges ]=- +# +# 920270: PL1 : REQUEST_URI, REQUEST_HEADERS, ARGS and ARGS_NAMES +# ASCII 1-255 : Full ASCII range without null character +# +# 920271: PL2 : REQUEST_URI, REQUEST_HEADERS, ARGS and ARGS_NAMES +# ASCII 9,10,13,32-126,128-255 : Full visible ASCII range, tab, newline +# +# 920272: PL3 : REQUEST_URI, REQUEST_HEADERS, ARGS, ARGS_NAMES and REQUEST_BODY +# ASCII 32-36,38-126 : Visible lower ASCII range without percent symbol +# +# 920273: PL4 : ARGS, ARGS_NAMES and REQUEST_BODY +# ASCII 38,44-46,48-58,61,65-90,95,97-122 +# A-Z a-z 0-9 = - _ . , : & +# +# 920274: PL4 : REQUEST_HEADERS without User-Agent, Referer, Cookie +# and Structured Header booleans +# ASCII 32,34,38,42-59,61,65-90,95,97-122 +# A-Z a-z 0-9 = - _ . , : & " * + / SPACE +# +# REQUEST_URI and REQUEST_HEADERS User-Agent, Referer and Cookie are very hard +# to restrict beyond the limits in 920272. 
Structured Header booleans are +# validated separately in 920275. +# +# 920274 generally has few positives. However, it would detect rare attacks +# on Accept request headers and friends. + +SecRule REQUEST_URI_RAW|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \ + "id:920270,\ + phase:2,\ + block,\ + t:none,t:urlDecodeUni,\ + msg:'Invalid character in request (null character)',\ + logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# Do not accept requests without common headers. +# All normal web browsers include Host, User-Agent and Accept headers. +# Implies either an attacker or a legitimate automation client. +# + +# +# Missing/Empty Host Header +# +# -=[ Rule Logic ]=- +# These rules will first check to see if a Host header is present. +# The second check is to see if a Host header exists but is empty. 
+# +SecRule &REQUEST_HEADERS:Host "@eq 0" \ + "id:920280,\ + phase:1,\ + block,\ + t:none,\ + msg:'Request Missing a Host Header',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ + skipAfter:END-HOST-CHECK" + + +SecRule REQUEST_HEADERS:Host "@rx ^$" \ + "id:920290,\ + phase:1,\ + block,\ + t:none,\ + msg:'Empty Host Header',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +SecMarker "END-HOST-CHECK" + + +# +# Empty Accept Header +# +# -=[ Rule Logic ]=- +# This rule checks if an Accept header exists, but has an empty value. +# This is only allowed in combination with the OPTIONS method. +# Additionally, there are some clients sending empty Accept headers. +# They are covered in another chained rule checking the User-Agent. +# This technique demands a separate rule to detect an empty +# Accept header if there is no user agent. This is checked via +# the separate rule 920311. 
+# +# Exclude some common broken clients sending empty Accept header: +# "Business/6.6.1.2 CFNetwork/758.5.3 Darwin/15.6.0" (CRS issue #515) +# "Entreprise/6.5.0.177 CFNetwork/758.4.3 Darwin/15.5.0" (CRS issue #366) +# +# -=[ References ]=- +# https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/366 +# + +SecRule REQUEST_HEADERS:Accept "@rx ^$" \ + "id:920310,\ + phase:1,\ + block,\ + t:none,\ + msg:'Request Has an Empty Accept Header',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'NOTICE',\ + chain" + SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \ + "chain" + SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android Business Enterprise Entreprise" \ + "t:none,\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'" + +# +# This rule is a sibling of rule 920310. +# +SecRule REQUEST_HEADERS:Accept "@rx ^$" \ + "id:920311,\ + phase:1,\ + block,\ + t:none,\ + msg:'Request Has an Empty Accept Header',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'NOTICE',\ + chain" + SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \ + "chain" + SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \ + "t:none,\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'" + + +# +# Empty User-Agent Header +# +# -=[ Rule Logic ]=- +# This rules will check to see if the User-Agent header is empty. +# +# Note that there is a second rule, 920320, which will check for +# the existence of the User-Agent header. 
+# + +SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \ + "id:920330,\ + phase:1,\ + block,\ + t:none,\ + msg:'Empty User Agent Header',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'NOTICE',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'" + +# +# Missing Content-Type Header with Request Body +# +# -=[ Rule Logic ]=- +# This rule will first check to see if the value of the Content-Length header is +# non-equal to 0. The chained rule is then checking the existence of the +# Content-Type header. The RFCs do not state there must be a +# Content-Type header. However, a request missing a Content-Header is a +# strong indication of a non-compliant browser or an evasion attempt. +# +# Also, omitting the CT header allows to bypass the Request Body Processor +# unless you set the optional tx.enforce_bodyproc_urlencoded variable. +# +# Enabling this rule is important as it maximizes +# the detection of risky practices that attempt to disable +# body processors (such as XML, JSON, etc.) in order to hide +# malicious payloads. 
+# +# -=[ References ]=- +# http://httpwg.org/specs/rfc7231.html#header.content-type + +SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \ + "id:920340,\ + phase:1,\ + block,\ + t:none,\ + msg:'Request Containing Content, but Missing Content-Type header',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + chain" + SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \ + "t:none,\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# Check that the host header is not an IP address +# This is not an HTTP RFC violation but it is indicative of automated client access. +# Many web-based worms propagate by scanning IP address blocks. +# +# -=[ Rule Logic ]=- +# This rule triggers if the Host header contains an IPv4 or IPv6 address, optionally +# extended with a port number. In the case of IPv6 we covering the address with square +# brackets and the address without square brackets. +# +# The regex consists of three main parts and said optional group: +# +# * IPv4 address +# * IPv6 address with square brackets +# * IPv6 address without square brackets +# * optional colon and port number +# +# Please note that the regex does not test the validity of the IP addresses. +# It just tries to detect a potential IP address. 
+# +# -=[ References ]=- +# https://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx +# + +SecRule REQUEST_HEADERS:Host "@rx (?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$)" \ + "id:920350,\ + phase:1,\ + block,\ + t:none,\ + msg:'Host header is a numeric IP address',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'WARNING',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" + + +# In most cases, you should expect a certain volume of each a request on your +# website. For example, a request with 400 arguments, can be suspicious. +# This file creates limitations on the request. +# +# TODO Look at the rules in this file, and define the sizes you'd like to enforce. +# Note that most of the rules are commented out by default. 
+# Uncomment the rules you need +# + + +# +# Maximum number of arguments in request limited +# +SecRule &TX:MAX_NUM_ARGS "@eq 1" \ + "id:920380,\ + phase:2,\ + block,\ + t:none,\ + msg:'Too many arguments in request',\ + logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + chain" + SecRule &ARGS "@gt %{tx.max_num_args}" \ + "t:none,\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +## -- Arguments limits -- +# +# Limit argument name length +# +SecRule &TX:ARG_NAME_LENGTH "@eq 1" \ + "id:920360,\ + phase:2,\ + block,\ + t:none,\ + msg:'Argument name too long',\ + logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + chain" + SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" \ + "t:none,t:length,\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Limit argument value length +# +# This rule is also triggered by an Apache Struts Remote Code Execution exploit: +# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ] +# +SecRule &TX:ARG_LENGTH "@eq 1" \ + "id:920370,\ + phase:2,\ + block,\ + t:none,\ + msg:'Argument value too long',\ + logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.22.0',\ + 
severity:'CRITICAL',\ + chain" + SecRule ARGS "@gt %{tx.arg_length}" \ + "t:none,t:length,\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Limit arguments total length +# +SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \ + "id:920390,\ + phase:2,\ + block,\ + t:none,\ + msg:'Total arguments size exceeded',\ + logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + chain" + SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" \ + "t:none,\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# -- File upload limits -- +# +# Individual file size is limited +SecRule &TX:MAX_FILE_SIZE "@eq 1" \ + "id:920400,\ + phase:1,\ + block,\ + t:none,\ + msg:'Uploaded file size too large',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + chain" + SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \ + "chain" + SecRule REQUEST_HEADERS:Content-Length "@gt %{tx.max_file_size}" \ + "t:none,\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Combined file size is limited +# +SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \ + "id:920410,\ + phase:2,\ + block,\ + t:none,\ + msg:'Total uploaded files size too large',\ + logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.22.0',\ + 
severity:'CRITICAL',\ + chain" + SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \ + "t:none,\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + + +# +# Restrict which content-types we accept. +# + +# Restrict Content-Type header to established patterns. +# +# This provides generic allow list protection against vulnerabilities like +# Apache Struts Content-Type arbitrary command execution (CVE-2017-5638). +# +# Examples of allowed patterns: +# - text/plain +# - text/plain; charset="UTF-8" +# - multipart/form-data; boundary=----WebKitFormBoundary12345 +# - application/soap+xml; charset=utf-8; action="urn:localhost-hwh#getQuestions" +# - application/*+json + +SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+*-]+(?:\s?;\s*(?:action|boundary|charset|component|start(?:-info)?|type|version)\s?=\s?['\"\w.()+,/:=?<>@#*-]+)*$" \ + "id:920470,\ + phase:1,\ + block,\ + t:none,t:lowercase,\ + msg:'Illegal Content-Type header',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/255/153',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# In case Content-Type header can be parsed, check the mime-type against +# the policy defined in the 'allowed_request_content_type' variable. +# To change your policy, edit crs-setup.conf and activate rule 900220. 
+SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \ + "id:920420,\ + phase:1,\ + block,\ + capture,\ + t:none,\ + msg:'Request content type is not allowed by policy',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/255/153',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.content_type=|%{tx.0}|',\ + chain" + SecRule TX:content_type "!@within %{tx.allowed_request_content_type}" \ + "t:lowercase,\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# Restrict charset parameter within the content-type header +# +SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \ + "id:920480,\ + phase:1,\ + block,\ + capture,\ + t:none,\ + msg:'Request content type charset is not allowed by policy',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/255/153',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.content_type_charset=|%{tx.1}|',\ + chain" + SecRule TX:content_type_charset "!@within %{tx.allowed_request_content_type_charset}" \ + "t:lowercase,\ + ctl:forceRequestBodyVariable=On,\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Restrict charset parameter inside content type header to occur max once. 
+# +SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \ + "id:920530,\ + phase:1,\ + block,\ + t:none,t:lowercase,\ + msg:'Multiple charsets detected in content type header',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/255/153',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Restrict protocol versions. +# +SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \ + "id:920430,\ + phase:1,\ + block,\ + t:none,\ + msg:'HTTP protocol version is not allowed by policy',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Restrict file extension +# +SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \ + "id:920440,\ + phase:1,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,\ + msg:'URL file extension is restricted by policy',\ + logdata:'%{TX.0}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.extension=.%{tx.1}/',\ + chain" + SecRule TX:EXTENSION "@within %{tx.restricted_extensions}" \ + "t:none,t:lowercase,\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Backup or "working" file extension +# example: index.php~, /index.php~/foo/ +# +SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \ + 
"id:920500,\ + phase:1,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,\ + msg:'Attempt to access a backup or working file',\ + logdata:'%{TX.0}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Restricted HTTP headers +# +# -=[ Rule Logic ]=- +# The use of certain headers is restricted. They are listed in two variables: +# - TX.restricted_headers_basic: Known security risks, always forbidden (rule +# 920450) +# - TX.restricted_headers_extended: Possible false positives, possible security +# risks, may be forbidden (rule 920451) +# +# The headers are transformed into lowercase before the match. In order to make +# sure that only complete header names match, the names in the +# TX.restricted_headers_* variables are wrapped in slashes. This guarantees that +# the Range header (which becomes /range/) will not match the restricted +# /content-range/ header, for example. +# +# This is a chained rule, where the first rule fills a set of variables of the +# form TX.header_name__. The second rule is then executed +# for all variables of the form TX.header_name__. +# +# As a consequence of the construction of the rule, the alert message and the +# alert data will not display the original header name Content-Range, but +# /content-range/ instead. +# +# This rule has a stricter sibling, 920451, which matches against the variable +# TX.restricted_headers_extended. It handles deprecated headers that are still +# in use (so false positives are possible, hence unsuitable for blocking in a +# default paranoia level 1 installation) and headers with possible security +# risks. 
+# +# -=[ References ]=- +# https://access.redhat.com/security/vulnerabilities/httpoxy (Header Proxy) +# https://www.sidechannel.blog/en/http-method-override-what-it-is-and-how-a-pentester-can-use-it +# +SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \ + "id:920450,\ + phase:1,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',\ + logdata:'Restricted header detected: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/210/272',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.header_name_920450_%{tx.0}=/%{tx.0}/',\ + chain" + SecRule TX:/^header_name_920450_/ "@within %{tx.restricted_headers_basic}" \ + "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Rule against CVE-2022-21907 +# This rule blocks Accept-Encoding headers longer than 100 characters. +# The length of 100 is a heuristic based on the length of values from +# the RFC (https://datatracker.ietf.org/doc/rfc9110/) +# and the respective values assigned by IANA +# (https://www.iana.org/assignments/http-parameters/http-parameters.xml#content-coding). 
+# Concatenating all valid values for Accept-Encoding (without q=0.5) resulted in a value of 93: +# aes128gcm, br, compress, deflate, exi, gzip, identity, pack200-gzip, x-compress, x-gzip, zstd +# +# This rule has a stricter sibling: 920521 +# +SecRule REQUEST_HEADERS:Accept-Encoding "@gt 100" \ + "id:920520,\ + phase:1,\ + block,\ + t:none,t:lowercase,t:length,\ + msg:'Accept-Encoding header exceeded sensible length',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/255/153',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Restrict response charsets that we allow. +# The following rules make sure that the response will be in an ASCII-compatible charset that +# phase 4 rules can properly understand and block. +# + +# +# Some servers rely on the request Accept header to determine what charset to respond with. +# This rule restricts these to familiar charsets. +# +# Regular expression generated from regex-assembly/920600.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 920600 +# +SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*(?:[\s\x0b]*,[\s\x0b]*(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*)*$" \ + "id:920600,\ + phase:1,\ + block,\ + t:none,t:lowercase,\ + msg:'Illegal Accept header: charset parameter',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Unicode character bypass check for non JSON requests +# See reported bypass in issue: +# https://github.com/coreruleset/coreruleset/issues/2512 +# +SecRule REQBODY_PROCESSOR "!@streq JSON" \ + "id:920540,\ + phase:2,\ + block,\ + t:none,\ + msg:'Possible Unicode character bypass detected',\ + logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\ + 
tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + tag:'capec/1000/255/153/267/72',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + chain" + SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?i)\x5cu[0-9a-f]{4}" \ + "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# Disallow any raw URL fragments. The '#' character should be omitted or URL-encoded. +# CRS rules generally do not check REQUEST_URI_RAW, but some servers accept the fragment as part of the URL path/query. +# This creates false negative evasions. +# +SecRule REQUEST_URI_RAW "@contains #" \ + "id:920610,\ + phase:1,\ + block,\ + t:none,\ + msg:'Raw (unencoded) fragment in request URI',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# The following rule (920620) checks for the presence of 2 or more request Content-Type headers. +# Content-Type confusion poses a significant security risk to a web application. It occurs when +# the server and client have different interpretations of the Content-Type header, leading to +# miscommunication, potential exploitation and WAF bypass. +# +# Using Apache, when multiple Content-Type request headers are received, the server combines them +# into a single header with the values separated by commas. For example, if a client sends multiple +# Content-Type headers with values "application/json" and "text/plain", Apache will combine them +# into a single header like this: "Content-Type: application/json, text/plain". +# +# On the other hand, Nginx handles multiple Content-Type headers differently. 
It preserves each
+# header as a separate entity without combining them. So, if a client sends multiple Content-Type
+# headers, Nginx will keep them separate, maintaining the original values.
+#
+SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \
+ "id:920620,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'Multiple Content-Type Request Headers',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+#
+# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
+#
+
+#
+# -=[ Rule Logic ]=-
+#
+# Check the number of range fields in the Range request header.
+#
+# An excessive number of Range request headers can be used to DoS a server.
+# The original CVE proposed an arbitrary upper limit of 5 range fields.
+#
+# Several clients are known to request PDF fields with up to 62 range
+# fields. Therefore the standard rule does not cover PDF files. This is
+# performed in two separate (stricter) siblings of this rule.
+#
+# 920200: PL2: Limit of 5 range header fields for all filenames outside of PDFs
+# 920201: PL2: Limit of 62 range header fields for PDFs
+# 920202: PL4: Limit of 5 range header fields for PDFs
+#
+# -=[ References ]=-
+# https://httpd.apache.org/security/CVE-2011-3192.txt
+
+
+SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
+ "id:920200,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'Range: Too many fields (6 or more)',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'WARNING',\
+ chain"
+ SecRule REQUEST_BASENAME "!@endsWith .pdf" \
+ "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
+
+#
+# This is a sibling of rule 920200
+#
+
+SecRule REQUEST_BASENAME "@endsWith .pdf" \
+ "id:920201,\
+ phase:1,\
+ block,\
+ t:none,t:urlDecodeUni,\
+ msg:'Range: Too many fields for pdf request (63 or more)',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'WARNING',\
+ chain"
+ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \
+ "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
+
+
+SecRule ARGS "@rx %[0-9a-fA-F]{2}" \
+ "id:920230,\
+ phase:2,\
+ block,\
+ t:none,\
+ msg:'Multiple URL Encoding Detected',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+ 
tag:'capec/1000/255/153/267/120',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'WARNING',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
+
+
+#
+# PL2: This is a stricter sibling of 920270.
+#
+SecRule REQUEST_URI_RAW|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,32-126,128-255" \
+ "id:920271,\
+ phase:2,\
+ block,\
+ t:none,t:urlDecodeUni,\
+ msg:'Invalid character in request (non printable characters)',\
+ logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+
+
+#
+# Missing User-Agent Header
+#
+# -=[ Rule Logic ]=-
+# This rules will check to see if there is a User-Agent header or not.
+#
+
+SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
+ "id:920320,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'Missing User Agent Header',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'NOTICE',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.notice_anomaly_score}'"
+
+
+#
+# PL2: This is a stricter sibling of 920120.
+#
+SecRule FILES_NAMES|FILES "@rx ['\";=\x5c]" \
+ "id:920121,\
+ phase:2,\
+ block,\
+ t:none,t:urlDecodeUni,\
+ msg:'Attempted multipart/form-data bypass',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+#
+# PL2: This is a stricter sibling of 920450.
+#
+SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
+ "id:920451,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',\
+ logdata:'Restricted header detected: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.header_name_920451_%{tx.0}=/%{tx.0}/',\
+ chain"
+ SecRule TX:/^header_name_920451_/ "@within %{tx.restricted_headers_extended}" \
+ "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+
+#
+# Check URL encodings
+#
+# -=[ References ]=-
+# http://www.ietf.org/rfc/rfc1738.txt
+#
+SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded" \
+ "id:920240,\
+ phase:2,\
+ block,\
+ t:none,\
+ msg:'URL Encoding Abuse Attack Attempt',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+ tag:'capec/1000/255/153/267/72',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'WARNING',\
+ chain"
+ SecRule REQUEST_BODY "@rx \x25" \
+ "chain"
+ SecRule REQUEST_BODY "@validateUrlEncoding" \
+ 
"setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+#
+# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
+#
+
+#
+# PL 3: This is a stricter sibling of 920270. Ascii range: Printable characters in the low range
+#
+# This rule is also triggered by the following exploit(s):
+# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
+#
+SecRule REQUEST_URI_RAW|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 32-36,38-126" \
+ "id:920272,\
+ phase:2,\
+ block,\
+ t:none,t:urlDecodeUni,\
+ msg:'Invalid character in request (outside of printable chars below ascii 127)',\
+ logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/3',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+#
+# Missing Accept Header
+#
+# This rule has been moved to PL3
+#
+# -=[ Rule Logic ]=-
+# This rule generates a notice if the Accept header is missing.
+# RFC 7231 does not enforce the use of the Accept header.
+# It is just typical browser behavior to send and it can indicate a malicious client.
+#
+# Notice: The rule tries to avoid known false positives by ignoring
+# OPTIONS requests, CONNECT requests, and requests coming from known
+# offending User-Agents via two chained rules.
+# As ModSecurity only reports the match of the last matching rule,
+# the alert is misleading.
+#
+SecRule &REQUEST_HEADERS:Accept "@eq 0" \
+ "id:920300,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'Request Missing an Accept Header',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/3',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'NOTICE',\
+ chain"
+ SecRule REQUEST_METHOD "!@rx ^(?:OPTIONS|CONNECT)$" \
+ "chain"
+ SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android" \
+ "t:none,\
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.notice_anomaly_score}'"
+
+
+#
+# PL3: The little known x-up-devcap-post-charset request header can be used to submit
+# a request with a different encoding as an alternative to the charset parameter in
+# the Content-Type header. This can be used to circumvent charset restrictions on
+# the Content-Type header in ASP.NET.
+# Note that this only works in combination with a User-Agent prefix.
+#
+# This rule is based on a blog post by Soroush Dalili at
+# https://soroush.me/blog/2019/05/x-up-devcap-post-charset-header-in-aspnet-to-bypass-wafs-again/
+#
+SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \
+ "id:920490,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'Request header x-up-devcap-post-charset detected in combination with prefix \'UP\' to User-Agent',\
+ logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+ tag:'language-aspnet',\
+ tag:'platform-windows',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/3',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \
+ "t:none,\
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
+#
+# Cache-Control Request Header allow list
+#
+# -=[ Rule Logic ]=-
+# This rule aims to strictly allow list the Cache-Control request header
+# values and to blocks all violations. This should be useful to intercept
+# "bad bot" and tools that impersonate a real browser but with wrong request
+# header setup.
+#
+# The regular expression used on this rule tries to match multiple directives
+# in a single value, for example: "max-stale=1, max-age=2". This leads us to
+# use a regular expression that accepts a trailing comma to keep compatibility
+# with all regex engines and not PCRE only. For example: "max-stale=1, max-age=2, "
+#
+# Moreover, this regular expression allows duplicate directives sequence like:
+# "max-stale, max-stale=1, no-cache, no-cache".
+#
+# Standard Cache-Control directives that can be used by the client:
+# - max-age=
+# - max-stale[=]
+# - min-fresh=
+# - no-cache
+# - no-store
+# - no-transform
+# - only-if-cached
+#
+# References:
+# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
+# - https://regex101.com/r/CZ0Hxu/22
+#
+SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \
+ "id:920510,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'Invalid Cache-Control request header',\
+ logdata:'Invalid Cache-Control value in request found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'header-allowlist',\
+ tag:'paranoia-level/3',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:\s*\,\s*|$)){1,7}$" \
+ "setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+#
+# This rule checks for valid Accept-Encoding headers
+#
+# This rule has a less strict sibling: 920520
+#
+# Regular expression generated from regex-assembly/920521.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 920521
+#
+SecRule REQUEST_HEADERS:Accept-Encoding "!@rx br|compress|deflate|(?:pack200-)?gzip|identity|\*|^$|aes128gcm|exi|zstd|x-(?:compress|gzip)" \
+ "id:920521,\
+ phase:1,\
+ block,\
+ t:none,t:lowercase,\
+ msg:'Illegal Accept-Encoding header',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/3',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+ tag:'capec/1000/255/153',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+#
+# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
+#
+
+#
+# This is a stricter sibling of rule 920200
+#
+
+SecRule REQUEST_BASENAME "@endsWith .pdf" \
+ "id:920202,\
+ phase:1,\
+ block,\
+ t:none,t:urlDecodeUni,\
+ msg:'Range: Too many fields for pdf request (6 or more)',\
+ logdata:'%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/4',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'WARNING',\
+ chain"
+ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
+ "setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}'"
+
+
+#
+# This is a stricter sibling of 
920270.
+#
+# This rule is also triggered by the following exploit(s):
+# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
+#
+SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90,95,97-122" \
+ "id:920273,\
+ phase:2,\
+ block,\
+ t:none,t:urlDecodeUni,\
+ msg:'Invalid character in request (outside of very strict set)',\
+ logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/4',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
+
+#
+# This is a stricter sibling of 920270.
+#
+SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:Cookie|!REQUEST_HEADERS:Sec-Fetch-User|!REQUEST_HEADERS:Sec-CH-UA|!REQUEST_HEADERS:Sec-CH-UA-Mobile "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122" \
+ "id:920274,\
+ phase:1,\
+ block,\
+ t:none,t:urlDecodeUni,\
+ msg:'Invalid character in request headers (outside of very strict set)',\
+ logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/4',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
+
+#
+# This is a stricter sibling of 920270.
+# The headers of this rule are Structured Header booleans, for which only `?0`,
+# and `?1` are inconspicuous.
+# Structured Header boolean: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-header-structure-19#section-3.3.6
+# Sec-Fetch-User: https://www.w3.org/TR/fetch-metadata/#http-headerdef-sec-fetch-user
+# Sec-CH-UA-Mobile: https://wicg.github.io/ua-client-hints/#sec-ch-ua-mobile
+#
+SecRule REQUEST_HEADERS:Sec-Fetch-User|REQUEST_HEADERS:Sec-CH-UA-Mobile "!@rx ^(?:\?[01])?$" \
+ "id:920275,\
+ phase:1,\
+ block,\
+ t:none,t:urlDecodeUni,\
+ msg:'Invalid character in request headers (outside of very strict set)',\
+ logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/4',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+ tag:'capec/1000/210/272',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
+
+# -=[ Abnormal Character Escapes ]=-
+#
+# [ Rule Logic ]
+# Consider the following payload: arg=cat+/e\tc/pa\ssw\d
+# Here, \s and \d were only used to obfuscate the string passwd and a lot of
+# parsers will silently ignore the non-necessary escapes. The case with \t is
+# a bit different though, as \t is a natural escape for the TAB character,
+# so we will avoid this (and \n, \r, etc.).
+#
+# This rule aims to detect non-necessary, abnormal escapes. You could say it is
+# a nice way to forbid the backslash character where it is not needed.
+#
+# This is a new rule at paranoia level 4. We expect quite a few false positives
+# for this rule and we will later evaluate if the rule makes any sense at all.
+# The rule is redundant with 920273 and 920274 in PL4. But if the rule proofs
+# to be useful and false positives remain at a reasonable level, then it might
+# be shifted to PL3 in a future release, where it would be the only rule
+# covering the backslash escape.
+#
+# We forbid backslashes followed by a list of basic ascii characters - unless
+# the backslash is preceded by another backslash.
+#
+# This rule is also triggered by the following exploit(s):
+# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
+#
+SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\x5c])\x5c[cdeghijklmpqwxyz123456789]" \
+ "id:920460,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:htmlEntityDecode,t:lowercase,\
+ msg:'Abnormal character escapes in request',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/4',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+ tag:'capec/1000/153/267',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-920-PROTOCOL-ENFORCEMENT"
diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf
new file mode 100644
index 0000000..697d233
--- /dev/null
+++ b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-921-PROTOCOL-ATTACK.conf
@@ -0,0 +1,608 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.22.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2026 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+
+#
+# -=[ HTTP Request Smuggling ]=-
+#
+# [ Rule Logic ]
+# This rule looks for a HTTP / WEBDAV method name in combination with the word http/\d or a CR/LF character.
+# This would point to an attempt to inject a 2nd request into the request, thus bypassing
+# tests carried out on the primary request.
+#
+# [ References ]
+# http://projects.webappsec.org/HTTP-Request-Smuggling
+#
+SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+[^\s]+\s+http/\d" \
+ "id:921110,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:htmlEntityDecode,t:lowercase,\
+ msg:'HTTP Request Smuggling Attack',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ATTACK',\
+ tag:'capec/1000/210/272/220/33',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# -=[ HTTP Response Splitting ]=-
+#
+# [ Rule Logic ]
+# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters.
+# These characters may cause problems if the data is returned in a response header and
+# may be interpreted by an intermediary proxy server and treated as two separate
+# responses.
+#
+# [ References ]
+# http://projects.webappsec.org/HTTP-Response-Splitting
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\r\n]\W*?(?:content-(?:type|length)|set-cookie|location):\s*\w" \
+ "id:921120,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'HTTP Response Splitting Attack',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ATTACK',\
+ tag:'capec/1000/210/272/220/34',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\bhttp/\d|<(?:html|meta)\b)" \
+ "id:921130,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:htmlEntityDecode,t:lowercase,\
+ msg:'HTTP Response Splitting Attack',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ATTACK',\
+ tag:'capec/1000/210/272/220/34',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# -=[ HTTP Header Injection ]=-
+#
+# [ Rule Logic ]
+# These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters,
+# on their own or in combination with header field names.
+# These characters may cause problems if the data is returned in a response header
+# and interpreted by the client.
+# The rules are similar to rules defending against the HTTP Request Splitting and
+# Request Smuggling rules.
+#
+# [ References ]
+# https://en.wikipedia.org/wiki/HTTP_header_injection
+#
+SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
+ "id:921140,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,\
+ msg:'HTTP Header Injection Attack via headers',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ATTACK',\
+ tag:'capec/1000/210/272/220/273',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# Detect newlines in argument names.
+# Checking for GET arguments has been moved to paranoia level 2 (921151)
+# in order to mitigate possible false positives.
+#
+# This rule is also triggered by the following exploit(s):
+# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
+#
+SecRule ARGS_NAMES "@rx [\n\r]" \
+ "id:921150,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ATTACK',\
+ tag:'capec/1000/210/272/220/33',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" \
+ "id:921160,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ATTACK',\
+ tag:'capec/1000/210/272/220/33',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# -=[ HTTP Splitting ]=-
+#
+# This rule detect \n or \r in the REQUEST FILENAME
+# Reference: https://wiki.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016)
+# Reference: https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Testing_Guide_v4.pdf
+#
+SecRule REQUEST_FILENAME 
"@rx [\n\r]" \
+ "id:921190,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,\
+ msg:'HTTP Splitting (CR/LF in request filename detected)',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ATTACK',\
+ tag:'capec/1000/210/272/220/34',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# -=[ LDAP Injection ]=-
+#
+# [ Rule Logic ]
+#
+# This is a rule trying to prevent LDAP injection. It is based on a BlackHat presentation by Alonso Parada
+# and regex writing by Denis Kolegov.
+#
+# [ References ]
+# * https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf
+# * https://www.sonarsource.com/blog/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/
+# * https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/276#issue-126581660
+
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^[^:\(\)\&\|\!<>\~]*\)\s*(?:\((?:[^,\(\)\=\&\|\!<>\~]+[><~]?=|\s*[&!|]\s*(?:\)|\()?\s*)|\)\s*\(\s*[\&\|\!]\s*|[&!|]\s*\([^\(\)\=\&\|\!<>\~]+[><~]?=[^:\(\)\&\|\!<>\~]*)" \
+ "id:921200,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:htmlEntityDecode,\
+ msg:'LDAP Injection Attack',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-ldap',\
+ tag:'platform-multi',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ATTACK',\
+ tag:'capec/1000/152/248/136',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# -=[ Body Processor Bypass ]=-
+#
+# [ Rule Logic ]
+#
+# 
This rule intends to detect content types in the Content-Type header outside of the actual content type declaration.
+# This prevents bypasses targeting the Modsecurity recommended rules controlling which body processor is used.
+#
+# Regular expression generated from regex-assembly/921421.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 921421
+#
+SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?(?:application/(?:.+\+)?json|(?:application/(?:soap\+)?|text/)xml)" \
+ "id:921421,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'Content-Type header: Dangerous content type outside the mime type declaration',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ATTACK',\
+ tag:'capec/1000/255/153',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# Rule against CVE-2021-40438:
+# A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user.
+# This issue affects Apache HTTP Server 2.4.48 and earlier.
+# GET /?unix:AAAAAAAAAAAAA|http://coreruleset.org/
+#
+SecRule REQUEST_URI_RAW "@rx unix:[^|]*\|" \
+ "id:921240,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,t:lowercase,\
+ msg:'mod_proxy attack attempt detected',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-apache',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ATTACK',\
+ tag:'capec/1000/210/272/220/33',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# Detection for old V1 cookie format from RFC 2109.
+#
+# This has been abused by the cookie sandwich technique, in diverse issues affecting Apache Tomcat, Python, and maybe others.
+# RFC 6265 deprecated and replaced RFCs 2109 and 2965.
+# It completely removed "$Version", meaning user agents and servers no longer use this attribute.
+# See:
+# - https://portswigger.net/research/stealing-httponly-cookies-with-the-cookie-sandwich-technique
+# - https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#seccookieformat
+SecRule REQUEST_COOKIES:/\x22?\x24Version/ "@streq 1" \
+ "id:921250,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'Old Cookies V1 usage attempt detected',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ATTACK',\
+ tag:'capec/1000/210/272/220/33',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+#
+# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
+#
+
+
+# Detect newlines in GET argument values.
+# These may point to a HTTP header injection attack, but can also sometimes
+# occur in benign query parameters.
+#
+# See also: rule 921140, 921150
+#
+SecRule ARGS_GET "@rx [\n\r]" \
+ "id:921151,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ATTACK',\
+ tag:'capec/1000/210/272/220/33',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+#
+# -=[ Body Processor Bypass ]=-
+#
+# [ Rule Logic ]
+#
+# This rule intends to detect content types in the Content-Type header outside of the actual content type declaration.
+#
+# [ References ]
+# * See rule 921422
+#
+# Regular expression generated from regex-assembly/921422.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 921422
+#
+SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?\b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([\+/]))\b" \
+ "id:921422,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'Content-Type header: Dangerous content type outside the mime type declaration',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ATTACK',\
+ tag:'capec/1000/255/153',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ 
setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+#
+# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
+#
+#
+
+# Forbid Request Range Header
+#
+# It is possible abuse the HTTP Request Range Header to leak error pages
+# and other information in very small snippets.
+# The easiest way to fight this is to deny the use of this header.
+# This is a viable option since the header is only used in rare circumstances
+# anymore.
+# If it is necessary to use it in a certain setup, then it is best to
+# create a rule exclusion for a given URI and this rule ID as a workaround.
+#
+SecRule &REQUEST_HEADERS:Range "@gt 0" \
+ "id:921230,\
+ phase:1,\
+ block,\
+ t:none,\
+ msg:'HTTP Range Header detected',\
+ logdata:'Matched Data: Header %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/3',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ATTACK',\
+ tag:'capec/1000/210/272/220',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
+# -=[ HTTP Parameter Pollution ]=-
+#
+# [ Rule Logic ]
+# These rules look for multiple parameters with the same name.
+# 921170 counts the occurrences of the individual parameters.
+# 921180 checks if any counter is > 1.
+#
+# One HPP attack vector is to try evade signature filters by distributing the
+# attack payload across multiple parameters with the same name.
+# This works as many security devices only apply signatures to individual
+# parameter payloads, however the back-end web application may (in the case
+# of ASP.NET) consolidate all of the payloads into one thus making the
+# attack payload active.
+#
+# This rule is not compatible with application endpoints that accept this
+# kind of input: /foo.php?test[]=1&test[]=2
+#
+# [ References ]
+# http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html
+# https://capec.mitre.org/data/definitions/460.html
+#
+SecRule ARGS_NAMES "@rx ." \
+ "id:921170,\
+ phase:2,\
+ pass,\
+ nolog,\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ATTACK',\
+ tag:'capec/1000/152/137/15/460',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
+
+SecRule TX:/paramcounter_.*/ "@gt 1" \
+ "id:921180,\
+ phase:2,\
+ block,\
+ msg:'HTTP Parameter Pollution (%{MATCHED_VAR_NAME})',\
+ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/3',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ATTACK',\
+ tag:'capec/1000/152/137/15/460',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
+# -=[ HTTP Parameter Pollution ]=-
+#
+# [ Rule Logic ]
+# Parameter pollution rule 921180 PL3 can by bypassed when a weak backend parameter
+# parser is ignoring additional characters in a parameter array name after the
+# closing of the array.
+# Rule 921210 PL3 prevents this by disallowing arbitrary strings after an array has
+# been closed or inbetween the square brackets in multidimensional arrays.
+# Please note that rule 921210 allows for 2-dimensional, but not for higher dimensional
+# arrays. If these are flagged as attacks, a rule exclusion will have to be
+# deployed; ideally for the parameter(s) in question.
+#
+# [ References ]
+# Private bug bounty in Spring 2022, findings Z05OZUCH.
+#
+# [ Payloads ]
+# * foo[1]a=bar&foo[1]b= - parameter parsers often cut after the closing of
+# the array. 921180 PL3 takes the full name, though.
+# This impediance mismatch allows for bypasses.
+# * foo[1]x[1]=bar&foo[1]x[2]= - extension of 1; this has the advantage that
+# the parameter name does end with "]" just like a valid array notation.
+#
+SecRule ARGS_NAMES "@rx (][^\]]+$|][^\]]+\[)" \
+ "id:921210,\
+ phase:2,\
+ block,\
+ capture,\
+ log,\
+ msg:'HTTP Parameter Pollution after detecting bogus char after parameter array',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/3',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ATTACK',\
+ tag:'capec/1000/152/137/15/460',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+#
+# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
+#
+
+# -=[ HTTP Parameter Pollution ]=-
+#
+# [ Rule Logic ]
+# Parameter pollution rule 921180 PL3 and 921210 PL3 can by bypassed if a
+# weak backend parameter parser ignores parameter array alltogether at
+# cuts parameter 
names at the first occurrence of the "[" character.
+# The rule 921220 PL4 prevents this by disallowing parameter array names.
+#
+# If an application needs parameter array names - which is the case for almost
+# all CMS - this rule should be disabled. Otherwise, be prepared to handle
+# a high volume of exclusions to configure, particularly on administration
+# panels.
+#
+# [ References ]
+# Private bug bounty in Spring 2022, finding 5UXE4RK0.
+#
+# [ Payloads ]
+# * foo[1]=bar&foo[2]=
+# * foo=bar&foo[1]=
+# * foo[1]=bar&foo[1]acb]= - this is an edge case that 921210 PL3 is not
+# able to catch since the parameter name ends with "]".
+#
+SecRule ARGS_NAMES "@rx \[" \
+ "id:921220,\
+ phase:2,\
+ block,\
+ capture,\
+ log,\
+ msg:'HTTP Parameter Pollution possible via array notation',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/4',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/PROTOCOL-ATTACK',\
+ tag:'capec/1000/152/137/15/460',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-921-PROTOCOL-ATTACK"
diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-922-MULTIPART-ATTACK.conf b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-922-MULTIPART-ATTACK.conf
new file mode 100644
index 0000000..71a5ced
--- /dev/null
+++ b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-922-MULTIPART-ATTACK.conf
@@ -0,0 +1,157 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.22.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2026 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+# This file is to address the 3UWMWA6W vulnerability.
+# It requires ModSecurity version 2.9.6 or 3.0.8 (or an updated version with backports
+# of the security fixes in these versions) or a compatible engine supporting these changes.
+#
+# If you cannot upgrade ModSecurity, this file will cause ModSecurity to fail to start.
+# In that case, you can temporarily delete this file. However, you will be missing
+# protection from these rules. Therefore, we recommend upgrading your engine instead.
+
+# The rules in this file will be part of the 920 / 921 in the future.
+
+# Only allow specific charsets when using "_charset_"
+# Note: this is in phase:2 because these are headers that come in the body
+SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
+ "id:922100,\
+ phase:2,\
+ block,\
+ t:none,\
+ msg:'Multipart content type global _charset_ definition is not allowed by policy',\
+ logdata:'Matched Data: %{ARGS._charset_}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-multipart-header',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/MULTIPART-ATTACK',\
+ tag:'capec/1000/255/153',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.922100_charset=|%{ARGS._charset_}|',\
+ chain"
+ SecRule TX:922100_CHARSET "!@within %{tx.allowed_request_content_type_charset}" \
+ "t:lowercase,\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# Only allow specific charsets same as Rule 920600
+# Note: this is in phase:2 because these are headers that come in the body
+#
+# How do these rules work:
+# * rule 922140 sets the multipart counter TX variable to 0
+# note that this is why does not matter if more parts have the same name - see rule's test
+# * rule 922150 collects all multipart headers' 'Content-Type' value
+# eg. 
'text/plain; charset=utf-8'
+# * rule 922110 checks all the collected headers' content type and charset
+#
+SecRule &MULTIPART_PART_HEADERS "@gt 0" \
+ "id:922140,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ tag:'attack-multipart-header',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/MULTIPART-ATTACK',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'tx.multipart_headers_content_counter=0'"
+
+SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*:\s*(.*)$" \
+ "id:922150,\
+ phase:2,\
+ pass,\
+ capture,\
+ t:none,t:lowercase,\
+ nolog,\
+ tag:'attack-multipart-header',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/MULTIPART-ATTACK',\
+ ver:'OWASP_CRS/4.22.0',\
+ setvar:'tx.multipart_headers_content_types_%{tx.multipart_headers_content_counter}=%{tx.1}',\
+ setvar:'tx.multipart_headers_content_counter=+1'"
+
+# Regular expression generated from regex-assembly/922110.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 922110
+SecRule TX:/MULTIPART_HEADERS_CONTENT_TYPES_*/ "!@rx 
^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*(?:[\s\x0b]*,[\s\x0b]*(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*)*$" \
+ "id:922110,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'Illegal MIME Multipart Header content-type: charset parameter',\
+ logdata:'Matched Data: %{MATCHED_VAR} found within Content-Type multipart form',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-multipart-header',\
+ tag:'attack-protocol',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/MULTIPART-ATTACK',\
+ tag:'capec/272/220',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used (see: https://www.rfc-editor.org/rfc/rfc7578#section-4.7)
+# Note: this is in phase:2 because these are headers that come in the body
+SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \
+ "id:922120,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and 
should not be used',\
+ logdata:'Matched Data: %{TX.0}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-multipart-header',\
+ tag:'attack-deprecated-header',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/MULTIPART-ATTACK',\
+ tag:'capec/272/220',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# Multipart header names can't contain any characters outside of range 33 and 126,
+# excluding 58 (':') which is the separator.
+# RFC 2045 refers RFC 822 about the header syntax.
+# Note: this is in phase:2 because these are headers that come in the body
+SecRule MULTIPART_PART_HEADERS "@rx [^\x21-\x7E][\x21-\x39\x3B-\x7E]*:" \
+ "id:922130,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'Multipart header contains characters outside of valid range',\
+ logdata:'Matched Data: %{TX.0}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-multipart-header',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/MULTIPART-ATTACK',\
+ tag:'capec/272/220',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
new file mode 100644
index 0000000..36d69c2
--- /dev/null
+++ b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
@@ -0,0 +1,205 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.22.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2026 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+
+#
+# -=[ Directory Traversal Attacks ]=-
+#
+# Ref: https://github.com/wireghoul/dotdotpwn
+#
+# [ Encoded /../ Payloads ]
+#
+# Regular expression generated from regex-assembly/930100.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 930100
+#
+SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "@rx (?i)(?:[/\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))(?:\.(?:%0[01]|\?)?|\?\.?|%(?:2(?:(?:5(?:2|c0%25a))?e|%45)|c0(?:\.|%[256aef]e)|u(?:(?:ff0|002)e|2024)|%32(?:%(?:%6|4)5|E)|(?:e|f(?:(?:8|c%80)%8)?0%8)0%80%ae)|0x2e){2,3}(?:[/\x5c]|%(?:2(?:f|5(?:2f|5c|c(?:1%259c|0%25af))|%46)|5c|c(?:0%(?:[2aq]f|5c|9v)|1%(?:[19p]c|8s|af))|(?:bg%q|(?:e|f(?:8%8)?0%8)0%80%a)f|u(?:221[56]|EFC8|F025|002f)|%3(?:2(?:%(?:%6|4)6|F)|5%%63)|1u)|0x(?:2f|5c))" \
+ "id:930100,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Path Traversal Attack (/../) or (/.../)',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-lfi',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-LFI',\
+ tag:'capec/1000/255/153/126',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
+
+#
+# [ Decoded /../ or /..;/ Payloads ]
+#
+# To prevent '..' from triggering, the regexp is split into two parts:
+# - ../
+# - /..
+# OR
+# - .../
+# - /...
+#
+# Semicolon added to prevent path traversal via reverse proxy mapping '/..;/' (Tomcat)
+#
+SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "@rx (?:(?:^|[\x5c/;])\.{2,3}[\x5c/;]|[\x5c/;]\.{2,3}[\x5c/;])" \
+ "id:930110,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\
+ msg:'Path Traversal Attack (/../) or (/.../)',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-lfi',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-LFI',\
+ tag:'capec/1000/255/153/126',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ multiMatch,\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
+
+#
+# -=[ OS File Access ]=-
+#
+# We check for OS file access with the help of a local file with OS files data.
+#
+# Ref: https://github.com/lightos/Panoptic/blob/master/cases.xml
+#
+# If you wonder where support for Google OAuth2 has gone, see:
+# https://github.com/coreruleset/google-oauth2-plugin
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile lfi-os-files.data" \
+ "id:930120,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,\
+ msg:'OS File Access Attempt',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-lfi',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-LFI',\
+ tag:'capec/1000/255/153/126',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# -=[ Restricted File Access ]=-
+#
+# Detects attempts to retrieve application source code, metadata,
+# credentials and version control history possibly reachable in a web root.
+#
+SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
+ "id:930130,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,\
+ msg:'Restricted File Access Attempt',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-lfi',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-LFI',\
+ tag:'capec/1000/255/153/126',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+#
+# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
+#
+
+#
+# -=[ OS File Access ]=-
+#
+# This is a stricter sibling of rule 930120.
+# This stricter sibling checks for OS file data in request headers referer and user-agent.
+# We check for OS file access with the help of a local file with OS files data.
+#
+# Ref: https://github.com/lightos/Panoptic/blob/master/cases.xml
+#
+SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@pmFromFile lfi-os-files.data" \
+ "id:930121,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,\
+ msg:'OS File Access Attempt in REQUEST_HEADERS',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-lfi',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-LFI',\
+ tag:'capec/1000/255/153/126',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+#
+# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+#
+# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-930-APPLICATION-ATTACK-LFI"
diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
new file mode 100644
index 0000000..1b7ff0f
--- /dev/null
+++ b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
@@ -0,0 +1,199 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.22.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2026 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+#
+# RFI Attacks
+#
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+
+# -=[ Rule Logic ]=-
+# These rules look for common types of Remote File Inclusion (RFI) attack methods.
+# - URL Contains an IP Address
+# - The PHP "include()" Function
+# - RFI Data Ends with Question Mark(s) (?)
+# - RFI Host Doesn't Match Local Host
+#
+# Note: brackets around IPv6 literals are mandatory per RFC 2732,
+# but have been made optional here - just in case - to account for rare
+# non-standard implementations or parsing inconsistencies.
+#
+# -=[ References ]=-
+# http://projects.webappsec.org/Remote-File-Inclusion
+# http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
+# https://datatracker.ietf.org/doc/html/rfc2732
+#
+SecRule ARGS|XML:/* "@rx (?i)^(file|ftps?|https?|ssh)://(?:\[?[a-f0-9]+:[a-f0-9:]+\]?|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \
+ "id:931100,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,\
+ msg:'Possible Remote File Inclusion (RFI) Attack: URL Parameter using IP Address',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-rfi',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RFI',\
+ tag:'capec/1000/152/175/253',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(?:file|ftps?|https?)://" \
+ "id:931110,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,\
+ msg:'Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-rfi',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RFI',\
+ tag:'capec/1000/152/175/253',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
+ "id:931120,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Possible 
Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?)',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-rfi',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RFI',\
+ tag:'capec/1000/152/175/253',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+#
+# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
+#
+
+# url:file:// can be used by Java applications using
+# org.apache.commons.io.IOUtils to access internal files, so this has been added
+#
+# This rule has one (stricter) sibling: 931131.
+# That rule applies the same regular expression to the request filename in phase 1.
+#
+# Regular expression generated from regex-assembly/931130.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 931130
+#
+SecRule ARGS "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://?(?:[^@]+@)?([^/]*)" \
+ "id:931130,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-rfi',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RFI',\
+ tag:'capec/1000/152/175/253',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
+ chain"
+ SecRule TX:/rfi_parameter_.*/ "!@endsWith .%{request_headers.host}" \
+ "setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+# This is a (stricter) sibling of 931130.
+#
+# Regular expression generated from regex-assembly/931131.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 931131 +# +SecRule REQUEST_FILENAME "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)" \ + "id:931131,\ + phase:1,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,\ + msg:'Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rfi',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-RFI',\ + tag:'capec/1000/152/175/253',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\ + chain" + SecRule TX:/rfi_parameter_.*/ "!@endsWith .%{request_headers.host}" \ + "setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" 
"id:931016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +# +# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) +# + + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI" +# +# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) +# + + + +# +# -= Paranoia Levels Finished =- +# +SecMarker "END-REQUEST-931-APPLICATION-ATTACK-RFI" diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf new file mode 100644 index 0000000..5c78ef7 --- /dev/null +++ b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf 
@@ -0,0 +1,2071 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.22.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2026 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+
+
+# [ Unix command injection ]
+#
+# This rule detects Unix command injections.
+# A command injection takes a form such as:
+#
+# foo.jpg;uname -a
+# foo.jpg||uname -a
+#
+# The vulnerability exists when an application executes a shell command
+# without proper input escaping/validation.
+#
+# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
+# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
+#
+# To prevent false positives, we look for a 'starting sequence' that
+# precedes a command in shell syntax, such as: ; | & $( ` <( >(
+# Anatomy of the regexp with examples of patterns caught:
+#
+# 1.
Starting tokens
+#
+# ; ;ifconfig
+# \{ {ifconfig}
+# \| |ifconfig
+# \|\| ||ifconfig
+# & &ifconfig
+# && &&ifconfig
+# \n ;\nifconfig
+# \r ;\rifconfig
+# \$\( $(ifconfig)
+# \$\(\( $((ifconfig))
+# \$\[ $[2+2]
+# ` `ifconfig`
+# \${ ${ifconfig}
+# <\( <( ifconfig )
+# >\( >( ifconfig )
+# \(\s*\) a() ( ifconfig; ); a
+#
+# 2. Command prefixes
+#
+# { { ifconfig }
+# \s*\(\s* ( ifconfig )
+# \w+=(?:[^\s]*|\$.*|\$.*|<.*|>.*|\'.*\'|\".*\")\s+ VARNAME=xyz ifconfig
+# !\s* ! ifconfig
+# \$ $ifconfig
+#
+# 3. Quoting
+#
+# ' 'ifconfig'
+# \" "ifconfig"
+#
+# 4. Paths
+#
+# [\?\*\[\]\(\)\-\|+\w'\"\./\x5c]+/ /sbin/ifconfig, /s?in/./ifconfig, /s[a-b]in/ifconfig etc.
+#
+# An effort was made to combat evasions by shell quoting (e.g. 'ls',
+# 'l'"s", \l\s are all valid). ModSecurity has a t:cmdLine
+# transformation built-in to deal with this, but unfortunately, it
+# replaces ';' characters and lowercases the payload, which is less
+# useful for this case. However, emulating the transformation makes
+# the regexp more complex.
+#
+# This is the base Rule to prevent Unix Command Injection
+# for prefix + two and three characters.
+#
+# Rule relations:
+#
+# .932230 (base rule, PL1, targets prefix + two and three character commands)
+# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
+# ..932232 (stricter sibling, PL3, targets prefix + additional command words)
+# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
+#
+# .932250 (base rule, PL1, targets two and three character commands)
+# .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any length
+# - excluded words: known user-agents)
+#
+#
+# Regular expression generated from regex-assembly/932230.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932230 +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-
9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:7[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[arx][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?|(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[89][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?9|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\
x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?f|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|q[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|f[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[dg]|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s|q)|[kz][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z)|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)
?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?h|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n)|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:3[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|c)|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|z)|y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:4[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?))(?:[\s\x0b&\),<>\|]|$).*|a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?-[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[&\),<>\|]|$){1,10}|(?:[\-\.0-9A-Z_a-z][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?){1,10}(?:[\s\x0b&\),<>\|\}]|$){1,10})|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?j[\"'\)\[\x5c]*(?:(?:(?:
\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*)|g[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[&\),<>\|]|$){1,10}|(?:[\-\.0-9A-Z_a-z][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?){1,10}(?:[\s\x0b&\),<>\|\}]|$){1,10})|(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|[hr][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*))\b" \ + "id:932230,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix Command Injection (2-3 chars)',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-RCE',\ + tag:'capec/1000/152/248/88',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# [ Unix command injection ] +# +# This is the base Rule to prevent Unix Command Injection +# for prefix + more than 4 characters. 
+#
+# Rule relations:
+#
+# .932230 (base rule, PL1, targets prefix + two and three character commands)
+# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
+# ..932232 (stricter sibling, PL3, targets prefix + additional command words)
+# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
+#
+# .932250 (base rule, PL1, targets two and three character commands)
+# .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any length
+# - excluded words: known user-agents)
+#
+#
+# Regular expression generated from regex-assembly/932235.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932235 +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-
9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:HEAD|POST|y(?:arn|elp))(?:[\s\x0b&\),<>\|]|$)|a(?:dd(?:group|user)|getty|(?:l(?:ias|pine)|tobm|xel)(?:[\s\x0b&\),<>\|]|$)|nsible|p(?:parmor_[^\s\x0b]{1,10}\b|t(?:-get|itude(?:[\s\x0b&\),<>\|]|$)))|r(?:ch(?:[\s\x0b&\),<>\|]|$)|ia2c|j(?:-register|disp))|s(?:cii(?:-xfr|85)|pell)|u(?:ditctl|repot|search))|b(?:a(?:s(?:e(?:32|64|n(?:ame(?:[\s\x0b&\),<>\|]|$)|c))|h(?:[\s\x0b&\),<>\|]|$))|tch(?:[\s\x0b&\),<>\|]|$))|lkid(?:[\s\x0b&\),<>\|]|$)|pftrace|r(?:eaksw|(?:idge|wap)(?:[\s\x0b&\),<>\|]|$))|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler(?:[\s\x0b&\),<>\|]|$)|zip2)|s(?:ctl|ybox))|y(?:ebug|obu(?:[\s\x0b&\),<>\|]|$))|z(?:c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|e(?:grep|xe(?:[\s\x0b&\),<>\|]|$))|f?grep|ip2(?:[\s\x0b&\),<>\|]|$|recover)|less
|more))|c(?:[89]9-gcc|a(?:ncel|psh)(?:[\s\x0b&\),<>\|]|$)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)(?:[\s\x0b&\),<>\|]|$)|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f(?:[\s\x0b&\),\-<>\|]|$))|(?:flag|pas)s|g(?:passwd|rp(?:[\s\x0b&\),<>\|]|$)))|lang(?:\+\+|[\s\x0b&\),<>\|]|$)|o(?:bc(?:[\s\x0b&\),<>\|]|$|run)|lumn(?:[\s\x0b&\),<>\|]|$)|m(?:m(?:[\s\x0b&\),<>\|]|$|and(?:[\s\x0b&\),<>\|]|$))|p(?:oser|ress)(?:[\s\x0b&\),<>\|]|$))|proc|w(?:say|think))|p(?:(?:an|io)(?:[\s\x0b&\),<>\|]|$)|ulimit)|r(?:ash(?:[\s\x0b&\),<>\|]|$)|on(?:[\s\x0b&\),<>\|]|$|tab))|s(?:cli(?:[\s\x0b&\),<>\|]|$)|plit|vtool)|u(?:psfilter|rl(?:[\s\x0b&\),<>\|]|$)))|d(?:(?:ash|i(?:alog|ff)|vips)(?:[\s\x0b&\),<>\|]|$)|hclient|m(?:esg(?:[\s\x0b&\),<>\|]|$)|idecode|setup)|o(?:(?:as|ne)(?:[\s\x0b&\),<>\|]|$)|cker(?:[\s\x0b&\),\-<>\|]|$)|sbox)|pkg(?:[\s\x0b&\),\-<>\|]|$))|e(?:2fsck|asy_install|(?:cho|fax|grep|macs|sac|val)(?:[\s\x0b&\),<>\|]|$)|n(?:d(?:if|sw)(?:[\s\x0b&\),<>\|]|$)|v-update)|x(?:(?:ec|p(?:and|(?:ec|or)t|r))(?:[\s\x0b&\),<>\|]|$)|iftool))|f(?:acter|d(?:(?:find|isk)(?:[\s\x0b&\),<>\|]|$)|u?mount)|(?:etch|grep|lock|unction)(?:[\s\x0b&\),<>\|]|$)|i(?:le(?:[\s\x0b&\),<>\|]|$|test)|(?:n(?:d|ger)|sh)(?:[\s\x0b&\),<>\|]|$))|o(?:ld(?:[\s\x0b&\),<>\|]|$)|reach)|ping(?:[\s\x0b&\),6<>\|]|$)|tp(?:stats|who))|g(?:(?:awk|core|i(?:mp|nsh)|z(?:cat|exe|ip))(?:[\s\x0b&\),<>\|]|$)|e(?:ni(?:e(?:[\s\x0b&\),<>\|]|$)|soimage)|t(?:cap|facl(?:[\s\x0b&\),<>\|]|$)))|hc(?:-(?:[\s\x0b&\),<>\|]|$)|i(?:[\s\x0b&\),\-<>\|]|$))|r(?:(?:cat|ep)(?:[\s\x0b&\),<>\|]|$)|oupmod)|tester|unzip)|h(?:(?:ash|i(?:ghlight|story))(?:[\s\x0b&\),<>\|]|$)|e(?:ad(?:[\s\x0b&\),<>\|]|$)|xdump)|ost(?:id|name)|ping3|t(?:digest|op(?:[\s\x0b&\),<>\|]|$)|passwd))|i(?:(?:conv|nstall)(?:[\s\x0b&\),<>\|]|$)|f(?:config|top(?:[\s\x0b&\),<>\|]|$))|onice|p(?:6?tables|config|p(?:eveprinter|find|tool))|spell)|j(?:(?:ava|exec)(?:[\s\x0b&\),<>\|]|$)|o(?:in(?:[\s\x0b&\),<>\|]|$)|urnalctl)|runscript)|k(?:ill(?:[\s\x0b&\),<>\|]|$|all)|nife(?
:[\s\x0b&\),<>\|]|$)|sshell)|l(?:a(?:st(?:comm(?:[\s\x0b&\),<>\|]|$)|log(?:in)?)|tex(?:[\s\x0b&\),<>\|]|$))|dconfig|ess(?:echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|$|get)|o(?:(?:cate|ok)(?:[\s\x0b&\),<>\|]|$)|g(?:inctl|(?:nam|sav)e)|setup)|s(?:(?:-F|cpu|hw|mod|of|pci|usb)(?:[\s\x0b&\),<>\|]|$)|b_release)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|ynx(?:[\s\x0b&\),<>\|]|$)|z(?:4c(?:[\s\x0b&\),<>\|]|$|at)|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|$|dec|info)|ore)))|m(?:a(?:il(?:[\s\x0b&\),<>\|]|$|[qx](?:[\s\x0b&\),<>\|]|$))|(?:ke|wk)(?:[\s\x0b&\),<>\|]|$)|ster\.passwd)|k(?:(?:dir|nod)(?:[\s\x0b&\),<>\|]|$)|fifo|temp)|locate|o(?:squitto|unt(?:[\s\x0b&\),<>\|]|$))|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|utt(?:[\s\x0b&\),<>\|]|$)|ysql(?:[\s\x0b&\),<>\|]|$|admin|dump(?:slow)?|hotcopy|show))|n(?:(?:a(?:no|sm|wk)|ice|map|o(?:de|hup)|ping|roff|ull)(?:[\s\x0b&\),<>\|]|$)|c(?:\.(?:openbsd|traditional)|at(?:[\s\x0b&\),<>\|]|$))|e(?:ofetch|t(?:(?:c|st)at|kit-ftp|plan))|s(?:enter|lookup|tat(?:[\s\x0b&\),<>\|]|$)))|o(?:ctave(?:[\s\x0b&\),<>\|]|$)|nintr|p(?:en(?:ssl|v(?:pn|t))|kg(?:[\s\x0b&\),<>\|]|$)))|p(?:a(?:(?:cman|rted|tch)(?:[\s\x0b&\),<>\|]|$)|s(?:swd|te(?:[\s\x0b&\),<>\|]|$)))|d(?:b(?:2mb|3(?:[\s\x0b&\),\.<>\|]|$))|f(?:la)?tex|ksh(?:[\s\x0b&\),<>\|]|$))|er(?:(?:f|ms)(?:[\s\x0b&\),<>\|]|$)|l(?:5?(?:[\s\x0b&\),<>\|]|$)|sh))|(?:(?:ft|gre)p|opd|u(?:ppet|shd))(?:[\s\x0b&\),<>\|]|$)|hp(?:-cgi|[57](?:[\s\x0b&\),<>\|]|$))|i(?:(?:co|gz|ng6?)(?:[\s\x0b&\),<>\|]|$)|dstat)|k(?:exec|g_?info|ill(?:[\s\x0b&\),<>\|]|$))|rint(?:env|f(?:[\s\x0b&\),<>\|]|$))|s(?:(?:ed|ql)(?:[\s\x0b&\),<>\|]|$)|ftp)|tar(?:[\s\x0b&\),<>\|]|$|diff|grep)|wd\.db|y(?:3?versions|thon(?:[23]|[^\s\x0b]{1,10}\b)))|r(?:(?:ak[eu]|bash|nano|oute|vi(?:ew|m))(?:[\s\x0b&\),<>\|]|$)|e(?:a(?:delf|lpath)|(?:(?:boo|dcarpe)t|name|p(?:eat|lace))(?:[\s\x0b&\),<>\|]|$)|stic)|l(?:ogin|wrap)|m(?:dir(?:[\s\x0b&\),<>\|]|$)|t-(?:dump|tar)|user)|pm(?:db(?:[\s\x0b&\),<>\|]|$)|(?:quer|ve
rif)y)|sync(?:-ssl|[\s\x0b&\),<>\|]|$)|u(?:by[^\s\x0b]{1,10}\b|n(?:-(?:mailcap|parts)|c(?:[\s\x0b&\),<>\|]|$))))|s(?:(?:ash|c(?:hed|r(?:een|ipt))|diff|(?:ft|na)p|l(?:eep|sh))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:ndmail|rvice)(?:[\s\x0b&\),<>\|]|$)|t(?:arch|cap|env|facl(?:[\s\x0b&\),<>\|]|$)|sid))|h(?:\.distrib|(?:adow|ells|u(?:f|tdown))(?:[\s\x0b&\),<>\|]|$))|mbclient|o(?:(?:ca|r)t(?:[\s\x0b&\),<>\|]|$)|elim)|p(?:lit(?:[\s\x0b&\),<>\|]|$)|wd\.db)|qlite3|sh(?:-(?:a(?:dd|gent)|copy-id|key(?:ge|sca)n)|pass)|t(?:art-stop-daemon|d(?:buf|err|in(?:[\s\x0b&\),<>\|]|$)|out)|r(?:ace|ings(?:[\s\x0b&\),<>\|]|$)))|udo(?:-rs|[\s\x0b&\),<>_\|]|$|edit|replay)|vn(?:a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il(?:[\s\x0b&\),<>\|]|$|f(?:[\s\x0b&\),<>\|]|$))|sk(?:[\s\x0b&\),<>\|]|$|set))|c(?:l?sh(?:[\s\x0b&\),<>\|]|$)|p(?:dump|ing|traceroute))|elnet|(?:ftp|mux|ouch)(?:[\s\x0b&\),<>\|]|$)|ime(?:datectl|out(?:[\s\x0b&\),<>\|]|$))|r(?:aceroute6?|off(?:[\s\x0b&\),<>\|]|$))|shark)|u(?:limit(?:[\s\x0b&\),<>\|]|$)|n(?:(?:ame|compress|iq|rar|s(?:et|hare)|xz)(?:[\s\x0b&\),<>\|]|$)|expand|l(?:ink(?:[\s\x0b&\),<>\|]|$)|z(?:4(?:[\s\x0b&\),<>\|]|$)|ma))|pigz|z(?:ip(?:[\s\x0b&\),<>\|]|$)|std))|p(?:2date(?:[\s\x0b&\),<>\|]|$)|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:(?:[ep]w|gr|rsh)(?:[\s\x0b&\),<>\|]|$)|mdiff|sudo(?:-rs)?)|olatility(?:[\s\x0b&\),<>\|]|$))|w(?:(?:all|get)(?:[\s\x0b&\),<>\|]|$)|h(?:iptail(?:[\s\x0b&\),<>\|]|$)|o(?:ami|is(?:[\s\x0b&\),<>\|]|$)))|i(?:reshark|sh(?:[\s\x0b&\),<>\|]|$)))|x(?:(?:args|pad|term)(?:[\s\x0b&\),<>\|]|$)|e(?:latex|tex(?:[\s\x0b&\),<>\|]|$))|mo(?:dmap|re(?:[\s\x0b&\),<>\|]|$))|z(?:c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|d(?:ec(?:[\s\x0b&\),<>\|]|$)|iff)|[ef]?grep|less|more))|z(?:athura|(?:c(?:at|mp)|diff|grep|less|run)(?:[\s\x0b&\),<>\|]|$)|e(?:grep|ro(?:[\s\x0b&\),<>\|]|$))|fgrep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|mo(?:dload|re(?:[\s\x0b&\),<>\|]|$
))|s(?:oelim|td(?:[\s\x0b&\),<>\|]|$|(?:ca|m)t|grep|less))|ypper))" \ + "id:932235,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix Command Injection (command without evasion)',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-RCE',\ + tag:'capec/1000/152/248/88',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# [ Windows PowerShell, cmdlets and options ] +# +# Detect some common PowerShell commands, cmdlets and options. +# These commands should be relatively uncommon in normal text, but +# potentially useful for code injection. +# +# If you are not running Windows, it is safe to disable this rule. +# +# https://learn.microsoft.com/en-us/previous-versions/technet-magazine/ff714569(v=msdn.10) +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile windows-powershell-commands.data" \ + "id:932120,\ + phase:2,\ + block,\ + capture,\ + t:none,t:cmdLine,\ + msg:'Remote Command Execution: Windows PowerShell Command Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'language-powershell',\ + tag:'platform-windows',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-RCE',\ + tag:'capec/1000/152/248/88',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# [ Windows Powershell cmdlet aliases ] +# +# Attempts to detect aliases of the common PowerShell cmdlets in windows-powershell-commands.data +# If 
you are not running Windows, it is safe to disable this rule. +# +# There are other aliases which are similar to Unix, but they are properly handled by rule 932105 +# +# Regular expression generated from regex-assembly/932125.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932125 +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\x0b]*[\s\x0b\"'\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^_a-z]*)\x5c)?[\"\^]*(?:(?:a[\"\^]*(?:c|s[\"\^]*n[\"\^]*p)|e[\"\^]*(?:b[\"\^]*p|p[\"\^]*(?:a[\"\^]*l|c[\"\^]*s[\"\^]*v|s[\"\^]*n)|[tx][\"\^]*s[\"\^]*n)|f[\"\^]*(?:[cltw]|o[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*c[\"\^]*h)|i[\"\^]*(?:[cr][\"\^]*m|e[\"\^]*x|h[\"\^]*y|i|p[\"\^]*(?:a[\"\^]*l|c[\"\^]*s[\"\^]*v|m[\"\^]*o|s[\"\^]*n)|s[\"\^]*e|w[\"\^]*(?:m[\"\^]*i|r))|m[\"\^]*(?:[dpv]|o[\"\^]*u[\"\^]*n[\"\^]*t)|o[\"\^]*g[\"\^]*v|p[\"\^]*(?:o[\"\^]*p|u[\"\^]*s[\"\^]*h)[\"\^]*d|t[\"\^]*r[\"\^]*c[\"\^]*m|w[\"\^]*j[\"\^]*b)[\"\^]*[\s\x0b,\./;<>].*|c[\"\^]*(?:(?:(?:d|h[\"\^]*d[\"\^]*i[\"\^]*r|v[\"\^]*p[\"\^]*a)[\"\^]*|p[\"\^]*(?:[ip][\"\^]*)?)[\s\x0b,\./;<>].*|l[\"\^]*(?:(?:[cipv]|h[\"\^]*y)[\"\^]*[\s\x0b,\./;<>].*|s)|n[\"\^]*s[\"\^]*n)|d[\"\^]*(?:(?:b[\"\^]*p|e[\"\^]*l|i[\"\^]*(?:f[\"\^]*f|r))[\"\^]*[\s\x0b,\./;<>].*|n[\"\^]*s[\"\^]*n)|g[\"\^]*(?:(?:(?:(?:a[\"\^]*)?l|b[\"\^]*p|d[\"\^]*r|h[\"\^]*y|(?:w[\"\^]*m[\"\^]*)?i|j[\"\^]*b|[uv])[\"\^]*|c[\"\^]*(?:[ims][\"\^]*)?|m[\"\^]*(?:o[\"\^]*)?|s[\"\^]*(?:n[\"\^]*(?:p[\"\^]*)?|v[\"\^]*))[\s\x0b,\./;<>].*|e[\"\^]*r[\"\^]*r|p[\"\^]*(?:(?:s[\"\^]*)?[\s\x0b,\./;<>].*|v))|l[\"\^]*s|n[\"\^]*(?:(?:a[\"\^]*l|d[\"\^]*r|[iv]|m[\"\^]*o|s[\"\^]*n)[\"\^]*[\s\x0b,\./;<>].*|p[\"\^]*s[\"\^]*s[\"\^]*c)|r[\"\^]*(?:(?:(?:(?:b[\"\^]*)?p|e[\"\^]*n|(?:w[\"\^]*m[\"\^]*)?i|j[\"\^]*b|n[\"\^]*[ip])[\"\^]*|d[\"\^]*(?:r[\"\^]*)?|m[\"\^]*(?:(?:d[\"\^]*i
[\"\^]*r|o)[\"\^]*)?|s[\"\^]*n[\"\^]*(?:p[\"\^]*)?|v[\"\^]*(?:p[\"\^]*a[\"\^]*)?)[\s\x0b,\./;<>].*|c[\"\^]*(?:j[\"\^]*b[\"\^]*[\s\x0b,\./;<>].*|s[\"\^]*n)|u[\"\^]*j[\"\^]*b)|s[\"\^]*(?:(?:(?:a[\"\^]*(?:j[\"\^]*b|l|p[\"\^]*s|s[\"\^]*v)|b[\"\^]*p|[cv]|w[\"\^]*m[\"\^]*i)[\"\^]*|l[\"\^]*(?:s[\"\^]*)?|p[\"\^]*(?:(?:j[\"\^]*b|p[\"\^]*s|s[\"\^]*v)[\"\^]*)?)[\s\x0b,\./;<>].*|h[\"\^]*c[\"\^]*m|u[\"\^]*j[\"\^]*b))(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \ + "id:932125,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Windows Powershell Alias Command Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-windows',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-RCE',\ + tag:'capec/1000/152/248/88',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# [ Unix shell expressions ] +# +# Detects the following patterns which are common in Unix shell scripts +# and one-liners: +# +# $(foo) Command substitution +# ${foo} Parameter expansion +# <(foo) Process substitution +# >(foo) Process substitution +# $((foo)) Arithmetic expansion +# $[2+2] Arithmetic expansion +# /e[t]c Shell glob expression to bypass wordlists +# +# This rule has a stricter sibling: 932131 (PL2) that applies the same regex to User-Agent and Referer +# +# This rule is essential to defend against the Log4J / Log4Shell attacks (see also rule 944150) +# +# Regular expression generated from regex-assembly/932130.ra. 
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932130
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \$(?:\((?:.*|\(.*\))\)|\{.*\}|\[.*\])|[<>]\(.*\)|/[0-9A-Z_a-z]*\[!?.+\]" \
+ "id:932130,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:cmdLine,\
+ msg:'Remote Command Execution: Unix Shell Expression Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RCE',\
+ tag:'capec/1000/152/248/88',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# [ Windows FOR, IF commands ]
+#
+# This rule detects Windows command shell FOR and IF commands.
+# If you are not running Windows, it is safe to disable this rule.
+#
+# Examples:
+#
+# FOR %a IN (set) DO
+# FOR /D %a IN (dirs) DO
+# FOR /F "options" %a IN (text|"text") DO
+# FOR /L %a IN (start,step,end) DO
+# FOR /R C:\dir %A IN (set) DO
+#
+# IF [/I] [NOT] EXIST filename | DEFINED define | ERRORLEVEL n | CMDEXTVERSION n
+# IF [/I] [NOT] item1 [==|EQU|NEQ|LSS|LEQ|GTR|GEQ] item2
+# IF [/I] [NOT] (item1) [==|EQU|NEQ|LSS|LEQ|GTR|GEQ] (item2)
+#
+# http://ss64.com/nt/if.html
+# http://ss64.com/nt/for.html
+#
+# Regular expression generated from regex-assembly/932140.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932140
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \b(?:for(?:/[dflr].*)? %+[^ ]+ in\(.*\)[\s\x0b]?do|if(?:/i)?(?: not)?(?: (?:e(?:xist|rrorlevel)|defined|cmdextversion)\b|[ \(].*(?:\b(?:g(?:eq|tr)|equ|neq|l(?:eq|ss))\b|==)))" \
+ "id:932140,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:cmdLine,\
+ msg:'Remote Command Execution: Windows FOR/IF Command Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-windows',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RCE',\
+ tag:'capec/1000/152/248/88',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# [ Unix shell expressions - Bash Tilde expansion ]
+# This rule has a stricter sibling: 932271
+#
+# Detects the following patterns which are common in Unix shell scripts
+# and one-liners:
+#
+# ~+ $PWD
+# ~- $OLDPWD
+# ~-2 second directory entry on the stack from the top
+# ~+2 second directory entry on the stack from the bottom
+#
+# Reference - https://linuxsimply.com/bash-scripting-tutorial/expansion/tilde-expansion/
+#
+# Regular expression generated from regex-assembly/932270.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932270
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ~[\+\-](?:$|[0-9]+)" \
+ "id:932270,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:cmdLine,\
+ msg:'Remote Command Execution: Unix Shell Expression Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RCE',\
+ tag:'capec/1000/152/248/88',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# [ Unix shell expressions - brace expansion ]
+#
+# Detects the following patterns which are common in Unix shell scripts
+# and one-liners:
+#
+# {,ip,a}
+# c{a,oun}t
+# {,ifconfig}
+# {,ifconfig,eth0}
+# {l,-lh}s
+#
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \{[0-9A-Z_a-z]*,[,\-0-9A-Z_a-z]*\}" \
+ "id:932280,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Remote Command Execution: Brace Expansion Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RCE',\
+ tag:'capec/1000/152/248/88',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# [ Unix direct remote command execution ]
+#
+# Detects Unix commands at the start of a parameter (direct RCE).
+# Example: foo=wget%20www.example.com
+#
+# In this rule we use a different check from command injection (rule 932230), where a
+# command string is appended (injected) to a regular parameter, and then
+# passed to a shell unescaped.
+#
+# Additionaly, we require a trailing space (denoting command parameters) or command
+# separator character after the command.
+#
+# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
+# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
+#
+# An effort was made to combat evasions by shell quoting (e.g. 'ls',
+# 'l'"s", \l\s are all valid). ModSecurity has a t:cmdLine
+# transformation built-in to deal with this, but unfortunately, it
+# replaces ';' characters and lowercases the payload, which is less
+# useful for this case. However, emulating the transformation makes
+# the regexp more complex.
+#
+# This is the base Rule to prevent Direct Unix Command Injection
+# without prefix match.
+#
+# Rule relations:
+#
+# .932230 (base rule, PL1, targets prefix + two and three character commands)
+# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
+# ..932232 (stricter sibling, PL3, targets prefix + additional command words)
+# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
+#
+# .932250 (base rule, PL1, targets two and three character commands)
+# .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any length
+# - excluded words: known user-agents)
+#
+#
+# Regular expression generated from regex-assembly/932250.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932250 +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-
0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:7[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[arx][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?|(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[89][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?9|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\
s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?f|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|q[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|f[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[dg]|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s|q)|[kz][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z)|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]
*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?h|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n)|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:3[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|c)|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|z)|y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:4[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?))(?:[\s\x0b&\),<>\|]|$).*|a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?-[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[&\),<>\|]|$){1,10}|(?:[\-\.0-9A-Z_a-z][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?){1,10}(?:[\s\x0b&\),<>\|\}]|$){1,10})|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?j[\"'\)\[\x5c]*(?:(?:(
?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*)|g[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[&\),<>\|]|$){1,10}|(?:[\-\.0-9A-Z_a-z][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?){1,10}(?:[\s\x0b&\),<>\|\}]|$){1,10})|(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|[hr][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*))" \ + "id:932250,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Direct Unix Command Execution',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-RCE',\ + tag:'capec/1000/152/248/88',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# [ Unix command injection ] +# +# This rule complements rule 932250 for commands of 4 characters and up. 
+#
+# Rule relations:
+#
+# .932230 (base rule, PL1, targets prefix + two and three character commands)
+# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
+# ..932232 (stricter sibling, PL3, targets prefix + additional command words)
+# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
+#
+# .932250 (base rule, PL1, targets two and three character commands)
+# .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any length
+# - excluded words: known user-agents)
+#
+#
+# Regular expression generated from regex-assembly/932260.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932260 +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-
0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:a(?:ddgroup|nsible|pparmor_[^\s\x0b]{1,10}\b|rj(?:-register|disp)|tobm(?:[\s\x0b&\),<>\|]|$)|u(?:ditctl|repot|search))|b(?:ase(?:32|64|nc)|(?:lkid|rwap|yobu)(?:[\s\x0b&\),<>\|]|$)|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|z(?:c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|e(?:grep|xe(?:[\s\x0b&\),<>\|]|$))|f?grep|ip2(?:[\s\x0b&\),<>\|]|$|recover)|less|more))|c(?:[89]9-gcc|h(?:(?:attr|mod|o(?:om|wn)|sh)(?:[\s\x0b&\),<>\|]|$)|ef-|g(?:passwd|rp(?:[\s\x0b&\),<>\|]|$))|pass)|lang\+\+|o(?:bc(?:[\s\x0b&\),<>\|]|$|run)|mm(?:[\s\x0b&\),<>\|]|$)|proc)|(?:p(?:an|io)|scli)(?:[\s\x0b&\),<>\|]|$))|d(?:(?:iff|mesg|vips)(?:[\s\x0b&\),<>\|]|$)|o(?:as(?:[\s\x0b&\),<>\|]|$)|cker-)|pkg(?:[\s\x0b&\),\-<>\|]|$))|e(?:2fsck|(?:fax|grep|macs|nd(?:if|sw)|sa
c|xpr)(?:[\s\x0b&\),<>\|]|$))|f(?:d(?:(?:find|isk)(?:[\s\x0b&\),<>\|]|$)|u?mount)|grep(?:[\s\x0b&\),<>\|]|$)|iletest|ping(?:[\s\x0b&\),6<>\|]|$)|tp(?:stats|who))|g(?:(?:core|insh|z(?:cat|exe|ip))(?:[\s\x0b&\),<>\|]|$)|(?:etca|unzi)p|hc(?:-(?:[\s\x0b&\),<>\|]|$)|i(?:[\s\x0b&\),\-<>\|]|$))|r(?:(?:cat|ep)(?:[\s\x0b&\),<>\|]|$)|oupmod))|(?:htop|jexec)(?:[\s\x0b&\),<>\|]|$)|i(?:(?:conv|ftop)(?:[\s\x0b&\),<>\|]|$)|pp(?:eveprinter|find|tool))|l(?:ast(?:comm(?:[\s\x0b&\),<>\|]|$)|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|$|get)|osetup|s(?:(?:-F|cpu|hw|mod|of|pci|usb)(?:[\s\x0b&\),<>\|]|$)|b_release)|wp-download|z(?:4c(?:[\s\x0b&\),<>\|]|$|at)|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|$|dec|info)|ore)))|m(?:a(?:(?:ilq|wk)(?:[\s\x0b&\),<>\|]|$)|ster\.passwd)|k(?:fifo|nod(?:[\s\x0b&\),<>\|]|$)|temp)|locate|ysql(?:[\s\x0b&\),<>\|]|$|admin|dump(?:slow)?|hotcopy|show))|n(?:(?:a(?:sm|wk)|(?:ma|ohu)p|ping|roff|stat)(?:[\s\x0b&\),<>\|]|$)|c(?:\.(?:openbsd|traditional)|at(?:[\s\x0b&\),<>\|]|$))|et(?:(?:c|st)at|kit-ftp|plan))|o(?:nintr|pkg(?:[\s\x0b&\),<>\|]|$))|p(?:d(?:b(?:2mb|3(?:[\s\x0b&\),\.<>\|]|$))|ksh(?:[\s\x0b&\),<>\|]|$))|(?:er(?:f|l5?)|(?:ft|gre)p|i(?:gz|ng6)|(?:op|ush)d|s(?:ed|ql))(?:[\s\x0b&\),<>\|]|$)|hp(?:-cgi|[57](?:[\s\x0b&\),<>\|]|$))|k(?:exec|ill(?:[\s\x0b&\),<>\|]|$))|rint(?:env|f(?:[\s\x0b&\),<>\|]|$))|tar(?:[\s\x0b&\),<>\|]|$|diff|grep)|wd\.db|y(?:3?versions|thon[23]))|r(?:(?:aku|bash|nano|pmdb|unc|vi(?:ew|m))(?:[\s\x0b&\),<>\|]|$)|e(?:alpath|boot(?:[\s\x0b&\),<>\|]|$))|m(?:dir(?:[\s\x0b&\),<>\|]|$)|t-(?:dump|tar)|user)|sync(?:-ssl|[\s\x0b&\),<>\|]|$))|s(?:(?:diff|ftp|lsh|ocat)(?:[\s\x0b&\),<>\|]|$)|e(?:ndmail(?:[\s\x0b&\),<>\|]|$)|t(?:cap|env|sid))|h(?:\.distrib|uf(?:[\s\x0b&\),<>\|]|$))|pwd\.db|sh-(?:a(?:dd|gent)|copy-id)|td(?:err|in(?:[\s\x0b&\),<>\|]|$)|out)|udo(?:-rs|[\s\x0b&\),<>_\|]|$|edit|replay)|vn(?:a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|ysctl)|t(?:(?:ailf|ftp|mux)
(?:[\s\x0b&\),<>\|]|$)|c(?:l?sh(?:[\s\x0b&\),<>\|]|$)|p(?:ing|traceroute))|elnet|r(?:aceroute6?|off(?:[\s\x0b&\),<>\|]|$)))|u(?:n(?:(?:iq|rar|xz)(?:[\s\x0b&\),<>\|]|$)|lz(?:4(?:[\s\x0b&\),<>\|]|$)|ma)|pigz|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:(?:gr|pw|rsh)(?:[\s\x0b&\),<>\|]|$)|sudo(?:-rs)?)|w(?:get(?:[\s\x0b&\),<>\|]|$)|hoami)|x(?:(?:args|etex|more|pad|term)(?:[\s\x0b&\),<>\|]|$)|z(?:c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|d(?:ec(?:[\s\x0b&\),<>\|]|$)|iff)|[ef]?grep|less|more))|z(?:(?:c(?:at|mp)|diff|grep|less|run)(?:[\s\x0b&\),<>\|]|$)|[ef]grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|mo(?:dload|re(?:[\s\x0b&\),<>\|]|$))|std(?:[\s\x0b&\),<>\|]|$|(?:ca|m)t|grep|less)))" \ + "id:932260,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Direct Unix Command Execution',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-RCE',\ + tag:'capec/1000/152/248/88',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# [ Unix shell history invocation ] +# +# Detects Unix shell history invocations in any context. +# +# Example: +# GET /?rce=example.com +# GET /?rce=curl%20 +# GET /?rce=!-1!-2 +# +# Will execute `curl example.com`. We should be able to detect the '!-' sequence with a very low risk of false-positives since the sequence is very specific +# and does not allow for whitespaces in between. 
+#
+# This rule has stricter siblings:
+# * 932331 (PL3)
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx !-\d" \
+ "id:932330,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Remote Command Execution: Unix shell history invocation',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RCE',\
+ tag:'capec/1000/152/248/88',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# [ Unix shell snippets ]
+#
+# Detect some common sequences found in shell commands and scripts.
+#
+# Some commands which were restricted in earlier rules due to FP,
+# have been added here with their full path, in order to catch some
+# cases where the full path is sent.
+#
+# Rule relations:
+#
+# .932160 (base rule, PL1, unix shell commands with full path)
+# ..932161 (stricter sibling, PL2, unix shell commands with full path in User-Agent and Referer request headers)
+#
+# This rule is also triggered by an Apache Struts Remote Code Execution exploit:
+# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
+#
+# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
+# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
+
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile unix-shell.data" \
+ "id:932160,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:cmdLine,t:normalizePath,\
+ msg:'Remote Command Execution: Unix Shell Code Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RCE',\
+ tag:'capec/1000/152/248/88',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# [ Shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169) ]
+#
+# Detect exploitation of "Shellshock" GNU Bash RCE vulnerability.
+#
+# Based on ModSecurity rules created by Red Hat.
+# Permission for use was granted by Martin Prpic
+#
+# https://access.redhat.com/articles/1212303
+#
+SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+\{" \
+ "id:932170,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,\
+ msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RCE',\
+ tag:'capec/1000/152/248/88',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+\{" \
+ "id:932171,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,\
+ msg:'Remote Command Execution: Shellshock (CVE-2014-6271)',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RCE',\
+ tag:'capec/1000/152/248/88',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# [ Unix shell alias detection ]
+#
+# Detects Unix shell alias invocations in any context.
+#
+# Example:
+# GET /?rce=alias%20a=b
+#
+# Shell aliasing can be performed to substitute anything in commands, escaping
+#
+# References: https://pubs.opengroup.org/onlinepubs/007904975/basedefs/xbd_chap03.html#tag_03_10 :
+# "In the shell command language, a word consisting solely of underscores, digits, and alphabetics
+# from the portable character set and any of the following characters: '!', '%', ',', '@'."
+#
+# Implementations may allow other characters within alias names as an extension.
+#
+# Regular expression generated from regex-assembly/932175.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932175
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \ba[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s\b[\s\x0b]+(?:[\+\-][a-z]+\+?[\s\x0b]+)?[!\"%',-\.0-9@-Z_a-z]+=[^\s\x0b]" \
+ "id:932175,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Remote Command Execution: Unix shell alias invocation',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RCE',\
+ tag:'capec/1000/152/248/88',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# -=[ Restricted File Upload ]=-
+#
+# Detects attempts to upload a file with a forbidden filename.
+#
+# Many application contain Unrestricted File Upload vulnerabilities.
+# https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
+#
+# These might be abused to upload configuration files or other files
+# that affect the behavior of the web server, possibly causing remote
+# code execution.
+#
+# The inverted chained rule enforces a word boundary for some entries that are prone to
+# being detected as false positives. This can't be enforced for all entries since some are intentionally meant to match permutations.
+#
+#
+SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@pmFromFile restricted-upload.data" \
+ "id:932180,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Restricted File Upload Attempt',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RCE',\
+ tag:'capec/1000/152/248/88',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule MATCHED_VARS "!@rx (?i)(?:\.boto|buddyinfo|mtrr|acpi|zoneinfo)\B" \
+ "t:none,\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# [ Windows command injection ]
+#
+# This rule detects Windows shell command injections.
+# If you are not running Windows, it is safe to disable this rule.
+#
+# New in CRSv4: The rules 932110 and 932115 were reorganized and renumbered to 932370 and 932380.
+# The new rules target specific Windows binaries to simplify future updates of the command list.
+#
+# A command injection takes a form such as:
+#
+# foo.jpg&ver /r
+# foo.jpg|ver /r
+#
+# The vulnerability exists when an application executes a shell command
+# without proper input escaping/validation.
+#
+# To prevent false positives, we look for a 'starting sequence' that
+# precedes a command in CMD syntax, such as: ; | & `
+#
+# Anatomy of the regexp:
+#
+# 1. Starting tokens
+#
+# ; ;cmd
+# \{ {cmd
+# \| |cmd
+# \|\| ||cmd
+# & &cmd
+# && &&cmd
+# \n \ncmd
+# \r \rcmd
+# ` `cmd
+#
+# 2. Command prefixes
+#
+# ( (cmd)
+# , ,cmd
+# @ @cmd
+# ' 'cmd'
+# " "cmd"
+# \s spacing+cmd
+#
+# 3. Paths
+#
+# [\w'\"\./]+/ /path/cmd
+# [\x5c'\"\^]*\w[\x5c'\"\^]*:.*\x5c C:\Program Files\cmd
+# [\^\.\w '\"/\x5c]*\x5c)?[\"\^]* \\net\share\dir\cmd
+#
+# 4. Quoting
+#
+# \" "cmd"
+# \^ ^cmd
+#
+# 5. Extension/switches
+#
+# \.[\"\^]*\w+ cmd.com, cmd.exe, etc.
+# /b cmd/h
+#
+# An effort is made to combat evasions by CMD syntax; for example,
+# the following strings are valid: c^md, @cmd, "c"md. ModSecurity
+# has a t:cmdLine transformation built-in to deal with some of these,
+# but unfortunately, that transformation replaces ';' characters (so
+# we cannot match on the start of a command) and '\' characters (so we
+# have trouble matching paths). This makes the regexp more complex.
+#
+# This rule is case-insensitive.
+#
+# Regular expression generated from regex-assembly/932370.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932370
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\x0b]*[\s\x0b\"'\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:[^\x5c]*|[ 
\"'\.-9A-Z\x5c\^_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:c[\"\^]*c[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*c[\"\^]*k[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*s[\"\^]*o[\"\^]*l[\"\^]*e|d[\"\^]*(?:p[\"\^]*l[\"\^]*u[\"\^]*s|v[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k)|(?:g[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*o|(?:s[\"\^]*p[\"\^]*n[\"\^]*e[\"\^]*t[\"\^]*_[\"\^]*c[\"\^]*o[\"\^]*m[\"\^]*p[\"\^]*i[\"\^]*l|t[\"\^]*b[\"\^]*r[\"\^]*o[\"\^]*k)[\"\^]*e)[\"\^]*r|p[\"\^]*p[\"\^]*(?:i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*l[\"\^]*l[\"\^]*e[\"\^]*r|v[\"\^]*l[\"\^]*p))|b[\"\^]*(?:a[\"\^]*s[\"\^]*h|g[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|c[\"\^]*(?:d[\"\^]*b|e[\"\^]*r[\"\^]*t[\"\^]*(?:o[\"\^]*c|r[\"\^]*e[\"\^]*q|u[\"\^]*t[\"\^]*i[\"\^]*l)|l[\"\^]*_[\"\^]*(?:i[\"\^]*n[\"\^]*v[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n|l[\"\^]*o[\"\^]*a[\"\^]*d[\"\^]*a[\"\^]*s[\"\^]*s[\"\^]*e[\"\^]*m[\"\^]*b[\"\^]*l[\"\^]*y|m[\"\^]*u[\"\^]*t[\"\^]*e[\"\^]*x[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*i[\"\^]*e[\"\^]*r[\"\^]*s)|m[\"\^]*(?:d(?:[\"\^]*(?:k[\"\^]*e[\"\^]*y|l[\"\^]*3[\"\^]*2))?|s[\"\^]*t[\"\^]*p)|o[\"\^]*(?:m[\"\^]*s[\"\^]*v[\"\^]*c[\"\^]*s|n[\"\^]*(?:f[\"\^]*i[\"\^]*g[\"\^]*s[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*r[\"\^]*i[\"\^]*t[\"\^]*y[\"\^]*p[\"\^]*o[\"\^]*l[\"\^]*i[\"\^]*c[\"\^]*y|h[\"\^]*o[\"\^]*s[\"\^]*t|t[\"\^]*r[\"\^]*o[\"\^]*l)|r[\"\^]*e[\"\^]*g[\"\^]*e[\"\^]*n)|r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e[\"\^]*d[\"\^]*u[\"\^]*m[\"\^]*p|s[\"\^]*(?:c(?:[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)?|i)|u[\"\^]*s[\"\^]*t[\"\^]*o[\"\^]*m[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t)|d[\"\^]*(?:a[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*v[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|e[\"\^]*(?:f[\"\^]*a[\"\^]*u[\"\^]*l[\"\^]*t[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|s[\"\^]*k(?:[\"\^]*t[\"\^]*o[\"\^]*p[\"\^]*i[\"\^]*m[\"\^]*g[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n[\"\^]*l[\"\^]*d[\"\^]*r)?|v[\"\^]*(?:i[\"\^]*c[\"\^]*e[\"\^]*c[\"\^]*r[\"\^]*e[\"\^]
*d[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*i[\"\^]*a[\"\^]*l[\"\^]*d[\"\^]*e[\"\^]*p[\"\^]*l[\"\^]*o[\"\^]*y[\"\^]*m[\"\^]*e[\"\^]*n[\"\^]*t|t[\"\^]*o[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*r))|f[\"\^]*s[\"\^]*(?:h[\"\^]*i[\"\^]*m|v[\"\^]*c)|i[\"\^]*(?:a[\"\^]*n[\"\^]*t[\"\^]*z|s[\"\^]*k[\"\^]*s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|n[\"\^]*(?:s[\"\^]*c[\"\^]*m[\"\^]*d|x)|o[\"\^]*t[\"\^]*n[\"\^]*e[\"\^]*t|u[\"\^]*m[\"\^]*p[\"\^]*6[\"\^]*4|x[\"\^]*c[\"\^]*a[\"\^]*p)|e[\"\^]*(?:s[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*u[\"\^]*t[\"\^]*l|v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*v[\"\^]*w[\"\^]*r|x[\"\^]*(?:c[\"\^]*e[\"\^]*l|p[\"\^]*(?:a[\"\^]*n[\"\^]*d|l[\"\^]*o[\"\^]*r[\"\^]*e[\"\^]*r)|t[\"\^]*(?:e[\"\^]*x[\"\^]*p[\"\^]*o[\"\^]*r[\"\^]*t|r[\"\^]*a[\"\^]*c[\"\^]*3[\"\^]*2)))|f[\"\^]*(?:i[\"\^]*n[\"\^]*(?:d[\"\^]*s[\"\^]*t|g[\"\^]*e)[\"\^]*r|l[\"\^]*t[\"\^]*m[\"\^]*c|o[\"\^]*r[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s|s[\"\^]*(?:i(?:[\"\^]*a[\"\^]*n[\"\^]*y[\"\^]*c[\"\^]*p[\"\^]*u)?|u[\"\^]*t[\"\^]*i[\"\^]*l)|t[\"\^]*p)|g[\"\^]*(?:f[\"\^]*x[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n[\"\^]*l[\"\^]*o[\"\^]*a[\"\^]*d[\"\^]*w[\"\^]*r[\"\^]*a[\"\^]*p[\"\^]*p[\"\^]*e[\"\^]*r|p[\"\^]*s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|h[\"\^]*h|i[\"\^]*(?:e[\"\^]*(?:4[\"\^]*u[\"\^]*i[\"\^]*n[\"\^]*i[\"\^]*t|a[\"\^]*d[\"\^]*v[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|e[\"\^]*x[\"\^]*e[\"\^]*c|f[\"\^]*r[\"\^]*a[\"\^]*m[\"\^]*e)|l[\"\^]*a[\"\^]*s[\"\^]*m|m[\"\^]*e[\"\^]*w[\"\^]*d[\"\^]*b[\"\^]*l[\"\^]*d|n[\"\^]*(?:f[\"\^]*d[\"\^]*e[\"\^]*f[\"\^]*a[\"\^]*u[\"\^]*l[\"\^]*t[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*l|s[\"\^]*t[\"\^]*a[\"\^]*l[\"\^]*l[\"\^]*u[\"\^]*t[\"\^]*i)[\"\^]*l)|j[\"\^]*s[\"\^]*c|l[\"\^]*(?:a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*-[\"\^]*v[\"\^]*s[\"\^]*d[\"\^]*e[\"\^]*v[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l|d[\"\^]*i[\"\^]*f[\"\^]*d[\"\^]*e)|m[\"\^]*(?:a[\"\^]*(?:k[\"\^]*e[\"\^]*c[\"\^]*a[\"\^]*b|n[\"\^]*a[\"\^]*g[\"\^]*e[\"\^]*-[\"\^]*b[\"\^]*d[\"\^]*e|v[\"\^]*i[\
"\^]*n[\"\^]*j[\"\^]*e[\"\^]*c[\"\^]*t)|f[\"\^]*t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e|i[\"\^]*c[\"\^]*r[\"\^]*o[\"\^]*s[\"\^]*o[\"\^]*f[\"\^]*t|m[\"\^]*c|p[\"\^]*c[\"\^]*m[\"\^]*d[\"\^]*r[\"\^]*u[\"\^]*n|s[\"\^]*(?:(?:b[\"\^]*u[\"\^]*i[\"\^]*l|o[\"\^]*h[\"\^]*t[\"\^]*m[\"\^]*e)[\"\^]*d|c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|d[\"\^]*(?:e[\"\^]*p[\"\^]*l[\"\^]*o[\"\^]*y|t)|h[\"\^]*t[\"\^]*(?:a|m[\"\^]*l)|i[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c|p[\"\^]*u[\"\^]*b|x[\"\^]*s[\"\^]*l))|n[\"\^]*(?:e[\"\^]*t[\"\^]*s[\"\^]*h|t[\"\^]*d[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l)|o[\"\^]*(?:d[\"\^]*b[\"\^]*c[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f|f[\"\^]*f[\"\^]*l[\"\^]*i[\"\^]*n[\"\^]*e[\"\^]*s[\"\^]*c[\"\^]*a[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*r[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l|n[\"\^]*e[\"\^]*d[\"\^]*r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*n[\"\^]*d[\"\^]*a[\"\^]*l[\"\^]*o[\"\^]*n[\"\^]*e[\"\^]*u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e[\"\^]*r|p[\"\^]*e[\"\^]*n[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*s[\"\^]*o[\"\^]*l[\"\^]*e)|p[\"\^]*(?:c[\"\^]*(?:a[\"\^]*l[\"\^]*u[\"\^]*a|w[\"\^]*(?:r[\"\^]*u[\"\^]*n|u[\"\^]*t[\"\^]*l))|(?:e[\"\^]*s[\"\^]*t[\"\^]*e|s)[\"\^]*r|(?:k[\"\^]*t[\"\^]*m[\"\^]*o|u[\"\^]*b[\"\^]*p[\"\^]*r)[\"\^]*n|n[\"\^]*p[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|o[\"\^]*w[\"\^]*e[\"\^]*r[\"\^]*p[\"\^]*n[\"\^]*t|r[\"\^]*(?:e[\"\^]*s[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t|i[\"\^]*n[\"\^]*t(?:[\"\^]*b[\"\^]*r[\"\^]*m)?|o[\"\^]*(?:c[\"\^]*d[\"\^]*u[\"\^]*m[\"\^]*p|t[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*l[\"\^]*h[\"\^]*a[\"\^]*n[\"\^]*d[\"\^]*l[\"\^]*e[\"\^]*r)))|r[\"\^]*(?:a[\"\^]*s[\"\^]*a[\"\^]*u[\"\^]*t[\"\^]*o[\"\^]*u|c[\"\^]*s[\"\^]*i|(?:d[\"\^]*r[\"\^]*l[\"\^]*e[\"\^]*a[\"\^]*k[\"\^]*d[\"\^]*i[\"\^]*a|p[\"\^]*c[\"\^]*p[\"\^]*i[\"\^]*n)[\"\^]*g|e[\"\^]*(?:g(?:[\"\^]*(?:a[\"\^]*s[\"\^]*m|e[\"\^]*d[\"\^]*i[\"\^]*t|i[\"\^]*(?:n[\"\^]*i|s[\"\^]*t[\"\^]*e[\"\^]*r[\"\^]*-[\"\^]*c[\"\^]*i[\"\^]*m[\"\^]*p[\"\^]*r[\"\^]*o[\"\^]*v[\"\^]*i[\
"\^]*d[\"\^]*e[\"\^]*r)|s[\"\^]*v[\"\^]*(?:c[\"\^]*s|r[\"\^]*3[\"\^]*2)))?|(?:m[\"\^]*o[\"\^]*t|p[\"\^]*l[\"\^]*a[\"\^]*c)[\"\^]*e)|u[\"\^]*n[\"\^]*(?:d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|(?:e[\"\^]*x[\"\^]*e|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*p[\"\^]*e[\"\^]*r|o[\"\^]*n[\"\^]*c[\"\^]*e))|s[\"\^]*(?:c[\"\^]*(?:[\s\x0b,\./;<>].*|h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|r[\"\^]*i[\"\^]*p[\"\^]*t[\"\^]*r[\"\^]*u[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*r)|e[\"\^]*t[\"\^]*(?:r[\"\^]*e[\"\^]*s|t[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s[\"\^]*y[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t|u[\"\^]*p[\"\^]*a[\"\^]*p[\"\^]*i)|h[\"\^]*(?:d[\"\^]*o[\"\^]*c[\"\^]*v[\"\^]*w|e[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2)|q[\"\^]*(?:l[\"\^]*(?:d[\"\^]*u[\"\^]*m[\"\^]*p[\"\^]*e[\"\^]*r|(?:t[\"\^]*o[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*)?p[\"\^]*s)|u[\"\^]*i[\"\^]*r[\"\^]*r[\"\^]*e[\"\^]*l)|s[\"\^]*h|t[\"\^]*o[\"\^]*r[\"\^]*d[\"\^]*i[\"\^]*a[\"\^]*g|y[\"\^]*(?:n[\"\^]*c[\"\^]*a[\"\^]*p[\"\^]*p[\"\^]*v[\"\^]*p[\"\^]*u[\"\^]*b[\"\^]*l[\"\^]*i[\"\^]*s[\"\^]*h[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s[\"\^]*e[\"\^]*r[\"\^]*v[\"\^]*e[\"\^]*r|s[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p))|t[\"\^]*(?:e[\"\^]*[\s\x0b,\./;<>].*|r[\"\^]*a[\"\^]*c[\"\^]*k[\"\^]*e[\"\^]*r|t[\"\^]*(?:d[\"\^]*i[\"\^]*n[\"\^]*j[\"\^]*e[\"\^]*c[\"\^]*t|t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e[\"\^]*r))|u[\"\^]*(?:n[\"\^]*r[\"\^]*e[\"\^]*g[\"\^]*m[\"\^]*p[\"\^]*2|p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e|r[\"\^]*l|t[\"\^]*i[\"\^]*l[\"\^]*i[\"\^]*t[\"\^]*y[\"\^]*f[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*s)|v[\"\^]*(?:b[\"\^]*c|e[\"\^]*r[\"\^]*c[\"\^]*l[\"\^]*s[\"\^]*i[\"\^]*d|i[\"\^]*s[\"\^]*u[\"\^]*a[\"\^]*l[\"\^]*u[\"\^]*i[\"\^]*a[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*y[\"\^]*n[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*v[\"\^]*e|s[\"\^]*(?:i[\"\^]*i[\"\^]*s[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h|j[\"\^]*i[\"\^]*t[\"\^]*d[\"\^]*e[\"\^]*b[\"\^]*u[\"\^]*g[\"\^]*g)[\"\^]*e[\"\^]*r)|w[\"\^]*(?:a[\
"\^]*b|(?:f|m[\"\^]*i)[\"\^]*c|i[\"\^]*n[\"\^]*(?:g[\"\^]*e[\"\^]*t|r[\"\^]*m|w[\"\^]*o[\"\^]*r[\"\^]*d)|l[\"\^]*r[\"\^]*m[\"\^]*d[\"\^]*r|o[\"\^]*r[\"\^]*k[\"\^]*f[\"\^]*o[\"\^]*l[\"\^]*d[\"\^]*e[\"\^]*r[\"\^]*s|s[\"\^]*(?:(?:c[\"\^]*r[\"\^]*i[\"\^]*p|r[\"\^]*e[\"\^]*s[\"\^]*e)[\"\^]*t|l)|t[\"\^]*[\s\x0b,\./;<>].*|u[\"\^]*a[\"\^]*u[\"\^]*c[\"\^]*l[\"\^]*t)|x[\"\^]*w[\"\^]*i[\"\^]*z[\"\^]*a[\"\^]*r[\"\^]*d|z[\"\^]*i[\"\^]*p[\"\^]*f[\"\^]*l[\"\^]*d[\"\^]*r)(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \ + "id:932370,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Windows Command Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-windows',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-RCE',\ + tag:'capec/1000/152/248/88',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# This rule detects Windows shell command injections. +# If you are not running Windows, it is safe to disable this rule. +# +# New in CRSv4: The rules 932110 and 932115 were reorganized and renumbered to 932370 and 932380. +# The new rules target specific Windows binaries to simplify future updates of the command list. +# +# See rule 932370 above for further explanation. +# +# This rule is case-insensitive. +# +# Regular expression generated from regex-assembly/932380.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932380 +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\x0b]*[\s\x0b\"'\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:[^\x5c]*|[ \"'\.-9A-Z\x5c\^_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:s[\"\^]*s[\"\^]*o[\"\^]*c|t[\"\^]*(?:m[\"\^]*a[\"\^]*d[\"\^]*m|t[\"\^]*r[\"\^]*i[\"\^]*b)|u[\"\^]*(?:d[\"\^]*i[\"\^]*t[\"\^]*p[\"\^]*o[\"\^]*l|t[\"\^]*o[\"\^]*(?:c[\"\^]*(?:h[\"\^]*k|o[\"\^]*n[\"\^]*v)|(?:f[\"\^]*m|m[\"\^]*o[\"\^]*u[\"\^]*n)[\"\^]*t)))|b[\"\^]*(?:c[\"\^]*d[\"\^]*(?:b[\"\^]*o[\"\^]*o|e[\"\^]*d[\"\^]*i)[\"\^]*t|(?:d[\"\^]*e[\"\^]*h[\"\^]*d|o[\"\^]*o[\"\^]*t)[\"\^]*c[\"\^]*f[\"\^]*g|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|c[\"\^]*(?:a[\"\^]*c[\"\^]*l[\"\^]*s|e[\"\^]*r[\"\^]*t[\"\^]*(?:r[\"\^]*e[\"\^]*q|u[\"\^]*t[\"\^]*i[\"\^]*l)|h[\"\^]*(?:c[\"\^]*p|d[\"\^]*i[\"\^]*r|g[\"\^]*(?:l[\"\^]*o[\"\^]*g[\"\^]*o[\"\^]*n|p[\"\^]*o[\"\^]*r[\"\^]*t|u[\"\^]*s[\"\^]*r)|k[\"\^]*(?:d[\"\^]*s[\"\^]*k|n[\"\^]*t[\"\^]*f[\"\^]*s))|l[\"\^]*e[\"\^]*a[\"\^]*n[\"\^]*m[\"\^]*g[\"\^]*r|m[\"\^]*(?:d(?:[\"\^]*k[\"\^]*e[\"\^]*y)?|s[\"\^]*t[\"\^]*p)|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|d[\"\^]*(?:c[\"\^]*(?:d[\"\^]*i[\"\^]*a[\"\^]*g|g[\"\^]*p[\"\^]*o[\"\^]*f[\"\^]*i[\"\^]*x)|e[\"\^]*(?:f[\"\^]*r[\"\^]*a[\"\^]*g|l)|f[\"\^]*s[\"\^]*(?:d[\"\^]*i[\"\^]*a|r[\"\^]*m[\"\^]*i)[\"\^]*g|i[\"\^]*(?:a[\"\^]*n[\"\^]*t[\"\^]*z|r|s[\"\^]*(?:k[\"\^]*(?:c[\"\^]*o[\"\^]*(?:m[\"\^]*p|p[\"\^]*y)|p[\"\^]*(?:a[\"\^]*r[\"\^]*t|e[\"\^]*r[\"\^]*f)|r[\"\^]*a[\"\^]*i[\"\^]*d|s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|p[\"\^]*d[\"\^]*i[\"\^]*a[\"\^]*g))|n[\"\^]*s[\"\^]*c[\"\^]*m[\"\^]*d|(?:o[\"\^]*s[\"\^]*k[\"\^]*e|r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*r)[\"\^]*y)|e[\"\^]*(?:n[\"\^]*d[\"\^]*l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l|v[
\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e)|E[\"\^]*v[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*m[\"\^]*d|f[\"\^]*(?:c|i[\"\^]*(?:l[\"\^]*e[\"\^]*s[\"\^]*y[\"\^]*s[\"\^]*t[\"\^]*e[\"\^]*m[\"\^]*s|n[\"\^]*d[\"\^]*s[\"\^]*t[\"\^]*r)|l[\"\^]*a[\"\^]*t[\"\^]*t[\"\^]*e[\"\^]*m[\"\^]*p|o[\"\^]*r[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s|r[\"\^]*e[\"\^]*e[\"\^]*d[\"\^]*i[\"\^]*s[\"\^]*k|s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|(?:t[\"\^]*y[\"\^]*p|v[\"\^]*e[\"\^]*u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t)[\"\^]*e)|g[\"\^]*(?:e[\"\^]*t[\"\^]*(?:m[\"\^]*a[\"\^]*c|t[\"\^]*y[\"\^]*p[\"\^]*e)|o[\"\^]*t[\"\^]*o|p[\"\^]*(?:f[\"\^]*i[\"\^]*x[\"\^]*u[\"\^]*p|(?:r[\"\^]*e[\"\^]*s[\"\^]*u[\"\^]*l[\"\^]*)?t|u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e)|r[\"\^]*a[\"\^]*f[\"\^]*t[\"\^]*a[\"\^]*b[\"\^]*l)|h[\"\^]*(?:e[\"\^]*l[\"\^]*p[\"\^]*c[\"\^]*t[\"\^]*r|o[\"\^]*s[\"\^]*t[\"\^]*n[\"\^]*a[\"\^]*m[\"\^]*e)|i[\"\^]*(?:c[\"\^]*a[\"\^]*c[\"\^]*l[\"\^]*s|p[\"\^]*(?:c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|x[\"\^]*r[\"\^]*o[\"\^]*u[\"\^]*t[\"\^]*e)|r[\"\^]*f[\"\^]*t[\"\^]*p)|j[\"\^]*e[\"\^]*t[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|k[\"\^]*(?:l[\"\^]*i[\"\^]*s[\"\^]*t|s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p|t[\"\^]*(?:m[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|p[\"\^]*a[\"\^]*s[\"\^]*s))|l[\"\^]*(?:o[\"\^]*(?:d[\"\^]*c[\"\^]*t[\"\^]*r|g[\"\^]*(?:m[\"\^]*a[\"\^]*n|o[\"\^]*f[\"\^]*f))|p[\"\^]*[qr])|m[\"\^]*(?:a[\"\^]*(?:c[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e|k[\"\^]*e[\"\^]*c[\"\^]*a[\"\^]*b|p[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|k[\"\^]*(?:d[\"\^]*i[\"\^]*r|l[\"\^]*i[\"\^]*n[\"\^]*k)|m[\"\^]*c|o[\"\^]*u[\"\^]*n[\"\^]*t[\"\^]*v[\"\^]*o[\"\^]*l|q[\"\^]*(?:b[\"\^]*k[\"\^]*u[\"\^]*p|(?:t[\"\^]*g[\"\^]*)?s[\"\^]*v[\"\^]*c)|s[\"\^]*(?:d[\"\^]*t|i[\"\^]*(?:e[\"\^]*x[\"\^]*e[\"\^]*c|n[\"\^]*f[\"\^]*o[\"\^]*3[\"\^]*2)|t[\"\^]*s[\"\^]*c))|n[\"\^]*(?:b[\"\^]*t[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t|e[\"\^]*t[\"\^]*(?:c[\"\^]*f[\"\^]*g|d[\"\^]*o[\"\^]*m|s[\"\^]*(?:h|t[\"\^]*a[\"\^]*t))|f[\"\^]*s[\"\^]*(?:a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*
n|s[\"\^]*(?:h[\"\^]*a[\"\^]*r[\"\^]*e|t[\"\^]*a[\"\^]*t))|l[\"\^]*(?:b[\"\^]*m[\"\^]*g[\"\^]*r|t[\"\^]*e[\"\^]*s[\"\^]*t)|s[\"\^]*l[\"\^]*o[\"\^]*o[\"\^]*k[\"\^]*u[\"\^]*p|t[\"\^]*(?:b[\"\^]*a[\"\^]*c[\"\^]*k[\"\^]*u[\"\^]*p|c[\"\^]*m[\"\^]*d[\"\^]*p[\"\^]*r[\"\^]*o[\"\^]*m[\"\^]*p[\"\^]*t|f[\"\^]*r[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*l))|o[\"\^]*(?:f[\"\^]*f[\"\^]*l[\"\^]*i[\"\^]*n[\"\^]*e|p[\"\^]*e[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)|p[\"\^]*(?:a[\"\^]*(?:g[\"\^]*e[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i|t[\"\^]*h[\"\^]*p[\"\^]*i[\"\^]*n)[\"\^]*g|(?:b[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i|k[\"\^]*t[\"\^]*m[\"\^]*o)[\"\^]*n|e[\"\^]*(?:n[\"\^]*t[\"\^]*n[\"\^]*t|r[\"\^]*f[\"\^]*m[\"\^]*o[\"\^]*n)|n[\"\^]*p[\"\^]*u[\"\^]*(?:n[\"\^]*a[\"\^]*t[\"\^]*t[\"\^]*e[\"\^]*n[\"\^]*d|t[\"\^]*i[\"\^]*l)|o[\"\^]*(?:p[\"\^]*d|w[\"\^]*e[\"\^]*r[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l)|r[\"\^]*n[\"\^]*(?:c[\"\^]*n[\"\^]*f[\"\^]*g|(?:d[\"\^]*r[\"\^]*v|m[\"\^]*n[\"\^]*g)[\"\^]*r|j[\"\^]*o[\"\^]*b[\"\^]*s|p[\"\^]*o[\"\^]*r[\"\^]*t|q[\"\^]*c[\"\^]*t[\"\^]*l)|u[\"\^]*(?:b[\"\^]*p[\"\^]*r[\"\^]*n|s[\"\^]*h[\"\^]*(?:d|p[\"\^]*r[\"\^]*i[\"\^]*n[\"\^]*t[\"\^]*e[\"\^]*r[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*c[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*s))|w[\"\^]*(?:l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*r|s[\"\^]*h))|q[\"\^]*(?:a[\"\^]*p[\"\^]*p[\"\^]*s[\"\^]*r[\"\^]*v|p[\"\^]*r[\"\^]*o[\"\^]*c[\"\^]*e[\"\^]*s[\"\^]*s|u[\"\^]*s[\"\^]*e[\"\^]*r|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a)|r[\"\^]*(?:d(?:[\"\^]*p[\"\^]*s[\"\^]*i[\"\^]*g[\"\^]*n)?|e[\"\^]*(?:f[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|g(?:[\"\^]*(?:i[\"\^]*n[\"\^]*i|s[\"\^]*v[\"\^]*r[\"\^]*3[\"\^]*2))?|l[\"\^]*o[\"\^]*g|(?:(?:p[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i|s[\"\^]*c[\"\^]*a)[\"\^]*)?n|x[\"\^]*e[\"\^]*c)|i[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p|m[\"\^]*d[\"\^]*i[\"\^]*r|o[\"\^]*b[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y|p[\"\^]*c[\"\^]*(?:i[\"\^]*n[\"\^]*f[\"\^]*o|p[\"\^]*i[\"\
^]*n[\"\^]*g)|s[\"\^]*h|u[\"\^]*n[\"\^]*d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a)|s[\"\^]*(?:a[\"\^]*n|c[\"\^]*(?:h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|w[\"\^]*c[\"\^]*m[\"\^]*d)|e[\"\^]*(?:c[\"\^]*e[\"\^]*d[\"\^]*i[\"\^]*t|r[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*(?:(?:c[\"\^]*e[\"\^]*i[\"\^]*p|w[\"\^]*e[\"\^]*r)[\"\^]*o[\"\^]*p[\"\^]*t[\"\^]*i[\"\^]*n|m[\"\^]*a[\"\^]*n[\"\^]*a[\"\^]*g[\"\^]*e[\"\^]*r[\"\^]*c[\"\^]*m[\"\^]*d)|t[\"\^]*x)|f[\"\^]*c|(?:h[\"\^]*o[\"\^]*w[\"\^]*m[\"\^]*o[\"\^]*u[\"\^]*n|u[\"\^]*b[\"\^]*s)[\"\^]*t|x[\"\^]*s[\"\^]*t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e|y[\"\^]*s[\"\^]*(?:o[\"\^]*c[\"\^]*m[\"\^]*g[\"\^]*r|t[\"\^]*e[\"\^]*m[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o))|t[\"\^]*(?:a[\"\^]*(?:k[\"\^]*e[\"\^]*o[\"\^]*w[\"\^]*n|p[\"\^]*i[\"\^]*c[\"\^]*f[\"\^]*g|s[\"\^]*k[\"\^]*(?:k[\"\^]*i[\"\^]*l[\"\^]*l|l[\"\^]*i[\"\^]*s[\"\^]*t))|(?:c[\"\^]*m[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u|f[\"\^]*t)[\"\^]*p|(?:(?:e[\"\^]*l[\"\^]*n[\"\^]*e|i[\"\^]*m[\"\^]*e[\"\^]*o[\"\^]*u)[\"\^]*|r[\"\^]*a[\"\^]*c[\"\^]*e[\"\^]*r[\"\^]*(?:p[\"\^]*)?)t|l[\"\^]*n[\"\^]*t[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*n|p[\"\^]*m[\"\^]*(?:t[\"\^]*o[\"\^]*o[\"\^]*l|v[\"\^]*s[\"\^]*c[\"\^]*m[\"\^]*g[\"\^]*r)|s[\"\^]*(?:(?:d[\"\^]*i[\"\^]*s[\"\^]*)?c[\"\^]*o[\"\^]*n|e[\"\^]*c[\"\^]*i[\"\^]*m[\"\^]*p|k[\"\^]*i[\"\^]*l[\"\^]*l|p[\"\^]*r[\"\^]*o[\"\^]*f)|y[\"\^]*p[\"\^]*e[\"\^]*p[\"\^]*e[\"\^]*r[\"\^]*f|z[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l)|u[\"\^]*n[\"\^]*(?:e[\"\^]*x[\"\^]*p[\"\^]*o[\"\^]*s[\"\^]*e|i[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*i[\"\^]*d|l[\"\^]*o[\"\^]*d[\"\^]*c[\"\^]*t[\"\^]*r)|v[\"\^]*s[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|w[\"\^]*(?:a[\"\^]*i[\"\^]*t[\"\^]*f[\"\^]*o[\"\^]*r|b[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|(?:d[\"\^]*s|e[\"\^]*(?:c|v[\"\^]*t))[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|h[\"\^]*o[\"\^]*a[\"\^]*m[\"\^]*i|i[\"\^]*n[\"\^]*(?:n[\"\^]*t(?:[\"\^]*3[\"\^]*2)?|r[\"\^]*s)|m[\"\^]*i[\"\^]*c|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|x[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y
)(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \ + "id:932380,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Windows Command Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-windows',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-RCE',\ + tag:'capec/1000/152/248/88',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" +# +# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) +# + +# This rule is a stricter sibling to 932370 +# +# This rule contains additional commands that are not matched at PL-1 due to being false positive prone or common english words. 
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\x0b]*[\s\x0b\"'\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:[^\x5c]*|[ \"'\.-9A-Z\x5c\^_a-z]*)\x5c)?[\"\^]*a[\"\^]*t[\"\^]*[\s\x0b,\./;<>].*(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \ + "id:932371,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Windows Command Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-windows',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-RCE',\ + tag:'capec/1000/152/248/88',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# [ Unix command injection ] +# +# This rule targets pefix + the source command (dot character) at PL2. 
+# +# Rule relations: +# +# .932230 (base rule, PL1, targets prefix + two and three character commands) +# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command) +# ..932232 (stricter sibling, PL3, targets prefix + additional command words) +# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion) +# +# .932250 (base rule, PL1, targets two and three character commands) +# .932260 (base rule, PL1, targets known command word of length > 3 without evasion) +# +# .932240 (generic detection, PL2, targets generic evasion attempts) +# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, +# - with and without prefix +# - words of any length) +# ..932239 (sibling of 932236, PL2, +# - with and without prefix +# - words of any length +# - targets request headers user-agent and referer only +# - excluded words: known user-agents) +# ..932238 (stricter sibling of 932236, PL3, +# - no excluded words) +# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, +# - targets request headers user-agent and referer only +# - without prefix +# - with word boundaries +# - words of any length +# - excluded words: known user-agents) +# +# +# Regular expression generated from regex-assembly/932231.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932231 +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@
_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*\.[\s\x0b].*\b" \ + "id:932231,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix Command Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-RCE',\ + tag:'capec/1000/152/248/88',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# This is a stricter sibling of rule 932130. 
+# +# It applies the same regular expression to the +# User-Agent and Referer HTTP headers. +# +# Unlike the sibling rule, this rule runs in phase 1. +# +# Regular expression generated from regex-assembly/932131.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932131 +# +SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx \$(?:\((?:.*|\(.*\))\)|\{.*\}|\[.*\])|[<>]\(.*\)|/[0-9A-Z_a-z]*\[!?.+\]" \ + "id:932131,\ + phase:1,\ + block,\ + capture,\ + t:none,t:cmdLine,\ + msg:'Remote Command Execution: Unix Shell Expression Found',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-RCE',\ + tag:'capec/1000/152/248/88',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# +# -=[ Rule 932200 ]=- +# +# Block RCE Bypass using different techniques: +# - uninitialized variables (https://www.secjuice.com/web-application-firewall-waf-evasion/) +# - string concatenations (https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0) +# - globbing patterns (https://medium.com/secjuice/waf-evasion-techniques-718026d693d8) +# +# Examples: +# - foo;cat$u+/etc$u/passwd +# - bar;cd+/etc;/bin$u/ca*+passwd +# - foo;ca\t+/et\c/pa\s\swd +# - foo;c'at'+/etc/pa's'swd +# - foo;c$@at+/et$@c/pas$@swd +# - foo;c$!at+/et$!c/pas$!swd +# - foo;c$*at+/et$*c/pas$*swd +# - foo;c$?at+/et$?c/pas$?swd +# - foo;c$-at+/et$-c/pas$-swd +# - foo;c$_at+/et$_c/pas$_swd +# - foo;c$$at+/et$$c/pas$$swd +# +# Regex notes: https://regex101.com/r/V6wrCO/1 +# +# The two chain rules looking for `/` and `\s` prevent 
FPs for strings such as +# - pa$word +# - Price: $24.99 +# - rando$mstr.in/g. +# The regular expression does not include this requirement, but we're looking for a unix command +# separated by space, followed by an absolute path, e.g., `cat /etc/passwd`. +# +# Regular expression generated from regex-assembly/932200.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932200 +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ['\*\?\x5c`][^\n/]+/|/[^/]+?['\*\?\x5c`]|\$[!#\$\(\*\-0-9\?-\[_a-\{]" \ + "id:932200,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,t:urlDecodeUni,\ + msg:'RCE Bypass Technique',\ + logdata:'Matched Data: %{TX.0} found within %{TX.932200_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-RCE',\ + tag:'capec/1000/152/248/88',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.932200_matched_var_name=%{matched_var_name}',\ + chain" + SecRule MATCHED_VARS "@rx /" \ + "t:none,\ + chain" + SecRule MATCHED_VARS "@rx \s" \ + "t:none,\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# +# -=[ Rule 932205 ]=- +# +# Sibling of 932200 targeting the Referer header. URLs cause false positives in rule 932200 +# and must be handled with additional checks. +# +# Regular expression generated from regex-assembly/932205.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932205 +# +SecRule REQUEST_HEADERS:Referer "@rx ^[^#]+" \ + "id:932205,\ + phase:1,\ + block,\ + capture,\ + t:none,t:lowercase,t:urlDecodeUni,\ + msg:'RCE Bypass Technique',\ + logdata:'Matched Data: %{TX.2} found within %{TX.932205_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-RCE',\ + tag:'capec/1000/152/248/88',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.932205_matched_var_name=%{matched_var_name}',\ + chain" + SecRule TX:0 "@rx ^[^\.]+\.[^;\?]+[;\?](.*(['\*\?\x5c`][^\n/]+/|/[^/]+?['\*\?\x5c`]|\$[!#\$\(\*\-0-9\?-\[_a-\{]))" \ + "capture,\ + t:none,\ + chain" + SecRule TX:1 "@rx /" \ + "t:none,\ + chain" + SecRule TX:1 "@rx \s" \ + "t:none,\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# +# -=[ Rule 932206 ]=- +# +# Sibling of 932200 targeting the Referer header. URLs cause false positives in rule 932200 +# and must be handled with additional checks. +# +# Regular expression generated from regex-assembly/932206.ra. 
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932206
+#
+SecRule REQUEST_HEADERS:Referer "@rx ^[^\.]*?(?:['\*\?\x5c`][^\n/]+/|/[^/]+?['\*\?\x5c`]|\$[!#\$\(\*\-0-9\?-\[_a-\{])" \
+ "id:932206,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,t:lowercase,t:urlDecodeUni,\
+ msg:'RCE Bypass Technique',\
+ logdata:'Matched Data: %{TX.0} found within %{TX.932206_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RCE',\
+ tag:'capec/1000/152/248/88',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.932206_matched_var_name=%{matched_var_name}',\
+ chain"
+ SecRule MATCHED_VARS "@rx /" \
+ "t:none,\
+ chain"
+ SecRule MATCHED_VARS "@rx \s" \
+ "t:none,\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+
+#
+# -=[ Rule 932207 ]=-
+#
+# Sibling of 932200 targeting fragments in the Referer header.
+#
+# The last chain prevents FPs against the "Scroll to text fragment" browser feature
+# (https://wicg.github.io/scroll-to-text-fragment/).
+#
+# Regular expression generated from regex-assembly/932207.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932207
+#
+SecRule REQUEST_HEADERS:Referer "@rx #.*" \
+ "id:932207,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,t:lowercase,t:urlDecodeUni,\
+ msg:'RCE Bypass Technique',\
+ logdata:'Matched Data: %{TX.0} found within %{TX.932207_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RCE',\
+ tag:'capec/1000/152/248/88',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.932207_matched_var_name=%{matched_var_name}',\
+ chain"
+ SecRule TX:0 "@rx ['\*\?\x5c`][^\n/]+/|/[^/]+?['\*\?\x5c`]|\$[!#\$\(\*\-0-9\?-\[_a-\{]" \
+ "capture,\
+ t:none,\
+ chain"
+ SecRule MATCHED_VAR "@rx /" \
+ "t:none,\
+ chain"
+ SecRule MATCHED_VAR "@rx \s" \
+ "t:none,\
+ chain"
+ SecRule MATCHED_VAR "!@beginsWith #:~:text=" \
+ "t:none,\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+# Regular expression generated from regex-assembly/932220.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932220 +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i).\|(?:[\s\x0b]*|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?
\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:7[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[arx][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?|(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[89][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?9|[au][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|c|(?:m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?p|s[\"'\)\[\x5c]
*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[dfu]|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)|f[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[cdgi]|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)|h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:p|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b)|j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s|q)|k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|v)|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[cl]|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|(?:p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?m)|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[dt]|[gu]|(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?h|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-
9\?@_a-\{]*)?\x5c?n)|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[cr]|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l|[co][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[ex]|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c)|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|l)|(?:v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i|y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:3[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|c)|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|z)|z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h))[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[bx]|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|q[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?)|l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\
$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?|(?:[nps]|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:4[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?)|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[dv]|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?))(?:[\s\x0b&\),<>\|]|$).*|a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?-[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[&\),<>\|]|$){1,10}|(?:[\-\.0-9A-Z_a-z][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?){1,10}(?:[\s\x0b&\),<>\|\}]|$){1,10})|(?:(?:b|(?:p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?t|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[ks])[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[jp][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?
|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?)(?:[\s\x0b&\),<>\|]|$).*)|g[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[&\),<>\|]|$){1,10}|(?:[\-\.0-9A-Z_a-z][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?){1,10}(?:[\s\x0b&\),<>\|\}]|$){1,10})|(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|[hr][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|o|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*)|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:(?:[at][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|f|k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?)(?:[\s\x0b&\),<>\|]|$).*|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\
-0-9\?@_a-\{]*)?\x5c?(?:(?:[&\),<>\|]|$){1,10}|(?:[\-\.0-9A-Z_a-z][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?){1,10}(?:[\s\x0b&\),<>\|\}]|$){1,10}|(?:[\s\x0b&\),<>\|]|$).*))))" \
+ "id:932220,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Remote Command Execution: Unix Command Injection with pipe',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RCE',\
+ tag:'capec/1000/152/248/88',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+# -=[ Rule 932240 ]=-
+#
+# Generic RCE Bypass blocking using different techniques: see https://github.com/coreruleset/coreruleset/issues/2632
+#
+# This rule complements rule 932230 with generic evasion detection.
+# Anything that uses a well-known evasion technique should be blocked at this level.
+# The chained rule will exclude false positives due to german thousands separators (e.g., 10'000).
+#
+# Rule relations:
+#
+# .932230 (base rule, PL1, targets prefix + two and three character commands)
+# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
+# ..932232 (stricter sibling, PL3, targets prefix + additional command words)
+# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
+#
+# .932250 (base rule, PL1, targets two and three character commands)
+# .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any length
+# - excluded words: known user-agents)
+#
+#
+# Regular expression generated from regex-assembly/932240.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932240
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS|XML:/* "@rx (?i)[\-0-9_a-z]+(?:[\s\x0b]*[\"'][^\s\x0b\"',:]+[\"']|(?:[\"'][\"']+|[\[-\]]+|\$+[!#\*\-0-9\?@\x5c_a-\{]+|``|[\$<>]\(\))[\s\x0b]*)[\-0-9_a-z]+" \
+ "id:932240,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Remote Command Execution: Unix Command Injection evasion attempt detected',\
+ logdata:'Matched Data: %{TX.0} found within %{TX.932240_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RCE',\
+ tag:'capec/1000/152/248/88',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.932240_matched_var_name=%{matched_var_name}',\
+ chain"
+ SecRule MATCHED_VARS "!@rx [0-9]\s*\'\s*[0-9]" \
+ "t:none,\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+
+# [ Unix shell expressions - Bash Brace expansion ]
+#
+# This rule is a stricter sibling of rule 932280. It matches non-whitespace characters between braces,
+# as an extension of rule 932280, which only detects alphanumeric and underscore characters.
This rule detects the following
+# patterns which are used in Unix shell scripts and one-liners:
+#
+# {,echo,#test}
+# {,cd,/etc,}
+# {,$'whoami',}
+# {,$"whoami",}
+# {,/?s?/?i?/c?t,/e??/p??s??,}
+#
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \{[^\s\x0b,:\}]*,[^\s\x0b]*\}" \
+ "id:932281,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Remote Command Execution: Brace Expansion Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RCE',\
+ tag:'capec/1000/152/248/88',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+
+
+# [ Sqlite System Command Execution ]
+#
+# This rule prevents execution of SQLite CLI commands like .system and .shell
+#
+# You can find a vulnerable script and a sample payload here:
+# https://github.com/qxxxb/ctf/tree/master/2021/zer0pts_ctf/baby_sqli
+#
+# List of sqlite3 CLI commands:
+# https://sqlite.org/cli.html
+#
+# Regular expression generated from regex-assembly/932210.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932210
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ;[\s\x0b]*\.[\s\x0b]*[\"']?(?:a(?:rchive|uth)|b(?:a(?:ckup|il)|inary)|c(?:d|h(?:anges|eck)|lone|onnection)|d(?:atabases|b(?:config|info)|ump)|e(?:cho|qp|x(?:cel|it|p(?:ert|lain)))|f(?:ilectrl|ullschema)|he(?:aders|lp)|i(?:mpo(?:rt|ster)|ndexes|otrace)|l(?:i(?:mi|n)t|o(?:ad|g))|(?:mod|n(?:onc|ullvalu)|unmodul)e|o(?:nce|pen|utput)|p(?:arameter|r(?:int|o(?:gress|mpt)))|quit|re(?:ad|cover|store)|s(?:ave|c(?:anstats|hema)|e(?:lftest|parator|ssion)|h(?:a3sum|ell|ow)?|tats|ystem)|t(?:ables|estc(?:ase|trl)|ime(?:out|r)|race)|vfs(?:info|list|name)|width)" \
+ "id:932210,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:escapeSeqDecode,t:compressWhitespace,\
+ msg:'Remote Command Execution: SQLite System Command Execution',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RCE',\
+ tag:'capec/1000/152/248/88',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+# [ Unix shell expressions - Bash Tilde expansion ]
+# This rule is a sibling of rule 932270
+#
+# Detects the following patterns which are common in Unix shell scripts
+# and one-liners:
+#
+# ~4 fourth directory entry on the stack from the top
+#
+# Reference - https://linuxsimply.com/bash-scripting-tutorial/expansion/tilde-expansion/
+#
+# Regular expression generated from regex-assembly/932271.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932271
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ~[0-9]+" \
+ "id:932271,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:cmdLine,\
+ msg:'Remote Command Execution: Unix Shell Expression Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RCE',\
+ tag:'capec/1000/152/248/88',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+# -=[ SMTP/IMAP/POP3 Command Execution ]=-
+#
+# Rationale
+# =========
+#
+# The rules for email command execution are based on the RFCs for each protocol.
+# Some of the commands have optional and/or additional parameters, so we tried to be
+# precise to avoid as many FP in PL2 rules.
+# For those commands that resemble common English words, and may pose a higher risk of false positives,
+# they have been split off to a sibling rule in PL3.
+
+# =[ SMTP Command Execution ]=
+#
+# This rule prevents execution of SMTP related system commands.
+#
+# List of SMTP commands: from rfc 5321 (https://www.rfc-editor.org/rfc/rfc5321)
+#
+# Regular expression generated from regex-assembly/932300.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932300
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\r\n.*?\b(?:E(?:HLO[\s\x0b][\-\.a-z]{1,255}|XPN[\s\x0b].{1,64})|HELO[\s\x0b][\-\.a-z]{1,255}|MAIL[\s\x0b]FROM:<.{1,64}@.{1,255}>|R(?:CPT[\s\x0b]TO:(?:<.{1,64}@.{1,255}>| )?<.{1,64}>|SET\b)|VRFY[\s\x0b].{1,64}(?:[\s\x0b]<.{1,64}@.{1,255}>|@.{1,255})|AUTH[\s\x0b][\-0-9_a-z]{1,20}[\s\x0b](?:(?:[\+/-9A-Z_a-z]{4})*(?:[\+/-9A-Z_a-z]{2}=|[\+/-9A-Z_a-z]{3}))?=|STARTTLS\b|NOOP\b(?:[\s\x0b].{1,255})?)" \
+ "id:932300,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:escapeSeqDecode,\
+ msg:'Remote Command Execution: SMTP Command Execution',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'platform-multi',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RCE',\
+ tag:'capec/137/134',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+# =[ IMAP Command Execution ]=
+#
+# This rule prevents execution of IMAP4 related system commands.
+#
+# List of IMAP4 commands: from rfc 3501 (https://datatracker.ietf.org/doc/html/rfc3501#section-9)
+#
+# Note: Mailbox International Naming Convention uses UTF-7, so it was left out explicitly.
+#
+# Regular expression generated from regex-assembly/932310.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932310
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\r\n[0-9A-Z_a-z]{1,50}\b (?:A(?:PPEND (?:[\"#%&\*\--9A-Z\x5c_a-z]+)?(?: \([ \x5ca-z]+\))?(?: \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [\+\-][0-9]{4}\"?)? \{[0-9]{1,20}\+?\}|UTHENTICATE [\-0-9_a-z]{1,20}\r\n)|L(?:SUB (?:[\"#\*\.-9A-Z_a-z~]+)? (?:[\"%&\*\.-9A-Z\x5c_a-z]+)?|ISTRIGHTS (?:[\"%&\*\--9A-Z\x5c_a-z]+)?)|S(?:TATUS (?:[\"%&\*\--9A-Z\x5c_a-z]+)? \((?:U(?:NSEEN|IDNEXT)|MESSAGES|UIDVALIDITY|RECENT| )+\)|ETACL (?:[\"%&\*\--9A-Z\x5c_a-z]+)? [\+\-][ac-eiklpr-twx]+?)|UID (?:COPY|FETCH|STORE) (?:[\*,0-:]+)?|(?:(?:DELETE|GET)ACL|MYRIGHTS) (?:[\"%&\*\--9A-Z\x5c_a-z]+)?)" \
+ "id:932310,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:escapeSeqDecode,\
+ msg:'Remote Command Execution: IMAP Command Execution',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'platform-multi',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RCE',\
+ tag:'capec/137/134',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+# =[ POP3 Command Execution ]=
+#
+# This rule prevents execution of POP3 related system commands.
+#
+# List of POP3 commands:
+# - from rfc 1939 (https://www.rfc-editor.org/rfc/rfc1939#appendix-B)
+# - extensions from rfc 2449 (https://www.rfc-editor.org/rfc/rfc2449)
+#
+# These commands all have some kind of parameter that makes them a good PL2 target.
+#
+# Regular expression generated from regex-assembly/932320.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932320
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\r\n.*?\b(?:(?:LIST|TOP [0-9]+)(?: [0-9]+)?|U(?:SER .+?|IDL(?: [0-9]+)?)|PASS .+?|(?:RETR|DELE) [0-9]+?|A(?:POP [0-9A-Z_a-z]+ [0-9a-f]{32}|UTH [\-0-9_a-z]{1,20} (?:(?:[\+/-9A-Z_a-z]{4})*(?:[\+/-9A-Z_a-z]{2}=|[\+/-9A-Z_a-z]{3}))?=))" \
+ "id:932320,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:escapeSeqDecode,\
+ msg:'Remote Command Execution: POP3 Command Execution',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'platform-multi',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RCE',\
+ tag:'capec/137/134',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+
+# [ Unix command injection ]
+#
+# This is a stricter sibling of rules 932230, 932235, 932250, 932260.
+# This stricter sibling detects Unix RCE with and without prefix and words of any length.
+# It uses the same regex.
+#
+# Rule relations:
+#
+# .932230 (base rule, PL1, targets prefix + two and three character commands)
+# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
+# ..932232 (stricter sibling, PL3, targets prefix + additional command words)
+# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
+#
+# .932250 (base rule, PL1, targets two and three character commands)
+# .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any length
+# - excluded words: known user-agents)
+#
+#
+# Regular expression generated from regex-assembly/932236.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932236 +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-
0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z(?:[\s\x0b&\),<>\|]|$|[arx](?:[\s\x0b&\),<>\|]|$))|a(?:a-[^\s\x0b]{1,10}\b|(?:b|w[ks]|l(?:ias|pine)|tobm|xel)(?:[\s\x0b&\),<>\|]|$)|p(?:t(?:[\s\x0b&\),<>\|]|$|-get)|parmor_[^\s\x0b]{1,10}\b)|r(?:[\s\x0b&\),<>\|]|$|j(?:[\s\x0b&\),<>\|]|$|-register|disp)|(?:p|ch)(?:[\s\x0b&\),<>\|]|$)|ia2c)|s(?:h(?:[\s\x0b&\),<>\|]|$)|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|u(?:ditctl|repot|search))|b(?:z(?:(?:z|c(?:at|mp))(?:[\s\x0b&\),<>\|]|$)|diff|e(?:grep|xe(?:[\s\x0b&\),<>\|]|$))|f?grep|ip2(?:[\s\x0b&\),<>\|]|$|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame(?:[\s\x0b&\),<>\|]|$)|c))|h(?:[\s\x0b&\),<>\|]|$))|tch(?:[\s\x0b&\),<>\|]|$))|lkid(?:[\s\x0b&\),<>\|]|$)|pftrace|r(?:eaksw|(?:idge|wap)(?:[\s\x0b&\),<>\|]|$))|sd(?:cat|i
ff|tar)|u(?:iltin|n(?:dler(?:[\s\x0b&\),<>\|]|$)|zip2)|s(?:ctl|ybox))|y(?:ebug|obu(?:[\s\x0b&\),<>\|]|$)))|c(?:[89]9(?:[\s\x0b&\),<>\|]|$|-gcc)|(?:a(?:t|ncel|psh)|c|mp)(?:[\s\x0b&\),<>\|]|$)|p(?:[\s\x0b&\),<>\|]|$|(?:an|io)(?:[\s\x0b&\),<>\|]|$)|ulimit)|s(?:(?:h|cli)(?:[\s\x0b&\),<>\|]|$)|plit|vtool)|u(?:(?:t|rl)(?:[\s\x0b&\),<>\|]|$)|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)(?:[\s\x0b&\),<>\|]|$)|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f(?:[\s\x0b&\),\-<>\|]|$))|(?:flag|pas)s|g(?:passwd|rp(?:[\s\x0b&\),<>\|]|$)))|lang(?:\+\+|[\s\x0b&\),<>\|]|$)|o(?:bc(?:[\s\x0b&\),<>\|]|$|run)|lumn(?:[\s\x0b&\),<>\|]|$)|m(?:m(?:[\s\x0b&\),<>\|]|$|and(?:[\s\x0b&\),<>\|]|$))|p(?:oser|ress)(?:[\s\x0b&\),<>\|]|$))|proc|w(?:say|think))|r(?:ash(?:[\s\x0b&\),<>\|]|$)|ontab))|d(?:(?:[dfu]|i(?:(?:alo)?g|ff)|ash|vips)(?:[\s\x0b&\),<>\|]|$)|hclient|m(?:esg(?:[\s\x0b&\),<>\|]|$)|idecode|setup)|o(?:(?:as|ne)(?:[\s\x0b&\),<>\|]|$)|cker(?:[\s\x0b&\),\-<>\|]|$)|sbox)|pkg(?:[\s\x0b&\),\-<>\|]|$))|e(?:(?:b|qn|cho|fax|grep|macs|val)(?:[\s\x0b&\),<>\|]|$)|n(?:v(?:[\s\x0b&\),<>\|]|$|-update)|d(?:if|sw)(?:[\s\x0b&\),<>\|]|$))|s(?:[\s\x0b&\),<>\|]|$|(?:h|ac)(?:[\s\x0b&\),<>\|]|$))|x(?:[\s\x0b&\),<>\|]|$|(?:ec|p(?:and|(?:ec|or)t|r))(?:[\s\x0b&\),<>\|]|$)|iftool)|2fsck|asy_install)|f(?:(?:c|mt|etch|lock|unction)(?:[\s\x0b&\),<>\|]|$)|d(?:[\s\x0b&\),<>\|]|$|(?:find|isk)(?:[\s\x0b&\),<>\|]|$)|u?mount)|g(?:[\s\x0b&\),<>\|]|$|rep(?:[\s\x0b&\),<>\|]|$))|i(?:[\s\x0b&\),<>\|]|$|letest|(?:n(?:d|ger)|sh)(?:[\s\x0b&\),<>\|]|$))|tp(?:[\s\x0b&\),<>\|]|$|stats|who)|acter|o(?:ld(?:[\s\x0b&\),<>\|]|$)|reach)|ping(?:[\s\x0b&\),6<>\|]|$))|g(?:c(?:c[^\s\x0b]{1,10}\b|ore(?:[\s\x0b&\),<>\|]|$))|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))(?:[\s\x0b&\),<>\|]|$)|e(?:m(?:[\s\x0b&\),<>\|]|$)|ni(?:e(?:[\s\x0b&\),<>\|]|$)|soimage)|t(?:cap|facl(?:[\s\x0b&\),<>\|]|$)))|hc(?:[\s\x0b&\),<>\|]|$|-(?:[\s\x0b&\),<>\|]|$)|i(?:[\s\x0b&\),\-<>\|]|$))|r(?:c(?:[\s\x0b&\),<>\|]|$|at(?:[\s\x0b&\),<>\|]|$)
)|ep(?:[\s\x0b&\),<>\|]|$)|oup(?:[\s\x0b&\),<>\|]|$|mod))|tester|unzip)|h(?:(?:d|up|i(?:ghlight|story))(?:[\s\x0b&\),<>\|]|$)|e(?:ad(?:[\s\x0b&\),<>\|]|$)|xdump)|ost(?:id|name)|ping3|t(?:digest|op(?:[\s\x0b&\),<>\|]|$)|passwd))|i(?:p(?:[\s\x0b&\),<>\|]|$|6?tables|config|p(?:eveprinter|find|tool))|(?:rb|conv)(?:[\s\x0b&\),<>\|]|$)|f(?:config|top(?:[\s\x0b&\),<>\|]|$))|onice|spell)|j(?:(?:js|q|exec)(?:[\s\x0b&\),<>\|]|$)|o(?:(?:bs|in)(?:[\s\x0b&\),<>\|]|$)|urnalctl)|runscript)|k(?:s(?:h(?:[\s\x0b&\),<>\|]|$)|shell)|ill(?:[\s\x0b&\),<>\|]|$|all)|nife(?:[\s\x0b&\),<>\|]|$))|l(?:d(?:[\s\x0b&\),<>\|]|$|d(?:[\s\x0b&\),<>\|]|$)|config)|(?:[np]|inks|ynx)(?:[\s\x0b&\),<>\|]|$)|s(?:[\s\x0b&\),<>\|]|$|(?:-F|cpu|hw|mod|of|pci|usb)(?:[\s\x0b&\),<>\|]|$)|b_release)|ua(?:[\s\x0b&\),<>\|]|$|(?:la)?tex)|z(?:4(?:[\s\x0b&\),<>\|]|$|c(?:[\s\x0b&\),<>\|]|$|at))|(?:c(?:at|mp))?(?:[\s\x0b&\),<>\|]|$)|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|$|dec|info)|ore))|a(?:st(?:[\s\x0b&\),<>\|]|$|comm(?:[\s\x0b&\),<>\|]|$)|log(?:in)?)|tex(?:[\s\x0b&\),<>\|]|$))|ess(?:[\s\x0b&\),<>\|]|$|echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|$|get)|o(?:(?:ca(?:l|te)|ok)(?:[\s\x0b&\),<>\|]|$)|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|il[qx]|ke|wk)(?:[\s\x0b&\),<>\|]|$)|ster\.passwd)|(?:tr|v|utt)(?:[\s\x0b&\),<>\|]|$)|k(?:(?:dir|nod)(?:[\s\x0b&\),<>\|]|$)|fifo|temp)|locate|o(?:squitto|unt(?:[\s\x0b&\),<>\|]|$))|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\s\x0b&\),<>\|]|$|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:[\s\x0b&\),<>\|]|$|\.(?:openbsd|traditional)|at(?:[\s\x0b&\),<>\|]|$))|e(?:t(?:[\s\x0b&\),<>\|]|$|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:l|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)(?:[\s\x0b&\),<>\|]|$)|m(?:[\s\x0b&\),<>\|]|$|ap(?:[\s\x0b&\),<>\|]|$))|s(?:enter|lookup|tat(?:[\s\x0b&\),<>\|]|$)))|o(?:(?:d|ctave)(?:[\s\x0b&\),<>\|]|$)|nintr|p(?:en(?:ssl|v(?:pn|t))|kg(?:[\s\x0b&\),<>\|]|$)))|p(?:a(?:(?:x|rted|tch)(?:[\s\x0b&\),<>\|]|$)|s(?:swd|te(?:[
\s\x0b&\),<>\|]|$)))|d(?:b(?:[\s\x0b&\),<>\|]|$|2mb|3(?:[\s\x0b&\),\.<>\|]|$))|f(?:la)?tex|ksh(?:[\s\x0b&\),<>\|]|$))|f(?:[\s\x0b&\),<>\|]|$|tp(?:[\s\x0b&\),<>\|]|$))|i(?:c(?:[\s\x0b&\),<>\|]|$|o(?:[\s\x0b&\),<>\|]|$))|p(?:[^\s\x0b]{1,10}\b|[\s\x0b&\),<>\|]|$)|dstat|(?:gz|ng6?)(?:[\s\x0b&\),<>\|]|$))|k(?:g(?:[\s\x0b&\),<>\|]|$|_?info)|exec|ill(?:[\s\x0b&\),<>\|]|$))|r(?:[\s\x0b&\),<>\|]|$|y(?:[\s\x0b&\),<>\|]|$)|int(?:env|f(?:[\s\x0b&\),<>\|]|$)))|t(?:x(?:[\s\x0b&\),<>\|]|$)|ar(?:[\s\x0b&\),<>\|]|$|diff|grep))|wd(?:[\s\x0b&\),<>\|]|$|\.db)|(?:xz|grep|opd|u(?:ppet|shd))(?:[\s\x0b&\),<>\|]|$)|er(?:(?:f|ms)(?:[\s\x0b&\),<>\|]|$)|l(?:5?(?:[\s\x0b&\),<>\|]|$)|sh))|hp(?:-cgi|[57](?:[\s\x0b&\),<>\|]|$))|s(?:(?:ed|ql)(?:[\s\x0b&\),<>\|]|$)|ftp)|y(?:3?versions|thon(?:[23]|[^\s\x0b]{1,10}\b)))|r(?:(?:a(?:r|k[eu])|bash|nano|oute|vi(?:ew|m))(?:[\s\x0b&\),<>\|]|$)|c(?:[\s\x0b&\),<>\|]|$|p(?:[\s\x0b&\),<>\|]|$))|e(?:d(?:[\s\x0b&\),<>\|]|$|carpet(?:[\s\x0b&\),<>\|]|$))|(?:v|boot|place)(?:[\s\x0b&\),<>\|]|$)|a(?:delf|lpath)|stic)|m(?:[\s\x0b&\),<>\|]|$|t(?:[\s\x0b&\),<>\|]|$|-(?:dump|tar))|dir(?:[\s\x0b&\),<>\|]|$)|user)|pm(?:[\s\x0b&\),<>\|]|$|db(?:[\s\x0b&\),<>\|]|$)|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[\s\x0b&\),<>\|]|$)|u(?:by[^\s\x0b]{1,10}\b|n(?:-(?:mailcap|parts)|c(?:[\s\x0b&\),<>\|]|$))))|s(?:(?:c(?:p|hed|ript)|g|ash|diff|(?:ft|na)p|l(?:eep|sh))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:d|ndmail|rvice)(?:[\s\x0b&\),<>\|]|$)|t(?:[\s\x0b&\),<>\|]|$|arch|cap|env|facl(?:[\s\x0b&\),<>\|]|$)|sid))|h(?:[\s\x0b&\),<>\|]|$|\.distrib|(?:adow|ells|u(?:f|tdown))(?:[\s\x0b&\),<>\|]|$))|sh(?:[\s\x0b&\),<>\|]|$|-(?:a(?:dd|gent)|copy-id|key(?:ge|sca)n)|pass)|u(?:[\s\x0b&\),<>\|]|$|do(?:-rs|[\s\x0b&\),<>_\|]|$|edit|replay))|vn(?:[\s\x0b&\),<>\|]|$|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:cat(?:[\s\x0b&\),<>\|]|$)|elim)|p(?:lit(?:[\s\x0b&\),<>\|]|$)|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in(?:[\s\x0b&\),<>\|]|$)|out)|r(?:ace|ings(?:[\s\x0b&\
),<>\|]|$)))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:[cr](?:[\s\x0b&\),<>\|]|$)|il(?:[\s\x0b&\),<>\|]|$|f(?:[\s\x0b&\),<>\|]|$))|skset)|(?:bl|o(?:p|uch)|ftp|mux)(?:[\s\x0b&\),<>\|]|$)|c(?:p(?:[\s\x0b&\),<>\|]|$|dump|ing|traceroute)|l?sh(?:[\s\x0b&\),<>\|]|$))|e(?:[ex](?:[\s\x0b&\),<>\|]|$)|lnet)|i(?:c(?:[\s\x0b&\),<>\|]|$)|medatectl)|r(?:aceroute6?|off(?:[\s\x0b&\),<>\|]|$))|shark)|u(?:dp(?:[\s\x0b&\),<>\|]|$)|l(?:[\s\x0b&\),<>\|]|$|imit(?:[\s\x0b&\),<>\|]|$))|n(?:(?:compress|iq|rar|s(?:et|hare)|xz)(?:[\s\x0b&\),<>\|]|$)|expand|l(?:ink(?:[\s\x0b&\),<>\|]|$)|z(?:4(?:[\s\x0b&\),<>\|]|$)|ma))|pigz|z(?:ip(?:[\s\x0b&\),<>\|]|$)|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\x0b&\),<>\|]|$|diff)|(?:gr|pw|rsh)(?:[\s\x0b&\),<>\|]|$)|sudo(?:-rs)?)|algrind|olatility(?:[\s\x0b&\),<>\|]|$))|w(?:(?:3m|c|atch|get)(?:[\s\x0b&\),<>\|]|$)|h(?:iptail(?:[\s\x0b&\),<>\|]|$)|oami)|i(?:reshark|sh(?:[\s\x0b&\),<>\|]|$)))|x(?:(?:(?:x|pa)d|args|term)(?:[\s\x0b&\),<>\|]|$)|z(?:[\s\x0b&\),<>\|]|$|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|d(?:ec(?:[\s\x0b&\),<>\|]|$)|iff)|[ef]?grep|less|more)|e(?:latex|tex(?:[\s\x0b&\),<>\|]|$))|mo(?:dmap|re(?:[\s\x0b&\),<>\|]|$)))|y(?:um|arn|elp)(?:[\s\x0b&\),<>\|]|$)|z(?:ip(?:[\s\x0b&\),<>\|]|$|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h(?:[\s\x0b&\),<>\|]|$)|oelim|td(?:[\s\x0b&\),<>\|]|$|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|run)(?:[\s\x0b&\),<>\|]|$)|e(?:grep|ro(?:[\s\x0b&\),<>\|]|$))|fgrep|mo(?:dload|re(?:[\s\x0b&\),<>\|]|$))|ypper))" \ + "id:932236,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix Command Injection (command without evasion)',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-RCE',\ + tag:'capec/1000/152/248/88',\ + ver:'OWASP_CRS/4.22.0',\ 
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+# [ Unix command injection ]
+#
+# This is a sibling of rule 932236.
+# This sibling detects Unix RCE in request headers Referer and User-Agent.
+# It uses the same regex but excludes known user-agents to avoid false positives.
+#
+# Rule relations:
+#
+# .932230 (base rule, PL1, targets prefix + two and three character commands)
+# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
+# ..932232 (stricter sibling, PL3, targets prefix + additional command words)
+# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
+#
+# .932250 (base rule, PL1, targets two and three character commands)
+# .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any length
+# - excluded words: known user-agents)
+#
+#
+#
+# Regular expression generated from regex-assembly/932239.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932239 +# +SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\
{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z(?:[\s\x0b&\),<>\|]|$|[arx](?:[\s\x0b&\),<>\|]|$))|a(?:a-[^\s\x0b]{1,10}\b|(?:b|w[ks]|l(?:ias|pine)|tobm|xel)(?:[\s\x0b&\),<>\|]|$)|p(?:t(?:[\s\x0b&\),<>\|]|$|-get)|parmor_[^\s\x0b]{1,10}\b)|r(?:[\s\x0b&\),<>\|]|$|j(?:[\s\x0b&\),<>\|]|$|-register|disp)|(?:p|ch)(?:[\s\x0b&\),<>\|]|$)|ia2c)|s(?:h(?:[\s\x0b&\),<>\|]|$)|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|u(?:ditctl|repot|search))|b(?:z(?:(?:z|c(?:at|mp))(?:[\s\x0b&\),<>\|]|$)|diff|e(?:grep|xe(?:[\s\x0b&\),<>\|]|$))|f?grep|ip2(?:[\s\x0b&\),<>\|]|$|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame(?:[\s\x0b&\),<>\|]|$)|c))|h(?:[\s\x0b&\),<>\|]|$))|tch(?:[\s\x0b&\),<>\|]|$))|lkid(?:[\s\x0b&\),<>\|]|$)|pftrace|r(?:eaksw|(?:idge|wap)(?:[\s\x0b&\),<>\|]|$))|sd(?:cat|iff|tar)|u(
?:iltin|n(?:dler(?:[\s\x0b&\),<>\|]|$)|zip2)|s(?:ctl|ybox))|y(?:ebug|obu(?:[\s\x0b&\),<>\|]|$)))|c(?:[89]9(?:[\s\x0b&\),<>\|]|$|-gcc)|(?:a(?:t|ncel|psh)|c|mp)(?:[\s\x0b&\),<>\|]|$)|p(?:[\s\x0b&\),<>\|]|$|io(?:[\s\x0b&\),<>\|]|$)|ulimit)|s(?:(?:h|cli)(?:[\s\x0b&\),<>\|]|$)|plit|vtool)|u(?:t(?:[\s\x0b&\),<>\|]|$)|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)(?:[\s\x0b&\),<>\|]|$)|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f(?:[\s\x0b&\),\-<>\|]|$))|(?:flag|pas)s|g(?:passwd|rp(?:[\s\x0b&\),<>\|]|$)))|lang(?:\+\+|[\s\x0b&\),<>\|]|$)|o(?:bc(?:[\s\x0b&\),<>\|]|$|run)|lumn(?:[\s\x0b&\),<>\|]|$)|m(?:m(?:[\s\x0b&\),<>\|]|$|and(?:[\s\x0b&\),<>\|]|$))|p(?:oser|ress)(?:[\s\x0b&\),<>\|]|$))|proc|w(?:say|think))|r(?:ash(?:[\s\x0b&\),<>\|]|$)|ontab))|d(?:(?:[dfu]|i(?:(?:alo)?g|ff)|ash|vips)(?:[\s\x0b&\),<>\|]|$)|hclient|m(?:esg(?:[\s\x0b&\),<>\|]|$)|idecode|setup)|o(?:(?:as|ne)(?:[\s\x0b&\),<>\|]|$)|cker(?:[\s\x0b&\),\-<>\|]|$)|sbox)|pkg(?:[\s\x0b&\),\-<>\|]|$))|e(?:(?:b|qn|cho|fax|grep|macs|val)(?:[\s\x0b&\),<>\|]|$)|n(?:v(?:[\s\x0b&\),<>\|]|$|-update)|d(?:if|sw)(?:[\s\x0b&\),<>\|]|$))|s(?:[\s\x0b&\),<>\|]|$|(?:h|ac)(?:[\s\x0b&\),<>\|]|$))|x(?:[\s\x0b&\),<>\|]|$|(?:ec|p(?:and|(?:ec|or)t|r))(?:[\s\x0b&\),<>\|]|$)|iftool)|2fsck|asy_install)|f(?:(?:c|mt|etch|lock|unction)(?:[\s\x0b&\),<>\|]|$)|d(?:[\s\x0b&\),<>\|]|$|(?:find|isk)(?:[\s\x0b&\),<>\|]|$)|u?mount)|g(?:[\s\x0b&\),<>\|]|$|rep(?:[\s\x0b&\),<>\|]|$))|i(?:[\s\x0b&\),<>\|]|$|letest|(?:n(?:d|ger)|sh)(?:[\s\x0b&\),<>\|]|$))|tp(?:[\s\x0b&\),<>\|]|$|stats|who)|acter|o(?:ld(?:[\s\x0b&\),<>\|]|$)|reach)|ping(?:[\s\x0b&\),6<>\|]|$))|g(?:c(?:c[^\s\x0b]{1,10}\b|ore(?:[\s\x0b&\),<>\|]|$))|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))(?:[\s\x0b&\),<>\|]|$)|e(?:m(?:[\s\x0b&\),<>\|]|$)|ni(?:e(?:[\s\x0b&\),<>\|]|$)|soimage)|t(?:cap|facl(?:[\s\x0b&\),<>\|]|$)))|hc(?:[\s\x0b&\),<>\|]|$|-(?:[\s\x0b&\),<>\|]|$)|i(?:[\s\x0b&\),\-<>\|]|$))|r(?:c(?:[\s\x0b&\),<>\|]|$|at(?:[\s\x0b&\),<>\|]|$))|ep(?:[\s\x0b&\),<>\|]|
$)|oup(?:[\s\x0b&\),<>\|]|$|mod))|tester|unzip)|h(?:(?:d|up|i(?:ghlight|story))(?:[\s\x0b&\),<>\|]|$)|e(?:ad(?:[\s\x0b&\),<>\|]|$)|xdump)|ost(?:id|name)|ping3|t(?:digest|op(?:[\s\x0b&\),<>\|]|$)|passwd))|i(?:p(?:[\s\x0b&\),<>\|]|$|6?tables|config|p(?:eveprinter|find|tool))|(?:rb|conv)(?:[\s\x0b&\),<>\|]|$)|f(?:config|top(?:[\s\x0b&\),<>\|]|$))|onice|spell)|j(?:(?:js|q|exec)(?:[\s\x0b&\),<>\|]|$)|o(?:(?:bs|in)(?:[\s\x0b&\),<>\|]|$)|urnalctl)|runscript)|k(?:s(?:h(?:[\s\x0b&\),<>\|]|$)|shell)|ill(?:[\s\x0b&\),<>\|]|$|all)|nife(?:[\s\x0b&\),<>\|]|$))|l(?:d(?:[\s\x0b&\),<>\|]|$|d(?:[\s\x0b&\),<>\|]|$)|config)|(?:[np]|ynx)(?:[\s\x0b&\),<>\|]|$)|s(?:[\s\x0b&\),<>\|]|$|(?:-F|cpu|hw|mod|of|pci|usb)(?:[\s\x0b&\),<>\|]|$)|b_release)|ua(?:[\s\x0b&\),<>\|]|$|(?:la)?tex)|z(?:4(?:[\s\x0b&\),<>\|]|$|c(?:[\s\x0b&\),<>\|]|$|at))|(?:c(?:at|mp))?(?:[\s\x0b&\),<>\|]|$)|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|$|dec|info)|ore))|a(?:st(?:[\s\x0b&\),<>\|]|$|comm(?:[\s\x0b&\),<>\|]|$)|log(?:in)?)|tex(?:[\s\x0b&\),<>\|]|$))|ess(?:[\s\x0b&\),<>\|]|$|echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|$|get)|o(?:(?:ca(?:l|te)|ok)(?:[\s\x0b&\),<>\|]|$)|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|il[qx]|ke|wk)(?:[\s\x0b&\),<>\|]|$)|ster\.passwd)|(?:tr|v|utt)(?:[\s\x0b&\),<>\|]|$)|k(?:(?:dir|nod)(?:[\s\x0b&\),<>\|]|$)|fifo|temp)|locate|o(?:squitto|unt(?:[\s\x0b&\),<>\|]|$))|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\s\x0b&\),<>\|]|$|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:[\s\x0b&\),<>\|]|$|\.(?:openbsd|traditional)|at(?:[\s\x0b&\),<>\|]|$))|e(?:t(?:[\s\x0b&\),<>\|]|$|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:l|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)(?:[\s\x0b&\),<>\|]|$)|m(?:[\s\x0b&\),<>\|]|$|ap(?:[\s\x0b&\),<>\|]|$))|s(?:enter|lookup|tat(?:[\s\x0b&\),<>\|]|$)))|o(?:(?:d|ctave)(?:[\s\x0b&\),<>\|]|$)|nintr|p(?:en(?:ssl|v(?:pn|t))|kg(?:[\s\x0b&\),<>\|]|$)))|p(?:a(?:(?:x|rted|tch)(?:[\s\x0b&\),<>\|]|$)|s(?:swd|te(?:[\s\x0b&\),<>\|]|$)))|d(?:b(?:
[\s\x0b&\),<>\|]|$|2mb|3(?:[\s\x0b&\),\.<>\|]|$))|f(?:la)?tex|ksh(?:[\s\x0b&\),<>\|]|$))|f(?:[\s\x0b&\),<>\|]|$|tp(?:[\s\x0b&\),<>\|]|$))|i(?:c(?:[\s\x0b&\),<>\|]|$|o(?:[\s\x0b&\),<>\|]|$))|p(?:[^\s\x0b]{1,10}\b|[\s\x0b&\),<>\|]|$)|dstat|(?:gz|ng6?)(?:[\s\x0b&\),<>\|]|$))|k(?:g(?:[\s\x0b&\),<>\|]|$|_?info)|exec|ill(?:[\s\x0b&\),<>\|]|$))|r(?:[\s\x0b&\),<>\|]|$|y(?:[\s\x0b&\),<>\|]|$)|int(?:env|f(?:[\s\x0b&\),<>\|]|$)))|t(?:x(?:[\s\x0b&\),<>\|]|$)|ar(?:[\s\x0b&\),<>\|]|$|diff|grep))|wd(?:[\s\x0b&\),<>\|]|$|\.db)|(?:xz|grep|opd|u(?:ppet|shd))(?:[\s\x0b&\),<>\|]|$)|er(?:(?:f|ms)(?:[\s\x0b&\),<>\|]|$)|l(?:5?(?:[\s\x0b&\),<>\|]|$)|sh))|hp(?:-cgi|[57](?:[\s\x0b&\),<>\|]|$))|s(?:(?:ed|ql)(?:[\s\x0b&\),<>\|]|$)|ftp)|y(?:3?versions|thon[23]))|r(?:(?:a(?:r|k[eu])|bash|nano|oute|vi(?:ew|m))(?:[\s\x0b&\),<>\|]|$)|c(?:[\s\x0b&\),<>\|]|$|p(?:[\s\x0b&\),<>\|]|$))|e(?:d(?:[\s\x0b&\),<>\|]|$|carpet(?:[\s\x0b&\),<>\|]|$))|(?:v|boot|place)(?:[\s\x0b&\),<>\|]|$)|a(?:delf|lpath)|stic)|m(?:[\s\x0b&\),<>\|]|$|t(?:[\s\x0b&\),<>\|]|$|-(?:dump|tar))|dir(?:[\s\x0b&\),<>\|]|$)|user)|pm(?:[\s\x0b&\),<>\|]|$|db(?:[\s\x0b&\),<>\|]|$)|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[\s\x0b&\),<>\|]|$)|u(?:by[^\s\x0b]{1,10}\b|n(?:-(?:mailcap|parts)|c(?:[\s\x0b&\),<>\|]|$))))|s(?:(?:c(?:p|hed|ript)|g|ash|diff|ftp|l(?:eep|sh))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:d|ndmail|rvice)(?:[\s\x0b&\),<>\|]|$)|t(?:[\s\x0b&\),<>\|]|$|arch|cap|env|facl(?:[\s\x0b&\),<>\|]|$)|sid))|h(?:[\s\x0b&\),<>\|]|$|\.distrib|(?:adow|ells|u(?:f|tdown))(?:[\s\x0b&\),<>\|]|$))|sh(?:[\s\x0b&\),<>\|]|$|-(?:a(?:dd|gent)|copy-id|key(?:ge|sca)n)|pass)|u(?:[\s\x0b&\),<>\|]|$|do(?:-rs|[\s\x0b&\),<>_\|]|$|edit|replay))|vn(?:[\s\x0b&\),<>\|]|$|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:cat(?:[\s\x0b&\),<>\|]|$)|elim)|p(?:lit(?:[\s\x0b&\),<>\|]|$)|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in(?:[\s\x0b&\),<>\|]|$)|out)|r(?:ace|ings(?:[\s\x0b&\),<>\|]|$)))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:[cr](
?:[\s\x0b&\),<>\|]|$)|il(?:[\s\x0b&\),<>\|]|$|f(?:[\s\x0b&\),<>\|]|$))|skset)|(?:bl|o(?:p|uch)|ftp|mux)(?:[\s\x0b&\),<>\|]|$)|c(?:p(?:[\s\x0b&\),<>\|]|$|dump|ing|traceroute)|l?sh(?:[\s\x0b&\),<>\|]|$))|e(?:[ex](?:[\s\x0b&\),<>\|]|$)|lnet)|i(?:c(?:[\s\x0b&\),<>\|]|$)|medatectl)|r(?:aceroute6?|off(?:[\s\x0b&\),<>\|]|$))|shark)|u(?:dp(?:[\s\x0b&\),<>\|]|$)|l(?:[\s\x0b&\),<>\|]|$|imit(?:[\s\x0b&\),<>\|]|$))|n(?:(?:compress|iq|rar|s(?:et|hare)|xz)(?:[\s\x0b&\),<>\|]|$)|expand|l(?:ink(?:[\s\x0b&\),<>\|]|$)|z(?:4(?:[\s\x0b&\),<>\|]|$)|ma))|pigz|z(?:ip(?:[\s\x0b&\),<>\|]|$)|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\x0b&\),<>\|]|$|diff)|(?:gr|pw|rsh)(?:[\s\x0b&\),<>\|]|$)|sudo(?:-rs)?)|algrind|olatility(?:[\s\x0b&\),<>\|]|$))|w(?:(?:c|atch)(?:[\s\x0b&\),<>\|]|$)|h(?:iptail(?:[\s\x0b&\),<>\|]|$)|oami)|i(?:reshark|sh(?:[\s\x0b&\),<>\|]|$)))|x(?:(?:(?:x|pa)d|args|term)(?:[\s\x0b&\),<>\|]|$)|z(?:[\s\x0b&\),<>\|]|$|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|d(?:ec(?:[\s\x0b&\),<>\|]|$)|iff)|[ef]?grep|less|more)|e(?:latex|tex(?:[\s\x0b&\),<>\|]|$))|mo(?:dmap|re(?:[\s\x0b&\),<>\|]|$)))|y(?:um|arn|elp)(?:[\s\x0b&\),<>\|]|$)|z(?:ip(?:[\s\x0b&\),<>\|]|$|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h(?:[\s\x0b&\),<>\|]|$)|oelim|td(?:[\s\x0b&\),<>\|]|$|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|run)(?:[\s\x0b&\),<>\|]|$)|e(?:grep|ro(?:[\s\x0b&\),<>\|]|$))|fgrep|mo(?:dload|re(?:[\s\x0b&\),<>\|]|$))|ypper))" \ + "id:932239,\ + phase:1,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix Command Injection found in user-agent or referer header',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-RCE',\ + tag:'capec/1000/152/248/88',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + 
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+
+# [ Unix shell snippets ]
+#
+# Detect some common sequences found in shell commands and scripts.
+#
+# Some commands which were restricted in earlier rules due to FP,
+# have been added here with their full path, in order to catch some
+# cases where the full path is sent.
+#
+# Rule relations:
+#
+# .932160 (base rule, PL1, unix shell commands with full path)
+# ..932161 (stricter sibling, PL2, unix shell commands with full path in User-Agent and Referer request headers)
+#
+SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@pmFromFile unix-shell.data" \
+ "id:932161,\
+ phase:1,\
+ block,\
+ capture,\
+ t:none,t:cmdLine,t:normalizePath,\
+ msg:'Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RCE',\
+ tag:'capec/1000/152/248/88',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+#
+# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
+#
+
+# [ Unix command injection ]
+#
+# This rule targets pefix + commans that are prone to false positive detection at PL3.
+#
+# Rule relations:
+#
+# .932230 (base rule, PL1, targets prefix + two and three character commands)
+# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command)
+# ..932232 (stricter sibling, PL3, targets prefix + additional command words)
+# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion)
+#
+# .932250 (base rule, PL1, targets two and three character commands)
+# .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any length
+# - excluded words: known user-agents)
+#
+#
+# Regular expression generated from regex-assembly/932232.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932232 +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@
_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?2[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-
\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s)|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?f|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o|(?:[\s\x0b&\),<>\|]|$).*))\b" \ + "id:932232,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix Command Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/3',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-RCE',\ + tag:'capec/1000/152/248/88',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + +# [ Unix command injection ] +# +# Rule relations: +# +# .932230 (base rule, PL1, targets prefix + two and three character commands) +# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command) +# ..932232 (stricter sibling, PL3, targets prefix + additional command words) +# .932235 (base rule, PL1, targets prefix + known command word 
of length > 3 without evasion)
+#
+# .932250 (base rule, PL1, targets two and three character commands)
+# .932260 (base rule, PL1, targets known command word of length > 3 without evasion)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any length
+# - excluded words: known user-agents)
+#
+#
+# Regular expression generated from regex-assembly/932237.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932237
+#
+SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx 
(?i)\b(?:7z(?:[\s\x0b&\),<>\|]|$|[arx](?:[\s\x0b&\),<>\|]|$))|(?:(?:GE|POS)T|y(?:e(?:s|lp)|um|arn)|HEAD)(?:[\s\x0b&\),<>\|]|$)|a(?:a-[^\s\x0b]{1,10}\b|(?:b|w[ks]|l(?:ias|pine)|xel)(?:[\s\x0b&\),<>\|]|$)|p(?:t(?:[\s\x0b&\),<>\|]|$|-get|itude(?:[\s\x0b&\),<>\|]|$))|parmor_[^\s\x0b]{1,10}\b)|r(?:[\s\x0b&\),<>\|]|$|j(?:[\s\x0b&\),<>\|]|$|-register|disp)|(?:p|ch)(?:[\s\x0b&\),<>\|]|$)|ia2c)|s(?:[\s\x0b&\),<>\|]|$|h(?:[\s\x0b&\),<>\|]|$)|cii(?:-xfr|85)|pell)|t(?:[\s\x0b&\),<>\|]|$|obm(?:[\s\x0b&\),<>\|]|$))|dd(?:group|user)|getty|nsible|u(?:ditctl|repot|search))|b(?:z(?:(?:z|c(?:at|mp))(?:[\s\x0b&\),<>\|]|$)|diff|e(?:grep|xe(?:[\s\x0b&\),<>\|]|$))|f?grep|ip2(?:[\s\x0b&\),<>\|]|$|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame(?:[\s\x0b&\),<>\|]|$)|c))|h(?:[\s\x0b&\),<>\|]|$))|tch(?:[\s\x0b&\),<>\|]|$))|lkid(?:[\s\x0b&\),<>\|]|$)|pftrace|r(?:eaksw|(?:idge|wap)(?:[\s\x0b&\),<>\|]|$))|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler(?:[\s\x0b&\),<>\|]|$)|zip2)|s(?:ctl|ybox))|y(?:ebug|obu(?:[\s\x0b&\),<>\|]|$)))|c(?:[89]9(?:[\s\x0b&\),<>\|]|$|-gcc)|(?:a(?:t|ncel|psh)|c|mp)(?:[\s\x0b&\),<>\|]|$)|p(?:[\s\x0b&\),<>\|]|$|io(?:[\s\x0b&\),<>\|]|$)|ulimit)|s(?:(?:h|cli)(?:[\s\x0b&\),<>\|]|$)|plit|vtool)|u(?:t(?:[\s\x0b&\),<>\|]|$)|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)(?:[\s\x0b&\),<>\|]|$)|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f(?:[\s\x0b&\),\-<>\|]|$))|(?:flag|pas)s|g(?:passwd|rp(?:[\s\x0b&\),<>\|]|$)))|lang(?:\+\+|[\s\x0b&\),<>\|]|$)|o(?:bc(?:[\s\x0b&\),<>\|]|$|run)|lumn(?:[\s\x0b&\),<>\|]|$)|m(?:m(?:[\s\x0b&\),<>\|]|$|and(?:[\s\x0b&\),<>\|]|$))|p(?:oser|ress)(?:[\s\x0b&\),<>\|]|$))|proc|w(?:say|think))|r(?:ash(?:[\s\x0b&\),<>\|]|$)|on(?:[\s\x0b&\),<>\|]|$|tab)))|d(?:(?:[dfu]|i(?:(?:alo)?g|r|ff)|a(?:sh|te)|vips)(?:[\s\x0b&\),<>\|]|$)|nf(?:[\s\x0b&\),<>\|]|$)?|hclient|m(?:esg(?:[\s\x0b&\),<>\|]|$)|idecode|setup)|o(?:(?:as|ne)(?:[\s\x0b&\),<>\|]|$)|cker(?:[\s\x0b&\),\-<>\|]|$)|sbox)|pkg(?:[\s\x0b&\),\-<>\|]|$))|e(?:(?:[bd]|qn|cho|fax|grep|macs|val)(?:
[\s\x0b&\),<>\|]|$)|n(?:v(?:[\s\x0b&\),<>\|]|$|-update)|d(?:if|sw)(?:[\s\x0b&\),<>\|]|$))|s(?:[\s\x0b&\),<>\|]|$|(?:h|ac)(?:[\s\x0b&\),<>\|]|$))|x(?:[\s\x0b&\),<>\|]|$|(?:ec|p(?:and|(?:ec|or)t|r))(?:[\s\x0b&\),<>\|]|$)|iftool)|2fsck|asy_install)|f(?:(?:c|mt|etch|lock|unction)(?:[\s\x0b&\),<>\|]|$)|d(?:[\s\x0b&\),<>\|]|$|(?:find|isk)(?:[\s\x0b&\),<>\|]|$)|u?mount)|g(?:[\s\x0b&\),<>\|]|$|rep(?:[\s\x0b&\),<>\|]|$))|i(?:[\s\x0b&\),<>\|]|$|le(?:[\s\x0b&\),<>\|]|$|test)|(?:n(?:d|ger)|sh)(?:[\s\x0b&\),<>\|]|$))|tp(?:[\s\x0b&\),<>\|]|$|stats|who)|acter|o(?:ld(?:[\s\x0b&\),<>\|]|$)|reach)|ping(?:[\s\x0b&\),6<>\|]|$))|g(?:c(?:c[^\s\x0b]{1,10}\b|ore(?:[\s\x0b&\),<>\|]|$))|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))(?:[\s\x0b&\),<>\|]|$)|e(?:m(?:[\s\x0b&\),<>\|]|$)|ni(?:e(?:[\s\x0b&\),<>\|]|$)|soimage)|t(?:cap|facl(?:[\s\x0b&\),<>\|]|$)))|hc(?:[\s\x0b&\),<>\|]|$|-(?:[\s\x0b&\),<>\|]|$)|i(?:[\s\x0b&\),\-<>\|]|$))|r(?:c(?:[\s\x0b&\),<>\|]|$|at(?:[\s\x0b&\),<>\|]|$))|ep(?:[\s\x0b&\),<>\|]|$)|oup(?:[\s\x0b&\),<>\|]|$|mod))|tester|unzip)|h(?:(?:d|up|ash|i(?:ghlight|story))(?:[\s\x0b&\),<>\|]|$)|e(?:ad(?:[\s\x0b&\),<>\|]|$)|xdump)|ost(?:id|name)|ping3|t(?:digest|op(?:[\s\x0b&\),<>\|]|$)|passwd))|i(?:(?:d|rb|conv|nstall)(?:[\s\x0b&\),<>\|]|$)|p(?:[\s\x0b&\),<>\|]|$|6?tables|config|p(?:eveprinter|find|tool))|f(?:config|top(?:[\s\x0b&\),<>\|]|$))|onice|spell)|j(?:(?:js|q|ava|exec)(?:[\s\x0b&\),<>\|]|$)|o(?:(?:bs|in)(?:[\s\x0b&\),<>\|]|$)|urnalctl)|runscript)|k(?:s(?:h(?:[\s\x0b&\),<>\|]|$)|shell)|ill(?:[\s\x0b&\),<>\|]|$|all)|nife(?:[\s\x0b&\),<>\|]|$))|l(?:d(?:[\s\x0b&\),<>\|]|$|d(?:[\s\x0b&\),<>\|]|$)|config)|(?:[np]|ynx)(?:[\s\x0b&\),<>\|]|$)|s(?:[\s\x0b&\),<>\|]|$|(?:-F|cpu|hw|mod|of|pci|usb)(?:[\s\x0b&\),<>\|]|$)|b_release)|ua(?:[\s\x0b&\),<>\|]|$|(?:la)?tex)|z(?:4(?:[\s\x0b&\),<>\|]|$|c(?:[\s\x0b&\),<>\|]|$|at))|(?:c(?:at|mp))?(?:[\s\x0b&\),<>\|]|$)|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|$|dec|info)|ore))|a(?:st(?:[\s\x0b&\),<>\|]|$|comm(?:[\s\x0b&\),<>\|]|$)|log(?:in)?)|t
ex(?:[\s\x0b&\),<>\|]|$))|ess(?:[\s\x0b&\),<>\|]|$|echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|$|get)|o(?:(?:ca(?:l|te)|ok)(?:[\s\x0b&\),<>\|]|$)|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke|wk)(?:[\s\x0b&\),<>\|]|$)|il(?:[\s\x0b&\),<>\|]|$|[qx](?:[\s\x0b&\),<>\|]|$))|ster\.passwd)|(?:tr|v|utt)(?:[\s\x0b&\),<>\|]|$)|k(?:(?:dir|nod)(?:[\s\x0b&\),<>\|]|$)|fifo|temp)|locate|o(?:(?:re|unt)(?:[\s\x0b&\),<>\|]|$)|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\s\x0b&\),<>\|]|$|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:[\s\x0b&\),<>\|]|$|\.(?:openbsd|traditional)|at(?:[\s\x0b&\),<>\|]|$))|e(?:t(?:[\s\x0b&\),<>\|]|$|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)(?:[\s\x0b&\),<>\|]|$)|m(?:[\s\x0b&\),<>\|]|$|ap(?:[\s\x0b&\),<>\|]|$))|s(?:enter|lookup|tat(?:[\s\x0b&\),<>\|]|$)))|o(?:(?:d|ctave)(?:[\s\x0b&\),<>\|]|$)|nintr|p(?:en(?:ssl|v(?:pn|t))|kg(?:[\s\x0b&\),<>\|]|$)))|p(?:a(?:(?:x|cman|rted|tch)(?:[\s\x0b&\),<>\|]|$)|s(?:swd|te(?:[\s\x0b&\),<>\|]|$)))|d(?:b(?:[\s\x0b&\),<>\|]|$|2mb|3(?:[\s\x0b&\),\.<>\|]|$))|f(?:la)?tex|ksh(?:[\s\x0b&\),<>\|]|$))|f(?:[\s\x0b&\),<>\|]|$|tp(?:[\s\x0b&\),<>\|]|$))|g(?:[\s\x0b&\),<>\|]|$|rep(?:[\s\x0b&\),<>\|]|$))|hp(?:[\s\x0b&\),<>\|]|$|-cgi|[57](?:[\s\x0b&\),<>\|]|$))|i(?:c(?:[\s\x0b&\),<>\|]|$|o(?:[\s\x0b&\),<>\|]|$))|p(?:[^\s\x0b]{1,10}\b|[\s\x0b&\),<>\|]|$)|dstat|(?:gz|ng6?)(?:[\s\x0b&\),<>\|]|$))|k(?:g(?:[\s\x0b&\),<>\|]|$|_?info)|exec|ill(?:[\s\x0b&\),<>\|]|$))|r(?:[\s\x0b&\),<>\|]|$|y(?:[\s\x0b&\),<>\|]|$)|int(?:env|f(?:[\s\x0b&\),<>\|]|$)))|s(?:[\s\x0b&\),<>\|]|$|(?:ed|ql)(?:[\s\x0b&\),<>\|]|$)|ftp)|t(?:x(?:[\s\x0b&\),<>\|]|$)|ar(?:[\s\x0b&\),<>\|]|$|diff|grep))|wd(?:[\s\x0b&\),<>\|]|$|\.db)|(?:xz|opd|u(?:ppet|shd))(?:[\s\x0b&\),<>\|]|$)|er(?:(?:f|ms)(?:[\s\x0b&\),<>\|]|$)|l(?:5?(?:[\s\x0b&\),<>\|]|$)|sh))|y(?:3?versions|thon[23]))|r(?:(?:a(?:r|k[eu])|bash|nano|oute|vi(?:ew|m))(?:[\s\x0b&\),<>\|]|$)|c(?:[\s\x0b&\),<>\|]|$|p(?:[\s\x
0b&\),<>\|]|$))|e(?:d(?:[\s\x0b&\),<>\|]|$|carpet(?:[\s\x0b&\),<>\|]|$))|(?:v|boot|name|p(?:eat|lace))(?:[\s\x0b&\),<>\|]|$)|a(?:delf|lpath)|stic)|m(?:[\s\x0b&\),<>\|]|$|t(?:[\s\x0b&\),<>\|]|$|-(?:dump|tar))|dir(?:[\s\x0b&\),<>\|]|$)|user)|pm(?:[\s\x0b&\),<>\|]|$|db(?:[\s\x0b&\),<>\|]|$)|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[\s\x0b&\),<>\|]|$)|u(?:by[^\s\x0b]{1,10}\b|n(?:-(?:mailcap|parts)|c(?:[\s\x0b&\),<>\|]|$))))|s(?:(?:c(?:p|hed|r(?:een|ipt))|g|ash|diff|ftp|l(?:eep|sh))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:d|ndmail|rvice)(?:[\s\x0b&\),<>\|]|$)|t(?:[\s\x0b&\),<>\|]|$|arch|cap|env|facl(?:[\s\x0b&\),<>\|]|$)|sid))|h(?:[\s\x0b&\),<>\|]|$|\.distrib|(?:adow|ells|u(?:f|tdown))(?:[\s\x0b&\),<>\|]|$))|s(?:[\s\x0b&\),<>\|]|$|h(?:[\s\x0b&\),<>\|]|$|-(?:a(?:dd|gent)|copy-id|key(?:ge|sca)n)|pass))|u(?:[\s\x0b&\),<>\|]|$|do(?:-rs|[\s\x0b&\),<>_\|]|$|edit|replay))|vn(?:[\s\x0b&\),<>\|]|$|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:(?:(?:ca|r)t|urce)(?:[\s\x0b&\),<>\|]|$)|elim)|p(?:lit(?:[\s\x0b&\),<>\|]|$)|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in(?:[\s\x0b&\),<>\|]|$)|out)|r(?:ace|ings(?:[\s\x0b&\),<>\|]|$)))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:[cr](?:[\s\x0b&\),<>\|]|$)|il(?:[\s\x0b&\),<>\|]|$|f(?:[\s\x0b&\),<>\|]|$))|sk(?:[\s\x0b&\),<>\|]|$|set))|(?:bl|o(?:p|uch)|ftp|mux)(?:[\s\x0b&\),<>\|]|$)|c(?:p(?:[\s\x0b&\),<>\|]|$|dump|ing|traceroute)|l?sh(?:[\s\x0b&\),<>\|]|$))|e(?:[ex](?:[\s\x0b&\),<>\|]|$)|lnet)|i(?:c(?:[\s\x0b&\),<>\|]|$)|me(?:[\s\x0b&\),<>\|]|$|datectl|out(?:[\s\x0b&\),<>\|]|$)))|r(?:aceroute6?|off(?:[\s\x0b&\),<>\|]|$))|shark)|u(?:dp(?:[\s\x0b&\),<>\|]|$)|l(?:[\s\x0b&\),<>\|]|$|imit(?:[\s\x0b&\),<>\|]|$))|n(?:(?:ame|compress|iq|rar|s(?:et|hare)|xz)(?:[\s\x0b&\),<>\|]|$)|expand|l(?:ink(?:[\s\x0b&\),<>\|]|$)|z(?:4(?:[\s\x0b&\),<>\|]|$)|ma))|pigz|z(?:ip(?:[\s\x0b&\),<>\|]|$)|std))|p(?:2date(?:[\s\x0b&\),<>\|]|$)|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:[\s\x0b&\),<>\|]|$|m(?:[\s\x0b&\),
<>\|]|$|diff)|(?:[ep]w|gr|rsh)(?:[\s\x0b&\),<>\|]|$)|sudo(?:-rs)?)|algrind|olatility(?:[\s\x0b&\),<>\|]|$))|w(?:[\s\x0b&\),<>\|]|$|(?:c|a(?:ll|tch))(?:[\s\x0b&\),<>\|]|$)|h(?:o(?:[\s\x0b&\),<>\|]|$|ami|is(?:[\s\x0b&\),<>\|]|$))?|iptail(?:[\s\x0b&\),<>\|]|$))|i(?:reshark|sh(?:[\s\x0b&\),<>\|]|$)))|x(?:(?:(?:x|pa)d|args|term)(?:[\s\x0b&\),<>\|]|$)|z(?:[\s\x0b&\),<>\|]|$|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|d(?:ec(?:[\s\x0b&\),<>\|]|$)|iff)|[ef]?grep|less|more)|e(?:latex|tex(?:[\s\x0b&\),<>\|]|$))|mo(?:dmap|re(?:[\s\x0b&\),<>\|]|$)))|z(?:ip(?:[\s\x0b&\),<>\|]|$|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h(?:[\s\x0b&\),<>\|]|$)|oelim|td(?:[\s\x0b&\),<>\|]|$|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|run)(?:[\s\x0b&\),<>\|]|$)|e(?:grep|ro(?:[\s\x0b&\),<>\|]|$))|fgrep|mo(?:dload|re(?:[\s\x0b&\),<>\|]|$))|ypper))(?:\b|[^0-9A-Z_a-z])" \ + "id:932237,\ + phase:1,\ + block,\ + capture,\ + t:none,t:cmdLine,t:normalizePath,\ + msg:'Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/3',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-RCE',\ + tag:'capec/1000/152/248/88',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + +# [ Unix command injection ] +# +# Rule relations: +# +# .932230 (base rule, PL1, targets prefix + two and three character commands) +# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command) +# ..932232 (stricter sibling, PL3, targets prefix + additional command words) +# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion) +# +# .932250 (base rule, PL1, targets two and three character commands) +# .932260 (base rule, PL1, 
targets known command word of length > 3 without evasion)
+#
+# .932240 (generic detection, PL2, targets generic evasion attempts)
+# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2,
+# - with and without prefix
+# - words of any length)
+# ..932239 (sibling of 932236, PL2,
+# - with and without prefix
+# - words of any length
+# - targets request headers user-agent and referer only
+# - excluded words: known user-agents)
+# ..932238 (stricter sibling of 932236, PL3,
+# - no excluded words)
+# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3,
+# - targets request headers user-agent and referer only
+# - without prefix
+# - with word boundaries
+# - words of any length
+# - excluded words: known user-agents)
+#
+#
+# Regular expression generated from regex-assembly/932238.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932238
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx 
(?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:
(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'[^']*'|\"[^\"]*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?2[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?
:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s)|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?f|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o|(?:[\s\x0b&\),<>\|]|$).*))" \ + "id:932238,\ + phase:2,\ + block,\ + capture,\ + t:none,t:cmdLine,t:normalizePath,\ + msg:'Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/3',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-RCE',\ + tag:'capec/1000/152/248/88',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + + +# +# -=[ Bypass Rule 930120 (wildcard) ]=- +# +# When Paranoia Level is set to 1 and 2, a Remote Command Execution +# could be exploited bypassing rule 930120 (OS File Access Attempt) +# by using wildcard characters. +# +# In some other cases, it could be bypassed even if the Paranoia Level is set to 3. +# Please, keep in mind that this rule could lead to many false positives. 
+#
+# The following two blog posts explain the evasions this rule is designed to detect:
+# - https://medium.com/secjuice/waf-evasion-techniques-718026d693d8
+# - https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0
+
+SecRule ARGS "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" \
+ "id:932190,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:normalizePath,t:cmdLine,\
+ msg:'Remote Command Execution: Wildcard bypass technique attempt',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/3',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RCE',\
+ tag:'capec/1000/152/248/88',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
+# -=[ SMTP commands ]=-
+#
+# This rule prevents execution of SMTP related system commands.
+#
+# These commands may have a higher risk of false positives.
+# For explanation of this rule, see above rule 932300.
+#
+# Rule 932301 is a stricter sibling of rule 932300.
+#
+# Regular expression generated from regex-assembly/932301.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932301 +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n.*?\b(?:DATA|QUIT|HELP(?: .{1,255})?)" \ + "id:932301,\ + phase:2,\ + block,\ + capture,\ + t:none,t:escapeSeqDecode,\ + msg:'Remote Command Execution: SMTP Command Execution',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/3',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-RCE',\ + tag:'capec/137/134',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + +# =[ IMAP4 Command Execution ]= +# +# This rule prevents execution of IMAP4 related system commands. +# +# These commands may have a higher risk of false positives. +# For explanation of this rule, see above rule 932310. +# +# Rule 932311 is a stricter sibling of rule 932310. +# +# Regular expression generated from regex-assembly/932311.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932311 +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?is)\r\n[0-9A-Z_a-z]{1,50}\b (?:C(?:(?:REATE|OPY [\*,0-:]+) [\"#%&\*\--9A-Z\x5c_a-z]+|APABILITY|HECK|LOSE)|DELETE [\"#%&\*\-\.0-9A-Z\x5c_a-z]+|EX(?:AMINE [\"#%&\*\-\.0-9A-Z\x5c_a-z]+|PUNGE)|FETCH [\*,0-:]+|L(?:IST [\"#\*\--9A-Z\x5c_a-z~]+? [\"#%&\*\--9A-Z\x5c_a-z]+|OG(?:IN [\-\.0-9@_a-z]{1,40} .*?|OUT))|RENAME [\"#%&\*\--9A-Z\x5c_a-z]+? [\"#%&\*\--9A-Z\x5c_a-z]+|S(?:E(?:LECT [\"#%&\*\--9A-Z\x5c_a-z]+|ARCH(?: CHARSET [\-\.0-9A-Z_a-z]{1,40})? 
(?:(KEYWORD \x5c)?(?:A(?:LL|NSWERED)|BCC|D(?:ELETED|RAFT)|(?:FLAGGE|OL)D|RECENT|SEEN|UN(?:(?:ANSWER|FLAGG)ED|D(?:ELETED|RAFT)|SEEN)|NEW)|(?:BODY|CC|FROM|HEADER .{1,100}|NOT|OR .{1,255}|T(?:EXT|O)) .{1,255}|LARGER [0-9]{1,20}|[\*,0-:]+|(?:BEFORE|ON|S(?:ENT(?:(?:BEFOR|SINC)E|ON)|INCE)) \"?[0-9]{1,2}-[0-9A-Z_a-z]{3}-[0-9]{4}\"?|S(?:MALLER [0-9]{1,20}|UBJECT .{1,255})|U(?:ID [\*,0-:]+?|NKEYWORD \x5c(Seen|(?:Answer|Flagg)ed|D(?:eleted|raft)|Recent))))|T(?:ORE [\*,0-:]+? [\+\-]?FLAGS(?:\.SILENT)? (?:\(\x5c[a-z]{1,20}\))?|ARTTLS)|UBSCRIBE [\"#%&\*\--9A-Z\x5c_a-z]+)|UN(?:SUBSCRIBE [\"#%&\*\--9A-Z\x5c_a-z]+|AUTHENTICATE)|NOOP)" \ + "id:932311,\ + phase:2,\ + block,\ + capture,\ + t:none,t:escapeSeqDecode,\ + msg:'Remote Command Execution: IMAP Command Execution',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/3',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-RCE',\ + tag:'capec/137/134',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + +# =[ POP3 Command Execution ]= +# +# This rule prevents execution of POP3 related system commands. +# +# These commands may have a higher risk of false positives. +# For explanation of this rule, see above rule 932320. +# +# Rule 932321 is a stricter sibling of rule 932320. +# +# Regular expression generated from regex-assembly/932321.ra. 
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 932321
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n.*?\b(?:(?:QUI|STA|RSE)T|NOOP|CAPA)" \
+ "id:932321,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:escapeSeqDecode,\
+ msg:'Remote Command Execution: POP3 Command Execution',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'platform-multi',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/3',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RCE',\
+ tag:'capec/137/134',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
+# =[ Unix shell history invocation ]=
+#
+# This rule is a stricter sibling of 932330.
+# Shell history can also be invoked by providing an absolute position: '!1' or by repeating the last command '!!'.
+# The latter might seem harmless as you would expect that it already requires a successful exploitation, but it is a threat in disguise.
+#
+# Imagine the following requests:
+# GET /?rce=c
+# GET /?rce=!!!!
+# The last request will invoke /usr/bin/cc, which is otherwise blocked by 932250.
+#
+# Neither !1 nor !! is necessarily valid speech, but blocking either of them is much more likely to cause false-positives than 932330.
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx !(?:\d|!)" \
+ "id:932331,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Remote Command Execution: Unix shell history invocation',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-shell',\
+ tag:'platform-unix',\
+ tag:'attack-rce',\
+ tag:'paranoia-level/3',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-RCE',\
+ tag:'capec/1000/152/248/88',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+#
+# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-932-APPLICATION-ATTACK-RCE"
diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
new file mode 100644
index 0000000..a950395
--- /dev/null
+++ b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
@@ -0,0 +1,883 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.22.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2026 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+
+#
+# -=[ PHP Injection Attacks ]=-
+#
+# [ References ]
+# https://rips-scanner.sourceforge.net/
+# https://wiki.owasp.org/index.php/PHP_Top_5#P1:_Remote_Code_Executionh
+#
+
+#
+# [ PHP Open Tag Found ]
+#
+# Detects PHP open tags "', but
+# this resulted in false positives which were difficult to prevent.
+# Therefore, that pattern is now checked by rule 933190 in paranoia levels
+# 3 or higher.
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<\?(?:[^x]|x(?:[^m]|m(?:[^l]|l(?:[^\s\x0b]|[\s\x0b]+[^a-z]|$)))|$|php)|\[[/\x5c]?php\]" \
+ "id:933100,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'PHP Injection Attack: PHP Open Tag Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-PHP',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# [ PHP Script Uploads ]
+#
+# Block file uploads with filenames ending in PHP related extensions
+# (.php, .phps, .phtml, .php5 etc).
+#
+# Many application contain Unrestricted File Upload vulnerabilities.
+# https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
+#
+# Attackers may use such a vulnerability to achieve remote code execution
+# by uploading a .php file. If the upload storage location is predictable
+# and not adequately protected, the attacker may then request the uploaded
+# .php file and have the code within it executed on the server.
+#
+# Also block files with just dot (.) characters after the extension:
+# https://www.rapid7.com/blog/post/2013/08/15/time-to-patch-joomla/
+#
+# Some AJAX uploaders use the nonstandard request headers X-Filename,
+# X_Filename, or X-File-Name to transmit the file name to the server;
+# scan these request headers as well as multipart/form-data file names.
+#
+SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.ph(?:p\d*|tml|ar|ps|t|pt)\.*$" \
+ "id:933110,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'PHP Injection Attack: PHP Script File Upload Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-PHP',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# [ PHP Configuration Directives ]
+#
+# Regular expression generated from regex-assembly/933120.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 933120
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx 
(?i)\b(?:a(?:llow_url_(?:fopen|include)|pc.(?:coredump_unmap|en(?:able(?:_cli|d)|tries_hint)|(?:gc_)?ttl|mmap_file_mask|preload_path|s(?:erializer|hm_s(?:egments|ize)|lam_defense)|use_request_time)|rg_separator.(?:in|out)put|ssert.(?:active|(?:bai|quiet_eva)l|callback|exception|warning)|uto_(?:(?:ap|pre)pend_file|detect_line_endings|globals_jit))|b(?:cmath.scale|rowscap)|c(?:gi.(?:check_shebang_line|(?:discard_pat|np)h|f(?:ix_pathinfo|orce_redirect)|r(?:edirect_status_env|fc2616_headers))|hild_terminate|li(?:_server.color|.p(?:ager|rompt))|om.(?:a(?:llow_dcom|utoregister_(?:(?:casesensitiv|verbos)e|typelib))|(?:code_pag|typelib_fil)e|dotnet_version)|url.cainfo)|d(?:ate.(?:(?:default_l(?:at|ong)itud|timezon)e|sun(?:rise|set)_zenith)|ba.default_handler|efault_(?:(?:charse|socket_timeou)t|mimetype)|is(?:able_(?:classe|function)|play_(?:startup_)?error)s|oc(?:_roo|ref_(?:ex|roo))t)|e(?:n(?:able_(?:dl|post_data_reading)|gine)|rror_(?:(?:(?:ap|pre)pend_str|report)in|lo)g|x(?:i(?:f.(?:decode_(?:jis|unicode)_(?:intel|motorola)|encode_(?:jis|unicode))|t_on_timeout)|tension(?:_dir)?|p(?:ect.(?:log(?:file|user)|match_max|timeout)|ose_php)))|f(?:astcgi.(?:impersonate|logging)|fi.(?:enable|preload)|il(?:e_uploads|ter.default(?:_flags)?))|g(?:d.jpeg_ignore_warning|eoip.custom_directory)|h(?:ard_timeout|ighlight.(?:(?:commen|defaul)t|html|keyword|string)|tml_errors)|i(?:b(?:ase.(?:(?:allow_persisten|time(?:stamp)?forma)t|d(?:ateformat|efault_(?:charset|db|password|user))|max_(?:links|persistent))|m_db2.(?:binmode|i(?:5_(?:all(?:_pconnec|ow_commi)t|dbcs_alloc|ignore_userid)|nstance_name)))|conv.(?:in(?:put|ternal)|output)_encoding|g(?:binary.compact_strings|nore_(?:repeated_(?:errors|source)|user_abort))|m(?:a(?:gick.(?:locale_fix|progress_monitor|skip_version_check)|p.enable_insecure_rsh)|plicit_flush)|n(?:clude_path|put_encoding|t(?:ernal_encoding|l.(?:default_locale|error_level|use_exceptions))))|l(?:dap.max_links|og_errors(?:_max_len)?)|m(?:a(?:gic_quotes_(?:gpc|runtime)|il(?:.
(?:add_x_header|force_extra_parameters|log)|parse.def_charset)|x_(?:execution_time|file_uploads|input_(?:nesting_level|time|vars)))|bstring.(?:detect_order|encoding_translation|func_overload|http_(?:input|output(?:_conv_mimetypes)?)|internal_encoding|language|regex_(?:retry|stack)_limit|s(?:trict_detection|ubstitute_character))|crypt.(?:algorithm|mode)s_dir|em(?:cache(?:.(?:allow_failover|c(?:hunk_size|ompress_threshold)|(?:default_por|lock_timeou)t|hash_(?:function|strategy)|max_failover_attempts|protocol|(?:session_)?redundancy)|d.(?:compression_(?:factor|t(?:hreshold|ype))|default_(?:binary_protocol|con(?:nect_timeout|sistent_hash))|s(?:e(?:rializer|ss_(?:binary(?:_protocol)?|con(?:nect_timeout|sistent_hash(?:_type)?)|lock(?:_(?:expire|retries|wait(?:_m(?:ax|in))?)|ing)|number_of_replicas|p(?:ersistent|refix)|r(?:andomize_replica_read|emove_failed(?:_servers)?)|s(?:asl_(?:password|username)|erver_failure_limit)))|tore_retry_count)|use_sasl))|ory_limit)|ysql(?:.(?:allow_(?:local_infile|persistent)|connect_timeout|default_(?:(?:hos|socke)t|p(?:assword|ort)|user)|max_(?:links|persistent)|trace_mode)|i.(?:allow_(?:local_infile|persistent)|default_(?:(?:hos|socke)t|p(?:ort|w)|user)|local_infile_directory|max_(?:links|persistent)|r(?:econnect|ollback_on_cached_plink))|nd.(?:collect_(?:memory_)?statistics|debug|(?:fetch_data_cop|sha256_server_public_ke)y|log_mask|mempool_default_size|net_(?:cmd_buffer_size|read_(?:buffer_size|timeout))|trace_alloc)))|o(?:ci8.(?:(?:connection_clas|event|old_oci_close_semantic)s|default_prefetch|max_persistent|p(?:ersistent_timeout|ing_interval|r(?:efetch_lob_size|ivileged_connect))|statement_cache_size)|dbc.(?:(?:allow|check)_persistent|default(?:_(?:cursortype|db|pw|user)|binmode|lrl)|max_(?:links|persistent))|p(?:cache.(?:blacklist_filename|c(?:ache_id|onsistency_checks)|dups_fix|e(?:nable(?:_(?:cli|file_override))?|rror_log)|f(?:ast_shutdown|ile_(?:cache(?:_(?:consistency_checks|fallback|only))?|update_protection)|orce_restart_timeout
)|(?:huge_code_page|save_comment)s|in(?:herited_hack|terned_strings_buffer)|jit(?:_(?:b(?:isect_limit|(?:lacklist_(?:root|side)_trac|uffer_siz)e)|debug|hot_(?:func|loop|return|side_exit)|max_(?:exit_counter|(?:loop_unro|polymorphic_ca)ll|r(?:ecursive_(?:call|return)|oot_trace)|side_trace)s|prof_threshold))?|lo(?:ckfile_path|g_verbosity_level)|m(?:ax_(?:accelerated_files|(?:file_siz|wasted_percentag)e)|emory_consumption|map_base)|opt(?:_debug|imization)_level|pr(?:e(?:ferred_memory_model|load(?:_user)?)|otect_memory)|re(?:cord_warnings|strict_api|validate_(?:freq|path))|use_cwd|validate_(?:permission|root|timestamps))|en(?:_basedir|ssl.ca(?:file|path)))|utput_(?:(?:buffer|encod)ing|handler))|p(?:cre.(?:(?:backtrack|recursion)_lim|j)it|do(?:_odbc.(?:connection_pooling|db2_instance_name)|.dsn)|gsql.(?:a(?:llow|uto_reset)_persistent|(?:ignore|log)_notice|max_(?:links|persistent))|h(?:ar.(?:cache_list|re(?:adonly|quire_hash))|pdbg.(?:eol|path))|recision|ost_max_size)|r(?:e(?:alpath_cache_(?:size|ttl)|gister_argc_argv|port_(?:memleaks|zend_debug)|quest_order)|unkit.(?:internal_override|superglobal))|s(?:e(?:aslog.(?:appender(?:_retry)?|buffer_(?:disabled_in_cli|size)|d(?:efault_(?:basepath|datetime_format|logger|template)|isting_(?:(?:by_hou|folde)r|type))|ignore_warning|level|re(?:call_depth|mote_(?:hos|por|timeou)t)|t(?:hrow_exception|r(?:ace_(?:e(?:rror|xception)|notice|warning)|im_wrap))|use_buffer)|ndmail_(?:from|path)|rialize_precision|ssion.(?:auto_start|c(?:ache_(?:expire|limiter)|ookie_(?:domain|httponly|(?:lifetim|s(?:amesit|ecur))e|path))|entropy_(?:file|length)|gc_(?:divisor|maxlifetime|probability)|hash_(?:bits_per_character|function)|(?:lazy_writ|nam)e|referer_check|s(?:ave_(?:handler|path)|erialize_handler|id_(?:bits_per_character|length))|trans_sid_(?:host|tag)s|u(?:pload_progress.(?:cleanup|enabled|(?:min_)?freq|name|prefix)|se_(?:(?:only_)?cookies|strict_mode|trans_sid))))|hort_open_tag|mtp(?:_port)?|oap.wsdl_cache(?:_(?:dir|enabled|limit|ttl))?|ql(?:.sa
fe_mode|ite3.(?:defensive|extension_dir))|tomp.default_(?:broker|(?:connection|read)_timeout_u?sec)|woole.(?:aio_thread_num|display_errors|enable_(?:coroutine|library|preemptive_scheduler)|(?:fast_serializ|u(?:nixsock_buffer_siz|se_(?:namespac|shortnam)))e)|ys(?:_temp_dir|log.(?:f(?:acility|ilter)|ident)|vshm.init_mem))|t(?:aint.e(?:nable|rror_level)|idy.(?:clean_output|default_config)|ra(?:ck_errors|der.real_(?:precision|round_mode)))|u(?:nserialize_(?:callback_func|max_depth)|opz.(?:disable|exit|overloads)|pload(?:_(?:max_filesize|tmp_dir)|progress.file.filename_template)|rl_rewriter.(?:host|tag)s|ser_(?:agent|dir|ini.(?:cache_ttl|filename)))|v(?:8js.(?:flag|max_disposed_context)s|ariables_order|ld.(?:(?:activ|execut)e|skip_(?:ap|pre)pend))|w(?:in(?:cache.(?:chkinterval|enablecli|f(?:c(?:achesize|enabled(?:filter)?|ndetect)|ile(?:count|mapdir))|(?:ignorelis|namesal)t|maxfilesize|oc(?:achesize|enabled(?:filter)?)|reroute(?:_enabled|ini)|s(?:cachesize|rwlocks)|ttlmax|uc(?:achesize|enabled))|dows.show_crt_warning)|khtmltox.graphics)|x(?:bithack|hprof.output_dir|mlrpc_error(?:_number|s))|ya(?:c(?:.(?:compress_threshold|debug|enable(?:_cli)?|(?:key|value)s_memory_size|serializer)|onf.(?:check_dela|director)y)|f.(?:action_prefer|cache_config|environ|forward_limit|l(?:ibrary|owcase_path)|name_s(?:eparator|uffix)|use_(?:namespace|spl_autoload))|ml.(?:decode_(?:binary|(?:ph|timestam)p)|output_(?:canonical|indent|width))|r.(?:(?:connect_)?timeout|debug|expose_info|packager)|z.(?:keepalive|log_mask))|z(?:end(?:_extension|.(?:assertions|(?:detect_unicod|multibyt)e|e(?:nable_gc|xception_(?:ignore_args|string_param_max_len))|s(?:cript_encoding|ignal_check)))|lib.output_(?:compression(?:_level)?|handler)|ookeeper.(?:recv_timeout|sess(?:_lock_wait|ion_lock))))[\s\x0b]*=[^=]" \ + "id:933120,\ + phase:2,\ + block,\ + capture,\ + t:none,t:normalizePath,\ + msg:'PHP Injection Attack: Configuration Directive Found',\ + logdata:'Matched Data: %{TX.0} found within 
%{TX.933120_MATCHED_VAR_NAME}: %{TX.933120_MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-PHP',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.933120_matched_var=%{MATCHED_VAR}',\
+ setvar:'tx.933120_matched_var_name=%{MATCHED_VAR_NAME}',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# [ PHP Variables ]
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-variables.data" \
+ "id:933130,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:normalizePath,t:urlDecodeUni,\
+ msg:'PHP Injection Attack: Variables Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-PHP',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# [ PHP Variables ]
+#
+# Prevent accessing PHP variables using these methods:
+# ${'VARIABLE_NAME'}
+# $ {"VARIABLE_NAME"}
+# $ {'_VAR'.'IABLE_NAME'}
+# $ { $var}
+# $ { CONSTANT }
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx \$\s*\{\s*\S[^\{\}]*\}" \
+ "id:933135,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'PHP Injection Attack: Variable Access Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-PHP',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# [ PHP I/O Streams ]
+#
+# The "php://" syntax can be used to refer to various objects, such as local files (for LFI),
+# remote urls (for RFI), or standard input/request body. Its occurrence indicates a possible attempt
+# to either inject PHP code or exploit a file inclusion vulnerability in a PHP web app.
+#
+# Examples:
+# php://filter/resource=./../../../wp-config.php
+# php://filter/resource=http://www.example.com
+# php://stdin
+# php://input
+#
+# http://php.net/manual/en/wrappers.php.php
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" \
+ "id:933140,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'PHP Injection Attack: I/O Stream Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-PHP',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# [ PHP Wrappers ]
+#
+# PHP comes with many built-in wrappers for various URL-style protocols for use with the filesystem
+# functions such as fopen(), copy(), file_exists() and filesize(). Abusing of PHP wrappers like phar://
+# could lead to RCE as describled by Sam Thomas at BlackHat USA 2018 (https://bit.ly/2yaKV5X), even
+# wrappers like zlib://, glob://, rar://, zip://, etc... could lead to LFI and expect:// to RCE.
+#
+# Valid PHP wrappers can be found in the PHP documentation here:
+# https://www.php.net/manual/en/wrappers.php
+#
+# Regular expression generated from regex-assembly/933200.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 933200
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://" \
+ "id:933200,\
+ phase:2,\
+ block,\
+ t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\
+ msg:'PHP Injection Attack: Wrapper scheme detected',\
+ logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-PHP',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# [ PHP Functions ]
+#
+# Detecting PHP function names is useful to block PHP code injection attacks.
+# There are many PHP functions. We have to strike a balance between robust detection
+# of PHP code in content, and the risk of false positives.
+#
+# The list of PHP functions is divided into four groups of varying attack/false positive risk.
+# Four separate rules are used to detect these groups of functions:
+#
+# - Rule 933150: ~237 words highly common to PHP injection payloads and extremely rare in
+# natural language or other contexts.
+# Examples: 'base64_decode', 'file_get_contents'.
+# These words are detected as a match directly using @pmFromFile.
+# Function names are defined in php-function-names-933150.data
+#
+# - Rule 933160: ~36 words which are common in PHP code, but have a higher chance to cause
+# false positives in natural language or other contexts.
+# Examples: 'chr', 'eval'.
+# To mitigate false positives, a regexp looks for PHP function syntax, e.g. 'eval()'.
+# Regexp is generated from function names in /regexp-assemble/data/933160.ra
+#
+# - Rule 933151: ~2200 words of lesser importance. This includes most PHP functions and keywords.
+# Examples: 'addslashes', 'array_diff'.
+# For performance reasons, the @pmFromFile operator is used, and many functions from lesser
+# used PHP extensions are removed.
+# To mitigate false positives, we only match when the '(' character is also found.
+# This rule only runs in paranoia level 2 or higher.
+# Function names are defined in php-function-names-933151.data
+#
+# - Rule 933161: ~95 words with short or trivial names, possibly leading to false positives.
+# Examples: 'abs', 'cos'.
+# To mitigate false positives, a regexp matches on function syntax, e.g. 'abs()'.
+# This rule only runs in paranoia level 3 or higher.
+# Regexp is generated from function names in /regexp-assemble/data/933161.ra
+#
+
+
+#
+# [ PHP Functions: High-Risk PHP Function Names ]
+#
+# Rule 933150 contains a small list of function names which are highly indicative of a PHP
+# injection attack, for example 'base64_decode'.
+# We block these function names outright, without using a complex regexp or chain.
+# This could make the detection a bit more robust against possible bypasses.
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-function-names-933150.data" \
+ "id:933150,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'PHP Injection Attack: High-Risk PHP Function Name Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-PHP',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# [ PHP Functions: High-Risk PHP Function Calls ]
+#
+# Some PHP function names have a certain risk of false positives, due to short
+# names, full or partial overlap with common natural language terms, uses in
+# other contexts, et cetera. Some examples are 'eval', 'exec', 'system'.
+#
+# For these function names, we apply a regexp to look for PHP function syntax.
+# The regexp looks for a word boundary and adjoining parentheses.
+# For instance, we want to block 'eval()', but we want to allow 'medieval()'.
+#
+# We have to be careful of possible bypasses using comment syntax. Examples:
+#
+# system(...)
+# system (...)
+# system\t(...)
+# system /*comment*/ (...)
+# system /*multiline \n comment*/ (...)
+# system //comment \n (...)
+# system #comment \n (...)
+#
+# This rule is triggered by the following exploits as well, as they include the string 'exec(...)':
+# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
+# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45260 ]
+# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
+#
+# Regular expression generated from regex-assembly/933160.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 933160
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b\(?[\"']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|f(?:ile(?:group)?|open|puts)|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a)|m(?:d5|kdir)|o(?:pendir|rd)|p(?:assthru|open|r(?:intf|ev))|r(?:eadfile|trim)|s(?:t(?:rip_tags|at)|ubstr|ystem)|tmpfile|u(?:n(?:pac|lin)k|sort))(?:/(?:\*.*?\*/|/[^\n\r]*)|#[^\n\r]*|[\s\x0b\"])*[\"']*\)?[\s\x0b]*\([^\)]*\)" \
+ "id:933160,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'PHP Injection Attack: High-Risk PHP Function Call Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-PHP',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# [ PHP Object Injection ]
+#
+# PHP Object Injection is an application level vulnerability that could allow
+# an attacker to perform different kinds of malicious attacks, such as
+# Code Injection, SQL Injection, Path Traversal and Application Denial of Service,
+# depending on the context.
+#
+# The vulnerability occurs when user-supplied input is not properly sanitized
+# before being passed to the unserialize() PHP function. Since PHP allows object
+# serialization, attackers could pass ad-hoc serialized strings to a vulnerable
+# unserialize() call, resulting in an arbitrary PHP object(s) injection into the
+# application scope.
+#
+# https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
+#
+# In serialized form, PHP objects have the following format:
+#
+# O:8:"stdClass":1:{s:1:"a";i:2;}
+# O:3:"Foo":0:{}
+#
+# Also detected are PHP objects with a custom unserializer:
+# https://www.phpinternalsbook.com/php5/classes_objects/serialization.html
+# These have the following format:
+#
+# C:11:"ArrayObject":37:{x:i:0;a:1:{s:1:"a";s:1:"b";};m:a:0:{}}
+# C:3:"Foo":23:{s:15:"My private data";}
+#
+# HTTP headers are inspected, since PHP object injection vulnerabilities have been
+# found in applications parsing them:
+# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8562 (User-Agent header)
+# https://www.exploit-db.com/exploits/39033/ (X-Forwarded-For header)
+# http://karmainsecurity.com/KIS-2015-10 (Host header)
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|ARGS_NAMES|ARGS|XML:/* "@rx [oOcC]:\d+:\".+?\":\d+:\{.*}" \
+ "id:933170,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'PHP Injection Attack: Serialized Object Injection',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-PHP',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+
+#
+# [ PHP Functions: Variable Function Calls ]
+#
+# PHP 'variable functions' provide an alternate syntax for calling PHP functions.
+# http://php.net/manual/en/functions.variable-functions.php
+#
+# An attacker may use variable function syntax to evade detection of function
+# names during exploitation of a remote code execution vulnerability.
+# An example to use the 'file_get_contents' function while evading rule 933150:
+#
+# $fn = 'file_' . 'get_' . 'contents';
+# echo $fn('wp-co' . 'nfig.php');
+#
+# Some examples from obfuscated malware:
+#
+# $OOO0000O0(...)
+# @$b374k(...)
+# $_[@-_]($_[@!+_] )
+#
+# A breakdown of the regular expression:
+#
+# \$+
+# The variable's '$' char, or multiple '$' for 'variable variables':
+# http://php.net/manual/en/language.variables.variable.php
+# (?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*{.+})
+# One of the following:
+# - A variable name; regexp from http://php.net/language.variables.basics
+# - A nonempty expression for variable variables: ${'fn'} or $ {'fn'}
+# (?:\s|\[.+\]|{.+}|/\*.*\*/|//.*|#.*)*
+# Optional whitespace, array access, or comments
+# \(.*\)
+# Parentheses optionally containing function parameters
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx \$+(?:[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*|\s*\{.+})(?:\s|\[.+\]|\{.+}|/\*.*\*/|//.*|#.*)*\(.*\)" \
+ "id:933180,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'PHP Injection Attack: Variable Function Call Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-PHP',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# [ PHP Functions: Variable Function Prevent Bypass ]
+#
+# Referring to https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/
+# Regex test on https://regex101.com/r/x1tfXG/1
+# the rule 933180 could be bypassed by using the following payloads:
+#
+# - (system)('uname');
+# - (sy.(st).em)('uname');
+# - (string)"system"('uname');
+# - define('x', 'sys' . 'tem');(x)/* comment */('uname');
+# - $y = 'sys'.'tem';($y)('uname');
+# - define('z', [['sys' .'tem']]);(z)[0][0]('uname');
+# - (system)(ls);
+# - (/**/system)(ls/**/);
+# - (['system'])[0]('uname');
+# - (++[++system++][++0++])++{/*dsasd*/0}++(++ls++);
+#
+# This rule blocks all payloads above and avoids to block values like:
+#
+# - [ACME] this is a test (just a test)
+# - Test (with two) rounded (brackets)
+#
+# Regular expression generated from regex-assembly/933210.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 933210
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:\((?:.+\)(?:[\"'][\-0-9A-Z_a-z]+[\"'])?\(.+|[^\)]*string[^\)]*\)[\s\x0b\"'\-\.0-9A-\[\]_a-\{\}]+\([^\)]*)|(?:\[[0-9]+\]|\{[0-9]+\}|\$[^\(\),\./;\x5c]+|[\"'][\-0-9A-Z\x5c_a-z]+[\"'])\(.+)\);" \
+ "id:933210,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,t:replaceComments,t:removeWhitespace,\
+ msg:'PHP Injection Attack: Variable Function Call Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-PHP',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+#
+# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
+#
+
+#
+# [ PHP Functions: Medium-Risk PHP Function Names ]
+#
+# In paranoia level 2, we add additional checks for most PHP functions.
+#
+# The size of the PHP function list is considerable.
+# Even after excluding the more obscure PHP extensions, 1300+ functions remain.
+# For performance reasons, this rule now uses a singular regex, without any capturing.
+# Due to regex size limitations in Modsecurity 2 with httpd, this is currently split
+# out into 3 seperate regex assembly includes: php-function-names-933151,
+# php-function-names-933152, and php-function-names-933153, which correspond
+# to 933151, 933152, and 933153 respectively.
+#
+# This approach carries some risk for false positives. Therefore, the function list
+# has been curated to remove words closely matching natural language and terms often
+# used in other contexts.
+#
+# This rule is a stricter sibling of rule 933150.
+#
+# Regular expression generated from regex-assembly/933151.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 933151 +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:c(?:cel_chdir|osh?)|ddc?slashes|pache_(?:child_terminate|get(?:_(?:modules|version)|env)|lookup_uri|note |re(?:quest|sponse)_headers|setenv)|r(?:ray_(?:c(?:h(?:ange_key_case|unk)|o(?:lumn|mbine|unt_values))|diff(?:_(?:assoc|key|u(?:assoc|key)))?|f(?:ill(?:_keys)?|lip)|i(?:ntersect(?:_(?:assoc|key|u(?:assoc|key)))?|s_list)|key(?:_(?:fir|la)st|s)|m(?:ap|erge(?:_recursive)?|ultisort)|p(?:ad|op|roduct)|r(?:and|e(?:(?:duc|vers)e|place(?:_recursive)?))|s(?:earch|p?lice|um)|u(?:(?:diff|intersect)(?:_u?assoc)?|n(?:ique|shift))|walk(?:_recursive)?)|sort)|s(?:inh|ort|sert_options)|tan[2h]?)|b(?:ase(?:64_(?:de|en)code|_convert)|c(?:add|comp|div|m(?:od|ul)|pow(?:mod)?|s(?:cale|qrt|ub))|in(?:2hex|d(?:_textdomain_codeset|ec|textdomain))|oolval|z(?:(?:de)?compress|err(?:no|(?:o|st)r)|open|read))|c(?:al(?:_(?:days_in_month|(?:from|to)_jd|info)|l_user_func_array)|eil|h(?:(?:di)?r|grp|mod|own|unk_split)|l(?:ass_(?:alia|(?:implem|par)ent|use)s|earstatcache|ose(?:dir|log))|o(?:llator_(?:asort|c(?:ompar|reat)e|get_(?:(?:attribut|error_(?:cod|messag)|local)e|s(?:ort_key|trength))|s(?:et_(?:attribute|strength)|ort(?:_with_sort_keys)?))|m_(?:create_guid|event_sink|get_active_object|load_typelib|message_pump|print_typeinfo)|n(?:fig_get_hash|nection_(?:aborted|status)|vert_uu(?:de|en)code)|unt_chars)|rc32|type_(?:al(?:num|pha)|cntrl|(?:x?digi|p(?:rin|unc))t|graph|(?:low|upp)er|space)|url_(?:(?:c(?:los|opy_handl)|file_creat|paus)e|e(?:rr(?:no|or)|scape|xec)|getinfo|(?:ini|rese)t|multi_(?:(?:(?:add|remove)_handl|clos)e|e(?:rrno|xec)|getcontent|in(?:fo_read|it)|s(?:e(?:lec|top)t|trerror))|s(?:etopt(?:_array)?|hare_(?:close|errno|init|s(?:etopt|trerror))|trerror)|u(?:nescape|pkeep)|version))|d(?:ate(?:_(?:
add|create(?:_(?:from_format|immutable(?:_from_format)?))?|d(?:(?:ate_s|efault_timezone_[gs])et|iff)|(?:forma|(?:offset_g|time(?:_s|(?:stamp|zone)_[gs]))e)t|get_last_errors|i(?:nterval_(?:create_from_date_string|format)|sodate_set)|modify|parse(?:_from_format)?|su(?:b|n(?:_info|rise|set)))|fmt_(?:(?:creat|localtim|pars)e|format(?:_object)?|get_(?:calendar(?:_object)?|(?:datetyp|error_(?:cod|messag)|local)e|pattern|time(?:type|zone(?:_id)?))|is_lenient|set_(?:calendar|lenient|pattern|timezone)))|ba_(?:(?:clos|delet|replac)e|(?:exist|handler)s|f(?:etch|irstkey)|(?:inser|key_spli|lis)t|nextkey|op(?:en|timize)|popen|sync)|(?:cn?)?gettext|e(?:bug_(?:(?:print_)?backtrace|zval_dump)|c(?:bin|hex)|flate_(?:add|init)|g2rad)|isk_(?:free|total)_space|l_test_test[12]|n(?:gettext|s_(?:check_record|get_(?:mx|record)))|om_import_simplexml)|e(?:aster_da(?:te|ys)|n(?:chant_(?:broker_(?:d(?:escribe|ict_exists)|free(?:_dict)?|get_(?:dict_path|error)|(?:ini|request_(?:pwl_)?dic)t|list_dicts|set_(?:dict_path|ordering))|dict_(?:add(?:_to_session)?|(?:quick_)?check|describe|get_error|is_added|s(?:tore_replacemen|ugges)t))|um_exists)|rror_(?:(?:clear|get)_last|(?:lo|reportin)g)|scapeshell(?:arg|cmd)|x(?:if_(?:imagetype|read_data|t(?:agname|humbnail))|pm1|tension_loaded))|f(?:astcgi_finish_request|d(?:atasync|iv)|eof|f(?:i_trampoline|lush)|get(?:c(?:sv)?|s)|i(?:l(?:e_put_contents|ter_(?:has_var|i(?:d|nput(?:_array)?)|list|var(?:_array)?))|nfo_(?:buffer|(?:clos|fil)e|open|set_flags))|loatval|(?:mo|re(?:a|nchtoj))d|nmatch|orward_static_call(?:_array)?|p(?:assthru|m_get_status|rintf|utcsv)|s(?:canf|eek|ockopen|tat|ync)|t(?:ell|ok|p_(?:a(?:lloc|ppend)|c(?:dup|h(?:dir|mod)|lose|onnect)|delete|exec|f(?:ge|pu)t|get(?:_option)?|login|m(?:dtm|kdir|lsd)|n(?:b_(?:continue|(?:f(?:ge|pu)|ge|pu)t)|list)|p(?:asv|ut|wd)|r(?:aw(?:list)?|ename|mdir)|s(?:et_option|(?:i[tz]|ystyp)e|sl_connect))|runcate)|unc_(?:get_args?|num_args)|write)|g(?:c_(?:(?:(?:collect_cycl|mem_cach)e|statu)s|disable|enabled?)|d_info|et(
?:_(?:browser|c(?:(?:alled_clas|lass_(?:method|var))s|(?:fg_va|urrent_use)r)|de(?:bug_type|(?:clared_(?:(?:class|interfac)e|trait)|fined_(?:constant|function|var))s)|(?:extension_func|loaded_extension|m(?:angled_object_var|eta_tag)|parent_clas)s|h(?:eaders|tml_translation_table)|include(?:_path|d_files)|o(?:bject_vars|pen_basedir)|resource(?:_(?:id|type)|s))|(?:cw|lastmo)d|(?:dat|rusag)e|env|host(?:by(?:addr|namel?)|name)|imagesize(?:fromstring)?|my(?:[gpu]id|inode)|opt|protobyn(?:ame|umber)|servby(?:name|port)|t(?:ext|imeofday|ype))|m(?:(?:dat|(?:mk|strf)tim)e|p_(?:a(?:bs|[dn]d)|binomial|c(?:lrbit|mp|om)|div(?:_(?:qr?|r)|exact)|(?:expor|fac|hamdis|testbi)t|gcd(?:ext)?|i(?:mport|n(?:(?:i|ver)t|tval))|jacobi|(?:kronecke|x?o)r|l(?:cm|egendre)|m(?:od|ul)|ne(?:g|xtprime)|p(?:erfect_(?:power|square)|o(?:pcount|wm?)|rob_prime)|r(?:andom_(?:bits|range|seed)|oot(?:rem)?)|s(?:can[01]|etbit|ign|qrt(?:rem)?|trval|ub)))|r(?:apheme_(?:extract|s(?:tr(?:i(?:pos|str)|len|(?:ri?)?pos|str)|ubstr))|egoriantojd)|z(?:(?:un)?compress|(?:de(?:cod|flat)|encod|fil|inflat)e|open))|h(?:ash_(?:(?:algo|equal)s|copy|fi(?:le|nal)|h(?:kdf|mac(?:_(?:algos|file))?)|init|pbkdf2|update(?:_(?:file|stream))?)|e(?:ader(?:_re(?:gister_callback|move)|s_(?:lis|sen)t)|brev|x(?:2bin|dec))|ighlight_(?:file|string)|rtime|t(?:ml(?:(?:_entity|specialchars)_decode|entities)|tp_(?:build_query|response_code))|ypot)|i(?:conv(?:_(?:get_encoding|mime_(?:decode(?:_headers)?|encode)|s(?:et_encoding|tr(?:len|r?pos)|ubstr)))?|dn_to_(?:ascii|utf8)|gnore_user_abort|ma(?:ge(?:_type_to_(?:extension|mime_type)|a(?:ffine(?:matrix(?:conca|ge)t)?|lphablending|ntialias|rc|vif)|(?:bm|w(?:bm|eb))p|c(?:har(?:up)?|o(?:lor(?:a(?:llocate(?:alpha)?|t)|closest(?:alpha|hwb)?|deallocate|(?:exact|resolve)(?:alpha)?|match|s(?:et|forindex|total)|transparent)|nvolution|py(?:merge(?:gray)?|res(?:ampl|iz)ed)?)|r(?:eate(?:from(?:avif|(?:bm|w(?:bm|eb))p|g(?:d(?:2(?:part)?)?|if)|(?:jpe|(?:p|stri)n)g|tga|x[bp]m)|truecolor)?|op(?:auto)?))|d(?:ashedline
|estroy)|ellipse|f(?:il(?:l(?:ed(?:arc|(?:ellips|rectangl)e|polygon)|toborder)?|ter)|lip|ont(?:height|width)|t(?:bbox|text))|g(?:ammacorrect|d2?|et(?:clip|interpolation)|if|rab(?:screen|window))|i(?:nterlace|struecolor)|jpeg|l(?:(?:ayereffec|oadfon)t|ine)|openpolygon|p(?:alette(?:copy|totruecolor)|ng|olygon)|r(?:e(?:ctangle|solution)|otate)|s(?:avealpha|cale|et(?:brush|clip|interpolation|pixel|style|t(?:hickness|ile))|tring(?:up)?|[xy])|t(?:ruecolortopalette|ypes)|xbm)|p_(?:(?:8bi|qprin)t|a(?:lerts|ppend)|b(?:ase64|inary|ody(?:struct)?)|c(?:heck|l(?:earflag_full|ose)|reatemailbox)|delete(?:mailbox)?|e(?:rrors|xpunge)|fetch(?:_overview|body|header|(?:mim|structur)e)|g(?:c|et(?:_quota(?:root)?|acl|mailboxes|subscribed))|header(?:info|s)|(?:is_)?open|l(?:ast_error|ist(?:scan)?|sub)|m(?:ail(?:_(?:co(?:mpose|py)|move)|boxmsginfo)?|ime_header_decode|sgno|utf7_to_utf8)|num_(?:msg|recent)|ping|r(?:e(?:namemailbox|open)|fc822_(?:parse_(?:adrlist|headers)|write_address))|s(?:avebody|e(?:arch|t(?:_quota|(?:ac|flag_ful)l))|ort|tatus|ubscribe)|t(?:hread|imeout)|u(?:id|n(?:delet|subscrib)e|tf(?:7_(?:de|en)code|8(?:_to_mutf7)?))))|n(?:_array|et_(?:ntop|pton)|flate_(?:add|get_(?:read_len|status)|init)|i_(?:get(?:_all)?|parse_quantity|restore|set)|t(?:div|erface_exists|l(?:_(?:error_nam|get_error_(?:cod|messag)|is_failur)e|cal_(?:a(?:dd|fter)|(?:befor|f(?:ield_differenc|rom_date_tim)|to_date_tim)e|c(?:lear|reate_instance)|equals|get(?:_(?:a(?:ctual_m(?:ax|in)imum|vailable_locales)|(?:day_of_week_typ|error_(?:cod|messag)|keyword_values_for_local)e|first_day_of_week|greatest_minimum|l(?:east_maximum|ocale)|m(?:aximum|inim(?:al_days_in_first_week|um))|now|(?:(?:repeat|skipp)ed_wall_time_op|weekend_transi)tion|t(?:ime(?:_zone)?|ype)))?|i(?:n_daylight_time|s_(?:equivalent_to|(?:lenien|se)t|weekend))|roll|set(?:_(?:(?:first_day_of|minimal_days_in_first)_week|lenient|(?:repeat|skipp)ed_wall_time_option|time(?:_zone)?))?)|gregcal_(?:(?:create_instanc|[gs]et_gregorian_chang)e|is_leap_year)|t
z_(?:c(?:ount_equivalent_ids|reate_(?:default|enumeration|time_zone(?:_id_enumeration)?))|(?:(?:from|to)_date_time_zon|use_daylight_tim)e|get_(?:(?:canonical|windows)_id|d(?:isplay_name|st_savings)|e(?:quivalent_id|rror_(?:cod|messag)e)|(?:gm|offse)t|id(?:_for_windows_id)?|r(?:aw_offset|egion)|(?:tz_data_versio|unknow)n)|has_same_rules))))|p(?:2long|tc(?:embed|parse))|s_(?:bool|(?:(?:(?:c(?:all|ount)|(?:execu|wri)t)ab|uploaded_fi)l|i(?:nfinit|terabl)|re(?:adabl|sourc))e|f(?:i(?:l|nit)e|loat)|link|nan|s(?:calar|oap_fault|tring|ubclass_of))|terator_(?:(?:appl|to_arra)y|count))|j(?:d(?:dayofweek|monthname|to(?:french|gregorian|j(?:ewish|ulian)|unix))|(?:ewish|ulian)tojd|son_(?:last_error(?:_msg)?|validate)))[\s\x0b]*\(" \ + "id:933151,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'PHP Injection Attack: Medium-Risk PHP Function Name Found',\ + logdata:'Matched Data: %{TX.0} found within %{TX.933151_MATCHED_VAR_NAME}: %{TX.933151_MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-PHP',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.933151_matched_var=%{MATCHED_VAR}',\ + setvar:'tx.933151_matched_var_name=%{MATCHED_VAR_NAME}',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# This rule is a sibling of rule 933151. +# +# Regular expression generated from regex-assembly/933152.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 933152 +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:kr?sort|l(?:c(?:first|g_value|h(?:grp|own))|dap_(?:8859_to_t61|(?:ad|bin)d(?:_ext)?|co(?:mpare|nnect(?:_wallet)?|unt_(?:entri|referenc)es)|d(?:elete(?:_ext)?|n2ufn)|e(?:rr(?:(?:2st|o)r|no)|scape|x(?:op(?:_(?:passwd|refresh|sync|whoami))?|plode_dn))|f(?:irst_(?:(?:attribut|referenc)e|entry)|ree_result)|get_(?:(?:attribut|entri)es|(?:d|optio|values_le)n)|list|mod(?:_(?:add|del|replace)(?:_ext)?|ify_batch)|next_(?:(?:attribut|referenc)e|entry)|parse_(?:exop|re(?:ference|sult))|re(?:ad|name(?:_ext)?)|s(?:asl_bind|e(?:arch|t_(?:option|rebind_proc))|tart_tls)|t61_to_8859|unbind)|evenshtein|i(?:bxml_(?:(?:clear|use_internal)_errors|disable_entity_loader|get_(?:e(?:rrors|xternal_entity_loader)|last_error)|set_(?:external_entity_loader|streams_context))|nkinfo|tespeed_(?:finish_request|re(?:quest|sponse)_headers))|o(?:cal(?:e(?:_(?:(?:accept_from_htt|looku)p|(?:c(?:anonicaliz|ompos)|pars)e|filter_matches|get_(?:(?:all_variant|keyword)s|d(?:efault|isplay_(?:(?:languag|nam)e|region|(?:scrip|varian)t))|primary_language|region|script)|set_default)|conv)|time)|g1[0p]|ng2ip)|stat|trim)|m(?:b_(?:c(?:h(?:eck_encoding|r)|onvert_(?:case|encoding|kana|variables))|de(?:code_(?:mimeheader|numericentity)|tect_(?:encoding|order))|e(?:ncod(?:e_(?:mimeheader|numericentity)|ing_aliases)|reg(?:_(?:match|replace(?:_callback)?|search(?:_(?:(?:get(?:po|reg)|(?:set)?po|reg)s|init))?)|i(?:_replace)?)?)|get_info|http_(?:in|out)put|internal_encoding|l(?:anguage|ist_encodings)|o(?:rd|utput_handler)|p(?:arse_str|referred_mime_name)|regex_(?:encoding|set_options)|s(?:crub|end_mail|plit|tr(?:_(?:pad|split)|cut|i(?:mwidth|pos|str)|len|pos|r(?:chr|i(?:chr|pos)|pos)|(?:st|to(?:low|upp)e)r|width)|ubst(?:itute_character|r(?
:_count)?)))|(?:(?:d5|ove_uploaded)_fil|e(?:mory_(?:get_(?:peak_)?|reset_peak_)usag|taphon)|i(?:crotim|me_content_typ))e|hash(?:_(?:count|get_(?:block_siz|hash_nam)e|keygen_s2k))?|k(?:dir|time)|sg(?:_(?:(?:get_queu|re(?:ceiv|move_queu))e|queue_exists|s(?:e(?:nd|t_queue)|tat_queue))|fmt_(?:create|(?:format|parse)(?:_message)?|get_(?:(?:error_(?:cod|messag)|local)e|pattern)|set_pattern))|t_(?:getrandmax|s?rand)|ysqli_(?:a(?:ffected_rows|utocommit)|begin_transaction|c(?:ha(?:nge_user|racter_set_name)|lose|o(?:mmit|nnect(?:_err(?:no|or))?))|d(?:ata_seek|ebug|ump_debug_info)|e(?:rr(?:no|or(?:_list)?)|xecute_query)|f(?:etch_(?:a(?:ll|rray|ssoc)|column|field(?:_direct|s)?|lengths|object|row)|ield_(?:count|seek|tell)|ree_result)|get_(?:c(?:harset|lient_(?:info|stats|version)|onnection_stats)|(?:host|proto)_info|(?:links_stat|warning)s|server_(?:info|version))|in(?:fo|it|sert_id)|kill|m(?:ore_results|ulti_query)|n(?:ext_result|um_(?:field|row)s)|options|p(?:ing|oll|repare)|query|r(?:e(?:a(?:l_(?:connect|escape_string|query)|p_async_query)|fresh|(?:lease_savepoin|por)t)|ollback)|s(?:(?:avepoin|sl_se)t|e(?:lect_db|t_charset)|qlstate|t(?:(?:a|ore_resul)t|mt_(?:a(?:ffected_rows|ttr_[gs]et)|bind_(?:param|result)|close|data_seek|e(?:rr(?:no|or(?:_list)?)|xecute)|f(?:etch|(?:ield_coun|ree_resul)t)|get_(?:result|warnings)|in(?:it|sert_id)|more_results|n(?:ext_result|um_rows)|p(?:aram_count|repare)|res(?:et|ult_metadata)|s(?:end_long_data|qlstate|tore_result))))|thread_(?:id|safe)|(?:use_resul|warning_coun)t))|n(?:(?:at(?:case)?sor|gettex)t|et_get_interfaces|l(?:2br|_langinfo)|ormalizer_(?:get_raw_decomposition|is_normalized|normalize)|umfmt_(?:create|(?:format|parse)(?:_currency)?|get_(?:(?:(?:text_)?attribut|error_(?:cod|messag)|local)e|pattern|symbol)|set_(?:(?:text_)?attribute|pattern|symbol)))|o(?:b_(?:clean|end_(?:clean|flush)|(?:implicit_)?flush|g(?:et_(?:c(?:lean|ontents)|flush|le(?:ngth|vel)|status)|zhandler)|list_handlers)|c(?:i(?:_(?:(?:bind_(?:array_)?|define_)by_name|c(?
:ancel|l(?:ient_version|ose)|o(?:llection_(?:a(?:ppend|ssign)|element_(?:assign|get)|max|size|trim)|(?:mmi|nnec)t))|e(?:rror|xecute)|f(?:etch(?:_(?:a(?:ll|rray|ssoc)|object|row))?|ield_(?:is_null|(?:nam|s(?:cal|iz))e|precision|type(?:_raw)?)|ree_(?:collection|descriptor|statement))|get_implicit_resultset|lob_(?:(?:appen|loa|re(?:a|win))d|copy|e(?:of|rase|xport)|flush|i(?:mport|s_equal)|s(?:(?:av|iz)e|eek)|t(?:ell|runcate)|write)|n(?:ew_(?:c(?:o(?:llection|nnect)|ursor)|descriptor)|um_(?:field|row)s)|p(?:a(?:rs|ssword_chang)e|connect)|r(?:e(?:gister_taf_callback|sult)|ollback)|s(?:e(?:rver_version|t_(?:(?:ac|db_opera|edi)tion|c(?:all_timeout|lient_i(?:dentifier|nfo))|module_name|prefetch(?:_lob)?))|tatement_type)|unregister_taf_callback)|fetchinto|[gs]etbufferinglob)|tdec)|dbc_(?:autocommit|(?:binmod|data_sourc)e|c(?:lose(?:_all)?|o(?:lumn(?:privilege)?s|mmit|nnect(?:ion_string_(?:is_quoted|(?:should_)?quote))?)|ursor)|e(?:rror(?:msg)?|xec(?:ute)?)|f(?:etch_(?:array|into|object|row)|ield_(?:len|n(?:ame|um)|(?:scal|typ)e)|oreignkeys|ree_result)|gettypeinfo|longreadlen|n(?:ext_result|um_(?:field|row)s)|p(?:connect|r(?:epare|(?:imarykey|ocedure(?:column)?)s))|r(?:esult(?:_all)?|ollback)|s(?:etoption|(?:pecialcolumn|tatistic)s)|table(?:privilege)?s)|p(?:cache_(?:compile_file|get_(?:configuration|status)|i(?:nvalidate|s_script_cached)|reset)|en(?:dir|log|ssl_(?:c(?:ipher_(?:iv|key)_length|ms_(?:(?:de|en)crypt|read|sign|verify)|sr_(?:export(?:_to_file)?|get_(?:public_key|subject)|new|sign))|d(?:(?:ecryp|iges)t|h_compute_key)|e(?:ncrypt|rror_string)|(?:get_(?:c(?:ert_location|ipher_method|urve_name)|md_method)|random_pseudo_byte)s|open|p(?:bkdf2|k(?:cs(?:12_(?:export(?:_to_file)?|read)|7_(?:(?:de|en)crypt|read|sign|verify))|ey_(?:(?:deriv|fre)e|export(?:_to_file)?|get_(?:details|p(?:rivate|ublic))|new))|(?:rivate|ublic)_(?:de|en)crypt)|s(?:eal|ign|pki_(?:export(?:_challenge)?|new|verify))|verify|x509_(?:check(?:_private_key|purpose)|export(?:_to_file)?|f(?:ingerprint|ree)|p
arse|read|verify))))|utput_(?:add_rewrite_var|reset_rewrite_vars))|p(?:a(?:rse_(?:ini_(?:file|string)|str)|ss(?:thru|word_(?:algos|get_info|(?:needs_re)?hash|verify))|thinfo)|c(?:lose|ntl_(?:a(?:larm|sync_signals)|exec|forkx?|get(?:_last_error|priority)|rfork|s(?:etpriority|ig(?:nal(?:_(?:dispatch|get_handler))?|procmask|timedwait|waitinfo)|trerror)|unshare|w(?:ait(?:pid)?|exitstatus|if(?:continu|exit|s(?:ignal|topp))ed|(?:stop|term)sig)))|do_drivers|fsockopen|g_(?:(?:affected_row|num_(?:field|row)|option)s|c(?:ancel_query|l(?:ient_encoding|ose)|o(?:n(?:nect(?:_poll|ion_(?:busy|reset|status))?|(?:sume_inpu|ver)t)|py_(?:from|to)))|d(?:bnam|elet)e|e(?:n(?:d_copy|ter_pipeline_mode)|scape_(?:bytea|identifier|literal|string)|x(?:ecut|it_pipeline_mod)e)|f(?:etch_(?:a(?:ll(?:_columns)?|rray|ssoc)|object|r(?:esult|ow))|ield(?:_(?:is_null|n(?:ame|um)|prtlen|size|t(?:able|ype(?:_oid)?))|isnull|prtlen)|lush|ree_result)|get_(?:notify|pid|result)|(?:hos|inser)t|l(?:ast_(?:error|notice|oid)|o_(?:(?:c(?:los|reat)|writ)e|(?:ex|im)port|open|read(?:_all)?|(?:see|unlin)k|t(?:ell|runcate)))|meta_data|p(?:arameter_status|(?:connec|or)t|i(?:ng|peline_s(?:tatus|ync))|(?:repar|ut_lin)e)|query(?:_params)?|result_(?:error(?:_field)?|s(?:eek|tatus))|s(?:e(?:lect|nd_(?:(?:execut|prepar)e|query(?:_params)?)|t_(?:client_encoding|error_(?:context_visibil|verbos)ity))|ocket)|t(?:ra(?:ce|nsaction_status)|ty)|u(?:n(?:escape_bytea|trace)|pdate)|version)|hp(?:_(?:ini_(?:loaded_file|scanned_files)|(?:s(?:api_nam|trip_whitespac)|unam)e)|credits|dbg_(?:break_(?:f(?:ile|unction)|method|next)|c(?:lea|olo)r|e(?:nd_oplog|xec)|get_executable|prompt|start_oplog)|info|version)|osix_(?:e?access|ctermid|f?pathconf|get(?:_last_error|(?:cw|(?:e[gu]|[su])i)d|g(?:id|r(?:gid|nam|oups))|login|p(?:g(?:id|rp)|p?id|w(?:nam|uid))|rlimit)|i(?:nitgroups|satty)|kill|mk(?:fifo|nod)|s(?:et(?:(?:e[gu]|p?g|[su])id|rlimit)|trerror|ysconf)|t(?:imes|tyname)|uname)|r(?:eg_(?:filter|grep|last_error(?:_msg)?|match_all|quote|replace_cal
lback(?:_array)?|split)|o(?:c_(?:(?:clos|nic|terminat)e|get_status|open)|perty_exists))|spell_(?:add_to_(?:personal|session)|c(?:heck|lear_session|onfig_(?:(?:creat|ignor|mod)e|d(?:ata|ict)_dir|(?:persona|save_rep)l|r(?:epl|untogether)))|new(?:_(?:config|personal))?|s(?:(?:ave_wordli|ugge)s|tore_replacemen)t)|utenv)|quote(?:d_printable_(?:de|en)code|meta))[\s\x0b]*\(" \ + "id:933152,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'PHP Injection Attack: Medium-Risk PHP Function Name Found',\ + logdata:'Matched Data: %{TX.0} found within %{TX.933152_MATCHED_VAR_NAME}: %{TX.933152_MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-PHP',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.933152_matched_var=%{MATCHED_VAR}',\ + setvar:'tx.933152_matched_var_name=%{MATCHED_VAR_NAME}',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# This rule is a sibling of rule 933151. +# +# Regular expression generated from regex-assembly/933153.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 933153 +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:r(?:a(?:d2deg|ndom_(?:bytes|int)|wurl(?:de|en)code)|e(?:a(?:d(?:dir|(?:gz)?file|lin(?:e(?:_(?:(?:(?:add|list|write)_histor|re(?:ad_histor|displa))y|c(?:allback_(?:handler_(?:install|remove)|read_char)|lear_history|ompletion_function)|info|on_new_line))?|k))|lpath(?:_cache_(?:get|size))?)|gister_(?:shutdown|tick)_function|s(?:ourcebundle_(?:c(?:ount|reate)|get(?:_error_(?:cod|messag)e)?|locales)|tore_e(?:rror|xception)_handler)|wind(?:dir)?)|mdir|sort)|s(?:api_windows_(?:cp_(?:conv|[gs]et|is_utf8)|(?:generate_ctrl_even|vt100_suppor)t|set_ctrl_handler)|candir|e(?:m_(?:(?:acquir|re(?:leas|mov))e|get)|ssion_(?:(?:abor|unse)t|c(?:ache_(?:expire|limiter)|reate_id)|de(?:code|stroy)|(?:encod|(?:module_)?nam|write_clos)e|g(?:c|et_cookie_params)|id|re(?:g(?:enerate_id|ister_shutdown)|set)|s(?:ave_path|et_(?:cookie_params|save_handler)|ta(?:rt|tus)))|t(?:_(?:e(?:rror|xception)_handler|include_path|time_limit)|(?:(?:raw)?cooki|local)e))|h(?:a1(?:_file)?|ell_exec|m(?:_(?:(?:at|de)tach|(?:(?:ge|pu)t|has)_var|remove(?:_var)?)|op_(?:(?:clos|(?:dele|wri)t|siz)e|open|read)))|i(?:m(?:ilar_text|plexml_(?:import_dom|load_(?:file|string)))|nh)|nmp(?:[23]_(?:get(?:next)?|(?:real_)?walk|set)|_(?:get_(?:quick_print|valueretrieval)|read_mib|set_(?:(?:(?:enum|quick)_prin|oid_output_forma)t|valueretrieval))|get(?:next)?|(?:real)?walk|set)|o(?:cket_(?:a(?:ccept|ddrinfo_(?:bind|connect|explain|lookup)|tmark)|bind|c(?:l(?:ear_error|ose)|msg_space|onnect|reate(?:_(?:listen|pair))?)|(?:ex|im)port_stream|get(?:_option|(?:peer|sock)name)|l(?:ast_error|isten)|re(?:ad|cv(?:from|msg)?)|s(?:e(?:lect|nd(?:msg|to)?|t_(?:(?:non)?block|option))|hutdown|trerror)|w(?:rite|saprotocol_info_(?:(?:ex|im)port|release)))|dium_(?:(
?:ad|(?:un)?pa)d|b(?:ase642bin|in2(?:base64|hex))|c(?:ompare|rypto_(?:a(?:ead_(?:aes256gcm_(?:(?:de|en)crypt|is_available|keygen)|chacha20poly1305_(?:(?:de|en)crypt|ietf_(?:(?:de|en)crypt|keygen)|keygen)|xchacha20poly1305_ietf_(?:(?:de|en)crypt|keygen))|uth(?:_(?:keygen|verify))?)|box(?:_(?:keypair(?:_from_secretkey_and_publickey)?|open|publickey(?:_from_secretkey)?|se(?:al(?:_open)?|cretkey|ed_keypair)))?|core_ristretto255_(?:add|from_hash|is_valid_point|random|s(?:calar_(?:add|(?:complemen|inver)t|mul|negate|r(?:andom|educe)|sub)|ub))|generichash(?:_(?:final|init|keygen|update))?|k(?:df_(?:derive_from_key|keygen)|x_(?:client_session_keys|keypair|publickey|se(?:cretkey|ed_keypair|rver_session_keys)))|pwhash(?:_s(?:cryptsalsa208sha256(?:_str(?:_verify)?)?|tr(?:_(?:needs_rehash|verify))?))?|s(?:calarmult(?:_ristretto255(?:_base)?)?|ecret(?:box(?:_(?:keyg|op)en)?|stream_xchacha20poly1305_(?:(?:init_)?pu(?:ll|sh)|keygen|rekey))|horthash(?:_keygen)?|ign(?:_(?:(?:verify_)?detached|ed25519_[ps]k_to_curve25519|keypair(?:_from_secretkey_and_publickey)?|open|publickey(?:_from_secretkey)?|se(?:cretkey|ed_keypair)))?|tream(?:_(?:keygen|x(?:chacha20(?:_(?:keygen|xor(?:_ic)?))?|or)))?)))|hex2bin|increment|mem(?:cmp|zero))|undex)|p(?:l_(?:autoload(?:_(?:call|(?:extens|funct)ions|(?:un)?register))?|classes|object_(?:hash|id))|rintf)|qrt|scanf|tr(?:_(?:contains|(?:decreme|word_cou)nt|ends_with|getcsv|i(?:ncrement|replace)|pad|r(?:epeat|ot13)|s(?:huffle|plit|tarts_with))|c(?:(?:asec)?mp|oll|spn)|eam_(?:bucket_(?:(?:ap|pre)pend|make_writeable|new)|co(?:ntext_(?:create|get_(?:default|(?:option|param)s)|set_(?:default|options?|params))|py_to_stream)|filter_(?:(?:ap|pre)pend|re(?:gister|move))|get_(?:(?:(?:conten|transpor)t|(?:filt|wrapp)er)s|line|meta_data)|is(?:_local|atty)|resolve_include_path|s(?:e(?:lect|t_(?:blocking|chunk_size|(?:read|write)_buffer|timeout))|ocket_(?:(?:accep|clien)t|enable_crypto|get_name|pair|recvfrom|s(?:e(?:ndto|rver)|hutdown))|upports_lock)|wrapper_(?:re(?:g
ister|store)|unregister))|ftime|i(?:p(?:c?slashe|o)s|str)|n(?:at)?c(?:asec)?mp|p(?:brk|time)|r(?:chr|ev|i?pos)|s(?:pn|tr)|t(?:ok|r)|val)|ubstr_(?:co(?:mpare|unt)|replace)|ys_get(?:_temp_dir|loadavg))|t(?:anh|e(?:mpnam|st[12]|xtdomain)|i(?:dy_(?:(?:access|error|warning)_count|c(?:lean_repair|onfig_count)|diagnose|get(?:_(?:body|config|error_buffer|h(?:ead|tml(?:_ver)?)|o(?:pt_doc|utput)|r(?:elease|oot)|status)|opt)|is_x(?:ht)?ml|(?:parse|repair)_(?:file|string))|me(?:_(?:nanosleep|sleep_until)|zone_(?:(?:(?:abbreviation|identifier)s_lis|(?:(?:locat|vers)ion|transitions)_ge)t|name_(?:from_abbr|get)|o(?:ffset_get|pen))))|mpfile|oken_(?:get_all|name)|r(?:a(?:it_exists|nsliterator_(?:create(?:_(?:from_rules|inverse))?|(?:get_error_(?:cod|messag)|transliterat)e|list_ids))|igger_error))|u(?:[ak]sort|cwords|mask|n(?:i(?:qi|xtoj)d|register_tick_function)|(?:rlde|tf8_(?:de|en))code|s(?:e_soap_error_handler|leep|ort))|v(?:ar(?:_(?:dump|export)|iant_(?:a(?:bs|[dn]d)|c(?:as?t|mp)|d(?:ate_(?:from|to)_timestamp|iv)|eqv|fix|get_type|i(?:div|mp|nt)|m(?:od|ul)|n(?:eg|ot)|x?or|pow|round|s(?:et(?:_type)?|ub)))|ersion_compare|[fs]?printf)|wordwrap|xml(?:_(?:error_string|get_(?:current_(?:byte_index|(?:column|line)_number)|error_code)|parse(?:_into_struct|r_(?:create(?:_ns)?|free|[gs]et_option))?|set_(?:(?:character_data|default|e(?:lement|nd_namespace_decl|xternal_entity_ref)|(?:notation|start_namespace|unparsed_entity)_decl|processing_instruction)_handler|object))|writer_(?:end_(?:attribute|c(?:data|omment)|d(?:ocument|td(?:_(?:attlist|e(?:lement|ntity)))?)|element|pi)|f(?:lush|ull_end_element)|o(?:pen_(?:memory|uri)|utput_memory)|s(?:et_indent(?:_string)?|tart_(?:(?:attribute|element)(?:_ns)?|c(?:data|omment)|d(?:ocument|td(?:_(?:attlist|e(?:lement|ntity)))?)|pi))|text|write_(?:(?:attribute|element)(?:_ns)?|c(?:data|omment)|dtd(?:_(?:attlist|e(?:lement|ntity)))?|pi|raw)))|z(?:end_(?:c(?:all_method|reate_unterminated_string)|get_(?:current_func_name|map_ptr_last|unit_enum)|iterable(?:_
legacy)?|leak_(?:bytes|variable)|(?:number_or_string|string_or_(?:object|stdclass))(?:_or_null)?|t(?:e(?:rminate_string|st_(?:(?:(?:nullable_)?array|void)_return|c(?:ompile_string|r(?:ash|eate_throwing_resource))|deprecated|f(?:ill_packed_array|unc)|is_string_marked_as_valid_utf8|(?:override_libxml_global_sta|parameter_with_attribu)te|zend_(?:call_stack_(?:get|use_all)|ini_(?:parse_u?quantity|str))))|hread_id)|version|weakmap_(?:attach|dump|remove))|ip_(?:close|entry_(?:c(?:lose|ompress(?:edsize|ionmethod))|(?:filesiz|nam)e|open|read)|open|read)|lib_(?:(?:de|en)cod|get_coding_typ)e)|ZendTestNS2_(?:ZendSubNS_)?namespaced_(?:deprecated_)?func)[\s\x0b]*\(" \ + "id:933153,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'PHP Injection Attack: Medium-Risk PHP Function Name Found',\ + logdata:'Matched Data: %{TX.0} found within %{TX.933153_MATCHED_VAR_NAME}: %{TX.933153_MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-injection-php',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-PHP',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.933153_matched_var=%{MATCHED_VAR}',\ + setvar:'tx.933153_matched_var_name=%{MATCHED_VAR_NAME}',\ + setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP" +# +# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) +# + +# +# [ PHP Variables: Common Variable Indexes ] +# +# In paranoia level 3, we add additional checks for parameters to many PHP variables. 
+#
+#
+# One of the more common variables used within attacks on PHP is $_SERVER. Because
+# of how many different ways PHP has for executing variables (variable variables,
+# etc) often just looking for $_SERVER will be less effective than looking for the
+# various indexes within $_SERVER. This rule checks for these indexes.
+# This rule is located in PL 3 because often developers will use these names as
+# parameter names or values and this will lead to false positives.
+# Because this list is not expected to change and it is limited in size we use a
+# regex in this case to look for these values whereas in its sibling rule we use
+# @pmFromFile for flexibility and performance.
+#
+# Regular expression generated from regex-assembly/933131.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 933131
+#
+# This rule is a stricter sibling of rule 933130.
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI" \
+ "id:933131,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:normalizePath,t:urlDecodeUni,\
+ msg:'PHP Injection Attack: Variables Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/3',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-PHP',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
+#
+# [ PHP Functions: Low-Value PHP Function Calls ]
+#
+# In paranoia level 3, we add additional
checks for the remaining PHP functions. +# +# Most of these function names are likely to cause false positives in natural text +# or common parameter values, such as 'abs', 'copy', 'date', 'key', 'max', 'min'. +# Therefore, these function names are not scanned in lower paranoia levels. +# +# To mitigate the risk of false positives somewhat, a regexp is used to look for +# PHP function syntax. (See rule 933160 for a description.) +# +# This rule is a stricter sibling of rule 933160. +# +# This rule is also triggered by the following exploit(s): +# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45262 ] +# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] +# +# Regular expression generated from regex-assembly/933161.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 933161 +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:bs|s(?:in|sert(?:_options)?))|basename|c(?:h(?:eckdate|r(?:oot)?)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|r(?:eate_function|ypt)|urrent)|d(?:ate|e(?:coct|fined?)|ir)|e(?:nd|val|x(?:ec|p(?:lode)?|tract))|f(?:ile(?:(?:[acm]tim|inod|siz|typ)e|group|owner|perms)?|l(?:o(?:ck|or)|ush))|glob|h(?:ash|eader)|i(?:date|m(?:age(?:gif|(?:jpe|pn)g|wbmp|xbm)|plode)|s_a)|key|l(?:ink|og)|m(?:a(?:il|x)|d5|in)|n(?:ame|ext)|o(?:pendir|rd)|p(?:a(?:ck|ss(?:thru)?)|i|o(?:pen|w)|rev)|r(?:an(?:d|ge)|e(?:(?:adfil|nam)e|set)|ound)|s(?:(?:erializ|huffl)e|in|leep|(?:or|ta)t|ubstr|y(?:mlink|s(?:log|tem)))|t(?:an|(?:im|mpfil)e|ouch|rim)|u(?:cfirst|n(?:lin|pac)k)|virtual)(?:[\s\x0b]|/\*.*\*/|(?:#|//).*)*\(.*\)" \ + "id:933161,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'PHP Injection Attack: Low-Value PHP Function Call Found',\ + logdata:'Matched Data: %{TX.0} found within 
%{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/3',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-PHP',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
+#
+# [ PHP Script Uploads: Superfluous extension ]
+#
+# Block file uploads with PHP related extensions (.php, .phps, .phtml,
+# .php5 etc) anywhere in the name, followed by a dot.
+#
+# Example: index.php.tmp
+#
+# Uploading of such files can lead to remote code execution if
+# Apache is configured with AddType and MultiViews, as Apache will
+# automatically do a filename match when the extension is unknown.
+# This configuration is fortunately not common in modern installs.
+#
+# Blocking these file names might lead to more false positives.
+#
+# Some AJAX uploaders use the nonstandard request headers X-Filename,
+# X_Filename, or X-File-Name to transmit the file name to the server;
+# scan these request headers as well as multipart/form-data file names.
+#
+# This rule is a stricter sibling of rule 933110.
+#
+SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \
+ "id:933111,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'PHP Injection Attack: PHP Script File Upload Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/3',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-PHP',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
+# [ PHP Closing Tag Found ]
+#
+# http://www.php.net/manual/en/language.basic-syntax.phptags.php
+#
+# This check was extracted from 933100 (paranoia level 1), since the
+# checked sequence '?>' commonly causes false positives.
+# See issue #654 for discussion.
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm ?>" \
+ "id:933190,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,\
+ msg:'PHP Injection Attack: PHP Closing Tag Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/3',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-PHP',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
+# [ PHP Functions: Variable Function Prevent Bypass ]
+#
+# This rule is a stricter sibling of 933210.
+# Unlike 933210, this rule will also match "this is a 'dog' (not a cat)", because the semi-colon at the end of the string is optional.
+# This is useful for PHP evals where the semi-colon is already hardcoded:
+#
+#
+# Any potential function calls not at the end of a string will require a semi-colon to form valid PHP, which is automatically covered by 933210.
+#
+# Regular expression generated from regex-assembly/933211.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 933211
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:\((?:.+\)(?:[\"'][\-0-9A-Z_a-z]+[\"'])?\(.+|[^\)]*string[^\)]*\)[\s\x0b\"'\-\.0-9A-\[\]_a-\{\}]+\([^\)]*)|(?:\[[0-9]+\]|\{[0-9]+\}|\$[^\(\),\./;\x5c]+|[\"'][\-0-9A-Z\x5c_a-z]+[\"'])\(.+)\)(?:;|$)?" \
+ "id:933211,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,t:replaceComments,t:removeWhitespace,\
+ msg:'PHP Injection Attack: Variable Function Call Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-php',\
+ tag:'platform-multi',\
+ tag:'attack-injection-php',\
+ tag:'paranoia-level/3',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-PHP',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+#
+# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-933-APPLICATION-ATTACK-PHP"
diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
new file mode 100644
index 0000000..026b795
--- /dev/null
+++ b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
@@ -0,0 +1,403 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.22.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2026 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+
+
+# [ NodeJS Insecure unserialization / generic RCE signatures ]
+#
+# Libraries performing insecure unserialization:
+# - node-serialize: _$$ND_FUNC$$_ (CVE-2017-5941)
+# - funcster: __js_function
+#
+# See:
+# https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
+# https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/
+#
+# Some generic snippets used:
+# - function() {
+# - new Function(
+# - eval(
+# - String.fromCharCode(
+#
+# Last two are used by nodejsshell.py,
+# https://github.com/ajinabraham/Node.Js-Security-Course/blob/master/nodejsshell.py
+#
+# As base64 is sometimes (but not always) used to encode serialized values,
+# use multiMatch and t:base64decode.
+#
+# Regular expression generated from regex-assembly/934100.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 934100 +# +# Stricter sibling: 934101 +SecRule REQUEST_FILENAME|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx _(?:\$\$ND_FUNC\$\$_|_js_function)|(?:\beval|new[\s\x0b]+Function[\s\x0b]*)\(|(?:String\.fromCharCod|Module:prototyp)e|function\(\)\{|this\.constructor|module\.exports=|\([\s\x0b]*[^0-9A-Z_a-z]child_process[^0-9A-Z_a-z][\s\x0b]*\)|cons(?:tructor:constructor|ole(?:\.(?:(?:debu|lo)g|error|info|trace|warn)(?:\.call)?\(|\[[\"'`](?:(?:debu|lo)g|error|info|trace|warn)[\"'`]\]))|process(?:\.(?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?(?:\.call)?\(|binding|constructor|env|global|main(?:Module)?|process|require)|\[[\"'`](?:(?:a(?:ccess|ppendfile|rgv|vailability)|c(?:aveats|h(?:mod|own)|(?:los|opyfil)e|p|reate(?:read|write)stream)|ex(?:ec(?:file)?|ists)|f(?:ch(?:mod|own)|data(?:sync)?|s(?:tat|ync)|utimes)|inodes|l(?:chmod|ink|stat|utimes)|mkd(?:ir|temp)|open(?:dir)?|r(?:e(?:ad(?:dir|file|link|v)?|name)|m)|s(?:pawn(?:file)?|tat|ymlink)|truncate|u(?:n(?:link|watchfile)|times)|w(?:atchfile|rite(?:file|v)?))(?:sync)?|binding|constructor|env|global|main(?:Module)?|process|require)[\"'`]\])|(?:binding|constructor|env|global|main(?:Module)?|process|require)\[|require(?:\.(?:resolve(?:\.call)?\(|main|extensions|cache)|\[[\"'`](?:(?:resolv|cach)e|main|extensions)[\"'`]\])" \ + "id:934100,\ + phase:2,\ + block,\ + capture,\ + 
t:none,t:urlDecodeUni,t:jsDecode,t:removeWhitespace,t:base64Decode,t:urlDecodeUni,t:jsDecode,t:removeWhitespace,\
+ msg:'Node.js Injection Attack 1/2',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-javascript',\
+ tag:'platform-multi',\
+ tag:'platform-nodejs',\
+ tag:'attack-rce',\
+ tag:'attack-injection-generic',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-GENERIC',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ multiMatch,\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# -=[ SSRF Attacks ]=-
+#
+# We provide only partial protection to SSRF. DNS Rebinding attacks needs
+# to be handled at application level, and even those might be difficult to catch.
+#
+# PL1 rules are based on common attacks on cloud providers, based on well-known URLs.
+#
+# -=[ References ]=-
+# https://highon.coffee/blog/ssrf-cheat-sheet/
+# https://cwe.mitre.org/data/definitions/918.html
+# https://capec.mitre.org/data/definitions/664.html)
+#
+# Preventing: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
+
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile ssrf.data" \
+ "id:934110,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Possible Server Side Request Forgery (SSRF) Attack: Cloud provider metadata URL in Parameter',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-ssrf',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-GENERIC',\
+ tag:'capec/1000/225/664',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# JavaScript prototype pollution injection attempts
+#
+# Example from https://hackerone.com/reports/869574 critical
+# vulnerability in the TypeORM library:
+# {"text":"a","title":{"__proto__":{"where":{"name":"sqlinjection","where":null}}}}
+#
+# Test cases are based on this list of payloads:
+# https://github.com/BlackFan/client-side-prototype-pollution/blob/master/README.md
+#
+# See also: https://cwe.mitre.org/data/definitions/1321.html
+#
+# Note: only server-based (not DOM-based) attacks are covered here.
+
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:__proto__|constructor\s*(?:\.|\]?\[)\s*prototype)" \
+ "id:934130,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,t:jsDecode,\
+ msg:'JavaScript Prototype Pollution',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-javascript',\
+ tag:'platform-multi',\
+ tag:'attack-rce',\
+ tag:'attack-injection-generic',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-GENERIC',\
+ tag:'capec/1/180/77',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ multiMatch,\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# [ Ruby generic RCE signatures ]
+#
+# Detects Ruby-based injection attacks.
+# Example: Process.spawn("id")
+#
+# Regular expression generated from regex-assembly/934150.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+# crs-toolchain regex update 934150
+#
+SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx Process[\s\x0b]*\.[\s\x0b]*spawn[\s\x0b]*\(" \
+ "id:934150,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,\
+ msg:'Ruby Injection Attack',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-ruby',\
+ tag:'platform-multi',\
+ tag:'attack-rce',\
+ tag:'attack-injection-generic',\
+ tag:'paranoia-level/1',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-GENERIC',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# [ NodeJS DoS signatures ]
+#
+# NodeJS runs in a single thread, so any evaluated payloads that block execution can cause an easy DoS.
+# This rule attempts to block e.g. while(true).
+#
+# Regular expression generated from regex-assembly/934160.ra.
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 934160 +# +SecRule REQUEST_FILENAME|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx while[\s\x0b]*\([\s\x0b\(]*(?:!+(?:false|null|undefined|NaN|[\+\-]?0|\"{2}|'{2}|`{2})|(?:!!)*(?:(?:t(?:rue|his)|[\+\-]?(?:Infinity|[1-9][0-9]*)|new [A-Za-z][0-9A-Z_a-z]*|window|String|(?:Boolea|Functio)n|Object|Array)\b|\{[^\}]*\}|\[[^\]]*\]|\"[^\"]+\"|'[^']+'|`[^`]+`)).*\)" \ + "id:934160,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:jsDecode,t:base64Decode,t:urlDecodeUni,t:jsDecode,t:replaceComments,\ + msg:'Node.js DoS attack',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-javascript',\ + tag:'platform-nodejs',\ + tag:'attack-rce',\ + tag:'attack-injection-generic',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-GENERIC',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + multiMatch,\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# [ PHP data: scheme ] +# +# PHP supports the `data:` scheme without using `//` before the content-type. +# +# Regular expression generated from regex-assembly/934170.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 934170 +# +SecRule REQUEST_FILENAME|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^data:(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*(?:[\s\x0b]*,[\s\x0b]*(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*)*" \ + "id:934170,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,\ + msg:'PHP data scheme attack',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-php',\ + tag:'platform-multi',\ + tag:'attack-ssrf',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-GENERIC',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" 
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+#
+# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
+#
+
+# This rule is a stricter sibling of 934100.
+SecRule REQUEST_FILENAME|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[\s\x0b]*\(" \
+ "id:934101,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:urlDecodeUni,t:jsDecode,t:base64Decode,t:urlDecodeUni,t:jsDecode,\
+ msg:'Node.js Injection Attack 2/2',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+ tag:'language-javascript',\
+ tag:'platform-nodejs',\
+ tag:'attack-rce',\
+ tag:'attack-injection-generic',\
+ tag:'paranoia-level/2',\
+ tag:'OWASP_CRS',\
+ tag:'OWASP_CRS/ATTACK-GENERIC',\
+ tag:'capec/1000/152/242',\
+ ver:'OWASP_CRS/4.22.0',\
+ severity:'CRITICAL',\
+ multiMatch,\
+ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+# -=[ SSRF Attacks ]=-
+#
+# PL2 rules adds SSRF capture for common evasion techniques.
+# +# We add captures for these evasion techniques: (see source in util/regexp-assemble/data/regexp-934120.data) +# http://425.510.425.510/ Dotted decimal with overflow (already covered by RFI rule 931100) +# http://2852039166/ Dotless decimal - \d{10} +# http://7147006462/ Dotless decimal with overflow - \d{10} +# http://0xA9.0xFE.0xA9.0xFE/ Dotted hexadecimal - (?:0x[a-f0-9]{2}\.){3}0x[a-f0-9]{2} +# http://0xA9FEA9FE/ Dotless hexadecimal - 0x[a-f0-9]{8} +# http://0x41414141A9FEA9FE/ Dotless hexadecimal with overflow - 0x[a-f0-9]{16} +# http://0251.0376.0251.0376/ Dotted octal - Covered by the same below +# http://0251.00376.000251.0000376/ Dotted octal with padding - (?:0{1,4}\d{3}\.){3}0{1,4}\d{3}) +# http://169.254.43518/ - (?:\d{1,3}\.){2}\.\d{5} +# http://169.16689662/ - \d{1,3}\.\d{8} +# http://[::ffff:a9fe:a9fe] IPV6 Compressed - IPv6 regex from https://ihateregex.io/expr/ipv6/, with [0-9] converted to \d and with non-capturing groups (below) +# http://[0:0:0:0:0:ffff:a9fe:a9fe] IPV6 Expanded - (?:(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?:(?::[0-9a-fA-F]{1,4}){1,6})|:(?:(?::[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(?::[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(?::0{1,4}){0,1}:){0,1}(?:(?:25[0-5]|(?:2[0-4]|1{0,1}\d){0,1}\d)\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}\d){0,1}\d)|(?:[0-9a-fA-F]{1,4}:){1,4}:(?:(?:25[0-5]|(2[0-4]|1{0,1}\d){0,1}\d)\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}\d){0,1}\d)) +# http://[0:0:0:0:0:ffff:169.254.169.254] IPV6/IPV4 - ((?:[0-9a-fA-F]{1,4}:){6}(?:(25[0-5]|(?:2[0-4]|1{0,1}\d){0,1}\d)\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}\d){0,1}\d)) +# http://[::] +# http://127.88.23.245:22/+&@google.com:80#+@google.com:80/ (already covered by RFI rule 931100) +# 
http://127.88.23.245:22/?@google.com:80/ (already covered by RFI rule 931100) +# http://127.88.23.245:22/#@www.google.com:80/ (already covered by RFI rule 931100) +# http://google.com:80\\@127.88.23.245:22/ (already covered by RFI rule 931100) +# http://google.com:80+&@127.88.23.245:22/#+@google.com:80/ +# http://google.com:80+&@google.com:80#+@127.88.23.245:22/ +# +# Regular expression generated from regex-assembly/934120.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 934120 +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}\.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}\.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}\.(?:[0-9]{1,3}\.[0-9]{5}|[0-9]{8})|(?:\x5c\x5c[\-0-9a-z]\.?_?)+|\[[0-:a-f]+(?:[\.0-9]+|%[0-9A-Z_a-z]+)?\]|[a-z][\-\.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[\s\x0b]*&?@(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}|[a-z][\-\.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[\.0-9]{0,11}(?:\x{e2}(?:\x91[\xa0-\x{bf}]|\x92[\x80-\x{bf}]|\x93[\x80-\x{a9}\x{ab}-\x{bf}])|\x{e3}\x80\x82)+)" \ + "id:934120,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Possible Server Side Request Forgery (SSRF) Attack: URL Parameter using IP Address',\ + 
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-ssrf',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-GENERIC',\ + tag:'capec/1000/225/664',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +# [ Perl generic RCE signatures ] +# +# Detects Perl-based injection attacks. +# Example: @{[system whoami]} +# +# Regular expression generated from regex-assembly/934140.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 934140 +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^(?:[^@]|@[^\{])*@+\{[^\}]*\}" \ + "id:934140,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Perl Injection Attack',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-perl',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'attack-injection-generic',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-GENERIC',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +# [ Generic RCE signatures ] +# +# Detects General SSTI attacks. +# Example: <%= File.open('/etc/passwd').read %> +# Note: there is another rule 941380 that checks for {{.*}} regex. 
+# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\{%[^%}]*%}|<%=?[^%>]*%>)" \ + "id:934180,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'SSTI Attack',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'platform-multi',\ + tag:'attack-ssti',\ + tag:'attack-injection-generic',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-GENERIC',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" +# +# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher) +# + +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC" +# +# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) +# + + + +# +# -= Paranoia Levels Finished =- +# +SecMarker "END-REQUEST-934-APPLICATION-ATTACK-GENERIC" diff --git a/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf new file mode 100644 index 0000000..d8e5ed2 --- /dev/null 
+++ b/blue/Tools/zoo/modules/turtle/coreruleset/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf 
@@ -0,0 +1,1105 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.22.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2026 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.22.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+
+
+# In CRS v4.0, we have added REQUEST_FILENAME to the list of variables to
+# be checked for XSS to catch path-based XSS exploits such as:
+# /index.php/%3Csvg/onload=alert()
+#
+# However, the REQUEST_FILENAME is always populated (while ARGS etc. are
+# only set on some requests) and we found that always checking the
+# REQUEST_FILENAME has a significant performance impact.
+# Therefore, we are disabling the REQUEST_FILENAME XSS checks when the
+# REQUEST_FILENAME is clearly not containing special characters necessary
+# for a successful XSS.
+#
+# Some bona-fide REQUEST_FILENAMEs will still contain special characters
+# and will be checked by the rules, but it will be a much lower amount,
+# and that is a trade-off we are willing to make.
+#
+# So, we check for XSS in REQUEST_FILENAME only if it contains
+# other characters than alphanumeric characters, hyphens, underscores etc.
+# typically found in filenames and paths:
+#
+# - ascii 20 (whitespace)
+# - ascii 45-47 (- . 
/) +# - ascii 48-57 (0-9) +# - ascii 65-90 (A-Z) +# - ascii 95 (underscore) +# - ascii 97-122 (a-z) +# +# If just these characters are present, we make use of a special tag to remove +# REQUEST_FILENAME from the target list of all the 941xxx rules starting 941100. +# +# Please note that it would be preferable to start without REQUEST_FILENAME in the +# target list and to add it on a case to case base, but the rule language does not +# support this feature at runtime. +# +SecRule REQUEST_FILENAME "!@validateByteRange 20,45-47,48-57,65-90,95,97-122" \ + "id:941010,\ + phase:1,\ + pass,\ + t:none,\ + nolog,\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-XSS',\ + ctl:ruleRemoveTargetByTag=xss-perf-disable;REQUEST_FILENAME,\ + ver:'OWASP_CRS/4.22.0'" + + +# +# -=[ Libinjection - XSS Detection ]=- +# +# Ref: https://github.com/client9/libinjection +# Ref: https://speakerdeck.com/ngalbreath/libinjection-from-sqli-to-xss +# +# -=[ Targets ]=- +# +# 941100: PL1 : REQUEST_COOKIES| +# REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent| +# ARGS_NAMES|ARGS|XML:/* +# +# 941101: PL2 : REQUEST_FILENAME|REQUEST_HEADERS:Referer +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@detectXSS" \ + "id:941100,\ + phase:2,\ + block,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'XSS Attack Detected via libinjection',\ + logdata:'Matched Data: XSS data found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'xss-perf-disable',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-XSS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# -=[ XSS Filters - Category 1 ]=- +# 
http://xssplayground.net23.net/xssfilter.html +# script tag based XSS vectors, e.g., +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)]*>[\s\S]*?" \ + "id:941110,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'XSS Filter - Category 1: Script Tag Vector',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'xss-perf-disable',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-XSS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# -=[ XSS Filters - Category 3 ]=- +# +# Regular expression generated from regex-assembly/941130.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 941130 +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i).(?:\b(?:(?:x(?:link:href|html|mlns)|data:text/html|formaction)\b|pattern[\s\x0b]*=)|(?:!ENTITY[\s\x0b]+(?:%[\s\x0b]+)?[^\s\x0b]+[\s\x0b]+(?:SYSTEM|PUBLIC)|@import|;base64)\b)" \ + "id:941130,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'XSS Filter - Category 3: Attribute Vector',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'xss-perf-disable',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-XSS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# -=[ XSS Filters - Category 4 ]=- +# XSS vectors making use of javascript uri and tags, e.g.,

+# https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#css-expressions-ie7 +# https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#behaviors-for-older-modes-of-ie +# examples: https://regex101.com/r/FFEpsh/1 +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[a-z]+=(?:[^:=]+:.+;)*?[^:=]+:url\(javascript" \ + "id:941140,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,t:removeWhitespace,\ + msg:'XSS Filter - Category 4: Javascript URI Vector',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'xss-perf-disable',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-XSS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# -=[ NoScript XSS Filters ]=- +# Ref: http://noscript.net/ +# +# [NoScript InjectionChecker] HTML injection +# +# Regular expression generated from regex-assembly/941160.ra. 
+# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 941160 +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^\s\x0b\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?g|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z][^\s\x0b/]*[\s\x0b/]|[\"'](?:[^\s\x0b/]*[\s\x0b/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iter
ation|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|ente
r|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|(?:playbacktargetavailabilitychange|transitionen)d)|heel)|zoom)|ping|s(?:rc|tyle))[\x08-\n\f\r ]*?=" \ + "id:941160,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'NoScript XSS InjectionChecker: HTML Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'xss-perf-disable',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-XSS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# [NoScript InjectionChecker] Attributes injection +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx 
(?i)(?:\W|^)(?:javascript:(?:[\s\S]+[=\x5c\(\[\.<]|[\s\S]*?(?:\bname\b|\x5c[ux]\d))|data:(?:(?:[a-z]\w+/\w[\w+-]+\w)?[;,]|[\s\S]*?;[\s\S]*?\b(?:base64|charset=)|[\s\S]*?,[\s\S]*?<[\s\S]*?\w[\s\S]*?>))|@\W*?i\W*?m\W*?p\W*?o\W*?r\W*?t\W*?(?:/\*[\s\S]*?)?(?:[\"']|\W*?u\W*?r\W*?l[\s\S]*?\()|[^-]*?-\W*?m\W*?o\W*?z\W*?-\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g[^:]*?:\W*?u\W*?r\W*?l[\s\S]*?\(" \ + "id:941170,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\ + msg:'NoScript XSS InjectionChecker: Attribute Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'xss-perf-disable',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/ATTACK-XSS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# +# [Deny List Keywords from Node-Validator] +# https://github.com/validatorjs/validator.js/ +# This rule has a stricter sibling 941181 (PL2) that covers the additional payload "-->" +# +SecRule REQUEST_COOKIES|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@pm document.cookie document.domain document.querySelector document.body.appendChild document.write .parentnode .innerhtml window.location -moz-binding " \ + "id:941181,\ + phase:2,\ + block,\ + capture,\ + t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls,\ + msg:'Node-Validator Deny List Keywords',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-xss',\ + tag:'xss-perf-disable',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + 
tag:'OWASP_CRS/ATTACK-XSS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.22.0',\ + severity:'CRITICAL',\ + setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + + +# +# -=[ XSS Filters from IE ]=- + +# Detect tags that are the most common direct HTML injection points. +# +# +# +# +#