From 68eb4f5ce11d33bb992146cbbe182b0ef8d487ef Mon Sep 17 00:00:00 2001 From: Sebastien Blot Date: Thu, 21 Mar 2024 17:25:28 +0100 Subject: [PATCH 1/2] update CRS to v4.0 --- appsec/crs/REQUEST-901-INITIALIZATION.conf | 85 +- appsec/crs/REQUEST-905-COMMON-EXCEPTIONS.conf | 10 +- .../crs/REQUEST-911-METHOD-ENFORCEMENT.conf | 8 +- appsec/crs/REQUEST-913-SCANNER-DETECTION.conf | 133 +- .../crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf | 364 ++-- appsec/crs/REQUEST-921-PROTOCOL-ATTACK.conf | 49 +- appsec/crs/REQUEST-922-MULTIPART-ATTACK.conf | 23 +- .../REQUEST-930-APPLICATION-ATTACK-LFI.conf | 16 +- .../REQUEST-931-APPLICATION-ATTACK-RFI.conf | 16 +- .../REQUEST-932-APPLICATION-ATTACK-RCE.conf | 483 ++++- .../REQUEST-933-APPLICATION-ATTACK-PHP.conf | 60 +- ...EQUEST-934-APPLICATION-ATTACK-GENERIC.conf | 96 +- .../REQUEST-941-APPLICATION-ATTACK-XSS.conf | 127 +- .../REQUEST-942-APPLICATION-ATTACK-SQLI.conf | 271 +-- ...3-APPLICATION-ATTACK-SESSION-FIXATION.conf | 18 +- .../REQUEST-944-APPLICATION-ATTACK-JAVA.conf | 35 +- .../crs/REQUEST-949-BLOCKING-EVALUATION.conf | 10 +- appsec/crs/RESPONSE-950-DATA-LEAKAGES.conf | 30 +- .../crs/RESPONSE-951-DATA-LEAKAGES-SQL.conf | 48 +- .../crs/RESPONSE-952-DATA-LEAKAGES-JAVA.conf | 10 +- .../crs/RESPONSE-953-DATA-LEAKAGES-PHP.conf | 14 +- .../crs/RESPONSE-954-DATA-LEAKAGES-IIS.conf | 14 +- appsec/crs/RESPONSE-955-WEB-SHELLS.conf | 58 +- .../crs/RESPONSE-959-BLOCKING-EVALUATION.conf | 10 +- appsec/crs/RESPONSE-980-CORRELATION.conf | 10 +- appsec/crs/java-classes.data | 5 +- appsec/crs/php-errors-pl2.data | 2 + appsec/crs/php-errors.data | 10 +- appsec/crs/php-function-names-933150.data | 255 ++- appsec/crs/php-function-names-933151.data | 1761 +++++++++++++---- appsec/crs/restricted-files.data | 16 +- appsec/crs/restricted-upload.data | 173 +- appsec/crs/scanners-user-agents.data | 254 +-- appsec/crs/sql-errors.data | 3 + appsec/crs/ssrf.data | 37 +- appsec/crs/unix-shell.data | 33 + appsec/crs/web-shells-php.data | 10 +- 37 files changed, 3066 insertions(+), 1491 deletions(-) diff --git a/appsec/crs/REQUEST-901-INITIALIZATION.conf b/appsec/crs/REQUEST-901-INITIALIZATION.conf index 8085712..984252e 100644 --- a/appsec/crs/REQUEST-901-INITIALIZATION.conf +++ b/appsec/crs/REQUEST-901-INITIALIZATION.conf @@ -1,9 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -24,9 +24,9 @@ # # - Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.1.0. # -# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature +# Ref: https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#seccomponentsignature # -SecComponentSignature "OWASP_CRS/4.0.0-rc1" +SecComponentSignature "OWASP_CRS/4.0.0" # # -=[ Default setup values ]=- @@ -58,8 +58,8 @@ SecRule &TX:crs_setup_version "@eq 0" \ status:500,\ log,\ auditlog,\ - msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + msg:'ModSecurity CRS is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL'" @@ -77,7 +77,7 @@ SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ setvar:'tx.inbound_anomaly_score_threshold=5'" # Default Outbound Anomaly Threshold Level (rule 900110 in crs-setup.conf) @@ -86,7 +86,7 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ setvar:'tx.outbound_anomaly_score_threshold=4'" # Default Reporting Level (rule 900115 in crs-setup.conf) @@ -95,7 +95,7 @@ SecRule &TX:reporting_level "@eq 0" \ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ setvar:'tx.reporting_level=4'" # Default Early Blocking (rule 900120 in crs-setup.conf) @@ -104,7 +104,7 @@ SecRule &TX:early_blocking "@eq 0" \ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ setvar:'tx.early_blocking=0'" # Default Blocking Paranoia Level (rule 900000 in crs-setup.conf) @@ -113,7 +113,7 @@ SecRule &TX:blocking_paranoia_level "@eq 0" \ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ setvar:'tx.blocking_paranoia_level=1'" # Default Detection Paranoia Level (rule 900001 in crs-setup.conf) @@ -122,7 +122,7 @@ SecRule &TX:detection_paranoia_level "@eq 0" \ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ setvar:'tx.detection_paranoia_level=%{TX.blocking_paranoia_level}'" # Default Sampling Percentage (rule 900400 in crs-setup.conf) @@ -131,7 +131,7 @@ SecRule &TX:sampling_percentage "@eq 0" \ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ setvar:'tx.sampling_percentage=100'" # Default Anomaly Scores (rule 900100 in crs-setup.conf) @@ -140,7 +140,7 @@ SecRule &TX:critical_anomaly_score "@eq 0" \ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ setvar:'tx.critical_anomaly_score=5'" SecRule &TX:error_anomaly_score "@eq 0" \ @@ -148,7 +148,7 @@ SecRule &TX:error_anomaly_score "@eq 0" \ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ setvar:'tx.error_anomaly_score=4'" SecRule &TX:warning_anomaly_score "@eq 0" \ @@ -156,7 +156,7 @@ SecRule &TX:warning_anomaly_score "@eq 0" \ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ setvar:'tx.warning_anomaly_score=3'" SecRule &TX:notice_anomaly_score "@eq 0" \ @@ -164,7 +164,7 @@ SecRule &TX:notice_anomaly_score "@eq 0" \ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ setvar:'tx.notice_anomaly_score=2'" # Default HTTP policy: allowed_methods (rule 900200 in crs-setup.conf) @@ -173,7 +173,7 @@ SecRule &TX:allowed_methods "@eq 0" \ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'" # Default HTTP policy: allowed_request_content_type (rule 900220 in crs-setup.conf) @@ -182,7 +182,7 @@ SecRule &TX:allowed_request_content_type "@eq 0" \ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'" # Default HTTP policy: allowed_request_content_type_charset (rule 900280 in crs-setup.conf) @@ -191,7 +191,7 @@ SecRule &TX:allowed_request_content_type_charset "@eq 0" \ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'" # Default HTTP policy: allowed_http_versions (rule 900230 in crs-setup.conf) @@ -200,8 +200,8 @@ SecRule &TX:allowed_http_versions "@eq 0" \ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/4.0.0-rc1',\ - setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'" + ver:'OWASP_CRS/4.0.0',\ + setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'" # Default HTTP policy: restricted_extensions (rule 900240 in crs-setup.conf) SecRule &TX:restricted_extensions "@eq 0" \ @@ -209,17 +209,26 @@ SecRule &TX:restricted_extensions "@eq 0" \ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'" -# Default HTTP policy: restricted_headers (rule 900250 in crs-setup.conf) -SecRule &TX:restricted_headers "@eq 0" \ +# Default HTTP policy: restricted_headers_basic (rule 900250 in crs-setup.conf) +SecRule &TX:restricted_headers_basic "@eq 0" \ "id:901165,\ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/4.0.0-rc1',\ - setvar:'tx.restricted_headers=/accept-charset/ /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'" + ver:'OWASP_CRS/4.0.0',\ + setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'" + +# Default HTTP policy: restricted_headers_extended (rule 900255 in crs-setup.conf) +SecRule &TX:restricted_headers_extended "@eq 0" \ + "id:901171,\ + phase:1,\ + pass,\ + nolog,\ + ver:'OWASP_CRS/4.0.0',\ + setvar:'tx.restricted_headers_extended=/accept-charset/'" # Default enforcing of body processor URLENCODED (rule 900010 in crs-setup.conf) SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \ @@ -227,7 +236,7 @@ SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ setvar:'tx.enforce_bodyproc_urlencoded=0'" # Default check for UTF8 encoding validation (rule 900950 in crs-setup.conf) @@ -236,7 +245,7 @@ SecRule &TX:crs_validate_utf8_encoding "@eq 0" \ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ setvar:'tx.crs_validate_utf8_encoding=0'" # @@ -253,7 +262,7 @@ SecAction \ pass,\ t:none,\ nolog,\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ setvar:'tx.blocking_inbound_anomaly_score=0',\ setvar:'tx.detection_inbound_anomaly_score=0',\ setvar:'tx.inbound_anomaly_score_pl1=0',\ @@ -291,7 +300,7 @@ SecRule TX:ENABLE_DEFAULT_COLLECTIONS "@eq 1" \ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ chain" SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \ "t:none,t:sha1,t:hexEncode,\ @@ -313,7 +322,7 @@ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \ noauditlog,\ msg:'Enabling body inspection',\ ctl:forceRequestBodyVariable=On,\ - ver:'OWASP_CRS/4.0.0-rc1'" + ver:'OWASP_CRS/4.0.0'" # Force body processor URLENCODED SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \ @@ -324,7 +333,7 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \ nolog,\ noauditlog,\ msg:'Enabling forced body inspection for ASCII content',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ chain" SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \ "ctl:requestBodyProcessor=URLENCODED" @@ -363,7 +372,7 @@ SecRule TX:sampling_percentage "@eq 100" \ phase:1,\ pass,\ nolog,\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ skipAfter:END-SAMPLING" SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \ @@ -373,7 +382,7 @@ SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \ capture,\ t:sha1,t:hexEncode,\ nolog,\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'" # @@ -397,7 +406,7 @@ SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \ noauditlog,\ msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\ ctl:ruleRemoveByTag=OWASP_CRS,\ - ver:'OWASP_CRS/4.0.0-rc1'" + ver:'OWASP_CRS/4.0.0'" SecMarker "END-SAMPLING" @@ -415,4 +424,4 @@ SecRule TX:detection_paranoia_level "@lt %{tx.blocking_paranoia_level}" \ t:none,\ log,\ msg:'Detection paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\ - ver:'OWASP_CRS/4.0.0-rc1'" + ver:'OWASP_CRS/4.0.0'" diff --git a/appsec/crs/REQUEST-905-COMMON-EXCEPTIONS.conf b/appsec/crs/REQUEST-905-COMMON-EXCEPTIONS.conf index a945f4d..67fde5b 100644 --- a/appsec/crs/REQUEST-905-COMMON-EXCEPTIONS.conf +++ b/appsec/crs/REQUEST-905-COMMON-EXCEPTIONS.conf @@ -1,9 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -24,7 +24,7 @@ SecRule REQUEST_LINE "@streq GET /" \ tag:'language-multi',\ tag:'platform-apache',\ tag:'attack-generic',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ chain" SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \ "t:none,\ @@ -44,7 +44,7 @@ SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \ tag:'language-multi',\ tag:'platform-apache',\ tag:'attack-generic',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ chain" SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \ "t:none,\ diff --git a/appsec/crs/REQUEST-911-METHOD-ENFORCEMENT.conf b/appsec/crs/REQUEST-911-METHOD-ENFORCEMENT.conf index 26a57b5..e5171c4 100644 --- a/appsec/crs/REQUEST-911-METHOD-ENFORCEMENT.conf +++ b/appsec/crs/REQUEST-911-METHOD-ENFORCEMENT.conf @@ -1,9 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -39,7 +39,7 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \ tag:'OWASP_CRS',\ tag:'capec/1000/210/272/220/274',\ tag:'PCI/12.1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" diff --git a/appsec/crs/REQUEST-913-SCANNER-DETECTION.conf b/appsec/crs/REQUEST-913-SCANNER-DETECTION.conf index c4d777a..24d23f6 100644 --- a/appsec/crs/REQUEST-913-SCANNER-DETECTION.conf +++ b/appsec/crs/REQUEST-913-SCANNER-DETECTION.conf @@ -1,9 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -21,19 +21,20 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,skipAf # # -# -=[ Vulnerability Scanner Checks ]=- +# -=[ Security Scanner Checks ]=- # -# These rules inspect the default User-Agent and Header values sent by -# various commercial and open source vuln scanners. +# This rule inspects the default User-Agent and Header values sent by +# various commercial and open source scanners, mostly +# security / vulnerability scanners. # -# The following rules contain User-Agent lists: -# 913100 - security scanners (data file scanners-user-agents.data) -# 913101 - scripting/generic HTTP clients (data file scripting-user-agents.data) -# 913102 - web crawlers/bots (data file crawlers-user-agents.data) +# It is based on a curated list of known malicious scanners in widespread use. +# This list is maintained in scanners-user-agents.data. # -# Chained rule is allow listing: -# YUM package manager of CentOS / Fedore: User-Agent: urlgrabber/3.10 yum/3.4.3 -# eCairn service: User-Agent: mozilla/5.0 ecairn-grabber/1.0 (+http://ecairn.com/grabber) +# With CRSv4, the project has given up on keeping track of different categories +# of scanners and scripting agents, mostly because it's very hard to draw +# a line between benign, mostly benign and malicious. And because dedicated +# attackers will change the user agent anyways. + SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \ "id:913100,\ phase:1,\ @@ -50,51 +51,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \ tag:'OWASP_CRS',\ tag:'capec/1000/118/224/541/310',\ tag:'PCI/6.5.10',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - chain" - SecRule MATCHED_VARS "!@rx ^(?:urlgrabber/[0-9\.]+ yum/[0-9\.]+|mozilla/[0-9\.]+ ecairn-grabber/[0-9\.]+ \(\+http://ecairn.com/grabber\))$" \ - "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" - -SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data" \ - "id:913110,\ - phase:1,\ - block,\ - capture,\ - t:none,\ - msg:'Found request header associated with security scanner',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-reputation-scanner',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/118/224/541/310',\ - tag:'PCI/6.5.10',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" - - - -SecRule REQUEST_FILENAME|ARGS "@pmFromFile scanners-urls.data" \ - "id:913120,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'Found request filename/argument associated with security scanner',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-reputation-scanner',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/118/224/541/310',\ - tag:'PCI/6.5.10',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -106,66 +63,6 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,skipAf # -# -# -=[ Scripting/Generic User-Agents ]=- -# -# This rule detects user-agents associated with various HTTP client libraries -# and scripting languages. Detection suggests attempted access by some -# automated tool. -# -# This rule is a sibling of rule 913100. -# -SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \ - "id:913101,\ - phase:1,\ - block,\ - capture,\ - t:none,\ - msg:'Found User-Agent associated with scripting/generic HTTP client',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-reputation-scripting',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/118/224/541/310',\ - tag:'PCI/6.5.10',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" - - - -# -# -=[ Crawler User-Agents ]=- -# -# This rule detects user-agents associated with various crawlers, SEO tools, -# and bots, which have been reported to potentially misbehave. -# These crawlers can have legitimate uses when used with authorization. -# -# This rule is a sibling of rule 913100. -# -SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \ - "id:913102,\ - phase:1,\ - block,\ - capture,\ - t:none,\ - msg:'Found User-Agent associated with web crawler/bot',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-reputation-crawler',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/118/116/150',\ - tag:'PCI/6.5.10',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" - SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION" diff --git a/appsec/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/appsec/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf index 57c4d34..f545b31 100644 --- a/appsec/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf +++ b/appsec/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf @@ -1,9 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -14,7 +14,7 @@ # # The purpose of this rules file is to enforce HTTP RFC requirements that state how # the client is supposed to interact with the server. -# https://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html +# https://www.rfc-editor.org/rfc/rfc9110.html @@ -37,7 +37,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,skipAf # Uses rule negation against the regex for positive security. The regex specifies the proper # construction of URI request lines such as: # -# "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]] +# "http" "://" authority path-abempty [ "?" query ] # # It also outlines proper construction for CONNECT, OPTIONS and GET requests. # @@ -47,7 +47,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,skipAf # crs-toolchain regex update 920100 # # -=[ References ]=- -# https://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1 +# https://www.rfc-editor.org/rfc/rfc9110.html#section-4.2.1 # http://capec.mitre.org/data/definitions/272.html # SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?|(?:connect (?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}\.?(?::[0-9]+)?|[\--9A-Z_a-z]+:[0-9]+)|options \*|[a-z]{3,10}[\s\v]+(?:[0-9A-Z_a-z]{3,7}?://[\--9A-Z_a-z]*(?::[0-9]+)?)?/[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?)[\s\v]+[\.-9A-Z_a-z]+)$" \ @@ -64,7 +64,7 @@ SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?|(? tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" @@ -94,7 +94,6 @@ SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\v#]*)?(?:#[^\s\v]*)?|(? # Disallow ['\";=] # # -=[ References ]=- -# https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-96000 # http://www.ietf.org/rfc/rfc2183.txt # # This rule used to use negative look-behind. @@ -120,7 +119,7 @@ SecRule FILES|FILES_NAMES "!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav| tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -133,7 +132,7 @@ SecRule FILES|FILES_NAMES "!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav| # is NOT all digits, then it will match. # # -=[ References ]=- -# https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.13 +# https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6 # SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \ "id:920160,\ @@ -149,25 +148,25 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # # Do not accept GET or HEAD requests with bodies -# HTTP standard allows GET requests to have a body but this -# feature is not used in real life. Attackers could try to force -# a request body on an unsuspecting web applications. +# In RCF-9110, "A client SHOULD NOT generate content in a HEAD/GET request +# unless it is made directly to an origin server that has previously indicated" # # -=[ Rule Logic ]=- -# This is a chained rule that first checks the Request Method. If it is a -# GET or HEAD method, then it checks for the existence of a Content-Length -# header. If the header exists and its payload is either not a 0 digit or not -# empty, then it will match. +# The chained rule matches when: +# 1) If the request method is GET or HEAD +# AND +# 2) Header: Content-Length exists and non-zero # # -=[ References ]=- -# https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.3 +# https://www.rfc-editor.org/rfc/rfc9110.html#section-9.3.1 +# https://www.rfc-editor.org/rfc/rfc9110.html#section-9.3.2 # SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \ "id:920170,\ @@ -183,7 +182,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ chain" SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \ @@ -208,7 +207,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ chain" SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \ @@ -218,19 +217,23 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \ # # Require Content-Length or Transfer-Encoding to be provided with -# every POST request if the protocol version is not HTTP/2. +# every POST request if the protocol version is not HTTP/2 or HTTP/3. # # In case of HTTP/2, see the RFC7540 8.1 p52: # HTTP/2 does not use the Transfer-Encoding: chunked anymore, because # the underlying transport protocol is already using data frames with # known length. # +# In case of HTTP/3, see the RFC9114 4.1: +# Transfer codings (see Section 7 of [HTTP/1.1]) are not defined for +# HTTP/3; the Transfer-Encoding header field MUST NOT be used. +# # -=[ Rule Logic ]=- -# This chained rule checks if the protocol is not HTTP/2, then checks -# request method is POST, if so, it checks that a Content-Length or -# Transfer-Encoding headers are also present. +# This chained rule checks if the protocol is not HTTP/2 or HTTP/3, +# then checks request method is POST, if so, it checks that a +# Content-Length or Transfer-Encoding headers are also present. # -SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0" \ +SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0" \ "id:920180,\ phase:1,\ block,\ @@ -244,7 +247,7 @@ SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ chain" SecRule REQUEST_METHOD "@streq POST" \ @@ -274,7 +277,7 @@ SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ chain" SecRule &REQUEST_HEADERS:Content-Length "!@eq 0" \ @@ -294,7 +297,7 @@ SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \ # when the first value is greater than the second. # # -=[ References ]=- -# https://tools.ietf.org/html/rfc7233 +# https://datatracker.ietf.org/doc/html/rfc7233 # https://seclists.org/fulldisclosure/2011/Aug/175 # SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \ @@ -312,7 +315,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ chain" SecRule TX:2 "@lt %{tx.1}" \ @@ -328,8 +331,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \ # keep-alive and close options. # # -=[ References ]=- -# http://www.bad-behavior.ioerror.us/about/ -# https://tools.ietf.org/html/rfc7233 +# https://datatracker.ietf.org/doc/html/rfc7233 # SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|close)\b" \ "id:920210,\ @@ -345,7 +347,7 @@ SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive| tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" @@ -354,9 +356,12 @@ SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive| # # -=[ Rule Logic ]=- # There are two different chained rules. We need to separate them as we are inspecting two -# different variables - REQUEST_URI and REQUEST_BODY. For REQUEST_BODY, we only want to +# different variables - REQUEST_URI_RAW and REQUEST_BODY. For REQUEST_BODY, we only want to # run the @validateUrlEncoding operator if the content-type is application/x-www-form-urlencoding. # +# We exclude the last path segment from validation because it could be a file name, which could +# easily contain a '%' character that is not part of a URI encoded sequence. +# # -=[ References ]=- # http://www.ietf.org/rfc/rfc1738.txt # @@ -364,13 +369,18 @@ SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive| # http://localhost/?s=a%20b%20c%'/ # reason: %'/ is not a valid url encoding # -SecRule REQUEST_URI "@rx \x25" \ +# Regular expression generated from regex-assembly/920220-chain1.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 920220-chain1 +# +SecRule REQUEST_URI_RAW "@rx \x25" \ "id:920220,\ phase:1,\ block,\ - t:none,\ + t:none,t:urlDecodeUni,\ msg:'URL Encoding Abuse Attack Attempt',\ - logdata:'%{MATCHED_VAR}',\ + logdata:'%{REQUEST_URI_RAW}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ @@ -378,19 +388,33 @@ SecRule REQUEST_URI "@rx \x25" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/255/153/267/72',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'WARNING',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ chain" - SecRule REQUEST_URI "@validateUrlEncoding" \ - "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" + SecRule REQUEST_URI_RAW "@rx ^(.*)/(?:[^\?]+)?(\?.*)?$" \ + "capture,\ + chain" + SecRule TX:1|TX:2 "@validateUrlEncoding" \ + "t:none,t:urlDecodeUni,\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded" \ - "id:920240,\ - phase:2,\ + +# Validate URI encoding of the last path segment, only if it does not look like a file name. +# A file name could easily contain a '%' character that is not part of a URI encoded sequence. +# +# Regular expression generated from regex-assembly/920221.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 920221 +# +SecRule REQUEST_BASENAME "!@rx ^.*%.*\.[^\s\v\.]+$" \ + "id:920221,\ + phase:1,\ block,\ - t:none,\ + capture,\ + t:none,t:urlDecodeUni,\ msg:'URL Encoding Abuse Attack Attempt',\ - logdata:'%{MATCHED_VAR}',\ + logdata:'%{REQUEST_BASENAME}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ @@ -398,13 +422,12 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/255/153/267/72',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'WARNING',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ chain" - SecRule REQUEST_BODY "@rx \x25" \ - "chain" - SecRule REQUEST_BODY "@validateUrlEncoding" \ - "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" + SecRule TX:0 "@validateUrlEncoding" \ + "t:none,t:urlDecodeUni,\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # @@ -430,7 +453,7 @@ SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/255/153/267',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ chain" SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \ @@ -454,7 +477,12 @@ SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \ # https://www.checkpoint.com/defense/advisories/public/2007/cpai-2007-201.html # https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/719 # -SecRule REQUEST_URI|REQUEST_BODY "@rx \%u[fF]{2}[0-9a-fA-F]{2}" \ +# Regular expression generated from regex-assembly/920260.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 920260 +# +SecRule REQUEST_URI|REQUEST_BODY "@rx (?i)%uff[0-9a-f]{2}" \ "id:920260,\ phase:2,\ block,\ @@ -469,7 +497,7 @@ SecRule REQUEST_URI|REQUEST_BODY "@rx \%u[fF]{2}[0-9a-fA-F]{2}" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/255/153/267/72',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" @@ -525,7 +553,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -557,7 +585,7 @@ SecRule &REQUEST_HEADERS:Host "@eq 0" \ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'PCI/6.5.10',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}',\ skipAfter:END-HOST-CHECK" @@ -566,7 +594,7 @@ SecRule &REQUEST_HEADERS:Host "@eq 0" \ SecRule REQUEST_HEADERS:Host "@rx ^$" \ "id:920290,\ phase:1,\ - pass,\ + block,\ t:none,\ msg:'Empty Host Header',\ tag:'application-multi',\ @@ -576,9 +604,9 @@ SecRule REQUEST_HEADERS:Host "@rx ^$" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'WARNING',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" SecMarker "END-HOST-CHECK" @@ -616,7 +644,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'NOTICE',\ chain" SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \ @@ -641,7 +669,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'NOTICE',\ chain" SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \ @@ -674,14 +702,14 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'NOTICE',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'" # # Missing Content-Type Header with Request Body # -# -=[ Rule Logic]=- +# -=[ Rule Logic ]=- # This rule will first check to see if the value of the Content-Length header is # non-equal to 0. The chained rule is then checking the existence of the # Content-Type header. The RFCs do not state there must be a @@ -711,7 +739,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'NOTICE',\ chain" SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \ @@ -756,7 +784,7 @@ SecRule REQUEST_HEADERS:Host "@rx (?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'PCI/6.5.10',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'" @@ -788,7 +816,7 @@ SecRule &TX:MAX_NUM_ARGS "@eq 1" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ chain" SecRule &ARGS "@gt %{tx.max_num_args}" \ @@ -813,7 +841,7 @@ SecRule &TX:ARG_NAME_LENGTH "@eq 1" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ chain" SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" \ @@ -840,7 +868,7 @@ SecRule &TX:ARG_LENGTH "@eq 1" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ chain" SecRule ARGS "@gt %{tx.arg_length}" \ @@ -864,7 +892,7 @@ SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ chain" SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" \ @@ -889,7 +917,7 @@ SecRule &TX:MAX_FILE_SIZE "@eq 1" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ chain" SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \ @@ -915,7 +943,7 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ chain" SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \ @@ -955,7 +983,7 @@ SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+*-]+(?:\s?;\s?(?:action|bounda tag:'OWASP_CRS',\ tag:'capec/1000/255/153',\ tag:'PCI/12.1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -978,7 +1006,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \ tag:'OWASP_CRS',\ tag:'capec/1000/255/153',\ tag:'PCI/12.1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.content_type=|%{tx.0}|',\ chain" @@ -1006,7 +1034,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \ tag:'OWASP_CRS',\ tag:'capec/1000/255/153',\ tag:'PCI/12.1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.content_type_charset=|%{tx.1}|',\ chain" @@ -1033,7 +1061,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \ tag:'OWASP_CRS',\ tag:'capec/1000/255/153',\ tag:'PCI/12.1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -1055,7 +1083,7 @@ SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'PCI/6.5.10',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -1067,7 +1095,7 @@ SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \ phase:1,\ block,\ capture,\ - t:none,\ + t:none,t:urlDecodeUni,\ msg:'URL file extension is restricted by policy',\ logdata:'%{TX.0}',\ tag:'application-multi',\ @@ -1078,7 +1106,7 @@ SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'PCI/6.5.10',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.extension=.%{tx.1}/',\ chain" @@ -1105,7 +1133,7 @@ SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'PCI/6.5.10',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -1113,26 +1141,35 @@ SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \ # Restricted HTTP headers # # -=[ Rule Logic ]=- -# The use of certain headers is restricted. They are listed in the variable -# TX.restricted_headers. -# -# The headers are transformed into lowercase before the match. In order to -# make sure that only complete header names are matching, the names in -# TX.restricted_headers are wrapped in slashes. This guarantees that the -# header Range (-> /range/) is not matching the restricted header -# /content-range/ for example. +# The use of certain headers is restricted. They are listed in two variables: +# - TX.restricted_headers_basic: Known security risks, always forbidden (rule +# 920450) +# - TX.restricted_headers_extended: Possible false positives, possible security +# risks, may be forbidden (rule 920451) +# +# The headers are transformed into lowercase before the match. In order to make +# sure that only complete header names match, the names in the +# TX.restricted_headers_* variables are wrapped in slashes. This guarantees that +# the Range header (which becomes /range/) will not match the restricted +# /content-range/ header, for example. # # This is a chained rule, where the first rule fills a set of variables of the -# form TX.header_name_. The second rule is then executed for all -# variables of the form TX.header_name_. +# form TX.header_name__. The second rule is then executed +# for all variables of the form TX.header_name__. # # As a consequence of the construction of the rule, the alert message and the # alert data will not display the original header name Content-Range, but # /content-range/ instead. # +# This rule has a stricter sibling, 920451, which matches against the variable +# TX.restricted_headers_extended. It handles deprecated headers that are still +# in use (so false positives are possible, hence unsuitable for blocking in a +# default paranoia level 1 installation) and headers with possible security +# risks. # # -=[ References ]=- # https://access.redhat.com/security/vulnerabilities/httpoxy (Header Proxy) +# https://www.sidechannel.blog/en/http-method-override-what-it-is-and-how-a-pentester-can-use-it # SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \ "id:920450,\ @@ -1150,17 +1187,18 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'PCI/12.1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - setvar:'tx.header_name_%{tx.0}=/%{tx.0}/',\ + setvar:'tx.header_name_920450_%{tx.0}=/%{tx.0}/',\ chain" - SecRule TX:/^header_name_/ "@within %{tx.restricted_headers}" \ + SecRule TX:/^header_name_920450_/ "@within %{tx.restricted_headers_basic}" \ "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + # # Rule against CVE-2022-21907 # This rule blocks Accept-Encoding headers longer than 50 characters. # The length of 50 is a heuristic based on the length of values from -# the RFC (https://datatracker.ietf.org/doc/draft-ietf-httpbis-semantics/) +# the RFC (https://datatracker.ietf.org/doc/rfc9110/) # and the respective values assigned by IANA # (https://www.iana.org/assignments/http-parameters/http-parameters.xml#content-coding). # @@ -1181,7 +1219,7 @@ SecRule REQUEST_HEADERS:Accept-Encoding "@gt 50" \ tag:'OWASP_CRS',\ tag:'capec/1000/255/153',\ tag:'PCI/12.1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -1213,7 +1251,7 @@ SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?: tag:'attack-protocol',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -1236,7 +1274,7 @@ SecRule REQBODY_PROCESSOR "!@streq JSON" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/255/153/267/72',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ chain" SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?i)\x5cu[0-9a-f]{4}" \ @@ -1260,7 +1298,39 @@ SecRule REQUEST_URI_RAW "@contains #" \ tag:'attack-protocol',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# The following rule (920620) checks for the presence of 2 or more request Content-Type headers. +# Content-Type confusion poses a significant security risk to a web application. It occurs when +# the server and client have different interpretations of the Content-Type header, leading to +# miscommunication, potential exploitation and WAF bypass. +# +# Using Apache, when multiple Content-Type request headers are received, the server combines them +# into a single header with the values separated by commas. For example, if a client sends multiple +# Content-Type headers with values "application/json" and "text/plain", Apache will combine them +# into a single header like this: "Content-Type: application/json, text/plain". +# +# On the other hand, Nginx handles multiple Content-Type headers differently. It preserves each +# header as a separate entity without combining them. So, if a client sends multiple Content-Type +# headers, Nginx will keep them separate, maintaining the original values. +# +SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \ + "id:920620,\ + phase:1,\ + block,\ + t:none,\ + msg:'Multiple Content-Type Request Headers',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -1305,7 +1375,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ chain" SecRule REQUEST_BASENAME "!@endsWith .pdf" \ @@ -1319,7 +1389,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \ "id:920201,\ phase:1,\ block,\ - t:none,\ + t:none,t:urlDecodeUni,\ msg:'Range: Too many fields for pdf request (63 or more)',\ logdata:'%{MATCHED_VAR}',\ tag:'application-multi',\ @@ -1329,7 +1399,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ chain" SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \ @@ -1350,7 +1420,7 @@ SecRule ARGS "@rx %[0-9a-fA-F]{2}" \ tag:'OWASP_CRS',\ tag:'capec/1000/255/153/267/120',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'" @@ -1372,7 +1442,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13, tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1399,7 +1469,7 @@ SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \ tag:'capec/1000/210/272',\ tag:'PCI/6.5.10',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'NOTICE',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.notice_anomaly_score}'" @@ -1421,7 +1491,7 @@ SecRule FILES_NAMES|FILES "@rx ['\";=]" \ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1446,7 +1516,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ chain" SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \ @@ -1454,6 +1524,60 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +# +# PL2: This is a stricter sibling of 920450. +# +SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \ + "id:920451,\ + phase:1,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',\ + logdata:'Restricted header detected: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/210/272',\ + tag:'PCI/12.1',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.header_name_920451_%{tx.0}=/%{tx.0}/',\ + chain" + SecRule TX:/^header_name_920451_/ "@within %{tx.restricted_headers_extended}" \ + "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + + +# +# Check URL encodings +# +# See comment on rule 920220. +# +SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded" \ + "id:920240,\ + phase:2,\ + block,\ + t:none,\ + msg:'URL Encoding Abuse Attack Attempt',\ + logdata:'%{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-protocol',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/255/153/267/72',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'WARNING',\ + chain" + SecRule REQUEST_BODY "@rx \x25" \ + "chain" + SecRule REQUEST_BODY "@validateUrlEncoding" \ + "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'" + SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT" # @@ -1480,7 +1604,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteR tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -1514,7 +1638,7 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \ tag:'capec/1000/210/272',\ tag:'PCI/6.5.10',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'NOTICE',\ chain" SecRule REQUEST_METHOD "!@rx ^(?:OPTIONS|CONNECT)$" \ @@ -1532,7 +1656,7 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \ # Note that this only works in combination with a User-Agent prefix. # # This rule is based on a blog post by Soroush Dalili at -# https://soroush.secproject.com/blog/2019/05/x-up-devcap-post-charset-header-in-aspnet-to-bypass-wafs-again/ +# https://soroush.me/blog/2019/05/x-up-devcap-post-charset-header-in-aspnet-to-bypass-wafs-again/ # SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \ "id:920490,\ @@ -1547,7 +1671,7 @@ SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ chain" SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \ @@ -1600,7 +1724,7 @@ SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \ tag:'paranoia-level/3',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ chain" SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:\s*\,\s*|$)){1,7}$" \ @@ -1631,7 +1755,7 @@ SecRule REQUEST_HEADERS:Accept-Encoding "!@rx br|compress|deflate|(?:pack200-)?g tag:'OWASP_CRS',\ tag:'capec/1000/255/153',\ tag:'PCI/12.1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -1649,7 +1773,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \ "id:920202,\ phase:1,\ block,\ - t:none,\ + t:none,t:urlDecodeUni,\ msg:'Range: Too many fields for pdf request (6 or more)',\ logdata:'%{MATCHED_VAR}',\ tag:'application-multi',\ @@ -1659,7 +1783,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \ tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/4',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ chain" SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \ @@ -1686,7 +1810,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90 tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/4',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'" @@ -1707,7 +1831,7 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/4',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'" @@ -1715,7 +1839,7 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE # This is a stricter sibling of 920270. # The headers of this rule are Structured Header booleans, for which only `?0`, # and `?1` are inconspicuous. -# Structured Header boolean: https://tools.ietf.org/html/draft-ietf-httpbis-header-structure-19#section-3.3.6 +# Structured Header boolean: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-header-structure-19#section-3.3.6 # Sec-Fetch-User: https://www.w3.org/TR/fetch-metadata/#http-headerdef-sec-fetch-user # Sec-CH-UA-Mobile: https://wicg.github.io/ua-client-hints/#sec-ch-ua-mobile # @@ -1733,7 +1857,7 @@ SecRule REQUEST_HEADERS:Sec-Fetch-User|REQUEST_HEADERS:Sec-CH-UA-Mobile "!@rx ^( tag:'OWASP_CRS',\ tag:'capec/1000/210/272',\ tag:'paranoia-level/4',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'" @@ -1777,7 +1901,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\x5c])\x5c[cdegh tag:'paranoia-level/4',\ tag:'OWASP_CRS',\ tag:'capec/1000/153/267',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'" diff --git a/appsec/crs/REQUEST-921-PROTOCOL-ATTACK.conf b/appsec/crs/REQUEST-921-PROTOCOL-ATTACK.conf index c29ad75..545d52f 100644 --- a/appsec/crs/REQUEST-921-PROTOCOL-ATTACK.conf +++ b/appsec/crs/REQUEST-921-PROTOCOL-ATTACK.conf @@ -1,9 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -46,7 +46,7 @@ SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connec tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272/220/33',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -78,7 +78,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272/220/34',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -99,7 +99,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272/220/34',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -133,7 +133,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272/220/273',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -161,7 +161,7 @@ SecRule ARGS_NAMES "@rx [\n\r]" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272/220/33',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -182,7 +182,7 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272/220/33',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -191,7 +191,8 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook # -=[ HTTP Splitting ]=- # # This rule detect \n or \r in the REQUEST FILENAME -# Reference: https://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016) +# Reference: https://wiki.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-016) +# Reference: https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Testing_Guide_v4.pdf # SecRule REQUEST_FILENAME "@rx [\n\r]" \ "id:921190,\ @@ -207,7 +208,7 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272/220/34',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -223,7 +224,7 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \ # # [ References ] # * https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf -# * https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/ +# * https://www.sonarsource.com/blog/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/ # * https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/276#issue-126581660 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ^[^:\(\)\&\|\!\<\>\~]*\)\s*(?:\((?:[^,\(\)\=\&\|\!\<\>\~]+[><~]?=|\s*[&!|]\s*(?:\)|\()?\s*)|\)\s*\(\s*[\&\|\!]\s*|[&!|]\s*\([^\(\)\=\&\|\!\<\>\~]+[><~]?=[^:\(\)\&\|\!\<\>\~]*)" \ @@ -240,7 +241,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/136',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -273,7 +274,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\v,;]+[\s\v,;].*?(?:application/( tag:'OWASP_CRS',\ tag:'capec/1000/255/153',\ tag:'PCI/12.1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -289,7 +290,7 @@ SecRule REQUEST_URI "@rx unix:[^|]*\|" \ phase:1,\ block,\ capture,\ - t:none,t:lowercase,\ + t:none,t:urlDecode,t:lowercase,\ msg:'mod_proxy attack attempt detected',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ @@ -299,7 +300,7 @@ SecRule REQUEST_URI "@rx unix:[^|]*\|" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272/220/33',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -332,7 +333,7 @@ SecRule ARGS_GET "@rx [\n\r]" \ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272/220/33',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -368,7 +369,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\v,;]+[\s\v,;].*?\b(?:((?:tex|mul tag:'OWASP_CRS',\ tag:'capec/1000/255/153',\ tag:'PCI/12.1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -404,7 +405,7 @@ SecRule &REQUEST_HEADERS:Range "@gt 0" \ tag:'paranoia-level/3',\ tag:'OWASP_CRS',\ tag:'capec/1000/210/272/220',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -438,7 +439,7 @@ SecRule ARGS_NAMES "@rx ." \ tag:'attack-protocol',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/137/15/460',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'" SecRule TX:/paramcounter_.*/ "@gt 1" \ @@ -454,7 +455,7 @@ SecRule TX:/paramcounter_.*/ "@gt 1" \ tag:'OWASP_CRS',\ tag:'capec/1000/152/137/15/460',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ chain" SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \ @@ -471,7 +472,7 @@ SecRule TX:/paramcounter_.*/ "@gt 1" \ # closing of the array. # Rule 921210 PL3 prevents this by disallowing arbitrary strings after an array has # been closed or inbetween the square brackets in multidimensional arrays. -# Please note that rule 921120 allows for 2-dimensional, but not for higher dimensional +# Please note that rule 921210 allows for 2-dimensional, but not for higher dimensional # arrays. If these are flagged as attacks, a rule exclusion will have to be # deployed; ideally for the parameter(s) in question. # @@ -499,7 +500,7 @@ SecRule ARGS_NAMES "@rx (][^\]]+$|][^\]]+\[)" \ tag:'OWASP_CRS',\ tag:'capec/1000/152/137/15/460',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -547,7 +548,7 @@ SecRule ARGS_NAMES "@rx \[" \ tag:'OWASP_CRS',\ tag:'capec/1000/152/137/15/460',\ tag:'paranoia-level/4',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'" diff --git a/appsec/crs/REQUEST-922-MULTIPART-ATTACK.conf b/appsec/crs/REQUEST-922-MULTIPART-ATTACK.conf index 04daef5..5ba40a5 100644 --- a/appsec/crs/REQUEST-922-MULTIPART-ATTACK.conf +++ b/appsec/crs/REQUEST-922-MULTIPART-ATTACK.conf @@ -1,9 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -38,16 +38,22 @@ SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \ tag:'OWASP_CRS',\ tag:'capec/1000/255/153',\ tag:'paranoia-level/1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ + setvar:'tx.922100_charset=|%{ARGS._charset_}|',\ chain" - SecRule ARGS:_charset_ "!@within |%{tx.allowed_request_content_type_charset}|" \ + SecRule TX:922100_CHARSET "!@within %{tx.allowed_request_content_type_charset}" \ "t:lowercase,\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Only allow specific charsets same as Rule 920600 # Note: this is in phase:2 because these are headers that come in the body +# +# Regular expression generated from regex-assembly/922110-chain1.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 922110-chain1 SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*:\s*(.*)$" \ "id:922110,\ phase:2,\ @@ -63,12 +69,11 @@ SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*:\s*(.*)$" \ tag:'OWASP_CRS',\ tag:'capec/272/220',\ tag:'paranoia-level/1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ chain" SecRule TX:1 "!@rx ^(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*(?:[\s\v]*,[\s\v]*(?:(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)/(?:\*|[^!-\"\(-\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\v]*;[\s\v]*(?:charset[\s\v]*=[\s\v]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\v -\"\(-\),/:-\?\[-\]c\{\}]|c(?:[^!-\"\(-\),/:-\?\[-\]h\{\}]|h(?:[^!-\"\(-\),/:-\?\[-\]a\{\}]|a(?:[^!-\"\(-\),/:-\?\[-\]r\{\}]|r(?:[^!-\"\(-\),/:-\?\[-\]s\{\}]|s(?:[^!-\"\(-\),/:-\?\[-\]e\{\}]|e[^!-\"\(-\),/:-\?\[-\]t\{\}]))))))[^!-\"\(-\),/:-\?\[-\]\{\}]*[\s\v]*=[\s\v]*[^!\(-\),/:-\?\[-\]\{\}]+);?)*)*$" \ - "t:lowercase,\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + "setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used (see: https://www.rfc-editor.org/rfc/rfc7578#section-4.7) # Note: this is in phase:2 because these are headers that come in the body @@ -87,6 +92,6 @@ SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \ tag:'OWASP_CRS',\ tag:'capec/272/220',\ tag:'paranoia-level/1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" diff --git a/appsec/crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf b/appsec/crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf index fd62484..a1fd3e0 100644 --- a/appsec/crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf +++ b/appsec/crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf @@ -1,9 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -47,7 +47,7 @@ SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML: tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/255/153/126',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'" @@ -79,7 +79,7 @@ SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* " tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/255/153/126',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ multiMatch,\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ @@ -110,7 +110,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/255/153/126',\ tag:'PCI/6.5.4',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -137,7 +137,7 @@ SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \ tag:'OWASP_CRS',\ tag:'capec/1000/255/153/126',\ tag:'PCI/6.5.4',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -175,7 +175,7 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@pmFromFile lfi-os-f tag:'OWASP_CRS',\ tag:'capec/1000/255/153/126',\ tag:'PCI/6.5.4',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" diff --git a/appsec/crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf b/appsec/crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf index 581a657..6fc1f28 100644 --- a/appsec/crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf +++ b/appsec/crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf @@ -1,9 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -49,7 +49,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?)://(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3 tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/175/253',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -69,7 +69,7 @@ SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_abso tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/175/253',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -89,7 +89,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/175/253',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -128,7 +128,7 @@ SecRule ARGS "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|it tag:'OWASP_CRS',\ tag:'capec/1000/152/175/253',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\ chain" @@ -158,7 +158,7 @@ SecRule REQUEST_FILENAME "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b tag:'OWASP_CRS',\ tag:'capec/1000/152/175/253',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\ chain" diff --git a/appsec/crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/appsec/crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf index 2d61cf4..45f3ca6 100644 --- a/appsec/crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf +++ b/appsec/crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf @@ -1,9 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -97,14 +97,20 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,skipAf # .932240 (generic detection, PL2, targets generic evasion attempts) # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, # - with and without prefix +# - words of any length) +# ..932239 (sibling of 932236, PL2, +# - with and without prefix # - words of any length +# - targets request headers user-agent and referer only +# - excluded words: known user-agents) +# ..932238 (stricter sibling of 932236, PL3, # - no excluded words) # .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, # - targets request headers user-agent and referer only # - without prefix # - with word boundaries # - words of any length -# - no excluded words) +# - excluded words: known user-agents) # # # Regular expression generated from regex-assembly/932230.ra. @@ -112,7 +118,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,skipAf # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932230 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ar])?|a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:[bt]|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ks])[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[\s\v&\),<>\|].*|[jp])|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[\s\v&\),<>\|].*|h))|(?:(?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[cl]|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)|o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?)[\s\v&\),<>\|].*|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[8-9][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?9|(?:[au][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|[cp])[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[du][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?g|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f)|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:[bdx]|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|q[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|f[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:c|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|i|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)|g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[&,<>\|]|(?:[\--\.0-9A-Z_a-z][\"'\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\*\-0-9\?-@_a-\{]*)?\x5c?)+[\s\v&,<>\|])|(?:e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|o)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|]).*|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|[hr][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c)|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|p|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b)|j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s|q)|k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?|(?:[npz]|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)[\s\v&\),<>\|].*|s)|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n|v)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r)|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|f|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?)[\s\v&\),<>\|].*|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|(?:k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?g|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[&,<>\|]|(?:[\--\.0-9A-Z_a-z][\"'\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\*\-0-9\?-@_a-\{]*)?\x5c?)+[\s\v&,<>\|]).*)|s|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|v))|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|(?:(?:e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dt]|[hu])[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?)[\s\v&\),<>\|].*|g|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*)|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ex]|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|c|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o)|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*)|y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h))\b" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l)|[ls][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[arx])?|(?:(?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|x)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|[ckz][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|f[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dg]|g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[&,<>\|]|(?:[\--\.0-9A-Z_a-z][\"'\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\*\-0-9\?-@_a-\{]*)?\x5c?)+[\s\v&,<>\|]).*|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?g)|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:s|z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:4|[\s\v&\),<>\|].*))|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*)?|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|(?:e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|(?:s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?h)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m)\b" \ "id:932230,\ phase:2,\ block,\ @@ -128,7 +134,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -151,14 +157,20 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # .932240 (generic detection, PL2, targets generic evasion attempts) # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, # - with and without prefix +# - words of any length) +# ..932239 (sibling of 932236, PL2, +# - with and without prefix # - words of any length +# - targets request headers user-agent and referer only +# - excluded words: known user-agents) +# ..932238 (stricter sibling of 932236, PL3, # - no excluded words) # .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, # - targets request headers user-agent and referer only # - without prefix # - with word boundaries # - words of any length -# - no excluded words) +# - excluded words: known user-agents) # # # Regular expression generated from regex-assembly/932235.ra. @@ -166,7 +178,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932235 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:a(?:dduser|getty|l(?:ias|pine)[\s\v<>]|nsible-playbook|pt-get|r(?:ch[\s\v<>]|ia2c)|s(?:cii(?:-xfr|85)|pell)|tobm)|b(?:a(?:s(?:e(?:32|64|nc)|h)|tch[\s\v<>])|pftrace|r(?:eaksw|idge[\s\v<>])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v<>]|zip2)|s(?:ctl|ybox))|yebug|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2|less|more))|c(?:a(?:ncel|psh)[\s\v<>]|ertbot|h(?:attr|dir[\s\v<>]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|flags|mod|o(?:om|wn)|root)|o(?:(?:b|pro)c|lumn[\s\v<>]|m(?:m(?:and[\s\v<>])?|p(?:oser|ress[\s\v<>]))|w(?:say|think))|p(?:an|io|ulimit)|r(?:ash[\s\v<>]|ontab)|s(?:plit|vtool)|u(?:psfilter|rl))|d(?:(?:a(?:sh|te)|i(?:alog|ff))[\s\v<>]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v<>]|sbox)|pkg|vips)|e(?:(?:asy_instal|va)l|cho[\s\v<>]|fax|grep|macs|n(?:d(?:if|sw)|v-update)|sac|x(?:ec[\s\v<>]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v<>]|r)))|f(?:acter|(?:etch|lock)[\s\v<>]|grep|i(?:le(?:[\s\v<>]|test)|(?:n(?:d|ger)|sh)[\s\v<>])|o(?:ld[\s\v<>]|reach)|ping|tp(?:stats|who)|unction)|g(?:awk|core|e(?:ni(?:e[\s\v<>]|soimage)|tfacl[\s\v<>])|hci|i(?:mp[\s\v<>]|nsh)|rep[\s\v<>]|tester|unzip|z(?:cat|exe|ip))|h(?:e(?:ad[\s\v<>]|xdump)|i(?:ghlight|story)[\s\v<>]|ost(?:id|name)|ping3|t(?:digest|passwd))|i(?:conv|f(?:config|top)|nstall[\s\v<>]|onice|p(?:6?tables|config)|spell)|j(?:ava[\s\v<>]|exec|o(?:(?:bs|in)[\s\v<>]|urnalctl)|runscript)|k(?:ill(?:[\s\v<>]|all)|nife[\s\v<>]|sshell)|l(?:a(?:st(?:[\s\v<>]|comm|log(?:in)?)|tex[\s\v<>])|dconfig|ess(?:[\s\v<>]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[\s\v<>]|o(?:(?:ca(?:l|te)|ok)[\s\v<>]|g(?:inctl|(?:nam|sav)e))|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|z(?:c(?:at|mp)|diff|[e-f]?grep|less|m(?:a|ore)))|m(?:a(?:il(?:q|x[\s\v<>])?|ke[\s\v<>]|wk)|(?:kdir|utt)[\s\v<>]|locate|o(?:(?:re|unt)[\s\v<>]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:a(?:no[\s\v<>]|sm|wk)|c(?:\.(?:openbsd|traditional)|at)|e(?:ofetch|t(?:(?:c|st)at|kit-ftp))|ice[\s\v<>]|map|o(?:de[\s\v<>]|hup)|ping|roff|s(?:enter|lookup|tat))|o(?:ctave[\s\v<>]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:s(?:swd|te[\s\v<>])|tch[\s\v<>])|df(?:la)?tex|er(?:f|l(?:5|sh)?|ms)|(?:ft|gre)p|i(?:(?:co|ng)[\s\v<>]|dstat|gz)|k(?:exec|g_?info|ill)|opd|rint(?:env|f[\s\v<>])|s(?:ftp|ql)|tar(?:diff|grep)?|ython[^\s\v]|u(?:ppet[\s\v<>]|shd))|r(?:ak(?:e[\s\v<>]|u)|e(?:a(?:delf|lpath)|(?:dcarpet|name|p(?:eat|lace))[\s\v<>]|stic)|l(?:ogin|wrap)|m(?:dir[\s\v<>]|user)|nano|oute[\s\v<>]|pm(?:db|(?:quer|verif)y)|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:(?:ash|nap|plit)[\s\v<>]|c(?:hed|r(?:een|ipt)[\s\v<>])|diff|e(?:ndmail|rvice[\s\v<>]|t(?:arch|env|facl[\s\v<>]|sid))|ftp|h(?:\.distrib|ell|u(?:f|tdown[\s\v<>]))|l(?:eep[\s\v<>]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v<>])|qlite3|sh(?:-key(?:ge|sca)n|pass)|t(?:art-stop-daemon|dbuf|r(?:ace|ings))|udo|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il[\s\v<>f]|sk(?:set)?)|c(?:l?sh|p(?:dump|ing|traceroute))|elnet|ftp|ime(?:(?:out)?[\s\v<>]|datectl)|mux|ouch[\s\v<>]|r(?:aceroute6?|off)|shark)|u(?:limit[\s\v<>]|n(?:ame|compress|expand|iq|l(?:ink[\s\v<>]|z(?:4|ma))|(?:pig|x)z|rar|s(?:et|hare)[\s\v<>]|z(?:ip|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:ew[\s\v<>]|gr|mdiff|pw|rsh)|olatility)|w(?:a(?:ll|tch)[\s\v<>]|get|h(?:iptail|o(?:ami|is))|i(?:reshark|sh[\s\v<>]))|x(?:args|e(?:la)?tex|mo(?:dmap|re)|pad|term|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|y(?:arn|elp[\s\v<>])|z(?:athura|c(?:at|mp)|diff|[e-f]?grep|(?:ipdetail|les)s|more|run|s(?:oelim|td)|ypper))" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l)|[ls][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:HEAD|POST|y(?:arn|elp))[\s\v&\)<>\|]|a(?:dd(?:group|user)|getty|(?:l(?:ias|pine)|xel)[\s\v&\)<>\|]|nsible-playbook|pt(?:-get|itude[\s\v&\)<>\|])|r(?:ch[\s\v&\)<>\|]|ia2c)|s(?:cii(?:-xfr|85)|pell)|tobm)|b(?:a(?:s(?:e(?:32|64|n(?:ame[\s\v&\)<>\|]|c))|h[\s\v&\)<>\|])|tch[\s\v&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\v&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu)|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:a(?:ncel|psh)[\s\v&\)<>\|]|ertbot|h(?:attr|(?:dir|root)[\s\v&\)<>\|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\v&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\v&\)<>\|]|w(?:say|think))|p(?:an|io|ulimit)|r(?:ash[\s\v&\)<>\|]|on(?:tab)?)|s(?:plit|vtool)|u(?:psfilter|rl[\s\v&\)<>\|]))|d(?:(?:a(?:sh|te)|i(?:alog|ff))[\s\v&\)<>\|]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v&\)<>\|]|sbox)|pkg|vips)|e(?:2fsck|(?:asy_instal|va)l|cho[\s\v&\)<>\|]|fax|grep|macs|n(?:d(?:if|sw)|v-update)|sac|x(?:ec[\s\v&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v&\)<>\|]|r)))|f(?:acter|(?:etch|lock|unction)[\s\v&\)<>\|]|grep|i(?:le(?:[\s\v&\)<>\|]|test)|(?:n(?:d|ger)|sh)[\s\v&\)<>\|])|o(?:ld[\s\v&\)<>\|]|reach)|ping|tp(?:stats|who))|g(?:awk[\s\v&\)<>\|]|core|e(?:ni(?:e[\s\v&\)<>\|]|soimage)|tfacl[\s\v&\)<>\|])|hci|i(?:mp[\s\v&\)<>\|]|nsh)|r(?:ep[\s\v&\)<>\|]|oup(?:[\s\v&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:ash|i(?:ghlight|story))[\s\v&\)<>\|]|e(?:ad[\s\v&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:conv|f(?:config|top)|nstall[\s\v&\)<>\|]|onice|p(?:6?tables|config)|spell)|j(?:ava[\s\v&\)<>\|]|exec|o(?:(?:bs|in)[\s\v&\)<>\|]|urnalctl)|runscript)|k(?:ill(?:[\s\v&\)<>\|]|all)|nife[\s\v&\)<>\|]|sshell)|l(?:a(?:st(?:[\s\v&\)<>\|]|comm|log(?:in)?)|tex[\s\v&\)<>\|])|dconfig|ess(?:[\s\v&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[\s\v&\)<>\|]|o(?:(?:ca(?:l|te)|ok)[\s\v&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|z(?:4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:il(?:[\s\v&\)<>q\|]|x[\s\v&\)<>\|])|ke[\s\v&\)<>\|]|ster\.passwd|wk)|k(?:dir[\s\v&\)<>\|]|fifo|nod|temp)|locate|o(?:squitto|unt[\s\v&\)<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|utt[\s\v&\)<>\|]|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:a(?:no[\s\v&\)<>\|]|sm|wk)|c(?:\.(?:openbsd|traditional)|at)|e(?:ofetch|t(?:(?:c|st)at|kit-ftp|plan))|(?:ice|ull)[\s\v&\)<>\|]|map|o(?:de[\s\v&\)<>\|]|hup)|ping|roff|s(?:enter|lookup|tat))|o(?:ctave[\s\v&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:cman|rted|tch)[\s\v&\)<>\|]|s(?:swd|te[\s\v&\)<>\|]))|d(?:f(?:la)?tex|ksh)|er(?:(?:f|ms)[\s\v&\)<>\|]|l(?:[\s\v&\)5<>\|]|sh))|(?:ft|gre)p|hp(?:-cgi|[57])|i(?:(?:co|ng)[\s\v&\)<>\|]|dstat|gz)|k(?:exec|g_?info|ill)|opd|rint(?:env|f[\s\v&\)<>\|])|s(?:ed|ftp|ql)|tar(?:diff|grep)?|u(?:ppet[\s\v&\)<>\|]|shd)|wd\.db|y(?:thon[^\s\v]|3?versions))|r(?:ak(?:e[\s\v&\)<>\|]|u)|bash|e(?:a(?:delf|lpath)|(?:dcarpet|name|p(?:eat|lace))[\s\v&\)<>\|]|stic)|l(?:ogin|wrap)|m(?:dir[\s\v&\)<>\|]|user)|nano|oute[\s\v&\)<>\|]|pm(?:db|(?:quer|verif)y)|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:(?:ash|nap)[\s\v&\)<>\|]|c(?:hed|r(?:een|ipt)[\s\v&\)<>\|])|diff|e(?:(?:lf|rvice)[\s\v&\)<>\|]|ndmail|t(?:arch|env|facl[\s\v&\)<>\|]|sid))|ftp|h(?:\.distrib|(?:adow|ells)[\s\v&\)<>\|]|u(?:f|tdown[\s\v&\)<>\|]))|l(?:eep[\s\v&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v&\)<>\|])|p(?:lit[\s\v&\)<>\|]|wd\.db)|qlite3|sh(?:-key(?:ge|sca)n|pass)|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\v&\)<>\|]))|udo|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il[\s\v&\)<>f\|]|sk(?:[\s\v&\)<>\|]|set))|c(?:l?sh|p(?:dump|ing|traceroute))|elnet|ftp|ime(?:datectl|out[\s\v&\)<>\|])|mux|ouch[\s\v&\)<>\|]|r(?:aceroute6?|off)|shark)|u(?:limit[\s\v&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\v&\)<>\|]|expand|iq|l(?:ink[\s\v&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\v&\)<>\|]|std))|p(?:2date[\s\v&\)<>\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:ew[\s\v&\)<>\|]|gr|mdiff|pw|rsh)|olatility[\s\v&\)<>\|])|w(?:a(?:ll|tch)[\s\v&\)<>\|]|get|h(?:iptail[\s\v&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\v&\)<>\|]))|x(?:args|e(?:la)?tex|mo(?:dmap|re)|pad|term|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:athura|c(?:at|mp)|diff|e(?:grep|ro[\s\v&\)<>\|])|f?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|s(?:oelim|td(?:(?:ca|m)t|grep|less)?)|ypper))" \ "id:932235,\ phase:2,\ block,\ @@ -182,40 +194,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" - -# Apache 2.2 requires configuration file lines to be under 8kB. -# Therefore, some remaining commands have been split off to a separate rule. -# For explanation of this rule, see rule 932370. -# -# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit: -# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ] -# -# Regular expression generated from regex-assembly/932115.ra. -# To update the regular expression run the following shell script -# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): -# crs-toolchain regex update 932115 -# -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:t[\"\^]*i[\"\^]*m[\"\^]*e|[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:o[\"\^]*(?:d[\"\^]*b[\"\^]*c[\"\^]*(?:a[\"\^]*d[\"\^]*3[\"\^]*2|c[\"\^]*o[\"\^]*n[\"\^]*f)|p[\"\^]*e[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)|p[\"\^]*(?:a[\"\^]*t[\"\^]*h[\"\^]*(?:[\s\v,\.-/;-<>].*|p[\"\^]*i[\"\^]*n[\"\^]*g)|e[\"\^]*r[\"\^]*(?:f[\"\^]*m[\"\^]*o[\"\^]*n|l(?:[\"\^]*(?:5|s[\"\^]*h))?)|h[\"\^]*p(?:[\"\^]*[57])?|i[\"\^]*n[\"\^]*g|k[\"\^]*g[\"\^]*m[\"\^]*g[\"\^]*r|o[\"\^]*(?:p[\"\^]*d|r[\"\^]*t[\"\^]*q[\"\^]*r[\"\^]*y|w[\"\^]*e[\"\^]*r[\"\^]*(?:c[\"\^]*f[\"\^]*g|s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l(?:[\"\^]*_[\"\^]*i[\"\^]*s[\"\^]*e)?))|r[\"\^]*(?:i[\"\^]*n[\"\^]*t[\"\^]*(?:[\s\v,\.-/;-<>].*|b[\"\^]*r[\"\^]*m)|n[\"\^]*(?:c[\"\^]*n[\"\^]*f[\"\^]*g|m[\"\^]*n[\"\^]*g[\"\^]*r)|o[\"\^]*m[\"\^]*p[\"\^]*t)|s[\"\^]*(?:e[\"\^]*x[\"\^]*e[\"\^]*c|f[\"\^]*i[\"\^]*l[\"\^]*e|g[\"\^]*e[\"\^]*t[\"\^]*s[\"\^]*i[\"\^]*d|i[\"\^]*n[\"\^]*f[\"\^]*o|k[\"\^]*i[\"\^]*l[\"\^]*l|l[\"\^]*(?:i[\"\^]*s[\"\^]*t|o[\"\^]*g[\"\^]*(?:g[\"\^]*e[\"\^]*d[\"\^]*o[\"\^]*n|l[\"\^]*i[\"\^]*s[\"\^]*t))|p[\"\^]*(?:a[\"\^]*s[\"\^]*s[\"\^]*w[\"\^]*d|i[\"\^]*n[\"\^]*g)|s[\"\^]*(?:e[\"\^]*r[\"\^]*v[\"\^]*i[\"\^]*c[\"\^]*e|h[\"\^]*u[\"\^]*t[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n|u[\"\^]*s[\"\^]*p[\"\^]*e[\"\^]*n[\"\^]*d))|u[\"\^]*s[\"\^]*h[\"\^]*d|y[\"\^]*t[\"\^]*h[\"\^]*o[\"\^]*n(?:[\"\^]*(?:2|3(?:[\"\^]*m)?))?)|q[\"\^]*(?:g[\"\^]*r[\"\^]*e[\"\^]*p|p[\"\^]*r[\"\^]*o[\"\^]*c[\"\^]*e[\"\^]*s[\"\^]*s|u[\"\^]*e[\"\^]*r[\"\^]*y[\"\^]*[\s\v,\.-/;-<>].*|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a)|r[\"\^]*(?:a[\"\^]*(?:r[\"\^]*[\s\v,\.-/;-<>].*|s[\"\^]*(?:d[\"\^]*i[\"\^]*a[\"\^]*l|p[\"\^]*h[\"\^]*o[\"\^]*n[\"\^]*e))|d[\"\^]*[\s\v,\.-/;-<>].*|e[\"\^]*(?:c[\"\^]*(?:d[\"\^]*i[\"\^]*s[\"\^]*c|o[\"\^]*v[\"\^]*e[\"\^]*r)|g[\"\^]*(?:[\s\v,\.-/;-<>].*|e[\"\^]*d[\"\^]*i[\"\^]*t|i[\"\^]*n[\"\^]*i|s[\"\^]*v[\"\^]*r[\"\^]*3[\"\^]*2)|k[\"\^]*e[\"\^]*y[\"\^]*w[\"\^]*i[\"\^]*z|(?:n[\"\^]*(?:a[\"\^]*m[\"\^]*e[\"\^]*)?|(?:p[\"\^]*l[\"\^]*a[\"\^]*c[\"\^]*e|s[\"\^]*e[\"\^]*t)[\"\^]*)[\s\v,\.-/;-<>].*)|m[\"\^]*(?:(?:d[\"\^]*i[\"\^]*r[\"\^]*)?[\s\v,\.-/;-<>].*|t[\"\^]*s[\"\^]*h[\"\^]*a[\"\^]*r[\"\^]*e)|o[\"\^]*(?:b[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y|u[\"\^]*t[\"\^]*e[\"\^]*[\s\v,\.-/;-<>].*)|s[\"\^]*(?:t[\"\^]*r[\"\^]*u[\"\^]*i|y[\"\^]*n[\"\^]*c)|u[\"\^]*(?:b[\"\^]*y[\"\^]*(?:1(?:[\"\^]*[8-9])?|2[\"\^]*[0-2])|n[\"\^]*(?:a[\"\^]*s|d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2)))|s[\"\^]*(?:c[\"\^]*(?:h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|l[\"\^]*i[\"\^]*s[\"\^]*t)|e[\"\^]*(?:c[\"\^]*p[\"\^]*o[\"\^]*l|l[\"\^]*e[\"\^]*c[\"\^]*t|t[\"\^]*(?:(?:x[\"\^]*)?[\s\v,\.-/;-<>].*|l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l))|f[\"\^]*c|h[\"\^]*(?:a[\"\^]*r[\"\^]*e|e[\"\^]*l[\"\^]*l[\"\^]*r[\"\^]*u[\"\^]*n[\"\^]*a[\"\^]*s|i[\"\^]*f[\"\^]*t|o[\"\^]*(?:r[\"\^]*t[\"\^]*c[\"\^]*u[\"\^]*t|w[\"\^]*(?:g[\"\^]*r[\"\^]*p|m[\"\^]*b[\"\^]*r)[\"\^]*s)|r[\"\^]*p[\"\^]*u[\"\^]*b[\"\^]*w|u[\"\^]*t[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n)|i[\"\^]*g[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f|l[\"\^]*(?:e[\"\^]*e[\"\^]*p|m[\"\^]*g[\"\^]*r)|(?:o|t[\"\^]*a)[\"\^]*r[\"\^]*t[\"\^]*[\s\v,\.-/;-<>].*|u[\"\^]*b[\"\^]*(?:i[\"\^]*n[\"\^]*a[\"\^]*c[\"\^]*l|s[\"\^]*t)|v[\"\^]*n|y[\"\^]*s[\"\^]*(?:d[\"\^]*m|k[\"\^]*e[\"\^]*y|t[\"\^]*e[\"\^]*m[\"\^]*(?:i[\"\^]*n[\"\^]*f[\"\^]*o|p[\"\^]*r[\"\^]*o[\"\^]*p[\"\^]*e[\"\^]*r[\"\^]*t[\"\^]*i[\"\^]*e[\"\^]*s[\"\^]*(?:a[\"\^]*d[\"\^]*v[\"\^]*a[\"\^]*n[\"\^]*c[\"\^]*e[\"\^]*d|d[\"\^]*a[\"\^]*t[\"\^]*a[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*p[\"\^]*r[\"\^]*e[\"\^]*v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n|(?:h[\"\^]*a[\"\^]*r[\"\^]*d[\"\^]*w[\"\^]*a[\"\^]*r|p[\"\^]*e[\"\^]*r[\"\^]*f[\"\^]*o[\"\^]*r[\"\^]*m[\"\^]*a[\"\^]*n[\"\^]*c)[\"\^]*e))))|t[\"\^]*(?:a[\"\^]*(?:k[\"\^]*e[\"\^]*o[\"\^]*w[\"\^]*n|s[\"\^]*k[\"\^]*(?:k[\"\^]*i[\"\^]*l[\"\^]*l|l[\"\^]*i[\"\^]*s[\"\^]*t|m[\"\^]*g[\"\^]*r|s[\"\^]*c[\"\^]*h[\"\^]*d))|(?:e[\"\^]*l[\"\^]*n[\"\^]*e|i[\"\^]*m[\"\^]*e[\"\^]*o[\"\^]*u|l[\"\^]*i[\"\^]*s|p[\"\^]*m[\"\^]*i[\"\^]*n[\"\^]*i)[\"\^]*t|r[\"\^]*(?:a[\"\^]*c[\"\^]*e[\"\^]*r[\"\^]*t|e[\"\^]*e)|s[\"\^]*(?:d[\"\^]*i[\"\^]*s[\"\^]*c[\"\^]*o|s[\"\^]*h[\"\^]*u[\"\^]*t[\"\^]*d)[\"\^]*n|y[\"\^]*p[\"\^]*e[\"\^]*(?:[\s\v,\.-/;-<>].*|p[\"\^]*e[\"\^]*r[\"\^]*f))|u[\"\^]*(?:n[\"\^]*(?:r[\"\^]*a[\"\^]*r|z[\"\^]*i[\"\^]*p)|s[\"\^]*(?:e[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*c[\"\^]*o[\"\^]*u[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*t[\"\^]*r[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*t[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s|r[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t))|v[\"\^]*(?:e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*y|o[\"\^]*l[\"\^]*[\s\v,\.-/;-<>].*)|w[\"\^]*(?:a[\"\^]*i[\"\^]*t[\"\^]*f[\"\^]*o[\"\^]*r|e[\"\^]*v[\"\^]*t[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|g[\"\^]*e[\"\^]*t|h[\"\^]*o[\"\^]*a[\"\^]*m[\"\^]*i|i[\"\^]*n[\"\^]*(?:d[\"\^]*i[\"\^]*f[\"\^]*f|m[\"\^]*s[\"\^]*d[\"\^]*p|r[\"\^]*[ms]|v[\"\^]*a[\"\^]*r)|m[\"\^]*i[\"\^]*(?:c|m[\"\^]*g[\"\^]*m[\"\^]*t)|s[\"\^]*c[\"\^]*(?:r[\"\^]*i[\"\^]*p[\"\^]*t|u[\"\^]*i)|u[\"\^]*(?:a[\"\^]*(?:p[\"\^]*p|u[\"\^]*c[\"\^]*l[\"\^]*t)|s[\"\^]*a))|x[\"\^]*c[\"\^]*(?:a[\"\^]*c[\"\^]*l[\"\^]*s|o[\"\^]*p[\"\^]*y)|z[\"\^]*i[\"\^]*p[\"\^]*[\s\v,\.-/;-<>].*)(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \ - "id:932115,\ - phase:2,\ - block,\ - capture,\ - t:none,\ - msg:'Remote Command Execution: Windows Command Injection',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-shell',\ - tag:'platform-windows',\ - tag:'attack-rce',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/88',\ - tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -229,8 +208,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # # If you are not running Windows, it is safe to disable this rule. # -# https://technet.microsoft.com/en-us/magazine/ff714569.aspx -# https://msdn.microsoft.com/en-us/powershell/scripting/core-powershell/console/powershell.exe-command-line-help +# https://learn.microsoft.com/en-us/previous-versions/technet-magazine/ff714569(v=msdn.10) # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile windows-powershell-commands.data" \ "id:932120,\ @@ -249,7 +227,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -283,7 +261,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -301,15 +279,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # $((foo)) Arithmetic expansion # /e[t]c Shell glob expression to bypass wordlists # +# This rule has a stricter sibling: 932131 (PL2) that applies the same regex to User-Agent and Referer +# +# This rule is essential to defend against the Log4J / Log4Shell attacks (see also rule 944150) +# # Regular expression generated from regex-assembly/932130.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932130 # -# This rule has a stricter sibling: 932131 (PL2) that applies the same regex to User-Agent and Referer -# -# This rule is essential to defend against the Log4J / Log4Shell attacks (see also rule 944150) -# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \$(?:\((?:.*|\(.*\))\)|\{.*\})|[<>]\(.*\)|/[0-9A-Z_a-z]*\[!?.+\]" \ "id:932130,\ phase:2,\ @@ -326,7 +304,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -373,7 +351,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -417,14 +395,20 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # .932240 (generic detection, PL2, targets generic evasion attempts) # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, # - with and without prefix +# - words of any length) +# ..932239 (sibling of 932236, PL2, +# - with and without prefix # - words of any length +# - targets request headers user-agent and referer only +# - excluded words: known user-agents) +# ..932238 (stricter sibling of 932236, PL3, # - no excluded words) # .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, # - targets request headers user-agent and referer only # - without prefix # - with word boundaries # - words of any length -# - no excluded words) +# - excluded words: known user-agents) # # # Regular expression generated from regex-assembly/932250.ra. @@ -432,7 +416,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932250 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ar])?|(?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|x)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|(?:g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|n)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|[kz][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[sz]|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|(?:s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?h|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m)[\s\v&\)<>\|]" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l)|[ls][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[arx])?|(?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|x)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|[ckz][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|f[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dg]|g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?g)|(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:s|z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?4)?)|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)?|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|(?:s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?h|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m)[\s\v&\)<>\|]" \ "id:932250,\ phase:2,\ block,\ @@ -448,7 +432,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -470,14 +454,20 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # .932240 (generic detection, PL2, targets generic evasion attempts) # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, # - with and without prefix +# - words of any length) +# ..932239 (sibling of 932236, PL2, +# - with and without prefix # - words of any length +# - targets request headers user-agent and referer only +# - excluded words: known user-agents) +# ..932238 (stricter sibling of 932236, PL3, # - no excluded words) # .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, # - targets request headers user-agent and referer only # - without prefix # - with word boundaries # - words of any length -# - no excluded words) +# - excluded words: known user-agents) # # # Regular expression generated from regex-assembly/932260.ra. @@ -485,14 +475,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932260 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:b(?:as(?:e(?:32|64|nc)|h)|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2|less|more))|c(?:o(?:mmand[\s\v<>]|proc)|url)|d(?:(?:ash|iff)[\s\v<>]|mesg|oas)|e(?:(?:cho|xec)[\s\v<>]|grep|val)|f(?:etch[\s\v<>]|grep|iletest|tp(?:stats|who))|g(?:rep[\s\v<>]|unzip|z(?:cat|exe|ip))|(?:head|java)[\s\v<>]|l(?:ast(?:comm|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:get)?|s(?:-F|b_release|cpu|mod|of|pci|usb)|wp-download|ynx[\s\v<>]|z(?:c(?:at|mp)|diff|[e-f]?grep|less|m(?:a|ore)))|m(?:ailq|locate|ysql(?:admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:\.(?:openbsd|traditional)|at)|et(?:(?:c|st)at|kit-ftp)|ohup|ping|stat)|onintr|p(?:erl5?|(?:ft|gre)p|igz|k(?:exec|ill)|opd|rint(?:env|f[\s\v<>])|tar(?:diff|grep)?|ython[^\s\v])|r(?:e(?:alpath|(?:name|p(?:eat|lace))[\s\v<>])|m(?:dir[\s\v<>]|user)|nano|sync|uby[^\s\v])|s(?:ched|diff|e(?:ndmail|t(?:env|sid))|ftp|h(?:\.distrib|ell)|o(?:cat|urce[\s\v<>])|trings|udo|ysctl)|t(?:ail[\s\v<>f]|c(?:p(?:ing|traceroute)|sh)|elnet|imeout[\s\v<>]|raceroute6?)|u(?:n(?:ame|compress|lz(?:4|ma)|(?:pig|x)z|rar|set[\s\v<>]|z(?:ip|std))|ser(?:(?:ad|mo)d|del))|vi(?:gr|pw)|w(?:get|hoami)|x(?:args|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:c(?:at|mp)|diff|[e-f]?grep|(?:ipdetail|les)s|more|run|std))" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l)|[ls][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:a(?:ddgroup|xel[\s\v&\)<>\|])|b(?:ase(?:32|64|nc)|lkid|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|yobu|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:h(?:g(?:passwd|rp)|pass|sh)|lang\+\+|o(?:mm[\s\v&\)<>\|]|proc)|ron)|d(?:iff[\s\v&\)<>\|]|mesg|oas)|e(?:2fsck|grep)|f(?:grep|iletest|tp(?:stats|who))|g(?:r(?:ep[\s\v&\)<>\|]|oupmod)|unzip|z(?:cat|exe|ip))|htop|l(?:ast(?:comm|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:get)?|osetup|s(?:-F|b_release|cpu|mod|of|pci|usb)|wp-download|z(?:4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:ilq|ster\.passwd)|k(?:fifo|nod|temp)|locate|ysql(?:admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:\.(?:openbsd|traditional)|at)|et(?:(?:c|st)at|kit-ftp|plan)|ohup|ping|stat)|onintr|p(?:dksh|er(?:f[\s\v&\)<>\|]|l[\s\v&\)5<>\|])|(?:ft|gre)p|hp(?:-cgi|[57])|igz|k(?:exec|ill)|(?:op|se)d|rint(?:env|f[\s\v&\)<>\|])|tar(?:diff|grep)?|wd\.db|y(?:thon[2-3]|3?versions))|r(?:(?:bas|ealpat)h|m(?:dir[\s\v&\)<>\|]|user)|nano|sync)|s(?:diff|e(?:ndmail|t(?:env|sid))|ftp|(?:h\.distri|pwd\.d)b|ocat|td(?:err|in|out)|udo|ysctl)|t(?:ailf|c(?:p(?:ing|traceroute)|sh)|elnet|imeout[\s\v&\)<>\|]|raceroute6?)|u(?:n(?:ame|lz(?:4|ma)|(?:pig|x)z|rar|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:gr|pw)|w(?:get|hoami)|x(?:args|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more))|z(?:c(?:at|mp)|diff|[e-f]?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|std(?:(?:ca|m)t|grep|less)?))" \ "id:932260,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Direct Unix Command Execution',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{TX.932260_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ @@ -501,13 +491,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - chain" - SecRule MATCHED_VAR "!@rx [0-9]\s*\'\s*[0-9]" \ - "t:none,\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + setvar:'tx.932260_matched_var_name=%{matched_var_name}',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" # [ Unix shell history invocation ] # @@ -540,7 +528,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -581,7 +569,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -612,7 +600,7 @@ SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -633,7 +621,7 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -675,7 +663,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -687,7 +675,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # Detects attempts to upload a file with a forbidden filename. # # Many application contain Unrestricted File Upload vulnerabilities. -# https://www.owasp.org/index.php/Unrestricted_File_Upload +# https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload # # These might be abused to upload configuration files or other files # that affect the behavior of the web server, possibly causing remote @@ -710,7 +698,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -721,8 +709,8 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD # This rule detects Windows shell command injections. # If you are not running Windows, it is safe to disable this rule. # -# New in CRSv4: The rules 932110 and 932115 were reorganized and moved to new rules 932370 and 932380 based on their contents. -# The new rules target specific Windows binaries to easy updating in the future. +# New in CRSv4: The rules 932110 and 932115 were reorganized and renumbered to 932370 and 932380. +# The new rules target specific Windows binaries to simplify future updates of the command list. # # A command injection takes a form such as: # @@ -788,7 +776,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932370 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:t[\"\^]*i[\"\^]*m[\"\^]*e|[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:c[\"\^]*c[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*c[\"\^]*k[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*s[\"\^]*o[\"\^]*l[\"\^]*e|d[\"\^]*(?:p[\"\^]*l[\"\^]*u[\"\^]*s|v[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k)|(?:g[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*o|s[\"\^]*p[\"\^]*n[\"\^]*e[\"\^]*t[\"\^]*_[\"\^]*c[\"\^]*o[\"\^]*m[\"\^]*p[\"\^]*i[\"\^]*l[\"\^]*e)[\"\^]*r|p[\"\^]*p[\"\^]*(?:i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*l[\"\^]*l[\"\^]*e[\"\^]*r|v[\"\^]*l[\"\^]*p)|t[\"\^]*(?:[\s\v,\.-/;-<>].*|b[\"\^]*r[\"\^]*o[\"\^]*k[\"\^]*e[\"\^]*r))|b[\"\^]*(?:a[\"\^]*s[\"\^]*h|g[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|c[\"\^]*(?:d[\"\^]*b|e[\"\^]*r[\"\^]*t[\"\^]*(?:o[\"\^]*c|r[\"\^]*e[\"\^]*q|u[\"\^]*t[\"\^]*i[\"\^]*l)|l[\"\^]*_[\"\^]*(?:i[\"\^]*n[\"\^]*v[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n|l[\"\^]*o[\"\^]*a[\"\^]*d[\"\^]*a[\"\^]*s[\"\^]*s[\"\^]*e[\"\^]*m[\"\^]*b[\"\^]*l[\"\^]*y|m[\"\^]*u[\"\^]*t[\"\^]*e[\"\^]*x[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*i[\"\^]*e[\"\^]*r[\"\^]*s)|m[\"\^]*(?:d(?:[\"\^]*(?:k[\"\^]*e[\"\^]*y|l[\"\^]*3[\"\^]*2))?|s[\"\^]*t[\"\^]*p)|o[\"\^]*(?:m[\"\^]*s[\"\^]*v[\"\^]*c[\"\^]*s|n[\"\^]*(?:f[\"\^]*i[\"\^]*g[\"\^]*s[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*r[\"\^]*i[\"\^]*t[\"\^]*y[\"\^]*p[\"\^]*o[\"\^]*l[\"\^]*i[\"\^]*c[\"\^]*y|h[\"\^]*o[\"\^]*s[\"\^]*t|t[\"\^]*r[\"\^]*o[\"\^]*l)|r[\"\^]*e[\"\^]*g[\"\^]*e[\"\^]*n)|r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e[\"\^]*d[\"\^]*u[\"\^]*m[\"\^]*p|s[\"\^]*(?:c(?:[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)?|i)|u[\"\^]*s[\"\^]*t[\"\^]*o[\"\^]*m[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t)|d[\"\^]*(?:a[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*v[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|e[\"\^]*(?:f[\"\^]*a[\"\^]*u[\"\^]*l[\"\^]*t[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|s[\"\^]*k(?:[\"\^]*t[\"\^]*o[\"\^]*p[\"\^]*i[\"\^]*m[\"\^]*g[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n[\"\^]*l[\"\^]*d[\"\^]*r)?|v[\"\^]*(?:i[\"\^]*c[\"\^]*e[\"\^]*c[\"\^]*r[\"\^]*e[\"\^]*d[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*i[\"\^]*a[\"\^]*l[\"\^]*d[\"\^]*e[\"\^]*p[\"\^]*l[\"\^]*o[\"\^]*y[\"\^]*m[\"\^]*e[\"\^]*n[\"\^]*t|t[\"\^]*o[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*r))|f[\"\^]*s[\"\^]*(?:h[\"\^]*i[\"\^]*m|v[\"\^]*c)|i[\"\^]*(?:a[\"\^]*n[\"\^]*t[\"\^]*z|s[\"\^]*k[\"\^]*s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|n[\"\^]*(?:s[\"\^]*c[\"\^]*m[\"\^]*d|x)|o[\"\^]*t[\"\^]*n[\"\^]*e[\"\^]*t|u[\"\^]*m[\"\^]*p[\"\^]*6[\"\^]*4|x[\"\^]*c[\"\^]*a[\"\^]*p)|e[\"\^]*(?:s[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*u[\"\^]*t[\"\^]*l|v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*v[\"\^]*w[\"\^]*r|x[\"\^]*(?:c[\"\^]*e[\"\^]*l|p[\"\^]*(?:a[\"\^]*n[\"\^]*d|l[\"\^]*o[\"\^]*r[\"\^]*e[\"\^]*r)|t[\"\^]*(?:e[\"\^]*x[\"\^]*p[\"\^]*o[\"\^]*r[\"\^]*t|r[\"\^]*a[\"\^]*c[\"\^]*3[\"\^]*2)))|f[\"\^]*(?:i[\"\^]*n[\"\^]*(?:d[\"\^]*s[\"\^]*t|g[\"\^]*e)[\"\^]*r|l[\"\^]*t[\"\^]*m[\"\^]*c|o[\"\^]*r[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s|s[\"\^]*(?:i(?:[\"\^]*a[\"\^]*n[\"\^]*y[\"\^]*c[\"\^]*p[\"\^]*u)?|u[\"\^]*t[\"\^]*i[\"\^]*l)|t[\"\^]*p)|g[\"\^]*(?:f[\"\^]*x[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n[\"\^]*l[\"\^]*o[\"\^]*a[\"\^]*d[\"\^]*w[\"\^]*r[\"\^]*a[\"\^]*p[\"\^]*p[\"\^]*e[\"\^]*r|p[\"\^]*s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|h[\"\^]*h|i[\"\^]*(?:e[\"\^]*(?:4[\"\^]*u[\"\^]*i[\"\^]*n[\"\^]*i[\"\^]*t|a[\"\^]*d[\"\^]*v[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|e[\"\^]*x[\"\^]*e[\"\^]*c|f[\"\^]*r[\"\^]*a[\"\^]*m[\"\^]*e)|l[\"\^]*a[\"\^]*s[\"\^]*m|m[\"\^]*e[\"\^]*w[\"\^]*d[\"\^]*b[\"\^]*l[\"\^]*d|n[\"\^]*(?:f[\"\^]*d[\"\^]*e[\"\^]*f[\"\^]*a[\"\^]*u[\"\^]*l[\"\^]*t[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*l|s[\"\^]*t[\"\^]*a[\"\^]*l[\"\^]*l[\"\^]*u[\"\^]*t[\"\^]*i)[\"\^]*l)|j[\"\^]*s[\"\^]*c|l[\"\^]*(?:a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*-[\"\^]*v[\"\^]*s[\"\^]*d[\"\^]*e[\"\^]*v[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l|d[\"\^]*i[\"\^]*f[\"\^]*d[\"\^]*e)|m[\"\^]*(?:a[\"\^]*(?:k[\"\^]*e[\"\^]*c[\"\^]*a[\"\^]*b|n[\"\^]*a[\"\^]*g[\"\^]*e[\"\^]*-[\"\^]*b[\"\^]*d[\"\^]*e|v[\"\^]*i[\"\^]*n[\"\^]*j[\"\^]*e[\"\^]*c[\"\^]*t)|f[\"\^]*t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e|i[\"\^]*c[\"\^]*r[\"\^]*o[\"\^]*s[\"\^]*o[\"\^]*f[\"\^]*t|m[\"\^]*c|p[\"\^]*c[\"\^]*m[\"\^]*d[\"\^]*r[\"\^]*u[\"\^]*n|s[\"\^]*(?:(?:b[\"\^]*u[\"\^]*i[\"\^]*l|o[\"\^]*h[\"\^]*t[\"\^]*m[\"\^]*e)[\"\^]*d|c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|d[\"\^]*(?:e[\"\^]*p[\"\^]*l[\"\^]*o[\"\^]*y|t)|h[\"\^]*t[\"\^]*(?:a|m[\"\^]*l)|i[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c|p[\"\^]*u[\"\^]*b|x[\"\^]*s[\"\^]*l))|n[\"\^]*(?:e[\"\^]*t[\"\^]*s[\"\^]*h|t[\"\^]*d[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l)|o[\"\^]*(?:d[\"\^]*b[\"\^]*c[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f|f[\"\^]*f[\"\^]*l[\"\^]*i[\"\^]*n[\"\^]*e[\"\^]*s[\"\^]*c[\"\^]*a[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*r[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l|n[\"\^]*e[\"\^]*d[\"\^]*r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*n[\"\^]*d[\"\^]*a[\"\^]*l[\"\^]*o[\"\^]*n[\"\^]*e[\"\^]*u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e[\"\^]*r|p[\"\^]*e[\"\^]*n[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*s[\"\^]*o[\"\^]*l[\"\^]*e)|p[\"\^]*(?:c[\"\^]*(?:a[\"\^]*l[\"\^]*u[\"\^]*a|w[\"\^]*(?:r[\"\^]*u[\"\^]*n|u[\"\^]*t[\"\^]*l))|(?:e[\"\^]*s[\"\^]*t[\"\^]*e|s)[\"\^]*r|(?:k[\"\^]*t[\"\^]*m[\"\^]*o|u[\"\^]*b[\"\^]*p[\"\^]*r)[\"\^]*n|n[\"\^]*p[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|o[\"\^]*w[\"\^]*e[\"\^]*r[\"\^]*p[\"\^]*n[\"\^]*t|r[\"\^]*(?:e[\"\^]*s[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t|i[\"\^]*n[\"\^]*t(?:[\"\^]*b[\"\^]*r[\"\^]*m)?|o[\"\^]*(?:c[\"\^]*d[\"\^]*u[\"\^]*m[\"\^]*p|t[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*l[\"\^]*h[\"\^]*a[\"\^]*n[\"\^]*d[\"\^]*l[\"\^]*e[\"\^]*r)))|r[\"\^]*(?:a[\"\^]*s[\"\^]*a[\"\^]*u[\"\^]*t[\"\^]*o[\"\^]*u|c[\"\^]*s[\"\^]*i|(?:d[\"\^]*r[\"\^]*l[\"\^]*e[\"\^]*a[\"\^]*k[\"\^]*d[\"\^]*i[\"\^]*a|p[\"\^]*c[\"\^]*p[\"\^]*i[\"\^]*n)[\"\^]*g|e[\"\^]*(?:g(?:[\"\^]*(?:a[\"\^]*s[\"\^]*m|e[\"\^]*d[\"\^]*i[\"\^]*t|i[\"\^]*(?:n[\"\^]*i|s[\"\^]*t[\"\^]*e[\"\^]*r[\"\^]*-[\"\^]*c[\"\^]*i[\"\^]*m[\"\^]*p[\"\^]*r[\"\^]*o[\"\^]*v[\"\^]*i[\"\^]*d[\"\^]*e[\"\^]*r)|s[\"\^]*v[\"\^]*(?:c[\"\^]*s|r[\"\^]*3[\"\^]*2)))?|(?:m[\"\^]*o[\"\^]*t|p[\"\^]*l[\"\^]*a[\"\^]*c)[\"\^]*e)|u[\"\^]*n[\"\^]*(?:d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|(?:e[\"\^]*x[\"\^]*e|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*p[\"\^]*e[\"\^]*r|o[\"\^]*n[\"\^]*c[\"\^]*e))|s[\"\^]*(?:c[\"\^]*(?:[\s\v,\.-/;-<>].*|h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|r[\"\^]*i[\"\^]*p[\"\^]*t[\"\^]*r[\"\^]*u[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*r)|e[\"\^]*t[\"\^]*(?:r[\"\^]*e[\"\^]*s|t[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s[\"\^]*y[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t|u[\"\^]*p[\"\^]*a[\"\^]*p[\"\^]*i)|h[\"\^]*(?:d[\"\^]*o[\"\^]*c[\"\^]*v[\"\^]*w|e[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2)|q[\"\^]*(?:l[\"\^]*(?:d[\"\^]*u[\"\^]*m[\"\^]*p[\"\^]*e[\"\^]*r|(?:t[\"\^]*o[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*)?p[\"\^]*s)|u[\"\^]*i[\"\^]*r[\"\^]*r[\"\^]*e[\"\^]*l)|s[\"\^]*h|t[\"\^]*o[\"\^]*r[\"\^]*d[\"\^]*i[\"\^]*a[\"\^]*g|y[\"\^]*(?:n[\"\^]*c[\"\^]*a[\"\^]*p[\"\^]*p[\"\^]*v[\"\^]*p[\"\^]*u[\"\^]*b[\"\^]*l[\"\^]*i[\"\^]*s[\"\^]*h[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s[\"\^]*e[\"\^]*r[\"\^]*v[\"\^]*e[\"\^]*r|s[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p))|t[\"\^]*(?:e[\"\^]*[\s\v,\.-/;-<>].*|r[\"\^]*a[\"\^]*c[\"\^]*k[\"\^]*e[\"\^]*r|t[\"\^]*(?:d[\"\^]*i[\"\^]*n[\"\^]*j[\"\^]*e[\"\^]*c[\"\^]*t|t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e[\"\^]*r))|u[\"\^]*(?:n[\"\^]*r[\"\^]*e[\"\^]*g[\"\^]*m[\"\^]*p[\"\^]*2|p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e|r[\"\^]*l|t[\"\^]*i[\"\^]*l[\"\^]*i[\"\^]*t[\"\^]*y[\"\^]*f[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*s)|v[\"\^]*(?:b[\"\^]*c|e[\"\^]*r[\"\^]*c[\"\^]*l[\"\^]*s[\"\^]*i[\"\^]*d|i[\"\^]*s[\"\^]*u[\"\^]*a[\"\^]*l[\"\^]*u[\"\^]*i[\"\^]*a[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*y[\"\^]*n[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*v[\"\^]*e|s[\"\^]*(?:i[\"\^]*i[\"\^]*s[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h|j[\"\^]*i[\"\^]*t[\"\^]*d[\"\^]*e[\"\^]*b[\"\^]*u[\"\^]*g[\"\^]*g)[\"\^]*e[\"\^]*r)|w[\"\^]*(?:a[\"\^]*b|(?:f|m[\"\^]*i)[\"\^]*c|i[\"\^]*n[\"\^]*(?:g[\"\^]*e[\"\^]*t|r[\"\^]*m|w[\"\^]*o[\"\^]*r[\"\^]*d)|l[\"\^]*r[\"\^]*m[\"\^]*d[\"\^]*r|o[\"\^]*r[\"\^]*k[\"\^]*f[\"\^]*o[\"\^]*l[\"\^]*d[\"\^]*e[\"\^]*r[\"\^]*s|s[\"\^]*(?:(?:c[\"\^]*r[\"\^]*i[\"\^]*p|r[\"\^]*e[\"\^]*s[\"\^]*e)[\"\^]*t|l)|t[\"\^]*[\s\v,\.-/;-<>].*|u[\"\^]*a[\"\^]*u[\"\^]*c[\"\^]*l[\"\^]*t)|x[\"\^]*w[\"\^]*i[\"\^]*z[\"\^]*a[\"\^]*r[\"\^]*d|z[\"\^]*i[\"\^]*p[\"\^]*f[\"\^]*l[\"\^]*d[\"\^]*r)(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:c[\"\^]*c[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*c[\"\^]*k[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*s[\"\^]*o[\"\^]*l[\"\^]*e|d[\"\^]*(?:p[\"\^]*l[\"\^]*u[\"\^]*s|v[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k)|(?:g[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*o|s[\"\^]*p[\"\^]*n[\"\^]*e[\"\^]*t[\"\^]*_[\"\^]*c[\"\^]*o[\"\^]*m[\"\^]*p[\"\^]*i[\"\^]*l[\"\^]*e)[\"\^]*r|p[\"\^]*p[\"\^]*(?:i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*l[\"\^]*l[\"\^]*e[\"\^]*r|v[\"\^]*l[\"\^]*p)|t[\"\^]*(?:[\s\v,\.-/;-<>].*|b[\"\^]*r[\"\^]*o[\"\^]*k[\"\^]*e[\"\^]*r))|b[\"\^]*(?:a[\"\^]*s[\"\^]*h|g[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|c[\"\^]*(?:d[\"\^]*b|e[\"\^]*r[\"\^]*t[\"\^]*(?:o[\"\^]*c|r[\"\^]*e[\"\^]*q|u[\"\^]*t[\"\^]*i[\"\^]*l)|l[\"\^]*_[\"\^]*(?:i[\"\^]*n[\"\^]*v[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n|l[\"\^]*o[\"\^]*a[\"\^]*d[\"\^]*a[\"\^]*s[\"\^]*s[\"\^]*e[\"\^]*m[\"\^]*b[\"\^]*l[\"\^]*y|m[\"\^]*u[\"\^]*t[\"\^]*e[\"\^]*x[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*i[\"\^]*e[\"\^]*r[\"\^]*s)|m[\"\^]*(?:d(?:[\"\^]*(?:k[\"\^]*e[\"\^]*y|l[\"\^]*3[\"\^]*2))?|s[\"\^]*t[\"\^]*p)|o[\"\^]*(?:m[\"\^]*s[\"\^]*v[\"\^]*c[\"\^]*s|n[\"\^]*(?:f[\"\^]*i[\"\^]*g[\"\^]*s[\"\^]*e[\"\^]*c[\"\^]*u[\"\^]*r[\"\^]*i[\"\^]*t[\"\^]*y[\"\^]*p[\"\^]*o[\"\^]*l[\"\^]*i[\"\^]*c[\"\^]*y|h[\"\^]*o[\"\^]*s[\"\^]*t|t[\"\^]*r[\"\^]*o[\"\^]*l)|r[\"\^]*e[\"\^]*g[\"\^]*e[\"\^]*n)|r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e[\"\^]*d[\"\^]*u[\"\^]*m[\"\^]*p|s[\"\^]*(?:c(?:[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)?|i)|u[\"\^]*s[\"\^]*t[\"\^]*o[\"\^]*m[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t)|d[\"\^]*(?:a[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*v[\"\^]*c[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|e[\"\^]*(?:f[\"\^]*a[\"\^]*u[\"\^]*l[\"\^]*t[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|s[\"\^]*k(?:[\"\^]*t[\"\^]*o[\"\^]*p[\"\^]*i[\"\^]*m[\"\^]*g[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n[\"\^]*l[\"\^]*d[\"\^]*r)?|v[\"\^]*(?:i[\"\^]*c[\"\^]*e[\"\^]*c[\"\^]*r[\"\^]*e[\"\^]*d[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*i[\"\^]*a[\"\^]*l[\"\^]*d[\"\^]*e[\"\^]*p[\"\^]*l[\"\^]*o[\"\^]*y[\"\^]*m[\"\^]*e[\"\^]*n[\"\^]*t|t[\"\^]*o[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*r))|f[\"\^]*s[\"\^]*(?:h[\"\^]*i[\"\^]*m|v[\"\^]*c)|i[\"\^]*(?:a[\"\^]*n[\"\^]*t[\"\^]*z|s[\"\^]*k[\"\^]*s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|n[\"\^]*(?:s[\"\^]*c[\"\^]*m[\"\^]*d|x)|o[\"\^]*t[\"\^]*n[\"\^]*e[\"\^]*t|u[\"\^]*m[\"\^]*p[\"\^]*6[\"\^]*4|x[\"\^]*c[\"\^]*a[\"\^]*p)|e[\"\^]*(?:s[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*u[\"\^]*t[\"\^]*l|v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*v[\"\^]*w[\"\^]*r|x[\"\^]*(?:c[\"\^]*e[\"\^]*l|p[\"\^]*(?:a[\"\^]*n[\"\^]*d|l[\"\^]*o[\"\^]*r[\"\^]*e[\"\^]*r)|t[\"\^]*(?:e[\"\^]*x[\"\^]*p[\"\^]*o[\"\^]*r[\"\^]*t|r[\"\^]*a[\"\^]*c[\"\^]*3[\"\^]*2)))|f[\"\^]*(?:i[\"\^]*n[\"\^]*(?:d[\"\^]*s[\"\^]*t|g[\"\^]*e)[\"\^]*r|l[\"\^]*t[\"\^]*m[\"\^]*c|o[\"\^]*r[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s|s[\"\^]*(?:i(?:[\"\^]*a[\"\^]*n[\"\^]*y[\"\^]*c[\"\^]*p[\"\^]*u)?|u[\"\^]*t[\"\^]*i[\"\^]*l)|t[\"\^]*p)|g[\"\^]*(?:f[\"\^]*x[\"\^]*d[\"\^]*o[\"\^]*w[\"\^]*n[\"\^]*l[\"\^]*o[\"\^]*a[\"\^]*d[\"\^]*w[\"\^]*r[\"\^]*a[\"\^]*p[\"\^]*p[\"\^]*e[\"\^]*r|p[\"\^]*s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|h[\"\^]*h|i[\"\^]*(?:e[\"\^]*(?:4[\"\^]*u[\"\^]*i[\"\^]*n[\"\^]*i[\"\^]*t|a[\"\^]*d[\"\^]*v[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|e[\"\^]*x[\"\^]*e[\"\^]*c|f[\"\^]*r[\"\^]*a[\"\^]*m[\"\^]*e)|l[\"\^]*a[\"\^]*s[\"\^]*m|m[\"\^]*e[\"\^]*w[\"\^]*d[\"\^]*b[\"\^]*l[\"\^]*d|n[\"\^]*(?:f[\"\^]*d[\"\^]*e[\"\^]*f[\"\^]*a[\"\^]*u[\"\^]*l[\"\^]*t[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*l|s[\"\^]*t[\"\^]*a[\"\^]*l[\"\^]*l[\"\^]*u[\"\^]*t[\"\^]*i)[\"\^]*l)|j[\"\^]*s[\"\^]*c|l[\"\^]*(?:a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*-[\"\^]*v[\"\^]*s[\"\^]*d[\"\^]*e[\"\^]*v[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l|d[\"\^]*i[\"\^]*f[\"\^]*d[\"\^]*e)|m[\"\^]*(?:a[\"\^]*(?:k[\"\^]*e[\"\^]*c[\"\^]*a[\"\^]*b|n[\"\^]*a[\"\^]*g[\"\^]*e[\"\^]*-[\"\^]*b[\"\^]*d[\"\^]*e|v[\"\^]*i[\"\^]*n[\"\^]*j[\"\^]*e[\"\^]*c[\"\^]*t)|f[\"\^]*t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e|i[\"\^]*c[\"\^]*r[\"\^]*o[\"\^]*s[\"\^]*o[\"\^]*f[\"\^]*t|m[\"\^]*c|p[\"\^]*c[\"\^]*m[\"\^]*d[\"\^]*r[\"\^]*u[\"\^]*n|s[\"\^]*(?:(?:b[\"\^]*u[\"\^]*i[\"\^]*l|o[\"\^]*h[\"\^]*t[\"\^]*m[\"\^]*e)[\"\^]*d|c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|d[\"\^]*(?:e[\"\^]*p[\"\^]*l[\"\^]*o[\"\^]*y|t)|h[\"\^]*t[\"\^]*(?:a|m[\"\^]*l)|i[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*c|p[\"\^]*u[\"\^]*b|x[\"\^]*s[\"\^]*l))|n[\"\^]*(?:e[\"\^]*t[\"\^]*s[\"\^]*h|t[\"\^]*d[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l)|o[\"\^]*(?:d[\"\^]*b[\"\^]*c[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f|f[\"\^]*f[\"\^]*l[\"\^]*i[\"\^]*n[\"\^]*e[\"\^]*s[\"\^]*c[\"\^]*a[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*r[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l|n[\"\^]*e[\"\^]*d[\"\^]*r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*n[\"\^]*d[\"\^]*a[\"\^]*l[\"\^]*o[\"\^]*n[\"\^]*e[\"\^]*u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e[\"\^]*r|p[\"\^]*e[\"\^]*n[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*s[\"\^]*o[\"\^]*l[\"\^]*e)|p[\"\^]*(?:c[\"\^]*(?:a[\"\^]*l[\"\^]*u[\"\^]*a|w[\"\^]*(?:r[\"\^]*u[\"\^]*n|u[\"\^]*t[\"\^]*l))|(?:e[\"\^]*s[\"\^]*t[\"\^]*e|s)[\"\^]*r|(?:k[\"\^]*t[\"\^]*m[\"\^]*o|u[\"\^]*b[\"\^]*p[\"\^]*r)[\"\^]*n|n[\"\^]*p[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|o[\"\^]*w[\"\^]*e[\"\^]*r[\"\^]*p[\"\^]*n[\"\^]*t|r[\"\^]*(?:e[\"\^]*s[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t|i[\"\^]*n[\"\^]*t(?:[\"\^]*b[\"\^]*r[\"\^]*m)?|o[\"\^]*(?:c[\"\^]*d[\"\^]*u[\"\^]*m[\"\^]*p|t[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*l[\"\^]*h[\"\^]*a[\"\^]*n[\"\^]*d[\"\^]*l[\"\^]*e[\"\^]*r)))|r[\"\^]*(?:a[\"\^]*s[\"\^]*a[\"\^]*u[\"\^]*t[\"\^]*o[\"\^]*u|c[\"\^]*s[\"\^]*i|(?:d[\"\^]*r[\"\^]*l[\"\^]*e[\"\^]*a[\"\^]*k[\"\^]*d[\"\^]*i[\"\^]*a|p[\"\^]*c[\"\^]*p[\"\^]*i[\"\^]*n)[\"\^]*g|e[\"\^]*(?:g(?:[\"\^]*(?:a[\"\^]*s[\"\^]*m|e[\"\^]*d[\"\^]*i[\"\^]*t|i[\"\^]*(?:n[\"\^]*i|s[\"\^]*t[\"\^]*e[\"\^]*r[\"\^]*-[\"\^]*c[\"\^]*i[\"\^]*m[\"\^]*p[\"\^]*r[\"\^]*o[\"\^]*v[\"\^]*i[\"\^]*d[\"\^]*e[\"\^]*r)|s[\"\^]*v[\"\^]*(?:c[\"\^]*s|r[\"\^]*3[\"\^]*2)))?|(?:m[\"\^]*o[\"\^]*t|p[\"\^]*l[\"\^]*a[\"\^]*c)[\"\^]*e)|u[\"\^]*n[\"\^]*(?:d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|(?:e[\"\^]*x[\"\^]*e|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*p[\"\^]*e[\"\^]*r|o[\"\^]*n[\"\^]*c[\"\^]*e))|s[\"\^]*(?:c[\"\^]*(?:[\s\v,\.-/;-<>].*|h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|r[\"\^]*i[\"\^]*p[\"\^]*t[\"\^]*r[\"\^]*u[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*r)|e[\"\^]*t[\"\^]*(?:r[\"\^]*e[\"\^]*s|t[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s[\"\^]*y[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*o[\"\^]*s[\"\^]*t|u[\"\^]*p[\"\^]*a[\"\^]*p[\"\^]*i)|h[\"\^]*(?:d[\"\^]*o[\"\^]*c[\"\^]*v[\"\^]*w|e[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2)|q[\"\^]*(?:l[\"\^]*(?:d[\"\^]*u[\"\^]*m[\"\^]*p[\"\^]*e[\"\^]*r|(?:t[\"\^]*o[\"\^]*o[\"\^]*l[\"\^]*s[\"\^]*)?p[\"\^]*s)|u[\"\^]*i[\"\^]*r[\"\^]*r[\"\^]*e[\"\^]*l)|s[\"\^]*h|t[\"\^]*o[\"\^]*r[\"\^]*d[\"\^]*i[\"\^]*a[\"\^]*g|y[\"\^]*(?:n[\"\^]*c[\"\^]*a[\"\^]*p[\"\^]*p[\"\^]*v[\"\^]*p[\"\^]*u[\"\^]*b[\"\^]*l[\"\^]*i[\"\^]*s[\"\^]*h[\"\^]*i[\"\^]*n[\"\^]*g[\"\^]*s[\"\^]*e[\"\^]*r[\"\^]*v[\"\^]*e[\"\^]*r|s[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p))|t[\"\^]*(?:e[\"\^]*[\s\v,\.-/;-<>].*|r[\"\^]*a[\"\^]*c[\"\^]*k[\"\^]*e[\"\^]*r|t[\"\^]*(?:d[\"\^]*i[\"\^]*n[\"\^]*j[\"\^]*e[\"\^]*c[\"\^]*t|t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e[\"\^]*r))|u[\"\^]*(?:n[\"\^]*r[\"\^]*e[\"\^]*g[\"\^]*m[\"\^]*p[\"\^]*2|p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e|r[\"\^]*l|t[\"\^]*i[\"\^]*l[\"\^]*i[\"\^]*t[\"\^]*y[\"\^]*f[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*s)|v[\"\^]*(?:b[\"\^]*c|e[\"\^]*r[\"\^]*c[\"\^]*l[\"\^]*s[\"\^]*i[\"\^]*d|i[\"\^]*s[\"\^]*u[\"\^]*a[\"\^]*l[\"\^]*u[\"\^]*i[\"\^]*a[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*i[\"\^]*f[\"\^]*y[\"\^]*n[\"\^]*a[\"\^]*t[\"\^]*i[\"\^]*v[\"\^]*e|s[\"\^]*(?:i[\"\^]*i[\"\^]*s[\"\^]*e[\"\^]*x[\"\^]*e[\"\^]*l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h|j[\"\^]*i[\"\^]*t[\"\^]*d[\"\^]*e[\"\^]*b[\"\^]*u[\"\^]*g[\"\^]*g)[\"\^]*e[\"\^]*r)|w[\"\^]*(?:a[\"\^]*b|(?:f|m[\"\^]*i)[\"\^]*c|i[\"\^]*n[\"\^]*(?:g[\"\^]*e[\"\^]*t|r[\"\^]*m|w[\"\^]*o[\"\^]*r[\"\^]*d)|l[\"\^]*r[\"\^]*m[\"\^]*d[\"\^]*r|o[\"\^]*r[\"\^]*k[\"\^]*f[\"\^]*o[\"\^]*l[\"\^]*d[\"\^]*e[\"\^]*r[\"\^]*s|s[\"\^]*(?:(?:c[\"\^]*r[\"\^]*i[\"\^]*p|r[\"\^]*e[\"\^]*s[\"\^]*e)[\"\^]*t|l)|t[\"\^]*[\s\v,\.-/;-<>].*|u[\"\^]*a[\"\^]*u[\"\^]*c[\"\^]*l[\"\^]*t)|x[\"\^]*w[\"\^]*i[\"\^]*z[\"\^]*a[\"\^]*r[\"\^]*d|z[\"\^]*i[\"\^]*p[\"\^]*f[\"\^]*l[\"\^]*d[\"\^]*r)(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \ "id:932370,\ phase:2,\ block,\ @@ -804,7 +792,44 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + +# +# This rule detects Windows shell command injections. +# If you are not running Windows, it is safe to disable this rule. +# +# New in CRSv4: The rules 932110 and 932115 were reorganized and renumbered to 932370 and 932380. +# The new rules target specific Windows binaries to simplify future updates of the command list. +# +# See rule 932370 above for further explanation. +# +# This rule is case-insensitive. +# +# Regular expression generated from regex-assembly/932380.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932380 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\v]*[\s\v\"'-\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^-_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:s[\"\^]*s[\"\^]*o[\"\^]*c|t[\"\^]*(?:m[\"\^]*a[\"\^]*d[\"\^]*m|t[\"\^]*r[\"\^]*i[\"\^]*b)|u[\"\^]*(?:d[\"\^]*i[\"\^]*t[\"\^]*p[\"\^]*o[\"\^]*l|t[\"\^]*o[\"\^]*(?:c[\"\^]*(?:h[\"\^]*k|o[\"\^]*n[\"\^]*v)|(?:f[\"\^]*m|m[\"\^]*o[\"\^]*u[\"\^]*n)[\"\^]*t)))|b[\"\^]*(?:c[\"\^]*d[\"\^]*(?:b[\"\^]*o[\"\^]*o|e[\"\^]*d[\"\^]*i)[\"\^]*t|(?:d[\"\^]*e[\"\^]*h[\"\^]*d|o[\"\^]*o[\"\^]*t)[\"\^]*c[\"\^]*f[\"\^]*g|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|c[\"\^]*(?:a[\"\^]*c[\"\^]*l[\"\^]*s|e[\"\^]*r[\"\^]*t[\"\^]*(?:r[\"\^]*e[\"\^]*q|u[\"\^]*t[\"\^]*i[\"\^]*l)|h[\"\^]*(?:c[\"\^]*p|d[\"\^]*i[\"\^]*r|g[\"\^]*(?:l[\"\^]*o[\"\^]*g[\"\^]*o[\"\^]*n|p[\"\^]*o[\"\^]*r[\"\^]*t|u[\"\^]*s[\"\^]*r)|k[\"\^]*(?:d[\"\^]*s[\"\^]*k|n[\"\^]*t[\"\^]*f[\"\^]*s))|l[\"\^]*e[\"\^]*a[\"\^]*n[\"\^]*m[\"\^]*g[\"\^]*r|m[\"\^]*(?:d(?:[\"\^]*k[\"\^]*e[\"\^]*y)?|s[\"\^]*t[\"\^]*p)|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|d[\"\^]*(?:c[\"\^]*(?:d[\"\^]*i[\"\^]*a[\"\^]*g|g[\"\^]*p[\"\^]*o[\"\^]*f[\"\^]*i[\"\^]*x)|e[\"\^]*(?:f[\"\^]*r[\"\^]*a[\"\^]*g|l)|f[\"\^]*s[\"\^]*(?:d[\"\^]*i[\"\^]*a|r[\"\^]*m[\"\^]*i)[\"\^]*g|i[\"\^]*(?:a[\"\^]*n[\"\^]*t[\"\^]*z|r|s[\"\^]*(?:k[\"\^]*(?:c[\"\^]*o[\"\^]*(?:m[\"\^]*p|p[\"\^]*y)|p[\"\^]*(?:a[\"\^]*r[\"\^]*t|e[\"\^]*r[\"\^]*f)|r[\"\^]*a[\"\^]*i[\"\^]*d|s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|p[\"\^]*d[\"\^]*i[\"\^]*a[\"\^]*g))|n[\"\^]*s[\"\^]*c[\"\^]*m[\"\^]*d|(?:o[\"\^]*s[\"\^]*k[\"\^]*e|r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*r)[\"\^]*y)|e[\"\^]*(?:n[\"\^]*d[\"\^]*l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l|v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e)|E[\"\^]*v[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*m[\"\^]*d|f[\"\^]*(?:c|i[\"\^]*(?:l[\"\^]*e[\"\^]*s[\"\^]*y[\"\^]*s[\"\^]*t[\"\^]*e[\"\^]*m[\"\^]*s|n[\"\^]*d[\"\^]*s[\"\^]*t[\"\^]*r)|l[\"\^]*a[\"\^]*t[\"\^]*t[\"\^]*e[\"\^]*m[\"\^]*p|o[\"\^]*r(?:[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)?|r[\"\^]*e[\"\^]*e[\"\^]*d[\"\^]*i[\"\^]*s[\"\^]*k|s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|(?:t[\"\^]*y[\"\^]*p|v[\"\^]*e[\"\^]*u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t)[\"\^]*e)|g[\"\^]*(?:e[\"\^]*t[\"\^]*(?:m[\"\^]*a[\"\^]*c|t[\"\^]*y[\"\^]*p[\"\^]*e)|o[\"\^]*t[\"\^]*o|p[\"\^]*(?:f[\"\^]*i[\"\^]*x[\"\^]*u[\"\^]*p|(?:r[\"\^]*e[\"\^]*s[\"\^]*u[\"\^]*l[\"\^]*)?t|u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e)|r[\"\^]*a[\"\^]*f[\"\^]*t[\"\^]*a[\"\^]*b[\"\^]*l)|h[\"\^]*(?:e[\"\^]*l[\"\^]*p[\"\^]*c[\"\^]*t[\"\^]*r|o[\"\^]*s[\"\^]*t[\"\^]*n[\"\^]*a[\"\^]*m[\"\^]*e)|i[\"\^]*(?:c[\"\^]*a[\"\^]*c[\"\^]*l[\"\^]*s|f|p[\"\^]*(?:c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|x[\"\^]*r[\"\^]*o[\"\^]*u[\"\^]*t[\"\^]*e)|r[\"\^]*f[\"\^]*t[\"\^]*p)|j[\"\^]*e[\"\^]*t[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|k[\"\^]*(?:l[\"\^]*i[\"\^]*s[\"\^]*t|s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p|t[\"\^]*(?:m[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|p[\"\^]*a[\"\^]*s[\"\^]*s))|l[\"\^]*(?:o[\"\^]*(?:d[\"\^]*c[\"\^]*t[\"\^]*r|g[\"\^]*(?:m[\"\^]*a[\"\^]*n|o[\"\^]*f[\"\^]*f))|p[\"\^]*[q-r])|m[\"\^]*(?:a[\"\^]*(?:c[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e|k[\"\^]*e[\"\^]*c[\"\^]*a[\"\^]*b|p[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|k[\"\^]*(?:d[\"\^]*i[\"\^]*r|l[\"\^]*i[\"\^]*n[\"\^]*k)|m[\"\^]*c|o[\"\^]*u[\"\^]*n[\"\^]*t[\"\^]*v[\"\^]*o[\"\^]*l|q[\"\^]*(?:b[\"\^]*k[\"\^]*u[\"\^]*p|(?:t[\"\^]*g[\"\^]*)?s[\"\^]*v[\"\^]*c)|s[\"\^]*(?:d[\"\^]*t|i[\"\^]*(?:e[\"\^]*x[\"\^]*e[\"\^]*c|n[\"\^]*f[\"\^]*o[\"\^]*3[\"\^]*2)|t[\"\^]*s[\"\^]*c))|n[\"\^]*(?:b[\"\^]*t[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t|e[\"\^]*t[\"\^]*(?:c[\"\^]*f[\"\^]*g|d[\"\^]*o[\"\^]*m|s[\"\^]*(?:h|t[\"\^]*a[\"\^]*t))|f[\"\^]*s[\"\^]*(?:a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|s[\"\^]*(?:h[\"\^]*a[\"\^]*r[\"\^]*e|t[\"\^]*a[\"\^]*t))|l[\"\^]*(?:b[\"\^]*m[\"\^]*g[\"\^]*r|t[\"\^]*e[\"\^]*s[\"\^]*t)|s[\"\^]*l[\"\^]*o[\"\^]*o[\"\^]*k[\"\^]*u[\"\^]*p|t[\"\^]*(?:b[\"\^]*a[\"\^]*c[\"\^]*k[\"\^]*u[\"\^]*p|c[\"\^]*m[\"\^]*d[\"\^]*p[\"\^]*r[\"\^]*o[\"\^]*m[\"\^]*p[\"\^]*t|f[\"\^]*r[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*l))|o[\"\^]*(?:f[\"\^]*f[\"\^]*l[\"\^]*i[\"\^]*n[\"\^]*e|p[\"\^]*e[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)|p[\"\^]*(?:a[\"\^]*(?:g[\"\^]*e[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i|t[\"\^]*h[\"\^]*p[\"\^]*i[\"\^]*n)[\"\^]*g|(?:b[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i|k[\"\^]*t[\"\^]*m[\"\^]*o)[\"\^]*n|e[\"\^]*(?:n[\"\^]*t[\"\^]*n[\"\^]*t|r[\"\^]*f[\"\^]*m[\"\^]*o[\"\^]*n)|n[\"\^]*p[\"\^]*u[\"\^]*(?:n[\"\^]*a[\"\^]*t[\"\^]*t[\"\^]*e[\"\^]*n[\"\^]*d|t[\"\^]*i[\"\^]*l)|o[\"\^]*(?:p[\"\^]*d|w[\"\^]*e[\"\^]*r[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l)|r[\"\^]*n[\"\^]*(?:c[\"\^]*n[\"\^]*f[\"\^]*g|(?:d[\"\^]*r[\"\^]*v|m[\"\^]*n[\"\^]*g)[\"\^]*r|j[\"\^]*o[\"\^]*b[\"\^]*s|p[\"\^]*o[\"\^]*r[\"\^]*t|q[\"\^]*c[\"\^]*t[\"\^]*l)|u[\"\^]*(?:b[\"\^]*p[\"\^]*r[\"\^]*n|s[\"\^]*h[\"\^]*(?:d|p[\"\^]*r[\"\^]*i[\"\^]*n[\"\^]*t[\"\^]*e[\"\^]*r[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*c[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*s))|w[\"\^]*(?:l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*r|s[\"\^]*h))|q[\"\^]*(?:a[\"\^]*p[\"\^]*p[\"\^]*s[\"\^]*r[\"\^]*v|p[\"\^]*r[\"\^]*o[\"\^]*c[\"\^]*e[\"\^]*s[\"\^]*s|u[\"\^]*s[\"\^]*e[\"\^]*r|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a)|r[\"\^]*(?:d(?:[\"\^]*p[\"\^]*s[\"\^]*i[\"\^]*g[\"\^]*n)?|e[\"\^]*(?:f[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|g(?:[\"\^]*(?:i[\"\^]*n[\"\^]*i|s[\"\^]*v[\"\^]*r[\"\^]*3[\"\^]*2))?|l[\"\^]*o[\"\^]*g|(?:(?:p[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i|s[\"\^]*c[\"\^]*a)[\"\^]*)?n|x[\"\^]*e[\"\^]*c)|i[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p|m[\"\^]*d[\"\^]*i[\"\^]*r|o[\"\^]*b[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y|p[\"\^]*c[\"\^]*(?:i[\"\^]*n[\"\^]*f[\"\^]*o|p[\"\^]*i[\"\^]*n[\"\^]*g)|s[\"\^]*h|u[\"\^]*n[\"\^]*d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a)|s[\"\^]*(?:a[\"\^]*n|c[\"\^]*(?:h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|w[\"\^]*c[\"\^]*m[\"\^]*d)|e[\"\^]*(?:c[\"\^]*e[\"\^]*d[\"\^]*i[\"\^]*t|r[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*(?:(?:c[\"\^]*e[\"\^]*i[\"\^]*p|w[\"\^]*e[\"\^]*r)[\"\^]*o[\"\^]*p[\"\^]*t[\"\^]*i[\"\^]*n|m[\"\^]*a[\"\^]*n[\"\^]*a[\"\^]*g[\"\^]*e[\"\^]*r[\"\^]*c[\"\^]*m[\"\^]*d)|t[\"\^]*x)|f[\"\^]*c|(?:h[\"\^]*o[\"\^]*w[\"\^]*m[\"\^]*o[\"\^]*u[\"\^]*n|u[\"\^]*b[\"\^]*s)[\"\^]*t|x[\"\^]*s[\"\^]*t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e|y[\"\^]*s[\"\^]*(?:o[\"\^]*c[\"\^]*m[\"\^]*g[\"\^]*r|t[\"\^]*e[\"\^]*m[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o))|t[\"\^]*(?:a[\"\^]*(?:k[\"\^]*e[\"\^]*o[\"\^]*w[\"\^]*n|p[\"\^]*i[\"\^]*c[\"\^]*f[\"\^]*g|s[\"\^]*k[\"\^]*(?:k[\"\^]*i[\"\^]*l[\"\^]*l|l[\"\^]*i[\"\^]*s[\"\^]*t))|(?:c[\"\^]*m[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u|f[\"\^]*t)[\"\^]*p|(?:(?:e[\"\^]*l[\"\^]*n[\"\^]*e|i[\"\^]*m[\"\^]*e[\"\^]*o[\"\^]*u)[\"\^]*|r[\"\^]*a[\"\^]*c[\"\^]*e[\"\^]*r[\"\^]*(?:p[\"\^]*)?)t|l[\"\^]*n[\"\^]*t[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*n|p[\"\^]*m[\"\^]*(?:t[\"\^]*o[\"\^]*o[\"\^]*l|v[\"\^]*s[\"\^]*c[\"\^]*m[\"\^]*g[\"\^]*r)|s[\"\^]*(?:(?:d[\"\^]*i[\"\^]*s[\"\^]*)?c[\"\^]*o[\"\^]*n|e[\"\^]*c[\"\^]*i[\"\^]*m[\"\^]*p|k[\"\^]*i[\"\^]*l[\"\^]*l|p[\"\^]*r[\"\^]*o[\"\^]*f)|y[\"\^]*p[\"\^]*e[\"\^]*p[\"\^]*e[\"\^]*r[\"\^]*f|z[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l)|u[\"\^]*n[\"\^]*(?:e[\"\^]*x[\"\^]*p[\"\^]*o[\"\^]*s[\"\^]*e|i[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*i[\"\^]*d|l[\"\^]*o[\"\^]*d[\"\^]*c[\"\^]*t[\"\^]*r)|v[\"\^]*(?:o[\"\^]*l|s[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|w[\"\^]*(?:a[\"\^]*i[\"\^]*t[\"\^]*f[\"\^]*o[\"\^]*r|b[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|(?:d[\"\^]*s|e[\"\^]*(?:c|v[\"\^]*t))[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|h[\"\^]*(?:e[\"\^]*r[\"\^]*e|o[\"\^]*a[\"\^]*m[\"\^]*i)|i[\"\^]*n[\"\^]*(?:n[\"\^]*t(?:[\"\^]*3[\"\^]*2)?|r[\"\^]*s)|m[\"\^]*i[\"\^]*c|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|x[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y)(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \ + "id:932380,\ + phase:2,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Windows Command Injection',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-windows',\ + tag:'attack-rce',\ + tag:'paranoia-level/1',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -833,14 +858,20 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,skipAf # .932240 (generic detection, PL2, targets generic evasion attempts) # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, # - with and without prefix +# - words of any length) +# ..932239 (sibling of 932236, PL2, +# - with and without prefix # - words of any length +# - targets request headers user-agent and referer only +# - excluded words: known user-agents) +# ..932238 (stricter sibling of 932236, PL3, # - no excluded words) # .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, # - targets request headers user-agent and referer only # - without prefix # - with word boundaries # - words of any length -# - no excluded words) +# - excluded words: known user-agents) # # # Regular expression generated from regex-assembly/932231.ra. @@ -848,7 +879,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,skipAf # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932231 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*\.[\s\v].*\b" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l)|[ls][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*\.[\s\v].*\b" \ "id:932231,\ phase:2,\ block,\ @@ -864,7 +895,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -876,7 +907,12 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # # Unlike the sibling rule, this rule runs in phase 1. # -SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?:\$(?:\((?:\(.*\)|.*)\)|\{.*})|[<>]\(.*\)|\[!?.+\])" \ +# Regular expression generated from regex-assembly/932131.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932131 +# +SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx \$(?:\((?:.*|\(.*\))\)|\{.*\})|[<>]\(.*\)|/[0-9A-Z_a-z]*\[!?.+\]" \ "id:932131,\ phase:1,\ block,\ @@ -892,7 +928,7 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?:\$(?:\((?:\(. tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -920,7 +956,12 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?:\$(?:\((?:\(. # # Regex notes: https://regex101.com/r/V6wrCO/1 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?:[*?`\x5c'][^/\n]+/|\$[({\[#@!?*\-_$a-zA-Z0-9]|/[^/]+?[*?`\x5c'])" \ +# Regular expression generated from regex-assembly/932200.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932200 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ['\*\?\x5c`][^\n/]+/|/[^/]+?['\*\?\x5c`]|\$[!#-\$\(\*\-0-9\?-\[_a-\{]" \ "id:932200,\ phase:2,\ block,\ @@ -936,7 +977,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.932200_matched_var_name=%{matched_var_name}',\ chain" @@ -948,12 +989,90 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" +# +# -=[ Rule 932205 ]=- +# +# Sibling of 932200 targeting the Referer header. URLs cause false positives in rule 932200 +# and must be handled with additional checks. +# +# Regular expression generated from regex-assembly/932205.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932205 +# +SecRule REQUEST_HEADERS:Referer "@rx ^[^\.]+\.[^;\?]+[;\?](.*(['\*\?\x5c`][^\n/]+/|/[^/]+?['\*\?\x5c`]|\$[!#-\$\(\*\-0-9\?-\[_a-\{]))" \ + "id:932205,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,t:urlDecodeUni,\ + msg:'RCE Bypass Technique',\ + logdata:'Matched Data: %{TX.2} found within %{TX.932205_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.932205_matched_var_name=%{matched_var_name}',\ + chain" + SecRule TX:1 "@rx /" \ + "t:none,t:urlDecodeUni,\ + chain" + SecRule TX:1 "@rx \s" \ + "t:none,t:urlDecodeUni,\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# +# -=[ Rule 932206 ]=- +# +# Sibling of 932200 targeting the Referer header. URLs cause false positives in rule 932200 +# and must be handled with additional checks. +# +# Regular expression generated from regex-assembly/932206.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932206 +# +SecRule REQUEST_HEADERS:Referer "@rx ^[^\.]*?(?:['\*\?\x5c`][^\n/]+/|/[^/]+?['\*\?\x5c`]|\$[!#-\$\(\*\-0-9\?-\[_a-\{])" \ + "id:932206,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,t:urlDecodeUni,\ + msg:'RCE Bypass Technique',\ + logdata:'Matched Data: %{TX.0} found within %{TX.932206_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.932206_matched_var_name=%{matched_var_name}',\ + chain" + SecRule MATCHED_VAR "@rx /" \ + "t:none,t:urlDecodeUni,\ + chain" + SecRule MATCHED_VAR "@rx \s" \ + "t:none,t:urlDecodeUni,\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + # Regular expression generated from regex-assembly/932220.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932220 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i).\|(?:[\s\v]*|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ar])?|a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:b|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?t|r(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[jp])?|s(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ks])|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[8-9][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?9|[au][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|c|(?:m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[du]|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?g|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f)|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[bdx]|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|q[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|f[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[ci]|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[chr][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|o)|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[dp]|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b)|j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s|q)|k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d)?|[npsz]|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a)|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r|v)|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[cl]|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)|o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[at][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|[fs]|(?:k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?g|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[cp]|r(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y)?|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dv]|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dt]|[g-hu]|s(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)?|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[cr]|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ex]|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|c|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o)|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|z)|y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h))" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i).\|(?:[\s\v]*|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l)|[ls][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[arx])?|G[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?E[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?T|a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:b|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?t|r(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[jp])?|s(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ks])|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[8-9][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?9|[au][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|c|(?:m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[dfu]|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[gr])|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[bdx]|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|q[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n|s(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)?)|f[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[c-dgi]|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|g[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[chr][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|o|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?g)|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[dp]|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b)|j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:j[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s|q)|k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|l[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d)?|[nps]|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a|z(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?4)?)|m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r|v)|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[cl]|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)|o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:[at][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b|f|(?:k[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?g|h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[cp]|r(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?z)|r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r|c(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p)?|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dv]|(?:p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?)?m)|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[dt]|[g-hu]|s(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h)?|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n)|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[cr]|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l|[co][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[ex]|i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c)|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|l)|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:3[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m|c)|x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:x[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|z)|y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m)|z[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h))" \ "id:932220,\ phase:2,\ block,\ @@ -969,7 +1088,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -995,14 +1114,20 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # .932240 (generic detection, PL2, targets generic evasion attempts) # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, # - with and without prefix +# - words of any length) +# ..932239 (sibling of 932236, PL2, +# - with and without prefix # - words of any length +# - targets request headers user-agent and referer only +# - excluded words: known user-agents) +# ..932238 (stricter sibling of 932236, PL3, # - no excluded words) # .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, # - targets request headers user-agent and referer only # - without prefix # - with word boundaries # - words of any length -# - no excluded words) +# - excluded words: known user-agents) # # # Regular expression generated from regex-assembly/932240.ra. @@ -1010,14 +1135,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932240 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:/* "@rx (?i)[\-0-9_a-z]+(?:[\"'\[-\]]+|\$+[!#\*\-0-9\?-@\x5c_a-\{]+|``|[\$<>]\(\))[\s\v]*[\-0-9_a-z]+" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:/* "@rx (?i)[\-0-9_a-z]+(?:[\s\v]*[\"'][^\s\v\"']+[\"']|(?:[\"'][\"']+|[\[-\]]+|\$+[!#\*\-0-9\?-@\x5c_a-\{]+|``|[\$<>]\(\))[\s\v]*)[\-0-9_a-z]+" \ "id:932240,\ phase:2,\ block,\ capture,\ t:none,\ msg:'Remote Command Execution: Unix Command Injection evasion attempt detected',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{TX.932240_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-shell',\ tag:'platform-unix',\ @@ -1026,8 +1151,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML: tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ + setvar:'tx.932240_matched_var_name=%{matched_var_name}',\ chain" SecRule MATCHED_VAR "!@rx [0-9]\s*\'\s*[0-9]" \ "t:none,\ @@ -1067,7 +1193,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1108,7 +1234,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/137/134',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1140,7 +1266,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/137/134',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1174,7 +1300,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/137/134',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1182,8 +1308,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # [ Unix command injection ] # -# This is a stricter sibling of rule 932235. -# This stricter sibling detects Unix RCE in request headers referer and user-agent. +# This is a stricter sibling of rules 932230, 932235, 932250, 932260. +# This stricter sibling detects Unix RCE with and without prefix and words of any length. # It uses the same regex. # # Rule relations: @@ -1199,14 +1325,20 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # .932240 (generic detection, PL2, targets generic evasion attempts) # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, # - with and without prefix +# - words of any length) +# ..932239 (sibling of 932236, PL2, +# - with and without prefix # - words of any length +# - targets request headers user-agent and referer only +# - excluded words: known user-agents) +# ..932238 (stricter sibling of 932236, PL3, # - no excluded words) # .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, # - targets request headers user-agent and referer only # - without prefix # - with word boundaries # - words of any length -# - no excluded words) +# - excluded words: known user-agents) # # # Regular expression generated from regex-assembly/932236.ra. @@ -1214,7 +1346,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932236 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)(?:(?:^|=)[\s\v]*(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*|(?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*)[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z[ar]?|a(?:(?:b|w[ks])[\s\v&\)<>\|]|pt(?:-get)?|r(?:[\s\v&\)<>jp\|]|ch[\s\v<>]|ia2c)|s(?:[\s\v&\)<>h\|]|cii(?:-xfr|85)|pell)|t(?:[\s\v&\)<>\|]|obm)|dduser|getty|l(?:ias|pine)[\s\v<>]|nsible-playbook)|b(?:z(?:z[\s\v&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2|less|more)|a(?:s(?:e(?:32|64|nc)|h)|tch[\s\v<>])|pftrace|r(?:eaksw|idge[\s\v<>])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v<>]|zip2)|s(?:ctl|ybox))|yebug)|c(?:[8-9]9|a(?:t[\s\v&\)<>\|]|(?:ncel|psh)[\s\v<>])|c[\s\v&\)<>\|]|mp|p(?:[\s\v&\)<>\|]|an|io|ulimit)|s(?:h|plit|vtool)|u(?:t[\s\v&\)<>\|]|psfilter|rl)|ertbot|h(?:attr|dir[\s\v<>]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|flags|mod|o(?:om|wn)|root)|o(?:(?:b|pro)c|lumn[\s\v<>]|m(?:m(?:and[\s\v<>])?|p(?:oser|ress[\s\v<>]))|w(?:say|think))|r(?:ash[\s\v<>]|ontab))|d(?:[du][\s\v&\)<>\|]|i(?:g|(?:alog|ff)[\s\v<>])|nf|a(?:sh|te)[\s\v<>]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v<>]|sbox)|pkg|vips)|e(?:[bd][\s\v&\)<>\|]|n(?:v(?:[\s\v&\)<>\|]|-update)|d(?:if|sw))|qn|x(?:[\s\v&\)<>\|]|ec[\s\v<>]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v<>]|r))|(?:asy_instal|va)l|cho[\s\v<>]|fax|grep|macs|sac)|f(?:c[\s\v&\)<>\|]|i(?:[\s\v&\)<>\|]|le(?:[\s\v<>]|test)|(?:n(?:d|ger)|sh)[\s\v<>])|mt|tp(?:[\s\v&\)<>\|]|stats|who)|acter|(?:etch|lock)[\s\v<>]|grep|o(?:ld[\s\v<>]|reach)|ping|unction)|g(?:c(?:c[^\s\v]|ore)|db|e(?:m[\s\v&\)<>\|]|ni(?:e[\s\v<>]|soimage)|tfacl[\s\v<>])|hci?|i(?:t[\s\v&\)<>\|]|mp[\s\v<>]|nsh)|o[\s\v&\)<>\|]|r(?:c|ep[\s\v<>])|awk|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up)[\s\v&\)<>\|]|e(?:ad[\s\v<>]|xdump)|i(?:ghlight|story)[\s\v<>]|ost(?:id|name)|ping3|t(?:digest|passwd))|i(?:d[\s\v&\)<>\|]|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\v<>]|onice|spell)|j(?:js|q|ava[\s\v<>]|exec|o(?:(?:bs|in)[\s\v<>]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\v<>]|all)|nife[\s\v<>])|l(?:d(?:d?[\s\v&\)<>\|]|config)|[np][\s\v&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\v&\)<>\|]|(?:la)?tex)|z(?:[\s\v&\)<>\|]|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a|ore))|a(?:st(?:[\s\v<>]|comm|log(?:in)?)|tex[\s\v<>])|ess(?:[\s\v<>]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[\s\v<>]|o(?:(?:ca(?:l|te)|ok)[\s\v<>]|g(?:inctl|(?:nam|sav)e))|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:n[\s\v&\)<>\|]|il(?:q|x[\s\v<>])?|ke[\s\v<>]|wk)|tr|v[\s\v&\)<>\|]|(?:kdir|utt)[\s\v<>]|locate|o(?:(?:re|unt)[\s\v<>]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\v&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\v&\)<>\|]|(?:c|st)at|kit-ftp)|ofetch)|l[\s\v&\)<>\|]|m(?:[\s\v&\)<>\|]|ap)|p(?:m[\s\v&\)<>\|]|ing)|a(?:no[\s\v<>]|sm|wk)|ice[\s\v<>]|o(?:de[\s\v<>]|hup)|roff|s(?:enter|lookup|tat))|o(?:d[\s\v&\)<>\|]|ctave[\s\v<>]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:x[\s\v&\)<>\|]|s(?:swd|te[\s\v<>])|tch[\s\v<>])|d(?:b|f(?:la)?tex)|f(?:[\s\v&\)<>\|]|tp)|g(?:rep)?|hp[\s\v&\)<>\|]|i(?:c(?:o[\s\v<>])?|p[^\s\v]|dstat|gz|ng[\s\v<>])|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\v&\)<>\|]|int(?:env|f[\s\v<>]))|s(?:ftp|ql)?|t(?:x|ar(?:diff|grep)?)|xz|er(?:f|l(?:5|sh)?|ms)|opd|ython[^\s\v]|u(?:ppet[\s\v<>]|shd))|r(?:a(?:r[\s\v&\)<>\|]|k(?:e[\s\v<>]|u))|cp[\s\v&\)<>\|]|e(?:d(?:[\s\v&\)<>\|]|carpet[\s\v<>])|v|a(?:delf|lpath)|(?:name|p(?:eat|lace))[\s\v<>]|stic)|m(?:[\s\v&\)<>\|]|dir[\s\v<>]|user)|pm(?:[\s\v&\)<>\|]|db|(?:quer|verif)y)|l(?:ogin|wrap)|nano|oute[\s\v<>]|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\v<>])|e(?:d[\s\v&\)<>\|]|t(?:[\s\v&\)<>\|]|arch|env|facl[\s\v<>]|sid)|ndmail|rvice[\s\v<>])|g|h(?:[\s\v&\)<>\|]|\.distrib|ell|u(?:f|tdown[\s\v<>]))|s(?:[\s\v&\)<>\|]|h(?:[\s\v&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\v&\)<>\|]|do)|vn|(?:ash|nap|plit)[\s\v<>]|diff|ftp|l(?:eep[\s\v<>]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v<>])|qlite3|t(?:art-stop-daemon|dbuf|r(?:ace|ings))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\v&\)<>\|]|il[\s\v<>f]|sk(?:set)?)|bl|e(?:e|x[\s\v&\)<>\|]|lnet)|i(?:c[\s\v&\)<>\|]|me(?:(?:out)?[\s\v<>]|datectl))|o(?:p|uch[\s\v<>])|c(?:l?sh|p(?:dump|ing|traceroute))|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:l(?:[\s\v&\)<>\|]|imit[\s\v<>])|n(?:ame|compress|expand|iq|l(?:ink[\s\v<>]|z(?:4|ma))|(?:pig|x)z|rar|s(?:et|hare)[\s\v<>]|z(?:ip|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:[\s\v&\)<>\|]|m(?:[\s\v&\)<>\|]|diff)|ew[\s\v<>]|gr|pw|rsh)|algrind|olatility)|w(?:3m|c|h(?:o(?:ami|is)?|iptail)|a(?:ll|tch)[\s\v<>]|get|i(?:reshark|sh[\s\v<>]))|x(?:(?:x|pa)d|z(?:[\s\v&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:um|arn|elp[\s\v<>])|z(?:ip(?:details)?|s(?:h|oelim|td)|athura|c(?:at|mp)|diff|[e-f]?grep|less|more|run|ypper))" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l)|[ls][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\v&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[\s\v&\)<>\|]|pt(?:[\s\v&\)<>\|]|-get)|r(?:[\s\v&\)<>j\|]|(?:p|ch)[\s\v&\)<>\|]|ia2c)|s(?:h[\s\v&\)<>\|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible-playbook|tobm)|b(?:z(?:z[\s\v&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\v&\)<>\|]|c))|h[\s\v&\)<>\|])|tch[\s\v&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\v&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[\s\v&\)<>\|]|mp|p(?:[\s\v&\)<>\|]|an|io|ulimit)|s(?:h|plit|vtool)|u(?:(?:t|rl)[\s\v&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\v&\)<>\|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\v&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\v&\)<>\|]|w(?:say|think))|r(?:ash[\s\v&\)<>\|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\v&\)<>\|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\v&\)<>\|]|n(?:v(?:[\s\v&\)<>\|]|-update)|d(?:if|sw))|qn|s(?:[\s\v&\)<>h\|]|ac)|x(?:(?:ec)?[\s\v&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\v&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\v&\)<>\|]|le(?:[\s\v&\)<>\|]|test))|mt|tp(?:[\s\v&\)<>\|]|stats|who)|acter|o(?:ld[\s\v&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\v]|ore)|db|e(?:(?:m|tfacl)[\s\v&\)<>\|]|ni(?:e[\s\v&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\v&\)<>\|]|nsh)|(?:o|awk)[\s\v&\)<>\|]|pg|r(?:c|ep[\s\v&\)<>\|]|oup(?:[\s\v&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\v&\)<>\|]|e(?:ad[\s\v&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\v&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\v&\)<>\|]|exec|o(?:(?:bs|in)[\s\v&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\v&\)<>\|]|all)|nife[\s\v&\)<>\|])|l(?:d(?:d?[\s\v&\)<>\|]|config)|(?:[np]|inks|ynx)[\s\v&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\v&\)<>\|]|(?:la)?tex)|z(?:[\s\v&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\v&\)<>\|]|comm|log(?:in)?)|tex[\s\v&\)<>\|])|ess(?:[\s\v&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\v&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\v&\)<>\|]|il(?:[\s\v&\)<>q\|]|x[\s\v&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\v&\)<>\|]|k(?:dir[\s\v&\)<>\|]|fifo|nod|temp)|locate|o(?:squitto|unt[\s\v&\)<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\v&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\v&\)<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\v&\)<>\|]|m(?:[\s\v&\)<>\|]|ap)|p(?:m[\s\v&\)<>\|]|ing)|a(?:no[\s\v&\)<>\|]|sm|wk)|o(?:de[\s\v&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\v&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[\s\v&\)<>\|]|s(?:swd|te[\s\v&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\v&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\v&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\v&\)<>\|]|p[^\s\v]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\v&\)<>\|]|int(?:env|f[\s\v&\)<>\|]))|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:(?:f|ms)[\s\v&\)<>\|]|l(?:[\s\v&\)5<>\|]|sh))|opd|s(?:ed|ftp|ql)|u(?:ppet[\s\v&\)<>\|]|shd)|y(?:thon[^\s\v]|3?versions))|r(?:a(?:r[\s\v&\)<>\|]|k(?:e[\s\v&\)<>\|]|u))|c(?:p[\s\v&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\v&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\v&\)<>\|]|user)|pm(?:[\s\v&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\v&\)<>\|]|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\v&\)<>\|])|e(?:(?:d|lf|rvice)[\s\v&\)<>\|]|t(?:(?:facl)?[\s\v&\)<>\|]|arch|env|sid)|ndmail)|(?:g|ash|nap)[\s\v&\)<>\|]|h(?:(?:adow|ells)?[\s\v&\)<>\|]|\.distrib|u(?:f|tdown[\s\v&\)<>\|]))|s(?:[\s\v&\)<>\|]|h(?:[\s\v&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\v&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\v&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v&\)<>\|])|p(?:lit[\s\v&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\v&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\v&\)<>\|]|il[\s\v&\)<>f\|]|sk(?:[\s\v&\)<>\|]|set))|bl|c(?:p(?:[\s\v&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\v&\)<>\|]|lnet)|i(?:c[\s\v&\)<>\|]|me(?:datectl|out[\s\v&\)<>\|]))|o(?:p|uch[\s\v&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\v&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\v&\)<>\|]|expand|iq|l(?:ink[\s\v&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\v&\)<>\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\v&\)<>\|]|diff)|ew[\s\v&\)<>\|]|gr|pw|rsh)|algrind|olatility[\s\v&\)<>\|])|w(?:3m|c|a(?:ll|tch)[\s\v&\)<>\|]|get|h(?:iptail[\s\v&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\v&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\v&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\v&\)<>\|]|um)|z(?:ip(?:[\s\v&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\v&\)<>\|])|f?grep|less|more|run|ypper))" \ "id:932236,\ phase:2,\ block,\ @@ -1230,11 +1362,74 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + +# [ Unix command injection ] +# +# This is a sibling of rule 932236. +# This sibling detects Unix RCE in request headers Referer and User-Agent. +# It uses the same regex but excludes known user-agents to avoid false positives. +# +# Rule relations: +# +# .932230 (base rule, PL1, targets prefix + two and three character commands) +# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command) +# ..932232 (stricter sibling, PL3, targets prefix + additional command words) +# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion) +# +# .932250 (base rule, PL1, targets two and three character commands) +# .932260 (base rule, PL1, targets known command word of length > 3 without evasion) +# +# .932240 (generic detection, PL2, targets generic evasion attempts) +# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, +# - with and without prefix +# - words of any length) +# ..932239 (sibling of 932236, PL2, +# - with and without prefix +# - words of any length +# - targets request headers user-agent and referer only +# - excluded words: known user-agents) +# ..932238 (stricter sibling of 932236, PL3, +# - no excluded words) +# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, +# - targets request headers user-agent and referer only +# - without prefix +# - with word boundaries +# - words of any length +# - excluded words: known user-agents) +# +# +# +# Regular expression generated from regex-assembly/932239.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932239 +# +SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)(?:^|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l)|[ls][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\v&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[\s\v&\)<>\|]|pt(?:[\s\v&\)<>\|]|-get)|r(?:[\s\v&\)<>j\|]|(?:p|ch)[\s\v&\)<>\|]|ia2c)|s(?:h[\s\v&\)<>\|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible-playbook|tobm)|b(?:z(?:z[\s\v&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\v&\)<>\|]|c))|h[\s\v&\)<>\|])|tch[\s\v&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\v&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[\s\v&\)<>\|]|mp|p(?:[\s\v&\)<>\|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[\s\v&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\v&\)<>\|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\v&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\v&\)<>\|]|w(?:say|think))|r(?:ash[\s\v&\)<>\|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\v&\)<>\|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\v&\)<>\|]|n(?:v(?:[\s\v&\)<>\|]|-update)|d(?:if|sw))|qn|s(?:[\s\v&\)<>h\|]|ac)|x(?:(?:ec)?[\s\v&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\v&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\v&\)<>\|]|le(?:[\s\v&\)<>\|]|test))|mt|tp(?:[\s\v&\)<>\|]|stats|who)|acter|o(?:ld[\s\v&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\v]|ore)|db|e(?:(?:m|tfacl)[\s\v&\)<>\|]|ni(?:e[\s\v&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\v&\)<>\|]|nsh)|(?:o|awk)[\s\v&\)<>\|]|pg|r(?:c|ep[\s\v&\)<>\|]|oup(?:[\s\v&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\v&\)<>\|]|e(?:ad[\s\v&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\v&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\v&\)<>\|]|exec|o(?:(?:bs|in)[\s\v&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\v&\)<>\|]|all)|nife[\s\v&\)<>\|])|l(?:d(?:d?[\s\v&\)<>\|]|config)|(?:[np]|ynx)[\s\v&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\v&\)<>\|]|(?:la)?tex)|z(?:[\s\v&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\v&\)<>\|]|comm|log(?:in)?)|tex[\s\v&\)<>\|])|ess(?:[\s\v&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\v&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\v&\)<>\|]|il(?:[\s\v&\)<>q\|]|x[\s\v&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\v&\)<>\|]|k(?:dir[\s\v&\)<>\|]|fifo|nod|temp)|locate|o(?:squitto|unt[\s\v&\)<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\v&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\v&\)<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\v&\)<>\|]|m(?:[\s\v&\)<>\|]|ap)|p(?:m[\s\v&\)<>\|]|ing)|a(?:no[\s\v&\)<>\|]|sm|wk)|o(?:de[\s\v&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\v&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[\s\v&\)<>\|]|s(?:swd|te[\s\v&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\v&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\v&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\v&\)<>\|]|p[^\s\v]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\v&\)<>\|]|int(?:env|f[\s\v&\)<>\|]))|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:(?:f|ms)[\s\v&\)<>\|]|l(?:[\s\v&\)5<>\|]|sh))|opd|s(?:ed|ftp|ql)|u(?:ppet[\s\v&\)<>\|]|shd)|y(?:thon[2-3]|3?versions))|r(?:a(?:r[\s\v&\)<>\|]|k(?:e[\s\v&\)<>\|]|u))|c(?:p[\s\v&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\v&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\v&\)<>\|]|user)|pm(?:[\s\v&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\v&\)<>\|]|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\v&\)<>\|])|e(?:(?:d|lf|rvice)[\s\v&\)<>\|]|t(?:(?:facl)?[\s\v&\)<>\|]|arch|env|sid)|ndmail)|(?:g|ash)[\s\v&\)<>\|]|h(?:(?:adow|ells)?[\s\v&\)<>\|]|\.distrib|u(?:f|tdown[\s\v&\)<>\|]))|s(?:[\s\v&\)<>\|]|h(?:[\s\v&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\v&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\v&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v&\)<>\|])|p(?:lit[\s\v&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\v&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\v&\)<>\|]|il[\s\v&\)<>f\|]|sk(?:[\s\v&\)<>\|]|set))|bl|c(?:p(?:[\s\v&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\v&\)<>\|]|lnet)|i(?:c[\s\v&\)<>\|]|me(?:datectl|out[\s\v&\)<>\|]))|o(?:p|uch[\s\v&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\v&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\v&\)<>\|]|expand|iq|l(?:ink[\s\v&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\v&\)<>\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\v&\)<>\|]|diff)|ew[\s\v&\)<>\|]|gr|pw|rsh)|algrind|olatility[\s\v&\)<>\|])|w(?:c|a(?:ll|tch)[\s\v&\)<>\|]|h(?:iptail[\s\v&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\v&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\v&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\v&\)<>\|]|um)|z(?:ip(?:[\s\v&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\v&\)<>\|])|f?grep|less|more|run|ypper))" \ + "id:932239,\ + phase:1,\ + block,\ + capture,\ + t:none,\ + msg:'Remote Command Execution: Unix Command Injection found in user-agent or referer header',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + # [ Unix shell snippets ] # # Detect some common sequences found in shell commands and scripts. @@ -1264,7 +1459,7 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@pmFromFile unix-she tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1293,14 +1488,20 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,skipAf # .932240 (generic detection, PL2, targets generic evasion attempts) # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, # - with and without prefix +# - words of any length) +# ..932239 (sibling of 932236, PL2, +# - with and without prefix # - words of any length +# - targets request headers user-agent and referer only +# - excluded words: known user-agents) +# ..932238 (stricter sibling of 932236, PL3, # - no excluded words) # .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, # - targets request headers user-agent and referer only # - without prefix # - with word boundaries # - words of any length -# - no excluded words) +# - excluded words: known user-agents) # # # Regular expression generated from regex-assembly/932232.ra. @@ -1308,7 +1509,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,skipAf # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932232 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|[\n\r;`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|[<>]\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i|(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?2[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:s|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o|[\s\v&\),<>\|].*))\b" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l)|[ls][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?2[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|s)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o|[\s\v&\),<>\|].*))\b" \ "id:932232,\ phase:2,\ block,\ @@ -1324,7 +1525,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -1344,21 +1545,28 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # .932240 (generic detection, PL2, targets generic evasion attempts) # .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, # - with and without prefix +# - words of any length) +# ..932239 (sibling of 932236, PL2, +# - with and without prefix # - words of any length +# - targets request headers user-agent and referer only +# - excluded words: known user-agents) +# ..932238 (stricter sibling of 932236, PL3, # - no excluded words) # .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, # - targets request headers user-agent and referer only # - without prefix # - with word boundaries # - words of any length -# - no excluded words) +# - excluded words: known user-agents) +# # # Regular expression generated from regex-assembly/932237.ra. # To update the regular expression run the following shell script # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 932237 # -SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z[ar]?|a(?:b|pt(?:-get)?|r(?:[jp]|ch[\s\v<>]|ia2c)?|s(?:h|cii(?:-xfr|85)|pell)?|t(?:obm)?|w[ks]|dduser|getty|l(?:ias|pine)[\s\v<>]|nsible-playbook)|b(?:z(?:z|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2|less|more)|a(?:s(?:e(?:32|64|nc)|h)|tch[\s\v<>])|pftrace|r(?:eaksw|idge[\s\v<>])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v<>]|zip2)|s(?:ctl|ybox))|yebug)|c(?:[8-9]9|a(?:t|(?:ncel|psh)[\s\v<>])|c|mp|p(?:an|io|ulimit)?|s(?:h|plit|vtool)|u(?:t|psfilter|rl)|ertbot|h(?:attr|dir[\s\v<>]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|flags|mod|o(?:om|wn)|root)|o(?:(?:b|pro)c|lumn[\s\v<>]|m(?:m(?:and[\s\v<>])?|p(?:oser|ress[\s\v<>]))|w(?:say|think))|r(?:ash[\s\v<>]|ontab))|d(?:[du]|i(?:g|(?:alog|ff)[\s\v<>])|nf|a(?:sh|te)[\s\v<>]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v<>]|sbox)|pkg|vips)|e(?:[bd]|n(?:v(?:-update)?|d(?:if|sw))|qn|x(?:ec[\s\v<>]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v<>]|r))?|(?:asy_instal|va)l|cho[\s\v<>]|fax|grep|macs|sac)|f(?:c|i(?:le(?:[\s\v<>]|test)|(?:n(?:d|ger)|sh)[\s\v<>])?|mt|tp(?:stats|who)?|acter|(?:etch|lock)[\s\v<>]|grep|o(?:ld[\s\v<>]|reach)|ping|unction)|g(?:c(?:c|ore)|db|e(?:m|ni(?:e[\s\v<>]|soimage)|tfacl[\s\v<>])|hci?|i(?:t|mp[\s\v<>]|nsh)|o|r(?:c|ep[\s\v<>])|awk|tester|unzip|z(?:cat|exe|ip))|h(?:d|up|e(?:ad[\s\v<>]|xdump)|i(?:ghlight|story)[\s\v<>]|ost(?:id|name)|ping3|t(?:digest|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\v<>]|onice|spell)|j(?:js|q|ava[\s\v<>]|exec|o(?:(?:bs|in)[\s\v<>]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\v<>]|all)|nife[\s\v<>])|l(?:d(?:d|config)?|[np]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:(?:la)?tex)?|z(?:c(?:at|mp)|diff|[e-f]?grep|less|m(?:a|ore))?|a(?:st(?:[\s\v<>]|comm|log(?:in)?)|tex[\s\v<>])|ess(?:[\s\v<>]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[\s\v<>]|o(?:(?:ca(?:l|te)|ok)[\s\v<>]|g(?:inctl|(?:nam|sav)e))|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:n|il(?:q|x[\s\v<>])?|ke[\s\v<>]|wk)|tr|v|(?:kdir|utt)[\s\v<>]|locate|o(?:(?:re|unt)[\s\v<>]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:\.(?:openbsd|traditional)|at)?|e(?:t(?:(?:c|st)at|kit-ftp)?|ofetch)|l|m(?:ap)?|p(?:m|ing)|a(?:no[\s\v<>]|sm|wk)|ice[\s\v<>]|o(?:de[\s\v<>]|hup)|roff|s(?:enter|lookup|tat))|o(?:d|ctave[\s\v<>]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:x|s(?:swd|te[\s\v<>])|tch[\s\v<>])|d(?:b|f(?:la)?tex)|f(?:tp)?|g(?:rep)?|hp|i(?:c(?:o[\s\v<>])?|p|dstat|gz|ng[\s\v<>])|k(?:g(?:_?info)?|exec|ill)|r(?:y|int(?:env|f[\s\v<>]))?|s(?:ftp|ql)?|t(?:x|ar(?:diff|grep)?)|xz|er(?:f|l(?:5|sh)?|ms)|opd|ython[^\s\v]|u(?:ppet[\s\v<>]|shd))|r(?:a(?:r|k(?:e[\s\v<>]|u))|cp|e(?:d(?:carpet[\s\v<>])?|v|a(?:delf|lpath)|(?:name|p(?:eat|lace))[\s\v<>]|stic)|m(?:dir[\s\v<>]|user)?|pm(?:db|(?:quer|verif)y)?|l(?:ogin|wrap)|nano|oute[\s\v<>]|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\v<>])|e(?:d|t(?:arch|env|facl[\s\v<>]|sid)?|ndmail|rvice[\s\v<>])|g|h(?:\.distrib|ell|u(?:f|tdown[\s\v<>]))?|s(?:h(?:-key(?:ge|sca)n|pass)?)?|u(?:do)?|vn|(?:ash|nap|plit)[\s\v<>]|diff|ftp|l(?:eep[\s\v<>]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v<>])|qlite3|t(?:art-stop-daemon|dbuf|r(?:ace|ings))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:[cr]|il[\s\v<>f]|sk(?:set)?)|bl|e(?:[ex]|lnet)|i(?:c|me(?:(?:out)?[\s\v<>]|datectl))|o(?:p|uch[\s\v<>])|c(?:l?sh|p(?:dump|ing|traceroute))|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:l(?:imit[\s\v<>])?|n(?:ame|compress|expand|iq|l(?:ink[\s\v<>]|z(?:4|ma))|(?:pig|x)z|rar|s(?:et|hare)[\s\v<>]|z(?:ip|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:diff)?|ew[\s\v<>]|gr|pw|rsh)?|algrind|olatility)|w(?:3m|c|h(?:o(?:ami|is)?|iptail)|a(?:ll|tch)[\s\v<>]|get|i(?:reshark|sh[\s\v<>]))|x(?:(?:x|pa)d|z(?:c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)?|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:um|arn|elp[\s\v<>])|z(?:ip(?:details)?|s(?:h|oelim|td)|athura|c(?:at|mp)|diff|[e-f]?grep|less|more|run|ypper))\b" \ +SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\v&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[\s\v&\)<>\|]|pt(?:(?:itude)?[\s\v&\)<>\|]|-get)|r(?:[\s\v&\)<>j\|]|(?:p|ch)[\s\v&\)<>\|]|ia2c)|s(?:h?[\s\v&\)<>\|]|cii(?:-xfr|85)|pell)|t(?:[\s\v&\)<>\|]|obm)|dd(?:group|user)|getty|nsible-playbook)|b(?:z(?:z[\s\v&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\v&\)<>\|]|c))|h[\s\v&\)<>\|])|tch[\s\v&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\v&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\v&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[8-9]9|(?:a(?:t|ncel|psh)|c)[\s\v&\)<>\|]|mp|p(?:[\s\v&\)<>\|]|io|ulimit)|s(?:h|plit|vtool)|u(?:t[\s\v&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\v&\)<>\|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\v&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\v&\)<>\|]|w(?:say|think))|r(?:ash[\s\v&\)<>\|]|on(?:tab)?))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\v&\)<>\|]|n?f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\v&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\v&\)<>\|]|n(?:v(?:[\s\v&\)<>\|]|-update)|d(?:if|sw))|qn|s(?:[\s\v&\)<>h\|]|ac)|x(?:(?:ec)?[\s\v&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\v&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\v&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\v&\)<>\|]|le(?:[\s\v&\)<>\|]|test))|mt|tp(?:[\s\v&\)<>\|]|stats|who)|acter|o(?:ld[\s\v&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\v]|ore)|db|e(?:(?:m|tfacl)[\s\v&\)<>\|]|ni(?:e[\s\v&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\v&\)<>\|]|nsh)|(?:o|awk)[\s\v&\)<>\|]|pg|r(?:c|ep[\s\v&\)<>\|]|oup(?:[\s\v&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\v&\)<>\|]|e(?:ad[\s\v&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\v&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\v&\)<>\|]|exec|o(?:(?:bs|in)[\s\v&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\v&\)<>\|]|all)|nife[\s\v&\)<>\|])|l(?:d(?:d?[\s\v&\)<>\|]|config)|(?:[np]|ynx)[\s\v&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\v&\)<>\|]|(?:la)?tex)|z(?:[\s\v&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[e-f]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\v&\)<>\|]|comm|log(?:in)?)|tex[\s\v&\)<>\|])|ess(?:[\s\v&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\v&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\v&\)<>\|]|il(?:[\s\v&\)<>q\|]|x[\s\v&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\v&\)<>\|]|k(?:dir[\s\v&\)<>\|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[\s\v&\)<>\|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\v&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\v&\)<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\v&\)<>\|]|m(?:[\s\v&\)<>\|]|ap)|p(?:m[\s\v&\)<>\|]|ing)|a(?:no[\s\v&\)<>\|]|sm|wk)|o(?:de[\s\v&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\v&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|cman|rted|tch)[\s\v&\)<>\|]|s(?:swd|te[\s\v&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\v&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\v&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\v&\)<>\|]|p[^\s\v]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\v&\)<>\|]|int(?:env|f[\s\v&\)<>\|]))|s(?:[\s\v&\)<>\|]|ed|ftp|ql)?|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:(?:f|ms)[\s\v&\)<>\|]|l(?:[\s\v&\)5<>\|]|sh))|opd|u(?:ppet[\s\v&\)<>\|]|shd)|y(?:thon[2-3]|3?versions))|r(?:a(?:r[\s\v&\)<>\|]|k(?:e[\s\v&\)<>\|]|u))|c(?:p[\s\v&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\v&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\v&\)<>\|]|user)|pm(?:[\s\v&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\v&\)<>\|]|sync|u(?:by[^\s\v]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|hed|r(?:een|ipt)[\s\v&\)<>\|])|e(?:(?:d|lf|rvice)[\s\v&\)<>\|]|t(?:(?:facl)?[\s\v&\)<>\|]|arch|env|sid)|ndmail)|(?:g|ash)[\s\v&\)<>\|]|h(?:(?:adow|ells)?[\s\v&\)<>\|]|\.distrib|u(?:f|tdown[\s\v&\)<>\|]))|s(?:[\s\v&\)<>\|]|h(?:[\s\v&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\v&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\v&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\v&\)<>\|])|p(?:lit[\s\v&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\v&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\v&\)<>\|]|il[\s\v&\)<>f\|]|sk(?:[\s\v&\)<>\|]|set))|bl|c(?:p(?:[\s\v&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\v&\)<>\|]|lnet)|i(?:c[\s\v&\)<>\|]|me(?:(?:out)?[\s\v&\)<>\|]|datectl))|o(?:p|uch[\s\v&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\v&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\v&\)<>\|]|expand|iq|l(?:ink[\s\v&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\v&\)<>\|]|std))|p(?:2date[\s\v&\)<>\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:ew)?[\s\v&\)<>\|]|m(?:[\s\v&\)<>\|]|diff)|gr|pw|rsh)|algrind|olatility[\s\v&\)<>\|])|w(?:[\s\v&\)<>c\|]|h(?:o(?:[\s\v&\)<>\|]|ami|is)?|iptail[\s\v&\)<>\|])|a(?:ll|tch)[\s\v&\)<>\|]|i(?:reshark|sh[\s\v&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\v&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[e-f]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\v&\)<>\|]|um)|z(?:ip(?:[\s\v&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\v&\)<>\|])|f?grep|less|more|run|ypper))(?:\b|[^0-9A-Z_a-z])" \ "id:932237,\ phase:2,\ block,\ @@ -1374,7 +1582,64 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z[ar]? tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" + +# [ Unix command injection ] +# +# Rule relations: +# +# .932230 (base rule, PL1, targets prefix + two and three character commands) +# ..932231 (stricter sibling, PL2, targets prefix + the source shortcut command) +# ..932232 (stricter sibling, PL3, targets prefix + additional command words) +# .932235 (base rule, PL1, targets prefix + known command word of length > 3 without evasion) +# +# .932250 (base rule, PL1, targets two and three character commands) +# .932260 (base rule, PL1, targets known command word of length > 3 without evasion) +# +# .932240 (generic detection, PL2, targets generic evasion attempts) +# .932236 (stricter sibling of 932230, 932235, 932250, 932260, PL2, +# - with and without prefix +# - words of any length) +# ..932239 (sibling of 932236, PL2, +# - with and without prefix +# - words of any length +# - targets request headers user-agent and referer only +# - excluded words: known user-agents) +# ..932238 (stricter sibling of 932236, PL3, +# - no excluded words) +# .932237 (stricter sibling of 932230, 932235, 932250, 932260, PL3, +# - targets request headers user-agent and referer only +# - without prefix +# - with word boundaries +# - words of any length +# - excluded words: known user-agents) +# +# +# Regular expression generated from regex-assembly/932238.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 932238 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)(?:^|b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?s[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?y[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?b[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?x|c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|e[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?v|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?l)|[ls][\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?r[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p|t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e(?:[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)?|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|\{)|<(?:\(|<<)|>\(|\([\s\v]*\))[\s\v]*(?:[\$\{]|(?:[\s\v]*\(|!)[\s\v]*|[0-9A-Z_a-z]+=(?:[^\s\v]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\v]+)*[\s\v]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d|u[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?2[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?t)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?e|v[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?i)[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|d[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?f|p[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?c[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?m[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?a[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?n[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?[\s\v&\),<>\|].*|s)|w[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?(?:h[\"'\)\[-\x5c]*(?:(?:(?:\|\||&&)[\s\v]*)?\$[!#\(\*\-0-9\?-@_a-\{]*)?\x5c?o|[\s\v&\),<>\|].*))" \ + "id:932238,\ + phase:2,\ + block,\ + capture,\ + t:none,t:cmdLine,t:normalizePath,\ + msg:'Remote Command Execution: Unix Shell Code Found in REQUEST_HEADERS',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-shell',\ + tag:'platform-unix',\ + tag:'attack-rce',\ + tag:'paranoia-level/3',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/88',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -1410,7 +1675,7 @@ SecRule ARGS "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" \ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -1444,7 +1709,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/137/134',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -1477,7 +1742,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/137/134',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -1510,7 +1775,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/137/134',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -1543,7 +1808,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/88',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" diff --git a/appsec/crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/appsec/crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf index b125102..66bd9ea 100644 --- a/appsec/crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf +++ b/appsec/crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf @@ -1,9 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -24,8 +24,8 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,skipAf # -=[ PHP Injection Attacks ]=- # # [ References ] -# http://rips-scanner.sourceforge.net/ -# https://www.owasp.org/index.php/PHP_Top_5#P1:_Remote_Code_Executionh +# https://rips-scanner.sourceforge.net/ +# https://wiki.owasp.org/index.php/PHP_Top_5#P1:_Remote_Code_Executionh # # @@ -59,7 +59,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -79,7 +79,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # .php file and have the code within it executed on the server. # # Also block files with just dot (.) characters after the extension: -# https://community.rapid7.com/community/metasploit/blog/2013/08/15/time-to-patch-joomla +# https://www.rapid7.com/blog/post/2013/08/15/time-to-patch-joomla/ # # Some AJAX uploaders use the nonstandard request headers X-Filename, # X_Filename, or X-File-Name to transmit the file name to the server; @@ -100,7 +100,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -124,7 +124,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.933120_tx_0=%{tx.0}',\ chain" @@ -152,7 +152,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -188,7 +188,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -224,7 +224,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -250,7 +250,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # false positives in natural language or other contexts. # Examples: 'chr', 'eval'. # To mitigate false positives, a regexp looks for PHP function syntax, e.g. 'eval()'. -# Regexp is generated from function names in util/regexp-assemble/data/933160.data +# Regexp is generated from function names in /regexp-assemble/data/933160.ra # # - Rule 933151: ~1300 words of lesser importance. This includes most PHP functions and keywords. # Examples: 'addslashes', 'array_diff'. @@ -264,7 +264,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # Examples: 'abs', 'cos'. # To mitigate false positives, a regexp matches on function syntax, e.g. 'abs()'. # This rule only runs in paranoia level 3 or higher. -# Regexp is generated from function names in util/regexp-assemble/data/933161.data +# Regexp is generated from function names in /regexp-assemble/data/933161.ra # @@ -291,7 +291,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -318,7 +318,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F # system //comment \n (...) # system #comment \n (...) # -# This rule is also triggered by the following exploit(s): +# This rule is triggered by the following exploits as well, as they include the string 'exec(...)': # [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ] # [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45260 ] # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] @@ -328,7 +328,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 933160 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b\(?[\"']*(?:a(?:rray_(?:(?:diff|intersect)_u(?:assoc|key)|filter|map|reduce|u(?:diff|intersect)(?:_u?assoc)?)|ssert(?:_options)?)|b(?:(?:ase64_en|son_(?:de|en))code|zopen)|c(?:hr|onvert_uuencode|reate_function|url_(?:exec|file_create|init))|(?:debug_backtrac|json_(?:de|en)cod|tmpfil)e|e(?:rror_reporting|scapeshell(?:arg|cmd)|val|x(?:ec|if_(?:imagetype|read_data|t(?:agname|humbnail))))|f(?:i(?:le(?:(?:_exist|perm)s|(?:[acm]tim|inod)e|group)?|nfo_open)|open|(?:pu|unction_exis)ts|tp_(?:connec|ge|nb_(?:ge|pu)|pu)t|write)|g(?:et(?:_(?:c(?:fg_va|urrent_use)r|meta_tags)|(?:cw|lastmo)d|env|imagesize|my(?:[gpu]id|inode))|lob|z(?:compress|(?:(?:defla|wri)t|encod|fil)e|open|read))|h(?:(?:ash_(?:(?:hmac|update)_)?|ighlight_)file|e(?:ader_register_callback|x2bin)|tml(?:_entity_decode|entities|specialchars(?:_decode)?))|i(?:mage(?:2?wbmp|createfrom(?:gif|(?:jpe|pn)g|wbmp|x[bp]m)|g(?:d2?|if)|(?:jpe|pn)g|xbm)|ni_(?:get(?:_all)?|set)|ptcembed|s_(?:dir|(?:(?:execut|read|write?)ab|fi)le)|terator_apply)|m(?:b_(?:ereg(?:_(?:match|replace(?:_callback)?)|i(?:_replace)?)?|parse_str)|(?:d5|ove_uploaded)_file|ethod_exists|kdir|ysql_query)|o(?:b_(?:clean|end_(?:clean|flush)|flush|get_(?:c(?:lean|ontents)|flush)|start)|dbc_(?:connect|exec(?:ute)?|result(?:_all)?)|pendir)|p(?:a(?:rse_(?:ini_file|str)|ssthru)|g_(?:connect|(?:execut|prepar)e|query)|hp(?:_(?:strip_whitespac|unam)e|info|version)|o(?:pen|six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|kill|mk(?:fifo|nod)|ttyname))|r(?:eg_(?:match(?:_all)?|replace(?:_callback(?:_array)?)?|split)|int_r|oc_(?:(?:clos|nic|terminat)e|get_status|open))|utenv)|r(?:awurl(?:de|en)code|e(?:ad(?:_exif_data|dir|(?:gz)?file)|(?:gister_(?:shutdown|tick)|name)_function)|unkit_(?:constant_(?:add|redefine)|(?:function|method)_(?:add|copy|re(?:defin|nam)e)))|s(?:e(?:ssion_s(?:et_save_handler|tart)|t(?:_(?:e(?:rror|xception)_handler|include_path|magic_quotes_runtime)|defaultstub))|h(?:a1_fil|ow_sourc)e|implexml_load_(?:file|string)|ocket_c(?:onnect|reate)|pl_autoload_register|qlite_(?:(?:(?:array|single|unbuffered)_)?query|create_(?:aggregate|function)|exec|p?open)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|ystem)|u(?:[ak]?sort|n(?:pack|serialize)|rl(?:de|en)code)|var_dump)(?:/(?:\*.*\*/|/.*)|#.*[\s\v]|\")*[\"']*\)?[\s\v]*\(.*\)" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b\(?[\"']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|file(?:group)?|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a)|md5|o(?:pendir|rd)|p(?:assthru|open|rev)|(?:read|tmp)file|un(?:pac|lin)k|s(?:tat|ubstr|ystem))(?:/(?:\*.*\*/|/.*)|#.*|[\s\v\"])*[\"']*\)?[\s\v]*\(.*\)" \ "id:933160,\ phase:2,\ block,\ @@ -343,7 +343,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -363,7 +363,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F # unserialize() call, resulting in an arbitrary PHP object(s) injection into the # application scope. # -# https://www.owasp.org/index.php/PHP_Object_Injection +# https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection # # In serialized form, PHP objects have the following format: # @@ -371,7 +371,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F # O:3:"Foo":0:{} # # Also detected are PHP objects with a custom unserializer: -# http://www.phpinternalsbook.com/classes_objects/serialization.html +# https://www.phpinternalsbook.com/php5/classes_objects/serialization.html # These have the following format: # # C:11:"ArrayObject":37:{x:i:0;a:1:{s:1:"a";s:1:"b";};m:a:0:{}} @@ -398,7 +398,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -453,7 +453,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -500,7 +500,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -543,7 +543,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.933151_tx_0=%{tx.0}',\ chain" @@ -598,7 +598,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -627,7 +627,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 933161 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:bs|cosh?|r(?:ray|sort)|s(?:inh?|(?:o|se)rt)|tan[2h]?)|b(?:asename|indec)|c(?:eil|h(?:dir|eckdate|mod|o(?:p|wn)|root)|lose(?:dir|log)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|(?:ryp|urren)t)|d(?:ate|e(?:coct|fined?)|i(?:(?:skfreespac)?e|r(?:name)?)|(?:oubleva)?l)|e(?:a(?:ch|ster_da(?:te|ys))|cho|mpty|nd|r(?:egi?|ror_log)|x(?:(?:i|trac)t|p(?:lode)?))|f(?:close|eof|gets|ile(?:owner|pro|(?:siz|typ)e)|l(?:o(?:atval|ck|or)|ush)|(?:mo|rea)d|stat|t(?:ell|ok)|unction)|g(?:et(?:date|t(?:ext|ype))|mdate)|h(?:ash|e(?:ader(?:s_(?:lis|sen)t)?|brev)|ypot)|i(?:conv|(?:dat|mplod)e|n(?:(?:clud|vok)e|t(?:div|val))|s(?:_(?:a(?:rray)?|bool|(?:calla|dou)ble|f(?:inite|loat)|in(?:finite|t(?:eger)?)|l(?:ink|ong)|n(?:an|u(?:ll|meric))|object|re(?:al|source)|s(?:calar|tring))|set))|join|k(?:ey|sort)|l(?:(?:cfirs|sta)t|evenshtein|i(?:nk(?:info)?|st)|o(?:caltime|g(?:1[0p])?)|trim)|m(?:a(?:i[ln]|x)|b(?:ereg|split)|etaphone|hash|i(?:crotime|n)|y?sql)|n(?:atsor|ex)t|o(?:ctdec|penlog|rd)|p(?:a(?:ck|thinfo)|close|i|o[sw]|r(?:ev|intf?))|quotemeta|r(?:an(?:d|ge)|e(?:adlin[ek]|(?:cod|nam|quir)e|set|wind)|ound|sort|trim)|s(?:(?:candi|ubst)r|(?:e(?:rializ|ttyp)|huffl)e|i(?:milar_text|nh?|zeof)|leep|o(?:rt|undex)|p(?:liti?|rintf)|qrt|rand|t(?:at|r(?:coll|(?:le|sp)n))|y(?:mlink|slog))|t(?:a(?:int|nh?)|e(?:mpnam|xtdomain)|ime|ouch|rim)|u(?:cfirst|mask|n(?:iqid|link|(?:se|tain)t)|s(?:leep|ort))|virtual|wordwrap)(?:[\s\v]|/(?:\*.*\*/|/.*)|#.*)*\(.*\)" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:bs|s(?:in|sert(?:_options)?))|basename|c(?:h(?:eckdate|r(?:oot)?)|o(?:(?:mpac|(?:nsta|u)n)t|py|sh?)|r(?:eate_function|ypt)|urrent)|d(?:ate|e(?:coct|fined?)|ir)|e(?:nd|val|x(?:ec|p(?:lode)?|tract))|f(?:ile(?:(?:[acm]tim|inod|siz|typ)e|group|owner|perms)?|l(?:o(?:ck|or)|ush))|glob|h(?:ash|eader)|i(?:date|m(?:age(?:gif|(?:jpe|pn)g|wbmp|xbm)|plode)|s_a)|key|l(?:ink|og)|m(?:a(?:il|x)|d5|in)|n(?:ame|ext)|o(?:pendir|rd)|p(?:a(?:ck|ss(?:thru)?)|i|o(?:pen|w)|rev)|r(?:an(?:d|ge)|e(?:(?:adfil|nam)e|set)|ound)|s(?:(?:erializ|huffl)e|in|leep|(?:or|ta)t|ubstr|y(?:mlink|s(?:log|tem)))|t(?:an|(?:im|mpfil)e|ouch|rim)|u(?:cfirst|n(?:lin|pac)k)|virtual)(?:[\s\v]|/\*.*\*/|(?:#|//).*)*\(.*\)" \ "id:933161,\ phase:2,\ block,\ @@ -642,7 +642,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -684,7 +684,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -713,7 +713,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -748,7 +748,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F tag:'paranoia-level/3',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" diff --git a/appsec/crs/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf b/appsec/crs/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf index 8e47a15..84a6198 100644 --- a/appsec/crs/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf +++ b/appsec/crs/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf @@ -1,9 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -54,7 +54,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE phase:2,\ block,\ capture,\ - t:none,t:urlDecodeUni,t:jsDecode,t:removeWhitespace,t:base64Decode,\ + t:none,t:urlDecodeUni,t:jsDecode,t:removeWhitespace,t:base64Decode,t:urlDecodeUni,t:jsDecode,t:removeWhitespace,\ msg:'Node.js Injection Attack 1/2',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ @@ -65,30 +65,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - multiMatch,\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" - - -SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[\s\v]*\(" \ - "id:934101,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,t:base64Decode,\ - msg:'Node.js Injection Attack 2/2',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-javascript',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'attack-injection-generic',\ - tag:'paranoia-level/1',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ multiMatch,\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ @@ -123,7 +100,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/664',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -147,7 +124,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME phase:2,\ block,\ capture,\ - t:none,t:urlDecodeUni,t:base64Decode,\ + t:none,t:urlDecodeUni,t:jsDecode,\ msg:'JavaScript Prototype Pollution',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ @@ -158,7 +135,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1/180/77',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ multiMatch,\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ @@ -190,7 +167,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -210,7 +187,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE phase:2,\ block,\ capture,\ - t:none,t:urlDecodeUni,t:base64Decode,t:replaceComments,\ + t:none,t:urlDecodeUni,t:jsDecode,t:base64Decode,t:urlDecodeUni,t:jsDecode,t:replaceComments,\ msg:'Node.js DoS attack',\ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ @@ -221,7 +198,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ multiMatch,\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ @@ -251,7 +228,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -262,6 +239,29 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,skipAf # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher) # +# This rule is a stricter sibling of 934100. +SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:close|exists|fork|(?:ope|spaw)n|re(?:ad|quire)|w(?:atch|rite))[\s\v]*\(" \ + "id:934101,\ + phase:2,\ + block,\ + capture,\ + t:none,t:urlDecodeUni,t:jsDecode,t:base64Decode,t:urlDecodeUni,t:jsDecode,\ + msg:'Node.js Injection Attack 2/2',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-javascript',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'attack-injection-generic',\ + tag:'paranoia-level/2',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/242',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + multiMatch,\ + setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" + # -=[ SSRF Attacks ]=- # # PL2 rules adds SSRF capture for common evasion techniques. @@ -308,33 +308,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/664',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \[\s*constructor\s*\]" \ - "id:934131,\ - phase:2,\ - block,\ - capture,\ - t:none,t:urlDecodeUni,t:base64Decode,\ - msg:'JavaScript Prototype Pollution',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-javascript',\ - tag:'platform-multi',\ - tag:'attack-rce',\ - tag:'attack-injection-generic',\ - tag:'paranoia-level/2',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'CRITICAL',\ - multiMatch,\ - setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" - # [ Perl generic RCE signatures ] # @@ -362,7 +340,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" diff --git a/appsec/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/appsec/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf index feabb35..1507487 100644 --- a/appsec/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf +++ b/appsec/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf @@ -1,9 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -47,8 +47,8 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,skipAf # - ascii 95 (underscore) # - ascii 97-122 (a-z) # -# If just these characters are present, we remove REQUEST_FILENAME from the target -# list of all the 941xxx rules starting 941100. +# If just these characters are present, we make use of a special tag to remove +# REQUEST_FILENAME from the target list of all the 941xxx rules starting 941100. # # Please note that it would be preferable to start without REQUEST_FILENAME in the # target list and to add it on a case to case base, but the rule language does not @@ -60,7 +60,7 @@ SecRule REQUEST_FILENAME "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-12 pass,\ t:none,\ nolog,\ - ctl:ruleRemoveTargetById=941100-941999;REQUEST_FILENAME" + ctl:ruleRemoveTargetByTag=xss-perf-disable;REQUEST_FILENAME" # @@ -88,10 +88,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ + tag:'xss-perf-disable',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -114,10 +115,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ + tag:'xss-perf-disable',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -143,10 +145,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ + tag:'xss-perf-disable',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -171,10 +174,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ + tag:'xss-perf-disable',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -191,7 +195,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 941160 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^\s\v\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[\s\v/]|[\"'](?:.*[\s\v/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:end|iteration|start)|tennastatechange)|ppcommand|udio(?:end|process|start))|b(?:e(?:fore(?:(?:(?:de)?activa|scriptexecu)te|c(?:opy|ut)|editfocus|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input)))|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|op(?:state|up(?:hid(?:den|ing)|show(?:ing|n)))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll|e(?:ek(?:complete|ed|ing)|lect(?:start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|ouch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start)|ransition(?:cancel|end|run))|u(?:n(?:derflow|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|heel)|zoom)|ping|s(?:rc|tyle))[\x08-\n\f-\r ]*?=" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^\s\v\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?g|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[\s\v/]|[\"'](?:.*[\s\v/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|transitionend)|heel)|zoom)|ping|s(?:rc|tyle))[\x08-\n\f-\r ]*?=" \ "id:941160,\ phase:2,\ block,\ @@ -203,10 +207,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ + tag:'xss-perf-disable',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -227,10 +232,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ + tag:'xss-perf-disable',\ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -238,7 +244,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H # # [Deny List Keywords from Node-Validator] -# https://raw.github.com/chriso/node-validator/master/validator.js +# https://github.com/validatorjs/validator.js/ # This rule has a stricter sibling 941181 (PL2) that covers the additional payload "-->" # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@pm document.cookie document.domain document.write .parentnode .innerhtml window.location -moz-binding " \ @@ -841,10 +869,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ + tag:'xss-perf-disable',\ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -927,11 +956,12 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ + tag:'xss-perf-disable',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242/63',\ tag:'PCI/6.5.1',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -948,11 +978,12 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ + tag:'xss-perf-disable',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ tag:'PCI/6.5.1',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -972,11 +1003,12 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-xss',\ + tag:'xss-perf-disable',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ tag:'PCI/6.5.1',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -987,7 +1019,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU # Of course, pure client-side AngularJS commands can not be intercepted. # But once a command is sent to the server, the CRS will trigger. # -# https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs +# https://portswigger.net/research/xss-without-html-client-side-template-injection-with-angularjs # # Example payload: # http://localhost/login?user=%20x%20%7B%7Bconstructor.constructor(%27alert(1)%27)()%7D%7D%20.%20ff @@ -1005,10 +1037,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'application-multi',\ tag:'language-multi',\ tag:'attack-xss',\ + tag:'xss-perf-disable',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242/63',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" diff --git a/appsec/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/appsec/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf index abc4d8b..56ff770 100644 --- a/appsec/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf +++ b/appsec/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf @@ -1,9 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -33,7 +33,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942012,phase:2,pass,nolog,skipAf # http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ # # SQLMap's Tamper Scripts (for evasions) -# https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/ +# https://github.com/sqlmapproject/sqlmap # # @@ -41,7 +41,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942012,phase:2,pass,nolog,skipAf # # There is a stricter sibling of this rule at 942101. It covers REQUEST_BASENAME and REQUEST_FILENAME. # -# Ref: https://libinjection.client9.com/ +# Ref: https://github.com/libinjection/libinjection # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@detectSQLi" \ "id:942100,\ @@ -59,7 +59,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ multiMatch,\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ @@ -90,7 +90,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -99,7 +99,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # # -=[ SQL Function Names ]=- # -# This rule has a stricter sibling to this rule (942152) that checks for SQL function names in +# This rule has a stricter sibling to this rule (942152) that checks for SQL function names in # request headers referer and user-agent. # # Regular expression generated from regex-assembly/942151.ra. @@ -107,7 +107,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942151 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t_(?:format|lock))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|sleep)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\(" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\(" \ "id:942151,\ phase:2,\ block,\ @@ -123,7 +123,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -132,7 +132,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # # -=[ PHPIDS - Converted SQLI Filters ]=- # -# https://raw.github.com/PHPIDS/PHPIDS/master/lib/IDS/default_filter.xml +# https://raw.githubusercontent.com/PHPIDS/PHPIDS/master/lib/IDS/default_filter.xml # # The rule 942160 prevents time-based blind SQL injection attempts # by prohibiting sleep() or benchmark(,) functions: @@ -166,7 +166,7 @@ SecRule REQUEST_BASENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -192,7 +192,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -218,7 +218,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -242,7 +242,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -268,7 +268,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -294,7 +294,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -315,7 +315,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -336,7 +336,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -362,7 +362,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -388,12 +388,12 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" -# This rule has a stricter sibling (942321) that checks for MySQL and PostgreSQL procedures / functions in +# This rule has a stricter sibling (942321) that checks for MySQL and PostgreSQL procedures / functions in # request headers referer and user-agent. # # Regular expression generated from regex-assembly/942320.ra. @@ -417,7 +417,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -443,7 +443,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -456,10 +456,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # # Sources for SQL ALTER statements: # MySQL: https://dev.mysql.com/doc/refman/5.7/en/sql-syntax-data-definition.html -# Oracle/PLSQL: https://docs.oracle.com/apps/search/search.jsp?q=alter&size=60&category=database +# Oracle/PLSQL: https://docs.oracle.com/search/?q=alter&size=60&category=database # PostgreQSL: https://www.postgresql.org/search/?u=%2Fdocs&q=alter -# MSSQL: https://docs.microsoft.com/en-us/sql/t-sql/statements/statements -# DB2: https://www.ibm.com/support/knowledgecenter/en/search/alter?scope=SSEPGG_9.5.0 +# MSSQL: https://learn.microsoft.com/en-us/sql/t-sql/statements/statements?view=sql-server-ver16 +# DB2: https://www.ibm.com/docs/en/search/alter?scope=SSEPGG_9.5.0 # # Regular expression generated from regex-assembly/942360.ra. # To update the regular expression run the following shell script @@ -482,7 +482,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -502,7 +502,12 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # The minimal string that triggers this regexp is: /*!*/ or /*+*/. # The rule 942500 is related to 942440 which catches both /*! and */ independently. # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:/\*[!+](?:[\w\s=_\-()]+)?\*/)" \ +# Regular expression generated from regex-assembly/942500.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942500 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)/\*[\s\v]*?[!\+](?:[\s\v\(-\)\-0-9=A-Z_a-z]+)?\*/" \ "id:942500,\ phase:2,\ block,\ @@ -518,8 +523,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ + multiMatch,\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -554,7 +560,36 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ + severity:'CRITICAL',\ + setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + + +# This rule catches on Scientific Notation bypass payloads in MySQL +# Reference: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md#scientific-notation +# +# Regular expression generated from regex-assembly/942560.ra. +# To update the regular expression run the following shell script +# (consult https://coreruleset.org/docs/development/regex_assembly/ for details): +# crs-toolchain regex update 942560 +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)1\.e[\(-\),]" \ + "id:942560,\ + phase:2,\ + block,\ + t:none,t:urlDecodeUni,t:replaceComments,\ + msg:'MySQL Scientific Notation payload detected',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-sqli',\ + tag:'OWASP_CRS',\ + tag:'capec/1000/152/248/66',\ + tag:'PCI/6.5.2',\ + tag:'paranoia-level/1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -583,7 +618,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -596,37 +631,6 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,skipAf # -# -# -=[ String Termination/Statement Ending Injection Testing ]=- -# -# Identifies common initial SQLi probing requests where attackers insert/append -# quote characters to the existing normal payload to see how the app/db responds. -# -# This rule is also triggered by the following exploit(s): -# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ] -# -SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:^\s*[\"'`;]+|[\"'`]+\s*$)" \ - "id:942110,\ - phase:2,\ - block,\ - capture,\ - t:none,t:utf8toUnicode,t:urlDecodeUni,\ - msg:'SQL Injection Attack: Common Injection Testing Detected',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ - tag:'application-multi',\ - tag:'language-multi',\ - tag:'platform-multi',\ - tag:'attack-sqli',\ - tag:'OWASP_CRS',\ - tag:'capec/1000/152/248/66',\ - tag:'PCI/6.5.2',\ - tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ - severity:'WARNING',\ - setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\ - setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'" - - # # -=[ SQL Operators ]=- # @@ -654,7 +658,7 @@ SecRule ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)!=|&&|\|\||>[=->]|<(?:< tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -695,12 +699,11 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\v\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - setvar:'tx.942130_lhs=%{TX.1}',\ setvar:'tx.942130_matched_var_name=%{matched_var_name}',\ chain" - SecRule TX:942130_lhs "@streq %{TX.2}" \ + SecRule TX:1 "@streq %{TX.2}" \ "t:none,\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -732,13 +735,12 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\v\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\v\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ multiMatch,\ - setvar:'tx.942131_lhs=%{TX.1}',\ setvar:'tx.942131_matched_var_name=%{matched_var_name}',\ chain" - SecRule TX:942131_lhs "!@streq %{TX.2}" \ + SecRule TX:1 "!@streq %{TX.2}" \ "t:none,\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -770,7 +772,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -813,7 +815,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -842,7 +844,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -871,7 +873,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -897,7 +899,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -907,7 +909,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942300 # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\)[\s\v]*?when[\s\v]*?[0-9]+[\s\v]*?then|[\"'`][\s\v]*?(?:[#\{]|--)|/\*![\s\v]?[0-9]+|\b(?:b(?:inary[\s\v]*?\([\s\v]*?[0-9]|etween[\s\v]+[\s\v]*?[0-9A-Z_a-z]+\()|cha?r[\s\v]*?\([\s\v]*?[0-9]|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|r(?:egexp|like))[\s\v]+[\s\v]*?[0-9A-Z_a-z]+\()|(?:\|\||&&)[\s\v]+[\s\v]*?[0-9A-Z_a-z]+\(" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\)[\s\v]*?when[\s\v]*?[0-9]+[\s\v]*?then|[\"'`][\s\v]*?(?:[#\{]|--)|/\*![\s\v]?[0-9]+|\b(?:(?:binary|cha?r)[\s\v]*?\([\s\v]*?[0-9]|(?:and|n(?:and|ot)|(?:xx?)?or|div|like|between|r(?:egexp|like))[\s\v]+[0-9A-Z_a-z]+\()|(?:\|\||&&)[\s\v]*?[0-9A-Z_a-z]+\(" \ "id:942300,\ phase:2,\ block,\ @@ -923,7 +925,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -949,7 +951,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -983,7 +985,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1012,7 +1014,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1037,7 +1039,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1067,7 +1069,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1099,7 +1101,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1125,7 +1127,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1151,7 +1153,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1177,7 +1179,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1208,7 +1210,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1237,7 +1239,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1266,7 +1268,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1307,11 +1309,38 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" +# +# -=[ Exclusion rule for 942440 ]=- +# +# Prevent FPs against Facebook click identifier +# +SecRule ARGS_GET:fbclid "@rx [a-zA-Z0-9_-]{61,61}" \ + "id:942441,\ + phase:2,\ + pass,\ + t:none,t:urlDecodeUni,\ + nolog,\ + ctl:ruleRemoveTargetById=942440;ARGS:fbclid,\ + ver:'OWASP_CRS/4.0.0'" + +# +# -=[ Exclusion rule for 942440 ]=- +# +# Prevent FPs against Google click identifier +# +SecRule ARGS_GET:gclid "@rx [a-zA-Z0-9_-]{91,91}" \ + "id:942442,\ + phase:2,\ + pass,\ + t:none,t:urlDecodeUni,\ + nolog,\ + ctl:ruleRemoveTargetById=942440;ARGS:gclid,\ + ver:'OWASP_CRS/4.0.0'" # # -=[ Detect SQL Comment Sequences ]=- @@ -1335,10 +1364,19 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´ # 0/**/union/*!50000select*/table_name`foo`/**/ # ------------------------- # -# Regular expression generated from regex-assembly/942440.ra. -# To update the regular expression run the following shell script +# The chained rule is designed to prevent false positives by specifically +# targeting JWT tokens. Starting with 'ey' targets JWT tokens, where the 'ey' +# prefix corresponds to the beginning of the Base64-encoded header section. +# +# example: +# $ echo '{"' | base64 +# eyIK +# +# Regular expressions generated from regex-assembly/942440.ra and regex-assembly/942440-chain1.ra. +# To update the regular expressions run the following shell scripts # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942440 +# crs-toolchain regex update 942440-chain1 # SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx /\*!?|\*/|[';]--|--(?:[\s\v]|[^\-]*?-)|[^&\-]#.*?[\s\v]|;?\x00" \ "id:942440,\ @@ -1356,10 +1394,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ chain" - SecRule MATCHED_VARS "!@rx ^ey[A-Z-a-z0-9-_]+[.]ey[A-Z-a-z0-9-_]+[.][A-Z-a-z0-9-_]+$" \ + SecRule MATCHED_VARS "!@rx ^ey[\-0-9A-Z_a-z]+\.ey[\-0-9A-Z_a-z]+\.[\-0-9A-Z_a-z]+$" \ "t:none,\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -1368,6 +1406,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU # # -=[ SQL Hex Evasion Methods ]=- # +# Hex encoding detection: +# (?i:\b0x[a-f\d]{3,}) will match any 3 or more hex bytes after "0x", together forming a hexadecimal payload(e.g 0xf00, 0xf00d and so on) +# SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:\b0x[a-f\d]{3,})" \ "id:942450,\ phase:2,\ @@ -1384,7 +1425,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1433,7 +1474,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1460,7 +1501,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1484,7 +1525,7 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/ capture,\ t:none,t:urlDecodeUni,\ msg:'Detects basic SQL authentication bypass attempts 4.1/4',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{TX.942521_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ @@ -1493,11 +1534,11 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ - setvar:'tx.942521_lhs=%{TX.1}',\ + setvar:'tx.942521_matched_var_name=%{matched_var_name}',\ chain" - SecRule TX:942521_lhs "@rx ^(?:and|or)$" \ + SecRule TX:1 "@rx ^(?:and|or)$" \ "t:none,\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1521,7 +1562,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ^.*?\x5c['\"`](?:.*?['\"`])?\s*(?:and|or)\b" tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1559,7 +1600,7 @@ SecRule REQUEST_BASENAME|REQUEST_FILENAME "@detectSQLi" \ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1575,7 +1616,7 @@ SecRule REQUEST_BASENAME|REQUEST_FILENAME "@detectSQLi" \ # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 942152 # -SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|time(?:stamp)?|user)))|d(?:a(?:t(?:abase|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t_(?:format|lock))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull))|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|sleep)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\(" \ +SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[1-2]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\(" \ "id:942152,\ phase:1,\ block,\ @@ -1591,7 +1632,7 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)\b(?:a(?:dd( tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1621,7 +1662,7 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)create[\s\v] tag:'OWASP_CRS',\ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -1661,7 +1702,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -1685,7 +1726,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -1725,7 +1766,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" @@ -1754,7 +1795,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" @@ -1784,7 +1825,7 @@ SecRule ARGS "@rx \W{4}" \ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}'" @@ -1834,7 +1875,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -1863,7 +1904,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -1897,7 +1938,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/4',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" @@ -1926,7 +1967,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´ tag:'capec/1000/152/248/66',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/4',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'WARNING',\ setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'" diff --git a/appsec/crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf b/appsec/crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf index 639c695..3ae7b27 100644 --- a/appsec/crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf +++ b/appsec/crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf @@ -1,9 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -43,7 +43,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/21/593/61',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -56,7 +56,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio capture,\ t:none,t:lowercase,\ msg:'Possible Session Fixation Attack: SessionID Parameter Name with Off-Domain Referer',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{TX.943110_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ @@ -64,8 +64,9 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/21/593/61',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ + setvar:'tx.943110_matched_var_name=%{matched_var_name}',\ chain" SecRule REQUEST_HEADERS:Referer "@rx ^(?:ht|f)tps?://(.*?)/" \ "capture,\ @@ -82,7 +83,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio capture,\ t:none,t:lowercase,\ msg:'Possible Session Fixation Attack: SessionID Parameter Name with No Referer',\ - logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + logdata:'Matched Data: %{TX.0} found within %{TX.943120_MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ tag:'application-multi',\ tag:'language-multi',\ tag:'platform-multi',\ @@ -90,8 +91,9 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/21/593/61',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ + setvar:'tx.943120_matched_var_name=%{matched_var_name}',\ chain" SecRule &REQUEST_HEADERS:Referer "@eq 0" \ "setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\ diff --git a/appsec/crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf b/appsec/crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf index 1ad6025..b8b6d1e 100644 --- a/appsec/crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf +++ b/appsec/crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf @@ -1,9 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -46,7 +46,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'capec/1000/152/137/6',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -79,7 +79,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'capec/1000/152/248',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ chain" SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \ @@ -104,7 +104,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'capec/1000/152/248',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ chain" SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \ @@ -136,7 +136,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'capec/1000/152/248',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -174,7 +174,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/152/242',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -222,7 +222,7 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE tag:'capec/1000/152/137/6',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -260,7 +260,7 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE tag:'capec/1000/152/137/6',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -292,7 +292,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'capec/1000/152/248',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -313,7 +313,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'capec/1000/152/248',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -334,7 +334,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'capec/1000/152/248',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -358,7 +358,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'capec/1000/152/248',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -366,7 +366,6 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES # This rule is also triggered by the following exploit(s): # - https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/ -# - https://www.ironcastle.net/possible-new-java-spring-framework-vulnerability-wed-mar-30th/ # SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \ "@rx (?:class\.module\.classLoader\.resources\.context\.parent\.pipeline|springframework\.context\.support\.FileSystemXmlApplicationContext)" \ @@ -384,7 +383,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'capec/1000/152/248',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'" @@ -418,7 +417,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'capec/1000/152/248',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'" @@ -454,7 +453,7 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE tag:'capec/1000/152/137/6',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/4',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'" diff --git a/appsec/crs/REQUEST-949-BLOCKING-EVALUATION.conf b/appsec/crs/REQUEST-949-BLOCKING-EVALUATION.conf index 81f3361..2358df9 100644 --- a/appsec/crs/REQUEST-949-BLOCKING-EVALUATION.conf +++ b/appsec/crs/REQUEST-949-BLOCKING-EVALUATION.conf @@ -1,9 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -171,7 +171,7 @@ SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_thresh t:none,\ msg:'Inbound Anomaly Score Exceeded in phase 1 (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\ tag:'anomaly-evaluation',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ chain" SecRule TX:EARLY_BLOCKING "@eq 1" @@ -183,7 +183,7 @@ SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_thresh t:none,\ msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\ tag:'anomaly-evaluation',\ - ver:'OWASP_CRS/4.0.0-rc1'" + ver:'OWASP_CRS/4.0.0'" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" diff --git a/appsec/crs/RESPONSE-950-DATA-LEAKAGES.conf b/appsec/crs/RESPONSE-950-DATA-LEAKAGES.conf index 27bedc0..dec60c0 100644 --- a/appsec/crs/RESPONSE-950-DATA-LEAKAGES.conf +++ b/appsec/crs/RESPONSE-950-DATA-LEAKAGES.conf @@ -1,17 +1,21 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ -# The paranoia level skip rules 950020, 950021 and 950022 have odd -# numbers not in sync with other paranoia level skip rules in other -# files. This is done to avoid rule id collisions with CRSv2. -# This is also true for rule 950130. +# We reused paranoia level skip rules 950010, 950011, and 950018. +# These rule identifiers were in use in CRSv2, so we used different +# identifiers in CRSv3 to avoid conflicts (950020, 950021 and 950022). +# In CRSv4, for the sake of a consistent structure, we use these +# identifiers again, so that the skip rules of PL can be defined in the +# same way for all files. +# Rule id 950130 has been kept - this ID also was introduced at first +# rule to avoid the collision. # # -= Paranoia Level 0 (empty) =- (apply unconditionally) @@ -19,8 +23,8 @@ -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950020,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950021,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950011,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950012,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" # # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher) # @@ -44,7 +48,7 @@ SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?Index of.*?Inde tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54/127',\ tag:'PCI/6.5.6',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'ERROR',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" @@ -76,7 +80,7 @@ SecRule RESPONSE_BODY "@rx ^#\!\s?/" \ tag:'OWASP_CRS',\ tag:'capec/1000/118/116',\ tag:'PCI/6.5.6',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'ERROR',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" @@ -106,7 +110,7 @@ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \ tag:'paranoia-level/2',\ tag:'OWASP_CRS',\ tag:'capec/1000/152',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'ERROR',\ setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'" @@ -121,7 +125,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950016,phase:4,pass,nolog,skipAf SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950017,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" -SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950022,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" +SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950018,phase:4,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES" # # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher) # diff --git a/appsec/crs/RESPONSE-951-DATA-LEAKAGES-SQL.conf b/appsec/crs/RESPONSE-951-DATA-LEAKAGES-SQL.conf index 6afb37b..37d58d1 100644 --- a/appsec/crs/RESPONSE-951-DATA-LEAKAGES-SQL.conf +++ b/appsec/crs/RESPONSE-951-DATA-LEAKAGES-SQL.conf @@ -1,9 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -23,7 +23,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,skipAf # # -=[ SQL Error Leakages ]=- # -# Ref: https://raw.github.com/sqlmapproject/sqlmap/master/xml/errors.xml +# Ref: https://github.com/sqlmapproject/sqlmap # Ref: https://github.com/Arachni/arachni/tree/master/components/checks/active/sql_injection/regexps # SecRule RESPONSE_BODY "!@pmFromFile sql-errors.data" \ @@ -38,7 +38,7 @@ SecRule RESPONSE_BODY "!@pmFromFile sql-errors.data" \ tag:'attack-disclosure',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ skipAfter:END-SQL-ERROR-MATCH-PL1" SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \ @@ -56,7 +56,7 @@ SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Micr tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -76,7 +76,7 @@ SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException| tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -96,7 +96,7 @@ SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]| tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -116,7 +116,7 @@ SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinit tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -136,7 +136,7 @@ SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -156,7 +156,7 @@ SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollba tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -176,7 +176,7 @@ SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -196,7 +196,7 @@ SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statem tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -216,7 +216,7 @@ SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -236,7 +236,7 @@ SecRule RESPONSE_BODY "@rx (?i:Warning: ibase_|Unexpected end of command tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -256,12 +256,12 @@ SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" -SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.)" \ +SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.|Conversion failed when converting the varchar value .*? to data type int\.)" \ "id:951220,\ phase:4,\ block,\ @@ -276,7 +276,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsof tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -286,7 +286,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsof # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 951230 # -SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient\.)|\[MySQL\]\[ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[\(-\)_a-z]{1,26})?|ERROR [0-9]{4} \([0-9a-z]{5}\):" \ +SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient\.)|\[MySQL\]\[ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[\(-\)_a-z]{1,26})?|(?:ERROR [0-9]{4} \([0-9a-z]{5}\)|XPATH syntax error):" \ "id:951230,\ phase:4,\ block,\ @@ -301,7 +301,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.* tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -311,7 +311,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.* # (consult https://coreruleset.org/docs/development/regex_assembly/ for details): # crs-toolchain regex update 951240 # -SecRule RESPONSE_BODY "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|pg_(?:query|exec)\(\) \[:|Warning.{1,20}\bpg_.*|valid PostgreSQL result|Npgsql\.|Supplied argument is not a valid PostgreSQL .*? resource|Unable to connect to PostgreSQL server" \ +SecRule RESPONSE_BODY "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|pg_(?:query|exec)\(\) \[:|Warning.{1,20}\bpg_.*|valid PostgreSQL result|Npgsql\.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er" \ "id:951240,\ phase:4,\ block,\ @@ -326,7 +326,7 @@ SecRule RESPONSE_BODY "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -346,7 +346,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/J tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" @@ -366,7 +366,7 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*S tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116/54',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'" diff --git a/appsec/crs/RESPONSE-952-DATA-LEAKAGES-JAVA.conf b/appsec/crs/RESPONSE-952-DATA-LEAKAGES-JAVA.conf index e932095..33fcfae 100644 --- a/appsec/crs/RESPONSE-952-DATA-LEAKAGES-JAVA.conf +++ b/appsec/crs/RESPONSE-952-DATA-LEAKAGES-JAVA.conf @@ -1,9 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -39,7 +39,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \ tag:'OWASP_CRS',\ tag:'capec/1000/118/116',\ tag:'PCI/6.5.6',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'ERROR',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" @@ -64,7 +64,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \ tag:'OWASP_CRS',\ tag:'capec/1000/118/116',\ tag:'PCI/6.5.6',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'ERROR',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" diff --git a/appsec/crs/RESPONSE-953-DATA-LEAKAGES-PHP.conf b/appsec/crs/RESPONSE-953-DATA-LEAKAGES-PHP.conf index 5bb3c41..d0955d2 100644 --- a/appsec/crs/RESPONSE-953-DATA-LEAKAGES-PHP.conf +++ b/appsec/crs/RESPONSE-953-DATA-LEAKAGES-PHP.conf @@ -1,9 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -39,7 +39,7 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \ tag:'OWASP_CRS',\ tag:'capec/1000/118/116',\ tag:'PCI/6.5.6',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'ERROR',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" @@ -64,7 +64,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan tag:'OWASP_CRS',\ tag:'capec/1000/118/116',\ tag:'PCI/6.5.6',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'ERROR',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" @@ -90,7 +90,7 @@ SecRule RESPONSE_BODY "@rx (?i)<\?(?:=|php)?\s+" \ tag:'OWASP_CRS',\ tag:'capec/1000/118/116',\ tag:'PCI/6.5.6',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'ERROR',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" @@ -123,7 +123,7 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors-pl2.data" \ tag:'OWASP_CRS',\ tag:'capec/1000/118/116',\ tag:'PCI/6.5.6',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'ERROR',\ setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'" diff --git a/appsec/crs/RESPONSE-954-DATA-LEAKAGES-IIS.conf b/appsec/crs/RESPONSE-954-DATA-LEAKAGES-IIS.conf index 34d8f99..5801d05 100644 --- a/appsec/crs/RESPONSE-954-DATA-LEAKAGES-IIS.conf +++ b/appsec/crs/RESPONSE-954-DATA-LEAKAGES-IIS.conf @@ -1,9 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -37,7 +37,7 @@ SecRule RESPONSE_BODY "@rx [a-z]:\x5cinetpub\b" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'ERROR',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" @@ -58,7 +58,7 @@ SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?: tag:'PCI/6.5.6',\ tag:'OWASP_CRS',\ tag:'capec/1000/118/116',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'ERROR',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" @@ -82,7 +82,7 @@ SecRule RESPONSE_BODY "@pmFromFile iis-errors.data" \ tag:'OWASP_CRS',\ tag:'capec/1000/118/116',\ tag:'PCI/6.5.6',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'ERROR',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'" @@ -104,7 +104,7 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \ tag:'OWASP_CRS',\ tag:'capec/1000/118/116',\ tag:'PCI/6.5.6',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'ERROR',\ chain" SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \ diff --git a/appsec/crs/RESPONSE-955-WEB-SHELLS.conf b/appsec/crs/RESPONSE-955-WEB-SHELLS.conf index 8b58b26..d8a2e4b 100644 --- a/appsec/crs/RESPONSE-955-WEB-SHELLS.conf +++ b/appsec/crs/RESPONSE-955-WEB-SHELLS.conf @@ -1,9 +1,9 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.4.0.0-rc1 +# OWASP CRS ver.4.0.0 # Copyright (c) 2006-2020 Trustwave and contributors. (not) All rights reserved. -# Copyright (c) 2021-2022 Core Rule Set project. All rights reserved. +# Copyright (c) 2021-2024 CRS project. All rights reserved. # -# The OWASP ModSecurity Core Rule Set is distributed under +# The OWASP CRS is distributed under # Apache Software License (ASL) version 2 # Please see the enclosed LICENSE file for full details. # ------------------------------------------------------------------------ @@ -36,7 +36,7 @@ SecRule RESPONSE_BODY "@pmFromFile web-shells-php.data" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -55,7 +55,7 @@ SecRule RESPONSE_BODY "@rx (r57 Shell Version [0-9.]+|r57 tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -74,7 +74,7 @@ SecRule RESPONSE_BODY "@rx ^<html><head><meta http-equiv='Content-Type' content= tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -93,7 +93,7 @@ SecRule RESPONSE_BODY "@rx B4TM4N SH3LL.*Mini Shell.*Developed By LameHacker" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -131,7 +131,7 @@ SecRule RESPONSE_BODY "@rx \.:: .* ~ Ashiyane V [0-9.]+ ::\." \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -150,7 +150,7 @@ SecRule RESPONSE_BODY "@rx Symlink_Sa [0-9.]+" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -169,7 +169,7 @@ SecRule RESPONSE_BODY "@rx CasuS [0-9.]+ by MafiABoY" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -188,7 +188,7 @@ SecRule RESPONSE_BODY "@rx ^\r\n\r\nGRP WebShell [0-9.]+ " \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -207,7 +207,7 @@ SecRule RESPONSE_BODY "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>\n$" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -226,7 +226,7 @@ SecRule RESPONSE_BODY "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ - " tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -245,7 +245,7 @@ SecRule RESPONSE_BODY "@rx ^<!DOCTYPE html>\n<html>\n<!-- By Artyum .*<title>Web tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -264,7 +264,7 @@ SecRule RESPONSE_BODY "@rx <title>lama's'hell v. [0-9.]+" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -283,7 +283,7 @@ SecRule RESPONSE_BODY "@rx ^ *\n[ ]+\n[ ]+lostDC - " \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -302,7 +302,7 @@ SecRule RESPONSE_BODY "@rx ^<title>PHP Web Shell\r\n\r\n\r\n tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -321,7 +321,7 @@ SecRule RESPONSE_BODY "@rx ^\n\n
\n\nRu24PostWebShell - " \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -359,7 +359,7 @@ SecRule RESPONSE_BODY "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King\r\n\r\n\n\n\n\ng00nshell v[0-9.]+ " \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -418,7 +418,7 @@ SecRule RESPONSE_BODY "@contains <title>punkholicshell" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -437,7 +437,7 @@ SecRule RESPONSE_BODY "@rx ^\n \n azrail [0- tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -456,7 +456,7 @@ SecRule RESPONSE_BODY "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=" \ tag:'paranoia-level/1',\ tag:'OWASP_CRS',\ tag:'capec/1000/225/122/17/650',\ - ver:'OWASP_CRS/4.0.0-rc1',\ + ver:'OWASP_CRS/4.0.0',\ severity:'CRITICAL',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'" @@ -475,7 +475,7 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<title>.*? ~ Shell I\n\n